枚举句柄名称问题

时间:2017-09-25 20:02:32

标签: driver enumeration handle ntdll getnameinfo

我找到了一种枚举其他程序句柄的方法,但我现在遇到了问题。我看不到Process类型的线程。我需要检查哪些程序打开我的进程句柄。

当我检查输出时,它是“未命名的”,我不知道如何解决它。

我应该通过dirver这样做吗?或没有司机的任何其他方式吗?

pid = _wtoi(argv[1]);

if (!(processHandle = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pid)))
{
    printf("Could not open PID %d! (Don't try to open a system process.)\n", pid);
    return 1;
}

handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);

/* NtQuerySystemInformation won't give us the correct buffer size, 
   so we guess by doubling the buffer size. */
while ((status = NtQuerySystemInformation(
    SystemHandleInformation,
    handleInfo,
    handleInfoSize,
    NULL
    )) == STATUS_INFO_LENGTH_MISMATCH)
    handleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2);

/* NtQuerySystemInformation stopped giving us STATUS_INFO_LENGTH_MISMATCH. */
if (!NT_SUCCESS(status))
{
    printf("NtQuerySystemInformation failed!\n");
    return 1;
}

for (i = 0; i < handleInfo->HandleCount; i++)
{
    SYSTEM_HANDLE handle = handleInfo->Handles[i];
    HANDLE dupHandle = NULL;
    POBJECT_TYPE_INFORMATION objectTypeInfo;
    PVOID objectNameInfo;
    UNICODE_STRING objectName;
    ULONG returnLength;

    /* Check if this handle belongs to the PID the user specified. */
    if (handle.ProcessId != pid)
        continue;

    /* Duplicate the handle so we can query it. */
    if (!NT_SUCCESS(NtDuplicateObject(
        processHandle,
        handle.Handle,
        GetCurrentProcess(),
        &dupHandle,
        0,
        0,
        0
        )))
    {
        printf("[%#x] Error!\n", handle.Handle);
        continue;
    }

    /* Query the object type. */
    objectTypeInfo = (POBJECT_TYPE_INFORMATION)malloc(0x1000);
    if (!NT_SUCCESS(NtQueryObject(
        dupHandle,
        ObjectTypeInformation,
        objectTypeInfo,
        0x1000,
        NULL
        )))
    {
        printf("[%#x] Error!\n", handle.Handle);
        CloseHandle(dupHandle);
        continue;
    }

    /* Query the object name (unless it has an access of 
       0x0012019f, on which NtQueryObject could hang. */
    if (handle.GrantedAccess == 0x0012019f)
    {
        /* We have the type, so display that. */
        printf(
            "[%#x] %.*S: (did not get name)\n",
            handle.Handle,
            objectTypeInfo->Name.Length / 2,
            objectTypeInfo->Name.Buffer
            );
        free(objectTypeInfo);
        CloseHandle(dupHandle);
        continue;
    }

    objectNameInfo = malloc(0x1000);
    if (!NT_SUCCESS(NtQueryObject(
        dupHandle,
        ObjectNameInformation,
        objectNameInfo,
        0x1000,
        &returnLength
        )))
    {
        /* Reallocate the buffer and try again. */
        objectNameInfo = realloc(objectNameInfo, returnLength);
        if (!NT_SUCCESS(NtQueryObject(
            dupHandle,
            ObjectNameInformation,
            objectNameInfo,
            returnLength,
            NULL
            )))
        {
            /* We have the type name, so just display that. */
            printf(
                "[%#x] %.*S: (could not get name)\n",
                handle.Handle,
                objectTypeInfo->Name.Length / 2,
                objectTypeInfo->Name.Buffer
                );
            free(objectTypeInfo);
            free(objectNameInfo);
            CloseHandle(dupHandle);
            continue;
        }
    }

    /* Cast our buffer into an UNICODE_STRING. */
    objectName = *(PUNICODE_STRING)objectNameInfo;

    /* Print the information! */
    if (objectName.Length)
    {
        /* The object has a name. */
        printf(
            "[%#x] %.*S: %.*S\n",
            handle.Handle,
            objectTypeInfo->Name.Length / 2,
            objectTypeInfo->Name.Buffer,
            objectName.Length / 2,
            objectName.Buffer
            );
    }
    else
    {
        /* Print something else. */
        printf(
            "[%#x] %.*S: (unnamed)\n",
            handle.Handle,
            objectTypeInfo->Name.Length / 2,
            objectTypeInfo->Name.Buffer
            );
    }

    free(objectTypeInfo);
    free(objectNameInfo);
    CloseHandle(dupHandle);
}

free(handleInfo);
CloseHandle(processHandle);

return 0;

1 个答案:

答案 0 :(得分:1)

void SearchMyProcessHandles()
{
    ULONG UniqueProcessId = GetCurrentProcessId();

    if (HANDLE hProcess = OpenProcess(MAXIMUM_ALLOWED, FALSE, UniqueProcessId))
    {
        NTSTATUS status;
        union {
            PSYSTEM_HANDLE_INFORMATION_EX pshi;
            PVOID buf;
        };
        ULONG cb = 0x10000;
        do 
        {
            status = STATUS_INSUFFICIENT_RESOURCES;

            if (buf = new UCHAR[cb += PAGE_SIZE])
            {
                if (0 <= (status = ZwQuerySystemInformation(SystemExtendedHandleInformation, buf, cb, &cb)))
                {
                    if (ULONG_PTR NumberOfHandles = pshi->NumberOfHandles)
                    {

                        SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX* Handles = pshi->Handles;
                        do 
                        {
                            if (Handles->UniqueProcessId == UniqueProcessId &&
                                Handles->HandleValue == (ULONG_PTR)hProcess)
                            {
                                PVOID Object = Handles->Object;

                                Handles = pshi->Handles;
                                NumberOfHandles = pshi->NumberOfHandles;

                                do 
                                {
                                    if (Handles->Object == Object &&
                                        Handles->UniqueProcessId != UniqueProcessId)
                                    {
                                        DbgPrint("%p %p %08x\n", 
                                            Handles->UniqueProcessId, 
                                            Handles->HandleValue, 
                                            Handles->GrantedAccess);
                                    }
                                } while (Handles++, --NumberOfHandles);

                                break;
                            }

                        } while (Handles++, --NumberOfHandles);
                    }
                }
                delete [] buf;
            }
        } while (status == STATUS_INFO_LENGTH_MISMATCH);

        CloseHandle(hProcess);
    }
}