此源码翻译自C++,可用于遍历系统内核对象句柄.
但本程序无法获取其他进程完整的内核对象句柄表(包括Mutex),希望达人能解决这个问题。
procedure EumKnlObjectName(var sList:TStrings);
type
PObjectTypeInformation = ^TObjectTypeInformation;
TObjectTypeInformation = packed record
Name: Unicode_STRING;
ObjectCount, HandleCount: Cardinal;
Reserved1: array[0..3] of Cardinal;
PeakObjectCount, PeakHandleCount: Cardinal;
Reserved2: array[0..3] of Cardinal;
InvalidAttributes: Cardinal;
GenericMapping: TGenericMapping;
ValidAccess: Cardinal;
Unknown: UCHAR;
MaintainHandleDatabase: Boolean;
Reserved3: array[0..1] of UCHAR;
PoolType: Cardinal;
PagedPoolUsage, NonPagedPoolUsage: Cardinal;
end;
POBJECT_ALL_TYPES_INFORMATION = ^TOBJECT_ALL_TYPES_INFORMATION;
TOBJECT_ALL_TYPES_INFORMATION = record // Information Class 3
NumberOfTypes: DWORD;
TypeInformation: TObjectTypeInformation;
end;
TOBJECT_INFORMATION_CLASS = (
ObjectBasicInformation,
ObjectNameInformation,
ObjectTypeInformation,
ObjectAllTypesInformation,
ObjectHandleInformation);
PObjectNameInformation = ^TObjectNameInformation;
TObjectNameInformation = packed record
Name: UNICODE_STRING;
end;
PSystemHandleInformation = ^TSystemHandleInformation;
TSystemHandleInformation = packed record
ProcessId: DWORD;
ObjectTypeNumber: Byte;
Flags: Byte;
Handle: Word;
eObject: Pointer;
GrantedAccess: ACCESS_MASK;
end;
PSystemHandleInformation_Ex = ^TSystemHandleInformation_Ex;
TSystemHandleInformation_Ex = packed record
NumberOfHandles: DWORD;
Information: TSystemHandleInformation;
end;
PNtQuerySystemInformation = function(SystemInformationClass: DWORD; SystemInformation: Pointer; SystemInformationLength: ULONG; ReturnLength: PULONG): DWORD; stdcall;
PNtQueryObject = function(ObjectHandle: THANDLE;
ObjectInformationClass: TOBJECT_INFORMATION_CLASS;
ObjectInformation: Pointer;
ObjectInformationLength: DWORD;
ReturnLength: PDWORD): DWORD; stdcall;
var
_ModuleHandle, _Count, i: Dword;
_NtQueryObject: PNtQueryObject;
_ObjTypeInfo: POBJECT_ALL_TYPES_INFORMATION;
_P, _StrLen, _Size: DWORD;
_ObjName: string;
_NtQuerySystemInformation: PNtQuerySystemInformation;
pHandleInfor: PSystemHandleInformation_Ex;
_HandleInfor: PSystemHandleInformation;
_Name: PObjectNameInformation;
begin
_Count := 0;
_ModuleHandle := GetModuleHandle('ntdll.dll');
_NtQueryObject := GetProcAddress(_ModuleHandle, 'NtQueryObject');
_NtQuerySystemInformation := GetProcAddress(LoadLibrary('ntdll.dll'), 'NtQuerySystemInformation');
_Size := $4000;
GetMem(pHandleInfor, _Size);
while _NtQuerySystemInformation(16, pHandleInfor, _Size, nil) <> 0 do
begin
_Size := _Size + _Size;
ReallocMem(pHandleInfor, _Size);
end;
_Name := GetMemory($1000);
for I := 0 to pHandleInfor^.NumberOfHandles - 1 do
begin
_HandleInfor := PSystemHandleInformation(dword(pHandleInfor) + 4 + (i * SizeOf(TSystemHandleInformation)));
if (_HandleInfor^.ProcessId <> GetCurrentProcessId) then
begin
if _NtQueryObject(_HandleInfor^.Handle, ObjectNameInformation, _Name, $2000, nil) = 0 then
begin
_ObjName := WideCharToString(_Name.Name.Buffer);
sList.Add(IntToHex(Dword(_HandleInfor^.Handle), 8) + '-' + IntToStr(_HandleInfor^.ObjectTypeNumber) + ':' + _ObjName);
end;
end;
end;
end;
其中上面的UNICODE_STRING,是一个record,buffer是pwidechar,Length是word,MaximumLength也是word
如果不想这样动态调用内核Api
可以下载Jedi Api,完全翻译好头文件的,Delphi Pas
无法获取其他进程完整的内核对象句柄表(包括Mutex),但可以获取本进程的内核对象句柄表(包括Mutex)。
最后,希望高手能解决我的问题
但本程序无法获取其他进程完整的内核对象句柄表(包括Mutex),希望达人能解决这个问题。
procedure EumKnlObjectName(var sList:TStrings);
type
PObjectTypeInformation = ^TObjectTypeInformation;
TObjectTypeInformation = packed record
Name: Unicode_STRING;
ObjectCount, HandleCount: Cardinal;
Reserved1: array[0..3] of Cardinal;
PeakObjectCount, PeakHandleCount: Cardinal;
Reserved2: array[0..3] of Cardinal;
InvalidAttributes: Cardinal;
GenericMapping: TGenericMapping;
ValidAccess: Cardinal;
Unknown: UCHAR;
MaintainHandleDatabase: Boolean;
Reserved3: array[0..1] of UCHAR;
PoolType: Cardinal;
PagedPoolUsage, NonPagedPoolUsage: Cardinal;
end;
POBJECT_ALL_TYPES_INFORMATION = ^TOBJECT_ALL_TYPES_INFORMATION;
TOBJECT_ALL_TYPES_INFORMATION = record // Information Class 3
NumberOfTypes: DWORD;
TypeInformation: TObjectTypeInformation;
end;
TOBJECT_INFORMATION_CLASS = (
ObjectBasicInformation,
ObjectNameInformation,
ObjectTypeInformation,
ObjectAllTypesInformation,
ObjectHandleInformation);
PObjectNameInformation = ^TObjectNameInformation;
TObjectNameInformation = packed record
Name: UNICODE_STRING;
end;
PSystemHandleInformation = ^TSystemHandleInformation;
TSystemHandleInformation = packed record
ProcessId: DWORD;
ObjectTypeNumber: Byte;
Flags: Byte;
Handle: Word;
eObject: Pointer;
GrantedAccess: ACCESS_MASK;
end;
PSystemHandleInformation_Ex = ^TSystemHandleInformation_Ex;
TSystemHandleInformation_Ex = packed record
NumberOfHandles: DWORD;
Information: TSystemHandleInformation;
end;
PNtQuerySystemInformation = function(SystemInformationClass: DWORD; SystemInformation: Pointer; SystemInformationLength: ULONG; ReturnLength: PULONG): DWORD; stdcall;
PNtQueryObject = function(ObjectHandle: THANDLE;
ObjectInformationClass: TOBJECT_INFORMATION_CLASS;
ObjectInformation: Pointer;
ObjectInformationLength: DWORD;
ReturnLength: PDWORD): DWORD; stdcall;
var
_ModuleHandle, _Count, i: Dword;
_NtQueryObject: PNtQueryObject;
_ObjTypeInfo: POBJECT_ALL_TYPES_INFORMATION;
_P, _StrLen, _Size: DWORD;
_ObjName: string;
_NtQuerySystemInformation: PNtQuerySystemInformation;
pHandleInfor: PSystemHandleInformation_Ex;
_HandleInfor: PSystemHandleInformation;
_Name: PObjectNameInformation;
begin
_Count := 0;
_ModuleHandle := GetModuleHandle('ntdll.dll');
_NtQueryObject := GetProcAddress(_ModuleHandle, 'NtQueryObject');
_NtQuerySystemInformation := GetProcAddress(LoadLibrary('ntdll.dll'), 'NtQuerySystemInformation');
_Size := $4000;
GetMem(pHandleInfor, _Size);
while _NtQuerySystemInformation(16, pHandleInfor, _Size, nil) <> 0 do
begin
_Size := _Size + _Size;
ReallocMem(pHandleInfor, _Size);
end;
_Name := GetMemory($1000);
for I := 0 to pHandleInfor^.NumberOfHandles - 1 do
begin
_HandleInfor := PSystemHandleInformation(dword(pHandleInfor) + 4 + (i * SizeOf(TSystemHandleInformation)));
if (_HandleInfor^.ProcessId <> GetCurrentProcessId) then
begin
if _NtQueryObject(_HandleInfor^.Handle, ObjectNameInformation, _Name, $2000, nil) = 0 then
begin
_ObjName := WideCharToString(_Name.Name.Buffer);
sList.Add(IntToHex(Dword(_HandleInfor^.Handle), 8) + '-' + IntToStr(_HandleInfor^.ObjectTypeNumber) + ':' + _ObjName);
end;
end;
end;
end;
其中上面的UNICODE_STRING,是一个record,buffer是pwidechar,Length是word,MaximumLength也是word
如果不想这样动态调用内核Api
可以下载Jedi Api,完全翻译好头文件的,Delphi Pas
无法获取其他进程完整的内核对象句柄表(包括Mutex),但可以获取本进程的内核对象句柄表(包括Mutex)。
最后,希望高手能解决我的问题
问个问题 没人搭理