procexp.exe中有一项功能可以将某一个进程中的所有句柄枚举出来,并且能够列出相应的句柄类型和对应的名称。
我自己写了一个程序,能将某个进程中的文件句柄列出来,但是在列出文件句柄的名称时,只能列出文件的路径和名称,而无法将其所在的盘符列出,请各位xdjm们帮忙看看,是不是应该用其他的API函数调用呀?下面是我的代码:
#include <windows.h>
#include <stdio.h>
#include <assert.h>
#include <psapi.h>
#include <tchar.h>#include "ntdll.h"#pragma comment(lib,"psapi.lib")#define uint DWORD
#define MAX_ARRAY_ITEMS(x) sizeof(x)
#define THE_PROCESSID 728
/* Process heap used for every allocation in this file; assigned in _tmain
 * from GetProcessHeap() before any of the helpers below run. */
HANDLE hHeap;

/* Native API entry points resolved from ntdll.dll at run time (see _tmain);
 * the file declares them itself because they are not in the public SDK headers. */
typedef NTSTATUS (WINAPI* PNTQUERYSYSTEMINFORMATION)(SYSTEMINFOCLASS , PVOID , ULONG , PULONG );
typedef NTSTATUS (WINAPI* PNTQUERYINFORMATIONFILE)(HANDLE , PIO_STATUS_BLOCK ,PVOID , ULONG , FILE_INFORMATION_CLASS);

PNTQUERYSYSTEMINFORMATION pNtQuerySystemInformation;
PNTQUERYINFORMATIONFILE pNtQueryInformationFile;
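/*
 * Query one SystemInformation table from the kernel, growing the buffer
 * until NtQuerySystemInformation stops reporting STATUS_INFO_LENGTH_MISMATCH.
 *
 * ATableType  system information class (e.g. SystemHandleInformation).
 * Returns     a zero-initialised buffer allocated from hHeap, which the
 *             caller releases with HeapFree(hHeap, 0, ...), or NULL when an
 *             allocation fails, the size would overflow, or the query fails.
 */
PVOID GetInfoTable(
IN ULONG ATableType
)
{
    ULONG mSize = 0x8000;
    ULONG mRequired = 0;   /* length hint from the kernel; not relied upon */
    PVOID mPtr = NULL;
    NTSTATUS status;

    do {
        mPtr = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, mSize);
        if (!mPtr) {
            return NULL;
        }
        status = pNtQuerySystemInformation((SYSTEMINFOCLASS)ATableType, mPtr, mSize, &mRequired);
        if (status == STATUS_INFO_LENGTH_MISMATCH) {
            /* Too small: release and retry with twice the size. Stop before
             * the doubling wraps the unsigned size around to a tiny buffer. */
            HeapFree(hHeap, 0, mPtr);
            mPtr = NULL;
            if (mSize > MAXDWORD / 2) {
                return NULL;
            }
            mSize *= 2;
        }
    } while (status == STATUS_INFO_LENGTH_MISMATCH);

    if (NT_SUCCESS(status)) {
        return mPtr;
    }
    HeapFree(hHeap, 0, mPtr);
    return NULL;
}

/*
 * Discover the object-type index the kernel assigns to File objects on this
 * system: open the NUL device, locate that handle in the system handle table,
 * and read its ObjectType byte. Returns 0 if the handle cannot be opened or
 * the table cannot be read or searched.
 */
UCHAR GetFileHandleType(void)
{
    HANDLE hFile;
    PSYSTEM_HANDLE_INFORMATION Info;
    USHORT wanted;
    DWORD pid;
    ULONG r;
    UCHAR Result = 0;

    hFile = CreateFile("NUL", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, 0);
    if (hFile == INVALID_HANDLE_VALUE) {
        return 0;
    }

    Info = (PSYSTEM_HANDLE_INFORMATION)GetInfoTable(SystemHandleInformation);
    if (Info) {
        /* The table stores 16-bit handle values; go through ULONG_PTR rather
         * than casting the pointer straight to USHORT, which is a truncating
         * pointer conversion on 64-bit builds. */
        wanted = (USHORT)(ULONG_PTR)hFile;
        pid = GetCurrentProcessId();   /* hoisted: invariant across the scan */
        for (r = 0; r < Info->uCount; r++) {
            if (Info->aSH[r].Handle == wanted && Info->aSH[r].uIdProcess == pid) {
                Result = Info->aSH[r].ObjectType;
                break;
            }
        }
        HeapFree(hHeap, 0, Info);
    }
    CloseHandle(hFile);
    return Result;
}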
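/* Parameter block handed to GetFileNameThread: the handle to query and the
 * buffer NtQueryInformationFile fills. Info and Name are deliberately
 * contiguous so the name returned through Info.FileName can extend into
 * Name (MAX_PATH WCHARs of extra room). */
typedef struct _NM_INFO
{
HANDLE hFile;
FILE_NAME_INFORMATION Info;
WCHAR Name[MAX_PATH];
} NM_INFO, *PNM_INFO;

/*
 * Worker thread body: queries FileNameInformation for NmInfo->hFile into
 * NmInfo->Info. Runs on its own thread so the caller can wait on it.
 *
 * lpParameter  PNM_INFO supplied by GetFileName (not freed here).
 * Returns      0 always. When the query does not succeed, FileNameLength is
 *              reset to 0 so a caller never consumes an unset or oversized
 *              length (a too-small buffer reports the full required length).
 */
DWORD WINAPI
GetFileNameThread(PVOID lpParameter)
{
    PNM_INFO NmInfo = (PNM_INFO)lpParameter;
    IO_STATUS_BLOCK IoStatus = {0};
    NTSTATUS status;

    /* Length is measured from Info itself; sizeof(NM_INFO) - sizeof(HANDLE)
     * silently miscounts if the compiler pads between hFile and Info. */
    status = pNtQueryInformationFile(NmInfo->hFile, &IoStatus, &NmInfo->Info,
                                     sizeof(NM_INFO) - FIELD_OFFSET(NM_INFO, Info),
                                     FileNameInformation);
    if (!NT_SUCCESS(status)) {
        NmInfo->Info.FileNameLength = 0;
    }
    return 0;
}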
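/*
 * Resolve the name of a file handle into TheName as an ANSI string.
 *
 * hFile    file handle to query; it is not closed here.
 * TheName  caller buffer of at least MAX_PATH bytes. Always NUL-terminated on
 *          return; empty when memory or the worker thread could not be
 *          obtained, or when the query produced no name.
 *
 * FileNameInformation yields the path as the file system sees it, which is
 * why no drive letter appears in the result.
 */
void GetFileName(HANDLE hFile, PCHAR TheName)
{
    HANDLE hThread;
    PNM_INFO Info;
    ULONG nChars;

    /* Cleared first so every exit path leaves a terminated (possibly empty) string. */
    memset(TheName, 0, MAX_PATH);

    /* Zeroed allocation: FileNameLength reads as 0 if the worker never fills it. */
    Info = (PNM_INFO)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(NM_INFO));
    if (!Info) {
        return;
    }
    Info->hFile = hFile;

    hThread = CreateThread(NULL, 0, GetFileNameThread, Info, 0, NULL);
    if (hThread) {
        /* INFINITE can never return WAIT_TIMEOUT, so no timeout fallback is
         * reachable here; a bounded wait would be required for the separate
         * thread to actually protect against a query that blocks. */
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);

        /* Never read past the storage behind Info (Name holds MAX_PATH WCHARs)
         * and keep the last output byte free for the terminator. */
        nChars = Info->Info.FileNameLength / sizeof(WCHAR);
        if (nChars > MAX_PATH) {
            nChars = MAX_PATH;
        }
        if (nChars) {
            WideCharToMultiByte(CP_ACP, 0, Info->Info.FileName, (int)nChars,
                                TheName, MAX_PATH - 1, NULL, NULL);
        }
    }
    HeapFree(hHeap, 0, Info);
}
int _tmain(int argc, _TCHAR* argv[])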
{
PSYSTEM_HANDLE_INFORMATION Info;
ULONG r;
CHAR Name[MAX_PATH];
HANDLE hProcess, hFile;
UCHAR ObFileType;
HMODULE hNtdll;
hNtdll = LoadLibrary("ntdll.dll");
if (hNtdll == NULL) {
printf("Cann't load ntdll.dll\n");
return 0;
} pNtQuerySystemInformation = (PNTQUERYSYSTEMINFORMATION)GetProcAddress(hNtdll, "NtQuerySystemInformation");
if (pNtQuerySystemInformation == NULL) {
printf("Cann't find the address of NtQuerySystemInformation\n");
return 0;
} pNtQueryInformationFile = (PNTQUERYINFORMATIONFILE)GetProcAddress(hNtdll, "NtQueryInformationFile");
if (pNtQueryInformationFile == NULL) {
printf("Cann't find the address of NtQueryInformationFile\n");
return 0;
} hHeap = GetProcessHeap(); ObFileType = GetFileHandleType(); //printf("ObFileType is %x\n", ObFileType);
我自己写了一个程序,能将某个进程中的文件句柄列出来,但是在列出文件句柄的名称时,只能列出文件的路径和名称,而无法将其所在的盘符列出,请各位xdjm们帮忙看看,是不是应该用其他的API函数调用呀?下面是我的代码:
#include <windows.h>
#include <stdio.h>
#include <assert.h>
#include <psapi.h>
#include <tchar.h>#include "ntdll.h"#pragma comment(lib,"psapi.lib")#define uint DWORD
#define MAX_ARRAY_ITEMS(x) sizeof(x)
#define THE_PROCESSID 728
/* Process heap used for every allocation in this file; assigned in _tmain
 * from GetProcessHeap() before any of the helpers below run. */
HANDLE hHeap;

/* Native API entry points resolved from ntdll.dll at run time (see _tmain);
 * the file declares them itself because they are not in the public SDK headers. */
typedef NTSTATUS (WINAPI* PNTQUERYSYSTEMINFORMATION)(SYSTEMINFOCLASS , PVOID , ULONG , PULONG );
typedef NTSTATUS (WINAPI* PNTQUERYINFORMATIONFILE)(HANDLE , PIO_STATUS_BLOCK ,PVOID , ULONG , FILE_INFORMATION_CLASS);

PNTQUERYSYSTEMINFORMATION pNtQuerySystemInformation;
PNTQUERYINFORMATIONFILE pNtQueryInformationFile;
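/*
 * Query one SystemInformation table from the kernel, growing the buffer
 * until NtQuerySystemInformation stops reporting STATUS_INFO_LENGTH_MISMATCH.
 *
 * ATableType  system information class (e.g. SystemHandleInformation).
 * Returns     a zero-initialised buffer allocated from hHeap, which the
 *             caller releases with HeapFree(hHeap, 0, ...), or NULL when an
 *             allocation fails, the size would overflow, or the query fails.
 */
PVOID GetInfoTable(
IN ULONG ATableType
)
{
    ULONG mSize = 0x8000;
    ULONG mRequired = 0;   /* length hint from the kernel; not relied upon */
    PVOID mPtr = NULL;
    NTSTATUS status;

    do {
        mPtr = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, mSize);
        if (!mPtr) {
            return NULL;
        }
        status = pNtQuerySystemInformation((SYSTEMINFOCLASS)ATableType, mPtr, mSize, &mRequired);
        if (status == STATUS_INFO_LENGTH_MISMATCH) {
            /* Too small: release and retry with twice the size. Stop before
             * the doubling wraps the unsigned size around to a tiny buffer. */
            HeapFree(hHeap, 0, mPtr);
            mPtr = NULL;
            if (mSize > MAXDWORD / 2) {
                return NULL;
            }
            mSize *= 2;
        }
    } while (status == STATUS_INFO_LENGTH_MISMATCH);

    if (NT_SUCCESS(status)) {
        return mPtr;
    }
    HeapFree(hHeap, 0, mPtr);
    return NULL;
}

/*
 * Discover the object-type index the kernel assigns to File objects on this
 * system: open the NUL device, locate that handle in the system handle table,
 * and read its ObjectType byte. Returns 0 if the handle cannot be opened or
 * the table cannot be read or searched.
 */
UCHAR GetFileHandleType(void)
{
    HANDLE hFile;
    PSYSTEM_HANDLE_INFORMATION Info;
    USHORT wanted;
    DWORD pid;
    ULONG r;
    UCHAR Result = 0;

    hFile = CreateFile("NUL", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, 0);
    if (hFile == INVALID_HANDLE_VALUE) {
        return 0;
    }

    Info = (PSYSTEM_HANDLE_INFORMATION)GetInfoTable(SystemHandleInformation);
    if (Info) {
        /* The table stores 16-bit handle values; go through ULONG_PTR rather
         * than casting the pointer straight to USHORT, which is a truncating
         * pointer conversion on 64-bit builds. */
        wanted = (USHORT)(ULONG_PTR)hFile;
        pid = GetCurrentProcessId();   /* hoisted: invariant across the scan */
        for (r = 0; r < Info->uCount; r++) {
            if (Info->aSH[r].Handle == wanted && Info->aSH[r].uIdProcess == pid) {
                Result = Info->aSH[r].ObjectType;
                break;
            }
        }
        HeapFree(hHeap, 0, Info);
    }
    CloseHandle(hFile);
    return Result;
}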
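/* Parameter block handed to GetFileNameThread: the handle to query and the
 * buffer NtQueryInformationFile fills. Info and Name are deliberately
 * contiguous so the name returned through Info.FileName can extend into
 * Name (MAX_PATH WCHARs of extra room). */
typedef struct _NM_INFO
{
HANDLE hFile;
FILE_NAME_INFORMATION Info;
WCHAR Name[MAX_PATH];
} NM_INFO, *PNM_INFO;

/*
 * Worker thread body: queries FileNameInformation for NmInfo->hFile into
 * NmInfo->Info. Runs on its own thread so the caller can wait on it.
 *
 * lpParameter  PNM_INFO supplied by GetFileName (not freed here).
 * Returns      0 always. When the query does not succeed, FileNameLength is
 *              reset to 0 so a caller never consumes an unset or oversized
 *              length (a too-small buffer reports the full required length).
 */
DWORD WINAPI
GetFileNameThread(PVOID lpParameter)
{
    PNM_INFO NmInfo = (PNM_INFO)lpParameter;
    IO_STATUS_BLOCK IoStatus = {0};
    NTSTATUS status;

    /* Length is measured from Info itself; sizeof(NM_INFO) - sizeof(HANDLE)
     * silently miscounts if the compiler pads between hFile and Info. */
    status = pNtQueryInformationFile(NmInfo->hFile, &IoStatus, &NmInfo->Info,
                                     sizeof(NM_INFO) - FIELD_OFFSET(NM_INFO, Info),
                                     FileNameInformation);
    if (!NT_SUCCESS(status)) {
        NmInfo->Info.FileNameLength = 0;
    }
    return 0;
}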
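/*
 * Resolve the name of a file handle into TheName as an ANSI string.
 *
 * hFile    file handle to query; it is not closed here.
 * TheName  caller buffer of at least MAX_PATH bytes. Always NUL-terminated on
 *          return; empty when memory or the worker thread could not be
 *          obtained, or when the query produced no name.
 *
 * FileNameInformation yields the path as the file system sees it, which is
 * why no drive letter appears in the result.
 */
void GetFileName(HANDLE hFile, PCHAR TheName)
{
    HANDLE hThread;
    PNM_INFO Info;
    ULONG nChars;

    /* Cleared first so every exit path leaves a terminated (possibly empty) string. */
    memset(TheName, 0, MAX_PATH);

    /* Zeroed allocation: FileNameLength reads as 0 if the worker never fills it. */
    Info = (PNM_INFO)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(NM_INFO));
    if (!Info) {
        return;
    }
    Info->hFile = hFile;

    hThread = CreateThread(NULL, 0, GetFileNameThread, Info, 0, NULL);
    if (hThread) {
        /* INFINITE can never return WAIT_TIMEOUT, so no timeout fallback is
         * reachable here; a bounded wait would be required for the separate
         * thread to actually protect against a query that blocks. */
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);

        /* Never read past the storage behind Info (Name holds MAX_PATH WCHARs)
         * and keep the last output byte free for the terminator. */
        nChars = Info->Info.FileNameLength / sizeof(WCHAR);
        if (nChars > MAX_PATH) {
            nChars = MAX_PATH;
        }
        if (nChars) {
            WideCharToMultiByte(CP_ACP, 0, Info->Info.FileName, (int)nChars,
                                TheName, MAX_PATH - 1, NULL, NULL);
        }
    }
    HeapFree(hHeap, 0, Info);
}
int _tmain(int argc, _TCHAR* argv[])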
{
PSYSTEM_HANDLE_INFORMATION Info;
ULONG r;
CHAR Name[MAX_PATH];
HANDLE hProcess, hFile;
UCHAR ObFileType;
HMODULE hNtdll;
hNtdll = LoadLibrary("ntdll.dll");
if (hNtdll == NULL) {
printf("Cann't load ntdll.dll\n");
return 0;
} pNtQuerySystemInformation = (PNTQUERYSYSTEMINFORMATION)GetProcAddress(hNtdll, "NtQuerySystemInformation");
if (pNtQuerySystemInformation == NULL) {
printf("Cann't find the address of NtQuerySystemInformation\n");
return 0;
} pNtQueryInformationFile = (PNTQUERYINFORMATIONFILE)GetProcAddress(hNtdll, "NtQueryInformationFile");
if (pNtQueryInformationFile == NULL) {
printf("Cann't find the address of NtQueryInformationFile\n");
return 0;
} hHeap = GetProcessHeap(); ObFileType = GetFileHandleType(); //printf("ObFileType is %x\n", ObFileType);
The GetModuleFileName function retrieves the full path and filename for the executable file containing the specified module. Windows 95: The GetModuleFileName function will return long filenames when an application's version number is greater than or equal to 4.00 and the long filename is available. Otherwise, it returns only 8.3 format filenames.
DWORD GetModuleFileName(
HMODULE hModule, // handle to module to find filename for
LPTSTR lpFilename, // pointer to buffer to receive module path
DWORD nSize // size of buffer, in characters
);