#include <winternl.h>#define SystemHandleInformation 0x10 // Information Class 16
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004L
#define STATUS_BUFFER_OVERFLOW 0x80000005L
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG ProcessId; //!< the process id.
UCHAR ObjectTypeNumber; //!< handle object type.
UCHAR Flags; //!< 0x01=PROTECT_FROM_CLOSE,0x02=INHERIT.
USHORT Handle; //!< object handle value.
PVOID Object; //!< object handle refer core obj address.
ACCESS_MASK GrantedAccess; //!< the access right which be defined on the create time.
}SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; typedef DWORD (WINAPI *PROCNTQSI)(UINT,PVOID,ULONG,PULONG);
DWORD GetProcHandle(DWORD pid, PSYSTEM_HANDLE_INFORMATION StructHandle, DWORD dwStructStcCount)
{
//1 init
DWORD re = STATUS_INFO_LENGTH_MISMATCH;
DWORD Count =0;
DWORD i, nedCount = 0, j = 0;
HINSTANCE NtdllDll = NULL; //2 get system path and ntdll.dll
char mSystemPath[MAX_PATH+1];
memset(mSystemPath,0x00,MAX_PATH+1);
GetSystemDirectory(mSystemPath,MAX_PATH);
strcat(mSystemPath,"\\ntdll.dll");
NtdllDll = GetModuleHandle(mSystemPath);//LoadLibrary("ntdll.dll");
if(NtdllDll == NULL)
{
return 0;
}
//3 get func NtQuerySystemInformation
PROCNTQSI NtQuerySystemInformation = (PROCNTQSI)GetProcAddress(NtdllDll,"NtQuerySystemInformation");
if (NtQuerySystemInformation == NULL)
{
return 0;
} //4 get system handle list
const DWORD MAX_HANDLE_LIST_BUF = 0x200000;
const DWORD MAX_HANDLE_LIST_BUF_REQ = (20 *1024 * 1024);
PDWORD pdwHandleList = NULL;
while (STATUS_INFO_LENGTH_MISMATCH == re)
{
if (pdwHandleList)
{
free(pdwHandleList);
}
pdwHandleList = (PDWORD)malloc(MAX_HANDLE_LIST_BUF );
DWORD dwNumBytesRet = 0;
re = NtQuerySystemInformation(SystemHandleInformation,pdwHandleList,MAX_HANDLE_LIST_BUF,&dwNumBytesRet);
if (dwNumBytesRet>MAX_HANDLE_LIST_BUF|| (re != STATUS_INFO_LENGTH_MISMATCH && re!= 0))
{
free(pdwHandleList);
return 0;
}
}
//5 get handle count
Count = *(DWORD*)pdwHandleList; // the total count of handle's
PSYSTEM_HANDLE_INFORMATION pHandleInfo = NULL;
//6 if call is null, return the count . if pid=0, system count else the special process's handle count
//the first DWORD is the count,after this is the handle list.
pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)(pdwHandleList + sizeof(DWORD));
if (StructHandle == NULL || dwStructStcCount == 0)
{
if (pid == 0)
{
nedCount = Count;
}
else
{
for (i = 0, nedCount = 0; i < Count; i++)
{
if (pHandleInfo[i].ProcessId == pid)
{
nedCount++;
//}
//else
//{
PrintProcessNameAndID(pid);
}
}
}
free(pdwHandleList);
return nedCount;
} //7 dump system handles
if (pid == 0)
{
if (dwStructStcCount > Count)
{
dwStructStcCount = Count;
}
memcpy(StructHandle, pHandleInfo, dwStructStcCount *sizeof(PSYSTEM_HANDLE_INFORMATION));
free(pdwHandleList);
return dwStructStcCount;
}
//8 get special process's(pid) handles.
for (i = 0, j = 0; i < Count; i++)
{
if (pHandleInfo[i].ProcessId == pid)
{
memcpy(&StructHandle[j], &pHandleInfo[i], sizeof(PSYSTEM_HANDLE_INFORMATION));
j++;
}
} free(pdwHandleList);
return j;
}
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004L
#define STATUS_BUFFER_OVERFLOW 0x80000005L
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG ProcessId; //!< the process id.
UCHAR ObjectTypeNumber; //!< handle object type.
UCHAR Flags; //!< 0x01=PROTECT_FROM_CLOSE,0x02=INHERIT.
USHORT Handle; //!< object handle value.
PVOID Object; //!< object handle refer core obj address.
ACCESS_MASK GrantedAccess; //!< the access right which be defined on the create time.
}SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; typedef DWORD (WINAPI *PROCNTQSI)(UINT,PVOID,ULONG,PULONG);
DWORD GetProcHandle(DWORD pid, PSYSTEM_HANDLE_INFORMATION StructHandle, DWORD dwStructStcCount)
{
//1 init
DWORD re = STATUS_INFO_LENGTH_MISMATCH;
DWORD Count =0;
DWORD i, nedCount = 0, j = 0;
HINSTANCE NtdllDll = NULL; //2 get system path and ntdll.dll
char mSystemPath[MAX_PATH+1];
memset(mSystemPath,0x00,MAX_PATH+1);
GetSystemDirectory(mSystemPath,MAX_PATH);
strcat(mSystemPath,"\\ntdll.dll");
NtdllDll = GetModuleHandle(mSystemPath);//LoadLibrary("ntdll.dll");
if(NtdllDll == NULL)
{
return 0;
}
//3 get func NtQuerySystemInformation
PROCNTQSI NtQuerySystemInformation = (PROCNTQSI)GetProcAddress(NtdllDll,"NtQuerySystemInformation");
if (NtQuerySystemInformation == NULL)
{
return 0;
} //4 get system handle list
const DWORD MAX_HANDLE_LIST_BUF = 0x200000;
const DWORD MAX_HANDLE_LIST_BUF_REQ = (20 *1024 * 1024);
PDWORD pdwHandleList = NULL;
while (STATUS_INFO_LENGTH_MISMATCH == re)
{
if (pdwHandleList)
{
free(pdwHandleList);
}
pdwHandleList = (PDWORD)malloc(MAX_HANDLE_LIST_BUF );
DWORD dwNumBytesRet = 0;
re = NtQuerySystemInformation(SystemHandleInformation,pdwHandleList,MAX_HANDLE_LIST_BUF,&dwNumBytesRet);
if (dwNumBytesRet>MAX_HANDLE_LIST_BUF|| (re != STATUS_INFO_LENGTH_MISMATCH && re!= 0))
{
free(pdwHandleList);
return 0;
}
}
//5 get handle count
Count = *(DWORD*)pdwHandleList; // the total count of handle's
PSYSTEM_HANDLE_INFORMATION pHandleInfo = NULL;
//6 if call is null, return the count . if pid=0, system count else the special process's handle count
//the first DWORD is the count,after this is the handle list.
pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)(pdwHandleList + sizeof(DWORD));
if (StructHandle == NULL || dwStructStcCount == 0)
{
if (pid == 0)
{
nedCount = Count;
}
else
{
for (i = 0, nedCount = 0; i < Count; i++)
{
if (pHandleInfo[i].ProcessId == pid)
{
nedCount++;
//}
//else
//{
PrintProcessNameAndID(pid);
}
}
}
free(pdwHandleList);
return nedCount;
} //7 dump system handles
if (pid == 0)
{
if (dwStructStcCount > Count)
{
dwStructStcCount = Count;
}
memcpy(StructHandle, pHandleInfo, dwStructStcCount *sizeof(PSYSTEM_HANDLE_INFORMATION));
free(pdwHandleList);
return dwStructStcCount;
}
//8 get special process's(pid) handles.
for (i = 0, j = 0; i < Count; i++)
{
if (pHandleInfo[i].ProcessId == pid)
{
memcpy(&StructHandle[j], &pHandleInfo[i], sizeof(PSYSTEM_HANDLE_INFORMATION));
j++;
}
} free(pdwHandleList);
return j;
}
unkonwn 4 unkonwn 1
smss.exe 1044 unkonwn 2
csrss.exe 1100 unkonwn 3
winlogon.exe 1128 unkonwn 4
services.exe 1172 unkonwn 6
lsass.exe 1184 unkonwn 8
Ati2evxx.exe 1388 unkonwn 11
svchost.exe 1404 unkonwn 12
svchost.exe 1464 unkonwn 14
svchost.exe 404 unkonwn 15
svchost.exe 716 unkonwn 16
svchost.exe 892 unkonwn 17
spoolsv.exe 1268 unkonwn 19
avp.exe 1896 unkonwn 23
inetinfo.exe 2036 unkonwn 27
mdm.exe 196 unkonwn 32
svchost.exe 504 unkonwn 40
vmware-authd.exe 1040 unkonwn 64
vmount2.exe 1532 unkonwn 74
vmnat.exe 1556 unkonwn 104
vmnetdhcp.exe 1668 unkonwn 128
alg.exe 1696 unkonwn 384
Explorer.EXE 3528 unkonwn 1024
wscntfy.exe 3616 unkonwn 1080
TSVNCache.exe 3628 unkonwn 1144
360tray.exe 3960 unkonwn 1146
avp.exe 3996 unkonwn 2692
unkonwn 468 unkonwn 65539
VM305_STI.EXE 640 unkonwn 131073
ctfmon.exe 224 unkonwn 131074
MsnMsgr.Exe 2076 unkonwn 131075
OUTLOOK.EXE 288 unkonwn 131078
WINWORD.EXE 3140 unkonwn 131087
usnsvc.exe 2400 unkonwn 131097
regedit.exe 668 unkonwn 131099
srgui.exe 3152 unkonwn 131101
devenv.exe 3392
dexplore.exe 3700
iexplore.exe 2852
editplus.exe 4760
calc.exe 5568
devenv.exe 2492
为什么会这样呢,我上面的程序那里写了,还时对_SYSTEM_HANDLE_INFORMATION的理解不对。