GetFinalPathByHandle为NtQuerySystemInformation返回的所有句柄返回相同的路径

GetFinalPathByHandle returns the same path for all handles returned by NtQuerySystemInformation

本文关键字：返回路径句柄 NtQuerySystemInformation GetFinalPathByHandle 更新时间：2023-10-16

我想检索操作系统中进程访问的所有文件路径。检索进程列表，并且这些进程具有正确的句柄值。所以现在我想使用GetFinalPathNameByHandle函数来获取这些文件的路径，但path变量对所有记录都是相同的。伙计们，我需要帮忙。

源代码在这里：http://pastebin.com/nU26Vcsd如果无法访问pastebin，则在此处http://hastebin.com/wahudogawa.avrasm

66号线是我需要帮助的地方。测试进程的每个文件处理程序的路径都是相同的，并且等于执行该程序的路径（而不是进程启动文件夹）。

我将其运行为：testprogram.exe | grep 5231，其中5231是我需要的进程的PID。

结果看起来像：

PID: 5231        FileHandlePid: 44       The final path is: DeviceHarddiskVolume4KillFileHandleC++Debug

而这些应该像：

PID: 5231        FileHandlePid: 44       The final path is: DeviceHarddiskVolume2UsersusernameAppDataRoamingtestapp

或者，如果我的预期结果有误，请纠正我。

最新添加：

感谢@Raymond Chen的评论，我正在努力向前迈进，并使用DuplicateHandle（）函数。到目前为止，我已经更新了代码（抱歉，现在是硬编码的pid），添加了HandleValueTemp，并试图将其传递给DuplicateHandle。输出更改为不可打印的字符。

for (i = 0; i < hCount; ++i)
if ((hFirstEntry[i].ObjectType == 28))
{
    HANDLE TargetHandleValueTemp = (HANDLE)hFirstEntry[i].HandleValue;
    HANDLE SourceProcHandleTemp = OpenProcess(PROCESS_DUP_HANDLE, FALSE, hFirstEntry[i].OwnerPid);
    if (!DuplicateHandle(SourceProcHandleTemp, (HANDLE)hFirstEntry[i].HandleValue, GetCurrentProcess(), &TargetHandleValueTemp, 0, FALSE, DUPLICATE_SAME_ACCESS))
    {
        cout << "Error in DuplicateHandle"
    }
    CloseHandle(SourceProcHandleTemp);
    TCHAR Path[MAX_PATH];
    DWORD dwret = GetFinalPathNameByHandle(TargetHandleValueTemp, Path, MAX_PATH, 0);
    _tprintf(TEXT("PID: %dtFileHandle: %dtThe final path is: %sn"), hFirstEntry[i].OwnerPid, TargetHandleValueTemp, Path);
    CloseHandle(TargetHandleValueTemp);
}

深入挖掘并不时查看评论。也许这个代码对这里的其他人有用。

感谢@RaymondChen和@HarryJohnston的评论，我得以取得工作成果。我把它留在这里，以备其他人需要时使用。代码有点糟糕，但进一步的格式化取决于您。测试时请记住将OwnerPid在循环中更新为您自己的。

#include <Windows.h>
#include <stdio.h>
#include <string.h>
#include <tchar.h>
#include <iostream>
#define START_ALLOC                 0x1000
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
#define SystemHandleInformation     0x10
typedef long(__stdcall *NtQSI)(
ULONG  SystemInformationClass,
PVOID  SystemInformation,
ULONG  SystemInformationLength,
PULONG ReturnLength
);
typedef struct _SYSTEM_HANDLE_ENTRY {
ULONG  OwnerPid;
BYTE   ObjectType;
BYTE   HandleFlags;
USHORT HandleValue;
PVOID  ObjectPointer;
ACCESS_MASK  AccessMask;
} SYSTEM_HANDLE_ENTRY, *PSYSTEM_HANDLE_ENTRY;
int main()
{
HMODULE hNtDll = NULL;
NtQSI   pNtQSI = NULL;
PVOID   pMem = NULL;
ULONG   allocSize = START_ALLOC;
ULONG   retVal = 0;
// --------------------------------
ULONG   hCount = 0;
PSYSTEM_HANDLE_ENTRY hFirstEntry = NULL;
// --------------------------------
ULONG   i;
hNtDll = LoadLibraryA("NTDLL.dll");
if (!hNtDll)
    return 1;
pNtQSI = (NtQSI)GetProcAddress(hNtDll, "NtQuerySystemInformation");
if (!pNtQSI) {
    FreeLibrary(hNtDll);
    return 2;
}
pMem = malloc(allocSize);
while (pNtQSI(SystemHandleInformation, pMem, allocSize, &retVal)
    == STATUS_INFO_LENGTH_MISMATCH) {
    pMem = realloc(pMem, allocSize *= 2);
}
hCount = *(ULONG*)pMem;
hFirstEntry = (PSYSTEM_HANDLE_ENTRY)((PBYTE)pMem + 4);
for (i = 0; i < hCount; ++i)
if ((hFirstEntry[i].ObjectType == 30) && (hFirstEntry[i].OwnerPid == 5628))
{
    HANDLE TargetHandleValueTemp = (HANDLE)hFirstEntry[i].HandleValue;
    HANDLE SourceProcHandleTemp = OpenProcess(PROCESS_DUP_HANDLE, FALSE, hFirstEntry[i].OwnerPid);
    if (!DuplicateHandle(SourceProcHandleTemp, (HANDLE)hFirstEntry[i].HandleValue, GetCurrentProcess(), &TargetHandleValueTemp, 0, FALSE, DUPLICATE_SAME_ACCESS))
    {
        TargetHandleValueTemp = (HANDLE)hFirstEntry[i].HandleValue;
    }
    CloseHandle(SourceProcHandleTemp);
    TCHAR Path[MAX_PATH];
    DWORD dwret = GetFinalPathNameByHandle(TargetHandleValueTemp, Path, MAX_PATH, 0);
    _tprintf(TEXT("PID: %dtFileHandle: %dtThe final path is: %sn"), hFirstEntry[i].OwnerPid, TargetHandleValueTemp, Path);
    CloseHandle(TargetHandleValueTemp);
}
free(pMem);
FreeLibrary(hNtDll);
}