获取进程句柄的详细信息

Getting Detail Information of process handle


我在命令行上运行了" handle.exe -a Device000006c ",其中" Device000006c"是我的设备的物理对象名称,例如麦克风并获得以下输出:

Handle v4.0
Copyright (C) 1997-2014 Mark Russinovich
Sysinternals - www.sysinternals.com
svchost.exe        pid: 864    type: File           770: Device000006cglobal
svchost.exe        pid: 864    type: File           ECC: Device000006cglobal
svchost.exe        pid: 348    type: File           514: Device000006cglobal
svchost.exe        pid: 348    type: File           88C: Device000006cglobal
audiodg.exe        pid: 4592   type: File           1C4: Device000006c
audiodg.exe        pid: 4592   type: File           1CC: Device000006c

输出的最后两行显示,audiodg.exe 在播放音频时持有该设备的句柄。

audiodg.exe        pid: 4592   type: File           1CC: Device000006c

我知道"1CC"是句柄的十六进制值,但"Device000006c"是什么?它是与该句柄关联的名称,还是内核中与该句柄相关的其他内容?

我正在尝试从以下链接中获取处理信息

https://code.msdn.microsoft.com/windowsapps/CppFileHandle-03c8ea0b

但无法获得这类句柄的信息

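/*
 * Enumerate the open file handles of process `pid` and print the file name
 * behind each one.
 *
 * Uses the undocumented NtQuerySystemInformation(SystemHandleInformation)
 * and NtQueryInformationFile(FileNameInformation) entry points of ntdll.dll,
 * as the original sample does; the function-pointer and structure types
 * (PFN_NTQUERYSYSTEMINFORMATION, PSYSTEM_HANDLE_INFORMATION, ...) are
 * declared elsewhere in the file.
 *
 * Returns the number of file-type handles found in the process, or
 * (DWORD)-1 if the handle table could not be obtained or the process could
 * not be opened (opening another user's or a service process presumably
 * needs elevated rights — confirm for the target process).
 */
DWORD EnumerateFileHandles(ULONG pid)
{
    DWORD dwFiles = (DWORD)-1;                  // error sentinel until the scan completes
    PSYSTEM_HANDLE_INFORMATION pSysHandleInfo = NULL;
    HANDLE hProcess = NULL;

    HINSTANCE hNtDll = LoadLibrary(_T("ntdll.dll"));
    assert(hNtDll != NULL);
    PFN_NTQUERYSYSTEMINFORMATION NtQuerySystemInformation =
        (PFN_NTQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll,
        "NtQuerySystemInformation");
    assert(NtQuerySystemInformation != NULL);
    PFN_NTQUERYINFORMATIONFILE NtQueryInformationFile =
        (PFN_NTQUERYINFORMATIONFILE)GetProcAddress(hNtDll,
        "NtQueryInformationFile");
    // The sample asserted only the first lookup; a NULL here was called through below.
    assert(NtQueryInformationFile != NULL);

    // SystemHandleInformation describes every handle on the system and has no
    // size query; grow the buffer until the call stops reporting a mismatch.
    DWORD nSize = 4096, nReturn = 0;
    LONG status;
    pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(
        GetProcessHeap(), 0, nSize);
    if (pSysHandleInfo == NULL)
    {
        _tprintf(_T("HeapAlloc failed\n"));
        goto cleanup;
    }
    while ((status = NtQuerySystemInformation(SystemHandleInformation,
        pSysHandleInfo, nSize, &nReturn)) == STATUS_INFO_LENGTH_MISMATCH)
    {
        HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
        nSize += 4096;
        pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(
            GetProcessHeap(), 0, nSize);
        if (pSysHandleInfo == NULL)
        {
            _tprintf(_T("HeapAlloc failed\n"));
            goto cleanup;
        }
    }
    // Any other failure leaves the buffer contents unspecified; do not walk it.
    if (status != STATUS_SUCCESS)
    {
        _tprintf(_T("NtQuerySystemInformation failed w/status 0x%08lx\n"), status);
        goto cleanup;
    }

    // DuplicateHandle requires PROCESS_DUP_HANDLE on the source process. With
    // only PROCESS_QUERY_LIMITED_INFORMATION (as in the sample) every
    // duplication below fails and no file name is ever printed.
    hProcess = OpenProcess(
        PROCESS_DUP_HANDLE | PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (hProcess == NULL)
    {
        _tprintf(_T("OpenProcess failed w/err 0x%08lx\n"), GetLastError());
        getchar();
        goto cleanup;
    }

    dwFiles = 0;
    for (ULONG i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
    {
        PSYSTEM_HANDLE pHandle = &(pSysHandleInfo->Handles[i]);
        if (pHandle->ProcessId != pid ||
            pHandle->ObjectTypeNumber != HANDLE_TYPE_FILE)
            continue;

        dwFiles++;  // count every file handle, even those we cannot name

        // Duplicate the handle into this process so it can be queried locally.
        // Handle is a 16-bit value; widen through ULONG_PTR before the pointer cast.
        HANDLE hCopy;
        if (!DuplicateHandle(hProcess, (HANDLE)(ULONG_PTR)pHandle->Handle,
            GetCurrentProcess(), &hCopy, MAXIMUM_ALLOWED, FALSE, 0))
            continue;

        // Retrieve file name information about the file object.
        IO_STATUS_BLOCK ioStatus;
        DWORD dwInfoSize = MAX_PATH * 2 * 2;
        PFILE_NAME_INFORMATION pNameInfo = (PFILE_NAME_INFORMATION)
            malloc(dwInfoSize);
        if (pNameInfo == NULL)
        {
            CloseHandle(hCopy);
            continue;
        }
        // NOTE(review): querying FileNameInformation on some file-type handles
        // (e.g. pipes opened for synchronous I/O) is reported to block the
        // caller indefinitely; this sample does not guard against that — confirm
        // for the handle types you expect to meet.
        if (NtQueryInformationFile(hCopy, &ioStatus, pNameInfo,
            dwInfoSize, FileNameInformation) == STATUS_SUCCESS)
        {
            WCHAR wszFileName[MAX_PATH + 1];
            // FileNameLength is in bytes; StringCchCopyNW takes characters and
            // truncates to the destination size, so a long name cannot overrun.
            StringCchCopyNW(wszFileName, MAX_PATH + 1,
                pNameInfo->FileName,
                pNameInfo->FileNameLength / sizeof(WCHAR));
            wprintf(L"0x%x:\t%s\n", pHandle->Handle, wszFileName);
        }
        free(pNameInfo);
        CloseHandle(hCopy);
    }

cleanup:
    // Single exit so the process handle, the handle table and the ntdll
    // reference are released on every path (the sample leaked the table
    // when OpenProcess failed).
    if (hProcess != NULL)
        CloseHandle(hProcess);
    if (pSysHandleInfo != NULL)
        HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
    if (hNtDll != NULL)
        FreeLibrary(hNtDll);
    return dwFiles;
}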

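/*
 * Entry point: dump the file handles of one process, then create test.txt
 * and write a fixed buffer into it.
 *
 * The process id is taken from argv[1] when given; without an argument the
 * sample's hard-coded pid 4592 (the audiodg.exe instance from the question)
 * is used, so existing invocations behave as before. Returns 1 on a
 * malformed pid argument, 0 otherwise (file errors are printed, as before).
 */
int _tmain(int argc, _TCHAR* argv[])
{
    ULONG pid = 4592;
    if (argc > 1)
    {
        _TCHAR *end = NULL;
        unsigned long parsed = _tcstoul(argv[1], &end, 10);
        // Reject empty or partially numeric input instead of silently using 0.
        if (end == argv[1] || *end != _T('\0'))
        {
            _tprintf(TEXT("Usage: %s [pid]\n"), argv[0]);
            return 1;
        }
        pid = (ULONG)parsed;
    }

    // The sample discarded this result; (DWORD)-1 is the function's error sentinel.
    DWORD dwFiles = EnumerateFileHandles(pid);
    if (dwFiles == (DWORD)-1)
        _tprintf(TEXT("EnumerateFileHandles failed for pid %lu\n"), pid);
    _tprintf(TEXT("\r\n"));

    // Create a file of our own and write to it.
    HANDLE hFile = CreateFile(TEXT("test.txt"), GENERIC_WRITE | GENERIC_READ,
        0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        // GetLastError() returns a DWORD; %d was the wrong specifier.
        _tprintf(TEXT("CreateFile failed with %lu\n"), GetLastError());
        return 0;
    }

    BYTE bWriteBuffer[] = "0123456789";
    DWORD dwBytesWritten = 0;
    // Write all 11 bytes (ten digits plus the terminating NUL) to the file.
    if (!WriteFile(hFile,                   // File handle
        bWriteBuffer,                       // Buffer to write from
        sizeof(bWriteBuffer),               // Number of bytes to write
        &dwBytesWritten,                    // Number of bytes actually written
        NULL))                              // No overlapped structure
    {
        _tprintf(TEXT("Could not write to file w/err 0x%08lx\n"), GetLastError());
        CloseHandle(hFile);
        return 0;
    }
    // A successful WriteFile may still write fewer bytes than requested;
    // no last-error is set in that case, so report the counts instead.
    if (dwBytesWritten != sizeof(bWriteBuffer))
    {
        _tprintf(TEXT("Short write: %lu of %lu bytes\n"),
            dwBytesWritten, (DWORD)sizeof(bWriteBuffer));
        CloseHandle(hFile);
        return 0;
    }
    CloseHandle(hFile);
    return 0;
}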

如有任何帮助,将不胜感激:如何通过物理设备对象名称,以编程方式查找哪些进程正在使用该设备(即持有其句柄)。

您的代码只处理给定进程的文件句柄:

if (pHandle->ProcessId == pid && pHandle->ObjectTypeNumber == HANDLE_TYPE_FILE)

当您通过 SystemHandleInformation 获取句柄时,应先检查其类型,再根据类型执行相应操作。正如示例所示,如果句柄是文件句柄,它会通过 NtQueryInformationFile 获取文件名。因此,您应该对所需的每种句柄类型执行类似的处理。

使用 ntdll 中的 NtQueryObject 函数可以获取句柄的类型。在该示例中,会对进程的每个句柄根据其类型打印相应的信息。