标签:
typedef struct _SYSTEM_HANDLE_INFORMATION{ ULONG ProcessId; UCHAR ObjectTypeNumber; UCHAR Flags; USHORT Handle; PVOID Object; ACCESS_MASK GrantedAccess; /* ProcessId: 进程标识符 ObjectTypeNumber; 打开的对象的类型 Flags: 句柄属性标志 Handle: 句柄数值,在进程打开的句柄中唯一标识某个句柄 Object: 这个就是句柄对应的EPROCESS的地址 GrantedAccess: 句柄对象的访问权限 */ } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; ObjectTypeNumber的定义 #define OB_TYPE_INDEX_TYPE 1 // [ObjT] "Type" #define OB_TYPE_INDEX_DIRECTORY 2 // [Dire] "Directory" #define OB_TYPE_INDEX_SYMBOLIC_LINK 3 // [Symb] "SymbolicLink" #define OB_TYPE_INDEX_TOKEN 4 // [Toke] "Token" #define OB_TYPE_INDEX_PROCESS 5 // [Proc] "Process" #define OB_TYPE_INDEX_THREAD 6 // [Thre] "Thread" #define OB_TYPE_INDEX_JOB 7 // [Job ] "Job" #define OB_TYPE_INDEX_EVENT 8 // [Even] "Event" #define OB_TYPE_INDEX_EVENT_PAIR 9 // [Even] "EventPair" #define OB_TYPE_INDEX_MUTANT 10 // [Muta] "Mutant" #define OB_TYPE_INDEX_CALLBACK 11 // [Call] "Callback" #define OB_TYPE_INDEX_SEMAPHORE 12 // [Sema] "Semaphore" #define OB_TYPE_INDEX_TIMER 13 // [Time] "Timer" #define OB_TYPE_INDEX_PROFILE 14 // [Prof] "Profile" #define OB_TYPE_INDEX_WINDOW_STATION 15 // [Wind] "WindowStation" #define OB_TYPE_INDEX_DESKTOP 16 // [Desk] "Desktop" #define OB_TYPE_INDEX_SECTION 17 // [Sect] "Section" #define OB_TYPE_INDEX_KEY 18 // [Key ] "Key" #define OB_TYPE_INDEX_PORT 19 // [Port] "Port" #define OB_TYPE_INDEX_WAITABLE_PORT 20 // [Wait] "WaitablePort" #define OB_TYPE_INDEX_ADAPTER 21 // [Adap] "Adapter" #define OB_TYPE_INDEX_CONTROLLER 22 // [Cont] "Controller" #define OB_TYPE_INDEX_DEVICE 23 // [Devi] "Device" #define OB_TYPE_INDEX_DRIVER 24 // [Driv] "Driver" #define OB_TYPE_INDEX_IO_COMPLETION 25 // [IoCo] "IoCompletion" #define OB_TYPE_INDEX_FILE 26 // [File] "File" #define OB_TYPE_INDEX_WMI_GUID 27 // [WmiG] "WmiGuid"
使用时应注意,返回到缓冲区的首先是一个ULONG类型的数据,表示有多少数组
使用NtQuerySystemInformation函数的SystemHandleInformation=16号功能. 其相关结构定义如下: typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO{ USHORT UniqueProcessId; USHORT CreatorBackTraceIndex; UCHAR ObjectTypeIndex; UCHAR HandleAttributes; USHORT HandleValue; PVOID Object; ULONG GrantedAccess; } SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO; typedef struct _SYSTEM_HANDLE_INFORMATION{ ULONG NumberOfHandles; SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1]; } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; 该功能号获取系统内所有进程的句柄放在Handles里,个数由NumberOfHandles标识, 每个句柄由UniqueProcessId来区分属于那个不同的进程.
-------《ProcessExplorer原理分析之句柄处理【原创】》
标签:
原文地址:http://www.cnblogs.com/Lthis/p/4200292.html
