首页 > 代码库 > 【转】SYSTEM_HANDLE_INFORMATION

【转】SYSTEM_HANDLE_INFORMATION

2024-10-22 13:14:02   208人阅读

typedef struct _SYSTEM_HANDLE_INFORMATION{    ULONG                ProcessId;    UCHAR                ObjectTypeNumber;    UCHAR                Flags;    USHORT               Handle;    PVOID                Object;    ACCESS_MASK          GrantedAccess;    /*    ProcessId:           进程标识符    ObjectTypeNumber;    打开的对象的类型    Flags:               句柄属性标志    Handle:              句柄数值,在进程打开的句柄中唯一标识某个句柄    Object:              这个就是句柄对应的EPROCESS的地址    GrantedAccess:       句柄对象的访问权限    */} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;ObjectTypeNumber的定义#define OB_TYPE_INDEX_TYPE 1 // [ObjT] "Type"#define OB_TYPE_INDEX_DIRECTORY 2 // [Dire] "Directory"#define OB_TYPE_INDEX_SYMBOLIC_LINK 3 // [Symb] "SymbolicLink"#define OB_TYPE_INDEX_TOKEN 4 // [Toke] "Token"#define OB_TYPE_INDEX_PROCESS 5 // [Proc] "Process"#define OB_TYPE_INDEX_THREAD 6 // [Thre] "Thread"#define OB_TYPE_INDEX_JOB 7 // [Job ] "Job"#define OB_TYPE_INDEX_EVENT 8 // [Even] "Event"#define OB_TYPE_INDEX_EVENT_PAIR 9 // [Even] "EventPair"#define OB_TYPE_INDEX_MUTANT 10 // [Muta] "Mutant"#define OB_TYPE_INDEX_CALLBACK 11 // [Call] "Callback"#define OB_TYPE_INDEX_SEMAPHORE 12 // [Sema] "Semaphore"#define OB_TYPE_INDEX_TIMER 13 // [Time] "Timer"#define OB_TYPE_INDEX_PROFILE 14 // [Prof] "Profile"#define OB_TYPE_INDEX_WINDOW_STATION 15 // [Wind] "WindowStation"#define OB_TYPE_INDEX_DESKTOP 16 // [Desk] "Desktop"#define OB_TYPE_INDEX_SECTION 17 // [Sect] "Section"#define OB_TYPE_INDEX_KEY 18 // [Key ] "Key"#define OB_TYPE_INDEX_PORT 19 // [Port] "Port"#define OB_TYPE_INDEX_WAITABLE_PORT 20 // [Wait] "WaitablePort"#define OB_TYPE_INDEX_ADAPTER 21 // [Adap] "Adapter"#define OB_TYPE_INDEX_CONTROLLER 22 // [Cont] "Controller"#define OB_TYPE_INDEX_DEVICE 23 // [Devi] "Device"#define OB_TYPE_INDEX_DRIVER 24 // [Driv] "Driver"#define OB_TYPE_INDEX_IO_COMPLETION 25 // [IoCo] "IoCompletion"#define OB_TYPE_INDEX_FILE 26 // [File] "File"#define OB_TYPE_INDEX_WMI_GUID 27 // [WmiG] "WmiGuid"

使用时应注意,返回到缓冲区的首先是一个ULONG类型的数据,表示有多少数组

  使用NtQuerySystemInformation函数的SystemHandleInformation=16号功能.  其相关结构定义如下:  typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO{      USHORT UniqueProcessId;      USHORT CreatorBackTraceIndex;      UCHAR ObjectTypeIndex;      UCHAR HandleAttributes;      USHORT HandleValue;      PVOID Object;      ULONG GrantedAccess;  } SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;  typedef struct _SYSTEM_HANDLE_INFORMATION{      ULONG NumberOfHandles;      SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];  } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;  该功能号获取系统内所有进程的句柄放在Handles里,个数由NumberOfHandles标识,  每个句柄由UniqueProcessId来区分属于那个不同的进程.
                                              

                                     -------《ProcessExplorer原理分析之句柄处理【原创】

【转】SYSTEM_HANDLE_INFORMATION


联系
我们