[原创]在三环下获取指定进程中所有的句柄信息,并列出内核对象地址

#include

#include

#include

 

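#include <stdlib.h>   // strtoul: the target PID is read from the command line

// NtQuerySystemInformation class that returns the system-wide handle table.
#define SystemHandleInformation 0x10

// Initial buffer size for the handle table (20 MiB). Busy systems can exceed
// this, so QueryHandleTable() grows the buffer on STATUS_INFO_LENGTH_MISMATCH
// instead of trusting the constant. Parenthesised so the macro is expression-safe.
#define SystemHandleInformationSize (1024 * 1024 * 20)

// Upper bound for the handle-table buffer; keeps the retry loop from growing
// without limit if the system keeps reporting a length mismatch.
#define SystemHandleInformationMaxSize (256 * 1024 * 1024)

// <ntstatus.h> is not pulled in by <windows.h> by default, so provide the two
// NTSTATUS helpers this program needs when the build does not define them.
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

// NtQuerySystemInformation is resolved from ntdll at run time (no import
// library is needed).
using fnNtQuerySystemInformation = NTSTATUS(WINAPI *)(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength);

// One entry of the handle table as returned for SystemHandleInformation.
// The process id and handle value are only 16 bits wide here: PIDs or handle
// values above 0xFFFF are truncated. SystemExtendedHandleInformation (0x40)
// returns full-width fields if that matters.
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
    USHORT UniqueProcessId;        // owning process id (low 16 bits)
    USHORT CreatorBackTraceIndex;
    UCHAR  ObjectTypeIndex;        // index into the kernel object type table
    UCHAR  HandleAttributes;       // OBJ_* attribute flags of the handle
    USHORT HandleValue;            // handle value in the owning process (low 16 bits)
    PVOID  Object;                 // kernel-mode address of the object; only meaningful to kernel code / a kernel debugger
    ULONG  GrantedAccess;          // access mask granted when the handle was opened
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;

// Buffer layout for SystemHandleInformation: a count followed by
// NumberOfHandles entries (Handles[1] is the classic trailing-array idiom;
// the real array extends past the end of the struct).
typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG NumberOfHandles;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

// Fetch the system handle table.
// Returns a buffer from the process heap that the caller releases with
// HeapFree(GetProcessHeap(), 0, p), or NULL on allocation/query failure.
// The buffer is grown until the call stops returning
// STATUS_INFO_LENGTH_MISMATCH: the table can change between two calls, so the
// reported ReturnLength may already be stale when the retry is made.
static PSYSTEM_HANDLE_INFORMATION QueryHandleTable(fnNtQuerySystemInformation query)
{
    ULONG size = SystemHandleInformationSize;
    for (;;)
    {
        PSYSTEM_HANDLE_INFORMATION table =
            (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, size);
        if (table == NULL)
        {
            return NULL;
        }

        ULONG returnLength = 0;
        NTSTATUS status = query(SystemHandleInformation, table, size, &returnLength);
        if (NT_SUCCESS(status))
        {
            return table;
        }

        HeapFree(GetProcessHeap(), 0, table);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
        {
            return NULL;
        }

        // Retry with a larger buffer: double the larger of our guess and the
        // reported length so the loop converges even if the table keeps growing.
        ULONG needed = (returnLength > size) ? returnLength : size;
        if (needed > SystemHandleInformationMaxSize / 2)
        {
            return NULL;
        }
        size = needed * 2;
    }
}

// Print one line per handle owned by targetPid. Returns the number of entries printed.
static ULONG PrintHandlesForPid(const SYSTEM_HANDLE_INFORMATION *table, USHORT targetPid)
{
    ULONG printed = 0;
    for (ULONG i = 0; i < table->NumberOfHandles; i++)
    {
        const SYSTEM_HANDLE_TABLE_ENTRY_INFO *entry = &table->Handles[i];
        // Entries of other processes are skipped rather than treated as the end
        // of the table; the table is not guaranteed to start with the target
        // process, so an early break would print nothing for most PIDs.
        if (entry->UniqueProcessId != targetPid)
        {
            continue;
        }
        printf_s("handle 0x%x at 0x%p, pid: %x\n", entry->HandleValue, entry->Object, entry->UniqueProcessId);
        printed++;
    }
    return printed;
}

// Usage: <program> [pid-in-hex]
// Lists the handles of one process together with the kernel address of each
// object. The PID defaults to 0x1234 (the value hard-coded in the original
// listing) when no argument is given. Returns 0 on success, 1 on any failure.
int main(int argc, char **argv)
{
    // Target process id, given in hexadecimal on the command line.
    unsigned long targetPid = 0x1234;
    if (argc > 1)
    {
        char *end = NULL;
        targetPid = strtoul(argv[1], &end, 16);
        if (end == argv[1] || *end != '\0')
        {
            printf_s("usage: %s [pid-in-hex]\n", argv[0]);
            return 1;
        }
    }
    // UniqueProcessId is a USHORT in this information class; a larger PID can
    // never match, so fail loudly instead of silently printing nothing.
    if (targetPid > 0xFFFF)
    {
        printf_s("pid 0x%lx does not fit the 16-bit UniqueProcessId field; use SystemExtendedHandleInformation instead\n", targetPid);
        return 1;
    }

    // GetModuleHandleW is used explicitly because the name is a wide literal;
    // the plain GetModuleHandle macro only accepts it in a UNICODE build.
    fnNtQuerySystemInformation ntQuerySystemInformation =
        (fnNtQuerySystemInformation)GetProcAddress(GetModuleHandleW(L"ntdll"), "NtQuerySystemInformation");
    if (ntQuerySystemInformation == NULL)
    {
        printf_s("NtQuerySystemInformation not found in ntdll\n");
        return 1;
    }

    PSYSTEM_HANDLE_INFORMATION handleTable = QueryHandleTable(ntQuerySystemInformation);
    if (handleTable == NULL)
    {
        printf_s("NtQuerySystemInformation(SystemHandleInformation) failed\n");
        return 1;
    }

    PrintHandlesForPid(handleTable, (USHORT)targetPid);
    HeapFree(GetProcessHeap(), 0, handleTable);
    return 0;
}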

原文链接:https://bbs.kanxue.com/thread-277291.htm

网络摘文,本文作者:15h,如若转载,请注明出处:https://www.15cov.cn/2023/08/27/原创在三环下获取指定进程中所有的句柄信息,并/
