获取进程句柄的详细信息

时间:2015-02-02 12:07:08

标签: c++ c windows winapi

我已经跑了" handle.exe -a \Device\0000006c"在命令行上" \Device\0000006c"是我的设备的物理对象名称,例如,麦克风和获得以下输出:

Handle v4.0
Copyright (C) 1997-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

svchost.exe        pid: 864    type: File           770: \Device\0000006c\global
svchost.exe        pid: 864    type: File           ECC: \Device\0000006c\global
svchost.exe        pid: 348    type: File           514: \Device\0000006c\global
svchost.exe        pid: 348    type: File           88C: \Device\0000006c\global
audiodg.exe        pid: 4592   type: File           1C4: \Device\0000006c
audiodg.exe        pid: 4592   type: File           1CC: \Device\0000006c

最后两行输出显示正在播放音频时audiodg.exe进程正在使用该设备。

audiodg.exe        pid: 4592   type: File           1CC: \Device\0000006c

我能够得到那个" 1CC"处理十六进制地址但是" \Device\0000006c"这里是与句柄相关联的名称或在句柄核心中搜索的其他内容。

我正试图通过以下链接获取处理信息

https://code.msdn.microsoft.com/windowsapps/CppFileHandle-03c8ea0b

但无法获取句柄的此类信息

DWORD EnumerateFileHandles(ULONG pid)
{
    HINSTANCE hNtDll = LoadLibrary(_T("ntdll.dll"));
assert(hNtDll != NULL);

PFN_NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = 
    (PFN_NTQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll, 
    "NtQuerySystemInformation");
assert(NtQuerySystemInformation != NULL);

PFN_NTQUERYINFORMATIONFILE NtQueryInformationFile = 
    (PFN_NTQUERYINFORMATIONFILE)GetProcAddress(hNtDll, 
    "NtQueryInformationFile");

DWORD nSize = 4096, nReturn;
PSYSTEM_HANDLE_INFORMATION pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION)
    HeapAlloc(GetProcessHeap(), 0, nSize);

while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo, 
    nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH)
{
    HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
    nSize += 4096;
    pSysHandleInfo = (SYSTEM_HANDLE_INFORMATION*)HeapAlloc(
        GetProcessHeap(), 0, nSize);
}
DWORD dwFiles = 0;

HANDLE hProcess = OpenProcess(
    PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
if (hProcess == NULL)
{
    _tprintf(_T("OpenProcess failed w/err 0x%08lx\n"), GetLastError());
    getchar();
    return -1;
}

for (ULONG i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
{
    PSYSTEM_HANDLE pHandle = &(pSysHandleInfo->Handles[i]);

    if(pHandle->ProcessId == pid)
    {
     int a=10;
    }

    if (pHandle->ProcessId == pid && 
        pHandle->ObjectTypeNumber == HANDLE_TYPE_FILE)
    {
        dwFiles++;  // Increase the number of file handles

        // Duplicate the handle in the current process
        HANDLE hCopy;
        if (!DuplicateHandle(hProcess, (HANDLE)pHandle->Handle, 
            GetCurrentProcess(), &hCopy, MAXIMUM_ALLOWED, FALSE, 0))
            continue;

        // Retrieve file name information about the file object.
        IO_STATUS_BLOCK ioStatus;
        PFILE_NAME_INFORMATION pNameInfo = (PFILE_NAME_INFORMATION)
            malloc(MAX_PATH * 2 * 2);
        DWORD dwInfoSize = MAX_PATH * 2 * 2;

        if (NtQueryInformationFile(hCopy, &ioStatus, pNameInfo, 
            dwInfoSize, FileNameInformation) == STATUS_SUCCESS)
        {
            // Get the file name and print it
            WCHAR wszFileName[MAX_PATH + 1];
            StringCchCopyNW(wszFileName, MAX_PATH + 1, 
                pNameInfo->FileName, /*must be WCHAR*/
                pNameInfo->FileNameLength /*in bytes*/ / 2);

            wprintf(L"0x%x:\t%s\n", pHandle->Handle, wszFileName);
        }
        free(pNameInfo);

        CloseHandle(hCopy);
    }
}

CloseHandle(hProcess);

HeapFree(GetProcessHeap(), 0, pSysHandleInfo);

// Return the number of file handles in the process
return dwFiles;
}


int _tmain(int argc, _TCHAR* argv[])
{
ULONG pid = GetCurrentProcessId();
DWORD dwFiles = EnumerateFileHandles(4592);

_tprintf(TEXT("\r\n"));

// Get file name from file handle using a file mapping object
HANDLE hFile;
hFile = CreateFile(TEXT("test.txt"), GENERIC_WRITE | GENERIC_READ,
    0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
    _tprintf(TEXT("CreateFile failed with %d\n"), GetLastError());
    return 0;
}

BYTE bWriteBuffer[] = "0123456789"; 
DWORD dwBytesWritten; 

// Write 11 bytes from the buffer to the file 
if (!WriteFile(hFile,                // File handle 
    bWriteBuffer,                    // Buffer to be write from 
    sizeof(bWriteBuffer),            // Number of bytes to write 
    &dwBytesWritten,                 // Number of bytes that were written 
    NULL))                           // No overlapped structure 
{ 
    // WriteFile returns FALSE because of some error 

    _tprintf(TEXT("Could not write to file w/err 0x%08lx\n"), GetLastError()); 
    CloseHandle(hFile); 
    return 0; 
} 

//GetFileNameFromHandle(hFile);
CloseHandle(hFile);

return 0;
}

任何帮助如何通过物理设备对象信息以编程方式搜索设备的进程使用情况。

1 个答案:

答案 0 :(得分:0)

您的代码仅使用给定流程的文件句柄 

if (pHandle->ProcessId == pid && pHandle->ObjectTypeNumber == HANDLE_TYPE_FILE)

当你通过SystemHandleInformation获得句柄时,你应该检查它的类型并根据它的类型做一些事情。正如您在示例中看到的那样,句柄是文件句柄,它通过NtQueryInformationFile获取文件名。所以你应该对你想要的每种句柄类型执行类似的任务。

在ntdll中使用NtQueryObject函数,可以获得句柄类型。在this example中,进程的每个句柄都用于根据类型打印一些信息。

相关问题
最新问题