| 发表于:2007-03-17 11:14:15 楼主 |
procexp.exe中有一项功能可以完成以下功能:将某一个进程中的所有句柄枚举出来,并且能够列出相应的句柄类型和对应的名称。 我自己写了一个程序,能将某个进程中的文件句柄列出来,但是在文件句柄的名称时,只能列出文件的路径和名称,而无法将其所在的盘符列出,请各位xdjm们帮忙看看,是不是应该用其他的api函数调用呀?下面是我的代码:
// NOTE(review): this listing went through a forum that lowercased every
// identifier and inserted spaces inside string literals (e.g. "nul ",
// "ntdll.dll "); the original presumably used the usual Win32 spelling
// (HANDLE, NULL, WINAPI, ...). Tokens are kept exactly as they appear on
// the page; only layout and comments were added.
#include <windows.h>
#include <stdio.h>
#include <assert.h>
#include <psapi.h>
#include <tchar.h>
// Project-local header, not shown on the page: presumably declares the
// system-handle-table types (psystem_handle_information with its ucount /
// ash[] fields) and the ntstatus constants used below.
#include "ntdll.h "
#pragma comment(lib, "psapi.lib ")
#define uint dword
// Yields the size of x in BYTES, not its element count
// (that would be sizeof(x) / sizeof((x)[0])); unused in the visible code.
#define max_array_items(x) sizeof(x)
// Hard-coded PID of the process whose handles are to be listed; unused in
// the part of the listing visible here.
#define the_processid 728
// Process heap, assigned in _tmain; every allocation below is taken from it.
handle hheap;
// Function-pointer types for the two ntdll exports resolved at runtime in
// _tmain. After lowercasing, the typedef name and the variable that holds
// the pointer have become identical; the original presumably distinguished
// them by case.
typedef ntstatus (winapi* pntquerysysteminformation)(systeminfoclass , pvoid , ulong , pulong );
typedef ntstatus (winapi* pntqueryinformationfile)(handle , pio_status_block ,pvoid , ulong , file_information_class);
pntquerysysteminformation pntquerysysteminformation;
pntqueryinformationfile pntqueryinformationfile;

/*
 * Fetch one system information table by class.
 *
 * Starts with a 32 KiB heap buffer and doubles it for as long as the call
 * reports status_info_length_mismatch. Returns the filled buffer on
 * success -- ownership passes to the caller, who frees it with
 * heapfree(hheap, 0, ...) -- or null on allocation failure or any other
 * status.
 *
 * NOTE(review): the doubling has no ceiling; msize is a ulong, so a
 * request that keeps growing would eventually wrap instead of failing --
 * confirm whether an upper bound is wanted. mrequired is only written by
 * the call, never read. The buffer is zeroed by memset rather than by
 * passing heap_zero_memory to heapalloc.
 */
pvoid getinfotable( in ulong atabletype ) {
    ulong msize = 0x8000, mrequired;
    pvoid mptr;
    ntstatus status;
    do {
        mptr = heapalloc(hheap, 0, msize);
        if (!mptr) return null;
        memset(mptr, 0, msize);
        status = pntquerysysteminformation((systeminfoclass)atabletype, mptr, msize, &mrequired);
        if (status == status_info_length_mismatch) {
            // Too small: release and retry with twice the size.
            heapfree(hheap, 0, mptr);
            msize = msize * 2;
        }
    } while (status == status_info_length_mismatch);
    if (nt_success(status)) return mptr;
    heapfree(hheap, 0, mptr);
    return null;
}

/*
 * Learn the numeric object-type index this system assigns to File objects:
 * open the "nul" device, fetch the system handle table, and find our own
 * handle in it (matched on handle value and owning process id).
 *
 * Returns the objecttype byte of the matching entry, or 0 if the open,
 * the table query, or the lookup fails. 0 is therefore an in-band
 * "unknown" sentinel; callers must check for it before comparing types.
 *
 * NOTE(review): the handle is truncated to ushort for the comparison;
 * presumably the table entry's handle field is 16 bits wide -- verify
 * against the ntdll.h used here.
 */
uchar getfilehandletype() {
    handle hfile;
    psystem_handle_information info;
    ulong r;
    uchar result = 0;
    hfile = createfile( "nul ", generic_read, 0, null, open_existing, 0, 0);
    if (hfile != invalid_handle_value) {
        info = (psystem_handle_information)getinfotable(systemhandleinformation);
        if (info) {
            for (r = 0; r < info-> ucount; r++) {
                if (info-> ash[r].handle == (ushort)hfile && info-> ash[r].uidprocess == getcurrentprocessid()) {
                    result = info-> ash[r].objecttype;
                    break;
                }
            }
            heapfree(hheap, 0, info);
        }
        closehandle(hfile);
    }
    return result;
}

/*
 * Parameter block for getfilenamethread. info and name are deliberately
 * adjacent: the thread passes sizeof(nm_info) - sizeof(handle) as the
 * output length, so the name buffer is taken to run from info through the
 * end of name. This assumes no padding between hfile and info -- TODO
 * confirm for the target architecture.
 */
typedef struct _nm_info {
    handle hfile;
    file_name_information info;
    wchar name[max_path];
} nm_info, *pnm_info;

/*
 * Thread body: query filenameinformation for nminfo->hfile into the
 * embedded buffer.
 *
 * NOTE(review): the returned ntstatus is discarded, so on failure
 * nminfo->info.filenamelength keeps whatever the (non-zeroed) heap block
 * already contained; getfilename then reads that length unconditionally.
 */
dword winapi getfilenamethread(pvoid lpparameter) {
    pnm_info nminfo = (pnm_info)lpparameter;
    io_status_block iostatus;
    pntqueryinformationfile(nminfo-> hfile, &iostatus, &nminfo-> info, sizeof(nm_info) - sizeof(handle), filenameinformation);
    return 0;
}

/*
 * Resolve the name of file handle hfile into thename (max_path bytes, ANSI).
 *
 * The query runs on a separate thread, presumably so that a handle whose
 * name query blocks could be abandoned. As written that never happens:
 * waitforsingleobject is called with infinite, which cannot return
 * wait_timeout, so the terminatethread branch is dead and a blocking query
 * still hangs the caller. Were that branch ever taken, terminatethread
 * would also abandon whatever lock the worker held, ahead of the heapfree
 * below.
 *
 * NOTE(review): the heapalloc and createthread results are unchecked (a
 * null hthread makes waitforsingleobject fail and execution falls
 * through). The block is allocated with flags 0, i.e. not zeroed, so after
 * a failed query filenamelength is uninitialized when it reaches
 * widechartomultibyte. filenamelength is a byte count; `> > 1` is a pasted
 * `>> 1` turning it into a wchar count. thename is zeroed first, but a
 * name that fills all max_path output bytes is left without a terminator.
 *
 * The name filenameinformation yields is relative to the volume device,
 * i.e. without a drive letter -- presumably the behaviour the post asks
 * about; mapping the device to a drive letter is a separate lookup that
 * this function does not perform.
 */
void getfilename(handle hfile, pchar thename) {
    handle hthread;
    pnm_info info = (pnm_info)heapalloc(hheap, 0, sizeof(nm_info));
    info-> hfile = hfile;
    hthread = createthread(null, 0, getfilenamethread, info, 0, null);
    if (waitforsingleobject(hthread, infinite) == wait_timeout)
        terminatethread(hthread, 0);
    closehandle(hthread);
    memset(thename, 0, max_path);
    widechartomultibyte(cp_acp, 0, info-> info.filename, info-> info.filenamelength > > 1, thename, max_path, null, null);
    heapfree(hheap, 0, info);
}

/*
 * Entry point. The body continues past the end of the page; it is cut off
 * right after the getfilehandletype call, so hprocess, hfile, info, r and
 * name are declared for code not shown here.
 *
 * Resolves ntquerysysteminformation and ntqueryinformationfile from
 * ntdll.dll via getprocaddress, then takes the process heap and the File
 * object-type index. Each failure path prints a message and returns 0 --
 * the same exit code as success, so a caller cannot tell them apart.
 */
int _tmain(int argc, _tchar* argv[]) {
    psystem_handle_information info;
    ulong r;
    char name[max_path];
    handle hprocess, hfile;
    uchar obfiletype;
    hmodule hntdll;
    hntdll = loadlibrary( "ntdll.dll ");
    if (hntdll == null) {
        printf( "cann 't load ntdll.dll\n ");
        return 0;
    }
    pntquerysysteminformation = (pntquerysysteminformation)getprocaddress(hntdll, "ntquerysysteminformation ");
    if (pntquerysysteminformation == null) {
        printf( "cann 't find the address of ntquerysysteminformation\n ");
        return 0;
    }
    pntqueryinformationfile = (pntqueryinformationfile)getprocaddress(hntdll, "ntqueryinformationfile ");
    if (pntqueryinformationfile == null) {
        printf( "cann 't find the address of ntqueryinformationfile\n ");
        return 0;
    }
    // hheap must be set before any helper allocates from it.
    hheap = getprocessheap();
    obfiletype = getfilehandletype();
    //printf( "obfiletype is %x\n ", obfiletype); |