2016-08-23 106 views
0

我正在編寫一個列出打開的文件句柄的程序。其實我得到的結果太多了。我的列表包含病毒掃描程序之類的東西。我得到一堆對象類型43,看起來不像我想要的。有沒有這些值的列表在任何地方?是否有SYSTEM_HANDLE_ENTRY.ObjectType的可能值列表?

+1

這些都沒有記錄由MSFT。你的選擇是爲類型信息調用Nt/ZwQueryObject(),或者相信其他人對枚舉的假設 - 例如。看看Process Hacker項目的源代碼。 –

回答

2

您可以致電NtQueryObject與指定ObjectTypesInformation信息類。這會爲您提供有關係統中當前註冊的所有對象類型的信息。使用SYSTEM_HANDLE_ENTRY.ObjectType作爲返回數組的索引,以獲取有關相應對象類型的信息。或者,您可以使用NtQueryObjectObjectTypeInformation來獲取有關給定對象(由其句柄指定)的類型信息。

此代碼應檢索所有類型的對象的信息。

typedef enum _OBJECT_INFORMATION_CLASS { 
    ObjectBasicInformation, 
    ObjectNameInformation, 
    ObjectTypeInformation, 
    ObjectTypesInformation, 
    ObjectHandleFlagInformation, 
    ObjectSessionInformation, 
} OBJECT_INFORMATION_CLASS; 

typedef struct _OBJECT_TYPE_INFORMATION { 
    UNICODE_STRING TypeName; 
    ULONG TotalNumberOfObjects; 
    ULONG TotalNumberOfHandles; 
    ULONG TotalPagedPoolUsage; 
    ULONG TotalNonPagedPoolUsage; 
    ULONG TotalNamePoolUsage; 
    ULONG TotalHandleTableUsage; 
    ULONG HighWaterNumberOfObjects; 
    ULONG HighWaterNumberOfHandles; 
    ULONG HighWaterPagedPoolUsage; 
    ULONG HighWaterNonPagedPoolUsage; 
    ULONG HighWaterNamePoolUsage; 
    ULONG HighWaterHandleTableUsage; 
    ULONG InvalidAttributes; 
    GENERIC_MAPPING GenericMapping; 
    ULONG ValidAccessMask; 
    BOOLEAN SecurityRequired; 
    BOOLEAN MaintainHandleCount; 
    ULONG PoolType; 
    ULONG DefaultPagedPoolCharge; 
    ULONG DefaultNonPagedPoolCharge; 
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; 

typedef struct _OBJECT_TYPES_INFORMATION { 
    LONG NumberOfTypes; 
// OBJECT_TYPE_INFORMATION TypeInformation [1]; 
} OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION; 

NTSTATUS QueryObjectTypesInfo(POBJECT_TYPES_INFORMATION *TypesInfo) 
{ 
    ULONG StartBufferLength = 28; 
    ULONG BufferLength = 0; 
    NTSTATUS status = 0xC0000001; 

    status = STATUS_SUCCESS; 
    *TypesInfo = (POBJECT_TYPES_INFORMATION)malloc(StartBufferLength); 
    if (*TypesInfo != NULL) { 
    status = NtQueryObject(NULL, ObjectTypesInformation, TypesInfo, StartBufferLength, &BufferLength); 
    if (status == STATUS_INFO_LENGTH_MISMATCH) { 
     *TypesInfo = NULL; 
     while (status == STATUS_INFO_LENGTH_MISMATCH) { 
     if (*TypesInfo != NULL) 
      free(*TypesInfo); 

     *TypesInfo = (POBJECT_TYPES_INFORMATION)malloc(BufferLength); 
     if (*TypesInfo != NULL) 
      status = NtQueryObject(NULL, ObjectTypesInformation, *TypesInfo, BufferLength, &BufferLength); 
     else status = STATUS_INSUFFICIENT_RESOURCES; 
     } 

     if (!NT_SUCCESS(status)) { 
     if (*TypesInfo != NULL) { 
      free(*TypesInfo); 
      *TypesInfo = NULL; 
     } 
     } 
    } 
    } else status = STATUS_INSUFFICIENT_RESOURCES; 

    return status; 
} 

正如上面的評論所述,這個東西是相當無證的。然而,上面的代碼(稍作修改..例如,你需要得到NtQueryObject程序的地址,並定義一些NTSTATUS contants)對我的作品在64位Windows 8.1。

對於一個完整的代碼(這是很舊的和在捷克評論),從我的(捷克)網站上下載這個項目: https://jadro-windows.cz/download/ntqueryobject.zip

使用qo.exe --list-types命令獲取類型信息

相關問題