文件-进程关联演示程序
2008-03-18 17:34
1、首先使用ZwQuerySystemInformation查询所有进程句柄,
2、获取句柄所代表对象信息,查出目标文件。核心态程序相对简单,对于
用户态程序,使用ZwQueryInformationFile同时与GetFileInformationByHandle、
GetVolumeInformation二API搭配获得之(前者得文件除去卷的路径名,后二者
得卷名);另外可用ZwQueryObject。
3、综合1,2即完成
演示一:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
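// Minimal native-API declarations used by this demo. The authoritative
// definitions live in the DDK / winternl.h headers, which a user-mode
// project compiled against windows.h does not include, so they are
// re-declared here. (The page's paste had lost the whitespace between
// type and member names, which does not compile; restored below.)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
typedef LONG NTSTATUS;
// Completion status of a native I/O call. Information is the byte count
// produced by the call; this demo only looks at Status.
typedef struct _IO_STATUS_BLOCK
{
    NTSTATUS Status;
    ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
// Counted UTF-16 string. Length and MaximumLength are in BYTES, not
// characters, and Buffer is not guaranteed to be NUL-terminated.
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// OBJECT_ATTRIBUTES flag values (declared for completeness; unused here).
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L
// Object-open descriptor for the Zw* open/create family (unused here).
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
// One entry of the SystemHandleInformation (class 16) table. The table is
// returned as a ULONG entry count followed by this array.
// NOTE(review): this is the 32-bit layout. ProcessId overlays the
// USHORT UniqueProcessId + USHORT CreatorBackTraceIndex pair of the
// documented entry, so it reads correctly only while the latter is 0, and
// the 64-bit entry has different padding — confirm before building as x64.
typedef struct _SYSTEM_HANDLE_INformATION {
    ULONG ProcessId;          // owning process id (see note above)
    UCHAR ObjectTypeNumber;   // kernel object-type index; discovered at run time in main()
    UCHAR Flags;
    USHORT Handle;            // handle value in the owning process, truncated to 16 bits
    PVOID Object;             // kernel object address (unused by this demo)
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INformATION, *PSYSTEM_HANDLE_INformATION;
// FileNameInformation (class 9) result: FileNameLength is in BYTES and
// FileName is neither NUL-terminated nor prefixed with the volume.
typedef struct _FILE_NAME_INformATION {
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_NAME_INformATION, *PFILE_NAME_INformATION;
typedef NTSTATUS (CALLBACK* ZWQUERYSYSTEMINformATION)(
    IN ULONG SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL);
typedef NTSTATUS (CALLBACK* ZWQUERYINformATIONFILE)(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG FileInformationLength,
    IN ULONG FileInformationClass);
// Resolved by InitNTDLL(); NULL until then and again after CloseNTDLL().
ZWQUERYSYSTEMINformATION ZwQuerySystemInformation;
ZWQUERYINformATIONFILE ZwQueryInformationFile;
HMODULE g_hNtDLL = NULL;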
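// Loads ntdll.dll and resolves the two native entry points this demo uses.
// Returns FALSE — and leaves nothing loaded — if the module or either export
// cannot be resolved, so callers never call through a NULL function pointer
// (the original returned TRUE regardless of the GetProcAddress results).
BOOL InitNTDLL()
{
    g_hNtDLL = LoadLibrary("ntdll.dll");
    if (!g_hNtDLL)
    {
        return FALSE;
    }
    ZwQuerySystemInformation =
        (ZWQUERYSYSTEMINformATION)GetProcAddress(g_hNtDLL, "ZwQuerySystemInformation");
    ZwQueryInformationFile =
        (ZWQUERYINformATIONFILE)GetProcAddress(g_hNtDLL, "ZwQueryInformationFile");
    if (ZwQuerySystemInformation == NULL || ZwQueryInformationFile == NULL)
    {
        // Undo the load so CloseNTDLL() stays balanced with this call.
        FreeLibrary(g_hNtDLL);
        g_hNtDLL = NULL;
        return FALSE;
    }
    return TRUE;
}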
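// Releases the ntdll.dll reference taken by InitNTDLL() and clears the cached
// module handle and function pointers, so a second call is a no-op and no
// caller can use a stale pointer after the module reference is dropped.
VOID CloseNTDLL()
{
    if (g_hNtDLL == NULL)
        return;
    FreeLibrary(g_hNtDLL);
    g_hNtDLL = NULL;
    ZwQuerySystemInformation = NULL;
    ZwQueryInformationFile = NULL;
}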
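// Takes a snapshot of the system-wide handle table via
// ZwQuerySystemInformation(SystemHandleInformation).
// Returns a heap array owned by the caller (release with delete[]): the first
// ULONG is the entry count, followed by the SYSTEM_HANDLE_INformATION entries.
// Returns NULL if the query fails with anything other than a size mismatch.
// The buffer is grown until the kernel stops reporting
// STATUS_INFO_LENGTH_MISMATCH; the table can change between attempts, which
// is why this is a loop rather than a single query-then-allocate.
PULONG GetHandleList()
{
    const ULONG kSystemHandleInformation = 16;  // SYSTEM_INFORMATION_CLASS value
    ULONG cbBuffer = 0x1000;                    // element count (ULONGs), not bytes
    PULONG pBuffer = new ULONG[cbBuffer];
    NTSTATUS Status;
    DWORD dwNumBytesRet = 0x10;
    do
    {
        Status = ZwQuerySystemInformation(
            kSystemHandleInformation,
            pBuffer,
            cbBuffer * sizeof *pBuffer,
            &dwNumBytesRet);
        if (Status == STATUS_INFO_LENGTH_MISMATCH)
        {
            delete[] pBuffer;
            // Double by default; when the kernel reported a larger need, jump
            // straight to it. The hint is not reliable on every Windows
            // version, so doubling remains the floor.
            cbBuffer *= 2;
            ULONG needed = (dwNumBytesRet + sizeof *pBuffer - 1) / sizeof *pBuffer;
            if (needed > cbBuffer)
                cbBuffer = needed;
            pBuffer = new ULONG[cbBuffer];
        }
        else if (!NT_SUCCESS(Status))
        {
            delete[] pBuffer;
            return NULL;
        }
    }
    while (Status == STATUS_INFO_LENGTH_MISMATCH);
    return pBuffer;
}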
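// Duplicates `handle`, which belongs to process `PId`, into the current
// process with the same access rights. Returns 0 when the process cannot be
// opened (typically access denied for a higher-privileged process) or the
// duplication fails; the caller owns a non-zero result and must CloseHandle()
// it. The local no longer shadows the function name, and the magic values
// passed to DuplicateHandle are spelled out.
HANDLE DupHandle(DWORD PId, HANDLE handle)
{
    HANDLE hLocal = 0;
    HANDLE hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, PId);
    if (hProcess == NULL)
    {
        return 0;
    }
    if (!DuplicateHandle(hProcess, handle, GetCurrentProcess(), &hLocal,
                         0, FALSE, DUPLICATE_SAME_ACCESS))
    {
        hLocal = 0;
    }
    CloseHandle(hProcess);
    return hLocal;
}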
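// Volume serial number of each present drive letter, indexed A=0 .. Z=25.
// Absent or unreadable drives hold 0. Filled by InitVolumeName().
DWORD Volumeserial[26];
// Records the serial number of every mounted volume so that GetVolumeName()
// can map a file handle's volume back to a drive letter.
// GetVolumeInformation requires the root-path form "X:\" (the page's paste had
// turned the backslashes into slashes, which the API rejects).
void InitVolumeName()
{
    DWORD disk = GetLogicalDrives();
    for (int i = 0; i < 26; i++)
    {
        Volumeserial[i] = 0;
        if (!(disk & (1u << i)))
            continue;
        char root[] = "A:\\";
        root[0] = (char)('A' + i);
        // Fails for drives without media (empty removable drive); keep the
        // slot at 0 so a stale value can never be matched later.
        if (!GetVolumeInformation(root, NULL, 0, &Volumeserial[i], NULL, NULL, NULL, 0))
            Volumeserial[i] = 0;
    }
}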
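// Maps a file handle to the drive letter of the volume it lives on by comparing
// the handle's volume serial with the table built by InitVolumeName().
// Returns L'!' when the handle is not a file-system object or its volume is
// not in the table. Slots still at 0 (no drive) are skipped so that an unset
// slot never matches — the original compared against all 26 entries.
wchar_t GetVolumeName(HANDLE hFile)
{
    BY_HANDLE_FILE_INFORMATION info;
    if (!GetFileInformationByHandle(hFile, &info))
        return L'!';
    for (int i = 0; i < 26; i++)
    {
        if (Volumeserial[i] != 0 && info.dwVolumeSerialNumber == Volumeserial[i])
            return (wchar_t)(L'A' + i);
    }
    return L'!';
}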
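// Finds the object-type index the kernel uses for File objects by locating
// our own probe handle `hProbe` in the snapshot `buf` (count-prefixed table
// from GetHandleList()). Discovering it at run time avoids hard-coding a
// number that differs between Windows versions. Returns TRUE and sets
// *typeNum on success, FALSE if the probe handle is not in the table.
static BOOL FindFileTypeNumber(PULONG buf, HANDLE hProbe, UCHAR *typeNum)
{
    DWORD myPid = GetCurrentProcessId();
    PSYSTEM_HANDLE_INformATION entry = (PSYSTEM_HANDLE_INformATION)&buf[1];
    for (ULONG i = 0; i < buf[0]; i++, entry++)
    {
        if (entry->ProcessId == myPid && entry->Handle == (USHORT)(ULONG_PTR)hProbe)
        {
            *typeNum = entry->ObjectTypeNumber;
            return TRUE;
        }
    }
    return FALSE;
}

// Builds "X:\path" for a duplicated file handle: the drive letter comes from
// the handle's volume serial (GetVolumeName) and the volume-relative path from
// FileNameInformation (class 9). `scratch` (scratchBytes long) receives the
// native query result. Returns FALSE if the name cannot be obtained, the volume
// is unknown, the kernel truncated the name, or the result would not fit in
// `out` (outCount characters).
static BOOL BuildDosPath(HANDLE handle, char *scratch, ULONG scratchBytes,
                         wchar_t *out, size_t outCount)
{
    const ULONG kFileNameInformation = 9;  // FILE_INFORMATION_CLASS value
    IO_STATUS_BLOCK ios;
    PFILE_NAME_INformATION name = (PFILE_NAME_INformATION)scratch;
    ZeroMemory(scratch, scratchBytes);
    // NOTE(review): this query can block indefinitely on some handle types
    // (synchronous pipes in particular); a hardened tool runs it on a worker
    // thread with a timeout. Not handled in this demo.
    NTSTATUS status = ZwQueryInformationFile(handle, &ios, scratch, scratchBytes,
                                             kFileNameInformation);
    if (!NT_SUCCESS(status))
        return FALSE;
    // A truncated result still passes NT_SUCCESS (warning status); make sure
    // FileNameLength describes bytes that are actually inside `scratch`.
    if (name->FileNameLength > scratchBytes - sizeof(ULONG))
        return FALSE;
    wchar_t volume = GetVolumeName(handle);
    if (volume == L'!')
        return FALSE;
    // FileNameLength is in BYTES; the original indexed `out` by it, which
    // overruns the 1000-character array for names longer than ~500 chars.
    size_t nameChars = name->FileNameLength / sizeof(WCHAR);
    if (2 + nameChars + 1 > outCount)
        return FALSE;
    out[0] = volume;
    out[1] = L':';
    memcpy(&out[2], name->FileName, nameChars * sizeof(WCHAR));
    out[2 + nameChars] = 0;
    return TRUE;
}

// Entry point: QueryProc <file>. Prints every process that currently holds an
// open handle to <file> (given as a full path such as C:\dir\name).
// Needs the right to open other processes with PROCESS_DUP_HANDLE; processes
// that cannot be opened (e.g. when not elevated) are silently skipped, so an
// empty result does not prove the file is unused. The snapshot is a point-in-
// time view: handles closed in the meantime simply fail to duplicate.
int main(int argc, char *argv[])
{
    if (argc < 2)
    {
        printf("QueryProc filename\n");
        exit(1);
    }
    wchar_t filename[1000];
    // Convert at most 999 characters so the terminator always fits.
    int num = MultiByteToWideChar(CP_OEMCP, MB_PRECOMPOSED, argv[1],
                                  (int)strlen(argv[1]), filename, 999);
    if (num <= 0)
    {
        printf("QueryProc: cannot convert filename\n");
        exit(1);
    }
    filename[num] = 0;
    printf("begin:\n");
    if (!InitNTDLL())
    {
        printf("QueryProc: cannot resolve ntdll exports\n");
        exit(1);
    }
    InitVolumeName();
    char namebuf[2000];
    // Open our own executable as a probe: its entry in the snapshot tells us
    // which object-type index means "File".
    HANDLE hTmp = INVALID_HANDLE_VALUE;
    if (GetModuleFileName(NULL, namebuf, MAX_PATH) != 0)
        hTmp = CreateFile(namebuf, GENERIC_READ, FILE_SHARE_READ, 0,
                          OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
    if (hTmp == INVALID_HANDLE_VALUE)
    {
        printf("QueryProc: cannot open probe file\n");
        CloseNTDLL();
        exit(1);
    }
    PULONG buf = GetHandleList();
    UCHAR TypeNum = 0;
    BOOL haveType = (buf != NULL) && FindFileTypeNumber(buf, hTmp, &TypeNum);
    CloseHandle(hTmp);
    if (!haveType)
    {
        // Covers both a failed query and a probe handle missing from the
        // table; the original left TypeNum uninitialized in that case.
        printf("QueryProc: cannot enumerate handles\n");
        delete[] buf;
        CloseNTDLL();
        exit(1);
    }
    PSYSTEM_HANDLE_INformATION info = (PSYSTEM_HANDLE_INformATION)&buf[1];
    for (ULONG i = 0; i < buf[0]; i++, info++)
    {
        if (info->ObjectTypeNumber != TypeNum)
            continue;
        HANDLE handle = DupHandle(info->ProcessId, (HANDLE)(ULONG_PTR)info->Handle);
        if (handle == 0)
            continue;  // process not openable, or handle already gone
        wchar_t outstr[1000];
        if (BuildDosPath(handle, namebuf, sizeof namebuf, outstr, 1000)
            && _wcsicmp(outstr, filename) == 0)
        {
            printf("%ws\nProcessId:%lu\n", outstr, (unsigned long)info->ProcessId);
        }
        CloseHandle(handle);
    }
    delete[] buf;
    CloseNTDLL();
    return 0;
}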
演示二:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
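// Minimal native-API declarations used by this demo. The authoritative
// definitions live in the DDK / winternl.h headers, which a user-mode
// project compiled against windows.h does not include, so they are
// re-declared here. (The page's paste had lost the whitespace between
// type and member names, which does not compile; restored below.)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
typedef LONG NTSTATUS;
// Completion status of a native I/O call (declared for the ZwOpenFile
// prototype below; unused by this demo's logic).
typedef struct _IO_STATUS_BLOCK
{
    NTSTATUS Status;
    ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
// Counted UTF-16 string. Length and MaximumLength are in BYTES, not
// characters, and Buffer is not guaranteed to be NUL-terminated.
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// OBJECT_ATTRIBUTES flag values (declared for completeness; unused here).
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L
// Object-open descriptor for the Zw* open/create family (unused here).
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
// One entry of the SystemHandleInformation (class 16) table. The table is
// returned as a ULONG entry count followed by this array.
// NOTE(review): this is the 32-bit layout. ProcessId overlays the
// USHORT UniqueProcessId + USHORT CreatorBackTraceIndex pair of the
// documented entry, so it reads correctly only while the latter is 0, and
// the 64-bit entry has different padding — confirm before building as x64.
typedef struct _SYSTEM_HANDLE_INformATION {
    ULONG ProcessId;          // owning process id (see note above)
    UCHAR ObjectTypeNumber;   // kernel object-type index; discovered at run time in main()
    UCHAR Flags;
    USHORT Handle;            // handle value in the owning process, truncated to 16 bits
    PVOID Object;             // kernel object address (unused by this demo)
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INformATION, *PSYSTEM_HANDLE_INformATION;
// ObjectNameInformation (class 1) result: Name.Buffer points just past this
// header inside the caller's buffer and holds the kernel object path
// (e.g. a \Device\... name), not a DOS path.
typedef struct _OBJECT_NAME_INformATION {
    UNICODE_STRING Name;
} OBJECT_NAME_INformATION, *POBJECT_NAME_INformATION;
typedef NTSTATUS (CALLBACK* ZWQUERYSYSTEMINformATION)(
    IN ULONG SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL);
// Declared but not resolved or called by this demo.
typedef NTSTATUS (CALLBACK* ZWOPENFILE)(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG ShareAccess,
    IN ULONG OpenOptions
    );
typedef NTSTATUS (CALLBACK* ZWQUERYOBJECT)(
    IN HANDLE ObjectHandle,
    IN ULONG ObjectInformationClass,
    OUT PVOID ObjectInformation,
    IN ULONG ObjectInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );
// Resolved by InitNTDLL(); NULL until then and again after CloseNTDLL().
ZWQUERYSYSTEMINformATION ZwQuerySystemInformation;
ZWQUERYOBJECT ZwQueryObject;
HMODULE g_hNtDLL = NULL;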
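// Loads ntdll.dll and resolves the two native entry points this demo uses.
// Returns FALSE — and leaves nothing loaded — if the module or either export
// cannot be resolved, so callers never call through a NULL function pointer
// (the original returned TRUE regardless of the GetProcAddress results).
BOOL InitNTDLL()
{
    g_hNtDLL = LoadLibrary("ntdll.dll");
    if (!g_hNtDLL)
    {
        return FALSE;
    }
    ZwQuerySystemInformation =
        (ZWQUERYSYSTEMINformATION)GetProcAddress(g_hNtDLL, "ZwQuerySystemInformation");
    ZwQueryObject =
        (ZWQUERYOBJECT)GetProcAddress(g_hNtDLL, "ZwQueryObject");
    if (ZwQuerySystemInformation == NULL || ZwQueryObject == NULL)
    {
        // Undo the load so CloseNTDLL() stays balanced with this call.
        FreeLibrary(g_hNtDLL);
        g_hNtDLL = NULL;
        return FALSE;
    }
    return TRUE;
}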
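// Releases the ntdll.dll reference taken by InitNTDLL() and clears the cached
// module handle and function pointers, so a second call is a no-op and no
// caller can use a stale pointer after the module reference is dropped.
VOID CloseNTDLL()
{
    if (g_hNtDLL == NULL)
        return;
    FreeLibrary(g_hNtDLL);
    g_hNtDLL = NULL;
    ZwQuerySystemInformation = NULL;
    ZwQueryObject = NULL;
}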
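// Takes a snapshot of the system-wide handle table via
// ZwQuerySystemInformation(SystemHandleInformation).
// Returns a heap array owned by the caller (release with delete[]): the first
// ULONG is the entry count, followed by the SYSTEM_HANDLE_INformATION entries.
// Returns NULL if the query fails with anything other than a size mismatch.
// The buffer is grown until the kernel stops reporting
// STATUS_INFO_LENGTH_MISMATCH; the table can change between attempts, which
// is why this is a loop rather than a single query-then-allocate.
PULONG GetHandleList()
{
    const ULONG kSystemHandleInformation = 16;  // SYSTEM_INFORMATION_CLASS value
    ULONG cbBuffer = 0x1000;                    // element count (ULONGs), not bytes
    PULONG pBuffer = new ULONG[cbBuffer];
    NTSTATUS Status;
    DWORD dwNumBytesRet = 0x10;
    do
    {
        Status = ZwQuerySystemInformation(
            kSystemHandleInformation,
            pBuffer,
            cbBuffer * sizeof *pBuffer,
            &dwNumBytesRet);
        if (Status == STATUS_INFO_LENGTH_MISMATCH)
        {
            delete[] pBuffer;
            // Double by default; when the kernel reported a larger need, jump
            // straight to it. The hint is not reliable on every Windows
            // version, so doubling remains the floor.
            cbBuffer *= 2;
            ULONG needed = (dwNumBytesRet + sizeof *pBuffer - 1) / sizeof *pBuffer;
            if (needed > cbBuffer)
                cbBuffer = needed;
            pBuffer = new ULONG[cbBuffer];
        }
        else if (!NT_SUCCESS(Status))
        {
            delete[] pBuffer;
            return NULL;
        }
    }
    while (Status == STATUS_INFO_LENGTH_MISMATCH);
    return pBuffer;
}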
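// Duplicates `handle`, which belongs to process `PId`, into the current
// process with the same access rights. Returns 0 when the process cannot be
// opened (typically access denied for a higher-privileged process) or the
// duplication fails; the caller owns a non-zero result and must CloseHandle()
// it. The local no longer shadows the function name, and the magic values
// passed to DuplicateHandle are spelled out.
HANDLE DupHandle(DWORD PId, HANDLE handle)
{
    HANDLE hLocal = 0;
    HANDLE hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, PId);
    if (hProcess == NULL)
    {
        return 0;
    }
    if (!DuplicateHandle(hProcess, handle, GetCurrentProcess(), &hLocal,
                         0, FALSE, DUPLICATE_SAME_ACCESS))
    {
        hLocal = 0;
    }
    CloseHandle(hProcess);
    return hLocal;
}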
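// Finds the object-type index the kernel uses for File objects by locating
// our own probe handle `hProbe` in the snapshot `buf` (count-prefixed table
// from GetHandleList()). Discovering it at run time avoids hard-coding a
// number that differs between Windows versions. Returns TRUE and sets
// *typeNum on success, FALSE if the probe handle is not in the table.
static BOOL FindFileTypeNumber(PULONG buf, HANDLE hProbe, UCHAR *typeNum)
{
    DWORD myPid = GetCurrentProcessId();
    PSYSTEM_HANDLE_INformATION entry = (PSYSTEM_HANDLE_INformATION)&buf[1];
    for (ULONG i = 0; i < buf[0]; i++, entry++)
    {
        if (entry->ProcessId == myPid && entry->Handle == (USHORT)(ULONG_PTR)hProbe)
        {
            *typeNum = entry->ObjectTypeNumber;
            return TRUE;
        }
    }
    return FALSE;
}

// Converts a kernel object name such as "\Device\HarddiskVolume1\dir\f.txt"
// into the DOS form "C:\dir\f.txt" by asking QueryDosDevice for the device
// behind each drive letter. The original assumed HarddiskVolumeN is always
// the N-th letter starting at C:, which need not hold — drive letters are an
// independent mapping — and it also read Buffer[22] after checking only
// Length > 23 bytes. `nt` is `ntBytes` bytes long and need not be
// NUL-terminated. Returns FALSE when no drive letter matches (e.g. network or
// subst drives, whose targets are not \Device\ paths) or the result would not
// fit in `out` (outCount characters).
static BOOL NtPathToDosPath(const WCHAR *nt, USHORT ntBytes, wchar_t *out, size_t outCount)
{
    size_t ntChars = ntBytes / sizeof(WCHAR);
    DWORD drives = GetLogicalDrives();
    for (int i = 0; i < 26; i++)
    {
        if (!(drives & (1u << i)))
            continue;
        wchar_t dosName[3] = { (wchar_t)(L'A' + i), L':', 0 };
        wchar_t target[MAX_PATH];
        // Returns a double-NUL-terminated list; only the first (current)
        // target matters here.
        if (QueryDosDeviceW(dosName, target, MAX_PATH) == 0)
            continue;
        size_t tLen = wcslen(target);
        // Require a path separator right after the device prefix so that
        // HarddiskVolume1 does not match HarddiskVolume10.
        if (ntChars <= tLen || nt[tLen] != L'\\' || _wcsnicmp(nt, target, tLen) != 0)
            continue;
        size_t rest = ntChars - tLen;   // remainder, including its leading backslash
        if (2 + rest + 1 > outCount)
            return FALSE;
        out[0] = dosName[0];
        out[1] = L':';
        memcpy(&out[2], nt + tLen, rest * sizeof(WCHAR));
        out[2 + rest] = 0;
        return TRUE;
    }
    return FALSE;
}

// Entry point: QueryProc <file>. Prints every process that currently holds an
// open handle to <file> (given as a full path such as C:\dir\name), resolving
// names through ZwQueryObject(ObjectNameInformation) instead of the
// file-information path used by the first demo.
// Needs the right to open other processes with PROCESS_DUP_HANDLE; processes
// that cannot be opened (e.g. when not elevated) are silently skipped, so an
// empty result does not prove the file is unused. The snapshot is a point-in-
// time view: handles closed in the meantime simply fail to duplicate.
int main(int argc, char *argv[])
{
    const ULONG kObjectNameInformation = 1;  // OBJECT_INFORMATION_CLASS value
    if (argc < 2)
    {
        printf("QueryProc filename\n");
        exit(1);
    }
    wchar_t filename[1000];
    // Convert at most 999 characters so the terminator always fits.
    int num = MultiByteToWideChar(CP_OEMCP, MB_PRECOMPOSED, argv[1],
                                  (int)strlen(argv[1]), filename, 999);
    if (num <= 0)
    {
        printf("QueryProc: cannot convert filename\n");
        exit(1);
    }
    filename[num] = 0;
    printf("begin:\n");
    if (!InitNTDLL())
    {
        printf("QueryProc: cannot resolve ntdll exports\n");
        exit(1);
    }
    char namebuf[2000];
    // Open our own executable as a probe: its entry in the snapshot tells us
    // which object-type index means "File".
    HANDLE hTmp = INVALID_HANDLE_VALUE;
    if (GetModuleFileName(NULL, namebuf, MAX_PATH) != 0)
        hTmp = CreateFile(namebuf, GENERIC_READ, FILE_SHARE_READ, 0,
                          OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
    if (hTmp == INVALID_HANDLE_VALUE)
    {
        printf("QueryProc: cannot open probe file\n");
        CloseNTDLL();
        exit(1);
    }
    PULONG buf = GetHandleList();
    UCHAR TypeNum = 0;
    BOOL haveType = (buf != NULL) && FindFileTypeNumber(buf, hTmp, &TypeNum);
    CloseHandle(hTmp);
    if (!haveType)
    {
        // Covers both a failed query and a probe handle missing from the
        // table; the original left TypeNum uninitialized in that case.
        printf("QueryProc: cannot enumerate handles\n");
        delete[] buf;
        CloseNTDLL();
        exit(1);
    }
    PSYSTEM_HANDLE_INformATION info = (PSYSTEM_HANDLE_INformATION)&buf[1];
    for (ULONG i = 0; i < buf[0]; i++, info++)
    {
        if (info->ObjectTypeNumber != TypeNum)
            continue;
        HANDLE handle = DupHandle(info->ProcessId, (HANDLE)(ULONG_PTR)info->Handle);
        if (handle == 0)
            continue;  // process not openable, or handle already gone
        DWORD ret = 0;
        POBJECT_NAME_INformATION name = (POBJECT_NAME_INformATION)namebuf;
        ZeroMemory(namebuf, sizeof namebuf);
        // NOTE(review): this query can block indefinitely on some handle
        // types (synchronous pipes in particular); a hardened tool runs it on
        // a worker thread with a timeout. Not handled in this demo.
        NTSTATUS status = ZwQueryObject(handle, kObjectNameInformation, namebuf,
                                        sizeof namebuf, &ret);
        wchar_t outstr[1000];
        // Buffer is NULL for unnamed objects; a Length larger than what the
        // buffer can hold means the name was truncated — skip both rather
        // than read past namebuf.
        if (NT_SUCCESS(status)
            && name->Name.Buffer != NULL
            && name->Name.Length <= sizeof namebuf - sizeof(OBJECT_NAME_INformATION)
            && NtPathToDosPath(name->Name.Buffer, name->Name.Length, outstr, 1000)
            && _wcsicmp(outstr, filename) == 0)
        {
            printf("%ws\nProcessId:%lu\n", outstr, (unsigned long)info->ProcessId);
        }
        CloseHandle(handle);
    }
    delete[] buf;
    CloseNTDLL();
    return 0;
}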
2、获取句柄所代表对象信息,查出目标文件。核心态程序相对简单,对于
用户态程序,使用ZwQueryInformationFile同时与GetFileInformationByHandle、
GetVolumeInformation二API搭配获得之(前者得文件除去卷的路径名,后二者
得卷名);另外可用ZwQueryObject。
3、综合1,2即完成
演示一:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
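// Minimal native-API declarations used by this demo. The authoritative
// definitions live in the DDK / winternl.h headers, which a user-mode
// project compiled against windows.h does not include, so they are
// re-declared here. (The page's paste had lost the whitespace between
// type and member names, which does not compile; restored below.)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
typedef LONG NTSTATUS;
// Completion status of a native I/O call. Information is the byte count
// produced by the call; this demo only looks at Status.
typedef struct _IO_STATUS_BLOCK
{
    NTSTATUS Status;
    ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
// Counted UTF-16 string. Length and MaximumLength are in BYTES, not
// characters, and Buffer is not guaranteed to be NUL-terminated.
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// OBJECT_ATTRIBUTES flag values (declared for completeness; unused here).
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L
// Object-open descriptor for the Zw* open/create family (unused here).
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
// One entry of the SystemHandleInformation (class 16) table. The table is
// returned as a ULONG entry count followed by this array.
// NOTE(review): this is the 32-bit layout. ProcessId overlays the
// USHORT UniqueProcessId + USHORT CreatorBackTraceIndex pair of the
// documented entry, so it reads correctly only while the latter is 0, and
// the 64-bit entry has different padding — confirm before building as x64.
typedef struct _SYSTEM_HANDLE_INformATION {
    ULONG ProcessId;          // owning process id (see note above)
    UCHAR ObjectTypeNumber;   // kernel object-type index; discovered at run time in main()
    UCHAR Flags;
    USHORT Handle;            // handle value in the owning process, truncated to 16 bits
    PVOID Object;             // kernel object address (unused by this demo)
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INformATION, *PSYSTEM_HANDLE_INformATION;
// FileNameInformation (class 9) result: FileNameLength is in BYTES and
// FileName is neither NUL-terminated nor prefixed with the volume.
typedef struct _FILE_NAME_INformATION {
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_NAME_INformATION, *PFILE_NAME_INformATION;
typedef NTSTATUS (CALLBACK* ZWQUERYSYSTEMINformATION)(
    IN ULONG SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL);
typedef NTSTATUS (CALLBACK* ZWQUERYINformATIONFILE)(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG FileInformationLength,
    IN ULONG FileInformationClass);
// Resolved by InitNTDLL(); NULL until then and again after CloseNTDLL().
ZWQUERYSYSTEMINformATION ZwQuerySystemInformation;
ZWQUERYINformATIONFILE ZwQueryInformationFile;
HMODULE g_hNtDLL = NULL;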
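// Loads ntdll.dll and resolves the two native entry points this demo uses.
// Returns FALSE — and leaves nothing loaded — if the module or either export
// cannot be resolved, so callers never call through a NULL function pointer
// (the original returned TRUE regardless of the GetProcAddress results).
BOOL InitNTDLL()
{
    g_hNtDLL = LoadLibrary("ntdll.dll");
    if (!g_hNtDLL)
    {
        return FALSE;
    }
    ZwQuerySystemInformation =
        (ZWQUERYSYSTEMINformATION)GetProcAddress(g_hNtDLL, "ZwQuerySystemInformation");
    ZwQueryInformationFile =
        (ZWQUERYINformATIONFILE)GetProcAddress(g_hNtDLL, "ZwQueryInformationFile");
    if (ZwQuerySystemInformation == NULL || ZwQueryInformationFile == NULL)
    {
        // Undo the load so CloseNTDLL() stays balanced with this call.
        FreeLibrary(g_hNtDLL);
        g_hNtDLL = NULL;
        return FALSE;
    }
    return TRUE;
}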
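// Releases the ntdll.dll reference taken by InitNTDLL() and clears the cached
// module handle and function pointers, so a second call is a no-op and no
// caller can use a stale pointer after the module reference is dropped.
VOID CloseNTDLL()
{
    if (g_hNtDLL == NULL)
        return;
    FreeLibrary(g_hNtDLL);
    g_hNtDLL = NULL;
    ZwQuerySystemInformation = NULL;
    ZwQueryInformationFile = NULL;
}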
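// Takes a snapshot of the system-wide handle table via
// ZwQuerySystemInformation(SystemHandleInformation).
// Returns a heap array owned by the caller (release with delete[]): the first
// ULONG is the entry count, followed by the SYSTEM_HANDLE_INformATION entries.
// Returns NULL if the query fails with anything other than a size mismatch.
// The buffer is grown until the kernel stops reporting
// STATUS_INFO_LENGTH_MISMATCH; the table can change between attempts, which
// is why this is a loop rather than a single query-then-allocate.
PULONG GetHandleList()
{
    const ULONG kSystemHandleInformation = 16;  // SYSTEM_INFORMATION_CLASS value
    ULONG cbBuffer = 0x1000;                    // element count (ULONGs), not bytes
    PULONG pBuffer = new ULONG[cbBuffer];
    NTSTATUS Status;
    DWORD dwNumBytesRet = 0x10;
    do
    {
        Status = ZwQuerySystemInformation(
            kSystemHandleInformation,
            pBuffer,
            cbBuffer * sizeof *pBuffer,
            &dwNumBytesRet);
        if (Status == STATUS_INFO_LENGTH_MISMATCH)
        {
            delete[] pBuffer;
            // Double by default; when the kernel reported a larger need, jump
            // straight to it. The hint is not reliable on every Windows
            // version, so doubling remains the floor.
            cbBuffer *= 2;
            ULONG needed = (dwNumBytesRet + sizeof *pBuffer - 1) / sizeof *pBuffer;
            if (needed > cbBuffer)
                cbBuffer = needed;
            pBuffer = new ULONG[cbBuffer];
        }
        else if (!NT_SUCCESS(Status))
        {
            delete[] pBuffer;
            return NULL;
        }
    }
    while (Status == STATUS_INFO_LENGTH_MISMATCH);
    return pBuffer;
}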
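// Duplicates `handle`, which belongs to process `PId`, into the current
// process with the same access rights. Returns 0 when the process cannot be
// opened (typically access denied for a higher-privileged process) or the
// duplication fails; the caller owns a non-zero result and must CloseHandle()
// it. The local no longer shadows the function name, and the magic values
// passed to DuplicateHandle are spelled out.
HANDLE DupHandle(DWORD PId, HANDLE handle)
{
    HANDLE hLocal = 0;
    HANDLE hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, PId);
    if (hProcess == NULL)
    {
        return 0;
    }
    if (!DuplicateHandle(hProcess, handle, GetCurrentProcess(), &hLocal,
                         0, FALSE, DUPLICATE_SAME_ACCESS))
    {
        hLocal = 0;
    }
    CloseHandle(hProcess);
    return hLocal;
}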
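// Volume serial number of each present drive letter, indexed A=0 .. Z=25.
// Absent or unreadable drives hold 0. Filled by InitVolumeName().
DWORD Volumeserial[26];
// Records the serial number of every mounted volume so that GetVolumeName()
// can map a file handle's volume back to a drive letter.
// GetVolumeInformation requires the root-path form "X:\" (the page's paste had
// turned the backslashes into slashes, which the API rejects).
void InitVolumeName()
{
    DWORD disk = GetLogicalDrives();
    for (int i = 0; i < 26; i++)
    {
        Volumeserial[i] = 0;
        if (!(disk & (1u << i)))
            continue;
        char root[] = "A:\\";
        root[0] = (char)('A' + i);
        // Fails for drives without media (empty removable drive); keep the
        // slot at 0 so a stale value can never be matched later.
        if (!GetVolumeInformation(root, NULL, 0, &Volumeserial[i], NULL, NULL, NULL, 0))
            Volumeserial[i] = 0;
    }
}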
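// Maps a file handle to the drive letter of the volume it lives on by comparing
// the handle's volume serial with the table built by InitVolumeName().
// Returns L'!' when the handle is not a file-system object or its volume is
// not in the table. Slots still at 0 (no drive) are skipped so that an unset
// slot never matches — the original compared against all 26 entries.
wchar_t GetVolumeName(HANDLE hFile)
{
    BY_HANDLE_FILE_INFORMATION info;
    if (!GetFileInformationByHandle(hFile, &info))
        return L'!';
    for (int i = 0; i < 26; i++)
    {
        if (Volumeserial[i] != 0 && info.dwVolumeSerialNumber == Volumeserial[i])
            return (wchar_t)(L'A' + i);
    }
    return L'!';
}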
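// Finds the object-type index the kernel uses for File objects by locating
// our own probe handle `hProbe` in the snapshot `buf` (count-prefixed table
// from GetHandleList()). Discovering it at run time avoids hard-coding a
// number that differs between Windows versions. Returns TRUE and sets
// *typeNum on success, FALSE if the probe handle is not in the table.
static BOOL FindFileTypeNumber(PULONG buf, HANDLE hProbe, UCHAR *typeNum)
{
    DWORD myPid = GetCurrentProcessId();
    PSYSTEM_HANDLE_INformATION entry = (PSYSTEM_HANDLE_INformATION)&buf[1];
    for (ULONG i = 0; i < buf[0]; i++, entry++)
    {
        if (entry->ProcessId == myPid && entry->Handle == (USHORT)(ULONG_PTR)hProbe)
        {
            *typeNum = entry->ObjectTypeNumber;
            return TRUE;
        }
    }
    return FALSE;
}

// Builds "X:\path" for a duplicated file handle: the drive letter comes from
// the handle's volume serial (GetVolumeName) and the volume-relative path from
// FileNameInformation (class 9). `scratch` (scratchBytes long) receives the
// native query result. Returns FALSE if the name cannot be obtained, the volume
// is unknown, the kernel truncated the name, or the result would not fit in
// `out` (outCount characters).
static BOOL BuildDosPath(HANDLE handle, char *scratch, ULONG scratchBytes,
                         wchar_t *out, size_t outCount)
{
    const ULONG kFileNameInformation = 9;  // FILE_INFORMATION_CLASS value
    IO_STATUS_BLOCK ios;
    PFILE_NAME_INformATION name = (PFILE_NAME_INformATION)scratch;
    ZeroMemory(scratch, scratchBytes);
    // NOTE(review): this query can block indefinitely on some handle types
    // (synchronous pipes in particular); a hardened tool runs it on a worker
    // thread with a timeout. Not handled in this demo.
    NTSTATUS status = ZwQueryInformationFile(handle, &ios, scratch, scratchBytes,
                                             kFileNameInformation);
    if (!NT_SUCCESS(status))
        return FALSE;
    // A truncated result still passes NT_SUCCESS (warning status); make sure
    // FileNameLength describes bytes that are actually inside `scratch`.
    if (name->FileNameLength > scratchBytes - sizeof(ULONG))
        return FALSE;
    wchar_t volume = GetVolumeName(handle);
    if (volume == L'!')
        return FALSE;
    // FileNameLength is in BYTES; the original indexed `out` by it, which
    // overruns the 1000-character array for names longer than ~500 chars.
    size_t nameChars = name->FileNameLength / sizeof(WCHAR);
    if (2 + nameChars + 1 > outCount)
        return FALSE;
    out[0] = volume;
    out[1] = L':';
    memcpy(&out[2], name->FileName, nameChars * sizeof(WCHAR));
    out[2 + nameChars] = 0;
    return TRUE;
}

// Entry point: QueryProc <file>. Prints every process that currently holds an
// open handle to <file> (given as a full path such as C:\dir\name).
// Needs the right to open other processes with PROCESS_DUP_HANDLE; processes
// that cannot be opened (e.g. when not elevated) are silently skipped, so an
// empty result does not prove the file is unused. The snapshot is a point-in-
// time view: handles closed in the meantime simply fail to duplicate.
int main(int argc, char *argv[])
{
    if (argc < 2)
    {
        printf("QueryProc filename\n");
        exit(1);
    }
    wchar_t filename[1000];
    // Convert at most 999 characters so the terminator always fits.
    int num = MultiByteToWideChar(CP_OEMCP, MB_PRECOMPOSED, argv[1],
                                  (int)strlen(argv[1]), filename, 999);
    if (num <= 0)
    {
        printf("QueryProc: cannot convert filename\n");
        exit(1);
    }
    filename[num] = 0;
    printf("begin:\n");
    if (!InitNTDLL())
    {
        printf("QueryProc: cannot resolve ntdll exports\n");
        exit(1);
    }
    InitVolumeName();
    char namebuf[2000];
    // Open our own executable as a probe: its entry in the snapshot tells us
    // which object-type index means "File".
    HANDLE hTmp = INVALID_HANDLE_VALUE;
    if (GetModuleFileName(NULL, namebuf, MAX_PATH) != 0)
        hTmp = CreateFile(namebuf, GENERIC_READ, FILE_SHARE_READ, 0,
                          OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
    if (hTmp == INVALID_HANDLE_VALUE)
    {
        printf("QueryProc: cannot open probe file\n");
        CloseNTDLL();
        exit(1);
    }
    PULONG buf = GetHandleList();
    UCHAR TypeNum = 0;
    BOOL haveType = (buf != NULL) && FindFileTypeNumber(buf, hTmp, &TypeNum);
    CloseHandle(hTmp);
    if (!haveType)
    {
        // Covers both a failed query and a probe handle missing from the
        // table; the original left TypeNum uninitialized in that case.
        printf("QueryProc: cannot enumerate handles\n");
        delete[] buf;
        CloseNTDLL();
        exit(1);
    }
    PSYSTEM_HANDLE_INformATION info = (PSYSTEM_HANDLE_INformATION)&buf[1];
    for (ULONG i = 0; i < buf[0]; i++, info++)
    {
        if (info->ObjectTypeNumber != TypeNum)
            continue;
        HANDLE handle = DupHandle(info->ProcessId, (HANDLE)(ULONG_PTR)info->Handle);
        if (handle == 0)
            continue;  // process not openable, or handle already gone
        wchar_t outstr[1000];
        if (BuildDosPath(handle, namebuf, sizeof namebuf, outstr, 1000)
            && _wcsicmp(outstr, filename) == 0)
        {
            printf("%ws\nProcessId:%lu\n", outstr, (unsigned long)info->ProcessId);
        }
        CloseHandle(handle);
    }
    delete[] buf;
    CloseNTDLL();
    return 0;
}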
演示二:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
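// Minimal native-API declarations used by this demo. The authoritative
// definitions live in the DDK / winternl.h headers, which a user-mode
// project compiled against windows.h does not include, so they are
// re-declared here. (The page's paste had lost the whitespace between
// type and member names, which does not compile; restored below.)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
typedef LONG NTSTATUS;
// Completion status of a native I/O call (declared for the ZwOpenFile
// prototype below; unused by this demo's logic).
typedef struct _IO_STATUS_BLOCK
{
    NTSTATUS Status;
    ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
// Counted UTF-16 string. Length and MaximumLength are in BYTES, not
// characters, and Buffer is not guaranteed to be NUL-terminated.
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// OBJECT_ATTRIBUTES flag values (declared for completeness; unused here).
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L
// Object-open descriptor for the Zw* open/create family (unused here).
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
// One entry of the SystemHandleInformation (class 16) table. The table is
// returned as a ULONG entry count followed by this array.
// NOTE(review): this is the 32-bit layout. ProcessId overlays the
// USHORT UniqueProcessId + USHORT CreatorBackTraceIndex pair of the
// documented entry, so it reads correctly only while the latter is 0, and
// the 64-bit entry has different padding — confirm before building as x64.
typedef struct _SYSTEM_HANDLE_INformATION {
    ULONG ProcessId;          // owning process id (see note above)
    UCHAR ObjectTypeNumber;   // kernel object-type index; discovered at run time in main()
    UCHAR Flags;
    USHORT Handle;            // handle value in the owning process, truncated to 16 bits
    PVOID Object;             // kernel object address (unused by this demo)
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INformATION, *PSYSTEM_HANDLE_INformATION;
// ObjectNameInformation (class 1) result: Name.Buffer points just past this
// header inside the caller's buffer and holds the kernel object path
// (e.g. a \Device\... name), not a DOS path.
typedef struct _OBJECT_NAME_INformATION {
    UNICODE_STRING Name;
} OBJECT_NAME_INformATION, *POBJECT_NAME_INformATION;
typedef NTSTATUS (CALLBACK* ZWQUERYSYSTEMINformATION)(
    IN ULONG SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL);
// Declared but not resolved or called by this demo.
typedef NTSTATUS (CALLBACK* ZWOPENFILE)(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG ShareAccess,
    IN ULONG OpenOptions
    );
typedef NTSTATUS (CALLBACK* ZWQUERYOBJECT)(
    IN HANDLE ObjectHandle,
    IN ULONG ObjectInformationClass,
    OUT PVOID ObjectInformation,
    IN ULONG ObjectInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );
// Resolved by InitNTDLL(); NULL until then and again after CloseNTDLL().
ZWQUERYSYSTEMINformATION ZwQuerySystemInformation;
ZWQUERYOBJECT ZwQueryObject;
HMODULE g_hNtDLL = NULL;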
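// Loads ntdll.dll and resolves the two native entry points this demo uses.
// Returns FALSE — and leaves nothing loaded — if the module or either export
// cannot be resolved, so callers never call through a NULL function pointer
// (the original returned TRUE regardless of the GetProcAddress results).
BOOL InitNTDLL()
{
    g_hNtDLL = LoadLibrary("ntdll.dll");
    if (!g_hNtDLL)
    {
        return FALSE;
    }
    ZwQuerySystemInformation =
        (ZWQUERYSYSTEMINformATION)GetProcAddress(g_hNtDLL, "ZwQuerySystemInformation");
    ZwQueryObject =
        (ZWQUERYOBJECT)GetProcAddress(g_hNtDLL, "ZwQueryObject");
    if (ZwQuerySystemInformation == NULL || ZwQueryObject == NULL)
    {
        // Undo the load so CloseNTDLL() stays balanced with this call.
        FreeLibrary(g_hNtDLL);
        g_hNtDLL = NULL;
        return FALSE;
    }
    return TRUE;
}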
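// Releases the ntdll.dll reference taken by InitNTDLL() and clears the cached
// module handle and function pointers, so a second call is a no-op and no
// caller can use a stale pointer after the module reference is dropped.
VOID CloseNTDLL()
{
    if (g_hNtDLL == NULL)
        return;
    FreeLibrary(g_hNtDLL);
    g_hNtDLL = NULL;
    ZwQuerySystemInformation = NULL;
    ZwQueryObject = NULL;
}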
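// Takes a snapshot of the system-wide handle table via
// ZwQuerySystemInformation(SystemHandleInformation).
// Returns a heap array owned by the caller (release with delete[]): the first
// ULONG is the entry count, followed by the SYSTEM_HANDLE_INformATION entries.
// Returns NULL if the query fails with anything other than a size mismatch.
// The buffer is grown until the kernel stops reporting
// STATUS_INFO_LENGTH_MISMATCH; the table can change between attempts, which
// is why this is a loop rather than a single query-then-allocate.
PULONG GetHandleList()
{
    const ULONG kSystemHandleInformation = 16;  // SYSTEM_INFORMATION_CLASS value
    ULONG cbBuffer = 0x1000;                    // element count (ULONGs), not bytes
    PULONG pBuffer = new ULONG[cbBuffer];
    NTSTATUS Status;
    DWORD dwNumBytesRet = 0x10;
    do
    {
        Status = ZwQuerySystemInformation(
            kSystemHandleInformation,
            pBuffer,
            cbBuffer * sizeof *pBuffer,
            &dwNumBytesRet);
        if (Status == STATUS_INFO_LENGTH_MISMATCH)
        {
            delete[] pBuffer;
            // Double by default; when the kernel reported a larger need, jump
            // straight to it. The hint is not reliable on every Windows
            // version, so doubling remains the floor.
            cbBuffer *= 2;
            ULONG needed = (dwNumBytesRet + sizeof *pBuffer - 1) / sizeof *pBuffer;
            if (needed > cbBuffer)
                cbBuffer = needed;
            pBuffer = new ULONG[cbBuffer];
        }
        else if (!NT_SUCCESS(Status))
        {
            delete[] pBuffer;
            return NULL;
        }
    }
    while (Status == STATUS_INFO_LENGTH_MISMATCH);
    return pBuffer;
}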
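// Duplicates `handle`, which belongs to process `PId`, into the current
// process with the same access rights. Returns 0 when the process cannot be
// opened (typically access denied for a higher-privileged process) or the
// duplication fails; the caller owns a non-zero result and must CloseHandle()
// it. The local no longer shadows the function name, and the magic values
// passed to DuplicateHandle are spelled out.
HANDLE DupHandle(DWORD PId, HANDLE handle)
{
    HANDLE hLocal = 0;
    HANDLE hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, PId);
    if (hProcess == NULL)
    {
        return 0;
    }
    if (!DuplicateHandle(hProcess, handle, GetCurrentProcess(), &hLocal,
                         0, FALSE, DUPLICATE_SAME_ACCESS))
    {
        hLocal = 0;
    }
    CloseHandle(hProcess);
    return hLocal;
}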
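// Finds the object-type index the kernel uses for File objects by locating
// our own probe handle `hProbe` in the snapshot `buf` (count-prefixed table
// from GetHandleList()). Discovering it at run time avoids hard-coding a
// number that differs between Windows versions. Returns TRUE and sets
// *typeNum on success, FALSE if the probe handle is not in the table.
static BOOL FindFileTypeNumber(PULONG buf, HANDLE hProbe, UCHAR *typeNum)
{
    DWORD myPid = GetCurrentProcessId();
    PSYSTEM_HANDLE_INformATION entry = (PSYSTEM_HANDLE_INformATION)&buf[1];
    for (ULONG i = 0; i < buf[0]; i++, entry++)
    {
        if (entry->ProcessId == myPid && entry->Handle == (USHORT)(ULONG_PTR)hProbe)
        {
            *typeNum = entry->ObjectTypeNumber;
            return TRUE;
        }
    }
    return FALSE;
}

// Converts a kernel object name such as "\Device\HarddiskVolume1\dir\f.txt"
// into the DOS form "C:\dir\f.txt" by asking QueryDosDevice for the device
// behind each drive letter. The original assumed HarddiskVolumeN is always
// the N-th letter starting at C:, which need not hold — drive letters are an
// independent mapping — and it also read Buffer[22] after checking only
// Length > 23 bytes. `nt` is `ntBytes` bytes long and need not be
// NUL-terminated. Returns FALSE when no drive letter matches (e.g. network or
// subst drives, whose targets are not \Device\ paths) or the result would not
// fit in `out` (outCount characters).
static BOOL NtPathToDosPath(const WCHAR *nt, USHORT ntBytes, wchar_t *out, size_t outCount)
{
    size_t ntChars = ntBytes / sizeof(WCHAR);
    DWORD drives = GetLogicalDrives();
    for (int i = 0; i < 26; i++)
    {
        if (!(drives & (1u << i)))
            continue;
        wchar_t dosName[3] = { (wchar_t)(L'A' + i), L':', 0 };
        wchar_t target[MAX_PATH];
        // Returns a double-NUL-terminated list; only the first (current)
        // target matters here.
        if (QueryDosDeviceW(dosName, target, MAX_PATH) == 0)
            continue;
        size_t tLen = wcslen(target);
        // Require a path separator right after the device prefix so that
        // HarddiskVolume1 does not match HarddiskVolume10.
        if (ntChars <= tLen || nt[tLen] != L'\\' || _wcsnicmp(nt, target, tLen) != 0)
            continue;
        size_t rest = ntChars - tLen;   // remainder, including its leading backslash
        if (2 + rest + 1 > outCount)
            return FALSE;
        out[0] = dosName[0];
        out[1] = L':';
        memcpy(&out[2], nt + tLen, rest * sizeof(WCHAR));
        out[2 + rest] = 0;
        return TRUE;
    }
    return FALSE;
}

// Entry point: QueryProc <file>. Prints every process that currently holds an
// open handle to <file> (given as a full path such as C:\dir\name), resolving
// names through ZwQueryObject(ObjectNameInformation) instead of the
// file-information path used by the first demo.
// Needs the right to open other processes with PROCESS_DUP_HANDLE; processes
// that cannot be opened (e.g. when not elevated) are silently skipped, so an
// empty result does not prove the file is unused. The snapshot is a point-in-
// time view: handles closed in the meantime simply fail to duplicate.
int main(int argc, char *argv[])
{
    const ULONG kObjectNameInformation = 1;  // OBJECT_INFORMATION_CLASS value
    if (argc < 2)
    {
        printf("QueryProc filename\n");
        exit(1);
    }
    wchar_t filename[1000];
    // Convert at most 999 characters so the terminator always fits.
    int num = MultiByteToWideChar(CP_OEMCP, MB_PRECOMPOSED, argv[1],
                                  (int)strlen(argv[1]), filename, 999);
    if (num <= 0)
    {
        printf("QueryProc: cannot convert filename\n");
        exit(1);
    }
    filename[num] = 0;
    printf("begin:\n");
    if (!InitNTDLL())
    {
        printf("QueryProc: cannot resolve ntdll exports\n");
        exit(1);
    }
    char namebuf[2000];
    // Open our own executable as a probe: its entry in the snapshot tells us
    // which object-type index means "File".
    HANDLE hTmp = INVALID_HANDLE_VALUE;
    if (GetModuleFileName(NULL, namebuf, MAX_PATH) != 0)
        hTmp = CreateFile(namebuf, GENERIC_READ, FILE_SHARE_READ, 0,
                          OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
    if (hTmp == INVALID_HANDLE_VALUE)
    {
        printf("QueryProc: cannot open probe file\n");
        CloseNTDLL();
        exit(1);
    }
    PULONG buf = GetHandleList();
    UCHAR TypeNum = 0;
    BOOL haveType = (buf != NULL) && FindFileTypeNumber(buf, hTmp, &TypeNum);
    CloseHandle(hTmp);
    if (!haveType)
    {
        // Covers both a failed query and a probe handle missing from the
        // table; the original left TypeNum uninitialized in that case.
        printf("QueryProc: cannot enumerate handles\n");
        delete[] buf;
        CloseNTDLL();
        exit(1);
    }
    PSYSTEM_HANDLE_INformATION info = (PSYSTEM_HANDLE_INformATION)&buf[1];
    for (ULONG i = 0; i < buf[0]; i++, info++)
    {
        if (info->ObjectTypeNumber != TypeNum)
            continue;
        HANDLE handle = DupHandle(info->ProcessId, (HANDLE)(ULONG_PTR)info->Handle);
        if (handle == 0)
            continue;  // process not openable, or handle already gone
        DWORD ret = 0;
        POBJECT_NAME_INformATION name = (POBJECT_NAME_INformATION)namebuf;
        ZeroMemory(namebuf, sizeof namebuf);
        // NOTE(review): this query can block indefinitely on some handle
        // types (synchronous pipes in particular); a hardened tool runs it on
        // a worker thread with a timeout. Not handled in this demo.
        NTSTATUS status = ZwQueryObject(handle, kObjectNameInformation, namebuf,
                                        sizeof namebuf, &ret);
        wchar_t outstr[1000];
        // Buffer is NULL for unnamed objects; a Length larger than what the
        // buffer can hold means the name was truncated — skip both rather
        // than read past namebuf.
        if (NT_SUCCESS(status)
            && name->Name.Buffer != NULL
            && name->Name.Length <= sizeof namebuf - sizeof(OBJECT_NAME_INformATION)
            && NtPathToDosPath(name->Name.Buffer, name->Name.Length, outstr, 1000)
            && _wcsicmp(outstr, filename) == 0)
        {
            printf("%ws\nProcessId:%lu\n", outstr, (unsigned long)info->ProcessId);
        }
        CloseHandle(handle);
    }
    delete[] buf;
    CloseNTDLL();
    return 0;
}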