文件-进程关联演示程序

1、首先使用ZwQuerySystemInformation查询所有进程句柄,
2、获取句柄所代表对象的信息,从中找出目标文件。核心态程序相对简单;用户态程序则需将
ZwQueryInformationFile 与 GetFileInformationByHandle、GetVolumeInformation 两个 API
搭配使用(前者得到文件去掉卷之后的路径名,后两者得到卷名);另外也可以使用 ZwQueryObject。
3、综合1,2即完成
演示一:
#include <windows.h>
#include <stdio.h>

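// Minimal NTSTATUS support so the demo builds against <windows.h> alone
// (no DDK / winternl.h). Note the space after each object-like macro name:
// "STATUS_INFO_LENGTH_MISMATCH((NTSTATUS)...)" would declare a function-like
// macro with an invalid parameter list, and the comparisons in
// GetHandleList() would not compile.
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)   // buffer too small; caller retries larger
#define STATUS_ACCESS_DENIED        ((NTSTATUS)0xC0000022L)   // declared for completeness, unused here

typedef LONG NTSTATUS;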
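// Completion status of a native I/O request (filled by ZwQueryInformationFile).
typedef struct _IO_STATUS_BLOCK
{
    NTSTATUS Status;        // result of the request
    ULONG    Information;   // request-specific value (e.g. bytes returned)
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;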

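// Counted UTF-16 string used by the native API. Length and MaximumLength are
// in BYTES, not characters, and Buffer is not necessarily NUL-terminated.
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;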

// OBJECT_ATTRIBUTES.Attributes flags (as in ntdef.h). Nothing in this
// listing opens an object through the native API, so they are unused here.
#define OBJ_INHERIT             0x00000002L
#define OBJ_PERMANENT           0x00000010L
#define OBJ_EXCLUSIVE           0x00000020L
#define OBJ_CASE_INSENSITIVE    0x00000040L
#define OBJ_OPENIF              0x00000080L
#define OBJ_OPENLINK            0x00000100L
#define OBJ_KERNEL_HANDLE       0x00000200L
#define OBJ_VALID_ATTRIBUTES    0x000003F2L   // mask of all bits above

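// Describes an object to open/create via the native API. Not used by this
// listing (kept so the declarations match the companion program).
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG           Length;                     // sizeof(OBJECT_ATTRIBUTES)
    HANDLE          RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG           Attributes;                 // OBJ_* flags above
    PVOID           SecurityDescriptor;
    PVOID           SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;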

// One entry of the SystemHandleInformation table (information class 16)
// returned by ZwQuerySystemInformation; main() walks an array of these.
// Field widths are the 32-bit layout this demo targets: Handle is 16 bits
// and Object is pointer-sized, so on x64 the entry size/alignment differ
// (and the array no longer starts right after the ULONG count) — verify
// before building for 64-bit. The "INformATION" spelling is how the listing
// names the type throughout, so it is left unchanged.
typedef struct _SYSTEM_HANDLE_INformATION {
    ULONG       ProcessId;          // process that owns the handle
    UCHAR       ObjectTypeNumber;   // kernel object-type index (File, Key, ...); not a fixed constant
    UCHAR       Flags;
    USHORT      Handle;             // handle value inside ProcessId
    PVOID       Object;             // kernel address of the object body
    ACCESS_MASK GrantedAccess;      // access the handle was granted
} SYSTEM_HANDLE_INformATION, *PSYSTEM_HANDLE_INformATION;

// Result of ZwQueryInformationFile(FileNameInformation, class 9): the path
// of the file relative to its volume (no drive letter). FileNameLength is in
// BYTES and FileName is NOT NUL-terminated — callers must terminate it
// themselves using FileNameLength / sizeof(WCHAR).
typedef struct _FILE_NAME_INformATION {
    ULONG FileNameLength;
    WCHAR FileName[1];   // variable length; the struct is overlaid on a larger buffer
} FILE_NAME_INformATION, *PFILE_NAME_INformATION;

// Signatures of the two ntdll exports resolved at run time by InitNTDLL().
// CALLBACK is __stdcall, which is the NTAPI convention on 32-bit builds.
typedef NTSTATUS (CALLBACK* ZWQUERYSYSTEMINformATION)(
    IN  ULONG SystemInformationClass,        // 16 = SystemHandleInformation in this demo
    IN  OUT PVOID SystemInformation,
    IN  ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL);

typedef NTSTATUS (CALLBACK* ZWQUERYINformATIONFILE)(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG FileInformationLength,
    IN ULONG FileInformationClass);          // 9 = FileNameInformation in this demo

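// Run-time resolved ntdll entry points and the module handle that keeps them
// valid. All are NULL until InitNTDLL() succeeds; callers must not invoke the
// pointers before checking that (the listing had the type and variable names
// run together on these lines, which does not compile).
ZWQUERYSYSTEMINformATION ZwQuerySystemInformation = NULL;
ZWQUERYINformATIONFILE   ZwQueryInformationFile   = NULL;
HMODULE                  g_hNtDLL                 = NULL;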

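// Resolve the ntdll exports the program needs.
// Returns TRUE only when both function pointers were found; on any failure
// the module reference is released, the globals stay NULL and FALSE is
// returned. (The original returned TRUE even when GetProcAddress failed,
// leaving GetHandleList() to call a NULL pointer.)
BOOL InitNTDLL()
{
    // ntdll.dll is already mapped in every process, so this resolves to the
    // loaded image rather than searching the disk; it only adds a reference
    // that CloseNTDLL() drops again.
    g_hNtDLL = LoadLibrary("ntdll.dll");
    if (!g_hNtDLL)
    {
        return FALSE;
    }

    ZwQuerySystemInformation =
        (ZWQUERYSYSTEMINformATION)GetProcAddress(g_hNtDLL, "ZwQuerySystemInformation");
    ZwQueryInformationFile =
        (ZWQUERYINformATIONFILE)GetProcAddress(g_hNtDLL, "ZwQueryInformationFile");

    if (ZwQuerySystemInformation == NULL || ZwQueryInformationFile == NULL)
    {
        FreeLibrary(g_hNtDLL);
        g_hNtDLL = NULL;
        return FALSE;
    }
    return TRUE;
}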

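// Release the ntdll reference taken by InitNTDLL().
// Resets the module handle and the resolved pointers so a second call is a
// no-op and no stale pointers survive the FreeLibrary.
VOID CloseNTDLL()
{
    if (g_hNtDLL != NULL)
    {
        FreeLibrary(g_hNtDLL);
        g_hNtDLL = NULL;
        ZwQuerySystemInformation = NULL;
        ZwQueryInformationFile = NULL;
    }
}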

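// Fetch the system-wide handle table (SystemHandleInformation, class 16).
// Returns a new[]-allocated buffer the caller must delete[]: buf[0] holds
// the entry count and the SYSTEM_HANDLE_INformATION entries follow (see the
// layout caveat on that struct). Returns NULL when ntdll was not initialised
// or the query fails for a reason other than buffer size.
// The required size is not known up front, so the buffer is doubled while
// the kernel answers STATUS_INFO_LENGTH_MISMATCH; the table can also grow
// between two calls, which the loop tolerates.
PULONG GetHandleList()
{
    if (ZwQuerySystemInformation == NULL)
    {
        return NULL;   // InitNTDLL() was not called or failed
    }

    ULONG    cElems  = 0x1000;              // size in ULONGs, not bytes
    PULONG   pBuffer = new ULONG[cElems];   // new[] throws on exhaustion
    DWORD    cbReturned = 0;
    NTSTATUS Status;

    do
    {
        Status = ZwQuerySystemInformation(16, pBuffer, cElems * sizeof *pBuffer, &cbReturned);

        if (Status == STATUS_INFO_LENGTH_MISMATCH)
        {
            delete[] pBuffer;
            cElems *= 2;
            pBuffer = new ULONG[cElems];
        }
        else if (!NT_SUCCESS(Status))
        {
            delete[] pBuffer;
            return NULL;
        }
    } while (Status == STATUS_INFO_LENGTH_MISMATCH);

    return pBuffer;
}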

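// Duplicate `handle` of process `PId` into the current process.
// Returns the local handle, which the caller must CloseHandle(), or NULL when
// the process cannot be opened for PROCESS_DUP_HANDLE or the duplication
// fails. Processes the caller lacks access to (other users' processes,
// protected processes) make NULL a routine outcome, so callers must check.
HANDLE DupHandle(DWORD PId, HANDLE handle)
{
    HANDLE hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, PId);
    if (hProcess == NULL)
    {
        return NULL;
    }

    HANDLE hLocal = NULL;
    // DUPLICATE_SAME_ACCESS keeps the source handle's access mask (the
    // original passed the raw value 2). Not inheritable.
    if (!DuplicateHandle(hProcess, handle, GetCurrentProcess(), &hLocal,
                         0, FALSE, DUPLICATE_SAME_ACCESS))
    {
        hLocal = NULL;
    }

    CloseHandle(hProcess);
    return hLocal;
}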

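// Volume serial number per drive letter (index 0 = A:). 0 means the letter
// is not present or its serial could not be read.
DWORD Volumeserial[26];

// Populate Volumeserial[] from GetVolumeInformation() for every drive letter
// that GetLogicalDrives() reports. Entries for absent letters or failed
// queries are explicitly set to 0 so GetVolumeName() can ignore them.
void InitVolumeName()
{
    DWORD disk = GetLogicalDrives();
    for (int i = 0; i < 26; i++)
    {
        Volumeserial[i] = 0;
        if (!(disk & (1u << i)))
        {
            continue;
        }

        // The root path must be "X:\" — the listing shows "A://", which is
        // not a volume root and makes the query fail for every drive.
        char root[] = "A:\\";
        root[0] = (char)('A' + i);

        DWORD serial = 0;
        if (GetVolumeInformation(root, NULL, 0, &serial, NULL, NULL, NULL, 0))
        {
            Volumeserial[i] = serial;
        }
    }
}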

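// Map an open file handle to its drive letter by matching the handle's
// volume serial number against Volumeserial[] (filled by InitVolumeName()).
// Returns L'A'..L'Z', or L'!' when the handle is not a file or no drive has
// that serial. Serial numbers are not guaranteed unique (cloned/imaged disks
// can share one), so the lowest matching letter wins.
wchar_t GetVolumeName(HANDLE hFile)
{
    // Real Win32 type name; the listing's spelling is garbled and would not compile.
    BY_HANDLE_FILE_INFORMATION info;
    if (!GetFileInformationByHandle(hFile, &info))
    {
        return L'!';
    }

    for (int i = 0; i < 26; i++)
    {
        // Entries left at 0 are absent drives; skipping them prevents a file
        // reporting serial 0 from being attributed to a non-existent letter.
        if (Volumeserial[i] != 0 && info.dwVolumeSerialNumber == Volumeserial[i])
        {
            return (wchar_t)(L'A' + i);
        }
    }
    return L'!';
}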

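// Usage: QueryProc <full path, e.g. C:\dir\file.ext>
// Prints every process that holds an open handle to the given file. The
// system handle table is walked, each File-type handle is duplicated into
// this process, ntdll is asked for its volume-relative name and the drive
// letter is recovered from the volume serial. Only processes this program
// can open for PROCESS_DUP_HANDLE are covered, so results are a lower bound
// unless it runs with sufficient privilege.
// Returns 0 on success, 1 on a usage or initialisation error.
int main(int argc, char *argv[])
{
    if (argc < 2)
    {
        printf("QueryProc filename\n");   // the listing shows "/n": a lost backslash
        return 1;
    }

    // Convert the argument to UTF-16. -1 = input is NUL-terminated, so the
    // terminator is converted too and the output stays inside `filename`
    // (the original wrote filename[1000] for a long argument).
    wchar_t filename[1000];
    int num = MultiByteToWideChar(CP_OEMCP, MB_PRECOMPOSED, argv[1], -1,
                                  filename, sizeof filename / sizeof filename[0]);
    if (num == 0)
    {
        printf("bad filename argument\n");
        return 1;
    }

    printf("begin:\n");

    if (!InitNTDLL())
    {
        printf("cannot resolve ntdll exports\n");
        return 1;
    }
    InitVolumeName();

    // Learn the kernel's "File" object-type index by opening our own image
    // and locating that handle in the table: the index is not a documented
    // constant and differs between Windows versions.
    char modpath[MAX_PATH];
    if (GetModuleFileName(NULL, modpath, MAX_PATH) == 0)
    {
        CloseNTDLL();
        return 1;
    }
    HANDLE hTmp = CreateFile(modpath, GENERIC_READ, FILE_SHARE_READ, NULL,
                             OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hTmp == INVALID_HANDLE_VALUE)
    {
        CloseNTDLL();
        return 1;
    }

    PULONG buf = GetHandleList();
    if (buf == NULL)
    {
        CloseHandle(hTmp);
        CloseNTDLL();
        return 1;
    }

    // buf[0] = entry count; entries follow immediately in the 32-bit layout
    // (on x64 the array starts at an 8-byte boundary — verify before porting).
    const ULONG count = buf[0];
    PSYSTEM_HANDLE_INformATION entries = (PSYSTEM_HANDLE_INformATION)&buf[1];

    UCHAR       typeNum   = 0;
    BOOL        typeFound = FALSE;
    const DWORD myPid     = GetCurrentProcessId();
    for (ULONG i = 0; i < count; i++)
    {
        // Handle values fit in 16 bits in the layout this demo assumes.
        if (entries[i].ProcessId == myPid &&
            entries[i].Handle == (USHORT)(ULONG_PTR)hTmp)
        {
            typeNum   = entries[i].ObjectTypeNumber;
            typeFound = TRUE;
            break;
        }
    }
    CloseHandle(hTmp);

    if (!typeFound)
    {
        // The original used TypeNum uninitialised in this case.
        printf("could not determine the File object type\n");
        delete[] buf;
        CloseNTDLL();
        return 1;
    }

    // FILE_NAME_INformATION begins with a ULONG, so the query buffer must be
    // suitably aligned; a plain char array on the stack is not guaranteed to be.
    ULONG_PTR   nameStorage[2000 / sizeof(ULONG_PTR)];
    char       *namebuf   = (char *)nameStorage;
    const ULONG cbNameBuf = sizeof nameStorage;

    for (ULONG i = 0; i < count; i++)
    {
        if (entries[i].ObjectTypeNumber != typeNum)
        {
            continue;
        }

        HANDLE handle = DupHandle(entries[i].ProcessId, (HANDLE)(ULONG_PTR)entries[i].Handle);
        if (handle == NULL)
        {
            continue;   // process not accessible or handle already gone
        }

        // Caveat: FileNameInformation can block indefinitely on some
        // File-type handles (e.g. a named pipe with a pending synchronous
        // operation). Production tools issue the query from a worker thread
        // with a timeout or skip suspicious handles; this demo accepts the risk.
        PFILE_NAME_INformATION name = (PFILE_NAME_INformATION)namebuf;
        ZeroMemory(namebuf, cbNameBuf);
        IO_STATUS_BLOCK ios;
        NTSTATUS status = ZwQueryInformationFile(handle, &ios, namebuf, cbNameBuf,
                                                 9 /* FileNameInformation */);
        if (NT_SUCCESS(status))
        {
            wchar_t     volume  = GetVolumeName(handle);
            const ULONG cchName = name->FileNameLength / sizeof(WCHAR);   // length is in bytes
            wchar_t     outstr[1000];

            if (volume != L'!' &&
                name->FileNameLength <= cbNameBuf - sizeof(ULONG) &&
                cchName + 3 <= sizeof outstr / sizeof outstr[0])
            {
                outstr[0] = volume;
                outstr[1] = L':';
                memcpy(&outstr[2], name->FileName, name->FileNameLength);
                // The original terminated at 2 + byte length, i.e. twice as far
                // along as the wide-character length.
                outstr[2 + cchName] = 0;

                if (_wcsicmp(outstr, filename) == 0)
                {
                    printf("%ws\nProcessId:%lu\n", outstr, (unsigned long)entries[i].ProcessId);
                }
            }
        }
        CloseHandle(handle);
    }

    delete[] buf;
    CloseNTDLL();
    return 0;
}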


演示二:

#include <windows.h>
#include <stdio.h>

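// Minimal NTSTATUS support so the demo builds against <windows.h> alone
// (no DDK / winternl.h). Note the space after each object-like macro name:
// "STATUS_INFO_LENGTH_MISMATCH((NTSTATUS)...)" would declare a function-like
// macro with an invalid parameter list, and the comparisons in
// GetHandleList() would not compile.
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)   // buffer too small; caller retries larger
#define STATUS_ACCESS_DENIED        ((NTSTATUS)0xC0000022L)   // declared for completeness, unused here

typedef LONG NTSTATUS;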
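// Completion status of a native I/O request. Only referenced by the
// ZWOPENFILE signature in this listing.
typedef struct _IO_STATUS_BLOCK
{
    NTSTATUS Status;        // result of the request
    ULONG    Information;   // request-specific value (e.g. bytes returned)
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;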

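// Counted UTF-16 string used by the native API. Length and MaximumLength are
// in BYTES, not characters, and Buffer is not necessarily NUL-terminated —
// main() divides Length by 2 to get the character count.
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;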

// OBJECT_ATTRIBUTES.Attributes flags (as in ntdef.h). This listing declares
// ZWOPENFILE but never calls it, so the flags are unused here.
#define OBJ_INHERIT             0x00000002L
#define OBJ_PERMANENT           0x00000010L
#define OBJ_EXCLUSIVE           0x00000020L
#define OBJ_CASE_INSENSITIVE    0x00000040L
#define OBJ_OPENIF              0x00000080L
#define OBJ_OPENLINK            0x00000100L
#define OBJ_KERNEL_HANDLE       0x00000200L
#define OBJ_VALID_ATTRIBUTES    0x000003F2L   // mask of all bits above

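// Describes an object to open/create via the native API. Referenced only by
// the ZWOPENFILE typedef, which this listing never calls.
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG           Length;                     // sizeof(OBJECT_ATTRIBUTES)
    HANDLE          RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG           Attributes;                 // OBJ_* flags above
    PVOID           SecurityDescriptor;
    PVOID           SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;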

// One entry of the SystemHandleInformation table (information class 16)
// returned by ZwQuerySystemInformation; main() walks an array of these.
// Field widths are the 32-bit layout this demo targets: Handle is 16 bits
// and Object is pointer-sized, so on x64 the entry size/alignment differ
// (and the array no longer starts right after the ULONG count) — verify
// before building for 64-bit. The "INformATION" spelling is how the listing
// names the type throughout, so it is left unchanged.
typedef struct _SYSTEM_HANDLE_INformATION {
    ULONG       ProcessId;          // process that owns the handle
    UCHAR       ObjectTypeNumber;   // kernel object-type index (File, Key, ...); not a fixed constant
    UCHAR       Flags;
    USHORT      Handle;             // handle value inside ProcessId
    PVOID       Object;             // kernel address of the object body
    ACCESS_MASK GrantedAccess;      // access the handle was granted
} SYSTEM_HANDLE_INformATION, *PSYSTEM_HANDLE_INformATION;

// Result of ZwQueryObject(ObjectNameInformation, class 1): the object's
// native name, e.g. "\Device\HarddiskVolume1\dir\file". Name.Buffer points
// into the caller-supplied buffer right after this header, and Name.Length
// is in bytes (see UNICODE_STRING).
typedef struct _OBJECT_NAME_INformATION {
    UNICODE_STRING Name;
} OBJECT_NAME_INformATION, *POBJECT_NAME_INformATION;

// Signatures of the ntdll exports this listing refers to. CALLBACK is
// __stdcall, which is the NTAPI convention on 32-bit builds.
typedef NTSTATUS (CALLBACK* ZWQUERYSYSTEMINformATION)(
    IN  ULONG SystemInformationClass,        // 16 = SystemHandleInformation in this demo
    IN  OUT PVOID SystemInformation,
    IN  ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL);

// Declared but never resolved or called in this listing.
typedef NTSTATUS (CALLBACK* ZWOPENFILE)(
    OUT PHANDLE FileHandle,
    IN  ACCESS_MASK DesiredAccess,
    IN  POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN  ULONG ShareAccess,
    IN  ULONG OpenOptions
);

typedef NTSTATUS (CALLBACK* ZWQUERYOBJECT)(
    IN HANDLE ObjectHandle,
    IN ULONG ObjectInformationClass,         // 1 = ObjectNameInformation in this demo
    OUT PVOID ObjectInformation,
    IN ULONG ObjectInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

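// Run-time resolved ntdll entry points and the module handle that keeps them
// valid. All are NULL until InitNTDLL() succeeds; callers must not invoke the
// pointers before checking that (the listing had the type and variable names
// run together on the first and last line, which does not compile).
ZWQUERYSYSTEMINformATION ZwQuerySystemInformation = NULL;
ZWQUERYOBJECT            ZwQueryObject            = NULL;
HMODULE                  g_hNtDLL                 = NULL;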

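// Resolve the ntdll exports the program needs.
// Returns TRUE only when both function pointers were found; on any failure
// the module reference is released, the globals stay NULL and FALSE is
// returned. (The original returned TRUE even when GetProcAddress failed,
// leaving GetHandleList() to call a NULL pointer.)
BOOL InitNTDLL()
{
    // ntdll.dll is already mapped in every process, so this resolves to the
    // loaded image rather than searching the disk; it only adds a reference
    // that CloseNTDLL() drops again.
    g_hNtDLL = LoadLibrary("ntdll.dll");
    if (!g_hNtDLL)
    {
        return FALSE;
    }

    ZwQuerySystemInformation =
        (ZWQUERYSYSTEMINformATION)GetProcAddress(g_hNtDLL, "ZwQuerySystemInformation");
    ZwQueryObject =
        (ZWQUERYOBJECT)GetProcAddress(g_hNtDLL, "ZwQueryObject");

    if (ZwQuerySystemInformation == NULL || ZwQueryObject == NULL)
    {
        FreeLibrary(g_hNtDLL);
        g_hNtDLL = NULL;
        return FALSE;
    }
    return TRUE;
}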

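// Release the ntdll reference taken by InitNTDLL().
// Resets the module handle and the resolved pointers so a second call is a
// no-op and no stale pointers survive the FreeLibrary.
VOID CloseNTDLL()
{
    if (g_hNtDLL != NULL)
    {
        FreeLibrary(g_hNtDLL);
        g_hNtDLL = NULL;
        ZwQuerySystemInformation = NULL;
        ZwQueryObject = NULL;
    }
}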

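// Fetch the system-wide handle table (SystemHandleInformation, class 16).
// Returns a new[]-allocated buffer the caller must delete[]: buf[0] holds
// the entry count and the SYSTEM_HANDLE_INformATION entries follow (see the
// layout caveat on that struct). Returns NULL when ntdll was not initialised
// or the query fails for a reason other than buffer size.
// The required size is not known up front, so the buffer is doubled while
// the kernel answers STATUS_INFO_LENGTH_MISMATCH; the table can also grow
// between two calls, which the loop tolerates.
PULONG GetHandleList()
{
    if (ZwQuerySystemInformation == NULL)
    {
        return NULL;   // InitNTDLL() was not called or failed
    }

    ULONG    cElems  = 0x1000;              // size in ULONGs, not bytes
    PULONG   pBuffer = new ULONG[cElems];   // new[] throws on exhaustion
    DWORD    cbReturned = 0;
    NTSTATUS Status;

    do
    {
        Status = ZwQuerySystemInformation(16, pBuffer, cElems * sizeof *pBuffer, &cbReturned);

        if (Status == STATUS_INFO_LENGTH_MISMATCH)
        {
            delete[] pBuffer;
            cElems *= 2;
            pBuffer = new ULONG[cElems];
        }
        else if (!NT_SUCCESS(Status))
        {
            delete[] pBuffer;
            return NULL;
        }
    } while (Status == STATUS_INFO_LENGTH_MISMATCH);

    return pBuffer;
}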

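// Duplicate `handle` of process `PId` into the current process.
// Returns the local handle, which the caller must CloseHandle(), or NULL when
// the process cannot be opened for PROCESS_DUP_HANDLE or the duplication
// fails. Processes the caller lacks access to (other users' processes,
// protected processes) make NULL a routine outcome, so callers must check.
HANDLE DupHandle(DWORD PId, HANDLE handle)
{
    HANDLE hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, PId);
    if (hProcess == NULL)
    {
        return NULL;
    }

    HANDLE hLocal = NULL;
    // DUPLICATE_SAME_ACCESS keeps the source handle's access mask (the
    // original passed the raw value 2). Not inheritable.
    if (!DuplicateHandle(hProcess, handle, GetCurrentProcess(), &hLocal,
                         0, FALSE, DUPLICATE_SAME_ACCESS))
    {
        hLocal = NULL;
    }

    CloseHandle(hProcess);
    return hLocal;
}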

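// Map a native object name such as "\Device\HarddiskVolume3\dir\f.txt" to
// the drive letter that currently points at that device.
// QueryDosDevice returns the device path behind "X:", so the mapping is read
// from the system instead of assuming volume N is drive 'C'+N-1 (the
// original's rule, which is wrong on most machines with recovery/EFI
// partitions). Stores the letter in *letter and returns the length in WCHARs
// of the matched device prefix, or 0 when no letter maps to that device
// (network and subst paths fall out here, as they did in the original).
// objName need not be NUL-terminated; cchObjName bounds every read.
static USHORT DevicePrefixToDrive(const WCHAR *objName, USHORT cchObjName, wchar_t *letter)
{
    for (int i = 0; i < 26; i++)
    {
        WCHAR dosName[3] = { (WCHAR)(L'A' + i), L':', 0 };
        WCHAR target[MAX_PATH];
        if (QueryDosDeviceW(dosName, target, MAX_PATH) == 0)
        {
            continue;   // letter not assigned
        }

        // The result is MULTI_SZ; the first string is the active mapping.
        size_t cchTarget = wcslen(target);
        if (cchTarget == 0 || cchTarget > cchObjName)
        {
            continue;
        }

        // The device name must match as a whole path component.
        if (_wcsnicmp(objName, target, cchTarget) == 0 &&
            (cchTarget == cchObjName || objName[cchTarget] == L'\\'))
        {
            *letter = (wchar_t)(L'A' + i);
            return (USHORT)cchTarget;
        }
    }
    return 0;
}

// Usage: QueryProc <full path, e.g. C:\dir\file.ext>
// Prints every process that holds an open handle to the given file. The
// system handle table is walked, each File-type handle is duplicated into
// this process, ntdll is asked for the object's native name and the device
// prefix is translated back to a drive letter. Only processes this program
// can open for PROCESS_DUP_HANDLE are covered, so results are a lower bound
// unless it runs with sufficient privilege.
// Returns 0 on success, 1 on a usage or initialisation error.
int main(int argc, char *argv[])
{
    if (argc < 2)
    {
        printf("QueryProc filename\n");   // the listing shows "/n": a lost backslash
        return 1;
    }

    // Convert the argument to UTF-16. -1 = input is NUL-terminated, so the
    // terminator is converted too and the output stays inside `filename`
    // (the original wrote filename[1000] for a long argument).
    wchar_t filename[1000];
    int num = MultiByteToWideChar(CP_OEMCP, MB_PRECOMPOSED, argv[1], -1,
                                  filename, sizeof filename / sizeof filename[0]);
    if (num == 0)
    {
        printf("bad filename argument\n");
        return 1;
    }

    printf("begin:\n");

    if (!InitNTDLL())
    {
        printf("cannot resolve ntdll exports\n");
        return 1;
    }

    // Learn the kernel's "File" object-type index by opening our own image
    // and locating that handle in the table: the index is not a documented
    // constant and differs between Windows versions.
    char modpath[MAX_PATH];
    if (GetModuleFileName(NULL, modpath, MAX_PATH) == 0)
    {
        CloseNTDLL();
        return 1;
    }
    HANDLE hTmp = CreateFile(modpath, GENERIC_READ, FILE_SHARE_READ, NULL,
                             OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hTmp == INVALID_HANDLE_VALUE)
    {
        CloseNTDLL();
        return 1;
    }

    PULONG buf = GetHandleList();
    if (buf == NULL)
    {
        CloseHandle(hTmp);
        CloseNTDLL();
        return 1;
    }

    // buf[0] = entry count; entries follow immediately in the 32-bit layout
    // (on x64 the array starts at an 8-byte boundary — verify before porting).
    const ULONG count = buf[0];
    PSYSTEM_HANDLE_INformATION entries = (PSYSTEM_HANDLE_INformATION)&buf[1];

    UCHAR       typeNum   = 0;
    BOOL        typeFound = FALSE;
    const DWORD myPid     = GetCurrentProcessId();
    for (ULONG i = 0; i < count; i++)
    {
        // Handle values fit in 16 bits in the layout this demo assumes.
        if (entries[i].ProcessId == myPid &&
            entries[i].Handle == (USHORT)(ULONG_PTR)hTmp)
        {
            typeNum   = entries[i].ObjectTypeNumber;
            typeFound = TRUE;
            break;
        }
    }
    CloseHandle(hTmp);

    if (!typeFound)
    {
        // The original used TypeNum uninitialised in this case.
        printf("could not determine the File object type\n");
        delete[] buf;
        CloseNTDLL();
        return 1;
    }

    // OBJECT_NAME_INformATION starts with a UNICODE_STRING that holds a
    // pointer, so the query buffer must be pointer-aligned; a plain char
    // array on the stack is not guaranteed to be.
    ULONG_PTR   nameStorage[2000 / sizeof(ULONG_PTR)];
    char       *namebuf   = (char *)nameStorage;
    const ULONG cbNameBuf = sizeof nameStorage;

    for (ULONG i = 0; i < count; i++)
    {
        if (entries[i].ObjectTypeNumber != typeNum)
        {
            continue;
        }

        HANDLE handle = DupHandle(entries[i].ProcessId, (HANDLE)(ULONG_PTR)entries[i].Handle);
        if (handle == NULL)
        {
            continue;   // process not accessible or handle already gone
        }

        // Caveat: ObjectNameInformation can block indefinitely on some
        // File-type handles (e.g. a named pipe with a pending synchronous
        // operation). Production tools issue the query from a worker thread
        // with a timeout or skip suspicious handles; this demo accepts the risk.
        POBJECT_NAME_INformATION name = (POBJECT_NAME_INformATION)namebuf;
        DWORD    ret    = 0;
        NTSTATUS status = ZwQueryObject(handle, 1 /* ObjectNameInformation */, namebuf, cbNameBuf, &ret);
        if (NT_SUCCESS(status) && name->Name.Buffer != NULL)
        {
            const USHORT cchName = name->Name.Length / sizeof(WCHAR);   // Length is in bytes
            wchar_t      letter  = L'!';
            const USHORT cchPrefix = DevicePrefixToDrive(name->Name.Buffer, cchName, &letter);
            wchar_t      outstr[1000];

            // The original compared Name.Length (bytes) with 23 (characters)
            // and then read 44 bytes of the buffer regardless; here the
            // prefix length comes from the matched device name.
            if (cchPrefix != 0 &&
                (size_t)(cchName - cchPrefix) + 3 <= sizeof outstr / sizeof outstr[0])
            {
                const size_t cchRest = (size_t)(cchName - cchPrefix);
                outstr[0] = letter;
                outstr[1] = L':';
                memcpy(&outstr[2], &name->Name.Buffer[cchPrefix], cchRest * sizeof(WCHAR));
                outstr[2 + cchRest] = 0;

                if (_wcsicmp(outstr, filename) == 0)
                {
                    printf("%ws\nProcessId:%lu\n", outstr, (unsigned long)entries[i].ProcessId);
                }
            }
        }
        CloseHandle(handle);
    }

    delete[] buf;
    CloseNTDLL();
    return 0;
}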
 