EnumerateSystemHandle

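#ifndef HEADER_HEAD_FILE
#define HEADER_HEAD_FILE
#pragma once

/*
 * Declarations that the public WDK headers do not provide but that a walk of the
 * system handle table needs: the SYSTEM_INFORMATION_CLASS enumeration, the
 * SystemHandleInformation buffer layout, the OBJECT_*_INFORMATION layouts used
 * with ZwQueryObject, and the ZwQuerySystemInformation prototype.
 *
 * This header includes nothing itself. The including translation unit must pull
 * in <ntifs.h> (or <ntddk.h>) first so that USHORT, UCHAR, ULONG, PVOID,
 * NTSTATUS, UNICODE_STRING, GENERIC_MAPPING, ACCESS_MASK, LARGE_INTEGER,
 * BOOLEAN, NTSYSAPI and NTAPI are in scope.
 */

/* ObjectNameInformation is not declared by the author's WDK OBJECT_INFORMATION_CLASS
   enumeration, so its value is supplied here for use with ZwQueryObject. */
#define ObjectNameInformation 1

/* Information classes accepted by ZwQuerySystemInformation.
   The values are positional: do not reorder or insert members, otherwise
   SystemHandleInformation (16) and every later class shift. */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation = 0,             // basic system information
    SystemProcessorInformation,             // obsolete...delete
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemPathInformation,
    SystemProcessInformation,               // system process information
    SystemCallCountInformation,
    SystemDeviceInformation,
    SystemProcessorPerformanceInformation,
    SystemFlagsInformation,
    SystemCallTimeInformation,
    SystemModuleInformation,                // system module information
    SystemLocksInformation,
    SystemStackTraceInformation,
    SystemPagedPoolInformation,
    SystemNonPagedPoolInformation,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPageFileInformation,
    SystemVdmInstemulInformation,
    SystemVdmBopInformation,
    SystemFileCacheInformation,
    SystemPoolTagInformation,
    SystemInterruptInformation,
    SystemDpcBehaviorInformation,
    SystemFullMemoryInformation,
    SystemLoadGdiDriverInformation,
    SystemUnloadGdiDriverInformation,
    SystemTimeAdjustmentInformation,
    SystemSummaryMemoryInformation,
    SystemMirrorMemoryInformation,
    SystemPerformanceTraceInformation,
    SystemObsolete0,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemExtendServiceTableInformation,
    SystemPrioritySeperation,
    SystemVerifierAddDriverInformation,
    SystemVerifierRemoveDriverInformation,
    SystemProcessorIdleInformation,
    SystemLegacyDriverInformation,
    SystemCurrentTimeZoneInformation,
    SystemLookasideInformation,
    SystemTimeSlipNotification,
    SystemSessionCreate,
    SystemSessionDetach,
    SystemSessionInformation,
    SystemRangeStartInformation,
    SystemVerifierInformation,
    SystemVerifierThunkExtend,
    SystemSessionProcessInformation,
    SystemLoadGdiDriverInSystemSpace,
    SystemNumaProcessorMap,
    SystemPrefetcherInformation,
    SystemExtendedProcessInformation,
    SystemRecommendedSharedDataAlignment,
    SystemComPlusPackage,
    SystemNumaAvailableMemory,
    SystemProcessorPowerInformation,
    SystemEmulationBasicInformation,
    SystemEmulationProcessorInformation,
    SystemExtendedHandleInformation,
    SystemLostDelayedWriteInformation,
    SystemBigPoolInformation,
    SystemSessionPoolTagInformation,
    SystemSessionMappedViewInformation,
    SystemHotpatchInformation,
    SystemObjectSecurityMode,
    SystemWatchdogTimerHandler,
    SystemWatchdogTimerInformation,
    SystemLogicalProcessorInformation,
    SystemWow64SharedInformation,
    SystemRegisterFirmwareTableInformationHandler,
    SystemFirmwareTableInformation,
    SystemModuleInformationEx,
    SystemVerifierTriageInformation,
    SystemSuperfetchInformation,
    SystemMemoryListInformation,
    SystemFileCacheInformationEx,
    MaxSystemInfoClass  // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS;

/* One entry of the SystemHandleInformation table.
   UniqueProcessId and HandleValue are only 16 bits wide in this class, so
   process ids or handle values above 65535 are truncated;
   SystemExtendedHandleInformation is the class with full-width fields. */
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
    USHORT UniqueProcessId;
    USHORT CreatorBackTraceIndex;
    UCHAR  ObjectTypeIndex;
    UCHAR  HandleAttributes;
    USHORT HandleValue;
    PVOID  Object;
    ULONG  GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;

/* Header of the SystemHandleInformation buffer. Handles[] really holds
   NumberOfHandles entries; the [1] is the usual Windows "any size" convention,
   so never take sizeof this struct as the size of a filled buffer. */
typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG NumberOfHandles;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

/* Result layout for ZwQueryObject(ObjectBasicInformation).
   TypeInfoSize is the buffer size needed for a following ObjectTypeInformation query. */
typedef struct _OBJECT_BASIC_INFORMATION {
    ULONG Attributes;
    ACCESS_MASK GrantedAccess;
    ULONG HandleCount;
    ULONG PointerCount;
    ULONG PagedPoolCharge;
    ULONG NonPagedPoolCharge;
    ULONG Reserved[3];
    ULONG NameInfoSize;
    ULONG TypeInfoSize;
    ULONG SecurityDescriptorSize;
    LARGE_INTEGER CreationTime;
} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;

/* Result layout for ZwQueryObject(ObjectTypeInformation). TypeName's buffer is
   placed by the kernel directly after the fixed part, which is why the caller must
   allocate TypeInfoSize bytes rather than sizeof this struct. */
typedef struct _OBJECT_TYPE_INFORMATION {
    UNICODE_STRING TypeName;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG TotalPagedPoolUsage;
    ULONG TotalNonPagedPoolUsage;
    ULONG TotalNamePoolUsage;
    ULONG TotalHandleTableUsage;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    ULONG HighWaterPagedPoolUsage;
    ULONG HighWaterNonPagedPoolUsage;
    ULONG HighWaterNamePoolUsage;
    ULONG HighWaterHandleTableUsage;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    ULONG PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;

/*
 * Exported by ntoskrnl but not declared in the author's WDK headers.
 *
 * NTAPI (__stdcall on x86) is required: the original prototype omitted it, so an
 * x86 build would have called the export with the compiler's default calling
 * convention and corrupted the stack. NTSYSAPI matches how the WDK declares the
 * other Zw* exports.
 *
 * Returns STATUS_INFO_LENGTH_MISMATCH when SystemInformationLength is too small
 * for the requested class; callers retry with a larger buffer.
 */
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
    );

#endif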





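#include <ntifs.h>
#include <ntddk.h>
#include "Header.h"

/* Pool tag for every allocation made by this driver, so the buffers can be
   attributed in poolmon / !poolused instead of showing up as untagged pool. */
#define HANDLE_ENUM_POOL_TAG 'EdnH'

/* Upper bound on the buffer-doubling retries for the SystemHandleInformation
   snapshot: PAGE_SIZE << 16 is 256 MiB, far more than any handle table needs. */
#define HANDLE_ENUM_MAX_RETRIES 16

NTSTATUS EnumerateSystemHandle(void);

/*
 * Unload routine. The driver keeps no resources alive after DriverEntry
 * (every handle and pool block is released inside EnumerateSystemHandle),
 * so there is nothing to tear down here.
 */
VOID HelloDDKUnload(IN PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
}

/*
 * Driver entry point: registers the unload routine and runs the handle
 * enumeration once. Always returns STATUS_SUCCESS (as the original did) so the
 * driver stays loaded and can be unloaded normally even when the enumeration
 * itself fails; the failure is only logged.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pRegistryPath);

    /* Register the unload routine. */
    pDriverObject->DriverUnload = HelloDDKUnload;

    /* The original called DbgBreakPoint() unconditionally, which bugchecks on a
       machine without a kernel debugger attached. KdBreakPoint() keeps the stop
       in checked (DBG) builds and compiles to nothing in free builds. */
    KdBreakPoint();

    status = EnumerateSystemHandle();
    if (!NT_SUCCESS(status)) {
        KdPrint(("EnumerateSystemHandle failed: 0x%08X\n", status));
    }

    return STATUS_SUCCESS;
}

/*
 * Take a snapshot of the system handle table.
 *
 * The buffer starts at PAGE_SIZE and is doubled while ZwQuerySystemInformation
 * reports STATUS_INFO_LENGTH_MISMATCH. Any other failure ends the loop: the
 * original retried forever on such a status and leaked one buffer per pass.
 *
 * On success *OutInfo receives a pool block tagged HANDLE_ENUM_POOL_TAG that the
 * caller owns and must release with ExFreePoolWithTag. On failure *OutInfo is NULL.
 */
static NTSTATUS QuerySystemHandleTable(PSYSTEM_HANDLE_INFORMATION *OutInfo)
{
    ULONG nLength = PAGE_SIZE;
    ULONG ReturnLength = 0;

    *OutInfo = NULL;

    for (ULONG attempt = 0; attempt < HANDLE_ENUM_MAX_RETRIES; attempt++) {
        PVOID Buffer = ExAllocatePoolWithTag(NonPagedPool, nLength, HANDLE_ENUM_POOL_TAG);
        if (Buffer == NULL) {
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        NTSTATUS Status = ZwQuerySystemInformation(SystemHandleInformation, Buffer, nLength, &ReturnLength);
        if (NT_SUCCESS(Status)) {
            *OutInfo = (PSYSTEM_HANDLE_INFORMATION)Buffer;
            return Status;
        }

        ExFreePoolWithTag(Buffer, HANDLE_ENUM_POOL_TAG);

        if (Status != STATUS_INFO_LENGTH_MISMATCH) {
            return Status;
        }

        /* The table can grow between two calls, so doubling (rather than trusting
           ReturnLength exactly) gives headroom for the next attempt. */
        nLength *= 2;
    }

    return STATUS_INFO_LENGTH_MISMATCH;
}

/*
 * Print "<name><type><handle value>" for one entry of the snapshot.
 *
 * Best effort: any failure simply skips the entry. Every process handle,
 * duplicated handle and pool block acquired here is released before returning,
 * so repeated calls do not grow the handle table of the calling process (the
 * System process when invoked from DriverEntry) or leak pool. The original
 * closed only the last pair of handles after the loop.
 */
static VOID DescribeHandleEntry(const SYSTEM_HANDLE_TABLE_ENTRY_INFO *Entry)
{
    NTSTATUS Status;
    OBJECT_ATTRIBUTES oa;
    CLIENT_ID cid;
    HANDLE hProcess = NULL;
    HANDLE hDupObj = NULL;
    OBJECT_BASIC_INFORMATION BasicInfo;
    POBJECT_NAME_INFORMATION pNameInfo = NULL;
    POBJECT_TYPE_INFORMATION pTypeInfo = NULL;
    ULONG ReturnLength = 0;

    /* UniqueProcessId is a USHORT in this information class, so pids above 65535
       cannot be represented; SystemExtendedHandleInformation would be needed. */
    cid.UniqueProcess = (HANDLE)(ULONG_PTR)Entry->UniqueProcessId;
    cid.UniqueThread = NULL;
    InitializeObjectAttributes(&oa, NULL, 0, NULL, NULL);

    Status = ZwOpenProcess(&hProcess, PROCESS_DUP_HANDLE, &oa, &cid);
    if (!NT_SUCCESS(Status)) {
        KdPrint(("ZwOpenProcess : Fail "));
        return;
    }

    /* With DUPLICATE_SAME_ACCESS the DesiredAccess argument is ignored; the
       original's PROCESS_ALL_ACCESS is kept unchanged. */
    Status = ZwDuplicateObject(hProcess, (HANDLE)(ULONG_PTR)Entry->HandleValue, NtCurrentProcess(),
                               &hDupObj, PROCESS_ALL_ACCESS, 0, DUPLICATE_SAME_ACCESS);
    if (!NT_SUCCESS(Status)) {
        goto cleanup;
    }

    Status = ZwQueryObject(hDupObj, ObjectBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL);
    if (!NT_SUCCESS(Status)) {
        goto cleanup;
    }

    pNameInfo = ExAllocatePoolWithTag(NonPagedPool, PAGE_SIZE, HANDLE_ENUM_POOL_TAG);
    if (pNameInfo == NULL) {
        goto cleanup;
    }

    /* NOTE(review): ZwQueryObject(ObjectNameInformation) is known to block
       indefinitely on some synchronous file handles (e.g. a pipe with an operation
       in flight); a production enumerator queries the name from a worker thread
       with a timeout or skips file-type handles. Names longer than PAGE_SIZE fail
       with a length mismatch and are skipped here. */
    Status = ZwQueryObject(hDupObj, ObjectNameInformation, pNameInfo, PAGE_SIZE, &ReturnLength);
    if (!NT_SUCCESS(Status)) {
        goto cleanup;
    }

    /* TypeInfoSize comes from the kernel; a zero size would make the allocation
       and the following query meaningless, so treat it as "no type info". */
    if (BasicInfo.TypeInfoSize == 0) {
        goto cleanup;
    }
    pTypeInfo = ExAllocatePoolWithTag(NonPagedPool, BasicInfo.TypeInfoSize, HANDLE_ENUM_POOL_TAG);
    if (pTypeInfo == NULL) {
        goto cleanup;
    }
    RtlZeroMemory(pTypeInfo, BasicInfo.TypeInfoSize);

    /* The original printed TypeName without checking this status. */
    Status = ZwQueryObject(hDupObj, ObjectTypeInformation, pTypeInfo, BasicInfo.TypeInfoSize, NULL);
    if (!NT_SUCCESS(Status)) {
        goto cleanup;
    }

    KdPrint(("%wZ%wZ%d\n", &pNameInfo->Name, &pTypeInfo->TypeName, Entry->HandleValue));

cleanup:
    /* Freeing NULL is a bugcheck in kernel mode, hence the guards. */
    if (pTypeInfo != NULL) {
        ExFreePoolWithTag(pTypeInfo, HANDLE_ENUM_POOL_TAG);
    }
    if (pNameInfo != NULL) {
        ExFreePoolWithTag(pNameInfo, HANDLE_ENUM_POOL_TAG);
    }
    if (hDupObj != NULL) {
        ZwClose(hDupObj);
    }
    ZwClose(hProcess);
}

/*
 * Enumerate every handle in the system and log name, type and handle value of
 * each one via KdPrint.
 *
 * Returns STATUS_SUCCESS after walking the table, STATUS_UNSUCCESSFUL when the
 * snapshot holds no handles (the original contract), or the failing status of the
 * snapshot query (STATUS_INSUFFICIENT_RESOURCES when pool is exhausted). The
 * snapshot buffer is always released, which the original never did.
 *
 * Must be called at PASSIVE_LEVEL (ZwQuerySystemInformation, ZwOpenProcess and
 * ZwQueryObject are all system service calls).
 */
NTSTATUS EnumerateSystemHandle(void)
{
    PSYSTEM_HANDLE_INFORMATION pHandleInfo = NULL;
    NTSTATUS Status = QuerySystemHandleTable(&pHandleInfo);
    if (!NT_SUCCESS(Status)) {
        return Status;
    }

    if (pHandleInfo->NumberOfHandles == 0) {
        Status = STATUS_UNSUCCESSFUL;
    } else {
        for (ULONG i = 0; i < pHandleInfo->NumberOfHandles; i++) {
            DescribeHandleEntry(&pHandleInfo->Handles[i]);
        }
        Status = STATUS_SUCCESS;
    }

    ExFreePoolWithTag(pHandleInfo, HANDLE_ENUM_POOL_TAG);
    return Status;
}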

