Menu
I'm required for a certain task to enumerate all handles in the system. The best approach I found so far is using the underdocumented NtQuerySystemInformation with the SystemHandleInformation flag for the class parameter.
So far so good. However, running it in 32 bit mode on 64 bit Windows, the required structure is as follows:
// 32-bit version
[StructLayout(LayoutKind.Sequential, Pack=1)]
public struct SYSTEM_HANDLE_INFORMATION
{
public uint ProcessID;
public byte ObjectTypeNumber;
public byte Flags;
public ushort Handle;
public uint Object_Pointer;
public UInt32 GrantedAccess;
}
And for 64 bit Windows (x64, I didn't test Itanium, which I hope isn't different...), the structure is as follows:
// 64-bit version
[StructLayout(LayoutKind.Sequential, Pack=1)]
public struct SYSTEM_HANDLE_INFORMATION
{
public int Reserved; // unknown, no documentation found
public uint ProcessID;
public byte ObjectTypeNumber;
public byte Flags;
public ushort Handle;
public long Object_Pointer;
public UInt32 GrantedAccess;
}
Now, I should change the Object_Pointer to an IntPtr. I hoped for a moment I could do the same with ProcessId, there was a reference saying this was actually a HANDLE which is actually a 64-bit value. However, Reserved is always zero, so I cannot merge that into an IntPtr the same way.
This is probably not the only scenario where this happens. I'm looking for a best practice way of dealing with such differences:
#if WIN32 (used internally in the reference source of IntPtr) wouldn't work here unless I want to maintain separate binaries.if IntPtr.Size ==4 in code. This works for external functions, but doesn't work well with types.GetType but I'm not sure where that leads (might help with Marshalling?).None of these seem ideal, but so far, the only foolproof way seems to be to lard my system with if IsWin64() statements. I'd love to hear better approaches than mine.
952
That's the thing - SystemHandleInformation's structures only give you 16-bit PIDs. You can use SystemExtendedHandleInformation on XP and higher.
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public class SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX
{
public IntPtr Object;
public IntPtr UniqueProcessId;
public IntPtr HandleValue;
public uint GrantedAccess;
public ushort CreatorBackTraceIndex;
public ushort ObjectTypeIndex;
public uint HandleAttributes;
public uint Reserved;
}
internal enum SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation = 0,
SystemPerformanceInformation = 2,
SystemTimeOfDayInformation = 3,
SystemProcessInformation = 5,
SystemProcessorPerformanceInformation = 8,
SystemHandleInformation = 16,
SystemInterruptInformation = 23,
SystemExceptionInformation = 33,
SystemRegistryQuotaInformation = 37,
SystemLookasideInformation = 45,
SystemExtendedHandleInformation = 64,
}
[DllImport("ntdll.dll", CharSet=CharSet.Auto)]
private static extern int NtQuerySystemInformation(int InfoType, IntPtr lpStructure, int StructSize, out int returnLength);
public static void Main(string[] args)
{
Console.WriteLine(Environment.Is64BitProcess ? "x64" : "x32");
Console.WriteLine();
var infoSize = Marshal.SizeOf(typeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX));
Console.WriteLine("sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX): {0}", infoSize);
int allSize = 1000 * infoSize;
var buffer = Marshal.AllocHGlobal(allSize);
var status = NtQuerySystemInformation((int)SYSTEM_INFORMATION_CLASS.SystemExtendedHandleInformation, buffer, allSize, out allSize);
Console.WriteLine("status: {0:x}, return len: {1}", status, allSize);
if (status != 0)
{
allSize += 40 * infoSize;
Marshal.FreeHGlobal(buffer);
buffer = Marshal.AllocHGlobal(allSize);
status = NtQuerySystemInformation((int)SYSTEM_INFORMATION_CLASS.SystemExtendedHandleInformation, buffer, allSize, out allSize);
Console.WriteLine("status: {0:x}, return len: {1}", status, allSize);
}
Console.WriteLine();
var info = new SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX();
//for (var i = 0; i < allSize; i += infoSize)
for (var i = 0; i < Math.Min(allSize, 20 * infoSize); i+= infoSize) // for testing purpose only 20
{
Marshal.PtrToStructure(IntPtr.Add(buffer, i), info);
Console.WriteLine("{0,16:x}, {1,16:x}, {2,16:x}, {3,6:x}, {4,8:x}", info.Object.ToInt64(), info.UniqueProcessId.ToInt64(), info.HandleValue.ToInt64(), info.GrantedAccess, info.HandleAttributes);
}
Marshal.FreeHGlobal(buffer);
}
Output:
x32
sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX): 28
status: c0000004, return len: 1850052
status: 0, return len: 1850052
10219, 0, 6729b30, 4, 1fffff
0, 0, dfa0, 4, 2001f
0, 0, 8eb0, 4, f000f
0, 0, fca0, 4, 0
0, 0, 225b0, 4, 20019
0, 0, 98210, 4, f003f
0, 0, 6758e60, 4, 1f0001
0, 0, 98040, 4, 2001f
0, 0, 67534e0, 4, 1f0001
0, 0, 9c560, 4, 2001f
0, 0, 6834620, 4, 1fffff
0, 0, 99250, 4, f003f
0, 0, 9a7c0, 4, f003f
0, 0, 95380, 4, f003f
0, 0, 62d80, 4, f003f
0, 0, 15e580, 4, 20019
0, 0, 6f3b940, 4, 2a
0, 0, 20da30, 4, e
0, 0, 7b07a0, 4, 10
0, 0, 9af83a0, 4, 20019
x64
sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX): 40
status: c0000004, return len: 2647576
status: 0, return len: 2647856
10294, 0, fffffa8006729b30, 4, 4
70000001fffff, 0, fffff8a00000dfa0, 4, 8
2300000002001f, 0, fffff8a000008eb0, 4, c
30000000f000f, 0, fffff8a00000fca0, 4, 10
23000000000000, 0, fffff8a0000225b0, 4, 14
23000000020019, 0, fffff8a000098210, 4, 18
230000000f003f, 0, fffffa8006758e60, 4, 1c
240000001f0001, 0, fffff8a000098040, 4, 20
2300000002001f, 0, fffffa80067534e0, 4, 24
240000001f0001, 0, fffff8a00009c560, 4, 28
2300000002001f, 0, fffffa8006834620, 4, 2c
80000001fffff, 0, fffff8a000099250, 4, 30
230000000f003f, 0, fffff8a00009a7c0, 4, 34
230000000f003f, 0, fffff8a000095380, 4, 38
230000000f003f, 0, fffff8a000062d80, 4, 3c
230000000f003f, 0, fffff8a00015e580, 4, 40
23000000020019, 0, fffffa8006f3b940, 4, 44
700000000002a, 0, fffff8a00020da30, 4, 48
500000000000e, 0, fffff8a0007b07a0, 4, 4c
23000000000010, 0, fffff8a009af83a0, 4, 50
Given IntPtr's size is different, why not try the following:
[StructLayout(LayoutKind.Sequential, Pack=1)]
public struct SYSTEM_HANDLE_INFORMATION
{
public IntPtr ProcessID; // mask with 0xffffffff
public byte ObjectTypeNumber;
public byte Flags;
public ushort Handle;
public IntPtr Object_Pointer; // again good for 32/64bit
public UInt32 GrantedAccess;
}
This should work for both 32 and 64 bit unaltered.
38
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
