1. 技术文章
  2. C# Get list of handles, AcessViolationException

C# Get list of handles, AcessViolationException

时光怂恿深爱的人放手 提交于 2019-12-11 02:37:46

问题


Info:

  • .Net 4.5

Tested on:

  • Win7 64 bit

  • Win10 64 bit (Virtual Box)

I am trying to get a list of handles of an external process and return their names as string so I can close a specific one afterwards. Therefore i wrote this function using the Win32API which will check if the handle is the handle i want to close: `

        const int CNST_SYSTEM_HANDLE_INFORMATION = 16;
        const uint STATUS_INFO_LENGTH_MISMATCH = 0xc0000004;

        public static string getObjectTypeName(Win32API.SYSTEM_HANDLE_INFORMATION shHandle, Process process)
        {
            IntPtr m_ipProcessHwnd = Win32API.OpenProcess(Win32API.ProcessAccessFlags.All, false, process.Id);
            IntPtr ipHandle = IntPtr.Zero;
            var objBasic = new Win32API.OBJECT_BASIC_INFORMATION();
            IntPtr ipBasic = IntPtr.Zero;
            var objObjectType = new Win32API.OBJECT_TYPE_INFORMATION();
            IntPtr ipObjectType = IntPtr.Zero;
            IntPtr ipObjectName = IntPtr.Zero;
            string strObjectTypeName = "";
            int nLength = 0;
            int nReturn = 0;
            IntPtr ipTemp = IntPtr.Zero;


            if (!Win32API.DuplicateHandle(m_ipProcessHwnd, shHandle.Handle,
                                          Win32API.GetCurrentProcess(), out ipHandle,
                                          0, false, Win32API.DUPLICATE_SAME_ACCESS))
                return null;



            ipBasic = Marshal.AllocHGlobal(Marshal.SizeOf(objBasic));
            Win32API.NtQueryObject(ipHandle, (int)Win32API.ObjectInformationClass.ObjectBasicInformation,
                                   ipBasic, Marshal.SizeOf(objBasic), ref nLength);
            objBasic = (Win32API.OBJECT_BASIC_INFORMATION)Marshal.PtrToStructure(ipBasic, objBasic.GetType());
            Marshal.FreeHGlobal(ipBasic);

            ipObjectType = Marshal.AllocHGlobal(objBasic.TypeInformationLength);
            nLength = objBasic.TypeInformationLength;
            while ((uint)(nReturn = Win32API.NtQueryObject(
                ipHandle, (int)Win32API.ObjectInformationClass.ObjectTypeInformation, ipObjectType,
                  nLength, ref nLength)) ==
                Win32API.STATUS_INFO_LENGTH_MISMATCH)
            {
                Marshal.FreeHGlobal(ipObjectType);
                ipObjectType = Marshal.AllocHGlobal(nLength);
            }

            objObjectType = (Win32API.OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(ipObjectType, objObjectType.GetType());
            if (Is64Bits())
            {
                ipTemp = new IntPtr(Convert.ToInt64(objObjectType.Name.Buffer.ToString(), 10) >> 32);
            }
            else
            {
                ipTemp = objObjectType.Name.Buffer;
            }

        strObjectTypeName = Marshal.PtrToStringUni(ipTemp, objObjectType.Name.Length >> 1);


        Marshal.FreeHGlobal(ipObjectType);
            Win32API.CloseHandle(ipHandle);
            return strObjectTypeName;
        }`

The problem however is that this code works in Win7 64bit, not in Win10! --> In Win 10 strObjectTypeName = Marshal.PtrToStringUni(); throws a AcessViolationException (Last few lines in the code)

System.AccessViolationException Attempted to read or write protected memory. This is often an indication that other memory is corrupt.

Am I missing something here about how unmanaged memory has to be accessed in win10?


回答1:


I have just come across the same issue. I haven't tried Win7, but when you run the code on Win10(x64) as 32bit (e.g. set the "Prefer 32-bit flag" of your application) it should work. When the exception happens, drag&drop the variable "ipTemp" to the "memory window" of Visual Studio, if it displays only question marks or an error message you don't have a valid pointer. As far as I figured out, there are (more) padding bytes in the 64bit versions of the structs that are used by this API: OBJECT_TYPE_INFORMATION contains a UNICODE_STRING and UNICODE_STRING has 4 padding bytes before the Buffer-field in 64bit Mode. My workaraound was this:

[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct UNICODE_STRING
{
    private IntPtr _dummy; // the two ushorts seem to be padded with 4 bytes in 64bit mode only

    /// <summary>
    /// The length, in bytes, of the string stored in Buffer. If the string is null-terminated, Length does not include the trailing null character.
    /// </summary>
    public ushort Length
    {
        get { return (ushort)Marshal.ReadInt16(this, 0); }
    }

    /// <summary>
    /// The length, in bytes, of Buffer.
    /// </summary>
    public ushort MaximumLength
    {
        get { return (ushort)Marshal.ReadInt16(this, 2); }
    }

    public IntPtr Buffer;
}

During my research I found so many questions regarding this topic and basically two kinds of sample code that have been copied all over the Internet that I am considering to create an open-source library named WinKernelObjectsDotNet.

Update: The library is now available here. It supports finding the process that is locking a file or a serial-port (COM) with a single line of code.




回答2:


I suggest to change UNICODE_STRING structure in a such way.

    public struct UNICODE_STRING
    {
            public ushort Length;
            public ushort MaximumLength;
            [MarshalAs(UnmanagedType.LPWStr)] public string Buffer;
    }

So getObjectTypeName method will be something like this and will work for both 32/64:

    public static string getObjectTypeName(SYSTEM_HANDLE_INFORMATION shHandle, Process process) {
        IntPtr ipProcessHwnd = OpenProcess(ProcessAccessFlags.All, false, process.Id);
        if (!DuplicateHandle(ipProcessHwnd, shHandle.Handle, GetCurrentProcess(), out IntPtr ipHandle, 0, false, DUPLICATE_SAME_ACCESS)) {
            return null;
        }

        OBJECT_BASIC_INFORMATION objBasicInformation = new OBJECT_BASIC_INFORMATION();
        IntPtr ipBasicInformation = Marshal.AllocHGlobal(Marshal.SizeOf(objBasicInformation));
        int iBasicInformationLength = 0;
        NtQueryObject(ipHandle, (int) ObjectInformationClass.ObjectBasicInformation, ipBasicInformation, Marshal.SizeOf(objBasicInformation), ref iBasicInformationLength);
        objBasicInformation = (OBJECT_BASIC_INFORMATION) Marshal.PtrToStructure(ipBasicInformation, typeof(OBJECT_BASIC_INFORMATION));
        Marshal.FreeHGlobal(ipBasicInformation);

        int iObjectTypeInformationLength = objBasicInformation.TypeInformationLength;
        IntPtr ipObjectTypeInformation = Marshal.AllocHGlobal(iObjectTypeInformationLength);
        while (Win32API.STATUS_INFO_LENGTH_MISMATCH == (uint) (NtQueryObject(ipHandle, (int) ObjectInformationClass.ObjectTypeInformation, ipObjectTypeInformation, iObjectTypeInformationLength, ref iObjectTypeInformationLength))) {
            Marshal.FreeHGlobal(ipObjectTypeInformation);
            ipObjectTypeInformation = Marshal.AllocHGlobal(iObjectTypeInformationLength);
        }
        CloseHandle(ipHandle);

        OBJECT_TYPE_INFORMATION objObjectType = (OBJECT_TYPE_INFORMATION)Marshal.PtrToStructure(ipObjectTypeInformation, typeof(OBJECT_TYPE_INFORMATION));
        Marshal.FreeHGlobal(ipObjectTypeInformation);

        return objObjectType.Name.Buffer;
    }


来源:https://stackoverflow.com/questions/39593458/c-sharp-get-list-of-handles-acessviolationexception

标签
c#
memory
unmanaged
handle
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!