; Keep advapi32 and ntdll mapped for the lifetime of the script; the "advapi32\..."
; and "ntdll\..." DllCalls below then resolve against the already-loaded modules
; (presumably the intent: avoid a load/unload per call — ntdll is always mapped anyway).
; The module handles are never freed; nothing on this page relies on their value.
global hADVAPI32, hNTDLL
hADVAPI32 := DllCall("LoadLibrary", "str", "advapi32.dll", "ptr")
hNTDLL := DllCall("LoadLibrary", "str", "ntdll.dll", "ptr")
; ===============================================================================================================================
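GetProcessHandles(ProcessID)
{
    ; Enumerates the handles owned by process ProcessID and returns an array of
    ; objects with the keys Handle, Type, Name and FilePath. Name and FilePath are
    ; 0 when the object is unnamed or not a file (the helpers' failure value).
    ; Opening a foreign process needs SeDebugPrivilege on the caller's token, which
    ; is enabled below; the privilege is normally only present on elevated tokens.
    ; SystemHandleInformation stores a 16-bit owner PID, so a ProcessID above
    ; 0xFFFF never matches an entry from this class.
    static hCurrentProcess := DllCall("GetCurrentProcess", "ptr")
    ; GetCurrentProcess returns a pseudo-handle that already has full access, so it
    ; goes straight to OpenProcessToken. It is a handle, not a PID: the original
    ; routed it through OpenProcess, which fails, so the privilege was never enabled.
    if (hToken := OpenProcessToken(hCurrentProcess))
    {
        AdjustTokenPrivileges(hToken, LookupPrivilegeValue("SeDebugPrivilege"))
        CloseHandle(hToken)
    }
    PH := []
    ; PROCESS_DUP_HANDLE (0x40) | PROCESS_QUERY_INFORMATION (0x400); the target is
    ; opened once for the whole enumeration instead of once per matching entry.
    if !(hProcess := OpenProcess(ProcessID, 0x440))
        return PH
    SHI := SystemHandleInformation(HandleCount)
    loop % HandleCount
    {
        if (SHI[A_Index, "PID"] != ProcessID)
            continue
        Handle := SHI[A_Index, "Handle"]
        ; DUPLICATE_SAME_ACCESS (4): bring a copy of the handle into this process so
        ; it can be queried; the copy is closed once the fields are read. A failed
        ; duplicate is simply skipped (the original closed the null hObject and
        ; leaked hProcess here).
        if !(hObject := DuplicateObject(hProcess, hCurrentProcess, Handle, 4))
            continue
        ; NOTE: ZwQueryObject name queries are known to block on some synchronous
        ; pipe handles; tools that enumerate foreign handles usually isolate that
        ; query (worker thread + timeout), which is not done here.
        PH.Push({ Handle: Handle
                , Type: ObjectTypeInformation(hObject)
                , Name: ObjectNameInformation(hObject)
                , FilePath: GetFinalPathNameByHandle(hObject) })
        CloseHandle(hObject)
    }
    CloseHandle(hProcess)
    return PH
}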
; ===============================================================================================================================
OpenProcess(ProcessID, Access := 0x400) ; https://msdn.microsoft.com/en-us/library/ms684320(v=vs.85).aspx
{
    ; Opens process ProcessID with the access mask Access (default 0x400 =
    ; PROCESS_QUERY_INFORMATION); the handle is created non-inheritable.
    ; Returns the process handle, or 0 with ErrorLevel := 1 when OpenProcess fails.
    hProcess := DllCall("OpenProcess", "uint", Access, "int", 0, "uint", ProcessID, "ptr")
    if (hProcess)
        return hProcess
    ErrorLevel := 1
    return 0
}
; ===============================================================================================================================
CloseHandle(hObject) ; https://msdn.microsoft.com/en-us/library/ms724211(v=vs.85).aspx
{
    ; Closes the kernel handle hObject.
    ; Returns 1 on success, or 0 with ErrorLevel := 1 when CloseHandle fails
    ; (e.g. an invalid or already-closed handle).
    closed := DllCall("CloseHandle", "ptr", hObject)
    if (closed)
        return 1
    ErrorLevel := 1
    return 0
}
; ===============================================================================================================================
OpenProcessToken(hProcess, Access := 0x20) ; https://msdn.microsoft.com/en-us/library/aa379295(v=vs.85).aspx
{
    ; Opens the primary token of the process hProcess with access mask Access
    ; (default 0x20 = TOKEN_ADJUST_PRIVILEGES).
    ; Returns the token handle, or 0 with ErrorLevel := 1 when the call fails.
    hToken := 0
    opened := DllCall("advapi32\OpenProcessToken", "ptr", hProcess, "uint", Access, "ptr*", hToken)
    if (opened)
        return hToken
    ErrorLevel := 1
    return 0
}
; ===============================================================================================================================
LookupPrivilegeValue(Name := "SeDebugPrivilege") ; https://msdn.microsoft.com/en-us/library/aa379180(v=vs.85).aspx
{
    ; Resolves the privilege name Name to its 64-bit LUID on the local system
    ; (lpSystemName = NULL).
    ; Returns the LUID, or 0 with ErrorLevel := 1 when the name is not known.
    LUID := 0
    found := DllCall("advapi32\LookupPrivilegeValue", "ptr", 0, "str", Name, "int64*", LUID)
    if (found)
        return LUID
    ErrorLevel := 1
    return 0
}
; ===============================================================================================================================
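AdjustTokenPrivileges(hToken, LUID) ; https://msdn.microsoft.com/en-us/library/aa375202(v=vs.85).aspx
{
    ; Enables the single privilege LUID on the token hToken.
    ; Returns 1 when the privilege is now enabled, or 0 with ErrorLevel := 1 when
    ; the call fails OR the token does not hold the privilege. In the latter case
    ; the API still returns nonzero and reports the problem only through
    ; GetLastError() = ERROR_NOT_ALL_ASSIGNED (1300); the original only checked
    ; the return value, so a token without SeDebugPrivilege looked like success.
    static SE_PRIVILEGE_ENABLED := 2, ERROR_NOT_ALL_ASSIGNED := 1300
    ; TOKEN_PRIVILEGES with one LUID_AND_ATTRIBUTES entry:
    ;   0: PrivilegeCount (uint) = 1, 4: Luid (int64), 12: Attributes (uint)
    VarSetCapacity(TP, 16, 0)
    NumPut(1, TP, 0, "uint")
    NumPut(LUID, TP, 4, "int64")
    NumPut(SE_PRIVILEGE_ENABLED, TP, 12, "uint")
    ; DisableAllPrivileges = 0, no previous-state buffer requested
    ok := DllCall("advapi32\AdjustTokenPrivileges", "ptr", hToken, "int", 0, "ptr", &TP, "uint", 0, "ptr", 0, "ptr", 0)
    if (!ok || A_LastError = ERROR_NOT_ALL_ASSIGNED)
    {
        ErrorLevel := 1
        return 0
    }
    return 1
}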
; ===============================================================================================================================
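QueryFullProcessImageName(hProcess) ; https://msdn.microsoft.com/en-us/library/ms684919(v=vs.85).aspx
{
    ; Returns the full Win32 path of the executable image of hProcess
    ; (dwFlags = 0), or 0 with ErrorLevel := 1 on failure. hProcess needs at least
    ; PROCESS_QUERY_LIMITED_INFORMATION. Paths longer than MAX_PATH characters are
    ; not handled and fail like any other error.
    ; The original passed an uninitialised (zero) size, which makes the API fail
    ; with ERROR_INSUFFICIENT_BUFFER, and then returned that size instead of the
    ; path that had been read into the buffer.
    static MAX_PATH := 260
    size := MAX_PATH ; in/out: buffer length in characters, then characters written
    VarSetCapacity(ProcName, MAX_PATH * 2, 0) ; buffer capacity is in bytes
    if !(DllCall("QueryFullProcessImageName", "ptr", hProcess, "uint", 0, "str", ProcName, "uint*", size))
    {
        ErrorLevel := 1
        return 0
    }
    return ProcName
}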
; ===============================================================================================================================
GetFinalPathNameByHandle(hFile) ; https://msdn.microsoft.com/en-us/library/aa364962(v=vs.85).aspx
{
    ; Resolves the file handle hFile to its path (dwFlags = 0, i.e. normalized
    ; DOS-style name) with a leading "\\?\" prefix stripped.
    ; Returns 0 with ErrorLevel := 1 when hFile is not a file handle or the query
    ; fails. A sizing call with a null buffer reports the needed length in characters.
    needed := DllCall("GetFinalPathNameByHandle", "ptr", hFile, "ptr", 0, "uint", 0, "uint", 0, "uint")
    VarSetCapacity(FilePath, needed << 1, 0) ; capacity in bytes, two per UTF-16 char
    written := DllCall("GetFinalPathNameByHandle", "ptr", hFile, "str", FilePath, "uint", needed, "uint", 0, "uint")
    if !written
    {
        ErrorLevel := 1
        return 0
    }
    if (SubStr(FilePath, 1, 4) = "\\?\")
        return SubStr(FilePath, 5)
    return FilePath
}
; ===============================================================================================================================
DuplicateObject(hProcess, hCurrentProcess, Handle, Options) ; https://msdn.microsoft.com/en-us/library/ff566445(v=vs.85).aspx
{
    ; Duplicates Handle, which is valid in the process hProcess, into the process
    ; hCurrentProcess via ZwDuplicateObject (DesiredAccess 0, HandleAttributes 0,
    ; Options e.g. DUPLICATE_SAME_ACCESS = 4).
    ; Returns the new handle, or 0 with ErrorLevel := 1 on a failing NTSTATUS.
    hObject := 0
    status := DllCall("ntdll\ZwDuplicateObject", "ptr", hProcess, "ptr", Handle, "ptr", hCurrentProcess, "ptr*", hObject, "uint", 0, "uint", 0, "uint", Options)
    if (status = 0) ; STATUS_SUCCESS
        return hObject
    ErrorLevel := 1
    return 0
}
; ===============================================================================================================================
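ObjectNameInformation(handle) ; https://msdn.microsoft.com/en-us/library/ff567062(v=vs.85).aspx
{
    ; Returns the kernel object-manager name of handle (e.g. "\Device\..."),
    ; "" for an unnamed object, or 0 with ErrorLevel := 1 when ZwQueryObject fails.
    ; NOTE: ZwQueryObject(ObjectNameInformation) is known to block indefinitely on
    ; some synchronous named-pipe handles; callers that query handles of other
    ; processes usually isolate this call (worker thread + timeout), not done here.
    static OBJECT_INFORMATION_CLASS := 1 ; ObjectNameInformation
    ; Sizing call: no buffer, fails with STATUS_INFO_LENGTH_MISMATCH but reports
    ; the required length in size.
    size := 0
    DllCall("ntdll\ZwQueryObject", "ptr", handle, "uint", OBJECT_INFORMATION_CLASS, "ptr", 0, "uint", 0, "uint*", size, "uint")
    VarSetCapacity(buf, size << 1, 0)
    NT_STATUS := DllCall("ntdll\ZwQueryObject", "ptr", handle, "uint", OBJECT_INFORMATION_CLASS, "ptr", &buf, "uint", size, "uint*", size, "uint")
    if (NT_STATUS != 0)
    {
        ErrorLevel := 1
        return 0
    }
    ; OBJECT_NAME_INFORMATION begins with a UNICODE_STRING:
    ;   0: Length in bytes (ushort), 2: MaximumLength (ushort), A_PtrSize: Buffer (ptr)
    length := NumGet(buf, 0, "ushort")
    address := NumGet(buf, A_PtrSize, "uptr")
    ; Unnamed objects come back as Length 0 with a NULL Buffer; never hand a
    ; NULL pointer to StrGet (the original did, unguarded).
    if (length = 0 || address = 0)
        return ""
    return StrGet(address, length // 2, "UTF-16")
}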
; ===============================================================================================================================
ObjectTypeInformation(handle) ; https://msdn.microsoft.com/en-us/library/ff567062(v=vs.85).aspx
{
    ; Returns the type name of the object behind handle ("File", "Event", ...),
    ; or 0 with ErrorLevel := 1 when ZwQueryObject fails.
    ; OBJECT_TYPE_INFORMATION starts with a UNICODE_STRING TypeName, which is read
    ; the same way as in ObjectNameInformation.
    static OBJECT_INFORMATION_CLASS := 2 ; ObjectTypeInformation
    size := 0
    ; Size probe: a zero-length buffer fails but fills in the required length.
    DllCall("ntdll\ZwQueryObject", "ptr", handle, "uint", OBJECT_INFORMATION_CLASS, "ptr", 0, "uint", 0, "uint*", size, "uint")
    VarSetCapacity(buf, size << 1, 0)
    status := DllCall("ntdll\ZwQueryObject", "ptr", handle, "uint", OBJECT_INFORMATION_CLASS, "ptr", &buf, "uint", size, "uint*", size, "uint")
    if (status = 0) ; STATUS_SUCCESS
        return StrGet(NumGet(buf, A_PtrSize, "uptr"), NumGet(buf, 0, "ushort") // 2, "UTF-16")
    ErrorLevel := 1
    return 0
}
; ===============================================================================================================================
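SystemHandleInformation(ByRef NumberOfHandles) ; https://msdn.microsoft.com/en-us/library/ms725506(v=vs.85).aspx
{
    ; Takes a snapshot of every handle on the system via ZwQuerySystemInformation
    ; (SystemHandleInformation). Sets NumberOfHandles and returns an array of
    ; {PID, Type, Flags, Handle, Addr, Access} objects, or 0 with ErrorLevel := 1.
    ; This legacy class stores the owning PID and the handle value as 16-bit
    ; fields, so PIDs above 0xFFFF are truncated — use SystemHandleInformationEx
    ; for those. The original read the PID as a uint, which merged the adjacent
    ; CreatorBackTraceIndex (offset 2) into it whenever that field is nonzero.
    static SYSTEM_INFORMATION_CLASS := 0x10 ; SYSTEM_HANDLE_INFORMATION
    static STATUS_INFO_LENGTH_MISMATCH := 0xC0000004
    cap := VarSetCapacity(buf, A_PtrSize * 4096)
    loop
    {
        size := cap
        NT_STATUS := DllCall("ntdll\ZwQuerySystemInformation", "int", SYSTEM_INFORMATION_CLASS, "ptr", &buf, "uint", cap, "uint*", size, "uint")
        if (NT_STATUS != STATUS_INFO_LENGTH_MISMATCH)
            break
        ; Grow to the reported length, or double when nothing larger was reported,
        ; so the retry loop cannot spin on a stale size. The table may have grown
        ; between calls, so more than one retry is possible.
        cap := VarSetCapacity(buf, size > cap ? size : cap * 2)
    }
    if (NT_STATUS != 0)
    {
        ErrorLevel := 1
        return 0
    }
    NumberOfHandles := NumGet(buf, "uint")
    ; Entries follow the ULONG count, padded to pointer alignment.
    ; SYSTEM_HANDLE_TABLE_ENTRY_INFO: 0 UniqueProcessId (ushort),
    ; 2 CreatorBackTraceIndex (ushort), 4 ObjectTypeIndex (uchar),
    ; 5 HandleAttributes (uchar), 6 HandleValue (ushort), 8 Object (ptr),
    ; 8 + A_PtrSize GrantedAccess (uint); stride 8 + 2 * A_PtrSize.
    addr := &buf + A_PtrSize, entries := []
    loop % NumberOfHandles
    {
        entries.Push({ PID: NumGet(addr + 0, "ushort")
                     , Type: NumGet(addr + 4, "uchar")
                     , Flags: NumGet(addr + 5, "uchar")
                     , Handle: NumGet(addr + 6, "ushort")
                     , Addr: NumGet(addr + 8, "uptr")
                     , Access: NumGet(addr + 8 + A_PtrSize, "uint") })
        addr += 8 + (A_PtrSize * 2)
    }
    return entries
}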
; ===============================================================================================================================
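SystemHandleInformationEx(ByRef NumberOfHandles) ; https://msdn.microsoft.com/en-us/library/ms725506(v=vs.85).aspx
{
    ; Takes a snapshot of every handle on the system via ZwQuerySystemInformation
    ; (SystemHandleInformationEx), the class to prefer because PID and handle
    ; value are pointer-sized. Sets NumberOfHandles and returns an array of
    ; {PID, Type, Handle, Addr, Access, Flags} objects, or 0 with ErrorLevel := 1.
    ; The original read HandleValue into "Type" and ObjectTypeIndex into "Handle";
    ; both offsets were swapped against SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX and are
    ; corrected here.
    static SYSTEM_INFORMATION_CLASS := 0x40 ; SYSTEM_HANDLE_INFORMATION_EX
    static STATUS_INFO_LENGTH_MISMATCH := 0xC0000004
    cap := VarSetCapacity(buf, A_PtrSize * 4096)
    loop
    {
        size := cap
        NT_STATUS := DllCall("ntdll\ZwQuerySystemInformation", "int", SYSTEM_INFORMATION_CLASS, "ptr", &buf, "uint", cap, "uint*", size, "uint")
        if (NT_STATUS != STATUS_INFO_LENGTH_MISMATCH)
            break
        ; Grow to the reported length, or double when nothing larger was reported,
        ; so the retry loop cannot spin on a stale size.
        cap := VarSetCapacity(buf, size > cap ? size : cap * 2)
    }
    if (NT_STATUS != 0)
    {
        ErrorLevel := 1
        return 0
    }
    ; Header: ULONG_PTR NumberOfHandles, ULONG_PTR Reserved; entries follow.
    NumberOfHandles := NumGet(buf, 0, "uptr")
    ; SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX: 0 Object (ptr), A_PtrSize UniqueProcessId
    ; (ptr), 2*A_PtrSize HandleValue (ptr), 3*A_PtrSize GrantedAccess (uint),
    ; +4 CreatorBackTraceIndex (ushort), +6 ObjectTypeIndex (ushort),
    ; +8 HandleAttributes (uint), +12 Reserved (uint); stride 3*A_PtrSize + 16.
    addr := &buf + (A_PtrSize * 2), entries := []
    loop % NumberOfHandles
    {
        entries.Push({ Addr: NumGet(addr + 0, "uptr")
                     , PID: NumGet(addr + A_PtrSize, "uptr")
                     , Handle: NumGet(addr + A_PtrSize * 2, "uptr")
                     , Access: NumGet(addr + A_PtrSize * 3, "uint")
                     , Type: NumGet(addr + A_PtrSize * 3 + 6, "ushort")
                     , Flags: NumGet(addr + A_PtrSize * 3 + 8, "uint") })
        addr += 16 + (A_PtrSize * 3)
    }
    return entries
}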
; ===============================================================================================================================