#include <Windows.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tchar.h>
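/* Initial size of the SystemHandleInformation buffer; main() doubles it
 * until ntdll stops asking for more. */
#define START_ALLOC 0x1000

/* NTSTATUS returned by NtQuerySystemInformation when the buffer is too
 * small.  Cast to long so it compares directly against the long-returning
 * NtQSI prototype instead of relying on an implicit unsigned conversion. */
#define STATUS_INFO_LENGTH_MISMATCH ((long)0xC0000004L)

/* SYSTEM_INFORMATION_CLASS value for the (non-extended) handle table.
 * NOTE(review): entries of this class carry 16-bit PIDs and handle values;
 * the extended class (0x40) would be needed to avoid that truncation. */
#define SystemHandleInformation 0x10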
/* Function-pointer type for ntdll!NtQuerySystemInformation, which main()
 * resolves with GetProcAddress.  The long return value is an NTSTATUS:
 * STATUS_INFO_LENGTH_MISMATCH means "call again with a bigger buffer", and
 * by NTSTATUS convention a negative value is a failure. */
typedef long (__stdcall *NtQSI)(ULONG  SystemInformationClass,
                                PVOID  SystemInformation,
                                ULONG  SystemInformationLength,
                                PULONG ReturnLength);
/*
 * One entry of the SystemHandleInformation table.  The member order and
 * types define the wire layout ntdll fills in, so they must not change.
 */
typedef struct _SYSTEM_HANDLE_ENTRY {
    ULONG       OwnerPid;       /* NOTE(review): the widely published layout has two
                                   USHORTs here (UniqueProcessId, CreatorBackTraceIndex);
                                   mask to 16 bits before using it as a PID — confirm */
    BYTE        ObjectType;     /* object type index; version-dependent (main uses 28) */
    BYTE        HandleFlags;
    USHORT      HandleValue;    /* handle value as seen in OwnerPid, not in this process */
    PVOID       ObjectPointer;  /* presumably the kernel object address — not used here */
    ACCESS_MASK AccessMask;
} SYSTEM_HANDLE_ENTRY, *PSYSTEM_HANDLE_ENTRY;
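/*
 * Default object-type index used to pick out file handles.  The original
 * hard-coded 28; NOTE(review): the index is assigned by the running kernel
 * and differs between Windows versions, so it is only a default here and
 * can be overridden with argv[1].
 */
#define DEFAULT_FILE_TYPE_INDEX 28

/*
 * Shape of the SystemHandleInformation buffer: a ULONG count followed by
 * the entry array.  Declaring it as a struct lets the compiler place
 * Handles[] with the same alignment the kernel used, so the array offset is
 * right on both x86 (4) and x64 (8); the former "(PBYTE)pMem + 4" was only
 * correct for 32-bit builds.
 */
typedef struct SYSTEM_HANDLE_INFO_HDR {
    ULONG               NumberOfHandles;
    SYSTEM_HANDLE_ENTRY Handles[1];     /* really NumberOfHandles entries */
} SYSTEM_HANDLE_INFO_HDR, *PSYSTEM_HANDLE_INFO_HDR;

/*
 * Query SystemHandleInformation into a heap buffer, doubling it while ntdll
 * reports STATUS_INFO_LENGTH_MISMATCH.
 *
 * pNtQSI   resolved NtQuerySystemInformation entry point.
 * Returns  the table (caller frees it), or NULL on allocation failure, size
 *          wrap-around, or any other NTSTATUS failure.
 */
static PSYSTEM_HANDLE_INFO_HDR query_handle_table(NtQSI pNtQSI)
{
    ULONG allocSize = START_ALLOC;
    ULONG retVal = 0;
    long status;
    size_t maxEntries;
    PSYSTEM_HANDLE_INFO_HDR table;
    void *pMem = malloc(allocSize);

    if (!pMem)
        return NULL;

    for (;;) {
        status = pNtQSI(SystemHandleInformation, pMem, allocSize, &retVal);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
            break;
        /* The live handle table can grow between calls, so keep doubling
         * rather than trusting retVal; stop before the ULONG wraps. */
        if (allocSize > ((ULONG)-1) / 2) {
            free(pMem);
            return NULL;
        }
        {
            ULONG newSize = allocSize * 2;
            void *tmp = realloc(pMem, newSize);   /* pMem stays valid if this fails */
            if (!tmp) {
                free(pMem);
                return NULL;
            }
            pMem = tmp;
            allocSize = newSize;
        }
    }

    /* NTSTATUS failures are negative; the original fell through and parsed
     * whatever happened to be in the buffer. */
    if (status < 0) {
        free(pMem);
        return NULL;
    }

    table = (PSYSTEM_HANDLE_INFO_HDR)pMem;
    /* Never walk further than the buffer can actually hold. */
    maxEntries = (allocSize - offsetof(SYSTEM_HANDLE_INFO_HDR, Handles))
                 / sizeof(SYSTEM_HANDLE_ENTRY);
    if (table->NumberOfHandles > maxEntries)
        table->NumberOfHandles = (ULONG)maxEntries;
    return table;
}

/*
 * Obtain a handle usable in this process for ENTRY.  HandleValue is only
 * meaningful inside the owning process, so foreign entries are duplicated
 * via OpenProcess/DuplicateHandle (the original passed the raw value to
 * GetFinalPathNameByHandle, which queried an unrelated local handle).
 *
 * entry      table entry to resolve.
 * needClose  set to TRUE when the returned handle is a duplicate the caller
 *            must CloseHandle(); FALSE when it is our own handle.
 * Returns    the handle, or NULL if the owner cannot be opened or the
 *            handle cannot be duplicated (protected process, no privilege).
 */
static HANDLE borrow_handle(const SYSTEM_HANDLE_ENTRY *entry, BOOL *needClose)
{
    HANDLE hRaw = (HANDLE)(ULONG_PTR)entry->HandleValue;
    HANDLE hProc;
    HANDLE hDup = NULL;
    /* NOTE(review): in the publicly documented layout the first 32 bits are
     * two USHORTs (UniqueProcessId, CreatorBackTraceIndex); keep only the
     * low 16 bits — confirm against the struct definition in use. */
    DWORD pid = entry->OwnerPid & 0xFFFF;

    *needClose = FALSE;
    if (pid == GetCurrentProcessId())
        return hRaw;

    hProc = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pid);
    if (!hProc)
        return NULL;
    if (!DuplicateHandle(hProc, hRaw, GetCurrentProcess(), &hDup,
                         0, FALSE, DUPLICATE_SAME_ACCESS))
        hDup = NULL;
    CloseHandle(hProc);

    *needClose = (hDup != NULL);
    return hDup;
}

/*
 * Enumerate every handle in the system and print the NT path of those whose
 * object type index matches the file type (argv[1], default 28).
 *
 * Exit codes: 0 ok, 1 ntdll not loadable, 2 NtQuerySystemInformation not
 * found, 3 handle table query/allocation failed, 4 bad argv[1].
 * NOTE(review): opening other users' processes needs SeDebugPrivilege;
 * without it most foreign handles are silently skipped.
 */
int main(int argc, char **argv)
{
    HMODULE hNtDll;
    NtQSI pNtQSI;
    PSYSTEM_HANDLE_INFO_HDR table;
    BYTE fileType = DEFAULT_FILE_TYPE_INDEX;
    ULONG i;

    if (argc > 1) {
        char *end = NULL;
        unsigned long v = strtoul(argv[1], &end, 0);
        if (end == argv[1] || *end != '\0' || v > 0xFF) {
            fprintf(stderr, "usage: %s [file-object-type-index]\n", argv[0]);
            return 4;
        }
        fileType = (BYTE)v;
    }

    hNtDll = LoadLibraryA("NTDLL.dll");
    if (!hNtDll)
        return 1;

    pNtQSI = (NtQSI)GetProcAddress(hNtDll, "NtQuerySystemInformation");
    if (!pNtQSI) {
        FreeLibrary(hNtDll);
        return 2;
    }

    table = query_handle_table(pNtQSI);
    if (!table) {
        FreeLibrary(hNtDll);
        return 3;
    }

    for (i = 0; i < table->NumberOfHandles; ++i) {
        const SYSTEM_HANDLE_ENTRY *entry = &table->Handles[i];
        BOOL needClose = FALSE;
        HANDLE h;
        TCHAR path[MAX_PATH];
        DWORD len;

        if (entry->ObjectType != fileType)
            continue;

        h = borrow_handle(entry, &needClose);
        if (!h)
            continue;

        /* NOTE(review): name queries on some file-type handles (e.g. a named
         * pipe with a blocked synchronous I/O) are reported to hang; a worker
         * thread with a timeout is the usual mitigation. */
        len = GetFinalPathNameByHandle(h, path, MAX_PATH, VOLUME_NAME_NT);
        if (needClose)
            CloseHandle(h);

        /* 0 = failure (path is untouched; the original printed the
         * uninitialised buffer), >= MAX_PATH = required size, i.e. truncated. */
        if (len == 0 || len >= MAX_PATH)
            continue;

        _tprintf(TEXT("\nThe final path is: %s\n"), path);
    }

    free(table);
    FreeLibrary(hNtDll);
    return 0;
}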