00007 #include "handle.h"
00008
/* ntdll.dll entry points, resolved at run time in main() via GetProcAddress
 * (the function-pointer typedefs come from handle.h). They stay NULL until
 * main() has filled them in, so none of the helpers in this file may be
 * called before that point. */
NTQUERYOBJECT NtQueryObject ;
NTQUERYSYSTEMINFORMATION NtQuerySystemInformation;
NTQUERYINFORMATIONPROCESS NtQueryInformationProcess;
NTDEVICEIOCONTROLFILE NtDeviceIoControlFile ;
NTQUERYINFORMATIONTHREAD NtQueryInformationThread;
NTQUERYINFORMATIONFILE NtQueryInformationFile ;
00015
00016
/* Forward declarations for the helpers defined after main(). */
void banner(void);
/* Best-effort: enables SeDebugPrivilege in the current process token. */
void EnableDebugPrivilege();
/* Returns a malloc'd, NUL-terminated wide string (caller frees) or NULL. */
LPWSTR GetObjectInfo(HANDLE hObject, OBJECT_INFORMATION_CLASS objInfoClass);
/* Runs the file-name query on a worker thread with a timeout; txt is not used. */
DWORD QueryObjectName (HANDLE handle,char *txt);
/* NOTE(review): declared here but not defined in this file (the worker that
 * is actually used is GetFileNameThread); possibly a stale prototype. */
DWORD WINAPI FilenameFromHandle (PVOID lpParameter);
/* Prints "\\DOMAIN\user" for a token handle. */
void process_owner(HANDLE htoken);
00023
00024
00025
00026
00027
/*
 * Map an object type name (as returned by NtQueryObject with
 * ObjectTypeInformation) to one of the OBJ* dispatch codes used by main().
 *
 * Returns 0 when lpwsType is NULL, OBJUNKNOWN when the type is none of
 * Token/Thread/Process/File. lpwsName is accepted but not consulted.
 */
DWORD GetOption (LPWSTR lpwsType, LPWSTR lpwsName) {
    const struct {
        const WCHAR *name;
        DWORD code;
    } table[] = {
        { L"Token",   OBJTOKEN },
        { L"Thread",  OBJTHREAD },
        { L"Process", OBJPROCESS },
        { L"File",    OBJFILE },
    };
    size_t k;

    (void)lpwsName;

    if (lpwsType == NULL) {
        return 0;
    }
    for (k = 0; k < sizeof table / sizeof table[0]; k++) {
        if (wcscmp(lpwsType, table[k].name) == 0) {
            return table[k].code;
        }
    }
    return OBJUNKNOWN;
}
00040
00041 char crap[512];
00042
00043
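/* Resolve one ntdll export; returns NULL when it is not available. */
static FARPROC resolve_ntdll(const char *name)
{
    return GetProcAddress(GetModuleHandle("NTDLL.DLL"), name);
}

/*
 * Fetch the system handle table (SystemHandleInformation).
 *
 * The table can grow between the sizing call and the data call, so the
 * query is retried while STATUS_INFO_LENGTH_MISMATCH is returned, each time
 * with a little slack on top of the reported size.
 *
 * Returns a malloc'd buffer the caller frees, or NULL on failure.
 */
static PSYSTEM_HANDLE_INFORMATION query_handle_table(void)
{
    DWORD dwSize = sizeof(SYSTEM_HANDLE_INFORMATION);
    PSYSTEM_HANDLE_INFORMATION pHandleInfo = malloc(dwSize);
    NTSTATUS ntReturn;

    if (pHandleInfo == NULL) {
        return NULL;
    }
    for (;;) {
        DWORD dwNeeded = 0;
        void *tmp;

        ntReturn = NtQuerySystemInformation(SystemHandleInformation, pHandleInfo, dwSize, &dwNeeded);
        if (ntReturn != STATUS_INFO_LENGTH_MISMATCH) {
            break;
        }
        /* some versions report 0 here; always grow, and add slack for churn */
        dwSize = (dwNeeded > dwSize ? dwNeeded : dwSize) + 4096;
        tmp = realloc(pHandleInfo, dwSize);
        if (tmp == NULL) {
            free(pHandleInfo);
            return NULL;
        }
        pHandleInfo = tmp;
    }
    if (ntReturn != STATUS_SUCCESS) {
        free(pHandleInfo);
        return NULL;
    }
    return pHandleInfo;
}

/* OBJPROCESS: print the PID and image name of the process the handle refers to. */
static void describe_process_handle(HANDLE hObject)
{
    PROCESS_BASIC_INFORMATION pbi;
    NTSTATUS status;
    HANDLE dst;
    char path[MAX_PATH] = "";

    ZeroMemory(&pbi, sizeof pbi);
    status = NtQueryInformationProcess(hObject, ProcessBasicInformation, &pbi, sizeof pbi, NULL);
    if (status != STATUS_SUCCESS) {
        /* the NTSTATUS is returned directly; GetLastError() does not reflect it */
        printf("Error con NtQueryInformationProcess() %x\n", (unsigned)status);
        return;
    }
    /* query + VM read is all GetModuleFileNameEx needs; same mask as the main loop */
    dst = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, (DWORD)pbi.UniqueProcessId);
    if (dst == NULL) {
        printf("PID: 0x%04x - %s\n", (unsigned)pbi.UniqueProcessId, "<Error Opening Id>");
        return;
    }
    GetModuleFileNameEx(dst, NULL, path, MAX_PATH);
    printf("PID: 0x%04x - %s\n", (unsigned)pbi.UniqueProcessId,
           (lstrlen(path) > 0) ? PathFindFileName(path) : "[System]");
    CloseHandle(dst);
}

/* OBJTHREAD: print the thread id taken from THREAD_BASIC_INFORMATION. */
static void describe_thread_handle(HANDLE hObject)
{
    /* 28 bytes is THREAD_BASIC_INFORMATION on 32-bit Windows, where buff[3]
     * is ClientId.UniqueThread. The layout does not hold for 64-bit builds. */
    DWORD buff[7] = {0};
    NTSTATUS status = NtQueryInformationThread(hObject, ThreadBasicInformation, buff, sizeof buff, NULL);

    if (status != STATUS_SUCCESS) {
        printf("TID: <Error %x>\n", (unsigned)status);
        return;
    }
    printf("TID: 0x%04x\n", (unsigned)buff[3]);
}

/* Query the local address bound to a \Device\Tcp or \Device\Udp handle via TDI and print it. */
static void print_tdi_address(HANDLE hObject)
{
    IO_STATUS_BLOCK IoStatusBlock;
    TDI_REQUEST_QUERY_INFORMATION tdiRequestAddress = {{0}, TDI_QUERY_ADDRESS_INFO};
    BYTE tdiAddress[128];
    HANDLE hEvent2 = CreateEvent(NULL, TRUE, FALSE, NULL);
    NTSTATUS ntReturn2;

    if (hEvent2 == NULL) {
        return;
    }
    ntReturn2 = NtDeviceIoControlFile(hObject, hEvent2, NULL, NULL, &IoStatusBlock, IOCTL_TDI_QUERY_INFORMATION,
                                      &tdiRequestAddress, sizeof(tdiRequestAddress), &tdiAddress, sizeof(tdiAddress));
    if (ntReturn2 == STATUS_PENDING) {
        /* The output buffers live on this stack frame: never return while the
         * request is still in flight. */
        WaitForSingleObject(hEvent2, INFINITE);
        ntReturn2 = IoStatusBlock.Status;
    }
    CloseHandle(hEvent2);

    if (ntReturn2 == STATUS_SUCCESS) {
        struct in_addr addr;
        USHORT port;

        /* TDI address info: port at offset 12, IPv4 address at offset 14 (copied
         * out to avoid misaligned/aliased reads of the byte buffer) */
        memcpy(&port, &tdiAddress[12], sizeof port);
        memcpy(&addr, &tdiAddress[14], sizeof addr);
        printf("@%s:%d", inet_ntoa(addr), ntohs(port));
    }
}

/* OBJFILE: print the file name; for TCP/UDP device handles also the local endpoint. */
static void describe_file_handle(HANDLE hObject)
{
    LPWSTR lpwsName = NULL;

    memset(crap, 0, sizeof crap);
    /* QueryObjectName() runs the file-name query on a worker thread with a
     * timeout, because the query can block indefinitely on some handles.
     * A still-zero first byte afterwards means it produced no name. */
    if (QueryObjectName(hObject, crap) != 0 && strlen(crap) == 0) {
        lpwsName = GetObjectInfo(hObject, ObjectNameInformation);
        if (lpwsName != NULL) {
            printf("%ws ", lpwsName);
            if (!wcscmp(lpwsName, L"\\Device\\Tcp") || !wcscmp(lpwsName, L"\\Device\\Udp")) {
                print_tdi_address(hObject);
            }
            free(lpwsName);
        }
    }
    printf("\n");
}

/* Default: print the object-manager name when the object has one. */
static void describe_named_handle(HANDLE hObject)
{
    LPWSTR lpwsName = GetObjectInfo(hObject, ObjectNameInformation);

    if (lpwsName != NULL) {
        printf("%ws", lpwsName);
        free(lpwsName);
    }
    printf("\n");
}

/*
 * Entry point: enumerate every handle in the system and print one row per
 * handle this process can duplicate (PID, image name, handle value, object
 * type and a type-specific description).
 *
 * Handles of processes owned by other users need SeDebugPrivilege;
 * EnableDebugPrivilege() is attempted before the enumeration and processes
 * that still cannot be opened are skipped silently.
 *
 * Returns 0; exits with 1 when the required ntdll exports are missing.
 */
int main(int argc, char *argv[])
{
    DWORD i;
    PSYSTEM_HANDLE_INFORMATION pHandleInfo;
    HANDLE hProcess;

    (void)argc;
    (void)argv;

    NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)resolve_ntdll("NtQuerySystemInformation");
    NtQueryObject = (NTQUERYOBJECT)resolve_ntdll("NtQueryObject");
    NtQueryInformationProcess = (NTQUERYINFORMATIONPROCESS)resolve_ntdll("NtQueryInformationProcess");
    NtDeviceIoControlFile = (NTDEVICEIOCONTROLFILE)resolve_ntdll("NtDeviceIoControlFile");
    NtQueryInformationThread = (NTQUERYINFORMATIONTHREAD)resolve_ntdll("NtQueryInformationThread");
    NtQueryInformationFile = (NTQUERYINFORMATIONFILE)resolve_ntdll("NtQueryInformationFile");

    if (!NtQuerySystemInformation || !NtQueryObject || !NtQueryInformationProcess ||
        !NtDeviceIoControlFile || !NtQueryInformationThread || !NtQueryInformationFile) {
        printf("Error chungo!\n");
        exit(1);
    }

    EnableDebugPrivilege();
    pHandleInfo = query_handle_table();
    if (pHandleInfo == NULL) {
        fprintf(stderr, "NtQuerySystemInformation(SystemHandleInformation) failed\n");
        return 0;
    }

#ifdef _DBG_
    printf("Found %i Handles\n", pHandleInfo->uCount);
#endif
    printf("--------------------------------------------------------------------------------\n");
    printf(" PID PROCCESS HANDLE TYPE DATA\n");
    printf("--------------------------------------------------------------------------------\n");

    for (i = 0; i < pHandleInfo->uCount; i++) {
        char lpszProcess[MAX_PATH] = "";
        HANDLE hObject = NULL;
        LPWSTR lpwsType;

        /* OpenProcess returns NULL (not INVALID_HANDLE_VALUE) on failure */
        hProcess = OpenProcess(PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE,
                               pHandleInfo->Handles[i].uIdProcess);
        if (hProcess == NULL) {
            continue;   /* protected process or insufficient privilege: skip */
        }
        GetModuleFileNameEx(hProcess, NULL, lpszProcess, MAX_PATH);

        /* desired access is ignored because of DUPLICATE_SAME_ACCESS in dwOptions */
        if (!DuplicateHandle(hProcess, (HANDLE)pHandleInfo->Handles[i].Handle, GetCurrentProcess(), &hObject,
                             0, FALSE, DUPLICATE_SAME_ACCESS)) {
            CloseHandle(hProcess);
            continue;
        }

        lpwsType = GetObjectInfo(hObject, ObjectTypeInformation);
        printf("%5d %16s %4.x\t%12ws ",
               pHandleInfo->Handles[i].uIdProcess,
               (lstrlen(lpszProcess) > 0) ? PathFindFileName(lpszProcess) : "[System]",
               pHandleInfo->Handles[i].Handle,
               lpwsType != NULL ? lpwsType : L"<unknown>");

        switch (GetOption(lpwsType, NULL)) {
        case 0:
            /* type could not be queried: still terminate the table row */
            printf("\n");
            break;
        case OBJTOKEN:
            process_owner(hObject);
            break;
        case OBJPROCESS:
            describe_process_handle(hObject);
            break;
        case OBJTHREAD:
            describe_thread_handle(hObject);
            break;
        case OBJFILE:
            describe_file_handle(hObject);
            break;
        default:
            describe_named_handle(hObject);
            break;
        }

        CloseHandle(hObject);
        free(lpwsType);          /* free(NULL) is a no-op */
        CloseHandle(hProcess);   /* lpszProcess is a stack array and must not be free()d */
    }

    free(pHandleInfo);
    return 0;
}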
00205
00206
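/*
 * OBJTOKEN: print "\\DOMAIN\user" for the account a token handle represents.
 *
 * htoken must grant TOKEN_QUERY. When the token or the account cannot be
 * resolved, "<unknown owner>" is printed instead so the table row is still
 * terminated. The TOKEN_USER buffer from LocalAlloc is released on all paths.
 */
void process_owner(HANDLE htoken)
{
    DWORD dwLen = 0;
    TOKEN_USER *pWork = NULL;
    SID_NAME_USE use;
    TCHAR username[256];
    TCHAR domainname[256];
    /* separate in/out sizes: LookupAccountSid writes both of them */
    DWORD cchUser = sizeof username / sizeof username[0];
    DWORD cchDomain = sizeof domainname / sizeof domainname[0];
    BOOL ok = FALSE;

    /* sizing call: anything other than ERROR_INSUFFICIENT_BUFFER is a real failure */
    if (!GetTokenInformation(htoken, TokenUser, NULL, 0, &dwLen) &&
        GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
        printf("<unknown owner>\n");
        return;
    }
    pWork = LocalAlloc(LMEM_ZEROINIT, dwLen);
    if (pWork != NULL && GetTokenInformation(htoken, TokenUser, pWork, dwLen, &dwLen)) {
        /* the SID lives inside pWork for as long as pWork does; no copy needed */
        ok = LookupAccountSid(NULL, pWork->User.Sid, username, &cchUser, domainname, &cchDomain, &use);
    }
    if (ok) {
        printf("\\\\%s\\%s\n", domainname, username);
    } else {
        printf("<unknown owner>\n");
    }
    LocalFree(pWork);   /* LocalFree(NULL) is a documented no-op */
}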
00232
00233
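/*
 * Query NtQueryObject for hObject and return a heap copy of the returned
 * UNICODE_STRING as a NUL-terminated wide string.
 *
 * objInfoClass is ObjectTypeInformation or ObjectNameInformation in this
 * file; both results start with a UNICODE_STRING, which is all that is read.
 * Returns NULL on any failure (including allocation failure) or when the
 * object reports no buffer; the caller owns the result and must free() it.
 *
 * NOTE(review): NtQueryObject with ObjectNameInformation is known to block
 * on some file handles; main() probes file handles with QueryObjectName()
 * first for that reason.
 */
LPWSTR GetObjectInfo(HANDLE hObject, OBJECT_INFORMATION_CLASS objInfoClass)
{
    LPWSTR data = NULL;
    DWORD dwSize = sizeof(OBJECT_NAME_INFORMATION);
    POBJECT_NAME_INFORMATION pObjectInfo = malloc(dwSize);
    NTSTATUS ntReturn;

    if (pObjectInfo == NULL) {
        return NULL;
    }
    ntReturn = NtQueryObject(hObject, objInfoClass, pObjectInfo, dwSize, &dwSize);
    if (ntReturn == STATUS_BUFFER_OVERFLOW || ntReturn == STATUS_INFO_LENGTH_MISMATCH) {
        void *tmp;

        if (dwSize == 0) {   /* no usable size reported: give up */
            free(pObjectInfo);
            return NULL;
        }
        tmp = realloc(pObjectInfo, dwSize);
        if (tmp == NULL) {
            free(pObjectInfo);
            return NULL;
        }
        pObjectInfo = tmp;
        ntReturn = NtQueryObject(hObject, objInfoClass, pObjectInfo, dwSize, &dwSize);
    }
    /* >= 0 accepts informational/warning statuses as well as STATUS_SUCCESS */
    if (ntReturn >= STATUS_SUCCESS && pObjectInfo->Buffer != NULL) {
        /* calloc zero-fills, which supplies the terminating WCHAR */
        data = calloc(pObjectInfo->Length + sizeof(WCHAR), 1);
        if (data != NULL) {
            CopyMemory(data, pObjectInfo->Buffer, pObjectInfo->Length);
        }
    }
    free(pObjectInfo);
    return data;
}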
00254
00255
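/*
 * Worker body for QueryObjectName(): query FileNameInformation for the file
 * handle passed as the thread parameter into the shared buffer `crap` and
 * print the name.
 *
 * Runs on its own thread because NtQueryInformationFile can block
 * indefinitely on some handles; QueryObjectName() terminates the thread
 * after a timeout, so `crap` and stdout may be left half-written.
 *
 * Returns 1 (the exit code is not inspected by the caller).
 */
DWORD WINAPI GetFileNameThread(void *handle)
{
    IO_STATUS_BLOCK iob;
    NTSTATUS status;
    DWORD cbName = 0;                              /* FILE_NAME_INFORMATION.FileNameLength */
    const size_t cbAvail = sizeof crap - sizeof cbName;

    /* 9 == FileNameInformation; result layout is { ULONG FileNameLength; WCHAR FileName[]; } */
    status = NtQueryInformationFile(handle, &iob, crap, sizeof crap, 9);
    if (status != STATUS_SUCCESS && status != STATUS_BUFFER_OVERFLOW) {
        return 1;
    }
    /* FileName is not NUL-terminated: bound the print by the reported length,
     * clamped to what actually fit in the buffer (truncated on overflow). */
    memcpy(&cbName, crap, sizeof cbName);
    if (cbName > cbAvail) {
        cbName = (DWORD)cbAvail;
    }
    printf("%.*S", (int)(cbName / sizeof(WCHAR)), (const WCHAR *)(crap + sizeof cbName));
    return 1;
}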
00265
00266
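/*
 * Print the file name behind `handle` with a bounded wait.
 *
 * The query runs on a short-lived worker thread (GetFileNameThread) and is
 * abandoned after 50 ms because NtQueryInformationFile can block
 * indefinitely on some handles. The worker writes into the shared global
 * `crap`; txt is accepted for interface compatibility but not used.
 *
 * Returns 1 when the worker finished in time, 0 when it could not be
 * started or had to be terminated. TerminateThread is a last resort: the
 * abandoned worker may be mid-write to `crap` or hold the stdout lock.
 */
DWORD QueryObjectName (HANDLE handle, char *txt)
{
    DWORD tid;
    HANDLE hthread;
    DWORD wait;

    (void)txt;

    hthread = CreateThread (NULL, 0, GetFileNameThread, handle, 0, &tid);
    if (hthread == NULL) {
        printf("<CreateThread failed: %lu>", GetLastError());
        return 0;
    }
    wait = WaitForSingleObject (hthread, 50);
    if (wait != WAIT_OBJECT_0) {
        /* timed out, or the wait itself failed: abandon the query */
        TerminateThread (hthread, 0);
        CloseHandle (hthread);
        printf("THREAD BLOCKED... ACCESS DENIED!");
        return 0;
    }
    CloseHandle (hthread);
    return 1;
}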
00289
00290
/* Print the program banner (title, author and URL). Declared at the top of
 * the file but not invoked from main() in this translation unit. */
void banner(void){
    static const char *const lines[] = {
        " Handle Information for Windows (c) 2006\n",
        " Author: Andres Tarasco ( atarasco @ sia . es )\n",
        " URL: http://www.514.es\n\n",
    };
    size_t k;

    for (k = 0; k < sizeof lines / sizeof lines[0]; k++) {
        fputs(lines[k], stdout);
    }
}
00296
00297
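/*
 * Enable SeDebugPrivilege in the current process token so that handles of
 * processes owned by other users can be opened.
 *
 * Best effort: failures are silent and the enumeration simply covers fewer
 * processes. AdjustTokenPrivileges returns TRUE even when the privilege was
 * not granted (ERROR_NOT_ALL_ASSIGNED), so that case is checked explicitly;
 * it is reported only in _DBG_ builds. The token handle is always closed.
 */
void EnableDebugPrivilege(void)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tokenPriv;
    LUID luidDebug;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        return;
    }
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidDebug)) {
        BOOL granted;

        tokenPriv.PrivilegeCount = 1;
        tokenPriv.Privileges[0].Luid = luidDebug;
        tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        granted = AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, sizeof(tokenPriv), NULL, NULL) &&
                  GetLastError() != ERROR_NOT_ALL_ASSIGNED;
        (void)granted;
#ifdef _DBG_
        if (!granted) {
            printf("SeDebugPrivilege not available (error %lu)\n", GetLastError());
        }
#endif
    }
    CloseHandle(hToken);
}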
00313