PSYSTEM_HANDLE_INFORMATION HandleInfo = NULL;
ULONG HandleInfoLength = 0;
...
result = NTQSI((SYSTEM_INFORMATION_CLASS)0x10, NULL, 0, &HandleInfoLength);
if (result != 0xC0000004) {
printf("OmmeSearchProcessHandle - NTQSI output is unexpected! Expexted : 0xC0000004 Result : 0x%x\n", result);
return NULL;
}
printf("system handle info length : %i\n", HandleInfoLength);
SIZE_T HandleInfoRegionSize = HandleInfoLength;
result = NTAVM((HANDLE)(-1), (PVOID*)&HandleInfo, 0, &HandleInfoRegionSize, MEM_COMMIT, PAGE_READWRITE);
if (!NT_SUCCESS(result)) {
printf("OmmeSearchProcessHandle - NTAVM failed with result : %x\n", result);
return NULL;
}
result = NTQSI((SYSTEM_INFORMATION_CLASS)0x10, (PVOID)HandleInfo, HandleInfoLength, &HandleInfoLength);
if (!NT_SUCCESS(result)) {
printf("OmmeSearchProcessHandle - NTQSI failed with result : %x\n", result);
printf("system handle info length : %i\n", HandleInfoLength);
return NULL;
}
上面的代码产生了 this 。不知何故，第一个 NtQuerySystemInformation 调用没有给出正确的返回大小，有人对此有任何想法吗？然后，我在 Github 上偶然发现了 this ，其中提到 NtQuerySystemInformation 不会给我们正确的缓冲区大小。NTQSI 的 SystemHandleInformation 不会给出正确的返回大小，这是常识吗？
最佳答案
使用 SystemHandleInformation 调用 NtQuerySystemInformation 时返回的 ReturnLength 值并不一定代表保存整个系统句柄信息所需的缓冲区大小——更准确地说，它取决于是否提供了输入缓冲区以及其大小（请参阅 this ）。即使它返回了预期的缓冲区大小，像示例中那样调用该函数两次也不是好的做法，因为所需的大小可能会在第一次和第二次调用之间发生变化。一个可行的示例可能如下所示：
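/*
 * Query SystemHandleInformation (information class 0x10) into a pool buffer,
 * retrying with a larger buffer while the call reports
 * STATUS_INFO_LENGTH_MISMATCH.
 *
 * The buffer is always released before returning, so any consumer of the
 * handle table must be placed at the marked point inside this function.
 * On allocation failure or any other NTSTATUS failure the function simply
 * returns; no status is reported to the caller.
 *
 * NOTE(review): fpExAllocatePool / fpExFreePool / fpZwQuerySystemInformation
 * are assumed to be resolved pointers with the usual Ex*/Zw* semantics —
 * confirm against where they are set up.
 */
void GetHandleInfo()
{
    PSYSTEM_HANDLE_INFORMATION handleInfo = NULL;
    DWORD size = 0, required = 0;
    NTSTATUS handleInfoStatus;

    do
    {
        /* ExFreePool on NULL is not allowed, so the guard is required. */
        if (handleInfo)
        {
            fpExFreePool(handleInfo);
            handleInfo = NULL;
        }

        /*
         * Grow monotonically. The ReturnLength reported for this class is not
         * guaranteed to be the full required size (it may be 0 or the input
         * size), so a retry must always use a strictly larger buffer than the
         * previous attempt; `required + PAGE_SIZE` alone could stall at the
         * same size and spin forever.
         */
        size = (required > size ? required : size) + PAGE_SIZE;

        if (!(handleInfo = fpExAllocatePool(NonPagedPool, size)))
            goto Done;
    } while ((handleInfoStatus = fpZwQuerySystemInformation(0x10, handleInfo, size, &required)) == STATUS_INFO_LENGTH_MISMATCH);

    if (!NT_SUCCESS(handleInfoStatus))
        goto Done;

    /* The handle info is available here, in handleInfo, for `size` bytes. */

Done:
    if (handleInfo)
        fpExFreePool(handleInfo);
    return;
}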
关于windows - NtQuerySystemInformation SystemHandleInformation 不会给出正确的返回大小,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/73432951/