这个东西（NtGetNextProcess）好像最早出现在 Windows 2003 上（下面的代码把它标为仅 Vista 以上可用，以实际系统为准），可以在 OpenProcess/DuplicateHandle 被用户态挂钩时绕过钩子打开进程。需要注意的是，它绕过的只是用户态的 API 钩子，内核的对象访问检查仍然有效：调用者对目标进程仍然必须拥有所请求的访问权限，否则同样拿不到句柄。
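以下是老外写的VB.NET代码:
''' <summary>
''' Opens a handle to the process <paramref name="pid"/> with the requested access,
''' trying three routes in turn so that a user-mode hook on one API does not block us:
'''  1. the normal OpenProcess-based helper (GetProcessHandleById);
'''  2. a direct NtOpenProcess call (defeats hooks placed on OpenProcess only);
'''  3. walking the process list with NtGetNextProcess and matching the PID
'''     (only where cEnvironment reports the GetNext* functions are supported).
''' None of these routes bypasses the kernel's access check: the caller still needs the
''' requested access to the target process object; only user-mode hooks are sidestepped.
''' </summary>
''' <param name="pid">Process id to open.</param>
''' <param name="access">Access mask requested for the returned handle.</param>
''' <returns>An open process handle, or IntPtr.Zero if every route failed.</returns>
Private Shared Function GetProcessHandleWById(ByVal pid As Integer, ByVal access As Security.ProcessAccess) As IntPtr
    ' Upper bound on the number of processes walked in route 3, so a misbehaving
    ' NtGetNextProcess cannot spin forever. Raise if systems with more processes matter.
    Const MaxProcessesToWalk As Integer = 800

    ' ===== Route 1: standard way
    Dim hProc As IntPtr = GetProcessHandleById(pid, access)
    If hProc.IsNotNull Then
        Return hProc
    End If

    ' ===== Route 2: NtOpenProcess (if OpenProcess is hooked but NtOpenProcess is not)
    Dim _oa As NativeStructs.ObjectAttributes
    Dim _clientId As New NativeStructs.ClientId(pid, 0)
    NativeFunctions.NtOpenProcess(hProc, access, _oa, _clientId)
    If hProc.IsNotNull Then
        Return hProc
    End If

    ' ===== Route 3: enumerate with NtGetNextProcess (Vista+ only)
    If cEnvironment.SupportsGetNextThreadProcessFunctions Then
        ' GetProcessId needs query access on each enumerated handle, so make sure the
        ' mask we enumerate with carries it even when the caller did not ask for it.
        ' BUG FIX: the original computed this widened mask but then passed the
        ' un-widened 'access' to NtGetNextProcess, so GetProcessId could fail.
        Dim enumAccess As Security.ProcessAccess = WidenAccessForQuery(access)

        ' Cursor for the walk. A null cursor makes NtGetNextProcess start at the head
        ' of the list, so failing to open our own process here is not fatal.
        Dim curHandle As IntPtr = GetProcessHandleById(NativeFunctions.GetCurrentProcessId, access)

        ' NOTE(review): every successful NtGetNextProcess call returns a *new* handle and
        ' the previous cursor is overwritten without being closed, so each non-matching
        ' process leaks one handle. Close the superseded cursor once a CloseHandle
        ' wrapper is available in NativeFunctions.
        Dim walked As Integer = 0
        Do
            NativeFunctions.NtGetNextProcess(curHandle, enumAccess, 0, 0, curHandle)

            ' A null cursor after the call means no further entry was returned
            ' (end of list or failure); stop instead of restarting from the head.
            ' TODO confirm how the NativeFunctions wrapper reports STATUS_NO_MORE_ENTRIES.
            If Not curHandle.IsNotNull Then
                Exit Do
            End If

            If NativeFunctions.GetProcessId(curHandle) = pid Then
                Return curHandle
            End If

            walked += 1
        Loop While walked <= MaxProcessesToWalk
    End If

    ' Okay, everything failed....
    Return IntPtr.Zero
End Function

''' <summary>
''' Returns <paramref name="access"/> with QueryLimitedInformation added when the mask
''' carries neither QueryInformation nor QueryLimitedInformation, so that GetProcessId
''' can be called on a handle opened with the result. Otherwise returns the mask unchanged.
''' </summary>
Private Shared Function WidenAccessForQuery(ByVal access As Security.ProcessAccess) As Security.ProcessAccess
    Dim hasLimited As Boolean = (access And Security.ProcessAccess.QueryLimitedInformation) = Security.ProcessAccess.QueryLimitedInformation
    Dim hasFull As Boolean = (access And Security.ProcessAccess.QueryInformation) = Security.ProcessAccess.QueryInformation
    If hasLimited OrElse hasFull Then
        Return access
    End If
    Return access Or Security.ProcessAccess.QueryLimitedInformation
End Function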
Naylon 写了个 VB6 版本的，经我测试，有效。