typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO{
USHORT UniqueProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
typedef struct _SYSTEM_HANDLE_INFORMATION {
ULONG64 NumberOfHandles;
SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
ObjectTypeIndex这个值的定义
#define OB_TYPE_INDEX_TYPE 1 // [ObjT] "Type" #define OB_TYPE_INDEX_DIRECTORY 2 // [Dire] "Directory" #define OB_TYPE_INDEX_SYMBOLIC_LINK 3 // [Symb] "SymbolicLink" #define OB_TYPE_INDEX_TOKEN 4 // [Toke] "Token" #define OB_TYPE_INDEX_PROCESS 5 // [Proc] "Process" #define OB_TYPE_INDEX_THREAD 6 // [Thre] "Thread" #define OB_TYPE_INDEX_JOB 7 // [Job ] "Job" #define OB_TYPE_INDEX_EVENT 8 // [Even] "Event" #define OB_TYPE_INDEX_EVENT_PAIR 9 // [Even] "EventPair" #define OB_TYPE_INDEX_MUTANT 10 // [Muta] "Mutant" #define OB_TYPE_INDEX_CALLBACK 11 // [Call] "Callback" #define OB_TYPE_INDEX_SEMAPHORE 12 // [Sema] "Semaphore" #define OB_TYPE_INDEX_TIMER 13 // [Time] "Timer" #define OB_TYPE_INDEX_PROFILE 14 // [Prof] "Profile" #define OB_TYPE_INDEX_WINDOW_STATION 15 // [Wind] "WindowStation" #define OB_TYPE_INDEX_DESKTOP 16 // [Desk] "Desktop" #define OB_TYPE_INDEX_SECTION 17 // [Sect] "Section" #define OB_TYPE_INDEX_KEY 18 // [Key ] "Key" #define OB_TYPE_INDEX_PORT 19 // [Port] "Port" #define OB_TYPE_INDEX_WAITABLE_PORT 20 // [Wait] "WaitablePort" #define OB_TYPE_INDEX_ADAPTER 21 // [Adap] "Adapter" #define OB_TYPE_INDEX_CONTROLLER 22 // [Cont] "Controller" #define OB_TYPE_INDEX_DEVICE 23 // [Devi] "Device" #define OB_TYPE_INDEX_DRIVER 24 // [Driv] "Driver" #define OB_TYPE_INDEX_IO_COMPLETION 25 // [IoCo] "IoCompletion" #define OB_TYPE_INDEX_FILE 26 // [File] "File" #define OB_TYPE_INDEX_WMI_GUID 27 // [WmiG] "WmiGuid"
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO{
USHORT UniqueProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
typedef struct _SYSTEM_HANDLE_INFORMATION {
ULONG64 NumberOfHandles;
SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
ObjectTypeIndex这个值的定义
#define OB_TYPE_INDEX_TYPE 1 // [ObjT] "Type" #define OB_TYPE_INDEX_DIRECTORY 2 // [Dire] "Directory" #define OB_TYPE_INDEX_SYMBOLIC_LINK 3 // [Symb] "SymbolicLink" #define OB_TYPE_INDEX_TOKEN 4 // [Toke] "Token" #define OB_TYPE_INDEX_PROCESS 5 // [Proc] "Process" #define OB_TYPE_INDEX_THREAD 6 // [Thre] "Thread" #define OB_TYPE_INDEX_JOB 7 // [Job ] "Job" #define OB_TYPE_INDEX_EVENT 8 // [Even] "Event" #define OB_TYPE_INDEX_EVENT_PAIR 9 // [Even] "EventPair" #define OB_TYPE_INDEX_MUTANT 10 // [Muta] "Mutant" #define OB_TYPE_INDEX_CALLBACK 11 // [Call] "Callback" #define OB_TYPE_INDEX_SEMAPHORE 12 // [Sema] "Semaphore" #define OB_TYPE_INDEX_TIMER 13 // [Time] "Timer" #define OB_TYPE_INDEX_PROFILE 14 // [Prof] "Profile" #define OB_TYPE_INDEX_WINDOW_STATION 15 // [Wind] "WindowStation" #define OB_TYPE_INDEX_DESKTOP 16 // [Desk] "Desktop" #define OB_TYPE_INDEX_SECTION 17 // [Sect] "Section" #define OB_TYPE_INDEX_KEY 18 // [Key ] "Key" #define OB_TYPE_INDEX_PORT 19 // [Port] "Port" #define OB_TYPE_INDEX_WAITABLE_PORT 20 // [Wait] "WaitablePort" #define OB_TYPE_INDEX_ADAPTER 21 // [Adap] "Adapter" #define OB_TYPE_INDEX_CONTROLLER 22 // [Cont] "Controller" #define OB_TYPE_INDEX_DEVICE 23 // [Devi] "Device" #define OB_TYPE_INDEX_DRIVER 24 // [Driv] "Driver" #define OB_TYPE_INDEX_IO_COMPLETION 25 // [IoCo] "IoCompletion" #define OB_TYPE_INDEX_FILE 26 // [File] "File" #define OB_TYPE_INDEX_WMI_GUID 27 // [WmiG] "WmiGuid"