[FileLocksmith]Detect files opened by processes with PID > 65535 (#28265)

This fixes a bug where FileLocksmith could not detect files held open by a process whose PID is greater than 65535.
poke30744
2023-09-07 23:56:10 +09:00
committed by GitHub
parent 380895a2ca
commit 4d95adc6fc
4 changed files with 24 additions and 21 deletions


@@ -36,7 +36,7 @@ std::vector<ProcessResult> find_processes_recursive(const std::vector<std::wstri
} }
} }
std::map<DWORD, std::set<std::wstring>> pid_files; std::map<ULONG_PTR, std::set<std::wstring>> pid_files;
// Returns a normal path of the file specified by kernel_name, if it matches // Returns a normal path of the file specified by kernel_name, if it matches
// the search criteria. Otherwise, return an empty string. // the search criteria. Otherwise, return an empty string.


@@ -16,20 +16,23 @@ class Ntdll
private: private:
HMODULE m_module; HMODULE m_module;
public: public:
struct SYSTEM_HANDLE struct SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX
{ {
ULONG ProcessId;
BYTE ObjectTypeNumber;
BYTE Flags;
USHORT Handle;
PVOID Object; PVOID Object;
ACCESS_MASK GrantedAccess; ULONG_PTR UniqueProcessId;
ULONG_PTR HandleValue;
ULONG GrantedAccess;
USHORT CreatorBackTraceIndex;
USHORT ObjectTypeIndex;
ULONG HandleAttributes;
ULONG Reserved;
}; };
struct SYSTEM_HANDLE_INFORMATION struct SYSTEM_HANDLE_INFORMATION_EX
{ {
ULONG HandleCount; ULONG_PTR NumberOfHandles;
SYSTEM_HANDLE Handles[1]; ULONG_PTR Reserved;
SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
}; };
enum POOL_TYPE enum POOL_TYPE
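Review bot: The new `SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX` and `SYSTEM_HANDLE_INFORMATION_EX` are undocumented ntdll layouts that must match the kernel field-for-field, yet nothing in the header says so or pins their size, so a later edit could reorder or retype a field without any compiler complaint. A comment above the struct, `// Undocumented layout returned by NtQuerySystemInformation(SystemExtendedHandleInformation); field order and widths must match ntdll exactly (the ULONG_PTR fields make it 40 bytes on x64, 28 on x86).`, plus `static_assert(sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX) == (sizeof(void*) == 8 ? 40 : 28), "SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX layout must match ntdll");` after it would lock that in. The `Handles[1]` trailing-array idiom in `SYSTEM_HANDLE_INFORMATION_EX` also deserves a one-line note that callers must bound iteration by `NumberOfHandles` and the size of the returned buffer, not by the declared array length. The enclosing class `Ntdll` continues outside the hunk.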


@@ -154,21 +154,21 @@ std::wstring NtdllExtensions::path_to_kernel_name(LPCWSTR path)
std::vector<NtdllExtensions::HandleInfo> NtdllExtensions::handles() noexcept std::vector<NtdllExtensions::HandleInfo> NtdllExtensions::handles() noexcept
{ {
auto get_info_result = NtQuerySystemInformationMemoryLoop(SystemHandleInformation); auto get_info_result = NtQuerySystemInformationMemoryLoop(SystemExtendedHandleInformation);
if (NT_ERROR(get_info_result.status)) if (NT_ERROR(get_info_result.status))
{ {
return {}; return {};
} }
auto info_ptr = (SYSTEM_HANDLE_INFORMATION*)get_info_result.memory.data(); auto info_ptr = (SYSTEM_HANDLE_INFORMATION_EX*)get_info_result.memory.data();
std::map<DWORD, HANDLE> pid_to_handle; std::map<ULONG_PTR, HANDLE> pid_to_handle;
std::vector<HandleInfo> result; std::vector<HandleInfo> result;
std::vector<BYTE> object_info_buffer(DefaultResultBufferSize); std::vector<BYTE> object_info_buffer(DefaultResultBufferSize);
std::atomic<ULONG> i = 0; std::atomic<ULONG> i = 0;
std::atomic<ULONG> handle_count = info_ptr->HandleCount; std::atomic<ULONG_PTR> handle_count = info_ptr->NumberOfHandles;
std::atomic<HANDLE> process_handle = NULL; std::atomic<HANDLE> process_handle = NULL;
std::atomic<HANDLE> handle_copy = NULL; std::atomic<HANDLE> handle_copy = NULL;
ULONG previous_i; ULONG previous_i;
@@ -188,7 +188,7 @@ std::vector<NtdllExtensions::HandleInfo> NtdllExtensions::handles() noexcept
handle_copy = NULL; handle_copy = NULL;
auto handle_info = info_ptr->Handles + i; auto handle_info = info_ptr->Handles + i;
DWORD pid = handle_info->ProcessId; auto pid = handle_info->UniqueProcessId;
auto iter = pid_to_handle.find(pid); auto iter = pid_to_handle.find(pid);
if (iter != pid_to_handle.end()) if (iter != pid_to_handle.end())
@@ -197,7 +197,7 @@ std::vector<NtdllExtensions::HandleInfo> NtdllExtensions::handles() noexcept
} }
else else
{ {
process_handle = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pid); process_handle = OpenProcess(PROCESS_DUP_HANDLE, FALSE, (DWORD)pid);
if (!process_handle) if (!process_handle)
{ {
continue; continue;
@@ -215,7 +215,7 @@ std::vector<NtdllExtensions::HandleInfo> NtdllExtensions::handles() noexcept
// } // }
HANDLE local_handle_copy; HANDLE local_handle_copy;
auto dh_result = DuplicateHandle(process_handle, (HANDLE)handle_info->Handle, GetCurrentProcess(), &local_handle_copy, 0, 0, DUPLICATE_SAME_ACCESS); auto dh_result = DuplicateHandle(process_handle, (HANDLE)handle_info->HandleValue, GetCurrentProcess(), &local_handle_copy, 0, 0, DUPLICATE_SAME_ACCESS);
if (dh_result == 0) if (dh_result == 0)
{ {
// Ignore this handle. // Ignore this handle.
@@ -241,7 +241,7 @@ std::vector<NtdllExtensions::HandleInfo> NtdllExtensions::handles() noexcept
if (type_name == L"File") if (type_name == L"File")
{ {
file_name = file_handle_to_kernel_name(handle_copy, object_info_buffer); file_name = file_handle_to_kernel_name(handle_copy, object_info_buffer);
result.push_back(HandleInfo{ pid, handle_info->Handle, type_name, file_name }); result.push_back(HandleInfo{ pid, handle_info->HandleValue, type_name, file_name });
} }
CloseHandle(handle_copy); CloseHandle(handle_copy);
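Review bot: `handles()` takes `info_ptr->NumberOfHandles` from the undocumented `SYSTEM_HANDLE_INFORMATION_EX` header without checking that `get_info_result.memory` is actually large enough to hold that many `SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX` entries, so if the declared layout ever disagrees with the running kernel (the struct size depends on ULONG_PTR) the `info_ptr->Handles + i` walk reads past the end of the buffer. Whether `NtQuerySystemInformationMemoryLoop` already guarantees this is not visible here, so a cheap guard right after the cast is worth adding: `if (get_info_result.memory.size() < offsetof(SYSTEM_HANDLE_INFORMATION_EX, Handles) + info_ptr->NumberOfHandles * sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)) return {};`. Separately, `i` and `previous_i` stay `ULONG` while `handle_count` became `std::atomic<ULONG_PTR>`, and `OpenProcess(PROCESS_DUP_HANDLE, FALSE, (DWORD)pid)` silently narrows the ULONG_PTR that `pid_to_handle` is keyed on; widening the counters to ULONG_PTR and writing `static_cast<DWORD>(pid)` keeps the intended widths explicit. The body of `handles()` continues outside the hunks shown.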


@@ -11,7 +11,7 @@ private:
constexpr static size_t MaxResultBufferSize = 1024 * 1024 * 1024; constexpr static size_t MaxResultBufferSize = 1024 * 1024 * 1024;
constexpr static int ObjectNameInformation = 1; constexpr static int ObjectNameInformation = 1;
constexpr static int SystemHandleInformation = 16; constexpr static int SystemExtendedHandleInformation = 64;
struct MemoryLoopResult struct MemoryLoopResult
{ {
@@ -35,8 +35,8 @@ public:
struct HandleInfo struct HandleInfo
{ {
DWORD pid; ULONG_PTR pid;
USHORT handle; ULONG_PTR handle;
std::wstring type_name; std::wstring type_name;
std::wstring kernel_file_name; std::wstring kernel_file_name;
}; };
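Review bot: The new constant `SystemExtendedHandleInformation = 64` is a bare undocumented `SYSTEM_INFORMATION_CLASS` value with nothing saying what it returns or why it replaces `SystemHandleInformation = 16`, which per the commit message could not represent PIDs above 65535. A comment above it would spare the next reader a trip to the reverse-engineered headers: `// SYSTEM_INFORMATION_CLASS::SystemExtendedHandleInformation (undocumented): returns SYSTEM_HANDLE_INFORMATION_EX, whose entries carry ULONG_PTR process ids and handle values.` `HandleInfo::pid` and `HandleInfo::handle` also widened from DWORD/USHORT to ULONG_PTR, so any caller that formats, compares or narrows these fields (not visible here) should be checked, and a one-line comment on the struct noting that both values are copied verbatim from the kernel's handle-table entry would make that contract explicit.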