How can I see the Handles of a process?

Get help with using AutoHotkey (v2 or newer) and its commands and hotkeys
bapl
Posts: 119
Joined: 17 Apr 2021, 00:24

How can I see the Handles of a process?

Post by bapl » 08 Jan 2023, 23:50

How can I see the Handles of a process?
Is there a simple command for AHK V2 so that I can find a Handle named "DiscordHook"?

jNizM
Posts: 3183
Joined: 30 Sep 2013, 01:33
Contact:

Re: How can I see the Handles of a process?

Post by jNizM » 09 Jan 2023, 02:28

There is no AHK command for this.
Here is a v1 version to get process handles -> viewtopic.php?p=96242#p96242

If you need help converting it to v2, just ask.
[AHK] v2.0.5 | [WIN] 11 Pro (Version 22H2) | [GitHub] Profile

jNizM
Posts: 3183
Joined: 30 Sep 2013, 01:33
Contact:

Re: How can I see the Handles of a process?

Post by jNizM » 09 Jan 2023, 04:26

There may still be some permission problems, because not all handle names could be resolved. Or I have forgotten something.


#Requires AutoHotkey v2.0

#DllLoad "advapi32.dll"
#DllLoad "ntdll.dll"


; PID of the process whose handles are listed. 5064 is the sample value
; from the post; replace it with a PID that exists on the machine under test.
ProcessID := 5064


; Build a four-column list view and add one row per handle record
; returned by GetProcessHandles().
Main := Gui()
LV := Main.AddListView("xm ym w800 r30", ["Handle", "Type", "Name", "Path"])
PH := GetProcessHandles(ProcessID)
for Index, Entry in PH
{
    LV.Add("", Entry["Handle"], Entry["Type"], Entry["Name"], Entry["Path"])
}
Main.OnEvent("Close", (*) => ExitApp)
Main.Show()


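GetProcessHandles(ProcessID)
{
    ; Enumerates the handles owned by ProcessID and resolves, for each one,
    ; its object type, object name and (for file objects) final path.
    ;
    ; Returns a Map of Maps with the keys "Handle", "Name", "Type" and "Path".
    ; The Map is empty when the handle table cannot be read or the target
    ; process cannot be opened.
    ;
    ; Corrections compared with the posted version:
    ;  - The token is opened on the current-process pseudo handle. The posted
    ;    code passed that pseudo handle to OpenProcess() as if it were a PID,
    ;    so SeDebugPrivilege was never actually requested.
    ;  - Name/Type/Path are queried on the DUPLICATED handle. The value taken
    ;    from the handle table is only meaningful inside the target process;
    ;    using it here queried unrelated handles of this script instead.
    ;  - The target process is opened once rather than once per handle, and
    ;    every handle is closed on every path (no leak when duplication fails).
    ;  - Only PROCESS_DUP_HANDLE is requested, which is the access right
    ;    handle duplication needs on the source process.
    ;
    ; NOTE(review): SeDebugPrivilege is normally present only in an elevated
    ; administrator token, so without elevation the adjustment below has no
    ; effect and handles of protected or other-user processes stay unreadable.
    ; NOTE(review): NtQueryObject name queries are known to block on some file
    ; objects (for example synchronous pipes); production tools run the query
    ; on a worker thread with a timeout. This listing does not.
    static PROCESS_DUP_HANDLE        := 0x0040
    static TOKEN_ADJUST_PRIVILEGES   := 0x0020
    static DUPLICATE_SAME_ATTRIBUTES := 0x0004
    static hCurrentProcess := DllCall("GetCurrentProcess", "Ptr")

    ; Best effort: enable SeDebugPrivilege in this process's own token.
    if (hToken := OpenProcessToken(hCurrentProcess, TOKEN_ADJUST_PRIVILEGES))
    {
        if (LUID := LookupPrivilegeValue("SeDebugPrivilege"))
            AdjustTokenPrivileges(hToken, LUID)
        CloseHandle(hToken)
    }

    ProcessHandles := Map()
    if !(mHandles := SystemHandleInformation(ProcessID))
        return ProcessHandles
    if !(hProc := OpenProcess(ProcessID, PROCESS_DUP_HANDLE))
        return ProcessHandles

    for i, Entry in mHandles
    {
        ; Copy the remote handle into this process so it can be queried.
        ; Desired access is 0, so the copy carries no access rights of its own.
        if !(hDublicate := DuplicateObject(hProc, hCurrentProcess, Entry["HandleValue"], DUPLICATE_SAME_ATTRIBUTES))
            continue
        PH := Map()
        PH["Handle"] := Entry["HandleValue"]        ; value as seen by the target process
        PH["Name"]   := ObjectNameInformation(hDublicate)
        PH["Type"]   := ObjectTypeInformation(hDublicate)
        PH["Path"]   := GetFinalPathNameByHandle(hDublicate)
        ProcessHandles[A_Index] := PH
        CloseHandle(hDublicate)
    }
    CloseHandle(hProc)
    return ProcessHandles
}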

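AdjustTokenPrivileges(hToken, LUID)
{
    ; Enables the privilege identified by LUID in the access token hToken.
    ;
    ; hToken - token handle opened with TOKEN_ADJUST_PRIVILEGES
    ; LUID   - 64-bit privilege identifier (see LookupPrivilegeValue)
    ;
    ; Returns true only when the privilege was really enabled.
    ; The Win32 call reports success even if the token does not hold the
    ; privilege at all; that case is signalled solely through the last-error
    ; value ERROR_NOT_ALL_ASSIGNED, so it has to be checked explicitly.
    static SE_PRIVILEGE_ENABLED   := 0x00000002
    static ERROR_NOT_ALL_ASSIGNED := 1300

    ; TOKEN_PRIVILEGES with a single entry:
    ;   +0  DWORD PrivilegeCount
    ;   +4  LUID  Luid        (8 bytes)
    ;   +12 DWORD Attributes
    TOKEN_PRIVILEGES := Buffer(16, 0)
    NumPut("UInt", 1, TOKEN_PRIVILEGES, 0)
    NumPut("Int64", LUID, TOKEN_PRIVILEGES, 4)
    NumPut("UInt", SE_PRIVILEGE_ENABLED, TOKEN_PRIVILEGES, 12)
    if !(DllCall("advapi32\AdjustTokenPrivileges", "Ptr", hToken, "Int", 0, "Ptr", TOKEN_PRIVILEGES, "UInt", TOKEN_PRIVILEGES.Size, "Ptr", 0, "Ptr", 0))
        return false
    ; A_LastError holds GetLastError() of the DllCall that just returned.
    return (A_LastError != ERROR_NOT_ALL_ASSIGNED)
}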

CloseHandle(hObject)
{
    ; Closes a kernel handle. A zero/false handle is ignored, so callers can
    ; pass the result of a failed open without checking it first.
    if !hObject
        return
    DllCall("CloseHandle", "Ptr", hObject)
}

DuplicateObject(hProcess, hCurrentProcess, Handle, Options)
{
    ; Duplicates Handle, which belongs to the process behind hProcess, into
    ; the process behind hCurrentProcess by calling NtDuplicateObject.
    ; Desired access and handle attributes are both passed as 0; Options is
    ; forwarded unchanged.
    ;
    ; Returns the new handle on STATUS_SUCCESS (0), otherwise false.
    ; The caller owns the returned handle and has to close it.
    hCopy := 0
    Status := DllCall("ntdll\NtDuplicateObject"
        , "Ptr",  hProcess
        , "Ptr",  Handle
        , "Ptr",  hCurrentProcess
        , "Ptr*", &hCopy
        , "UInt", 0
        , "UInt", 0
        , "UInt", Options)
    return (Status = 0x00000000) ? hCopy : false
}

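GetFinalPathNameByHandle(hFile)
{
    ; Returns the final path of the file object behind hFile, or an empty
    ; value when the handle is not a file or the path cannot be retrieved.
    ; Flags are 0, so the API returns its default path form.
    ;
    ; The first call passes no buffer and yields the required size in
    ; characters. A result of 0 means the handle cannot be resolved, so the
    ; second call is skipped instead of being issued with an empty buffer.
    Size := DllCall("GetFinalPathNameByHandleW", "Ptr", hFile, "Ptr", 0, "UInt", 0, "UInt", 0, "UInt")
    if !Size
        return
    VarSetStrCapacity(&FilePath, Size)
    Length := DllCall("GetFinalPathNameByHandleW", "Ptr", hFile, "Str", FilePath, "UInt", Size, "UInt", 0, "UInt")
    ; On success the API returns the character count without the terminator,
    ; which is smaller than Size. A value >= Size means the buffer was too
    ; small and its content must not be used.
    if !Length || (Length >= Size)
        return
    return FilePath
}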

LookupPrivilegeValue(Name)
{
    ; Resolves a privilege name such as "SeDebugPrivilege" to its LUID on the
    ; local system (system name argument is NULL).
    ; Returns the LUID as a 64-bit integer, or false when the lookup fails.
    LuidValue := 0
    Found := DllCall("advapi32\LookupPrivilegeValueW", "Ptr", 0, "Str", Name, "Int64*", &LuidValue)
    return Found ? LuidValue : false
}

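ObjectNameInformation(Handle)
{
    ; Returns the object-manager name of the object behind Handle, or an
    ; empty value when the query fails or the object has no name.
    ;
    ; Handle must be valid in the CURRENT process; a handle value read from
    ; another process's handle table has to be duplicated first.
    ;
    ; NOTE(review): name queries are known to block on some file objects
    ; (for example synchronous pipes). Nothing here guards against that.
    static STATUS_SUCCESS    := 0x00000000
    static CLASS_OBJECT_NAME := 1    ; ObjectNameInformation

    ; Sizing call: no buffer, required byte count comes back in Size.
    DllCall("ntdll\NtQueryObject", "Ptr", Handle, "UInt", CLASS_OBJECT_NAME, "Ptr", 0, "UInt", 0, "UInt*", &Size := 0, "UInt")
    if !Size
        return
    Buf := Buffer(Size, 0)
    NT_STATUS := DllCall("ntdll\NtQueryObject", "Ptr", Handle, "UInt", CLASS_OBJECT_NAME, "Ptr", Buf.Ptr, "UInt", Buf.Size, "UInt*", &Size := 0, "UInt")
    if (NT_STATUS != STATUS_SUCCESS)
        return

    ; The buffer starts with a UNICODE_STRING: Length in bytes at offset 0,
    ; pointer to the characters at offset A_PtrSize.
    Length := NumGet(Buf, 0, "UShort")
    pName  := NumGet(Buf, A_PtrSize, "UPtr")
    ; Unnamed objects report a zero length and a null pointer; return empty
    ; instead of handing a null address to StrGet.
    if !Length || !pName
        return
    return StrGet(pName, Length // 2, "UTF-16")
}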

ObjectTypeInformation(Handle)
{
    ; Returns the type name of the object behind Handle, read from the
    ; UNICODE_STRING at the start of the NtQueryObject result for
    ; information class 2. Returns an empty value when the query fails.
    ;
    ; Handle must be valid in the current process.
    static CLASS_OBJECT_TYPE := 2    ; ObjectTypeInformation

    ; First call only asks for the required byte count.
    Needed := 0
    DllCall("ntdll\NtQueryObject", "Ptr", Handle, "UInt", CLASS_OBJECT_TYPE, "Ptr", 0, "UInt", 0, "uint*", &Needed, "UInt")

    Info := Buffer(Needed, 0)
    Returned := 0
    Status := DllCall("ntdll\NtQueryObject", "Ptr", Handle, "UInt", CLASS_OBJECT_TYPE, "Ptr", Info.Ptr, "UInt", Info.Size, "uint*", &Returned, "UInt")
    if (Status != 0x00000000)
        return

    ; Length is in bytes at offset 0; the character pointer sits at A_PtrSize.
    ByteLen := NumGet(Info, 0, "ushort")
    pChars  := NumGet(Info, A_PtrSize, "uptr")
    return StrGet(pChars, ByteLen // 2, "UTF-16")
}

OpenProcess(ProcessID, DesiredAccess, InheritHandle := 0)
{
    ; Opens the process with the given PID and access mask.
    ; Returns the process handle, or false when the process cannot be opened.
    ; The caller has to close the returned handle.
    hOpened := DllCall("OpenProcess", "UInt", DesiredAccess, "Int", InheritHandle, "UInt", ProcessID, "Ptr")
    return hOpened ? hOpened : false
}

OpenProcessToken(hProcess, DesiredAccess)
{
    ; Opens the access token of the process behind hProcess with the
    ; requested token access rights.
    ; Returns the token handle, or false on failure. The caller closes it.
    hOpenedToken := 0
    Opened := DllCall("advapi32\OpenProcessToken", "Ptr", hProcess, "UInt", DesiredAccess, "Ptr*", &hOpenedToken)
    return Opened ? hOpenedToken : false
}

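SystemHandleInformation(ProcessID)
{
    ; Reads the system-wide handle table and returns the entries owned by
    ; ProcessID as a Map of Maps with the keys "UniqueProcessId" and
    ; "HandleValue". Returns false when the table cannot be read.
    ;
    ; Corrections compared with the posted version:
    ;  - Uses SystemExtendedHandleInformation (class 0x40). The legacy class
    ;    0x10 stores the PID and the handle value as 16-bit fields, so PIDs or
    ;    handle values above 65535 were truncated and entries of a different
    ;    process could be matched by accident.
    ;  - Offsets are derived from A_PtrSize instead of being fixed to the
    ;    64-bit layout.
    ;  - The retry loop is bounded and adds slack, because the table can grow
    ;    between the sizing call and the next attempt.
    ;  - The reported entry count is clamped to what fits in the buffer.
    ;
    ; Layout used (pointer-sized fields are A_PtrSize bytes):
    ;   header: NumberOfHandles, Reserved
    ;   entry : Object, UniqueProcessId, HandleValue, then 16 bytes of
    ;           access mask / indices / attributes
    static STATUS_SUCCESS                     := 0x00000000
    static STATUS_INFO_LENGTH_MISMATCH        := 0xC0000004
    static STATUS_BUFFER_TOO_SMALL            := 0xC0000023
    static SYSTEM_EXTENDED_HANDLE_INFORMATION := 0x00000040
    static MAX_ATTEMPTS                       := 16
    static SLACK_BYTES                        := 0x10000

    HeaderSize := 2 * A_PtrSize
    EntrySize  := 3 * A_PtrSize + 16

    Buf := Buffer(0, 0)
    NT_STATUS := STATUS_INFO_LENGTH_MISMATCH
    loop MAX_ATTEMPTS
    {
        NT_STATUS := DllCall("ntdll\NtQuerySystemInformation", "Int", SYSTEM_EXTENDED_HANDLE_INFORMATION, "Ptr", Buf.Ptr, "UInt", Buf.Size, "UInt*", &Size := 0, "UInt")
        if (NT_STATUS != STATUS_INFO_LENGTH_MISMATCH) && (NT_STATUS != STATUS_BUFFER_TOO_SMALL)
            break
        ; Grow past the reported size so a slightly larger table still fits.
        Buf := Buffer(Max(Size, Buf.Size) + SLACK_BYTES, 0)
    }
    if (NT_STATUS != STATUS_SUCCESS)
        return false

    NumberOfHandles := NumGet(Buf, 0, "UPtr")
    ; Never walk past the end of the buffer, whatever the header claims.
    NumberOfHandles := Min(NumberOfHandles, (Buf.Size - HeaderSize) // EntrySize)

    Addr := Buf.Ptr + HeaderSize
    HANDLE_INFORMATION := Map()
    loop NumberOfHandles
    {
        OwnerPid := NumGet(Addr, A_PtrSize, "UPtr")
        if (OwnerPid = ProcessID)
        {
            HANDLE := Map()
            HANDLE["UniqueProcessId"]   := OwnerPid
            HANDLE["HandleValue"]       := NumGet(Addr, 2 * A_PtrSize, "UPtr")
            HANDLE_INFORMATION[A_Index] := HANDLE
        }
        Addr += EntrySize
    }
    return HANDLE_INFORMATION
}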

[AHK] v2.0.5 | [WIN] 11 Pro (Version 22H2) | [GitHub] Profile

bapl
Posts: 119
Joined: 17 Apr 2021, 00:24

Re: How can I see the Handles of a process?

Post by bapl » 13 Jan 2023, 11:24

@jNizM
Indeed, I can't find Device/Afd and many other Handles.

jNizM
Posts: 3183
Joined: 30 Sep 2013, 01:33
Contact:

Re: How can I see the Handles of a process?

Post by jNizM » 01 Feb 2023, 05:47

[AHK] v2.0.5 | [WIN] 11 Pro (Version 22H2) | [GitHub] Profile

bapl
Posts: 119
Joined: 17 Apr 2021, 00:24

Re: How can I see the Handles of a process?

Post by bapl » 03 Feb 2023, 18:02

yes it works!
Thank you!
