C++ Get Handle of Open Sockets of a Program


Problem description


How is it possible to get the Socket ID (Handle) of the created sockets of a program?


I know I can get all the open sockets in all programs by GetTcpTable() but it has two problems:

  1. It shows the sockets of all programs
Recommended answer


As Remy said, it's not trivial. You have to call OpenProcess with PROCESS_DUP_HANDLE for each process in the system. You might also need PROCESS_QUERY_INFORMATION and PROCESS_VM_READ, but I've never needed it (I've seen other code that uses it).


For each process, you access the donor process's handle table with NtQuerySystemInformation (with an information class of SystemHandleInformation). Finally, you call DuplicateHandle to make the process's handle your handle, too.


You will have to filter the handle types when enumerating the donor process's handle table. For each handle you have duplicated, call NtQueryObject with ObjectTypeInformation. If the type is a socket, you keep it open and put it in your list. Otherwise, close it and go on.


To perform the compare, the code looks similar to below. The type is returned as a UNICODE_STRING:

// info was returned from NtQueryObject with ObjectTypeInformation
POBJECT_TYPE_INFORMATION pObjectTypeInfo = (POBJECT_TYPE_INFORMATION)(LPVOID)info;

// Name.Length is a byte count and Buffer is not NUL-terminated, so divide by sizeof(WCHAR)
wstring type( pObjectTypeInfo->Name.Buffer, pObjectTypeInfo->Name.Length / sizeof(WCHAR) );
if( 0 != wcscmp( L"Socket", type.c_str() ) ) { /* Not a Socket */ }


If there is no Socket type (I don't recall), you should try to get the name associated with the handle (it's still a UNICODE_STRING), and look for \\Device\\Tcp. This time, you would use the same handle, but call NtQueryObject with ObjectNameInformation:

// info was returned from NtQueryObject with ObjectNameInformation
POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)(LPVOID)info;

// Same byte-count caveat as above; the prefix must be a wide (L"...") literal to compare with a wstring
wstring name( pObjectNameInfo->Name.Buffer, pObjectNameInfo->Name.Length / sizeof(WCHAR) );
if( name.substr(0, 11) == L"\\Device\\Tcp" ) { /* It's a TCP Socket */ }


Myself and another fellow did something similar a few years ago. Instead of Sockets, we used Mutexes and Events to crash privileged Antivirus components from their userland UI program (which was sharing handles with the privileged component for IPC). See Old Dogs and New Tricks: Do You Know Where Your Handles Are?.
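The type-then-name filter the answer describes, written out as an added example (not code from the answer or from Stack Overflow). It handles the UNICODE_STRING byte length correctly, and it goes slightly beyond the answer by also accepting \Device\Afd, the device that Winsock handles on current Windows are actually opened on; the Windows-only function applies the filter to one handle already brought into the process with DuplicateHandle. make_us, classify and classify_handle are names chosen here, and the portable UNICODE_STRING mirror is only so the filter compiles and tests off Windows.

```cpp
#include <cstdint>
#include <cwchar>
#include <initializer_list>
#include <string>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   // NtQueryObject, OBJECT_INFORMATION_CLASS, PUBLIC_OBJECT_TYPE_INFORMATION
#else
// Portable mirror of the Windows types so the classifier compiles and tests anywhere.
typedef uint16_t USHORT; typedef wchar_t WCHAR;
struct UNICODE_STRING { USHORT Length; USHORT MaximumLength; WCHAR* Buffer; };
#endif

enum HandleKind { NotSocket, SocketByType, SocketByDeviceName };
// UNICODE_STRING::Length is a BYTE count and Buffer need not be NUL-terminated,
// so always convert with Length / sizeof(WCHAR), never with Length alone.
std::wstring to_wstring(const UNICODE_STRING& s) {
    return std::wstring(s.Buffer, s.Length / sizeof(WCHAR));
}
// Sample helper (not a Windows API): a UNICODE_STRING view over the first nchars of s.
UNICODE_STRING make_us(const wchar_t* s, size_t nchars) {
    USHORT bytes = (USHORT)(nchars * sizeof(WCHAR));
    return UNICODE_STRING{ bytes, bytes, const_cast<WCHAR*>(s) };
}
// The answer's filter: type name first, then the object name's device prefix.
HandleKind classify(const UNICODE_STRING& typeName, const UNICODE_STRING& objectName) {
    if (to_wstring(typeName) == L"Socket") return SocketByType;
    std::wstring name = to_wstring(objectName);
    // \Device\Tcp is what the answer looks for; Winsock handles on current Windows
    // are "File" objects opened on the AFD driver, so \Device\Afd is checked too.
    for (const wchar_t* prefix : { L"\\Device\\Tcp", L"\\Device\\Afd" })
        if (name.compare(0, wcslen(prefix), prefix) == 0) return SocketByDeviceName;
    return NotSocket;
}
#ifdef _WIN32
// Windows only: classify one handle already duplicated into this process via
// DuplicateHandle, querying type and then name as the answer describes (link ntdll.lib).
HandleKind classify_handle(HANDLE h) {
    alignas(8) BYTE typeBuf[1024], nameBuf[1024];
    ULONG len = 0;
    if (NtQueryObject(h, ObjectTypeInformation, typeBuf, sizeof typeBuf, &len) < 0) return NotSocket;
    auto* type = reinterpret_cast<PUBLIC_OBJECT_TYPE_INFORMATION*>(typeBuf);
    // ObjectNameInformation (1) is not in winternl.h's enum (hence the cast); this query can block on some pipe handles.
    UNICODE_STRING noName = { 0, 0, nullptr }, *name = &noName;
    if (NtQueryObject(h, (OBJECT_INFORMATION_CLASS)1, nameBuf, sizeof nameBuf, &len) >= 0)
        name = reinterpret_cast<UNICODE_STRING*>(nameBuf);  // OBJECT_NAME_INFORMATION starts with Name
    return classify(type->TypeName, *name);
}
#endif
```

The constructed "SocketXYZ" sample with a Length of six characters shows why the byte count must be honoured: the trailing characters past Length are not part of the string.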

