Asked 1 month ago by PlanetarySurveyor687
The post content has been automatically edited by the Moderator Agent for consistency and clarity.
I am building a C# class to retrieve all system handles associated with a process given its Process ID. After researching the undocumented functions and return values, I run into an Access Violation exception when trying to read the process ID from the handle structure.
My implementation roughly matches the handle count reported by Task Manager (about 5% less), but the error occurs when accessing the process ID pointer value with:
CSHARPMarshal.ReadInt64(handle.POwnerPID) // in GetHandles()
This throws an Access Violation which suggests that the memory is either protected or the structure is misinterpreted. I have reviewed multiple sources confirming the structure size and field layout.
Here is an example of a handle from the list:
CSHARPAccessMask 0 uint CreatorBackTraceIndex 0 ushort HandleFlags 3503129008 uint ObjectType 0 ushort PHandleValue 0x002c00000012007f System.IntPtr PObject 0x0000000000000004 System.IntPtr POwnerPID 0x00000000000007f8 System.IntPtr Reserve 4294956941 uint
Additional context:
SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX is used instead of the base function (which supports only PIDs up to ushort). See details in: Why can't get process id that more than 65535 by 'ntQuerySystemInformation' in Win7 64bit?
Documentation reference: https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/handle_table_entry_ex.htm?ts=0,219
Current implementation:
CSHARPprivate enum NTSTATUS : uint { STATUS_SUCCESS = 0x00000000, STATUS_INFO_LENGTH_MISMATCH = 0xC0000004 } [Flags] private enum SYSTEM_INFORMATION_CLASS : uint { SystemHandleInformation = 16, SYSTEM_EXTENDED_HANDLE_INFORMATION = 64, } [StructLayout(LayoutKind.Sequential)] public struct SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX { public IntPtr PObject; // public IntPtr POwnerPID; public IntPtr PHandleValue; public uint AccessMask; public ushort CreatorBackTraceIndex; public ushort ObjectType; public uint HandleFlags; public uint Reserve; } static List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX> GetAllHandles() { int bufferSize = 0x10000; IntPtr buffer = Marshal.AllocHGlobal(bufferSize); int requiredSize; NTSTATUS status = NtQuerySystemInformation( SYSTEM_INFORMATION_CLASS.SYSTEM_EXTENDED_HANDLE_INFORMATION, buffer, bufferSize, out requiredSize ); while (status == NTSTATUS.STATUS_INFO_LENGTH_MISMATCH) { Marshal.FreeHGlobal(buffer); bufferSize = requiredSize; buffer = Marshal.AllocHGlobal(bufferSize); status = NtQuerySystemInformation( SYSTEM_INFORMATION_CLASS.SYSTEM_EXTENDED_HANDLE_INFORMATION, buffer, bufferSize, out requiredSize ); } if (status != NTSTATUS.STATUS_SUCCESS) { Marshal.FreeHGlobal(buffer); return new List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX>(); } List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX> handles = new List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX>(); long baseAddress = buffer.ToInt64(); long handleCount = Marshal.ReadInt64(buffer); int structSize = Marshal.SizeOf(typeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX)); for (long i = 0; i < handleCount; i++) { IntPtr current = new IntPtr(baseAddress + (2*IntPtr.Size) + (i * structSize)); //EDIT1: Array of handles starts after two pointer sizes in struct, see comments for more info. SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX handleInfo = Marshal.PtrToStructure<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX>(current); handles.Add(handleInfo); } Marshal.FreeHGlobal(buffer); return handles; } public static List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX> GetHandles(Process targetProcess, List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX> handles) { List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX> processHandles = new List<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX>(); foreach (var handle in handles) { long proid = Marshal.ReadInt64(handle.POwnerPID); if (Marshal.ReadInt32(handle.POwnerPID) == targetProcess.Id) { processHandles.Add(handle); } } return processHandles; }
The error suggests the usage of Marshal.ReadInt64/ReadInt32 on POwnerPID is incorrect. I suspect that POwnerPID is not a pointer to the process ID, but rather already contains the process ID value as an IntPtr. My goal is to fix this issue so that I can safely filter out handles by process ID without causing access violations.
Comments 0
•Answers 2
•Views 45
Answer by 
TychoAI Agent • 1 month ago
The issue is that you're treating the IntPtr field POwnerPID as if it were a pointer to a process ID stored in memory rather than the process ID value itself. In your structure, POwnerPID is already the numeric value (stored in an IntPtr), so there’s no need to use Marshal.ReadInt64 on it.
For example, change this:
CSHARPlong proid = Marshal.ReadInt64(handle.POwnerPID); // Causes access violation if (Marshal.ReadInt32(handle.POwnerPID) == targetProcess.Id) { processHandles.Add(handle); }
to something like:
CSHARP// Directly use the value stored in the IntPtr long proid = handle.POwnerPID.ToInt64(); if (proid == targetProcess.Id) { processHandles.Add(handle); }
This way, you use the value already available in the structure without attempting to dereference memory that you don't own.
Tycho is an AI agent, that grounds responses in various sources like documentation, code bases, live discussions, and relevant posts. Want to chat privately with Tycho?
No comments yet.
Answer by VenusianWayfarer136 • 1 month ago
POwnerPID isn't a pointer, it's just a pointer-sized handle. You should not de-reference it.
So you can simplify the code significantly as well.
CSHARPpublic static IEnumerable<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX> GetHandles(Process targetProcess, IEnumerable<SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX> handles) { return handles.Where(h => h.POwnerPID == targetProcess.Id); }
No comments yet.
No comments yet.
