!handle
!handle 扩展显示目标系统中一个或所有进程拥有的句柄的信息
0:001> !handle
Handle 4
Type Directory
Handle 8
Type File
Handle c
Type File
Handle 10
Type Key
Handle 14
Type ALPC Port
Handle 18
Type Mutant
Handle 1c
Type Key
Handle 20
Type Event
Handle 24
Type Key
Handle 2c
Type Event
Handle 30
Type WindowStation
Handle 34
Type Desktop
Handle 38
Type WindowStation
Handle 3c
Type File
Handle 84
Type Event
Handle 88
Type Event
Handle 8c
Type Event
Handle 90
Type Event
Handle 94
Type Event
Handle 98
Type Event
Handle 9c
Type Directory
Handle a0
Type Event
Handle a4
Type Event
Handle a8
Type File
Handle ac
Type File
Handle b0
Type Event
Handle b4
Type Mutant
Handle b8
Type Event
Handle bc
Type Mutant
Handle c0
Type Section
Handle c4
Type Section
Handle c8
Type Mutant
Handle cc
Type Section
Handle d0
Type Key
Handle d4
Type Key
Handle d8
Type Key
Handle dc
Type Key
Handle e0
Type Key
Handle e4
Type File
Handle e8
Type Section
Handle f4
Type File
Handle f8
Type ALPC Port
Handle fc
Type Mutant
Handle 100
Type Section
Handle 104
Type File
Handle 10c
Type File
Handle 110
Type Key
Handle 114
Type Key
Handle 11c
Type Key
49 Handles
Type Count
None 2
Event 12
Section 5
File 9
Directory 2
Mutant 5
WindowStation 2
Key 11
Desktop 1我们注意到最下面这一部分统计了各种类型句柄的各自数目
要得到某个句柄更详细的信息,可以用这个句柄做为参数,再用'f'表示显示最详细的信息:
0:001> !handle 4 f
Handle 4
Type Directory
Attributes 0x10
GrantedAccess 0x3:
None
Query,Traverse
HandleCount 60
PointerCount 99
Name \KnownDlls
No Object Specific Information available
0:001> !handle 84 f
Handle 84
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 3
Name <none>
Object Specific Information
Event Type Manual Reset
Event is Waiting重新写一个代码测试Mutex:
0:001> !handle xx f
Handle 78
Type Mutant
Attributes 0
GrantedAccess 0x1f0001:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState
HandleCount 2
PointerCount 3
Name <none>
Object Specific Information
Mutex is Free
0:001> !handle xx f
Handle e0
Type Mutant
Attributes 0
GrantedAccess 0x1f0001:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState
HandleCount 2
PointerCount 3
Name <none>
Object Specific Information
Mutex is Owned再写个代码验证信号量:
0:001> !handle dc f
Handle dc
Type Semaphore
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 3
Name <none>
Object Specific Information
Semaphore Count 4
Semaphore Limit 5
可以看到,上面给出了这个句丙的类型,属性,访问权限以及句柄计数,我们甚至看到这个事件是Manual Reset(人工重置事件)如果是Event Type Auto Reset(自动重置事件),状态是Waiting(未触发),如果是Event is set表示已触发状态,如果Mutex is free 表示互斥量已有信号,如果Mutex is owned表示互斥量已被占用,对于信号量,Semaphore Count 表示可用的信号量,Limit表示总数
我们不知道!handle具体用法,可以使用-?来查询
0:001> !handle -?
!handle [<handle>] [<flags>] [<type>]
<handle> - Handle to get information about
0 or -1 means all handles
<flags> - Output control flags
1 - Get type information (default)
2 - Get basic information
4 - Get name information
8 - Get object specific info (where available)
<type> - Limit query to handles of the given type
Display information about open handles
当handle很多时,我们也许只想知道所有互斥量的信息:
0:001> !handle 0 1 Mutant
Handle 78
Type Mutant
Handle e0
Type Mutant
Handle ec
Type Mutant
3 handles of type Mutant
1对应flags,至于名字Mutant可以参看windbg帮助说明:
Specifies the type of handle that you want to examine. Only handles that match this type are displayed.TypeName is case sensitive. Valid types include Event, Section, File, Port, Directory, SymbolicLink, Mutant, WindowStation, Semaphore, Key, Token, Process, Thread, Desktop, IoCompletion, Timer, Job, and WaitablePort.
上面红色标明为区分大小写,怀疑:下面明显是成功的!
0:001> !handle 0 3 mutanT
Handle 78
Type Mutant
Attributes 0
GrantedAccess 0x1f0001:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState
HandleCount 2
PointerCount 3
Handle e0
Type Mutant
Attributes 0
GrantedAccess 0x1f0001:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState
HandleCount 2
PointerCount 3
Handle ec
Type Mutant
Attributes 0
GrantedAccess 0x100000:
Synch
None
HandleCount 13
PointerCount 15
3 handles of type Mutant
312
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
