|
30 | 30 | Returns handle information about user-mode handles and their respective
|
31 | 31 | address in the kernel.
|
32 | 32 |
|
| 33 | +.PARAMETER ObjectType |
| 34 | +
|
| 35 | + Specifies the object type to be returned when listing handles. The following |
| 36 | + types are permitted: |
| 37 | +
|
| 38 | + Adapter, ALPC Port, Callback, CompositionSurface, Controller, DebugObject, |
| 39 | + Desktop, Device, Directory, Driver, DxgkSharedResource, DxgkSharedSyncObject, |
| 40 | + EtwConsumer, EtwRegistration, Event, EventPair, File, FilterCommunicationPort, |
| 41 | + FilterConnectionPort, IoCompletion, IoCompletionReserve, IRTimer, Job, Key, |
| 42 | + KeyedEvent, Mutant, PcwObject, Port, PowerRequest, Process, Profile, Section, |
| 43 | + Semaphore, Session, SymbolicLink, Thread, Timer, TmEn, TmRm, TmTm, TmTx, Token, |
| 44 | + TpWorkerFactory, Type, UserApcReserve, WaitablePort, WaitCompletionPacket, |
| 45 | + WindowStation, WmiGuid |
| 46 | +
|
33 | 47 | .PARAMETER ObjectInformation
|
34 | 48 |
|
35 | 49 | Returns information about user-mode objects and their respective kernel pool
|
|
112 | 126 | [Switch]
|
113 | 127 | $HandleInformation,
|
114 | 128 |
|
| 129 | + [Parameter( ParameterSetName = 'HandleInformation' )] |
| 130 | + [ValidateSet('Adapter', 'ALPC Port', 'Callback', 'CompositionSurface', 'Controller', 'DebugObject', 'Desktop', 'Device', 'Directory', 'Driver', 'DxgkSharedResource', 'DxgkSharedSyncObject', 'EtwConsumer', 'EtwRegistration', 'Event', 'EventPair', 'File', 'FilterCommunicationPort', 'FilterConnectionPort', 'IoCompletion', 'IoCompletionReserve', 'IRTimer', 'Job', 'Key', 'KeyedEvent', 'Mutant', 'PcwObject', 'Port', 'PowerRequest', 'Process', 'Profile', 'Section', 'Semaphore', 'Session', 'SymbolicLink', 'Thread', 'Timer', 'TmEn', 'TmRm', 'TmTm', 'TmTx', 'Token', 'TpWorkerFactory', 'Type', 'UserApcReserve', 'WaitablePort', 'WaitCompletionPacket', 'WindowStation', 'WmiGuid')] |
| 131 | + [String] |
| 132 | + $ObjectType, |
| 133 | + |
115 | 134 | [Parameter( ParameterSetName = 'ObjectInformation' )]
|
116 | 135 | [Switch]
|
117 | 136 | $ObjectInformation,
|
|
648 | 667 | }
|
649 | 668 |
|
650 | 669 | 'HandleInformation' {
|
| 670 | + # Get OS version info. This will be used to resolve object type index values |
| 671 | + $OSVersion = [Version](Get-WmiObject Win32_OperatingSystem).Version |
| 672 | + $OSMajorMinor = "$($OSVersion.Major).$($OSVersion.Minor)" |
| 673 | + |
| 674 | + # Type indexes differ according to OS. These values were obtained via some KD-fu |
| 675 | + switch ($OSMajorMinor) |
| 676 | + { |
| 677 | + '6.2' # Windows 8 and Windows Server 2012 |
| 678 | + { |
| 679 | + $IndexTable = @{ |
| 680 | + 0x02 = 'Type' |
| 681 | + 0x03 = 'Directory' |
| 682 | + 0x04 = 'SymbolicLink' |
| 683 | + 0x05 = 'Token' |
| 684 | + 0x06 = 'Job' |
| 685 | + 0x07 = 'Process' |
| 686 | + 0x08 = 'Thread' |
| 687 | + 0x09 = 'UserApcReserve' |
| 688 | + 0x0A = 'IoCompletionReserve' |
| 689 | + 0x0B = 'DebugObject' |
| 690 | + 0x0C = 'Event' |
| 691 | + 0x0D = 'EventPair' |
| 692 | + 0x0E = 'Mutant' |
| 693 | + 0x0F = 'Callback' |
| 694 | + 0x10 = 'Semaphore' |
| 695 | + 0x11 = 'Timer' |
| 696 | + 0x12 = 'IRTimer' |
| 697 | + 0x13 = 'Profile' |
| 698 | + 0x14 = 'KeyedEvent' |
| 699 | + 0x15 = 'WindowStation' |
| 700 | + 0x16 = 'Desktop' |
| 701 | + 0x17 = 'CompositionSurface' |
| 702 | + 0x18 = 'TpWorkerFactory' |
| 703 | + 0x19 = 'Adapter' |
| 704 | + 0x1A = 'Controller' |
| 705 | + 0x1B = 'Device' |
| 706 | + 0x1C = 'Driver' |
| 707 | + 0x1D = 'IoCompletion' |
| 708 | + 0x1E = 'WaitCompletionPacket' |
| 709 | + 0x1F = 'File' |
| 710 | + 0x20 = 'TmTm' |
| 711 | + 0x21 = 'TmTx' |
| 712 | + 0x22 = 'TmRm' |
| 713 | + 0x23 = 'TmEn' |
| 714 | + 0x24 = 'Section' |
| 715 | + 0x25 = 'Session' |
| 716 | + 0x26 = 'Key' |
| 717 | + 0x27 = 'ALPC Port' |
| 718 | + 0x28 = 'PowerRequest' |
| 719 | + 0x29 = 'WmiGuid' |
| 720 | + 0x2A = 'EtwRegistration' |
| 721 | + 0x2B = 'EtwConsumer' |
| 722 | + 0x2C = 'FilterConnectionPort' |
| 723 | + 0x2D = 'FilterCommunicationPort' |
| 724 | + 0x2E = 'PcwObject' |
| 725 | + 0x2F = 'DxgkSharedResource' |
| 726 | + 0x30 = 'DxgkSharedSyncObject' |
| 727 | + } |
| 728 | + } |
| 729 | + |
| 730 | + '6.1' # Windows 7 and Window Server 2008 R2 |
| 731 | + { |
| 732 | + $IndexTable = @{ |
| 733 | + 0x02 = 'Type' |
| 734 | + 0x03 = 'Directory' |
| 735 | + 0x04 = 'SymbolicLink' |
| 736 | + 0x05 = 'Token' |
| 737 | + 0x06 = 'Job' |
| 738 | + 0x07 = 'Process' |
| 739 | + 0x08 = 'Thread' |
| 740 | + 0x09 = 'UserApcReserve' |
| 741 | + 0x0a = 'IoCompletionReserve' |
| 742 | + 0x0b = 'DebugObject' |
| 743 | + 0x0c = 'Event' |
| 744 | + 0x0d = 'EventPair' |
| 745 | + 0x0e = 'Mutant' |
| 746 | + 0x0f = 'Callback' |
| 747 | + 0x10 = 'Semaphore' |
| 748 | + 0x11 = 'Timer' |
| 749 | + 0x12 = 'Profile' |
| 750 | + 0x13 = 'KeyedEvent' |
| 751 | + 0x14 = 'WindowStation' |
| 752 | + 0x15 = 'Desktop' |
| 753 | + 0x16 = 'TpWorkerFactory' |
| 754 | + 0x17 = 'Adapter' |
| 755 | + 0x18 = 'Controller' |
| 756 | + 0x19 = 'Device' |
| 757 | + 0x1a = 'Driver' |
| 758 | + 0x1b = 'IoCompletion' |
| 759 | + 0x1c = 'File' |
| 760 | + 0x1d = 'TmTm' |
| 761 | + 0x1e = 'TmTx' |
| 762 | + 0x1f = 'TmRm' |
| 763 | + 0x20 = 'TmEn' |
| 764 | + 0x21 = 'Section' |
| 765 | + 0x22 = 'Session' |
| 766 | + 0x23 = 'Key' |
| 767 | + 0x24 = 'ALPC Port' |
| 768 | + 0x25 = 'PowerRequest' |
| 769 | + 0x26 = 'WmiGuid' |
| 770 | + 0x27 = 'EtwRegistration' |
| 771 | + 0x28 = 'EtwConsumer' |
| 772 | + 0x29 = 'FilterConnectionPort' |
| 773 | + 0x2a = 'FilterCommunicationPort' |
| 774 | + 0x2b = 'PcwObject' |
| 775 | + } |
| 776 | + } |
| 777 | + |
| 778 | + '6.0' # Windows Vista and Windows Server 2008 |
| 779 | + { |
| 780 | + $IndexTable = @{ |
| 781 | + 0x01 = 'Type' |
| 782 | + 0x02 = 'Directory' |
| 783 | + 0x03 = 'SymbolicLink' |
| 784 | + 0x04 = 'Token' |
| 785 | + 0x05 = 'Job' |
| 786 | + 0x06 = 'Process' |
| 787 | + 0x07 = 'Thread' |
| 788 | + 0x08 = 'DebugObject' |
| 789 | + 0x09 = 'Event' |
| 790 | + 0x0a = 'EventPair' |
| 791 | + 0x0b = 'Mutant' |
| 792 | + 0x0c = 'Callback' |
| 793 | + 0x0d = 'Semaphore' |
| 794 | + 0x0e = 'Timer' |
| 795 | + 0x0f = 'Profile' |
| 796 | + 0x10 = 'KeyedEvent' |
| 797 | + 0x11 = 'WindowStation' |
| 798 | + 0x12 = 'Desktop' |
| 799 | + 0x13 = 'TpWorkerFactory' |
| 800 | + 0x14 = 'Adapter' |
| 801 | + 0x15 = 'Controller' |
| 802 | + 0x16 = 'Device' |
| 803 | + 0x17 = 'Driver' |
| 804 | + 0x18 = 'IoCompletion' |
| 805 | + 0x19 = 'File' |
| 806 | + 0x1a = 'TmTm' |
| 807 | + 0x1b = 'TmTx' |
| 808 | + 0x1c = 'TmRm' |
| 809 | + 0x1d = 'TmEn' |
| 810 | + 0x1e = 'Section' |
| 811 | + 0x1f = 'Session' |
| 812 | + 0x20 = 'Key' |
| 813 | + 0x21 = 'ALPC Port' |
| 814 | + 0x22 = 'WmiGuid' |
| 815 | + 0x23 = 'EtwRegistration' |
| 816 | + 0x24 = 'FilterConnectionPort' |
| 817 | + 0x25 = 'FilterCommunicationPort' |
| 818 | + } |
| 819 | + } |
| 820 | + |
| 821 | + '5.1' # Windows XP |
| 822 | + { |
| 823 | + $IndexTable = @{ |
| 824 | + 0x01 = 'Type' |
| 825 | + 0x02 = 'Directory' |
| 826 | + 0x03 = 'SymbolicLink' |
| 827 | + 0x04 = 'Token' |
| 828 | + 0x05 = 'Process' |
| 829 | + 0x06 = 'Thread' |
| 830 | + 0x07 = 'Job' |
| 831 | + 0x08 = 'DebugObject' |
| 832 | + 0x09 = 'Event' |
| 833 | + 0x0a = 'EventPair' |
| 834 | + 0x0b = 'Mutant' |
| 835 | + 0x0c = 'Callback' |
| 836 | + 0x0d = 'Semaphore' |
| 837 | + 0x0e = 'Timer' |
| 838 | + 0x0f = 'Profile' |
| 839 | + 0x10 = 'KeyedEvent' |
| 840 | + 0x11 = 'WindowStation' |
| 841 | + 0x12 = 'Desktop' |
| 842 | + 0x13 = 'Section' |
| 843 | + 0x14 = 'Key' |
| 844 | + 0x15 = 'Port' |
| 845 | + 0x16 = 'WaitablePort' |
| 846 | + 0x17 = 'Adapter' |
| 847 | + 0x18 = 'Controller' |
| 848 | + 0x19 = 'Device' |
| 849 | + 0x1a = 'Driver' |
| 850 | + 0x1b = 'IoCompletion' |
| 851 | + 0x1c = 'File' |
| 852 | + 0x1d = 'WmiGuid' |
| 853 | + 0x1e = 'FilterConnectionPort' |
| 854 | + 0x1f = 'FilterCommunicationPort' |
| 855 | + } |
| 856 | + } |
| 857 | + |
| 858 | + default # I didn't feel like resolving the values for Server 2003 |
| 859 | + { |
| 860 | + $IndexTable = @{} |
| 861 | + } |
| 862 | + } |
| 863 | + |
651 | 864 | $Arguments = @{
|
652 | 865 | InformationClass = $SystemInformationClass::SystemHandleInformation
|
653 | 866 | StructType = $HandleInfoClass
|
|
668 | 881 | UniqueProcessId = $_.UniqueProcessId
|
669 | 882 | CreatorBackTraceIndex = $_.CreatorBackTraceIndex
|
670 | 883 | ObjectTypeIndex = $_.ObjectTypeIndex
|
| 884 | + ObjectType = $IndexTable[([Int32]$_.ObjectTypeIndex)] |
671 | 885 | HandleAttribute = $HandleValue
|
672 | 886 | HandleValue = $_.HandleValue
|
673 | 887 | Object = $_.Object
|
|
677 | 891 | $Handle = New-Object PSObject -Property $Result
|
678 | 892 | $Handle.PSObject.TypeNames.Insert(0, '_SYSTEM_HANDLE_INFORMATION')
|
679 | 893 |
|
680 |
| - Write-Output $Handle |
| 894 | + if ($PSBoundParameters['ObjectType']) |
| 895 | + { |
| 896 | + if ($Result['ObjectType'] -eq $ObjectType) |
| 897 | + { |
| 898 | + Write-Output $Handle |
| 899 | + } |
| 900 | + } |
| 901 | + else |
| 902 | + { |
| 903 | + Write-Output $Handle |
| 904 | + } |
681 | 905 | }
|
682 | 906 | }
|
683 | 907 |
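Review bot: The `default` branch of the OS-version switch in the 'HandleInformation' hunk assigns an empty `$IndexTable`, so on any version not listed (the comment names Server 2003) every handle gets `ObjectType = $null`, and when `-ObjectType` is bound the new filter at the end of the section drops every handle, making "unsupported OS" indistinguishable from "no handles of that type". I would surface this in the default branch, `Write-Warning "No object type index table for OS version $OSMajorMinor; ObjectType will be null and -ObjectType filtering will return nothing."`, and consider throwing instead when `$PSBoundParameters['ObjectType']` is set, since the caller asked for a filter that cannot be applied. The `.PARAMETER ObjectType` help added in the first hunk should state this limitation in one sentence, because the ValidateSet alone implies the filter works on every OS. The enclosing switch statement and the pipeline block that `$_` belongs to start outside the hunks.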
|
|