查看完整版本 : 【求助】現(xiàn)在知道某個文件被system(xp上pid=4)進(jìn)程所占用,,請問如何去除這個占用呢,?謝謝
yiruirui 2011-06-08, 00:57:35
其實之所以知道是我自己寫代碼把文件內(nèi)核句柄拷貝到system進(jìn)程中的,,用的是復(fù)制句柄的函數(shù)DuplicateHandle函數(shù),勿見笑,。 貼下代碼吧:

/*
 * OccupyFile: creates lpFileName with no sharing and moves the resulting
 * handle into the process opened by PID (4, falling back to 8).
 * Returns the result of DuplicateHandle, or FALSE if the target process or
 * the file could not be opened.
 *
 * Review notes:
 *  - Handle values are indices into a per-process handle table. The value
 *    written to hTargetHandle is only meaningful inside the target process,
 *    and it is discarded when this function returns, so nothing records
 *    which handle has to be closed later.
 *  - Because the file is opened with share mode 0, opening the same path
 *    again from another process fails with a sharing violation rather than
 *    yielding "the" handle; the existing handle has to be found in the
 *    owning process's table and closed there. The thread's replies point at
 *    DuplicateHandle and at NtQuerySystemInformation class 16
 *    (SystemHandleInformation) for that.
 *  - For detection: a user-mode process opening the System process with
 *    PROCESS_DUP_HANDLE, and file handles in the System process's table that
 *    refer to ordinary user paths, are both unusual and worth alerting on.
 */
BOOL OccupyFile( LPCTSTR lpFileName )
{
    BOOL bRet;
    // RaiseToDebugP is not shown on this page; presumably it enables
    // SeDebugPrivilege so that OpenProcess on the System process succeeds
    // (requires an administrator token) -- TODO confirm.
    RaiseToDebugP();
    HANDLE hProcess = OpenProcess( PROCESS_DUP_HANDLE, FALSE, 4); // 4 is the System process ID (XP, per the thread title)
    if ( hProcess == NULL )
    {
        hProcess = OpenProcess( PROCESS_DUP_HANDLE, FALSE, 8); // on Windows 2000 it is 8?? (author's own uncertainty)
        if ( hProcess == NULL )
            return FALSE;
    }
    HANDLE hFile;
    HANDLE hTargetHandle;
    // Share mode 0 denies every other open of the file while a handle exists.
    // CREATE_ALWAYS truncates a file that already exists at this path.
    hFile = CreateFile( lpFileName, GENERIC_READ, 0, NULL, CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL, NULL);
    if ( hFile == INVALID_HANDLE_VALUE )
    {
        CloseHandle( hProcess );
        return FALSE;
    }
    // DUPLICATE_CLOSE_SOURCE closes hFile in this process (documented to
    // happen even when the call fails), so after a successful call the only
    // remaining handle to the file lives in the target process.
    bRet = DuplicateHandle( GetCurrentProcess(), hFile, hProcess, &hTargetHandle, 0, FALSE, DUPLICATE_SAME_ACCESS|DUPLICATE_CLOSE_SOURCE);
    CloseHandle( hProcess );
    return bRet;
}

把比如說c:\123.txt為文件名創(chuàng)建,,然后把句柄復(fù)制到了system進(jìn)程中了,,現(xiàn)在這個文件無法訪問,被system進(jìn)程占用(可以用unlock測試),。
現(xiàn)在我想單獨寫另外一個工程來實現(xiàn)解除文件占用,,該怎么實現(xiàn)呢?謝謝大家指點,。
說一下我的思路:
我的:既然文件名知道,,那用OpenFile打開這個文件就可以得到文件句柄,然后再調(diào)用DuplicateHandle從system進(jìn)程中把句柄拷貝出來不就行了嗎》
然后我就去實現(xiàn),,結(jié)果發(fā)現(xiàn)沒任何效果,。。,。,。。,。,。
再此翻開了核心編程第三章內(nèi)核對象看了看,好像理由是這樣的:
內(nèi)核對象的句柄跟進(jìn)程密切相關(guān),,不同進(jìn)程可呢句柄值不一樣,,因此我想,即使是復(fù)制的句柄到system進(jìn)程,,也可能句柄已經(jīng)變化了吧,,所以失敗,不知道這里分析的是否正確,,如果不對,,歡迎大家仍磚頭指點小弟。先說謝謝,。
最后查了一下baidu,,看到有人說用NtQuerySystemInformation函數(shù)可以解決,這個函數(shù)對我來說有點恐怖,。,。。,??戳税胩鞗]看懂,別說用了,。,。。,。
以上是我的想法跟過程,,結(jié)果是失敗,。
希望大家?guī)兔鉀Q一下,三可有,,三可有?。?Q!!!
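xIkUg 2011-06-08, 09:37:31
duplicate handle
yiruirui 2011-06-08, 09:56:42
duplicate handle 請問handle何來,?求具體點可以嗎
yiruirui 2011-06-08, 14:33:15
自己頂一下,,不然沉了,找到了一點點內(nèi)容:

/*
 * Lists running processes through the undocumented ntdll export
 * ZwQuerySystemInformation (classes 0 and 5).
 *
 * NOTE(review): the structure layouts below are hand-written and use ULONG
 * for sizes and process IDs, which matches 32-bit NT 5.x. On 64-bit Windows
 * those fields are pointer-sized, so these definitions would misread the
 * returned buffer there.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

typedef LONG NTSTATUS;

#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
#define STATUS_INVALID_INFO_CLASS ((NTSTATUS)0xC0000003L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

/* Information classes. The trailing comment is: class number, then two
   letters that appear to mean "can be queried" / "can be set" -- TODO confirm
   against the table this list was copied from. */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation, // 0 Y N
    SystemProcessorInformation, // 1 Y N
    SystemPerformanceInformation, // 2 Y N
    SystemTimeOfDayInformation, // 3 Y N
    SystemNotImplemented1, // 4 Y N
    SystemProcessesAndThreadsInformation, // 5 Y N
    SystemCallCounts, // 6 Y N
    SystemConfigurationInformation, // 7 Y N
    SystemProcessorTimes, // 8 Y N
    SystemGlobalFlag, // 9 Y Y
    SystemNotImplemented2, // 10 Y N
    SystemModuleInformation, // 11 Y N
    SystemLockInformation, // 12 Y N
    SystemNotImplemented3, // 13 Y N
    SystemNotImplemented4, // 14 Y N
    SystemNotImplemented5, // 15 Y N
    SystemHandleInformation, // 16 Y N
    SystemObjectInformation, // 17 Y N
    SystemPagefileInformation, // 18 Y N
    // Name kept as posted; it looks like two identifiers fused together.
    // Only its position (19) matters for the numbering of later classes.
    SystemInstructionEmulationCountSystemHandleInformations, // 19 Y N
    SystemInvalidInfoClass1, // 20
    SystemCacheInformation, // 21 Y Y
    SystemPoolTagInformation, // 22 Y N
    SystemProcessorStatistics, // 23 Y N
    SystemDpcInformation, // 24 Y Y
    SystemNotImplemented6, // 25 Y N
    SystemLoadImage, // 26 N Y
    SystemUnloadImage, // 27 N Y
    SystemTimeAdjustment, // 28 Y Y
    SystemNotImplemented7, // 29 Y N
    SystemNotImplemented8, // 30 Y N
    SystemNotImplemented9, // 31 Y N
    SystemCrashDumpInformation, // 32 Y N
    SystemExceptionInformation, // 33 Y N
    SystemCrashDumpStateInformation, // 34 Y Y/N
    SystemKernelDebuggerInformation, // 35 Y N
    SystemContextSwitchInformation, // 36 Y N
    SystemRegistryQuotaInformation, // 37 Y Y
    SystemLoadAndCallImage, // 38 N Y
    SystemPrioritySeparation, // 39 N Y
    SystemNotImplemented10, // 40 Y N
    SystemNotImplemented11, // 41 Y N
    SystemInvalidInfoClass2, // 42
    SystemInvalidInfoClass3, // 43
    SystemTimeZoneInformation, // 44 Y N
    SystemLookasideInformation, // 45 Y N
    SystemSetTimeSlipEvent, // 46 N Y
    SystemCreateSession, // 47 N Y
    SystemDeleteSession, // 48 N Y
    SystemInvalidInfoClass4, // 49
    SystemRangeStartInformation, // 50 Y N
    SystemVerifierInformation, // 51 Y Y
    SystemAddVerifier, // 52 N Y
    SystemSessionProcessesInformation // 53 Y N
} SYSTEM_INFORMATION_CLASS;

/* Counted UTF-16 string: Length and MaximumLength are byte counts, and the
   buffer is not guaranteed to be NUL-terminated. */
typedef struct _LSA_UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;

typedef struct _CLIENT_ID {
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID;

typedef enum _THREAD_STATE {
    StateInitialized,
    StateReady,
    StateRunning,
    StateStandby,
    StateTerminated,
    StateWait,
    StateTransition,
    StateUnknown
} THREAD_STATE;

typedef enum _KWAIT_REASON {
    Executive,
    FreePage,
    PageIn,
    PoolAllocation,
    DelayExecution,
    Suspended,
    UserRequest,
    WrExecutive,
    WrFreePage,
    WrPageIn,
    WrPoolAllocation,
    WrDelayExecution,
    WrSuspended,
    WrUserRequest,
    WrEventPair,
    WrQueue,
    WrLpcReceive,
    WrLpcReply,
    WrVirtualMemory,
    WrPageOut,
    WrRendezvous,
    Spare2,
    Spare3,
    Spare4,
    Spare5,
    Spare6,
    WrKernel
} KWAIT_REASON;

/* Left commented out by the author; SYSTEM_PROCESSES below therefore uses the
   IO_COUNTERS that <windows.h> provides.
typedef struct _IO_COUNTERS {
    LARGE_INTEGER ReadOperationCount;  // number of I/O read operations
    LARGE_INTEGER WriteOperationCount; // number of I/O write operations
    LARGE_INTEGER OtherOperationCount; // number of other I/O operations
    LARGE_INTEGER ReadTransferCount;   // amount of data read
    LARGE_INTEGER WriteTransferCount;  // amount of data written
    LARGE_INTEGER OtherTransferCount;  // amount of data moved by other operations
} IO_COUNTERS, *PIO_COUNTERS;
*/

typedef struct _VM_COUNTERS {
    ULONG PeakVirtualSize;            // peak virtual size
    ULONG VirtualSize;                // virtual size
    ULONG PageFaultCount;             // page fault count
    ULONG PeakWorkingSetSize;         // peak working set size
    ULONG WorkingSetSize;             // working set size
    ULONG QuotaPeakPagedPoolUsage;    // peak paged pool quota usage
    ULONG QuotaPagedPoolUsage;        // paged pool quota usage
    ULONG QuotaPeakNonPagedPoolUsage; // peak non-paged pool quota usage
    ULONG QuotaNonPagedPoolUsage;     // non-paged pool quota usage
    ULONG PagefileUsage;              // pagefile usage
    ULONG PeakPagefileUsage;          // peak pagefile usage
} VM_COUNTERS, *PVM_COUNTERS;

typedef LONG KPRIORITY;

typedef struct _SYSTEM_THREADS {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    THREAD_STATE State;
    KWAIT_REASON WaitReason;
} SYSTEM_THREADS, *PSYSTEM_THREADS;

/* One variable-length record per process. NextEntryDelta is the byte offset
   from this record to the next one; main() treats 0 as the last record. */
typedef struct _SYSTEM_PROCESSES {
    ULONG NextEntryDelta;
    ULONG ThreadCount;
    ULONG Reserved1[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters;
    SYSTEM_THREADS Threads[1];
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;

typedef struct _SYSTEM_BASIC_INFORMATION {
    BYTE Reserved1[24];
    PVOID Reserved2[4];
    CCHAR NumberOfProcessors;
} SYSTEM_BASIC_INFORMATION;

typedef NTSTATUS (WINAPI *NTQUERYSYSTEMINFORMATION)(IN SYSTEM_INFORMATION_CLASS, IN OUT PVOID, IN ULONG, OUT PULONG OPTIONAL);

/* Left commented out by the author: the per-handle record behind class 16.
typedef struct _SYSTEM_HANDLE {
    ULONG uIdProcess;
    UCHAR ObjectType; // OB_TYPE_* (OB_TYPE_TYPE, etc.)
    UCHAR Flags;      // HANDLE_FLAG_* (HANDLE_FLAG_INHERIT, etc.)
    USHORT Handle;
    POBJECT pObject;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;

typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG NumberOfHandles;
    SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
*/
// Author's note: the handle problem in this thread needs class 16
// (SystemHandleInformation); the program below only exercises classes 0 and 5.

enum {
    QUERY_MAX_ATTEMPTS = 8,   /* upper bound on grow-and-retry rounds */
    QUERY_SLACK_BYTES = 4096  /* headroom for processes started between calls */
};

/*
 * Prints the processor count, then one record per running process
 * (PID, image name, thread count, working set in KB).
 * Always returns 0; failures are reported on stdout.
 */
int main(void)
{
    /* The literal is a narrow string, so call the ANSI entry point explicitly;
       the generic GetModuleHandle would not compile in a UNICODE build. */
    HMODULE ntdll_dll = GetModuleHandleA("ntdll.dll");
    if (ntdll_dll != NULL) {
        NTQUERYSYSTEMINFORMATION query =
            (NTQUERYSYSTEMINFORMATION)GetProcAddress(ntdll_dll, "ZwQuerySystemInformation");
        if (query != NULL) {
            /* Query SystemBasicInformation. */
            SYSTEM_BASIC_INFORMATION sbi = {0};
            NTSTATUS status = query(SystemBasicInformation, (PVOID)&sbi, sizeof(sbi), NULL);
            if (status == STATUS_SUCCESS) {
                printf("處理器個數(shù):%d\r\n", sbi.NumberOfProcessors);
                printf("\r\n");
            } else {
                printf("\r\n SystemBasicInformation error");
            }

            /* Query SystemProcessesAndThreadsInformation. The first call only
               asks for the required size. The process list can grow before the
               next call, so the buffer gets some slack and the query is
               repeated while the kernel still reports it as too small. */
            unsigned char *buf = NULL;
            ULONG bufSize = 0;
            ULONG needed = 0;
            int attempt = 0;
            status = query(SystemProcessesAndThreadsInformation, NULL, 0, &needed);
            while (status == STATUS_INFO_LENGTH_MISMATCH && attempt < QUERY_MAX_ATTEMPTS) {
                attempt++;
                free(buf);
                /* Take the size the kernel asked for; double instead if it did
                   not report a larger one. */
                bufSize = (needed > bufSize) ? needed : bufSize * 2;
                bufSize += QUERY_SLACK_BYTES;
                buf = (unsigned char *)malloc(bufSize);
                if (buf == NULL) {
                    printf("\r\n new operation error!");
                    break;
                }
                status = query(SystemProcessesAndThreadsInformation, (PVOID)buf, bufSize, &needed);
            }

            if (buf != NULL) {
                if (status == STATUS_SUCCESS) {
                    /* Fixed part of a record; Threads[] follows it. */
                    const size_t headerSize = offsetof(SYSTEM_PROCESSES, Threads);
                    size_t offset = 0;

                    printf("===============所有進(jìn)程信息=============\r\n");
                    /* Walk by byte offset: no pointer-to-integer cast (which
                       truncates on 64-bit), and a record whose header would run
                       past the buffer ends the walk instead of being read. */
                    while (offset + headerSize <= bufSize) {
                        PSYSTEM_PROCESSES pSp = (PSYSTEM_PROCESSES)(buf + offset);

                        printf("進(jìn)程ID:%lu\r\n", pSp->ProcessId);
                        printf("進(jìn)程名:");
                        /* The name is a counted string and is NULL for the idle
                           process, so print by length and skip a NULL buffer. */
                        if (pSp->ProcessName.Buffer != NULL) {
                            wprintf(L"%.*ls\r\n",
                                    (int)(pSp->ProcessName.Length / sizeof(WCHAR)),
                                    pSp->ProcessName.Buffer);
                        } else {
                            wprintf(L"\r\n");
                        }
                        printf("線程數(shù):%lu\r\n", pSp->ThreadCount);
                        printf("工作集大小:%luKB\r\n", pSp->VmCounters.WorkingSetSize / 1024);
                        printf("\r\n\r\n");

                        /* Test the delta of the record just printed, so the
                           last record is printed too. */
                        if (pSp->NextEntryDelta == 0) {
                            break;
                        }
                        offset += pSp->NextEntryDelta;
                    }
                    printf("========================================\r\n");
                } else if (status == STATUS_UNSUCCESSFUL) {
                    printf("\r\n STATUS_UNSUCCESSFUL");
                } else if (status == STATUS_NOT_IMPLEMENTED) {
                    printf("\r\n STATUS_NOT_IMPLEMENTED");
                } else if (status == STATUS_INVALID_INFO_CLASS) {
                    printf("\r\n STATUS_INVALID_INFO_CLASS");
                } else if (status == STATUS_INFO_LENGTH_MISMATCH) {
                    printf("\r\n STATUS_INFO_LENGTH_MISMATCH");
                }
                /* Released on every path, not only after a successful query. */
                free(buf);
                buf = NULL;
            }
        } else {
            printf("\r\n get ZwQuerySystemInformation address error!");
        }
        /* No FreeLibrary here: GetModuleHandle does not take a reference on
           the module, so releasing one would unbalance ntdll's load count. */
    }
    system("pause > nul");
    return 0;
}

自己還是沒實現(xiàn),。。,。,。
yiruirui 2011-06-10, 18:23:33
問題已經(jīng)解決了,,方法也是在看雪上找到的,。 感謝這篇帖子作者: http://bbs./showthread.php?t=67996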