DuplicateHandle on a remote thread fails with ERROR_INVALID_HANDLE

Hello, I am trying to suspend a remote thread, but along the way I stumbled upon DuplicateHandle failing with error 6, ERROR_INVALID_HANDLE.

The method below works for the current process, but if it is given a remote process, "calc" (on the same host), DuplicateHandle fails.

The process runs with admin privileges, and SeDebugPrivilege and SeSecurityPrivilege are granted (Process Explorer confirms it), but to no avail. Any ideas?

```cpp
// C++/CLI. tNtQueryInformationThread, NTSTATUS and ThreadQuerySetWin32StartAddress
// are declared in the class header (not shown).
bool DbgHelpWrapper::GetThreadStartAddress( IntPtr processHandle, DWORD processId, DWORD threadID, DWORD *dwStartAddress )
{
    // Get ntdll entry points.
    HMODULE ntDLLHandle = LoadLibrary(L"ntdll.dll");
    tNtQueryInformationThread NtQueryInformationThread =
        (tNtQueryInformationThread)GetProcAddress(ntDLLHandle, "NtQueryInformationThread");

    // Open thread with wrong access rights.
    HANDLE hRemoteProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, processId );
    HANDLE hRemoteThread  = OpenThread( THREAD_SUSPEND_RESUME, FALSE, threadID );

    if (hRemoteThread != 0 && hRemoteProcess != 0 )
    {
        try
        {
            // Duplicate handle to get correct access rights.
            HANDLE temporaryHandle = 0;
            DWORD duplicateHandleResult = DuplicateHandle( hRemoteProcess, hRemoteThread,
                                                           GetCurrentProcess(), &temporaryHandle,
                                                           THREAD_QUERY_INFORMATION, FALSE, 0 );
            // Capture the error before any managed call can overwrite it.
            DWORD duplicateHandleError = GetLastError();
            System::Console::WriteLine( String::Format("DuplicateHandle returned {0}", duplicateHandleResult ));
            System::Console::WriteLine( String::Format("DuplicateHandle error {0}", duplicateHandleError ));

            if (duplicateHandleResult != 0 )
            {
                try
                {
                    // Note: sizeof(DWORD) only matches on 32-bit; the start address is pointer-sized.
                    NTSTATUS ntStatus = NtQueryInformationThread( temporaryHandle, ThreadQuerySetWin32StartAddress,
                                                                  dwStartAddress, sizeof(DWORD), NULL );
                    System::Console::WriteLine( String::Format("NtQueryInformationThread returned {0:X8}", ntStatus ));
                    if (ntStatus == 0)
                    {
                        System::Console::WriteLine( String::Format("StartAddress: {0:X16}", *dwStartAddress ));
                        return true;
                    }
                    else
                    {
                        // NTSTATUS is the error itself; GetLastWin32Error is not meaningful here.
                        System::Console::WriteLine( String::Format("NtQueryInformationThread error {0:X8}", ntStatus ));
                        return false;
                    }
                }
                finally
                {
                    CloseHandle(temporaryHandle);
                }
            }
            else
            {
                System::Console::WriteLine( "Cannot duplicate the thread handle to THREAD_QUERY_INFORMATION rights" );
                return false;
            }
        }
        finally
        {
            // Cleanup
            CloseHandle(hRemoteThread);
            CloseHandle(hRemoteProcess);
        }
    }
    else
    {
        System::Console::WriteLine( "Cannot open the thread with THREAD_SUSPEND_RESUME rights" );
        if (hRemoteProcess != 0) CloseHandle(hRemoteProcess);
        if (hRemoteThread  != 0) CloseHandle(hRemoteThread);
        return false;
    }
}
```

You are telling DuplicateHandle that hRemoteThread is a handle in hRemoteProcess, but it isn't. It is a handle in your current process; you opened it a few lines earlier. (The thread is part of the remote process, but its handle is not.)