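// Native entry points used to snapshot the system handle table and to close
// handles that belong to another process.
prototype long ntdll.NtQuerySystemInformation(long,pointer,long,pointer);
prototype BOOL Kernel32.DuplicateHandle(HWND,HWND,HWND,pointer,long,BOOL,long);
prototype HWND Kernel32.OpenProcess(long,BOOL,long);
//prototype void kernel32.RtlMoveMemory(pointer,pointer,long);
prototype NUMBER KERNEL.LocalAlloc ( NUMBER, NUMBER );
//prototype NUMBER KERNEL.LocalReAlloc(NUMBER,NUMBER,NUMBER);
prototype NUMBER KERNEL.LocalFree(NUMBER);
prototype CloseDriverHandles(number);

#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
#define DUPLICATE_CLOSE_SOURCE      0x00000001
#define PROCESS_DUP_HANDLE          0x0040
#define LPTR                        0x0040   // LMEM_FIXED | LMEM_ZEROINIT

// Header of the buffer returned for information class 16: the entry count,
// immediately followed by that many SYSTEM_HANDLE_INFORMATION records.
typedef SYSTEM_HANDLE_COUNT
begin
    long HandleCount;
end;

// One record of the class-16 handle snapshot.
// NOTE(review): this layout carries the handle value in a 16-bit field, so
// handle values above 0xFFFF cannot be represented by this information class.
typedef SYSTEM_HANDLE_INFORMATION
begin
    long    ProcessId;
    char    ObjectTypeNumber;
    char    Flags;
    short   Handle;
    pointer Object;
    long    GrantedAccess;
end;

// CloseDriverHandles
//
// Closes the handles owned by process nProcID by duplicating each one with
// DUPLICATE_CLOSE_SOURCE, which closes the handle in the owning process.
//
// Parameters:
//   nProcID - id of the process whose handles are closed.
//
// Returns:
//   0 when the handle snapshot was taken and walked, -1 when the process
//   could not be opened, memory could not be allocated, or the query failed.
//   (The original returned no value; callers that ignore it are unaffected.)
//
// Caveats a caller must account for:
//   * Despite the name, no filter on ObjectTypeNumber is applied: EVERY handle
//     recorded for nProcID is closed (files, events, sections, ...). The target
//     process is not told, so it can fail or lose data afterwards. Only call
//     this for a process the installer owns and is about to terminate.
//   * The snapshot is stale as soon as it is returned. If the target closes a
//     handle and the value is reused before DuplicateHandle runs, a different
//     object than the one enumerated is closed.
//   * Opening another process with PROCESS_DUP_HANDLE needs sufficient rights;
//     when OpenProcess fails nothing is closed.
function CloseDriverHandles(nProcID)
    long n, cb, i, size_pshi, nStatus, nHandle, nResult;
    pointer pAlloc, pEntries;
    HWND hProcess;
    SYSTEM_HANDLE_INFORMATION obj_pshi;   // only used to obtain the record size
    SYSTEM_HANDLE_INFORMATION pointer pobj_pshi;
    SYSTEM_HANDLE_COUNT pointer phCnt;
begin
    nResult   = -1;
    size_pshi = SizeOf(obj_pshi);

    // Open the target once instead of once per handle; if it cannot be opened
    // there is no point in taking the (large) system-wide snapshot.
    hProcess = Kernel32.OpenProcess(PROCESS_DUP_HANDLE, 0, nProcID);
    if (hProcess = NULL) then
        return nResult;
    endif;

    // Query into a heap buffer and double it until the snapshot fits. pAlloc
    // always holds the exact pointer returned by LocalAlloc, so it is the only
    // value ever handed to LocalFree. (The original passed the address of a
    // local struct, and later an offset pointer, to LocalFree.)
    cb      = 0x10000;
    pAlloc  = LocalAlloc(LPTR, cb);
    nStatus = STATUS_INFO_LENGTH_MISMATCH;
    while ((pAlloc != NULL) && (nStatus = STATUS_INFO_LENGTH_MISMATCH))
        // 16 = system handle information class.
        nStatus = ntdll.NtQuerySystemInformation(16, pAlloc, cb, NULL);
        if (nStatus = STATUS_INFO_LENGTH_MISMATCH) then
            LocalFree(pAlloc);
            cb *= 2;
            // A failed allocation leaves pAlloc NULL and ends the loop.
            pAlloc = LocalAlloc(LPTR, cb);
        endif;
    endwhile;

    if (pAlloc != NULL) then
        // Parse the buffer only when the query reported success (status 0);
        // on any other status its contents are not a valid snapshot.
        if (nStatus = 0) then
            //RtlMoveMemory(&n,buf,4);
            phCnt    = pAlloc;
            n        = phCnt->HandleCount;
            pEntries = pAlloc + SizeOf(n);   // records start after the count
            //SprintfBox(INFORMATION,"","n=%d, size_pshi=%d",n,size_pshi);

            for i = 0 to n - 1
                pobj_pshi = pEntries + i * size_pshi;
                if (pobj_pshi->ProcessId = nProcID) then
                    //SprintfBox(INFORMATION,"","%d: PID: %08x, type: %02x, handle: %04x", i,
                    //    pobj_pshi->ProcessId, pobj_pshi->ObjectTypeNumber, pobj_pshi->Handle);

                    // Keep only the low 16 bits so a value >= 0x8000 is not
                    // widened with sign bits when passed as a handle.
                    // NOTE(review): assumes 'short' is signed here - confirm.
                    nHandle = (pobj_pshi->Handle) & 0xFFFF;

                    // Best effort: no target process/handle is supplied, so the
                    // only effect is closing the source handle. A failure for
                    // one handle does not stop the walk.
                    Kernel32.DuplicateHandle(hProcess, nHandle, 0, 0, 0, 0, DUPLICATE_CLOSE_SOURCE);
                endif;
            endfor;

            nResult = 0;
        endif;

        LocalFree(pAlloc);
    endif;

    CloseHandle(hProcess);
    return nResult;
end;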