为什么 openprocess function 每次都返回不同的句柄？

Question

I want to get the process and thread handles about some games to inject dll, and I used OpenProcess() and OpenThread() to obtain these handles. But I found that I just get different handles each time I use these functions. And they are useless for me because they arent the true handles. Please tell me how I can get the true handles?

Thanks for your answers and comments. And I found that I did not describe my problem very well. Sorry.

Actually, if i used CreateProcess() funtion to launch a process and get handles from parameter lpProcessInformation pi . I could inject my dll into game through these handles named pi.hProcess and pi.hThread . And these handles seem like would not change during the program's runtime.

But if I got handles from OpenProcess() and OpenThread() , the process handle and thread handle were not same as the handle from CreateProcess() even though I got them in same run from a process.

So I thought that the handle from pi is the true handle, and the handle from OpenProcess() are fake. I dont know why they are different and why only handles from pi can work well.

Please tell me the difference about handles from OpenProcess() and CreateProcess() . Or how I can get the handles same as CreateProcess() through PID.

This is the code how inject dll. And ony handles from pi.hProcess and pi.hThread can work.

void KInject::InjectDll(HANDLE hProcess, HANDLE hThread, ULONG_PTR param){  
    QueueUserAPC(
        (PAPCFUNC)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA"),
        hThread, 
        (ULONG_PTR)param
        );  
}

void KInject::Inject2(HANDLE hProcess, HANDLE hThread, const char* szDLL ){
    SIZE_T len = strlen(szDLL) + 1;
    PVOID param = VirtualAllocEx(hProcess, NULL, len, MEM_COMMIT | MEM_TOP_DOWN /*MEM_RESERVE*/, PAGE_READWRITE);  
    if (param != NULL)  
    {  
        SIZE_T ret;
        if (WriteProcessMemory(hProcess, param, szDLL, len, &ret)) {  
            InjectDll(hProcess, hThread, (ULONG_PTR)param );   
        }  
    }
}

This is the code how i get handles.

#include <Windows.h>
#include "tlhelp32.h"
#include <stdio.h>
#include <string.h>
#include <iostream>

using namespace std;

int main(int argc, char* argv[])
{
    HWND hq = FindWindow(NULL, "Temp");
    RECT rect;
    DWORD dwThreadID;
    DWORD dwProcessId;
    GetWindowThreadProcessId(hq, &dwProcessId);
    GetWindowRect(hq, &rect);
    DWORD a = GetWindowThreadProcessId(hq, &dwProcessId);

    THREADENTRY32 te32 = { sizeof(te32) };
    HANDLE hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (Thread32First(hThreadSnap, &te32))
    {
        do {
            if (dwProcessId == te32.th32OwnerProcessID)
            {
                dwThreadID = te32.th32ThreadID;
                break;
            }
        } while (Thread32Next(hThreadSnap, &te32));
    }
    CloseHandle(hThreadSnap);
    HANDLE  hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);  
    HANDLE  hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, dwThreadID);
    CloseHandle(hThread);
    CloseHandle(hProcess);
    return 0;
}

Answer 1

There is nothing wrong with the API in this regard. Their return values are just what they are supposed to be, ie "handles" to the actual processes and threads. Exactly the same way as when you open a file, you get a handle to it, and if you open the same file multiple times, you may get different handles.

Having said that, just in the same way that files do have a more permanent name—which is their paths —processes and threads also do have a more permanent name and its called their "ID".

You can use the Win32 functions GetProcessId(HANDLE handle) and GetThreadId(HANDLE handle) to get to these more permanent identifiers.