枚举进程的模块的问题

everyone 发表于 2009-10-17 00:38:51

附件里的代码可以枚举进程，点某个进程的右键菜单，然后点查看模块，就能查看模块了。但我发现有的进程能查看模块，有的进程不能显示模块。请问怎么办？

马大哈 发表于 2009-10-17 01:50:11

测试了一下,在我这里貌似都行.
 
估计是有安全软件限制了,或者用户权限过低之类.

everyone 发表于 2009-10-18 00:08:01

还是不行

我把代码生成为EXE文件。我又在一个没有安装杀毒软件的虚拟机里试了一下，结果还是有的能，有的不能。当前用户是管理员，安全模式下试了也是有的能，有的不能。
alg.exe不能 conime.exe能 csrss.exe不能 ctfmon.exe能 explorer.exe能 smss.exe不能 lsass.exe不能 services.exe不能 svchost.exe不能 winlogon.exe不能
有的进程点右键打开显示模块的窗口后，ListView控件没有条目。有的却能显示模块。我用GetLastError和FormatMessage显示"操作成功完成"。不知您能查看上面那些标为不能的进程的模块吗？ 关于制作进程管理器，您推荐用什么函数？是CreateToolhelpSnapshot，还是EnumProcesses？

马大哈 发表于 2009-10-18 12:49:57

我又测试了一下,除了SYSTEM等无模块的进程外,其余都是能行的.
 
我的系统是2003 SP2,没开任何安全软件.
 
也许是系统本身的限制吧.
 
你试一下提升进程权限: 
<div class="msgheader">QUOTE:</div><div class="msgborder">
Option Explicit '************************************************************************* '**模块名：ModSetProDebug '**说    明：将本进程运行级别设置为DEBUG '**创建人：马大哈 '**日    期：2006年10月22日 '**描    述：网上收集 '**版    本：V1.0 '*************************************************************************
Private Type LARGE_INTEGER
    lowpart As Long     highpart As Long
End Type
Private Const ANYSIZE_ARRAY           As Long = 1
Private Const SE_PRIVILEGE_ENABLED    As Long = &H2
Private Const TOKEN_ADJUST_PRIVILEGES As Long = &H20
Private Const TOKEN_QUERY             As Long = &H8
Private Type LUID_AND_ATTRIBUTES
    LUID As LARGE_INTEGER     Attributes As Long
End Type
Private Type TOKEN_PRIVILEGES
    PrivilegeCount As Long     Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type
Private Declare Function LookupPrivilegeValue _                 Lib "advapi32.dll" _                 Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, _                                                ByVal lpName As String, _                                                ByRef lpLuid As LARGE_INTEGER) As Long
Private Declare Function AdjustTokenPrivileges _                 Lib "advapi32.dll" (ByVal TokenHandle As Long, _                                     ByVal DisableAllPrivileges As Long, _                                     ByRef NewState As TOKEN_PRIVILEGES, _                                     ByVal BufferLength As Long, _                                     ByRef PreviousState As Long, _                                     ByRef ReturnLength As Long) As Long
Private Declare Function GetCurrentProcess Lib "KERNEL32.dll" () As Long
Private Declare Function GetCurrentProcessId Lib "KERNEL32.dll" () As Long
Private Declare Function CloseHandle Lib "KERNEL32.dll" (ByVal hObject As Long) As Long
Private Declare Function OpenProcessToken _                 Lib "advapi32.dll" (ByVal ProcessHandle As Long, _                                     ByVal DesiredAccess As Long, _                                     ByRef TokenHandle As Long) As Long
Private Declare Function GetLastError Lib "KERNEL32.dll" () As Long
Public Function EnableDebugPrivilege() As Boolean
    Dim TP     As TOKEN_PRIVILEGES
    Dim hToken As Long, r As Long, e As Long
    r = OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hToken)     e = GetLastError
    '    Err.Raise 6     If r And Not e Then         r = LookupPrivilegeValue(vbNullString, "SeDebugPrivilege", TP.Privileges(0).LUID)         e = GetLastError
        If r And Not e Then             TP.PrivilegeCount = 1             TP.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
            r = AdjustTokenPrivileges(hToken, False, TP, LenB(TP), 0, 0)             EnableDebugPrivilege = GetLastError = 0         End If     End If
    Call CloseHandle(hToken) End Function</div>
启动时先调用EnableDebugPrivilege就行.

everyone 发表于 2009-10-19 00:33:39

谢谢，提权后又有好多进程可以列出模块了。在有杀毒软件的系统里，360安全卫士、卡巴斯基这种进程仍然无法列出模块。

马大哈 发表于 2009-10-19 01:11:32

晕,这些安全软件随便让你几句普通函数就列出来了他们还混个啥- -!
 
作为安全软件,如果连自己都保护不了,如何去保护别人呢.

everyone 发表于 2009-10-19 23:25:37

感谢老马的教导。

upring 发表于 2015-7-18 10:14:05

支持老马热心老马

页: [1]

紫水晶编程技术论坛 - 努力打造成全国最好的编程论坛's Archiver

枚举进程的模块的问题

还是不行