About NtGetNextProcess
This thing seems to have first appeared on Windows 2003; it can bypass OpenProcess/DuplicateHandle to open a process. Below is VB.NET code written by a foreign developer:

```vbnet
Private Shared Function GetProcessHandleWById(ByVal pid As Integer, ByVal access As Security.ProcessAccess) As IntPtr
    ' ===== Try standard way (OpenProcess)
    Dim hProc As IntPtr = GetProcessHandleById(pid, access)
    If hProc.IsNotNull Then
        Return hProc
    End If
    ' ===== Use NtOpenProcess (if OpenProcess is hooked and not NtOpenProcess)
    ' Caveat: the kernel rejects an OBJECT_ATTRIBUTES whose Length field does not equal the
    ' structure size (STATUS_INVALID_PARAMETER); a plain Dim leaves it zero unless
    ' NativeStructs.ObjectAttributes initialises it itself.
    Dim _oa As NativeStructs.ObjectAttributes
    Dim _clientId As New NativeStructs.ClientId(pid, 0)
    NativeFunctions.NtOpenProcess(hProc, access, _oa, _clientId)
    If hProc.IsNotNull Then
        Return hProc
    End If
    ' ===== Try another way (using NtGetNextProcess, VISTA ONLY)
    If cEnvironment.SupportsGetNextThreadProcessFunctions Then
        ' Open handle to our process; the walk starts from here
        Dim curHandle As IntPtr = GetProcessHandleById(NativeFunctions.GetCurrentProcessId, access)
        ' Define access to use: GetProcessId needs at least QueryLimitedInformation
        Dim theAccess As Security.ProcessAccess
        If (access And Security.ProcessAccess.QueryLimitedInformation) <> Security.ProcessAccess.QueryLimitedInformation AndAlso _
           (access And Security.ProcessAccess.QueryInformation) <> Security.ProcessAccess.QueryInformation Then
            theAccess = access Or Security.ProcessAccess.QueryLimitedInformation
        Else
            theAccess = access
        End If
        ' Try to find a handle using NtGetNextProcess
        Dim i As Integer = 0 ' Watchdog
        Do While True
            ' Fix: the original passed "access" here, so "theAccess" was computed but never used
            NativeFunctions.NtGetNextProcess(curHandle, theAccess, 0, 0, curHandle)
            ' Get process Id of this handle
            If curHandle.IsNotNull Then
                Dim thePid As Integer = NativeFunctions.GetProcessId(curHandle)
                If thePid = pid Then
                    Return curHandle
                End If
            End If
            ' Caveat: NtGetNextProcess does not close the source handle, and this loop overwrites
            ' curHandle without closing it, so every non-matching handle leaks until the process exits.
            i += 1
            ' We assume there are less than 800 processes...
            If i > 800 Then
                Exit Do
            End If
        Loop
    End If
    ' Okay, everything failed....
    Return IntPtr.Zero
End Function
```
Naylon wrote a VB6 version; I tested it and it works. Page where the code lives: http://files.codes-sources.com/f ... /Objects/Process.vb
A remote process monitor written in VB.NET: http://www.vbfrance.com/codes/YE ... -MONITOR_50027.aspx
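A defensive use of the same handle walk, as an added example that is not from this thread or from the linked code: enumerate every process object reachable through NtGetNextProcess and compare the PIDs with what Process.GetProcesses reports, so a process hidden from the conventional listing shows up as a discrepancy. The P/Invoke declarations and the module name HiddenProcessCheck are assumptions of this example.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Diagnostics
Imports System.Linq
Imports System.Runtime.InteropServices

' Cross-view check: PIDs reached by walking process objects with NtGetNextProcess
' (kernel object view) versus PIDs reported by Process.GetProcesses (the usual
' NtQuerySystemInformation view). A PID only the walk sees is worth investigating.
Public Module HiddenProcessCheck
    Private Const PROCESS_QUERY_LIMITED_INFORMATION As UInteger = &H1000UI
    Private Const STATUS_SUCCESS As Integer = 0

    ' Undocumented ntdll export (signature assumed); a zero input handle starts at the first process.
    <DllImport("ntdll.dll")>
    Private Function NtGetNextProcess(ByVal ProcessHandle As IntPtr, ByVal DesiredAccess As UInteger,
                                      ByVal HandleAttributes As UInteger, ByVal Flags As UInteger,
                                      ByRef NewProcessHandle As IntPtr) As Integer
    End Function
    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Function GetProcessId(ByVal hProcess As IntPtr) As UInteger
    End Function
    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

    ' Every PID reachable through NtGetNextProcess; each source handle is closed after use.
    Public Function EnumerateViaNtGetNextProcess() As List(Of Integer)
        Dim pids As New List(Of Integer)()
        Dim current As IntPtr = IntPtr.Zero
        Dim nextHandle As IntPtr = IntPtr.Zero
        Do While NtGetNextProcess(current, PROCESS_QUERY_LIMITED_INFORMATION, 0, 0, nextHandle) = STATUS_SUCCESS
            pids.Add(CInt(GetProcessId(nextHandle)))
            If current <> IntPtr.Zero Then CloseHandle(current)
            current = nextHandle
        Loop
        If current <> IntPtr.Zero Then CloseHandle(current)
        Return pids
    End Function

    ' PIDs the handle walk sees but the snapshot-style listing does not.
    Public Function FindDiscrepancies() As List(Of Integer)
        Dim known As New HashSet(Of Integer)(Process.GetProcesses().Select(Function(p) p.Id))
        Return EnumerateViaNtGetNextProcess().FindAll(Function(pid) Not known.Contains(pid))
    End Function

    Sub Main()
        For Each pid As Integer In FindDiscrepancies()
            Console.WriteLine("PID {0} visible to NtGetNextProcess but not to Process.GetProcesses()", pid)
        Next
    End Sub
End Module
```

Processes that start or exit between the two listings produce transient discrepancies, so repeat the check before treating a PID as hidden; processes the caller cannot open with the requested access are skipped by the walk, so run it with the same rights you would give a process monitor.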
...... I can't get the hang of kernel stuff - -! Hiding processes... N methods; correspondingly, getting process information, also N methods.. Won't say more, have a look first :)
Learning from this!