发几个R3枚举进程的代码
本帖最后由 KMSRussian 于 2012-2-12 20:28 编辑

还有 R3 下的方法没涉及到 CoCreateInstance()、ConnectServer()、ExecQuery() 等。

///////////////////////////////////////////////////////////////
// 02ProcessList.cpp文件
#include "stdafx.h"
#include <windows.h>
#include <tlhelp32.h> // 声明快照函数的头文件
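// Lists every process visible through a Toolhelp snapshot (user-mode view:
// it only reflects what the kernel reports to the snapshot API).
// Returns 0 on success, -1 if the snapshot could not be taken.
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    PROCESSENTRY32 pe32;
    // dwSize must be filled in before Process32First, otherwise the call
    // fails with ERROR_INVALID_PARAMETER.
    pe32.dwSize = sizeof(pe32);

    // Snapshot of all processes in the system.
    HANDLE hProcessSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        printf(" CreateToolhelp32Snapshot调用失败! \n");
        return -1;
    }

    // Walk the snapshot and print each entry.
    BOOL bMore = ::Process32First(hProcessSnap, &pe32);
    while (bMore)
    {
        // szExeFile is a TCHAR array; %s is only correct in an ANSI
        // (non-UNICODE) build, which is what this listing assumes.
        printf(" 进程名称:%s \n", pe32.szExeFile);
        // th32ProcessID is a DWORD (unsigned long), so %lu rather than %u.
        printf(" 进程ID号:%lu \n\n", pe32.th32ProcessID);
        bMore = ::Process32Next(hProcessSnap, &pe32);
    }

    // The snapshot is a kernel object and must be closed.
    ::CloseHandle(hProcessSnap);
    return 0;
}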
#include "windows.h"
#include <stdio.h>
#include <iostream.h>
#include <tchar.h>
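// Function-pointer types for the PSAPI exports resolved below. The real
// exports return BOOL (a 4-byte int), not C++ bool, and use the stdcall
// convention; WINAPI expands to that convention on x86.
typedef BOOL  (WINAPI *EnumProcesses)(DWORD* pProcessIds, DWORD cb, DWORD* pBytesReturned);
typedef BOOL  (WINAPI *EnumProcessModules)(HANDLE hProcess, HMODULE* lphModule, DWORD cb, LPDWORD lpcbNeeded);
typedef DWORD (WINAPI *GetModuleFileNameEx)(HANDLE hProcess, HMODULE hModule, LPTSTR lpFilename, DWORD nSize);
typedef DWORD (WINAPI *GetModuleBaseName)(HANDLE hProcess, HMODULE hModule, LPTSTR lpBaseName, DWORD nSize);

// Loaded at static-initialisation time. A bare DLL name is resolved through
// the normal DLL search order; where available, LoadLibraryEx with
// LOAD_LIBRARY_SEARCH_SYSTEM32 pins the lookup to System32. h1 is NULL if the
// load fails, in which case every GetProcAddress below returns NULL as well --
// callers must check the pointers before calling through them.
HMODULE h1 = LoadLibrary("PSAPI.DLL");
EnumProcesses       pEnumProcesses       = (EnumProcesses)::GetProcAddress(h1, "EnumProcesses");           // export names are case-sensitive
EnumProcessModules  pEnumProcessModules  = (EnumProcessModules)GetProcAddress(h1, "EnumProcessModules");
// The "A" suffix selects the ANSI variant of the export; "W" is the UNICODE one.
GetModuleFileNameEx pGetModuleFileNameEx = (GetModuleFileNameEx)GetProcAddress(h1, "GetModuleFileNameExA");
GetModuleBaseName   pGetModuleBaseName   = (GetModuleBaseName)GetProcAddress(h1, "GetModuleBaseNameA");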
//注意第三个函数名GetModuleFileNameExA,在Dll里有以A和W结尾区分函数,A指采用的是ANSI字符串方式,W则是UNICODE方式。于是,我们可以用下面的语句枚举进程:
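// Enables SeDebugPrivilege on the current process token so that OpenProcess
// can succeed on processes owned by other users. The privilege must already be
// present (disabled) in the token, which in practice means an administrative
// token. Returns true only if the privilege was actually enabled.
bool RaisePrivilege()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        cout<<"OpenProcessToken"<<endl;
        return false;
    }

    TOKEN_PRIVILEGES tps = {0};
    tps.PrivilegeCount = 1;
    tps.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tps.Privileges[0].Luid))
    {
        cout<<"LookupPrivilegeValue false"<<endl;
        CloseHandle(hToken);
        return false;
    }

    // AdjustTokenPrivileges returns TRUE even when nothing was adjusted; the
    // "privilege not held" case is only reported through GetLastError() as
    // ERROR_NOT_ALL_ASSIGNED, so both must be checked.
    BOOL bRes = AdjustTokenPrivileges(hToken, FALSE, &tps, sizeof(tps), NULL, NULL);
    DWORD dwErr = GetLastError();
    CloseHandle(hToken);   // the token handle was leaked on the failure path before

    if (!bRes || dwErr == ERROR_NOT_ALL_ASSIGNED)
    {
        cout<<"AdjustTokenPrivileges false"<<endl;
        return false;
    }
    return true;
}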
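// Prints "PId:<pid>\tPathNam:<base name>" for one process. The name is the
// base name of the first module reported by EnumProcessModules (the main
// executable). Falls back to "_Unknow_" when the process cannot be opened or
// queried. Output assumes an ANSI build: cout on a wide TCHAR buffer would
// print a pointer instead of the string.
void GetProcessPathById( DWORD PId )
{
    TCHAR szProcessName[MAX_PATH] = _T("_Unknow_");   // was garbled to a single TCHAR
    if (RaisePrivilege() && pEnumProcessModules != NULL && pGetModuleBaseName != NULL)
    {
        // Least privilege: GetModuleBaseName needs only query + VM read, so
        // PROCESS_ALL_ACCESS is not required (and fails on more processes).
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, PId);
        if (hProcess != NULL)
        {
            HMODULE hModule = NULL;
            DWORD cbNeeded = 0;
            // Only the first module handle is requested; cbNeeded reports how
            // many bytes the full list would take.
            if (pEnumProcessModules(hProcess, &hModule, sizeof(hModule), &cbNeeded))
            {
                // Returns the number of characters copied, 0 on failure; on
                // failure restore the placeholder so the output stays sane.
                if (pGetModuleBaseName(hProcess, hModule, szProcessName, sizeof(szProcessName)/sizeof(TCHAR)) == 0)
                {
                    _tcscpy(szProcessName, _T("_Unknow_"));
                }
            }
            CloseHandle(hProcess);   // previously called even when OpenProcess had failed
        }
    }
    cout<<"PId:"<<PId<<"\t"<<"PathNam:"<<szProcessName<<endl;
}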
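// Enumerates process ids through PSAPI's EnumProcesses and prints the base
// name of each one.
void main()
{
    // EnumProcesses fills a caller-supplied array. If pBytesReturned comes
    // back equal to the buffer size the list may be truncated and a larger
    // buffer is needed; there is no other signal.
    DWORD dProcessIds[1024] = {0};   // was garbled to a single DWORD
    DWORD dRet = 0;

    if (pEnumProcesses == NULL)
    {
        // PSAPI.DLL could not be loaded or the export was not found.
        cout<<"EnumProcesses1 False"<<endl;
        return;
    }
    if (!pEnumProcesses(dProcessIds, sizeof(dProcessIds), &dRet))
    {
        cout<<"EnumProcesses1 False"<<endl;
        return;
    }
    if (dRet == sizeof(dProcessIds))
    {
        cout<<"Process id buffer full, list may be truncated"<<endl;
    }

    int ProcessNums = dRet / sizeof(DWORD);
    for (int i = 0; i < ProcessNums; i++)
        GetProcessPathById(dProcessIds[i]);   // was garbled to dProcessIds
    cout<<"Process Nums:"<<ProcessNums<<endl;

    FreeLibrary(h1);
}
#include "windows.h"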
#include <stdio.h>
#include <iostream.h>
#include <tchar.h>
//声明一下psapi.dll中包含的这几个函数
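// Function-pointer types for the PSAPI exports resolved below. The real
// exports return BOOL (a 4-byte int), not C++ bool, and use the stdcall
// convention; WINAPI expands to that convention on x86.
typedef BOOL  (WINAPI *EnumProcesses)(DWORD* pProcessIds, DWORD cb, DWORD* pBytesReturned);
typedef BOOL  (WINAPI *EnumProcessModules)(HANDLE hProcess, HMODULE* lphModule, DWORD cb, LPDWORD lpcbNeeded);
typedef DWORD (WINAPI *GetModuleFileNameEx)(HANDLE hProcess, HMODULE hModule, LPTSTR lpFilename, DWORD nSize);
typedef DWORD (WINAPI *GetModuleBaseName)(HANDLE hProcess, HMODULE hModule, LPTSTR lpBaseName, DWORD nSize);
// Fills lpImageFileName with the NT device path of the process image
// (\Device\HarddiskVolumeN\...), not a Win32 drive-letter path; needs only
// PROCESS_QUERY_INFORMATION on hProcess.
typedef DWORD (WINAPI *GetProcessImageFileName)(HANDLE hProcess, LPTSTR lpImageFileName, DWORD nSize);

// Loaded at static-initialisation time. A bare DLL name is resolved through
// the normal DLL search order; where available, LoadLibraryEx with
// LOAD_LIBRARY_SEARCH_SYSTEM32 pins the lookup to System32. h1 is NULL if the
// load fails, in which case every GetProcAddress below returns NULL as well --
// callers must check the pointers before calling through them.
HMODULE h1 = LoadLibrary("PSAPI.DLL");
EnumProcesses           pEnumProcesses           = (EnumProcesses)::GetProcAddress(h1, "EnumProcesses");           // export names are case-sensitive
EnumProcessModules      pEnumProcessModules      = (EnumProcessModules)GetProcAddress(h1, "EnumProcessModules");
// The "A" suffix selects the ANSI variant of the export; "W" is the UNICODE one.
GetModuleFileNameEx     pGetModuleFileNameEx     = (GetModuleFileNameEx)GetProcAddress(h1, "GetModuleFileNameExA");
GetModuleBaseName       pGetModuleBaseName       = (GetModuleBaseName)GetProcAddress(h1, "GetModuleBaseNameA");
GetProcessImageFileName pGetProcessImageFileName = (GetProcessImageFileName)GetProcAddress(h1, "GetProcessImageFileNameA");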
//注意第三个函数名GetModuleFileNameExA,在Dll里有以A和W结尾区分函数,A指采用的是ANSI字符串方式,W则是UNICODE方式。于是,我们可以用下面的语句枚举进程:
//不要忘记使用FreeLibrary 好多人都不使用
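// Enables SeDebugPrivilege on the current process token so that OpenProcess
// can succeed on processes owned by other users. The privilege must already be
// present (disabled) in the token, which in practice means an administrative
// token. Returns true only if the privilege was actually enabled.
bool RaisePrivilege()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        cout<<"OpenProcessToken"<<endl;
        return false;
    }

    TOKEN_PRIVILEGES tps = {0};
    tps.PrivilegeCount = 1;
    tps.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tps.Privileges[0].Luid))
    {
        cout<<"LookupPrivilegeValue false"<<endl;
        CloseHandle(hToken);
        return false;
    }

    // AdjustTokenPrivileges returns TRUE even when nothing was adjusted; the
    // "privilege not held" case is only reported through GetLastError() as
    // ERROR_NOT_ALL_ASSIGNED, so both must be checked.
    BOOL bRes = AdjustTokenPrivileges(hToken, FALSE, &tps, sizeof(tps), NULL, NULL);
    DWORD dwErr = GetLastError();
    CloseHandle(hToken);   // the token handle was leaked on the failure path before

    if (!bRes || dwErr == ERROR_NOT_ALL_ASSIGNED)
    {
        cout<<"AdjustTokenPrivileges false"<<endl;
        return false;
    }
    return true;
}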
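// Prints "PId:<pid>\tPathNam:<base name>" for one process. The name is the
// base name of the first module reported by EnumProcessModules (the main
// executable). Falls back to "_Unknow_" when the process cannot be opened or
// queried. Output assumes an ANSI build: cout on a wide TCHAR buffer would
// print a pointer instead of the string.
void GetProcessPathById( DWORD PId )
{
    TCHAR szProcessName[MAX_PATH] = _T("_Unknow_");   // was garbled to a single TCHAR
    if (RaisePrivilege() && pEnumProcessModules != NULL && pGetModuleBaseName != NULL)
    {
        // Least privilege: GetModuleBaseName needs only query + VM read, so
        // PROCESS_ALL_ACCESS is not required (and fails on more processes).
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, PId);
        if (hProcess != NULL)
        {
            HMODULE hModule = NULL;
            DWORD cbNeeded = 0;
            // Only the first module handle is requested; cbNeeded reports how
            // many bytes the full list would take.
            if (pEnumProcessModules(hProcess, &hModule, sizeof(hModule), &cbNeeded))
            {
                // Returns the number of characters copied, 0 on failure; on
                // failure restore the placeholder so the output stays sane.
                if (pGetModuleBaseName(hProcess, hModule, szProcessName, sizeof(szProcessName)/sizeof(TCHAR)) == 0)
                {
                    _tcscpy(szProcessName, _T("_Unknow_"));
                }
            }
            CloseHandle(hProcess);   // previously called even when OpenProcess had failed
        }
    }
    cout<<"PId:"<<PId<<"\t"<<"PathNam:"<<szProcessName<<endl;
}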
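// Walks the PID space by brute force: every id that OpenProcess accepts is a
// live process. Unlike EnumProcesses this does not rely on PSAPI's list, but
// 0xffff is not an upper bound on PIDs, so the walk can miss processes.
void main()
{
    if (pGetProcessImageFileName == NULL)
    {
        // PSAPI.DLL could not be loaded or the export is missing (it was
        // added in later PSAPI versions than the other three).
        cout<<"GetProcessImageFileName not found"<<endl;
        ::FreeLibrary(h1);
        return;
    }

    // SeDebugPrivilege: without it only the caller's own processes open.
    RaisePrivilege();

    for (DWORD i = 0; i < 0xffff; i++)
    {
        // Query rights are all GetProcessImageFileName needs; no reason to
        // ask for PROCESS_ALL_ACCESS.
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, i);
        if (hProcess)
        {
            char ProcessName[MAX_PATH] = {0};   // was garbled to a single char
            // Returns the NT device path (\Device\HarddiskVolumeN\...), 0 on failure.
            if (pGetProcessImageFileName(hProcess, ProcessName, MAX_PATH) == 0)
            {
                ProcessName[0] = '\0';
            }
            cout<<"PID:"<<i<<"\t"<<"Path:"<<ProcessName<<endl;
            CloseHandle(hProcess);   // one handle per process was leaked before
        }
    }

    ::FreeLibrary(h1);
}
#include "windows.h"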
#include <stdio.h>
#include <iostream.h>
#include <tchar.h>
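// Local mirror of wtsapi32.h's WTS_PROCESS_INFOA, declared here because the
// listing resolves the exports by hand instead of including the header. The
// "A" entry points are loaded below, so the name is an ANSI string (LPSTR).
typedef struct _WTS_PROCESS_INFO {
    DWORD SessionId;
    DWORD ProcessId;
    LPSTR pProcessName;   // points into the block returned by WTSEnumerateProcesses
    PSID  pUserSid;
} WTS_PROCESS_INFO, *PWTS_PROCESS_INFO;

// Both exports return through stdcall; WTSEnumerateProcesses returns BOOL, not
// C++ bool. *ppProcessInfo receives an array of *pCount WTS_PROCESS_INFO
// entries allocated by wtsapi32 that the caller must release with WTSFreeMemory.
typedef HANDLE (WINAPI *WTSOpenServer)(LPSTR pServerName);
typedef BOOL   (WINAPI *WTSEnumerateProcesses)(HANDLE hServer, DWORD Reserved, DWORD Version, PWTS_PROCESS_INFO* ppProcessInfo, DWORD* pCount);

// Loaded at static-initialisation time; h1 is NULL if the DLL is unavailable
// and then both pointers below are NULL too -- check before calling.
HMODULE h1 = LoadLibrary("wtsapi32.dll");
WTSOpenServer         pWTSOpenServer         = (WTSOpenServer)GetProcAddress(h1, "WTSOpenServerA");
WTSEnumerateProcesses pWTSEnumerateProcesses = (WTSEnumerateProcesses)GetProcAddress(h1, "WTSEnumerateProcessesA");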
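// Enumerates processes through the terminal-services API (WTSEnumerateProcesses)
// on the server named below and prints id + name for each entry.
void main()
{
    if (pWTSOpenServer == NULL || pWTSEnumerateProcesses == NULL)
    {
        printf("wtsapi32 exports not found\n");
        return;
    }

    // Resolved locally so this function only depends on h1; both are plain
    // wtsapi32 exports with no A/W variants.
    typedef void (WINAPI *WTSFreeMemoryFn)(PVOID pMemory);
    typedef void (WINAPI *WTSCloseServerFn)(HANDLE hServer);
    WTSFreeMemoryFn  pWTSFreeMemory  = (WTSFreeMemoryFn)GetProcAddress(h1, "WTSFreeMemory");
    WTSCloseServerFn pWTSCloseServer = (WTSCloseServerFn)GetProcAddress(h1, "WTSCloseServer");

    // Server name hard-coded in the original post. For the local machine,
    // WTS_CURRENT_SERVER_HANDLE can be passed to WTSEnumerateProcesses instead
    // of opening a server by name.
    char szServerName[] = "Li";
    HANDLE h2 = pWTSOpenServer(szServerName);

    PWTS_PROCESS_INFO pWtspi = NULL;
    DWORD dwCount = 0;
    if (!pWTSEnumerateProcesses(h2, 0, 1, &pWtspi, &dwCount))
    {
        // GetLastError() is a DWORD (unsigned long): %lu, not %d.
        printf("enum process error: %lu\n", GetLastError());
        if (pWTSCloseServer) pWTSCloseServer(h2);
        return;
    }

    for (DWORD i = 0; i < dwCount; i++)
    {
        // Indexing was garbled to pWtspi.ProcessId in the post.
        printf("PsId: %lu\t\tPsName: %s\n", pWtspi[i].ProcessId, pWtspi[i].pProcessName);
    }

    // The array is owned by wtsapi32: release with WTSFreeMemory, never
    // free()/delete, and close the server handle afterwards.
    if (pWTSFreeMemory) pWTSFreeMemory(pWtspi);
    if (pWTSCloseServer) pWTSCloseServer(h2);
}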
killvxk的驱动查进程:
1.native api获得进程表a
2.通过activelist获得进程表b
3.通过pspCidTable获得进程表c
4.通过handletablelisthead获得进程表d
5.通过csrss的handletable用2种方法枚举获得进程表e和f
6.通过扫描当前进程的handletable获得进程表g
7.遍历表c的每一个进程的SessionProcessLinks获得进程表h
8.遍历表c的每一个进程Vm.WorkingSetExpansionLinks获得进程表i
9.通过Typelist分别取process和thread的表j和表k
10.通过表k得到进程表l
11.搜索内存中的threadobject和processobject得到进程表m
12.通过Wait/Dispatch得到进程表n
13.如果系统是Win2003以上遍历表c的每一个进程的MmProcessLinks得到表o
14.综合上面的进程表得到表p
15.对表p每一个进程做HandleTable,Vm.WorkXX,MmProcessXX,SessionProcessList扫描得到表q
16.枚举HWNDHandle得到进程表r
17.枚举JobObject得到表s
18.综合得表t,此时枚举结束~~
有空再整理下 上面这些 LZ好久没来了啊。
WIN64系统上在R0隐藏进程直接引发蓝屏,终结了“进程捉迷藏”这种无聊的游戏。