发几个R3枚举进程的代码

KMSRussian · 发表于 2012-2-12 20:20:52

本帖最后由 KMSRussian 于 2012-2-12 20:28 编辑

还有R3下的方法没涉及到CoCreateInstance()，ConnectServer()，ExecQuery()等

///////////////////////////////////////////////////////////////
// 02ProcessList.cpp文件
#include "stdafx.h"
#include <windows.h>
#include <tlhelp32.h> // 声明快照函数的头文件
int main(int argc, char* argv[])
{
PROCESSENTRY32 pe32;
// 在使用这个结构之前，先设置它的大小
pe32.dwSize = sizeof(pe32);
// 给系统内的所有进程拍一个快照
HANDLE hProcessSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(hProcessSnap == INVALID_HANDLE_VALUE)
{
printf(" CreateToolhelp32Snapshot调用失败！ \n");
return -1;
}
// 遍历进程快照，轮流显示每个进程的信息
BOOL bMore = ::Process32First(hProcessSnap, &pe32);
while(bMore)
{
printf(" 进程名称：%s \n", pe32.szExeFile);
printf(" 进程ID号：%u \n\n", pe32.th32ProcessID);
bMore = ::Process32Next(hProcessSnap, &pe32);
}
// 不要忘记清除掉snapshot对象
::CloseHandle(hProcessSnap);
return 0;
}

复制代码

#include "windows.h"
#include <stdio.h>
#include <iostream.h>
#include <tchar.h>
typedef bool (_stdcall *EnumProcesses)(DWORD* pProcessIds, DWORD cb, DWORD* pBytesReturned );
typedef bool (_stdcall *EnumProcessModules)(HANDLE hProcess,HMODULE* lphModule,DWORD cb,LPDWORD lpcbNeeded);
typedef DWORD (_stdcall *GetModuleFileNameEx)( HANDLE hProcess, HMODULE hModule,LPTSTR lpFilename, DWORD nSize);
typedef DWORD (_stdcall *GetModuleBaseName)( HANDLE hProcess, HMODULE hModule, LPTSTR lpBaseName, DWORD nSize);
HMODULE h1=LoadLibrary("PSAPI.DLL");
EnumProcesses pEnumProcesses=(EnumProcesses)::GetProcAddress(h1,"EnumProcesses"); //注意大小写
EnumProcessModules pEnumProcessModules =(EnumProcessModules)GetProcAddress(h1, "EnumProcessModules");
GetModuleFileNameEx pGetModuleFileNameEx =(GetModuleFileNameEx)GetProcAddress(h1, "GetModuleFileNameExA");
GetModuleBaseName pGetModuleBaseName=(GetModuleBaseName)GetProcAddress(h1,"GetModuleBaseNameA");
//注意第三个函数名GetModuleFileNameExA，在Dll里有以A和W结尾区分函数，A指采用的是ANSI字符串方式，W则是UNICODE方式。于是，我们可以用下面的语句枚举进程：
bool RaisePrivilege()
{
HANDLE hToken = NULL;
bool bRes = OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken );
if( !bRes )
{
cout<<"OpenProcessToken"<<endl;
return false;
}
TOKEN_PRIVILEGES tps = {0};
LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &tps.Privileges[0].Luid );
tps.PrivilegeCount = 1;
tps.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
bRes = AdjustTokenPrivileges( hToken, false, &tps, sizeof(tps), NULL, NULL );
if( bRes == 0 )
{
cout<<"AdjustTokenPrivileges false"<<endl;
return false;
}
CloseHandle( hToken );
return true;
}
void GetProcessPathById( DWORD PId )
{
TCHAR szProcessName[MAX_PATH] = _T("_Unknow_");
bool bRes = RaisePrivilege();
if( bRes )
{
HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, false, PId );
DWORD dw = GetLastError();
if( hProcess != NULL )
{
HMODULE hModule = NULL;
//DWORD dw = 0;
bool bGetModule = pEnumProcessModules( hProcess, &hModule, sizeof(HMODULE), &dw );
dw = GetLastError();
if( bGetModule )
{
int len = pGetModuleBaseName( hProcess, hModule, szProcessName, sizeof(szProcessName)/sizeof(TCHAR) );
}
}
CloseHandle( hProcess );
}
cout<<"PId:"<<PId<<"\t"<<"PathNam:"<<szProcessName<<endl;
}
void main()
{
DWORD dProcessIds[1024] = {0};
DWORD dRet = 0;
DWORD dRes = 0;
dRes = pEnumProcesses( dProcessIds, sizeof(dProcessIds), &dRet );
if( dRes == 0 )
{
cout<<"EnumProcesses1 False"<<endl;
return;
}
int ProcessNums = dRet/sizeof(DWORD);
for( int i = 0; i < ProcessNums; i++ )
GetProcessPathById( dProcessIds[i] );
cout<<"Process Nums:"<<ProcessNums<<endl;
FreeLibrary(h1);
}

复制代码

#include "windows.h"
#include <stdio.h>
#include <iostream.h>
#include <tchar.h>
//声明一下psapi.dll中包含的这几个函数
typedef bool (_stdcall *EnumProcesses)( DWORD* pProcessIds, DWORD cb,DWORD* pBytesReturned );
typedef bool (_stdcall *EnumProcessModules)(HANDLE hProcess,HMODULE* lphModule,DWORD cb,LPDWORD lpcbNeeded
);
typedef DWORD (_stdcall *GetModuleFileNameEx)( HANDLE hProcess, HMODULE hModule, LPTSTR lpFilename,DWORD nSize
);
typedef DWORD (_stdcall *GetModuleBaseName)(HANDLE hProcess,HMODULE hModule,LPTSTR lpBaseName,DWORD nSize
);
typedef DWORD (_stdcall *GetProcessImageFileName)( HANDLE hProcess, LPTSTR lpImageFileName, DWORD nSize );
HMODULE h1=LoadLibrary("PSAPI.DLL");
EnumProcesses pEnumProcesses= (EnumProcesses)::GetProcAddress(h1,"EnumProcesses"); //注意大小写
EnumProcessModules pEnumProcessModules = (EnumProcessModules)GetProcAddress(h1, "EnumProcessModules");
GetModuleFileNameEx pGetModuleFileNameEx = (GetModuleFileNameEx)GetProcAddress(h1, "GetModuleFileNameExA");
GetModuleBaseName pGetModuleBaseName=
(GetModuleBaseName)GetProcAddress(h1,"GetModuleBaseNameA");
GetProcessImageFileName pGetProcessImageFileName=(GetProcessImageFileName)GetProcAddress(h1,"GetProcessImageFileNameA");
//注意第三个函数名GetModuleFileNameExA，在Dll里有以A和W结尾区分函数，A指采用的是ANSI字符串方式，W则是UNICODE方式。于是，我们可以用下面的语句枚举进程：
//不要忘记使用FreeLibrary 好多人都不使用
bool RaisePrivilege()
{
HANDLE hToken = NULL;
bool bRes = OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken );
if( !bRes )
{
cout<<"OpenProcessToken"<<endl;
return false;
}
TOKEN_PRIVILEGES tps = {0};
LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &tps.Privileges[0].Luid );
tps.PrivilegeCount = 1;
tps.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
bRes = AdjustTokenPrivileges( hToken, false, &tps, sizeof(tps), NULL, NULL );
if( bRes == 0 )
{
cout<<"AdjustTokenPrivileges false"<<endl;
return false;
}
CloseHandle( hToken );
return true;
}
void GetProcessPathById( DWORD PId )
{
TCHAR szProcessName[MAX_PATH] = _T("_Unknow_");
bool bRes = RaisePrivilege();
if( bRes )
{
HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, false, PId );
DWORD dw = GetLastError();
if( hProcess != NULL )
{
HMODULE hModule = NULL;
//DWORD dw = 0;
bool bGetModule = pEnumProcessModules( hProcess, &hModule, sizeof(HMODULE), &dw );
dw = GetLastError();
if( bGetModule )
{
int len = pGetModuleBaseName( hProcess, hModule, szProcessName, sizeof(szProcessName)/sizeof(TCHAR) );
}
}
CloseHandle( hProcess );
}
cout<<"PId:"<<PId<<"\t"<<"PathNam:"<<szProcessName<<endl;
}
void main()
{
//提升进程权限
RaisePrivilege();
for( int i = 0; i <0xffff; i++ )
{
HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, false, i );
if( hProcess )
{
char ProcessName[MAX_PATH] = {0};
pGetProcessImageFileName( hProcess, ProcessName, MAX_PATH );
cout<<"PID:"<<i<<"\t"<<"Path:"<<ProcessName<<endl;
}
}
::FreeLibrary(h1);
}

复制代码

#include "windows.h"
#include <stdio.h>
#include <iostream.h>
#include <tchar.h>
typedef struct _WTS_PROCESS_INFO {
DWORD SessionId;
DWORD ProcessId;
LPTSTR pProcessName;
PSID pUserSid;
} WTS_PROCESS_INFO, *PWTS_PROCESS_INFO;
typedef HANDLE (_stdcall *WTSOpenServer)( LPTSTR pServerName );
typedef bool (_stdcall *WTSEnumerateProcesses)(HANDLE hServer, DWORD Reserved, DWORD Version, PWTS_PROCESS_INFO* ppProcessInfo, DWORD* pCount);
//存放我们要的进程名和ID 存放ppProcessInfo里面WTS_PROCESS_INFO结构数量指针
HMODULE h1=LoadLibrary("wtsapi32.dll");
WTSOpenServer pWTSOpenServer =(WTSOpenServer)GetProcAddress(h1,"WTSOpenServerA");
WTSEnumerateProcesses pWTSEnumerateProcesses =
(WTSEnumerateProcesses)GetProcAddress(h1,"WTSEnumerateProcessesA");
void main()
{
char *szServerName="Li";
HANDLE h2=pWTSOpenServer(szServerName);
PWTS_PROCESS_INFO pWtspi;
DWORD dwCount;
if(!pWTSEnumerateProcesses(h2,0,1,&pWtspi,&dwCount))
{
printf("enum process error: %d\n",GetLastError());
return;
};
for (int i=0; i<dwCount;i++)
{
printf("PsId: %d\t\tPsName: %s\n",pWtspi[i].ProcessId,pWtspi[i].pProcessName);
}
}

复制代码

KMSRussian · 发表于 2012-2-12 20:32:47

killvxk的驱动查进程：
1.native api获得进程表a
2.通过activelist获得进程表b
3.通过pspCidTable获得进程表c
4.通过handletablelisthead获得进程表d
5.通过csrss的handletable用2种方法枚举获得进程表e和f
6.通过扫描当前进程的handletable获得进程表g
7.遍历表c的每一个进程的SessionProcessLinks获得进程表h
8.遍历表c的每一个进程Vm.WorkingSetExpansionLinks获得进程表i
9.通过Typelist分别取process和thread的表j和表k
10.通过表k得到进程表l
11.搜索内存中的threadobject和processobject得到进程表m
12.通过Wait/Dispatch得到进程表n
13.如果系统是Win2003以上遍历表c的每一个进程的MmProcessLinks得到表o
14.综合上面的进程表得到表p
15.对表p每一个进程做HandleTable，Vm.WorkXX,MmProcessXX,SessionProcessList扫描得到表q
16.枚举HWNDHandle得到进程表r
17.枚举JobObject得到表s
18.综合得表t,此时枚举结束~~
有空再整理下上面这些

Tesla.Angela · 发表于 2013-6-21 21:49:45

LZ好久没来了啊。

WIN64系统上在R0隐藏进程直接引发蓝屏，终结了“进程捉迷藏”这种无聊的游戏。

账号		自动登录	找回密码
密码			加入我们