扫一扫
分享文章到微信
扫一扫
关注官方公众号
至顶头条
在WIN 9X下一些黑客工具利用了未公开的API函数实现了隐藏自身,不在任务列表中出现的功能,要把它们找出来,同样也需要用到未公开的TOOLHELP32系列函数。因操作系统的不同NT下遍历进程则用PSAPI函数来实现,下面给出完整实列。
Process.h
//----------------------------
#ifndef Unit1H
#define Unit1H
//----------------------------
#include
#include
#include
#include
#define TH32CS_SNAPPROCESS 0x00000002 //快照进程
#define PROCESS_HANDLE_NAME 255
//---------------------------------------------------------------------------
typedef struct tagPROCESSENTRY32 //自定义TOOLHELP32结构
{
DWORD dwSize;
DWORD cntUsage;
DWORD th32ProcessID; //进程ID
DWORD th32DefaultHeapID;
DWORD th32ModuleID;
DWORD cntThreads;
DWORD th32ParentProcessID;
LONG pcPriClassBase;
DWORD dwFlags;
TCHAR szExeFile[MAX_PATH]; //进程文件名
} PROCESSENTRY32;
typedef PROCESSENTRY32 * LPPROCESSENTRY32;
//以下定义要从KERENL32.DLL中取出的TOOLHELP32函数的函数指针
HANDLE (WINAPI *CreateToolhelp32Snapshot)(DWORD dwFlags,DWORD th32PD);
BOOL (WINAPI *Process32First)(HANDLE hSnapshot,LPPROCESSENTRY32 pe);
BOOL (WINAPI *Process32Next)(HANDLE hSnapshot,LPPROCESSENTRY32 pe);
//以下定义要从PSAPI.DLL中取出函数的函数指针
BOOL (WINAPI *EnumProcesses)(DWORD* lpidProcess,DWORD cb,DWORD *cbNeeded);
DWORD (WINAPI *GetModuleFileNameExA)(HANDLE hProcess,HMODULE hModule,LPTSTR lpstrFileName,DWORD nSize);
class TForm1 : public TForm
{
__published: // IDE-managed Components
TButton *FindAllProcessFileName;
TListBox *ListBox1;
void __fastcall FindAllProcessFileNameClick(TObject *Sender);
void __fastcall FormResize(TObject *Sender);
void __fastcall Button1Click(TObject *Sender);
void __fastcall ListBox1Click(TObject *Sender);
private: // User declarations
public: // User declarations
__fastcall TForm1(TComponent* Owner);
};
//---------------------------------------------------------------------------
extern PACKAGE TForm1 *Form1;
//---------------------------------------------------------------------------
#endif
Process.cpp
//---------------------------------------------------------------------------
#include
#pragma hdrstop
#include "Unit1.h"
//---------------------------------------------------------------------------
#pragma package(smart_init)
#pragma resource "*.dfm"
TForm1 *Form1;
//定义变量
HANDLE process[255];
PROCESSENTRY32 p32;
DWORD process_ids[255];
DWORD num_processes;
TCHAR file_name[MAX_PATH];
TCHAR class_name[MAX_PATH];
unsigned i;
//---------------------------------------------------------------------------
//初始化TOOLHELP32
BOOL InitToolHelp32()
{
//动态调用
HINSTANCE DLLinst=LoadLibrary("KERNEL32.DLL");
if(DLLinst)
{
//取各函数在KERNEL32中的地址
CreateToolhelp32Snapshot=(HANDLE(WINAPI *)(DWORD dwFlags,DWORD th32PD))
GetProcAddress(DLLinst,"CreateToolhelp32Snapshot");
Process32First=(BOOL(WINAPI *)(HANDLE hSnapshot,LPPROCESSENTRY32 pe))
GetProcAddress(DLLinst,"Process32First");
Process32Next=(BOOL(WINAPI *)(HANDLE hSnapshot,LPPROCESSENTRY32 pe))
GetProcAddress(DLLinst,"Process32Next");
if((!(UINT)CreateToolhelp32Snapshot)||(!(UINT)Process32First)||(!(UINT)Process32Next))
return FALSE;
else
return TRUE;
}
return FALSE;
}
//初始化PSAPI
BOOL InitPSAPI()
{
HINSTANCE PSAPI=LoadLibrary("PSAPI.DLL");
if(NULL==PSAPI)
return FALSE;
EnumProcesses=(BOOL(WINAPI *)(DWORD* lpidProcess,DWORD cb,DWORD *cbNeeded))
GetProcAddress(PSAPI,"EnumProcesses");
GetModuleFileNameExA=(DWORD(WINAPI *)(HANDLE hProcess,HMODULE hModule,LPTSTR lpstrFileName,DWORD nSize))
GetProcAddress(PSAPI,"GetModuleFileNameExA");
if(NULL == EnumProcesses||NULL == GetModuleFileName)
return FALSE;
else
return TRUE;
}
__fastcall TForm1::TForm1(TComponent* Owner)
: TForm(Owner)
{
}
//---------------------------------------------------------------------------
void __fastcall TForm1::FindAllProcessFileNameClick(TObject *Sender)
{
OSVERSIONINFO osinfo;
osinfo.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
//取当前操作系统类型
if(GetVersionEx(&osinfo))
{
switch(osinfo.dwPlatformId)
{
//当前操作系统是WIN9X
case VER_PLATFORM_WIN32_WINDOWS:
if(InitToolHelp32())
{
ListBox1->Clear();
p32.dwSize=sizeof(PROCESSENTRY32);
//初始化TOOLHELP32快照
HANDLE pName=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
//开始查找
BOOL Next=Process32First(pName,&p32);
i=0;
//遍历进程
while(Next)
{
//显示进程
ListBox1->Items->Add(p32.szExeFile);
//根据进程ID获取句并
process[i]=OpenProcess(PROCESS_TERMINATE,0,p32.th32ProcessID);
//继续查找
Next=Process32Next(pName,&p32);
i++;
}
CloseHandle(pName);
}
break;
//当前操作系统是NT
case VER_PLATFORM_WIN32_NT:
if(InitPSAPI())
{
ListBox1->Clear();
//获取当前进程个数
EnumProcesses(process_ids,sizeof(process_ids),&num_processes);
//遍历进程
for(i=0; i {
//根据进程ID获取句并
process[i]=OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ
,0,process_ids[i]);
//通过句并获取进程文件名
if(GetModuleFileNameExA(process[i],NULL,file_name,sizeof(file_name)))
ListBox1->Items->Add(file_name);
}
}
break;
}
}
}
//---------------------------------------------------------------------------
void __fastcall TForm1::ListBox1Click(TObject *Sender)
{
int iCount;
iCount=ListBox1->ItemIndex;
ListBox1->Hint=ListBox1->Items->Strings[iCount];
}
//---------------------------------------------------------------------------
else ShowMessage("初始化TOOLHELP32失败");
}
如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。
京公网安备 11010802021500号