
C++调用NTAPI枚举并强制关闭指定进程

#include <vector>

#include "../../RLib/RLib/native/RLib_Native.h"
#pragma comment(lib, "ntdll.lib")


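// One process whose image name matched `name`, together with the parent pid
// the kernel reported for it, so the parent's image name can be checked in a
// second pass over the same snapshot.
struct MatchedProcess {
	HANDLE pid;
	HANDLE parentPid;
};

// Visits every entry of a SystemProcessInformation buffer, in order.
// A `while (NextEntryOffset != 0)` loop silently skips the final entry
// (its NextEntryOffset is 0); this helper visits it too. The offset is applied
// to a char* so the arithmetic is correct on 32-bit and 64-bit builds alike,
// instead of round-tripping the pointer through a 32-bit integer.
template <class Fn>
static void for_each_process_entry(psystem_process_information first, Fn&& visit)
{
	for (auto entry = first; entry != nullptr; ) {
		visit(entry);
		if (entry->NextEntryOffset == 0) {
			break;
		}
		entry = reinterpret_cast<psystem_process_information>(
			reinterpret_cast<char*>(entry) + entry->NextEntryOffset);
	}
}

/// Enumerates all processes via NtQuerySystemInformation(SystemProcessInformation)
/// and returns the ids of every process whose image name equals `name`
/// (case-insensitive) and whose parent process, as recorded in
/// InheritedFromProcessId, is present in the same snapshot with image name
/// `parent_name`.
///
/// @param name         image file name of the processes to look for
/// @param parent_name  image file name the direct parent must carry
/// @return an Array<handle> of matching process ids (possibly empty) that the
///         caller owns; nullptr if the enumeration or the result allocation fails.
///
/// Caveat: InheritedFromProcessId is the parent's pid at creation time. Pids are
/// recycled, so if the original parent has exited, the entry found here may
/// belong to an unrelated process that reused the pid.
Array<handle> *found_if_process_by_name(LPCWSTR name IN, LPCWSTR parent_name IN)
{
	unsigned long bytes    = 0;   // size the kernel reports it needs
	unsigned long capacity = 0;   // size of `buffer` actually allocated
	ManagedMemoryBlock<char> buffer;

	// Process enumeration. The required size is only known after the first
	// call, and the process list can grow between two calls, so retry with a
	// larger buffer until the kernel accepts it. The length passed in must be
	// the real allocated size, not the previously reported requirement.
	for (;;) {
		auto status = NtQuerySystemInformation(SystemProcessInformation,
											   buffer.ToAny<psystem_process_information>(),
											   capacity,
											   &bytes);
		if (NT_SUCCESS(status)) {
			break;
		}
		if (status != STATUS_INFO_LENGTH_MISMATCH || bytes == 0) {
			return nullptr;  // genuine failure, or a size we cannot grow from
		}
		capacity = bytes * 2;  // headroom for processes created meanwhile
		buffer   = ManagedMemoryBlock<char>(capacity).SuppressFinalize();
	}

	auto firstEntry = buffer.ToAny<system_process_information>();
	if (firstEntry == nullptr) {
		return nullptr;
	}

	// Pass 1: collect every process whose image name matches `name`, with its
	// parent pid. A growable vector replaces the fixed 16-slot stack arrays, so
	// more than 16 matches can no longer overflow the stack.
	std::vector<MatchedProcess> matches;
	for_each_process_entry(firstEntry, [&](psystem_process_information entry) {
		// The idle process reports no image name; skip it before comparing.
		// NOTE(review): _wcsicmp assumes ImageName.Buffer is NUL-terminated,
		// which the kernel does for this information class — confirm if the
		// buffer is ever produced by another source.
		if (entry->ImageName.Buffer != NULL && _wcsicmp(entry->ImageName.Buffer, name) == 0) {
			matches.push_back(MatchedProcess{ entry->ProcessId, entry->InheritedFromProcessId });
		}
	});

	// Pass 2: keep a match only if the process carrying its parent pid has
	// image name `parent_name`. Results are appended in snapshot order.
	ManagedObject<Array<handle>> processIdList = new Array<handle>(16);
	if (processIdList.IsSatisfied() && !matches.empty()) {
		for_each_process_entry(firstEntry, [&](psystem_process_information entry) {
			if (entry->ImageName.Buffer == NULL
				|| _wcsicmp(entry->ImageName.Buffer, parent_name) != 0) {
				return;
			}
			for (const auto& match : matches) {
				if (match.parentPid == entry->ProcessId) {
					processIdList->Add(match.pid);
				}
			}
		});
	}

	// Ownership of the array passes to the caller.
	return processIdList.SuppressFinalize();
}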

//-------------------------------------------------------------------------

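/// Opens the process with id `pid` with PROCESS_TERMINATE access only.
///
/// @param pid  process id as stored in SYSTEM_PROCESS_INFORMATION::ProcessId
///             (a HANDLE-typed integer, not an object handle)
/// @return a handle the caller must release with CloseHandle, or NULL on
///         failure (Win32 error available via GetLastError()).
///
/// The handle is deliberately NOT inheritable: an inheritable PROCESS_TERMINATE
/// handle would be copied into any child process created while it is open.
/// HandleToULong performs the pid conversion without truncating a 64-bit
/// pointer through a 32-bit cast, which does not compile on x64.
HANDLE open_process_by_pid(HANDLE pid IN)
{
	return OpenProcess(PROCESS_TERMINATE, FALSE, HandleToULong(pid));
// 	HANDLE handle_opened;
// 	OBJECT_ATTRIBUTES oa = { 0 };
// 	CLIENT_ID cid        = { pid, 0 };
// 	auto status = NtOpenProcess(&handle_opened, PROCESS_TERMINATE, &oa, &cid);
// 	if (status != STATUS_SUCCESS) {
// 		Exception::SetLastError(RtlNtStatusToDosError(status));
// 		ManagedObject<exception> ex = Exception::GetLastException();
// 		return NULL;
// 	}
// 	return handle_opened;
}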

//-------------------------------------------------------------------------

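	// Force-quit every WINWORD.EXE whose parent is svchost.exe.
	// NOTE(review): the enclosing function is not visible in this excerpt; the
	// `return NULL` early exits below keep its original contract.
	ManagedObject<Array<handle>> processIdList = found_if_process_by_name(_T("WINWORD.EXE"), _T("svchost.exe"));
	if (processIdList && processIdList->Length > 0){
		foreachp(lppid, processIdList)
		{
			HANDLE process = open_process_by_pid(*lppid);
			if (process == NULL) {
				// OpenProcess failed (e.g. access denied); its Win32 error is
				// already in GetLastError(). Do not pass NULL on: NtTerminateProcess
				// treats a NULL handle as the calling process itself.
				return NULL;
			}
			auto status = NtTerminateProcess(process, STATUS_ALREADY_DISCONNECTED);
			// Release the PROCESS_TERMINATE handle regardless of outcome; the
			// original code leaked one handle per target process.
			CloseHandle(process);
			if (status != STATUS_SUCCESS){
				Exception::SetLastError(RtlNtStatusToDosError(status));
				ManagedObject<exception> ex = Exception::GetLastException();
				return NULL;
			} //if
		}
	} //if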
