这个得分32位和64位系统。由于QQ的保护驱动挂钩了NtOpenProcess,因此在32位下无法在用户态通过获取QQ加载模块来判断是否是登陆框。
先来64位的:
BOOL IsQQPasswordProcessInWow64(__in DWORD aProcessId)
{
int errCode = ERROR_SUCCESS;
TCHAR dbgStr[1024] = {0};
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, aProcessId);
if (hProcess == NULL)
{
ZeroMemory(dbgStr, 1024 * sizeof(TCHAR));
_stprintf_s(dbgStr, 1024, _T("OpenProcess failed . errCode : %d\n"), GetLastError());
tcout<<dbgStr;
OutputDebugString(dbgStr);
return FALSE;
}
TCHAR processImagePath[MAX_PATH] = {0};
DWORD ret = GetProcessImageFileName(hProcess, processImagePath, MAX_PATH);
if (ret == 0)
{
ZeroMemory(dbgStr, 1024 * sizeof(TCHAR));
_stprintf_s(dbgStr, 1024, _T("GetProcessImageFileName failed . errCode : %d\n"), GetLastError());
tcout<<dbgStr;
OutputDebugString(dbgStr);
}
TCHAR processName[MAX_PATH] = {0};
GetModuleNameFromPath(processImagePath, processName);
_tcsupr_s(processName, MAX_PATH);
HMODULE hMods[1024] = {0};
DWORD cbm = sizeof(hMods);
DWORD neededm = 0;
BOOL b2 = EnumProcessModules(hProcess, hMods, cbm, &neededm);
if (!b2)
{
ZeroMemory(dbgStr, 1024 * sizeof(TCHAR));
_stprintf_s(dbgStr, 1024, _T("EnumProcessModules failed . errCode : %d\n"), GetLastError());
tcout<<dbgStr;
OutputDebugString(dbgStr);
CloseHandle(hProcess);
return FALSE;
}
DWORD modulesCounts = neededm / sizeof(DWORD);
BOOL isFind = FALSE;
for (DWORD j = 0; j < modulesCounts; ++j)
{
TCHAR moduleName[MAX_PATH] = {0};
DWORD ret2 = GetModuleFileNameEx(hProcess, hMods[j], moduleName, MAX_PATH);
if (ret2 == 0)
{
ZeroMemory(dbgStr, 1024 * sizeof(TCHAR));
_stprintf_s(dbgStr, 1024, _T("\tGetModuleFileNameEx failed. errCode : %d\n"), GetLastError());
tcout<<dbgStr;
OutputDebugString(dbgStr);
continue;
}
ZeroMemory(dbgStr, 1024 * sizeof(TCHAR));
TCHAR name[MAX_PATH] = {0};
GetModuleNameFromPath(moduleName, name);
_tcsupr_s(name, MAX_PATH);
if (_tcscmp(name, MODULE_NAME) == 0)
{
isFind = TRUE;
break;
}
}
CloseHandle(hProcess);
return isFind;
}
再来32位的:
#define QQPWDEDIT_GUID _T("E72C6EAA-E6A2-404D-B469-5574831884D1")
BOOL isGUID = FALSE;
BOOL CALLBACK EnumWindowsProc(HWND hwnd,DWORD lParam)
{
DWORD mpid;
GetWindowThreadProcessId(hwnd, &mpid);
if (mpid == lParam)
{
int i = GetWindowTextLength(hwnd);
TCHAR szhello[MAX_PATH] = {0};
GetWindowText(hwnd, szhello, i + 1);
if (i > 0)
{
_tcsupr_s(szhello, MAX_PATH);
if (_tcscmp(QQPWDEDIT_GUID, szhello) == 0)
isGUID = TRUE;
}
}
return TRUE;
}
BOOL IsQQPasswordProcess(__in DWORD aProcessId)
{
BOOL ret = FALSE;
isGUID = FALSE;
EnumWindows((WNDENUMPROC)EnumWindowsProc, aProcessId);
return isGUID;
}