C# - find parent process through P/Invoke NtQue...

最新推荐文章于 2024-10-19 16:02:10 发布
最新推荐文章于 2024-10-19 16:02:10 发布
阅读量163 收藏
点赞数
文章标签: c# c/c++
原文链接:https://my.oschina.net/u/854138/blog/90804
版权
C# - Find the process tree given the parent process id .
The problem with that approach is that it does not scale well because it has go through the process list repeately, however, from the internet search, we did find that we can use the P/Invoke method into the NtQueryInformationProcess. Here is information on how to use the it.

msdn - NtQueryInformationProcess 
Also, from codeproject, there is an example on how to use it (in C++ code)
codeproject - Get Process Info with NtQueryInformationProcess 

Here is the code, and I tried to add more things around the call to Format error messages if possible.

[StructLayout(LayoutKind.Sequential)]
  public struct ParentProcessUtilities
  {
    // these members must match PROCESS_BASIC_INFORMATION
    // you can find more information and example here :   http://www.codeproject.com/Articles/19685/Get-Process-Info-with-NtQueryInformationProcess
    // also, check this out:  http://msdn.microsoft.com/en-us/library/windows/desktop/ms684280(v=vs.85).aspx
    internal IntPtr Reserverd1;
    internal IntPtr pebBaseAddress;
    internal IntPtr Reserved2_0;
    internal IntPtr Reserved2_1;
    internal IntPtr UniqueProcessId;
    internal IntPtr InheritedFromUniqueProcessId;

    // there is a good site that tells you how you can use the P/Invoke from  C#
    //    http://www.pinvoke.net/default.aspx/kernel32.formatmessage
    [DllImport("Kernel32.dll", SetLastError=true)]
    private static extern uint FormatMessage(
      uint dwFalgs,
      IntPtr lpSource,
      uint dwMessageId,
      uint dwLanguageId,
      ref IntPtr lpBuffer,
      uint nSize,
      IntPtr Arguments);

    // from header files
    const uint FORMAT_MESSAGE_ALLOCATE_BUFFER = 0x00000100;
    const uint FORMAT_MESSAGE_IGNORE_INSERTS = 0x00000200;
    const uint FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000;
    const uint FORMAT_MESSAGE_ARGUMENT_ARRAY = 0x00002000;
    const uint FORMAT_MESSAGE_FROM_HMODULE = 0x00000800;
    const uint FORMAT_MESSAGE_FROM_STRING = 0x00000400;


    // you will need to p/invoke the NtQueryProcessInformation
    // see pinvoke.net for more information.
    //
    [DllImport("ntdll.dll")]
    private static extern int NtQueryInformationProcess(
      IntPtr processHandle,
      int processInformationClass,
      ref ParentProcessUtilities processInformation,
      int processInformationLength, out int returnLength);

    // you may use the LocalFree to free memory (usually the buffer) allocated
    // on unmanaged world
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern IntPtr LocalFree(IntPtr hMem);

    // built around the p/invoke to get the parent process
    /// <summary>
    /// Gets the parent process of the current process.
    /// </summary>
    /// <returns>An instance of the Process class.</returns>
    public static Process GetParentProcess()
    {
      return GetParentProcess(Process.GetCurrentProcess().Id);
    }

     /// <summary>
     /// Gets the parent process of specified process.
     /// </summary>
     /// <param name="id">The process id.</param>
     /// <returns>An instance of the Process class.</returns>
     public static Process GetParentProcess(int id)
     {
       // you cannot do this, because it you cannot expect the process id 
       // can automatically convert to system internal handle
       //IntPtr handle = new IntPtr(id);
       //return GetParentProcess(handle);
       // you will need to get the handle through the process class
       Process process = Process.GetProcessById(id);
       return GetParentProcess(process.Handle);
     }

     /// <summary>
     /// Gets the parent process of a specified process.
     /// </summary>
     /// <param name="handle">The process handle.</param>
     /// <returns>An instance of the Process class.</returns>
     public static Process GetParentProcess(IntPtr handle)
     {
       var pbi = new ParentProcessUtilities();

       int returnLength;
       int status = NtQueryInformationProcess(handle,
                                           0,
                                           ref pbi,
                                           Marshal.SizeOf(pbi), // you cannot use the "sizeof(ParentProcessUtilities)"
                                           out returnLength);
       if (status != 0)
       {
         IntPtr lpMsgBuf = IntPtr.Zero;

         uint dwFlags = FormatMessage(
            FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
            IntPtr.Zero,
            (uint) Marshal.GetLastWin32Error(), // (uint) Marshal.GetLastWin32Error(),
            0,
            ref lpMsgBuf,
            0,
            IntPtr.Zero);

         if (dwFlags == 0)
         {
           // handle the error
           int le = Marshal.GetLastWin32Error();
           throw new Win32Exception(status);
         }
         else
         {
           string sRet = Marshal.PtrToStringAnsi(lpMsgBuf);
           // free the buffer
           lpMsgBuf = LocalFree(lpMsgBuf);
           Console.WriteLine("Error : {0}", sRet);
         }
       }
       try
       {
         return Process.GetProcessById(pbi.InheritedFromUniqueProcessId.ToInt32());
       }
       catch (ArgumentException)
       {
         // not found
         return null;
       }
     }
Below is the code that I used to drive this piece of code. 
static void Main(string[] args)
    {
      //GetProcessAndChildrenMain();
      if (args.Length < 1)
      {
        Console.WriteLine("Usage : ProcessTree <pid>");
        return;
      }
      Process process = ParentProcessUtilities.GetParentProcess(Convert.ToInt32(args[0]));
      if (process != null)
      {
        Console.WriteLine(process.Id + " " + process.MainModule.ModuleName);
      }

    }


转载于:https://my.oschina.net/u/854138/blog/90804

chengmi1845
关注
A002-185-2537-翁格婉(个人期末作业)
qq_33680482的博客
01-02 3419
Excel查找结合项目主题说明1.作业查词说明1.1第一次查词1.1.1Requirements baseline(需求基线)1.1.2Enterprise Architect(企业架构师)1.1.3Unified Modeling Language( 统一建模语言)1.1.3Unified Modeling Language( 统一建模语言)1.1.5Asynchronous Processes(异步进程)1.1.6association class(关联类)1.1.7behavioral model a
6.S081-Lab: Xv6 and Unix utilities 操作系统实验
Valishment的博客
06-19 857
学习操作系统的时候,买了一本人民邮电出版社的-Operating Systems: Three Easy Pieces 中译版(操作系统导论)。 从书中学到了很多关于操作系统的思想,出现一个问题,思考策略,并比较策略之间的利弊。整本书读起来十分有趣,当然我不是在这里打广告。 当时只是学习了理论知识,书中所给的练习以及后面的实验都没有做过,当时在附录后面看到:xv6 实验,一直没来做。 这些天,从网上找到了 xv6 实验对应的课程 6.S081,课程的 lab 是重点。 这个 Lab 主要是 Shell 的一
C# - Find the process tree given the parent pro...
11-21 105
It is common that you may want to find the process tree, where given the name of the process, you would like to find out its children and children...
C#获得父进程PID编号的完整源源码
weixin_34191845的博客
01-17 1184
将内容过程中比较重要的一些内容片段做个记录,如下内容段是关于C#获得父进程PID编号的完整源的内容,应该能对大伙有一些用途。using System; using System.Diagnostics; namespace RobvanderWoude { class GetMyPID { static int Main( string[] args ) { #region C...
【Agilepoint】Agilepoint Process Utilities 学习
kjc的博客
06-15 481
Agilepoint Process Utilities 学习Add Date Time activity(添加日期时间活动)Calculate Date Difference activity(计算日期差异活动)Cancel Tasks activity(取消任务活动)Convert Date Format activity(转换日期格式活动)Create XML Payload activity(创建XML有效载荷活动)External Command activity(外部命令活动)Inline Fu
文件比较 转自http://www.codeproject.com/cpp/vdiff.asp
chinesesword的专栏
01-11 3257
var LSPT=""; LSPT += "?durl=" + escape(document.URL); LSPT += "&hostname=" + location.hostname; LSPT += "&url=" + location.pathname; LSPT += "&query=" + escape(location.search) + escape(l
A comparison of C# vs. java
weixin_30546933的博客
07-17 1212
转发上:http://www.25hoursaday.com/CsharpVsJava.html#friends A COMPARISON OF MICROSOFT'S C# PROGRAMMING LANGUAGE TO SUN MICROSYSTEMS' JAVA PROGRAMMING LANGUAGE By Dare Obasanjo Introducti...
使用powershell提权的一些技巧
weixin_34392435的博客
06-21 1万+
原文:http://fuzzysecurity.com/tutorials/16.html 翻译:http://www.myexception.cn/windows/1752546.html https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1 然后是一个小技巧: ...
基于Android4.0.3的各种工具信息整理(共130个)
热门推荐
草帽的后花园
11-06 6万+
昨日下午,老大交给一个任务,就是对android编译出来的build/host/linux-x86/bin下面的各种可执行程序进行一个了解 于是我就花了一天的时间来搜集信息,大致有两个文件 一个是比较常用的,一个是比较齐全的,当然有部分没找到(例如test_开头的部分,大部分都是从源码里面弄出来的),也没有对其进行了解 所以有错误请谅解,由于CSDN界面比较小,可能会出现显示不全的问题,如果
Uedit32高亮文件(加强)
weixin_34005042的博客
07-02 3229
替换根目录下 wordfile.txt//////////////////////////////////////////////////////////////////////////////////////////////L1"C/C++" C_LANG Line Comment = // Block Comment On = /* Block Comment Off = */ Escape ...
C#process进程的处理
t15032286291的博客
07-18 1万+
查找进程、启用进程、关闭进程 using …… using …… using System.Diagnostics;   //启用进程 void process() {  Process p;//实例化一个Process对象  p=Process.Start(@"E:\1.txt");//要开启的进程(或 要启用的程序),括号内为绝对路径  p.Kill();//结束进程 }   //查...
C#获取进程的主窗口句柄
weixin_34283445的博客
10-01 475
通过调用Win32 API实现。 public class User32API {     private static Hashtable processWnd = null;     public delegate bool WNDENUMPROC(IntPtr hwnd, uint lParam);     static User32API()     {       ...
C#】WPF MVVM 简单示例代码
-凌凌漆-的博客
10-16 441
【代码】【C#】WPF MVVM 简单示例代码。
【读书笔记-《30天自制操作系统》-27】Day28
Ocean1994的博客
10-13 969
本片内容围绕着文件操作与文字显示展开,开发了文件操作的API,并实现了日文文字的显示。
C# -- Abstract、Virtual、interface
qq_41674581的博客
10-16 408
2)接口方法默认是公有方法,不能用public abstract等修饰,无字段变量,无构造函数。4)接口和抽象类最本质的区别:抽象类是一个不完全的类,是对对象的抽象,而接口是一种行为规范。2)基类中定义了virtual方法,派生类中使用override重写该方法。2)抽象方法的实现必须在派生类中使用override关键字来实现。1)abstract关键字只能用在抽象类中修饰方法,并且没有具体的实现。1)interface用来声明接口,只提供一些方法规约,不提供方法主体。3)接口方法可包含参数。
C#从零开始学习(类型和引用)(4)
最新发布
Hikigaya_Hachi的博客
10-19 1033
C#类型和引用学习
Invoke-WebRequest -Uri https://aka.ms/wslubuntu2004 -OutFile Ubuntu.appx -UseBasicParsing
07-24
该命令使用 `Invoke-WebRequest` 函数来下载指定的 URL,并将文件保存为 `Ubuntu.appx`。参数 `-UseBasicParsing` 用于指定仅使用基本的解析功能来处理 HTML 内容。这样可以提高命令的执行效率。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值