用 ToolHelp API 取进程列表、获取父进程的代码,NT 下无效
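uses TLHelp32;

// Record declaration as quoted from the TLHelp32 unit (shown for reference).
tagPROCESSENTRY32 = packed record
  dwSize: DWORD;               // caller sets this to SizeOf(record) before Process32First
  cntUsage: DWORD;
  th32ProcessID: DWORD;        // this process
  th32DefaultHeapID: DWORD;
  th32ModuleID: DWORD;         // associated exe
  cntThreads: DWORD;
  th32ParentProcessID: DWORD;  // this process's parent process
  pcPriClassBase: Longint;     // base priority of process's threads
  dwFlags: DWORD;
  szExeFile: array[0..MAX_PATH - 1] of Char; // path
end;

// Fragment: walks a ToolHelp snapshot and records the parent PID of the
// current process. Found, PnName and ParentProc are declared in the part the
// original post elided.
var
  Pn: TProcessEntry32;
  sHandle: THandle;
  // ... (further declarations elided in the original post)
begin
  // ... (elided in the original post)

  // Only the process list is walked, so a process-only snapshot is enough.
  sHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if sHandle = INVALID_HANDLE_VALUE then
    Exit;
  try
    // Process32First fails unless dwSize holds the size of the record.
    Pn.dwSize := SizeOf(Pn);
    Found := Process32First(sHandle, Pn);
    while Found do
    begin
      // Kept from the original; the elided code may still read PnName.
      PnName := UpperCase(ExtractFileName(Pn.szExeFile));
      // Match on the PID rather than the image name: several processes can
      // share one executable name, and a name match could pick the wrong one.
      if Pn.th32ProcessID = GetCurrentProcessId then
      begin
        // The stored value is the creator's PID at creation time. That process
        // may have exited and its PID may have been reused, so do not treat it
        // as proof of who started this process.
        ParentProc := Pn.th32ParentProcessID;
        // ... (elided in the original post)
      end;
      Found := Process32Next(sHandle, Pn);
    end;
  finally
    // Snapshot handles are kernel objects and must be released.
    CloseHandle(sHandle);
  end;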
所以用 ntdll.dll 中的 NtQueryInformationProcess 又写了一个
- {*******************************************************}
- { }
- { Parent_P.dpr }
- { Shows how to retrieve the parent process ID on WinNT }
- { }
- { (c) by explorer 20070905 }
- { }
- { http://explorer.iteye.com }
- { }
- {*******************************************************}
- program parent_P;
- {$APPTYPE CONSOLE}
- uses
- SysUtils,
- Windows;
type
  // Buffer filled by NtQueryInformationProcess for the ProcessBasicInformation
  // class. Every field is declared 32 bits wide, so the record is 24 bytes.
  // NOTE(review): that layout fits a 32-bit build; a 64-bit target would need
  // pointer-sized fields here - confirm before compiling for Win64.
  PROCESS_BASIC_INFORMATION = packed record
    ExitStatus,
    PebBaseAddress,
    AffinityMask,
    BasePriority: DWORD;
    UniqueProcessId,
    InheritedFromUniqueProcessId: ULONG; // PID recorded as the creator of the process
  end;

  // Signature used to call ntdll's NtQueryInformationProcess through a
  // pointer resolved at run time.
  TNtQueryInformationProcess = function(
    ProcessHandle: THandle;
    InformationClass: UINT;
    ProcessInformation: Pointer;
    ProcessInformationLength: ULONG;
    ReturnLength: PULONG): DWORD; stdcall;

const
  // Information class passed to NtQueryInformationProcess to request the
  // PROCESS_BASIC_INFORMATION record.
  ProcessBasicInformation = 0;
- // ntdll!NtQueryInformationProcess (NT specific!)
- //
- // The function copies the process information of the
- // specified type into a buffer
- //
- // NTSYSAPI
- // NTSTATUS
- // NTAPI
- // NtQueryInformationProcess(
- // IN HANDLE ProcessHandle, // handle to process
- // IN PROCESSINFOCLASS InformationClass, // information type
- // OUT PVOID ProcessInformation, // pointer to buffer
- // IN ULONG ProcessInformationLength, // buffer size in bytes
- // OUT PULONG ReturnLength OPTIONAL // pointer to a 32-bit
- // // variable that receives
- // // the number of bytes
- // // written to the buffer
- // );
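// Returns the parent process ID recorded for process dwId, or High(DWORD)
// when ntdll's NtQueryInformationProcess cannot be resolved, the process
// cannot be opened, or the query fails.
//
// The value is the PID stored when the process was created. That parent may
// already have exited and its PID may have been reused, and the creating
// process can nominate a different parent, so do not use the result on its own
// as a trust or detection signal.
function GetParentProcessID(dwId: DWORD): DWORD;
const
  // Narrower access right available on Windows Vista and later; declared
  // locally because older Windows units do not define it.
  PROCESS_QUERY_LIMITED_INFORMATION = $1000;
var
  NtQueryInformationProcess: TNtQueryInformationProcess;
  hNtDll: HMODULE;
  hProcess: THandle;
  status: DWORD;
  pbi: PROCESS_BASIC_INFORMATION;
begin
  Result := High(DWORD);

  // ntdll is already mapped into every process, so no LoadLibrary is needed.
  hNtDll := GetModuleHandle('ntdll');
  if hNtDll = 0 then
    Exit;
  @NtQueryInformationProcess := GetProcAddress(hNtDll, 'NtQueryInformationProcess');
  if not Assigned(NtQueryInformationProcess) then
    Exit;

  // Ask for the least access that can answer the query; fall back to the
  // broader right on systems that do not know the limited one.
  hProcess := OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, dwId);
  if hProcess = 0 then
    hProcess := OpenProcess(PROCESS_QUERY_INFORMATION, False, dwId);
  if hProcess = 0 then
    Exit;
  try
    FillChar(pbi, SizeOf(pbi), 0);
    status := NtQueryInformationProcess(hProcess,
      ProcessBasicInformation,
      @pbi,
      SizeOf(pbi),
      nil);
    // 0 is STATUS_SUCCESS; any other status leaves the failure sentinel.
    if status = 0 then
      Result := pbi.InheritedFromUniqueProcessId;
  finally
    // Release the handle even if the query raises.
    CloseHandle(hProcess);
  end;
end;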
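var
  dwID, dwParent: DWORD;
  pidArg: Int64;
begin
  // Console entry point: parent_P <ProcId> prints the parent PID of ProcId.
  if ParamCount < 1 then
  begin
    Writeln('Usage: parent_P ProcId'#13#10);
    Exit;
  end;

  // Reject anything that is not a number in the DWORD range, so a typo is
  // reported instead of being silently treated as PID 0.
  pidArg := StrToInt64Def(ParamStr(1), -1);
  if (pidArg < 0) or (pidArg > High(DWORD)) then
  begin
    Writeln('Invalid process ID: ', ParamStr(1));
    ExitCode := 1;
    Exit;
  end;
  dwID := DWORD(pidArg);

  // High(DWORD) is GetParentProcessID's failure sentinel, not a real PID.
  dwParent := GetParentProcessID(dwID);
  if dwParent = High(DWORD) then
  begin
    Writeln(Format('Could not query parent PID for %d', [dwID]));
    ExitCode := 1;
    Exit;
  end;

  Writeln(Format('Parent PID for %d is %d', [dwID, dwParent]));
end.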