VC++实现枚举进程与模块

               

#pragma once#define _WIN32_WINNT 0x0500 #include"windows.h"#include"tlhelp32.h"#include"stdio.h"#include"NativeApi.h"#include"wchar.h"#include"psapi.h"//SDK6.0#pragma comment(lib,"psapi.lib")SDK6.0,不知道为什么vc6好像没有自带这个头文件？？int GetUserPath(WCHAR* szModPath);BOOL GetProcessModule(DWORD dwPID){    BOOL bRet    =    FALSE;    BOOL bFound    =    FALSE;    HANDLE hModuleSnap = NULL;    MODULEENTRY32 me32 ={0};     hModuleSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,dwPID);//创建进程快照    if(hModuleSnap == INVALID_HANDLE_VALUE) {     printf("获取模块失败!\n");  return FALSE; }     me32.dwSize = sizeof(MODULEENTRY32);    if(::Module32First(hModuleSnap,&me32))//获得第一个模块 {  do{      printf("方法1列模块名：%s\n",me32.szExePath);  }while(::Module32Next(hModuleSnap,&me32)); }//递归枚举模块   CloseHandle(hModuleSnap); return bFound;}bool ForceLookUpModule(DWORD dwPID){  typedef DWORD( WINAPI *FunLookModule)(  HANDLE ProcessHandle,  DWORD BaseAddress,  DWORD MemoryInformationClass,  DWORD MemoryInformation,  DWORD MemoryInformationLength,  DWORD ReturnLength ); HMODULE hModule = GetModuleHandle ("ntdll.dll" ) ; if(hModule==NULL) {   return FALSE; }    FunLookModule ZwQueryVirtualMemory=(FunLookModule)GetProcAddress(hModule,"ZwQueryVirtualMemory"); if(ZwQueryVirtualMemory==NULL) {  return FALSE; } HANDLE hProcess=OpenProcess(PROCESS_QUERY_INFORMATION,1,dwPID); if(hProcess==NULL)  return FALSE; PMEMORY_SECTION_NAME Out_Data=(PMEMORY_SECTION_NAME) malloc(0x200u); DWORD retLength; WCHAR Path[256]={0}; wchar_t wstr[256]={0};  for(unsigned int i=0;i<0x7fffffff;i=i+0x10000) {   if( ZwQueryVirtualMemory(hProcess,(DWORD)i,2,(DWORD)Out_Data,512,(DWORD)&retLength)>0)  {    if(!IsBadReadPtr((BYTE*)Out_Data->SectionFileName.Buffer,1))   {    if(((BYTE*)Out_Data->SectionFileName.Buffer)[0]==0x5c)    {     if(wcscmp(wstr, Out_Data->SectionFileName.Buffer))           {         _wsetlocale(0,L"chs");           GetUserPath(Out_Data->SectionFileName.Buffer);      wprintf(L"方法2列模块%s\n",Out_Data->SectionFileName.Buffer);           }     wcscpy(wstr,   Out_Data->SectionFileName.Buffer);    }       }     } } CloseHandle(hProcess); return TRUE; }int GetUserPath(WCHAR* szModPath){    //\Device\HarddiskVolume1,   WCHAR Path[256]={0}; WCHAR* Temp3=new WCHAR[3];  Temp3[2]='\0';  Temp3[1]=':'; THead* phead=new THead; phead->Next=NULL; phead->Num=szModPath[22]; for(int i='C';i<='Z';i++) {Temp3[0]=i; if(QueryDosDeviceW(Temp3,Path,30))  if(phead->Num==Path[22])  {     phead->Disk=(WCHAR)i;   break;  }   }        szModPath[0]=phead->Disk;    szModPath[1]=':';    szModPath[2]='\0';       wcscpy(Path,szModPath+23);    wcscat(szModPath,Path);        delete phead;    delete Temp3;         return 0;}BOOL EnableDebugPrivilege(BOOL fEnable)//这个用于提权的{   BOOL fOk = FALSE;    HANDLE hToken;  if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,&hToken)) {     TOKEN_PRIVILEGES tp;  tp.PrivilegeCount = 1;  LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);  tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;  AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);  fOk = (GetLastError() == ERROR_SUCCESS);  CloseHandle(hToken); } else {  return 0; } return(fOk);}void EnumModlueAll(DWORD dwPID){    HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,false,dwPID); if(hProcess==INVALID_HANDLE_VALUE) { printf(" open process failed!\n"); return; } DWORD size=0,ret=0; EnumProcessModules(hProcess,NULL,size,&ret); HMODULE *parry=(HMODULE*)malloc(ret+4); memset(parry,0,ret+4); if(EnumProcessModules(hProcess,parry,ret+4,&ret)) {  char* path=new char[MAX_PATH];  memset(path,0,MAX_PATH);  UINT i=0;    while(GetModuleFileNameEx(hProcess,parry[i],path,MAX_PATH))  {   printf("方法3模块：%s\n",path);   memset(path,0,MAX_PATH);   i++;  }  delete path;   } free(parry);  CloseHandle(hProcess);}void EnumModuleEx(DWORD dwPID){    DWORD status; HMODULE hMod=GetModuleHandle("ntdll.dll"); RTLCREATEQUERYDEBUGBUFFER RtlCreateQueryDebugBuffer=(RTLCREATEQUERYDEBUGBUFFER )GetProcAddress(hMod,"RtlCreateQueryDebugBuffer"); RTLQUERYPROCESSDEBUGINFORMATION RtlQueryProcessDebugInformation=(RTLQUERYPROCESSDEBUGINFORMATION)GetProcAddress(hMod,"RtlQueryProcessDebugInformation"); RTLDESTROYDEBUGBUFFER RtlDestroyQueryDebugBuffer =(RTLDESTROYDEBUGBUFFER )GetProcAddress(hMod,"RtlDestroyQueryDebugBuffer"); if((hMod==NULL)||(RtlDestroyQueryDebugBuffer==NULL)||(RtlQueryProcessDebugInformation==NULL)||(RtlCreateQueryDebugBuffer==NULL)) {  printf("函数定位失败！\n");  return ; }   PDEBUG_BUFFER Buffer=RtlCreateQueryDebugBuffer(0,FALSE); status=RtlQueryProcessDebugInformation(dwPID,PDI_MODULES ,Buffer); if(status<0) {   printf("RtlQueryProcessDebugInformation函数调用失败，进程开了保护\n");    return ; } ULONG count=*(PULONG)(Buffer->ModuleInformation); ULONG hModule=NULL; PDEBUG_MODULE_INFORMATION ModuleInfo=(PDEBUG_MODULE_INFORMATION)((ULONG)Buffer->ModuleInformation+4); for(ULONG i=0;i<count;i++) {  printf("方法4列出的模块：%s\n",ModuleInfo->ImageName);  ModuleInfo++; }  RtlDestroyQueryDebugBuffer(Buffer);   }void EnumSelfModule(){ void *PEB         = NULL,  *Ldr         = NULL,  *Flink       = NULL,  *p           = NULL,  *BaseAddress = NULL,  *FullDllName = NULL; printf("列举自身模块！\n"); __asm {  mov     eax,fs:[0x30]   mov     PEB,eax } printf( "PEB   = 0x%08X\n", PEB ); Ldr   = *( ( void ** )( ( unsigned char * )PEB + 0x0c ) ); printf( "Ldr   = 0x%08X\n", Ldr ); Flink = *( ( void ** )( ( unsigned char * )Ldr + 0x0c ) ); printf( "Flink = 0x%08X\n", Flink ); p     = Flink; do {  BaseAddress = *( ( void ** )( ( unsigned char * )p + 0x18 ) );  FullDllName = *( ( void ** )( ( unsigned char * )p + 0x28 ) );  printf( "p     = 0x%08X 0x%08X ", p, BaseAddress );  wprintf( L"%s\n", FullDllName );  p = *( ( void ** )p ); } while ( Flink != p ); return; }#define PAGE_SIZE 0x1000void  Search();bool IsValidModule(ULONG i);bool PrintModule();void main();bool IsValidModule(byte* i){   if(IsBadReadPtr((void*)i,sizeof(IMAGE_DOS_HEADER)))return false;IMAGE_DOS_HEADER *BasePoint=(IMAGE_DOS_HEADER *)i;PIMAGE_NT_HEADERS32 NtHead=(PIMAGE_NT_HEADERS32)(i+BasePoint->e_lfanew);if(IsBadReadPtr((void*)NtHead,PAGE_SIZE))return false;if((NtHead->FileHeader.Characteristics&IMAGE_FILE_DLL)==0)//过滤掉。exe文件return false;if(NtHead->OptionalHeader.Subsystem==0x2)return true;if(NtHead->OptionalHeader.Subsystem==0x3)return true;return false;}void Search(){   printf("暴力搜索列举模块!\n");UCHAR* i=(PUCHAR)0x10000000;int Num=0;for(;i<(PUCHAR)0x7ffeffff;i+=PAGE_SIZE){    if(IsValidModule(i)) {  printf("\t\t find a module at %08x\n",i);  Num++; }  }printf("\t\t total find module :%03d\n",Num); }void main(){ EnableDebugPrivilege(true); EnumModlueAll(4228); ForceLookUpModule(4228); getchar(); GetProcessModule(4228); EnumModuleEx(4228); getchar(); EnumSelfModule(); getchar(); Search(); printf("按任意键退出........"); getchar();}

           

再分享一下我老师大神的人工智能教程吧。零基础！通俗易懂！风趣幽默！还带黄段子！希望你也加入到我们人工智能的队伍中来！https://blog.csdn.net/jiangjunshow