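#pragma once
#define _WIN32_WINNT 0x0500
#include "windows.h"
#include "tlhelp32.h"
#include "stdio.h"
#include "stdlib.h"
#include "locale.h"
#include "NativeApi.h"
#include "wchar.h"
#include "psapi.h"                       // SDK 6.0
#pragma comment(lib, "psapi.lib")        // SDK 6.0 - not sure why VC6 does not seem to ship this header??

// Module-enumeration demo for a 32-bit Windows target process. x86 only: see
// the inline asm and the hard-coded 32-bit structure offsets in EnumSelfModule.
// Every method prints what it finds; callers only get a success flag back.

int GetUserPath(WCHAR* szModPath);

/// Method 1: list the modules of process dwPID through a ToolHelp snapshot.
/// Returns TRUE when at least one module was listed, FALSE when the snapshot
/// could not be created or the process has no enumerable module.
BOOL GetProcessModule(DWORD dwPID)
{
    HANDLE hModuleSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
    if (hModuleSnap == INVALID_HANDLE_VALUE)
    {
        printf("获取模块失败!\n");
        return FALSE;
    }

    MODULEENTRY32 me32 = {0};
    me32.dwSize = sizeof(MODULEENTRY32);   // Module32First rejects the call without it

    BOOL bFound = FALSE;
    // Iterate the snapshot; Module32Next fails once the list is exhausted.
    if (::Module32First(hModuleSnap, &me32))
    {
        do
        {
            printf("方法1列模块名:%s\n", me32.szExePath);
            bFound = TRUE;
        } while (::Module32Next(hModuleSnap, &me32));
    }
    CloseHandle(hModuleSnap);
    return bFound;
}

/// Method 2: walk the target's address space in 64 KB steps and ask
/// ZwQueryVirtualMemory(MemorySectionName) for the file backing each region;
/// every distinct section name is printed once, converted from its
/// \Device\... form to a drive-letter path by GetUserPath.
/// Returns false when ntdll could not be resolved, the process could not be
/// opened for PROCESS_QUERY_INFORMATION, or the name buffer could not be
/// allocated; true after the scan completed.
bool ForceLookUpModule(DWORD dwPID)
{
    // NtQueryVirtualMemory shape; LONG stands in for NTSTATUS (>= 0 is success).
    // Pointer-typed parameters avoid truncating addresses through DWORD.
    typedef LONG (WINAPI *FunLookModule)(HANDLE ProcessHandle, PVOID BaseAddress,
                                         DWORD MemoryInformationClass, PVOID MemoryInformation,
                                         SIZE_T MemoryInformationLength, PSIZE_T ReturnLength);
    const DWORD kMemorySectionName = 2;          // MEMORY_INFORMATION_CLASS value for the section name
    const SIZE_T kNameBufferBytes = 0x200;       // UNICODE_STRING header + WCHAR name storage
    const unsigned int kScanStep = 0x10000;      // allocation granularity
    const unsigned int kScanLimit = 0x7fffffff;  // top of the 32-bit user address range

    HMODULE hNtdll = GetModuleHandle("ntdll.dll");
    if (hNtdll == NULL)
        return false;
    FunLookModule ZwQueryVirtualMemory = (FunLookModule)GetProcAddress(hNtdll, "ZwQueryVirtualMemory");
    if (ZwQueryVirtualMemory == NULL)
        return false;

    // Query access only; the handle is not inheritable since no child needs it.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPID);
    if (hProcess == NULL)
        return false;

    PMEMORY_SECTION_NAME pSection = (PMEMORY_SECTION_NAME)malloc(kNameBufferBytes);
    if (pSection == NULL)
    {
        CloseHandle(hProcess);
        return false;
    }

    _wsetlocale(LC_ALL, L"chs");          // once, so wprintf can emit the CJK label below

    WCHAR lastName[256] = {0};            // raw device name of the last region printed
    WCHAR rawName[256]  = {0};            // NUL-terminated copy of the current query result
    WCHAR userPath[256] = {0};            // drive-letter form handed to wprintf
    for (unsigned int addr = 0; addr < kScanLimit; addr += kScanStep)
    {
        SIZE_T retLength = 0;
        LONG status = ZwQueryVirtualMemory(hProcess, (PVOID)addr, kMemorySectionName,
                                           pSection, kNameBufferBytes, &retLength);
        // Only a successful query fills the buffer; unmapped or private regions
        // fail and would leave stale contents from the previous hit.
        if (status < 0)
            continue;

        const WCHAR* buf = pSection->SectionFileName.Buffer;
        size_t len = pSection->SectionFileName.Length / sizeof(WCHAR);
        // The kernel points Buffer into our own allocation; reject anything else
        // instead of probing it with IsBadReadPtr.
        if (buf == NULL || len == 0 ||
            (const BYTE*)buf < (const BYTE*)pSection ||
            (const BYTE*)buf + len * sizeof(WCHAR) > (const BYTE*)pSection + kNameBufferBytes)
            continue;
        if (buf[0] != L'\\')
            continue;                     // only \Device\... section names are module files
        if (len > 255)
            len = 255;                    // clamp to the local copy
        wcsncpy(rawName, buf, len);
        rawName[len] = L'\0';

        if (wcscmp(lastName, rawName) == 0)
            continue;                     // same mapping as the previous hit - skip duplicate
        // Compare on the raw form: GetUserPath rewrites its argument, so comparing
        // the converted string would report every 64 KB chunk of a module as new.
        wcscpy(lastName, rawName);
        wcscpy(userPath, rawName);
        GetUserPath(userPath);
        wprintf(L"方法2列模块%s\n", userPath);
    }
    free(pSection);
    CloseHandle(hProcess);
    return true;
}

/// Rewrite an NT device path such as \Device\HarddiskVolume1\Windows\x.dll
/// into drive-letter form (C:\Windows\x.dll), in place.
/// The device is matched by querying every drive letter with QueryDosDeviceW,
/// so multi-digit volume numbers and non-harddisk devices are handled. The
/// result is always shorter than the input, so the caller's buffer cannot
/// overflow.
/// Returns 0 when a drive letter was substituted, -1 when szModPath is not a
/// device path or no drive maps to its device prefix (left untouched).
int GetUserPath(WCHAR* szModPath)
{
    if (szModPath == NULL || szModPath[0] != L'\\')
        return -1;

    WCHAR drive[3] = { L'\0', L':', L'\0' };
    WCHAR device[MAX_PATH] = {0};
    for (WCHAR letter = L'A'; letter <= L'Z'; ++letter)
    {
        drive[0] = letter;
        // Returns a MULTI_SZ; the first NUL-terminated entry is the active target.
        if (!QueryDosDeviceW(drive, device, MAX_PATH))
            continue;
        size_t devLen = wcslen(device);
        // Require the whole device name followed by the separator, so that
        // \Device\HarddiskVolume1 does not match \Device\HarddiskVolume12\....
        if (devLen < 2 || wcsncmp(szModPath, device, devLen) != 0 || szModPath[devLen] != L'\\')
            continue;
        // "X:" is never longer than the device name (devLen >= 2), so shifting
        // the remainder left in place is safe.
        wmemmove(szModPath + 2, szModPath + devLen, wcslen(szModPath + devLen) + 1);
        szModPath[0] = letter;
        szModPath[1] = L':';
        return 0;
    }
    return -1;
}

/// Enable (fEnable != FALSE) or disable SeDebugPrivilege on the current
/// process token so that protected processes can be opened.
/// Returns TRUE only when the privilege was actually adjusted:
/// AdjustTokenPrivileges succeeds even when the token lacks the privilege
/// (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so the error code is checked.
BOOL EnableDebugPrivilege(BOOL fEnable)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;

    BOOL fOk = FALSE;
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
    {
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
            fOk = (GetLastError() == ERROR_SUCCESS);
    }
    CloseHandle(hToken);
    return fOk;
}

/// Method 3: list the modules of process dwPID with EnumProcessModules /
/// GetModuleFileNameEx (psapi). Requests only the query/read rights psapi
/// needs rather than PROCESS_ALL_ACCESS.
void EnumModlueAll(DWORD dwPID)
{
    // OpenProcess reports failure with NULL, not INVALID_HANDLE_VALUE.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPID);
    if (hProcess == NULL)
    {
        printf(" open process failed!\n");
        return;
    }

    // Sizing call: needed receives the byte count for the whole module array.
    DWORD needed = 0;
    EnumProcessModules(hProcess, NULL, 0, &needed);
    if (needed == 0)
    {
        CloseHandle(hProcess);
        return;
    }
    HMODULE* modules = (HMODULE*)malloc(needed);
    if (modules == NULL)
    {
        CloseHandle(hProcess);
        return;
    }
    DWORD allocated = needed;
    if (EnumProcessModules(hProcess, modules, allocated, &needed))
    {
        // Never walk past the array: the module list can grow between the two
        // calls, and a sentinel-terminated loop would read beyond it.
        DWORD count = (needed < allocated ? needed : allocated) / sizeof(HMODULE);
        char path[MAX_PATH];
        for (DWORD i = 0; i < count; ++i)
        {
            if (GetModuleFileNameEx(hProcess, modules[i], path, MAX_PATH))
                printf("方法3模块:%s\n", path);
        }
    }
    free(modules);
    CloseHandle(hProcess);
}

/// Method 4: list the modules of process dwPID through the undocumented
/// RtlQueryProcessDebugInformation(PDI_MODULES) buffer. The function-pointer
/// typedefs and the DEBUG_BUFFER / DEBUG_MODULE_INFORMATION layouts come from
/// NativeApi.h. The debug buffer is destroyed on every exit path.
void EnumModuleEx(DWORD dwPID)
{
    HMODULE hNtdll = GetModuleHandle("ntdll.dll");
    if (hNtdll == NULL)
    {
        printf("函数定位失败!\n");
        return;
    }
    RTLCREATEQUERYDEBUGBUFFER RtlCreateQueryDebugBuffer =
        (RTLCREATEQUERYDEBUGBUFFER)GetProcAddress(hNtdll, "RtlCreateQueryDebugBuffer");
    RTLQUERYPROCESSDEBUGINFORMATION RtlQueryProcessDebugInformation =
        (RTLQUERYPROCESSDEBUGINFORMATION)GetProcAddress(hNtdll, "RtlQueryProcessDebugInformation");
    RTLDESTROYDEBUGBUFFER RtlDestroyQueryDebugBuffer =
        (RTLDESTROYDEBUGBUFFER)GetProcAddress(hNtdll, "RtlDestroyQueryDebugBuffer");
    if (RtlCreateQueryDebugBuffer == NULL || RtlQueryProcessDebugInformation == NULL ||
        RtlDestroyQueryDebugBuffer == NULL)
    {
        printf("函数定位失败!\n");
        return;
    }

    PDEBUG_BUFFER pBuffer = RtlCreateQueryDebugBuffer(0, FALSE);
    if (pBuffer == NULL)
    {
        printf("RtlCreateQueryDebugBuffer failed\n");
        return;
    }

    // NTSTATUS failures are negative as a signed LONG; an unsigned DWORD can
    // never compare < 0 and would make the failure branch unreachable.
    LONG status = RtlQueryProcessDebugInformation(dwPID, PDI_MODULES, pBuffer);
    if (status < 0 || pBuffer->ModuleInformation == NULL)
    {
        printf("RtlQueryProcessDebugInformation函数调用失败,进程开了保护\n");
        RtlDestroyQueryDebugBuffer(pBuffer);
        return;
    }

    // ModuleInformation layout: ULONG count, then count DEBUG_MODULE_INFORMATION records.
    ULONG count = *(PULONG)pBuffer->ModuleInformation;
    PDEBUG_MODULE_INFORMATION pModule =
        (PDEBUG_MODULE_INFORMATION)((PUCHAR)pBuffer->ModuleInformation + sizeof(ULONG));
    for (ULONG i = 0; i < count; ++i, ++pModule)
        printf("方法4列出的模块:%s\n", pModule->ImageName);
    RtlDestroyQueryDebugBuffer(pBuffer);
}

/// Walk this process's own loader list (PEB->Ldr->InLoadOrderModuleList) and
/// print each entry's base address and full DLL name. x86-only: the PEB is
/// read from fs:[0x30] with inline asm and the offsets are the 32-bit ones.
void EnumSelfModule()
{
    void* PEB = NULL;
    printf("列举自身模块!\n");
    __asm
    {
        mov eax, fs:[0x30]      ; TEB->ProcessEnvironmentBlock
        mov PEB, eax
    }
    printf("PEB = 0x%08X\n", PEB);

    void* Ldr = *((void**)((unsigned char*)PEB + 0x0c));        // PEB->Ldr
    printf("Ldr = 0x%08X\n", Ldr);
    // The LIST_ENTRY head lives inside PEB_LDR_DATA; it is not a module and
    // must terminate the walk, otherwise it is printed as a bogus last entry.
    void* head  = (unsigned char*)Ldr + 0x0c;                   // &Ldr->InLoadOrderModuleList
    void* Flink = *((void**)head);
    printf("Flink = 0x%08X\n", Flink);

    for (void* p = Flink; p != head; p = *((void**)p))           // LIST_ENTRY.Flink is the first field
    {
        void* BaseAddress = *((void**)((unsigned char*)p + 0x18));   // DllBase
        void* FullDllName = *((void**)((unsigned char*)p + 0x28));   // FullDllName.Buffer
        printf("p = 0x%08X 0x%08X ", p, BaseAddress);
        wprintf(L"%s\n", FullDllName);
    }
}

#ifndef PAGE_SIZE
#define PAGE_SIZE 0x1000
#endif
void Search();
bool IsValidModule(byte* i);
bool PrintModule();

/// Heuristic used by Search(): does the page at i start a loaded DLL image?
/// Requires a readable "MZ" header whose e_lfanew points at a readable "PE"
/// header, the IMAGE_FILE_DLL characteristic, and a Windows GUI or console
/// subsystem. IsBadReadPtr is only a probe; the scan is best-effort.
bool IsValidModule(byte* i)
{
    if (IsBadReadPtr((void*)i, sizeof(IMAGE_DOS_HEADER)))
        return false;
    const IMAGE_DOS_HEADER* dosHeader = (const IMAGE_DOS_HEADER*)i;
    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return false;                                   // reject arbitrary readable pages early
    if (dosHeader->e_lfanew < 0)
        return false;                                   // would index before the image
    const IMAGE_NT_HEADERS32* ntHeaders = (const IMAGE_NT_HEADERS32*)(i + dosHeader->e_lfanew);
    if (IsBadReadPtr((void*)ntHeaders, sizeof(IMAGE_NT_HEADERS32)))
        return false;
    if (ntHeaders->Signature != IMAGE_NT_SIGNATURE)
        return false;
    if ((ntHeaders->FileHeader.Characteristics & IMAGE_FILE_DLL) == 0)
        return false;                                   // skip .exe images, only DLLs are wanted
    WORD subsystem = ntHeaders->OptionalHeader.Subsystem;
    return subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI || subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI;
}

/// Method 5: brute-force scan of this process's user address range
/// [0x10000000, 0x7ffeffff) one page at a time, counting pages that look like
/// a DLL header (IsValidModule). Slow and heuristic, but relies on no
/// enumeration API.
void Search()
{
    printf("暴力搜索列举模块!\n");
    const UCHAR* const kScanStart = (const UCHAR*)0x10000000;
    const UCHAR* const kScanEnd   = (const UCHAR*)0x7ffeffff;
    int found = 0;
    for (const UCHAR* page = kScanStart; page < kScanEnd; page += PAGE_SIZE)
    {
        if (IsValidModule((byte*)page))
        {
            printf("\t\t find a module at %08x\n", (unsigned int)page);
            ++found;
        }
    }
    printf("\t\t total find module :%03d\n", found);
}

/// Entry point: run every enumeration method against the target PID (first
/// command-line argument when given and numeric, otherwise 4228), pausing
/// between groups so the output can be read.
int main(int argc, char* argv[])
{
    DWORD dwPID = 4228;
    if (argc > 1)
    {
        char* end = NULL;
        unsigned long parsed = strtoul(argv[1], &end, 10);
        if (end != argv[1] && *end == '\0' && parsed != 0)
            dwPID = (DWORD)parsed;
    }
    if (!EnableDebugPrivilege(TRUE))
        printf("EnableDebugPrivilege failed; protected processes may not open\n");
    EnumModlueAll(dwPID);
    ForceLookUpModule(dwPID);
    getchar();
    GetProcessModule(dwPID);
    EnumModuleEx(dwPID);
    getchar();
    EnumSelfModule();
    getchar();
    Search();
    printf("按任意键退出........");
    getchar();
    return 0;
}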