枚举进程信息

1.PSAPI法

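#include <Windows.h>
#include <iostream>
#include <tchar.h>
#include "psapi.h"
#pragma comment ( lib, "psapi.lib" )

// Enumerates process ids with EnumProcesses and prints, for every process the
// caller is able to open, its id and main-module path (or "unknow"), followed
// by a total.  Returns 0 on success, 1 if EnumProcesses itself fails.
int main()
{
	setlocale(LC_ALL,"CHS"); // console locale so the Chinese summary line renders
	DWORD Pid[1024];
	DWORD cbNeededProcess = 0;
	if (!EnumProcesses(Pid, sizeof(Pid), &cbNeededProcess))
	{
		printf("failed.\n");
		return 1; // cbNeededProcess is meaningless after a failure; do not walk Pid
	}
	// If every slot was filled the list may be truncated; a complete tool would
	// retry with a larger array until cbNeeded is smaller than the array.
	DWORD NumofProcess = cbNeededProcess / sizeof(DWORD);
	for (DWORD i = 0; i < NumofProcess; i++)
	{
		TCHAR szFilePath[MAX_PATH] = _T("unknow");
		// The rights GetModuleFileNameEx needs; processes the caller may not open
		// (OpenProcess returns NULL) are skipped.  QueryFullProcessImageName with
		// PROCESS_QUERY_LIMITED_INFORMATION is the lower-privilege alternative.
		HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, Pid[i]);
		if (hProcess != NULL)
		{
			// The size argument is in TCHARs, not bytes: sizeof(szFilePath) is twice
			// the element count in a UNICODE build and lets the call overrun the buffer.
			if (GetModuleFileNameEx(hProcess, NULL, szFilePath, MAX_PATH) == 0)
				_tcscpy_s(szFilePath, MAX_PATH, _T("unknow")); // keep the marker when the query fails
			_tprintf(_T("%04d %s\n"), Pid[i], szFilePath);
			CloseHandle(hProcess);
		}
	}
	_tprintf(_T("共有%d个进程\n"), NumofProcess);
	return 0;
}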

2.ToolHelp API法

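#include <Windows.h>
#include <tchar.h>
#include <tlhelp32.h>
#include <iostream>

// Walks a ToolHelp process snapshot and prints, for each process, its id and
// the path of its first module (normally the executable), then a total.
// Returns 0 on success, 1 if the process snapshot cannot be taken.
int main()
{
	setlocale(LC_ALL,"CHS");
	PROCESSENTRY32 pe32;
	pe32.dwSize = sizeof(pe32);
	UINT uNum = 0;
	HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	// The snapshot API reports failure with INVALID_HANDLE_VALUE, not NULL.
	if (hProcessSnap == INVALID_HANDLE_VALUE)
	{
		_tprintf(_T("CreateToolhelp32Snapshot failed: %u\n"), GetLastError());
		return 1;
	}
	BOOL bRet = Process32First(hProcessSnap, &pe32);
	while (bRet)
	{
		MODULEENTRY32 me32 = {0};
		me32.dwSize = sizeof(MODULEENTRY32);
		// A module snapshot of another process may fail (e.g. access denied);
		// closing INVALID_HANDLE_VALUE and printing an empty path was the old result.
		HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pe32.th32ProcessID);
		if (hModuleSnap != INVALID_HANDLE_VALUE)
		{
			if (!Module32First(hModuleSnap, &me32))
				me32.szExePath[0] = _T('\0');
			CloseHandle(hModuleSnap);
		}
		// Fall back to the image name from the process entry when no module path is available.
		_tprintf(_T("%04d %s\n"), pe32.th32ProcessID, me32.szExePath[0] ? me32.szExePath : pe32.szExeFile);
		uNum++;
		bRet = Process32Next(hProcessSnap, &pe32);
	}
	_tprintf(_T("共有%d个进程\n"), uNum);
	CloseHandle(hProcessSnap);
	return 0;
}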

3.WTSOpenServer法

//
// WTSOpenServer 法 (WTSOpenServer method)
#include <Wtsapi32.h>
#pragma comment(lib,"Wtsapi32.lib")
// 用nbtstat -an获取本机NetBios名称,并在命令行下输入即可
// (obtain the local NetBIOS name with "nbtstat -an" and pass it on the command line)
//
// Fragment: these statements belong to a main(int argc, char *argv[]) that is
// not shown; argv[1] is used without checking argc.
char *szServerName = argv[1];
PWTS_PROCESS_INFO wts;
DWORD dwCount;
// NOTE(review): the server handle is neither checked for NULL nor released with
// WTSCloseServer, and wts is never released with WTSFreeMemory.
HANDLE hWtsServer = WTSOpenServer(szServerName);
// Reserved must be 0 and Version must be 1; enumeration fails with a zero return.
if(!WTSEnumerateProcesses(hWtsServer,0,1,&wts,&dwCount)) return 0;
for (DWORD i=0;i<dwCount;i++)
{
	// pProcessName is an LPTSTR; printf("%s") only matches it in a non-UNICODE build.
	printf("%s\n",wts[i].pProcessName);
}
return 0;

4.Native API法:使用NtQuerySystemInformation

#include <windows.h>
#include <tchar.h>
#include <iostream>
#include <new>
#include <vector>
using namespace std;
#include "MyNtdll.h"//定义了函数指针和各种结构体

// Initial buffer size in bytes for NtQuerySystemInformation; the query loop
// grows the buffer by this amount on STATUS_INFO_LENGTH_MISMATCH.
#define DEF_BUF_SIZE	0x1000
// Resolved at runtime by Initial() via GetProcAddress; NULL until then.
// NtQuerySystemInformation is not a documented public API, and the structure
// layouts used with it come from MyNtdll.h rather than the SDK.
PFNNtQuerySystemInformation NtQuerySystemInformation ;

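// Resolves NtQuerySystemInformation from ntdll.dll into the global pointer.
// Returns FALSE if the module or the export cannot be found; in that case the
// global is left NULL and must not be called.
BOOL Initial ()
{
	// ntdll.dll is normally already mapped, so GetModuleHandle is tried first
	// and LoadLibrary only serves as a fallback.
	HMODULE	hMod = GetModuleHandle(_T("ntdll.dll"));
	if ( hMod == NULL )
	{
		hMod = LoadLibrary (_T("ntdll.dll")) ;
		if ( hMod == NULL )
			return FALSE ;
	}
	NtQuerySystemInformation = (PFNNtQuerySystemInformation)GetProcAddress(hMod,"NtQuerySystemInformation") ;
	// Report a missing export as failure instead of leaving a NULL function
	// pointer for QuerySystemInformation to call.
	return NtQuerySystemInformation != NULL ;
}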
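// Prints one record per process from a SystemProcessesAndThreadsInformation
// buffer.  lpBuf points at the first SYSTEM_PROCESSES entry; entries are
// chained by NextEntryDelta (byte offset to the next entry, 0 terminates).
// cbBuf, when non-zero, is the size of lpBuf in bytes and stops the walk
// before a bad delta would read past the end of the buffer.
VOID DisplayProcessInformation ( LPBYTE lpBuf, SIZE_T cbBuf = 0 )
{	
	cout << "///" << endl ;
	cout << "//                       Process Information                         //" << endl ;
	cout << "///" << endl ;
	SIZE_T offset = 0 ;
	while ( TRUE )
	{
		// Bounds check, only possible when the caller supplies the buffer size
		if ( cbBuf != 0 && offset + sizeof(SYSTEM_PROCESSES) > cbBuf )
		{
			cout << "Process information buffer is truncated" << endl ;
			break ;
		}
		PSYSTEM_PROCESSES pSysProcess = (PSYSTEM_PROCESSES)( lpBuf + offset ) ;

		cout << "ProcessName:" << '\t' ; 
		// ProcessName is a counted string; %S relies on it also being
		// NUL-terminated, which the counted-string contract does not promise.
		if ( pSysProcess->ProcessName.Buffer != NULL )
			printf ("%30S", pSysProcess->ProcessName.Buffer ) ;
		cout << endl ;

		cout << "InheritedFromProcessId:\t\t" << pSysProcess->InheritedFromProcessId << endl ;
		cout << "ProcessId:\t\t\t" << pSysProcess->ProcessId << endl ;
		cout << "HandleCount:\t\t\t" << pSysProcess->HandleCount << endl ;
		cout << "ThreadCount:\t\t\t" << pSysProcess->ThreadCount << endl ;

		cout << "-------------------------------------------------------------------------" << endl ;
		if ( pSysProcess->NextEntryDelta == 0 )
			break ;
		// Advance by bytes within lpBuf; casting the pointer to DWORD, as the
		// original did, truncates addresses in a 64-bit build.
		offset += pSysProcess->NextEntryDelta ;
	}
}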
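// Queries the given information class with NtQuerySystemInformation and hands
// the resulting buffer to DisplayProcessInformation.  Prints a message and
// returns on allocation failure or on any status other than success or
// STATUS_INFO_LENGTH_MISMATCH.  Initial() must have succeeded first.
VOID QuerySystemInformation (SYSTEM_INFORMATION_CLASS SystemInformationClass)
{
	NTSTATUS	status ;
	UINT		nSize = DEF_BUF_SIZE ;
	// vector owns the buffer, so every return path releases it (the original
	// leaked on the error path and freed an array with scalar delete).
	std::vector<BYTE> buf ;

	// The required size is not known in advance and changes as processes start
	// and exit, so retry with a larger buffer until the call succeeds.
	while ( TRUE )
	{
		try
		{
			buf.resize ( nSize ) ;
		}
		catch ( const std::bad_alloc& )
		{
			cout << "Allocate memory failed!" << endl ;
			return ;
		}

		status = NtQuerySystemInformation(SystemInformationClass,buf.data(),nSize,0) ;
		if ( NT_SUCCESS(status))
			break ;
		if ( status != STATUS_INFO_LENGTH_MISMATCH )
		{
			cout << "NtQuerySystemInformation ErrorCode=0x" << hex << status << endl ;
			return ;
		}
		// Buffer too small: grow geometrically rather than by one page per round
		// (passing a ReturnLength pointer would give the exact size on supporting builds).
		nSize *= 2 ;
	}

	DisplayProcessInformation (buf.data()) ;
}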
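// Entry point: resolves NtQuerySystemInformation, then dumps the process list.
// Returns 1 (instead of the original 0) when initialisation fails so that a
// calling script can tell the failure apart from an empty listing.
int main()
{
	if (Initial() == FALSE)
	{
		_tprintf(_T("Initial failed!"));
		return 1;
	}
	QuerySystemInformation(SystemProcessesAndThreadsInformation );
	return 0;
}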


 
 
 
 
 
 
 
 

                