64位操作系统下R3枚举进程及模块的两种方式

于 2023-10-22 13:46:28 发布
阅读量271 收藏 1
点赞数
文章标签: windows c++
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_31548855/article/details/133971987
版权

应用层枚举进程及模块的两种方式

1.快照方式枚举进程

BOOL EnumProcesses(HWND hProcessList)
{
	ListView_DeleteAllItems(hProcessList);
	PROCESSENTRY32 pe = { 0 };
	pe.dwSize = sizeof(pe);
	HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	int i = 0;
	TCHAR buff[256] = { 0 };
	while (Process32Next(hSnap, &pe))
	{
		ListInsertItem(hProcessList, i, 0, pe.szExeFile);
		wsprintf(buff, L"%d", (int)pe.th32ParentProcessID);
		ListSetItemText(hProcessList, i, 1, buff);
		wsprintf(buff, L"%d", (int)pe.th32ProcessID);
		ListSetItemText(hProcessList, i, 2, buff);
		i++;
	}
	CloseHandle(hSnap);
	return TRUE;
}

快照方式枚举进程测试图片

2.快照方式枚举进程模块

BOOL EnumModule(HWND hProcessList, DWORD pid)
{
	ListView_DeleteAllItems(hProcessList);
	MODULEENTRY32 me = { 0 };
	me.dwSize = sizeof(me);
	int i = 0;
	TCHAR buff[256] = { 0 };
	HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid);
	while (Module32Next(hSnap, &me))
	{
		ListInsertItem(hProcessList, i, 0, me.szModule);
		wsprintf(buff, L"%p",me.modBaseAddr);
		ListSetItemText(hProcessList, i, 1, buff);
		wsprintf(buff, L"%08X", me.modBaseSize);
		ListSetItemText(hProcessList, i, 2, buff);
	}
	CloseHandle(hSnap);
	return TRUE;
}

快照方式枚举进程模块测试图片

3.通过NtQuerySystemInformation函数枚举进程

BOOL EnumProcesses(HWND hProcessList)
{
	ListView_DeleteAllItems(hProcessList);
	ULONG len = 0;
	ULONG m_bsize = 1024;
	BYTE* m_buff = new BYTE[1024];
	HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");
	if (!hNtdll)
	{
		return FALSE;
	}
	pfNtQuerySystemInformation NtQuerySystemInformation = (pfNtQuerySystemInformation)GetProcAddress(hNtdll, "NtQuerySystemInformation");
	NtQuerySystemInformation(SystemProcessInformation, m_buff, m_bsize, &len);
	while (m_bsize < len)
	{
		delete[] m_buff;
		m_bsize = len;
		m_buff = new BYTE[m_bsize];
		NtQuerySystemInformation(SystemProcessInformation, m_buff, m_bsize, &len);
	}
	SYSTEM_PROCESS_INFORMATION* ps = (SYSTEM_PROCESS_INFORMATION*)m_buff;
	ps = (SYSTEM_PROCESS_INFORMATION*)((ULONG64)ps + ps->NextEntryOffset);
	int i = 0;
	WCHAR buff[256] = { 0 };
	while (ps->NextEntryOffset)
	{
		ListInsertItem(hProcessList, i, 0, (LPCTSTR)(ps->ImageName.Buffer));
		wsprintf(buff, L"%d", (int)ps->InheritedFromUniqueProcessId);
		ListSetItemText(hProcessList, i, 1, buff);
		wsprintf(buff, L"%d", (int)ps->UniqueProcessId);
		ListSetItemText(hProcessList, i, 2, buff);
		wsprintf(buff, L"%d", CriticalLevel((int)ps->UniqueProcessId));
		ListSetItemText(hProcessList, i, 3, buff);
		i++;
		ps = (SYSTEM_PROCESS_INFORMATION*)((ULONG64)ps + ps->NextEntryOffset);
	}
	ListInsertItem(hProcessList, i, 0, (LPCTSTR)(ps->ImageName.Buffer));
	wsprintf(buff, L"%d", (int)ps->InheritedFromUniqueProcessId);
	ListSetItemText(hProcessList, i, 1, buff);
	wsprintf(buff, L"%d", (int)ps->UniqueProcessId);
	ListSetItemText(hProcessList, i, 2, buff);
	wsprintf(buff, L"%d", CriticalLevel((int)ps->UniqueProcessId));
	ListSetItemText(hProcessList, i, 3, buff);
	return TRUE;
}

NtQuerySystemInformation函数枚举进程

4.通过NtQueryInformationProcess函数枚举进程模块

BOOL EnumModule(HWND hProcessList,DWORD pid)
{
	ListView_DeleteAllItems(hProcessList);
	HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");
	if (!hNtdll)
	{
		return FALSE;
	}
	int i = 0;
	pfNtOpenProcess NtOpenProcess = (pfNtOpenProcess)GetProcAddress(hNtdll, "NtOpenProcess");
	pfNtQueryInformationProcess NtQueryInformationProcess = (pfNtQueryInformationProcess)GetProcAddress(hNtdll, "NtQueryInformationProcess");
	pfNtReadVirtualMemory NtReadVirtualMemory = (pfNtReadVirtualMemory)GetProcAddress(hNtdll, "NtReadVirtualMemory");
	BOOL source = FALSE;
	BOOL target = FALSE;
	IsWow64Process(GetCurrentProcess(), &source);
	HANDLE hProcess = 0;
	CLIENT_ID client = { 0 };
	OBJECT_ATTRIBUTES oa = { 0 };
	client.UniqueProcess = pid;
	oa.Length = sizeof(OBJECT_ATTRIBUTES);
	NtOpenProcess(&hProcess, GENERIC_ALL, &oa, &client);
	if (NULL == hProcess)
	{
		return FALSE;
	}
	IsWow64Process(hProcess, &target);
	if (source == FALSE && target == FALSE)
	{
		PROCESS_BASIC_INFORMATION64 pbi64 = { 0 };
		NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi64, sizeof(pbi64), NULL);
		DWORD64 Ldr64 = 0;
		LIST_ENTRY64 ListEntry64 = { 0 };
		LDR_DATA_TABLE_ENTRY64 LDTE64 = { 0 };
		wchar_t buff[256] = { 0 };
		NtReadVirtualMemory(hProcess, (PVOID64)(pbi64.PebBaseAddress + offsetof(PEB64, Ldr)), &Ldr64, sizeof(Ldr64), NULL);
		NtReadVirtualMemory(hProcess, (PVOID64)(Ldr64 + offsetof(PEB_LDR_DATA64, InLoadOrderModuleList)), &ListEntry64, sizeof(LIST_ENTRY64), NULL);
		NtReadVirtualMemory(hProcess, (PVOID64)(ListEntry64.Flink), &LDTE64, sizeof(LDR_DATA_TABLE_ENTRY64), NULL);
		while (LDTE64.InLoadOrderLinks.Flink != ListEntry64.Flink)
		{
			NtReadVirtualMemory(hProcess, (PVOID64)LDTE64.BaseDllName.Buffer, buff, sizeof(buff), NULL);
			ListInsertItem(hProcessList, i, 0, buff);
			wsprintf(buff, L"%p", (PVOID64)LDTE64.DllBase);
			ListSetItemText(hProcessList, i, 1, buff);
			wsprintf(buff, L"%08X", LDTE64.SizeOfImage);
			ListSetItemText(hProcessList, i, 2, buff);
			i++;
			//printf("模块基址:0x%llX\t模块大小:0x%-10X\t模块路径:%ls\n", LDTE64.DllBase, LDTE64.SizeOfImage, ProPath64);
			NtReadVirtualMemory(hProcess, (PVOID64)LDTE64.InLoadOrderLinks.Flink, &LDTE64, sizeof(LDR_DATA_TABLE_ENTRY64), NULL);
		}
	}
#ifndef _WIN64
	else if (source == TRUE && target == FALSE)
	{

		PROCESS_BASIC_INFORMATION64 pbi64 = { 0 };
		pfNtWow64QueryInformationProcess64 NtWow64QueryInformationProcess64 = (pfNtWow64QueryInformationProcess64)GetProcAddress(hNtdll, "NtWow64QueryInformationProcess64");
		NtWow64QueryInformationProcess64(hProcess, ProcessBasicInformation, &pbi64, sizeof(pbi64), NULL);
		DWORD64 Ldr64 = 0;
		LIST_ENTRY64 ListEntry64 = { 0 };
		LDR_DATA_TABLE_ENTRY64 LDTE64 = { 0 };
		wchar_t buff[256] = { 0 };
		pfNtWow64ReadVirtualMemory64 NtWow64ReadVirtualMemory64 = (pfNtWow64ReadVirtualMemory64)GetProcAddress(hNtdll, "NtWow64ReadVirtualMemory64");
		NtWow64ReadVirtualMemory64(hProcess, (PVOID64)(pbi64.PebBaseAddress + offsetof(PEB64, Ldr)), &Ldr64, sizeof(Ldr64), NULL);
		NtWow64ReadVirtualMemory64(hProcess, (PVOID64)(Ldr64 + offsetof(PEB_LDR_DATA64, InLoadOrderModuleList)), &ListEntry64, sizeof(LIST_ENTRY64), NULL);
		NtWow64ReadVirtualMemory64(hProcess, (PVOID64)(ListEntry64.Flink), &LDTE64, sizeof(LDR_DATA_TABLE_ENTRY64), NULL);
		while (LDTE64.InLoadOrderLinks.Flink != ListEntry64.Flink)
		{
			NtWow64ReadVirtualMemory64(hProcess, (PVOID64)LDTE64.BaseDllName.Buffer, buff, sizeof(buff), NULL);
			ListInsertItem(hProcessList, i, 0, buff);
			wsprintf(buff, L"%08X%08X", *((ULONG*)&LDTE64.DllBase+1) ,*(ULONG*)&LDTE64.DllBase);
			ListSetItemText(hProcessList, i, 1, buff);
			wsprintf(buff, L"%08X", LDTE64.SizeOfImage);
			ListSetItemText(hProcessList, i, 2, buff);
			i++;
			//printf("模块基址:0x%llX\t模块大小:0x%-10X\t模块路径:%ls\n", LDTE64.DllBase, LDTE64.SizeOfImage, ProPath64);
			NtWow64ReadVirtualMemory64(hProcess, (PVOID64)LDTE64.InLoadOrderLinks.Flink, &LDTE64, sizeof(LDR_DATA_TABLE_ENTRY64), NULL);
		}
	}
	else if (source == TRUE && target == TRUE)
	{
		PROCESS_BASIC_INFORMATION64 pbi64 = { 0 };
		pfNtWow64QueryInformationProcess64 NtWow64QueryInformationProcess64 = (pfNtWow64QueryInformationProcess64)GetProcAddress(hNtdll, "NtWow64QueryInformationProcess64");
		NtWow64QueryInformationProcess64(hProcess, ProcessBasicInformation, &pbi64, sizeof(pbi64), NULL);
		DWORD64 Ldr64 = 0;
		LIST_ENTRY64 ListEntry64 = { 0 };
		LDR_DATA_TABLE_ENTRY64 LDTE64 = { 0 };
		wchar_t buff[256] = { 0 };
		pfNtWow64ReadVirtualMemory64 NtWow64ReadVirtualMemory64 = (pfNtWow64ReadVirtualMemory64)GetProcAddress(hNtdll, "NtWow64ReadVirtualMemory64");
		NtWow64ReadVirtualMemory64(hProcess, (PVOID64)(pbi64.PebBaseAddress + offsetof(PEB64, Ldr)), &Ldr64, sizeof(Ldr64), NULL);
		NtWow64ReadVirtualMemory64(hProcess, (PVOID64)(Ldr64 + offsetof(PEB_LDR_DATA64, InLoadOrderModuleList)), &ListEntry64, sizeof(LIST_ENTRY64), NULL);
		NtWow64ReadVirtualMemory64(hProcess, (PVOID64)(ListEntry64.Flink), &LDTE64, sizeof(LDR_DATA_TABLE_ENTRY64), NULL);
		while (LDTE64.InLoadOrderLinks.Flink != ListEntry64.Flink)
		{
			NtWow64ReadVirtualMemory64(hProcess, (PVOID64)LDTE64.BaseDllName.Buffer, buff, sizeof(buff), NULL);
			ListInsertItem(hProcessList, i, 0, buff);
			wsprintf(buff, L"%08X%08X", *((ULONG*)&LDTE64.DllBase + 1), *(ULONG*)&LDTE64.DllBase);
			ListSetItemText(hProcessList, i, 1, buff);
			wsprintf(buff, L"%08X", LDTE64.SizeOfImage);
			ListSetItemText(hProcessList, i, 2, buff);
			i++;
			//printf("模块基址:0x%llX\t模块大小:0x%-10X\t模块路径:%ls\n", LDTE64.DllBase, LDTE64.SizeOfImage, ProPath64);
			NtWow64ReadVirtualMemory64(hProcess, (PVOID64)LDTE64.InLoadOrderLinks.Flink, &LDTE64, sizeof(LDR_DATA_TABLE_ENTRY64), NULL);
		}

		PROCESS_BASIC_INFORMATION32 pbi32 = { 0 };
		NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi32, sizeof(pbi32), NULL);
		DWORD Ldr32 = 0;
		LIST_ENTRY32 ListEntry32 = { 0 };
		LDR_DATA_TABLE_ENTRY32 LDTE32 = { 0 };
		//wchar_t buff[256] = { 0 };
		NtReadVirtualMemory(hProcess, (PVOID)(pbi32.PebBaseAddress + offsetof(PEB32, Ldr)), &Ldr32, sizeof(Ldr32), NULL);
		NtReadVirtualMemory(hProcess, (PVOID)(Ldr32 + offsetof(PEB_LDR_DATA32, InLoadOrderModuleList)), &ListEntry32, sizeof(LIST_ENTRY32), NULL);
		NtReadVirtualMemory(hProcess, (PVOID)(ListEntry32.Flink), &LDTE32, sizeof(LDR_DATA_TABLE_ENTRY32), NULL);
		while (LDTE32.InLoadOrderLinks.Flink != ListEntry32.Flink)
		{
			NtReadVirtualMemory(hProcess, (PVOID)LDTE32.BaseDllName.Buffer, buff, sizeof(buff), NULL);
			ListInsertItem(hProcessList, i, 0, buff);
			wsprintf(buff, L"%08X", LDTE32.DllBase);
			ListSetItemText(hProcessList, i, 1, buff);
			wsprintf(buff, L"%08X", LDTE32.SizeOfImage);
			ListSetItemText(hProcessList, i, 2, buff);
			i++;
			//NtReadVirtualMemory(hProcess, (PVOID)LDTE32.FullDllName.Buffer, ProPath32, sizeof(ProPath32), NULL);
			//printf("模块基址:0x%08X\t模块大小:0x%-08X\t模块路径:%ws\n", LDTE32.DllBase, LDTE32.SizeOfImage, ProPath32);
			NtReadVirtualMemory(hProcess, (PVOID)LDTE32.InLoadOrderLinks.Flink, &LDTE32, sizeof(LDR_DATA_TABLE_ENTRY32), NULL);
		}
	}
#endif
	else if (source == FALSE && target == TRUE)
	{
		PROCESS_BASIC_INFORMATION64 pbi64 = { 0 };
		NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi64, sizeof(pbi64), NULL);
		DWORD64 Ldr64 = 0;
		LIST_ENTRY64 ListEntry64 = { 0 };
		LDR_DATA_TABLE_ENTRY64 LDTE64 = { 0 };
		wchar_t buff[256] = { 0 };
		NtReadVirtualMemory(hProcess, (PVOID64)(pbi64.PebBaseAddress + offsetof(PEB64, Ldr)), &Ldr64, sizeof(Ldr64), NULL);
		NtReadVirtualMemory(hProcess, (PVOID64)(Ldr64 + offsetof(PEB_LDR_DATA64, InLoadOrderModuleList)), &ListEntry64, sizeof(LIST_ENTRY64), NULL);
		NtReadVirtualMemory(hProcess, (PVOID64)(ListEntry64.Flink), &LDTE64, sizeof(LDR_DATA_TABLE_ENTRY64), NULL);
		while (LDTE64.InLoadOrderLinks.Flink != ListEntry64.Flink)
		{
			NtReadVirtualMemory(hProcess, (PVOID64)LDTE64.BaseDllName.Buffer, buff, sizeof(buff), NULL);
			ListInsertItem(hProcessList, i, 0, buff);
			wsprintf(buff, L"%p", (PVOID64)LDTE64.DllBase);
			ListSetItemText(hProcessList, i, 1, buff);
			wsprintf(buff, L"%08X", LDTE64.SizeOfImage);
			ListSetItemText(hProcessList, i, 2, buff);
			i++;
			//printf("模块基址:0x%llX\t模块大小:0x%-10X\t模块路径:%ls\n", LDTE64.DllBase, LDTE64.SizeOfImage, ProPath64);
			NtReadVirtualMemory(hProcess, (PVOID64)LDTE64.InLoadOrderLinks.Flink, &LDTE64, sizeof(LDR_DATA_TABLE_ENTRY64), NULL);
		}

		ULONG_PTR peb32 = { 0 };//用来存储32位PEB地址
		NtQueryInformationProcess(hProcess, ProcessWow64Information, &peb32, sizeof(peb32), NULL);
		DWORD32 Ldr32 = 0;
		LIST_ENTRY32 ListEntry32 = { 0 };
		LDR_DATA_TABLE_ENTRY32 LDTE32 = { 0 };
		//wchar_t buff[256] = { 0 };
		NtReadVirtualMemory(hProcess, (PVOID)(peb32 + offsetof(PEB32, Ldr)), &Ldr32, sizeof(Ldr32), NULL);
		NtReadVirtualMemory(hProcess, (PVOID)(Ldr32 + offsetof(PEB_LDR_DATA32, InLoadOrderModuleList)), &ListEntry32, sizeof(LIST_ENTRY32), NULL);
		NtReadVirtualMemory(hProcess, (PVOID)(ListEntry32.Flink), &LDTE32, sizeof(LDR_DATA_TABLE_ENTRY32), NULL);
		while (LDTE32.InLoadOrderLinks.Flink != ListEntry32.Flink)
		{
			NtReadVirtualMemory(hProcess, (PVOID)LDTE32.BaseDllName.Buffer, buff, sizeof(buff), NULL);
			ListInsertItem(hProcessList, i, 0, buff);
			wsprintf(buff, L"%08X", LDTE32.DllBase);
			ListSetItemText(hProcessList, i, 1, buff);
			wsprintf(buff, L"%08X", LDTE32.SizeOfImage);
			ListSetItemText(hProcessList, i, 2, buff);
			i++;
			//NtReadVirtualMemory(hProcess, (PVOID)LDTE32.FullDllName.Buffer, ProPath32, sizeof(ProPath32), NULL);
			//printf("模块基址:0x%lX\t模块大小:0x%-10X\t模块路径:%ls\n", LDTE32.DllBase, LDTE32.SizeOfImage, ProPath32);
			NtReadVirtualMemory(hProcess, (PVOID)LDTE32.InLoadOrderLinks.Flink, &LDTE32, sizeof(LDR_DATA_TABLE_ENTRY32), NULL);
		}
	}
	return TRUE;
}

NtQueryInformationProcess函数枚举进程模块

5.总结

综上,第一种方法使用快照枚举进程和模块,优点是代码量少,缺点是32位进程无法枚举64位进程模块。第二种方法使用Nt函数枚举进程和模块,优点是32位进程可以枚举64位进程模块,缺点是代码量多且要使用未文档化的数据结构。

qq_31548855
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
7.1 实现进程内存块枚举
CSDN
09-22 4509
在`Windows`操作系统中,每个进程的虚拟地址空间都被划分为若干内存块,每个内存块都具有一些属性,如内存大小、保护模式、类型等。这些属性可以通过`VirtualQueryEx`函数查询得到。该函数可用于查询进程虚拟地址空间中的内存信息的函数。它的作用类似于`Windows`操作系统中的`Task Manager`中的进程选项卡,可以显示出一个进程的内存使用情况、模块列表等信息。使用`VirtualQueryEx`函数,可以枚举一个进程的所有内存块。该函数需要传入要查询的进程的句柄、基地址和一个`ME
枚举进程模块
yangyang031213的博客
07-11 1010
枚举进程模块使用 CreateToolhelp32Snapshot 创建进程快照,第一个参数为 TH32CS_SNAPMODULE 时创建进程模块快照,类似枚举进程时使用的 Process32First、Process32Next,枚举进程模块时使用 Module32First、Module32Next 枚举进程模块。代码: CEnumModuleDlg:BEGIN_MESSAGE_MAP(CEn
枚举进程句柄
qq_41490873的博客
09-19 451
#include <windows.h> #include <stdio.h> #define NT_SUCCESS(x) ((x) >= 0) #define STATUS_INFO_LENGTH_MISMATCH 0xc0000004 #define SystemHandleInformation 16 #define ObjectBasicInformation 0 #define ObjectNameInformation 1 #define ObjectTypeI
在ring3下列举系统中已加载的驱动模块的信息
Y___Y的专栏
07-02 1212
#include #include #include #include #pragma comment( linker, "/subsystem:console" )typedef LONG NTSTATUS;#define NT_SUCCESS(status)      ((NTSTATUS)(status)>=0)/***************************************
最强黑客库Blackbone使用教程
热门推荐
鬼手的博客
01-14 1万+
最强黑客库Blackbone揭秘
易语言枚举消息钩子模块
08-16
易语言枚举消息钩子模块源码 系统结构:读内核地址数据,枚举钩子,取钩子PTI,取首地址,取钩子类型,卸载钩子,取自定义类型地址,到长整数一,ZwSystemDebugControl,卸载钩子_,GetModuleFileNameExA,
2009年11月的Windows Embedded CE 6.0 R3操作系统发布
01-19
Windows Embedded CE 6.0 R3Windows Embedded与微软中国研发集团(CRD)共同合作开发的,而微软嵌入式系统开发中心(MESDC)就位于微软中国研发集团内,由此体现了微软在消费类互联设备领域的投资与承诺。...
CC++ 进程模块内存注入[x86x64] Windows R3模块注入
最新发布
06-23
CC++ 进程模块内存注入[x86x64] Windows R3模块注入,x86+x64通用,不支持异常处理,编译前关闭GS安全检查,VS2015所写,并无明显C++特征,兼容性极高 2
CC++ 进程模块内存注入[x86x64] Windows R3模块注入,
06-23
CC++ 进程模块内存注入[x86x64] Windows R3模块注入,x86+x64通用,不支持异常处理,编译前关闭GS安全检查,VS2015所写,并无明显C++特征,兼容性极高 1
枚举64位进程模块+查询64位进程的线程所属模块文件路径-易语言
06-12
该源码是 eWOW64Ext v1.21 的一个演示例子,完全使用了 eWOW64Ext 的方法 来枚举64位进程模块; 提供了两种方法来cha询64位进程的线程所属模块文件路径,该功能还没有易语言 方面的开源资料,本次为首次开源。
R3暴力枚举驱动
03-31
易语言ring3下暴力枚举驱动的例子。任何驱动都可枚举出来。
R3暴力枚举驱动 易语言源码
04-21
R3暴力枚举驱动 易语言源码 R3的权限,可以枚举全部的加载的驱动
使用ZwQueryVirtualMemory枚举进程模块支持x64
zhuhuibeishadiao
05-02 7883
#include "stdio.h" #include "windows.h"typedef struct _LSA_UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICO
进程模块枚举与隐藏
Catch me if you can
05-11 2466
整理
用EnumProcesses函数枚举进程
郁闷阳光的专栏
11-21 1195
当你开发的软件在用户那里运行出错了,想怎么办呢?当然是希望把出错时候的运行环境信息生成报表,然后再Email回来查看了。这里就介绍一个函数可以把当时运行环境的进程全部找到,然后可以输出每个进程的信息。当然,这个函数也可以使用到杀病毒软件里,用来查看可疑的进程信息。 函数EnumProcesses声明如下: BOOL WINAPI EnumProcesses (     DWORD
枚举进程(CreateToolhelp32Snapshot函数剖析)
KOOKNUT的博客
03-13 778
之前写过一些枚举进程的代码,这两天正在回顾之前学习的代码,看到了CreateToolhelp32Snapshot函数,就顺便来看看它的具体实现吧。 实现枚举进程信息的这个过程看起来是比较easy的,只不过是一些Windows的API函数罢了: CreateToolhelp32Snapshot Process32First Process32Next 就利用这三个函数,便可实现当前系统进程枚举...
进程枚举相关函数
spiderlily的专栏
12-04 683
1.EnumProcessModules , GetModuleBaseName        这种方法获取的进程,如果用户名是NETWORK SERVICE或LOCAL SEVICE获取用户名会失败,原因是调用OpenProcess时对这些进程没有权限! 示例代码: #include "stdafx.h" #include "windows.h" #include "psapi.h"
c++r3强杀r0保护进程思路
07-10
你可以使用操作系统提供的函数或API来获取进程ID。 2. 接下来,你可以使用操作系统提供的函数或API来打开目标进程。你可以使用进程ID作为参数来打开进程。 3. 一旦你成功打开了目标进程,你可以使用操作系统提供的...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值