运用CreateProcess()编写小程序

继续VC++6.0下的线程创建，并通过创建的新线程完成对外部程序的调用。一开始，采用的ShellExecut()函数来实现。测试过程中，完成进程创建并成功调用外部程序的调用。然后悲剧发生，360报木马侵袭，工程悲剧被杀…..之后，了解到有种木马采用的技术内部即为ShellExecut()函数，hack将其扩展为ShellExecutHock()函数，不可杀性极强。

通过，研读《windows内核编程》部分章节之后，采用CreateProcess()函数完成上述想要实现功能。CreateProcess()是一个较为复杂的函数（下面对它进行一些我对它了解的阐述）：

BOOL CreateProcess(
  LPCTSTR lpApplicationName,                 // name of executable module
  LPTSTR lpCommandLine,                      // command line string
  LPSECURITY_ATTRIBUTES lpProcessAttributes, // SD
  LPSECURITY_ATTRIBUTES lpThreadAttributes,  // SD
  BOOL bInheritHandles,                      // handle inheritance option
  DWORD dwCreationFlags,                     // creation flags
  LPVOID lpEnvironment,                      // new environment block
  LPCTSTR lpCurrentDirectory,                // current directory name
  LPSTARTUPINFO lpStartupInfo,               // startup information
  LPPROCESS_INFORMATION lpProcessInformation // process information
);

此函数可传参数多达10个不止，其中简单运用时关注两参数即可以为lpApplicationName与lpCommandLine。后两个参数传递，只要传为相应的结构体即可。以及dwCreationFlags为其它用途是将其赋值为0较为安全。下附上我写的一个简单示例：

// Create_Process.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <stdlib.h>
#include <tchar.h>
#include <conio.h>
#include <windows.h>

void Author_Information(void);

int main(int argc, char* argv[])
{
Main_t:

	STARTUPINFO si;
	PROCESS_INFORMATION pi;

	char  commanline[40];
	char  Inch;
	char  cnt = 0;
	char  *pComman;

	printf("The Application program actual address:");
	while ((Inch=getchar())!='\n') 
		commanline[cnt++] = Inch;
	commanline[cnt] = '\0';
	pComman = commanline;

	ZeroMemory((&si),sizeof(si));
	si.cb = sizeof(si);
	si.dwFlags = STARTF_FORCEONFEEDBACK;
	ZeroMemory((&pi),sizeof(pi));

	TCHAR *szCommanLine = TEXT(pComman);

	if (!CreateProcess(NULL,
		szCommanLine,
		NULL,
		NULL,
		FALSE,
		0,
		NULL,
		NULL,
		&si,
		&pi)
		)
	{
		char ch;
		printf("Create Process false:%d\n",GetLastError());
		printf("Do you want try agin?(Y/N)");
		ch = getchar();
		if (ch=='Y')
		{
			CloseHandle(pi.hProcess);
			CloseHandle(pi.hThread);
			system("cls");
			goto Main_t;
		}
	}
	else
	{
		printf("The application program you want already execute.....\n");
		//wait for the process exits.
		WaitForSingleObject(pi.hProcess,INFINITE);
		printf("The program is closing....\n");
		//close the process and thread handles.
		CloseHandle(pi.hProcess);
		CloseHandle(pi.hThread);
	
		system("cls");
		goto Main_t;
	}
	return 0;
}

下面一个为写好的小程序，下载地址为：http://download.csdn.net/detail/toraloo/4846192

PS：此小程序实现思路与上述一样。