http://download1.csdn.net/down3/20070616/16081817815.rar
1. Open the target process for injection with OpenProcess
The OpenProcess function returns a handle of an existing process object.
HANDLE OpenProcess(
DWORD dwDesiredAccess, // access flag
BOOL bInheritHandle, // handle inheritance flag
DWORD dwProcessId // process identifier
);
========================================================
hRemoteProcess:=OpenProcess(
PROCESS_CREATE_THREAD or //allow creating a thread in the process
PROCESS_VM_OPERATION or //allow VirtualAllocEx/VirtualProtectEx in the remote address space
PROCESS_VM_WRITE, //allow WriteProcessMemory into the remote address space
False, //handle is not inheritable by child processes
dwRemoteProcessId //PID of the remote (target) process
);
Note: if the remote process cannot be opened (OpenProcess returns 0 and GetLastError gives ERROR_ACCESS_DENIED), the cause is usually insufficient privileges: the target belongs to another user or to SYSTEM, it runs elevated while the caller does not, or it is a protected process. Opening another user's process additionally requires SeDebugPrivilege to be enabled in the caller's token, which needs an administrator account. On Windows Vista and later, CreateRemoteThread also needs PROCESS_QUERY_INFORMATION and PROCESS_VM_READ, so request those as well in a real injector.
The dwProcessId argument can be taken from a TProcessEntry32 record obtained by enumerating processes.
Definition of TProcessEntry32 in Delphi (unit TlHelp32):
TProcessEntry32=tagProcessEntry32;
tagPROCESSENTRY32 = packed record
dwSize: DWORD; // must be set to SizeOf(TProcessEntry32) before calling Process32First
cntUsage: DWORD;
th32ProcessID: DWORD; // this process; this member is what you pass as dwRemoteProcessId
th32DefaultHeapID: DWORD;
th32ModuleID: DWORD; // associated exe
cntThreads: DWORD;
th32ParentProcessID: DWORD; // this process's parent process
pcPriClassBase: Longint; // Base priority of process's threads
dwFlags: DWORD;
szExeFile: array[0..MAX_PATH - 1] of Char; // image file name (not the full path)
end;
2. Create a process snapshot
Takes a snapshot of the processes and the heaps, modules, and threads used by the processes.
HANDLE WINAPI CreateToolhelp32Snapshot(DWORD dwFlags, DWORD th32ProcessID);
Parameters
dwFlags
Flags specifying portions of the system to include in the snapshot. These values are defined:
TH32CS_INHERIT Indicates that the snapshot handle is to be inheritable.
TH32CS_SNAPALL Equivalent to specifying the TH32CS_SNAPHEAPLIST, TH32CS_SNAPMODULE, TH32CS_SNAPPROCESS, and TH32CS_SNAPTHREAD values.
TH32CS_SNAPHEAPLIST Includes the heap list of the specified process in the snapshot.
TH32CS_SNAPMODULE Includes the module list of the specified process in the snapshot.
TH32CS_SNAPPROCESS Includes the Win32 process list in the snapshot. This is the flag used to create the process snapshot in this step.
TH32CS_SNAPTHREAD Includes the Win32 thread list in the snapshot.
th32ProcessID
Process identifier. This parameter can be zero to indicate the current process. This parameter is used when the TH32CS_SNAPHEAPLIST or TH32CS_SNAPMODULE value is specified. Otherwise, it is ignored.
Return Value
Returns an open handle to the specified snapshot if successful, or INVALID_HANDLE_VALUE (that is, -1, not 0) otherwise; the handle must be released with CloseHandle when enumeration is done.
Use this function together with a Process32First / Process32Next loop to fill a TProcessEntry32 record for each process, and from that obtain the process ID.
3. Get process information from the system snapshot
Retrieves information about the first process encountered in a system snapshot.
BOOL WINAPI Process32First(HANDLE hSnapshot, LPPROCESSENTRY32 lppe);
Parameters
hSnapshot
Handle of the snapshot returned from a previous call to the CreateToolhelp32Snapshot function.
lppe
Address of a PROCESSENTRY32 structure.
Return Value
Returns TRUE if the first entry of the process list has been copied to the buffer or FALSE otherwise. The ERROR_NO_MORE_FILES error value is returned by the GetLastError function if no processes exist or the snapshot does not contain process information.
Process32Next: same parameters and return value as Process32First, but retrieves the next process in the snapshot; call it in a loop until it returns FALSE.
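The three steps above put together as one complete console program. This is an added example, not code from the original page or the linked download: it takes a TH32CS_SNAPPROCESS snapshot, walks it with Process32First/Process32Next to find a process by image name, then opens that process with the rights a CreateRemoteThread-based injector needs and reports the Win32 error when OpenProcess fails. The target name "notepad.exe" is a stand-in, and the program assumes it is run from an account that may open the target (enabling SeDebugPrivilege is not done here).

```delphi
program OpenTargetProcess;
{ Added example, not from the original page. Target name below is a stand-in. }

{$APPTYPE CONSOLE}

uses
  SysUtils, Windows, TlHelp32;

{ Walk the process list in a Toolhelp snapshot and return the PID of the
  first process whose image name equals ExeName (case-insensitive).
  Returns 0 when no such process exists. }
function FindProcessId(const ExeName: string): DWORD;
var
  hSnap: THandle;
  pe: TProcessEntry32;
begin
  Result := 0;
  // TH32CS_SNAPPROCESS: process list only; th32ProcessID is ignored for this flag
  hSnap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if hSnap = INVALID_HANDLE_VALUE then   // failure is -1, not 0
    RaiseLastOSError;
  try
    // dwSize must be filled in or Process32First fails with ERROR_INVALID_PARAMETER
    pe.dwSize := SizeOf(pe);
    if Process32First(hSnap, pe) then
      repeat
        if SameText(string(pe.szExeFile), ExeName) then
        begin
          Result := pe.th32ProcessID;
          Break;
        end;
      until not Process32Next(hSnap, pe);
  finally
    CloseHandle(hSnap);
  end;
end;

{ Open the process with the rights needed to allocate memory in it, write to
  that memory and start a thread there. Vista and later also require
  PROCESS_QUERY_INFORMATION and PROCESS_VM_READ for CreateRemoteThread. }
function OpenForInjection(Pid: DWORD): THandle;
const
  INJECT_ACCESS = PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or
                  PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ;
begin
  Result := OpenProcess(INJECT_ACCESS, False, Pid);
end;

var
  Pid: DWORD;
  hProc: THandle;
  Err: DWORD;
begin
  Pid := FindProcessId('notepad.exe');   // stand-in target name
  if Pid = 0 then
  begin
    Writeln('target process not found');
    Exit;
  end;

  hProc := OpenForInjection(Pid);
  if hProc = 0 then
  begin
    Err := GetLastError;
    // ERROR_ACCESS_DENIED (5) is the usual symptom of insufficient rights:
    // another user's process, an elevated process opened from a non-elevated
    // caller, or a protected process.
    Writeln(Format('OpenProcess(%d) failed: %d (%s)',
      [Pid, Err, SysErrorMessage(Err)]));
    Exit;
  end;

  try
    Writeln(Format('opened PID %d, handle %d', [Pid, hProc]));
    // VirtualAllocEx / WriteProcessMemory / CreateRemoteThread would follow here
  finally
    CloseHandle(hProc);
  end;
end.
```

Both handles are closed in finally blocks, so a failed Process32First or a failed OpenProcess does not leak the snapshot handle. When testing from a non-elevated prompt against an elevated target, expect error 5 from OpenProcess even though the PID was found, since the snapshot itself needs no special rights.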