
WIN 9X下查找隐藏进程实现方法


发布日期:2021/7/21
 

在 WIN 9X 下，一些黑客工具利用了未公开的 API 函数实现了隐藏自身、不在任务列表中出现的功能。要把它们找出来，同样需要用到 TOOLHELP 系列函数（本文通过 GetProcAddress 在运行时取得）；因操作系统不同，NT 下遍历进程则用 PSAPI 函数来实现。需要注意：两种方法都只是在用户态调用系统 API，能找到的是仅从任务列表中隐藏的进程；若这些 API 在本进程内已被挂钩，或进程已从内核的进程链表中摘除，则仍然查不到，结果只能作为一种视图而非结论。下面给出完整实例。

Process.h

//

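#ifndef Unit1H
#define Unit1H
//---------------------------------------------------------------------------
#include <windows.h>      // HANDLE, DWORD, TCHAR, MAX_PATH, WINAPI used below
#include <Classes.hpp>
#include <Controls.hpp>
#include <StdCtrls.hpp>
#include <Forms.hpp>
//---------------------------------------------------------------------------
// Snapshot flag for CreateToolhelp32Snapshot: include the process list.
// Same value as TH32CS_SNAPPROCESS in <tlhelp32.h>; defined here because the
// ToolHelp32 API is resolved at run time instead of through the SDK header.
#define THCS_SNAPPROCESS 0x00000002
// Capacity of the process-handle / process-id tables in Process.cpp.  The
// enumeration loops stop at this many entries; raise it if a machine runs
// more processes than this.  (The numeric value did not survive in the
// printed listing; 1024 is a generous bound for the systems targeted.)
#define PROCESS_HANDLE_NAME 1024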

//

// Local copy of the ToolHelp32 PROCESSENTRY32 record, declared here instead
// of including <tlhelp32.h> because the ToolHelp32 functions are resolved at
// run time.  Field order and sizes must stay exactly as in the SDK header:
// the OS writes this record directly.
// NOTE(review): later SDKs declare th32DefaultHeapID/th32ModuleID as
// ULONG_PTR, so this DWORD layout only matches on a 32-bit build -- which is
// what a 9x/NT program is.  Confirm before building this for Win64.
typedef struct tagPROCESSENTRY
{
    DWORD dwSize;              // must be set to sizeof(PROCESSENTRY) before Process32First
    DWORD cntUsage;
    DWORD thProcessID;         // process ID
    DWORD thDefaultHeapID;
    DWORD thModuleID;
    DWORD cntThreads;
    DWORD thParentProcessID;
    LONG pcPriClassBase;
    DWORD dwFlags;
    TCHAR szExeFile[MAX_PATH]; // executable file name
} PROCESSENTRY;
typedef PROCESSENTRY * LPPROCESSENTRY;

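// Function pointers resolved at run time from KERNEL32.DLL (ToolHelp32).
// They are obtained with GetProcAddress rather than linked statically so the
// same executable still loads on an NT build whose KERNEL32 lacks these
// exports.  The exported names carry a "32" these local names omit.
// NOTE(review): these are definitions, not declarations.  If this header is
// ever included from a second .cpp they become duplicate symbols at link
// time; the fix is `extern` here plus one definition in Process.cpp.
HANDLE (WINAPI *CreateToolhelpSnapshot)(DWORD dwFlags, DWORD th32ProcessID);
BOOL (WINAPI *ProcessFirst)(HANDLE hSnapshot, LPPROCESSENTRY pe);
BOOL (WINAPI *ProcessNext)(HANDLE hSnapshot, LPPROCESSENTRY pe);
// Function pointers resolved at run time from PSAPI.DLL (Windows NT).
// cbNeeded is a byte count, not a number of entries.
BOOL (WINAPI *EnumProcesses)(DWORD *lpidProcess, DWORD cb, DWORD *cbNeeded);
// The "A" export writes ANSI characters; this program is an ANSI build
// (TCHAR == char), so the LPTSTR buffer type is consistent with that.
DWORD (WINAPI *GetModuleFileNameExA)(HANDLE hProcess, HMODULE hModule, LPTSTR lpstrFileName, DWORD nSize);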

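// Main (and only) form: one button that refreshes the process list and a
// list box that shows one line per process found.
class TForm1 : public TForm
{
__published:    // IDE-managed Components
    TButton *FindAllProcessFileName;   // "find all processes" button
    TListBox *ListBox;                 // one line per process
    void __fastcall FindAllProcessFileNameClick(TObject *Sender);
    void __fastcall FormResize(TObject *Sender);   // body not included in the printed listing
    void __fastcall ButtonClick(TObject *Sender);  // body not included in the printed listing
    void __fastcall ListBoxClick(TObject *Sender);
private:        // User declarations
public:         // User declarations
    __fastcall TForm1(TComponent* Owner);
};
//---------------------------------------------------------------------------
extern PACKAGE TForm1 *Form;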

//

#endif

Process.cpp

//

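#include <vcl.h>
#pragma hdrstop

#include "Unit1.h"   // the form header (captioned Process.h in the article)
//---------------------------------------------------------------------------
#pragma package(smart_init)
#pragma resource "*.dfm"
// The single form instance created by the VCL at start-up.
TForm1 *Form;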

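// Module-level state shared by the enumeration code and the other handlers.
// process[k] holds the handle opened for the k-th entry added to the list
// box (NULL when OpenProcess failed); keeping the two in step is presumably
// what lets a handler not shown here act on the selected entry by index.
HANDLE process[PROCESS_HANDLE_NAME];
PROCESSENTRY p;                          // current ToolHelp32 record (Win9x path)
DWORD process_ids[PROCESS_HANDLE_NAME];  // PIDs returned by EnumProcesses (NT path)
DWORD num_processes;                     // bytes written by EnumProcesses, NOT a PID count
TCHAR file_name[MAX_PATH];               // scratch buffer for GetModuleFileNameExA
TCHAR class_name[MAX_PATH];              // unused in this listing; presumably used by a handler not shown
unsigned i;                              // number of entries currently held in process[]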

//

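// Resolve the ToolHelp32 entry points from KERNEL32.DLL.
// Returns TRUE when all three pointers are usable, FALSE otherwise.
// KERNEL32 is mapped into every Win32 process for its whole lifetime, so the
// module reference taken here is never released on success; the pointers
// must stay valid for as long as the program runs.
BOOL InitToolHelp()
{
    // Already resolved by an earlier click: do not bump the module
    // reference count again each time the button is pressed.
    if (CreateToolhelpSnapshot != NULL && ProcessFirst != NULL && ProcessNext != NULL)
        return TRUE;

    HINSTANCE kernel = LoadLibrary("KERNEL32.DLL");
    if (kernel == NULL)
        return FALSE;

    // The exported names carry the "32" the local pointer names omit.
    CreateToolhelpSnapshot = (HANDLE (WINAPI *)(DWORD, DWORD))
        GetProcAddress(kernel, "CreateToolhelp32Snapshot");
    ProcessFirst = (BOOL (WINAPI *)(HANDLE, LPPROCESSENTRY))
        GetProcAddress(kernel, "Process32First");
    ProcessNext = (BOOL (WINAPI *)(HANDLE, LPPROCESSENTRY))
        GetProcAddress(kernel, "Process32Next");

    if (CreateToolhelpSnapshot == NULL || ProcessFirst == NULL || ProcessNext == NULL)
    {
        // Leave no half-initialised set behind: a later caller must never
        // find two valid pointers and one NULL.
        CreateToolhelpSnapshot = NULL;
        ProcessFirst = NULL;
        ProcessNext = NULL;
        FreeLibrary(kernel);
        return FALSE;
    }
    return TRUE;
}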

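// Resolve EnumProcesses and GetModuleFileNameExA from PSAPI.DLL (Windows NT).
// Returns TRUE when both pointers are usable, FALSE otherwise.
// NOTE(review): PSAPI.DLL is loaded by bare name, so the normal DLL search
// order applies and a psapi.dll planted in the application directory would
// be loaded ahead of the system copy.  On NT 4 PSAPI was a redistributable
// rather than a system component, which is why the path is not pinned to
// the system directory here; pin it with GetSystemDirectory() if NT 4
// support is not needed.
BOOL InitPSAPI()
{
    if (EnumProcesses != NULL && GetModuleFileNameExA != NULL)
        return TRUE;

    HINSTANCE psapi = LoadLibrary("PSAPI.DLL");
    if (psapi == NULL)
        return FALSE;

    EnumProcesses = (BOOL (WINAPI *)(DWORD *, DWORD, DWORD *))
        GetProcAddress(psapi, "EnumProcesses");
    GetModuleFileNameExA = (DWORD (WINAPI *)(HANDLE, HMODULE, LPTSTR, DWORD))
        GetProcAddress(psapi, "GetModuleFileNameExA");

    // The printed listing tested GetModuleFileName -- the KERNEL32 import,
    // which is never NULL -- instead of the pointer just resolved, so a
    // missing export would only have surfaced as a call through NULL.
    if (EnumProcesses == NULL || GetModuleFileNameExA == NULL)
    {
        EnumProcesses = NULL;
        GetModuleFileNameExA = NULL;
        FreeLibrary(psapi);
        return FALSE;
    }
    return TRUE;
}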

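// Constructor: nothing beyond what the VCL base class and the .dfm stream
// set up.  (The listing printed the class as TForm, i.e. deriving from
// itself; TForm1 is the form class declared in the header.)
__fastcall TForm1::TForm1(TComponent* Owner)
    : TForm(Owner)
{
}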

//

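// Close every handle stored by a previous enumeration so that repeated
// clicks do not leak one handle per listed process per click.
static void ReleaseProcessHandles()
{
    for (unsigned k = 0; k < i && k < PROCESS_HANDLE_NAME; k++)
    {
        if (process[k] != NULL)
        {
            CloseHandle(process[k]);
            process[k] = NULL;
        }
    }
    i = 0;
}

// Windows 9x: walk a ToolHelp32 process snapshot.  Returns FALSE only when
// the snapshot itself could not be taken.  Every record is added to the list
// box and its handle (or NULL) stored at the same index in process[].
static BOOL ListProcessesToolHelp(TListBox *list)
{
    HANDLE snap = CreateToolhelpSnapshot(THCS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE)
        return FALSE;

    p.dwSize = sizeof(PROCESSENTRY);   // required before the first call
    BOOL more = ProcessFirst(snap, &p);
    while (more && i < PROCESS_HANDLE_NAME)
    {
        list->Items->Add(p.szExeFile);
        // PROCESS_TERMINATE is far more than listing needs; it is kept
        // because the stored handle is presumably what a later action on
        // the selected entry (a handler not shown here) uses.
        process[i] = OpenProcess(PROCESS_TERMINATE, FALSE, p.thProcessID);
        i++;
        more = ProcessNext(snap, &p);
    }
    // If 'more' is still TRUE here the table filled up and the remaining
    // processes were not shown.
    CloseHandle(snap);
    return TRUE;
}

// Windows NT: enumerate PIDs with PSAPI and resolve each to a module path.
// Returns FALSE when EnumProcesses fails.  A PID whose process cannot be
// opened or named (the System process, other users' processes without
// SeDebugPrivilege) is still listed by number: the list box index must keep
// matching process[], and a hidden-process finder must not itself drop
// processes from the view.
static BOOL ListProcessesPsapi(TListBox *list)
{
    if (!EnumProcesses(process_ids, sizeof(process_ids), &num_processes))
        return FALSE;
    // EnumProcesses reports bytes, not entries.  If it filled the whole
    // array there may be more processes than process_ids can hold.
    DWORD count = num_processes / sizeof(DWORD);
    if (count > PROCESS_HANDLE_NAME)
        count = PROCESS_HANDLE_NAME;

    for (i = 0; i < count; i++)
    {
        process[i] = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                 FALSE, process_ids[i]);
        if (process[i] != NULL &&
            GetModuleFileNameExA(process[i], NULL, file_name, sizeof(file_name)))
        {
            file_name[MAX_PATH - 1] = '\0';   // termination is not guaranteed on truncation
            list->Items->Add(file_name);
        }
        else
        {
            // No name available: show the PID so the entry is not lost.
            list->Items->Add(AnsiString("<pid ") + AnsiString(process_ids[i]) + ">");
        }
    }
    return TRUE;
}

// Button handler: refresh the list box with every process the OS will report.
// Win9x uses a ToolHelp32 snapshot, NT uses PSAPI.  Both are user-mode
// enumeration paths, so this reveals processes that only hide from the task
// list (on 9x typically via the undocumented RegisterServiceProcess); it
// cannot see a process that has hooked these APIs inside this process or
// unlinked itself from the kernel's process list.  Treat the result as one
// view, not as proof of absence.
void __fastcall TForm1::FindAllProcessFileNameClick(TObject *Sender)
{
    OSVERSIONINFO osinfo;
    osinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    // Only dwPlatformId is consulted, which later Windows versions still
    // report as VER_PLATFORM_WIN32_NT even where GetVersionEx is deprecated.
    if (!GetVersionEx(&osinfo))
        return;

    // Drop the previous click's handles and entries together so the list
    // never points at closed handles.
    ReleaseProcessHandles();
    ListBox->Clear();

    switch (osinfo.dwPlatformId)
    {
    case VER_PLATFORM_WIN32_WINDOWS:
        if (!InitToolHelp())
        {
            ShowMessage("初始化TOOLHELP失败");
            break;
        }
        ListProcessesToolHelp(ListBox);
        break;

    case VER_PLATFORM_WIN32_NT:
        if (!InitPSAPI())
        {
            ShowMessage("初始化PSAPI失败");
            break;
        }
        ListProcessesPsapi(ListBox);
        break;
    }
}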

//

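// Mirror the selected entry into the list box hint (a full path is often
// wider than the box).  ItemIndex is -1 when nothing is selected, and
// indexing Strings with -1 raises an exception, so bail out in that case.
void __fastcall TForm1::ListBoxClick(TObject *Sender)
{
    int selected = ListBox->ItemIndex;
    if (selected < 0)
        return;
    ListBox->Hint = ListBox->Items->Strings[selected];
}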

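//---------------------------------------------------------------------------
// NOTE(review): the printed listing ended with an orphaned fragment here,
//     else ShowMessage("初始化TOOLHELP失败");
//     }
// outside any function.  It is the failure branch of the if(InitToolHelp())
// test in FindAllProcessFileNameClick and belongs inside that handler; as
// printed at file scope it cannot compile, so it is recorded here as a
// comment rather than as code.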
