枚举进程与进程加载模块.docx

基于visual c+之windows核心编程代码分析（19）枚举进程以及进程加载模块信息 分类： VC+编程技术 Visual C+2010编程技术 Visual Studio2012 Windows8 信息安全 2011-12-17 12:26 114人阅读 评论(0) 收藏 举报 我们进行Windows安全编程的时候，经常需要检测进程，我们来实践一下枚举进程与进程加载模块。请见代码实现与注释分析。view plaincopy to clipboardprint?1. /*头文件*/2. #include 3. #include 4. #include 5. #include 6. /*预处理声明*/7. #pragmacomment(lib,psapi.lib) 8. /*函数声明*/9. VOIDWINAPIEnumProcess1();10. VOIDWINAPIEnumProcess2();11. VOIDListProcessModules1(DWORDdwPID);12. VOIDListProcessModules2(DWORDdwPID);13. VOIDPrintMemoryInfo(DWORDdwPID);14. VOIDShowProcessMemoryInfo(DWORDdwPID);15. VOIDListHeapInfo(DWORDdwPID);16. VOIDListProcessThreads(DWORDdwPID);17. VOIDPrintError(LPTSTRmsg);18. 19. /*20. *VOIDWINAPIEnumProcess1()21. *功能调用EnumProcesses遍历进程，22. *并调用ListProcessModules1函数和23. *ListProcessThreads函数列举模块和线程24. *25. *无参数，无返回值26. */27. VOIDWINAPIEnumProcess1()28. 29. /假设不超过1024个进程 30. DWORDaProcesses1024,cbNeeded,cProcesses;31. unsignedinti;32. /调用EnumProcesses 33. if(!EnumProcesses(aProcesses,sizeof(aProcesses),&cbNeeded)34. return;35. /进程数 36. cProcesses=cbNeeded/sizeof(DWORD);37. for(i=0;icProcesses;i+)38. 39. /显示进程信息 40. printf(nn*);41. printf(nPROCESS:%unn,aProcessesi);42. printf(n*);43. /列举模块信息和线程信息 44. ListProcessModules1(aProcessesi);45. ListProcessThreads(aProcessesi);46. 47. 48. /*49. *VOIDWINAPIEnumProcess2()50. *功能调用Process32First和Process32Next遍历进程，51. *并调用ListProcessModules2函数列举模块，52. *调用ShowProcessMemoryInfo函数显示内存使用情况53. *54. *无参数，无返回值55. */56. VOIDWINAPIEnumProcess2()57. 58. HANDLEhProcessSnap;59. HANDLEhProcess;60. PROCESSENTRY32pe32;61. DWORDdwPriorityClass;62. /Snapshot 63. hProcessSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);64. if(hProcessSnap=INVALID_HANDLE_VALUE)65. 66. PrintError(CreateToolhelp32Snapshot(ofprocesses);67. return;68. 69. /设置输入参数，结构的大小 70. pe32.dwSize=sizeof(PROCESSENTRY32);71. 72. /开始列举进程 73. if(!Process32First(hProcessSnap,&pe32)74. 75. PrintError(Process32First);/出错信息 76. CloseHandle(hProcessSnap);77. return;78. 79. do80. 81. /打印进程名 82. printf(nn=);83. printf(nPROCESSNAME:%s,pe32.szExeFile);84. printf(n-);85. 86. /获取优先级 87. dwPriorityClass=0;88. hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,pe32.th32ProcessID);89. if(hProcess=NULL)90. PrintError(OpenProcess);91. else92. 93. dwPriorityClass=GetPriorityClass(hProcess);94. if(!dwPriorityClass)95. PrintError(GetPriorityClass);96. CloseHandle(hProcess);97. 98. /打印进程相关信息 99. printf(nprocessID=0x%08X,pe32.th32ProcessID);100. printf(nthreadcount=%d,tThreads);101. printf(nparentprocessID=0x%08X,pe32.th32ParentProcessID);102. printf(nPriorityBase=%d,pe32.pcPriClassBase);103. if(dwPriorityClass)104. printf(nPriorityClass=%d,dwPriorityClass);105. 106. /获取模块信息，显示内存使用情况 107. ListProcessModules2(pe32.th32ProcessID);108. PrintMemoryInfo(pe32.th32ProcessID);109. ListHeapInfo(pe32.th32ProcessID);110. 111. while(Process32Next(hProcessSnap,&pe32);112. 113. CloseHandle(hProcessSnap);/关闭句柄 114. return;115. 116. 117. /*118. *VOIDListProcessModules1(DWORDdwPID)119. *功能调用EnumProcessModules函数120. *列举和显示进程加载的模块121. *122. *参数DWORDdwPID进程PID123. */124. VOIDListProcessModules1(DWORDdwPID)125. 126. HMODULEhMods1024;127. HANDLEhProcess;128. DWORDcbNeeded;129. unsignedinti;130. 131. printf(nListProcessModules1ProcessID%un,dwPID);132. 133. /打开进程，获得句柄 134. hProcess=OpenProcess(PROCESS_QUERY_INFORMATION|135. PROCESS_VM_READ,136. FALSE,dwPID);137. if(NULL=hProcess)138. return;139. /调用EnumProcessModules 140. if(EnumProcessModules(hProcess,hMods,sizeof(hMods),&cbNeeded)141. 142. for(i=0;i31)|(*p=9)355. +p;356. do*p-=0;while(p=sysMsg)&357. (*p=.)|(*p33);358. pr