-
-
[建议]遍历系统的几种方法
-
发表于: 2013-9-26 21:48
-
这几天因为需要研究了一下遍历系统进程的方式,在网上找了几种方法,这里总结放到一起方便需要的人。
找方法的时候忘了把作者记下来,因此没有写出每种方法的作者。
原作者看到不要告我侵权啊
//////////////////////////////////////////////////////////////////////////
通过系统快照的方式遍历系统进程
#include <stdio.h>
#include <windows.h>
#include <TlHelp32.h>
int main(void)
{
PROCESSENTRY32 pe32;
//在使用这个结构之前,先设置它的大小
pe32.dwSize = sizeof(pe32);
//给系统内的所有进程拍一个快照
HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if (hProcessSnap == INVALID_HANDLE_VALUE)
{
printf("CreateToolhelp32Snapshot调用失败!\n");
return -1;
}
//遍历进程快照,轮流显示第个进程的信息
BOOL bResult = Process32First(hProcessSnap,&pe32);
while(bResult)
{
printf("进程名称: %s",pe32.szExeFile);
printf("ID号: %u\n",pe32.th32ProcessID);
bResult = Process32Next(hProcessSnap,&pe32);
}
CloseHandle(hProcessSnap);
return 0;
}
//////////////////////////////////////////////////////////////////////////
通过EnumProcesses获得系统进程
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#include "psapi.h"
//添加连接库
#pragma comment(lib,"psapi.lib")
void PrintProcessNameAndID( DWORD processID )
{
TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");
// Get a handle to the process.
HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,FALSE,
processID );
// Get the process name.
if (NULL != hProcess )
{
HMODULE hMod;
DWORD cbNeeded;
// 枚举进程模块信息
if ( EnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded) )
{
//GetModleFileName返回进程名包含路径
//GetModuleBaseName返回进程名不包含路径
//通过进程句柄 获取进程名 // 取得主模块全名,每个进程的第一模块
即为进程主模块
GetModuleBaseName( hProcess, hMod, szProcessName, sizeof
(szProcessName)/sizeof(TCHAR) );
}
}
// Print the process name and identifier.
_tprintf( TEXT("%s (PID: %u)\n"), szProcessName, processID );
CloseHandle( hProcess );
}
void main( )
{
// Get the list of process identifiers.
DWORD aProcesses[1024], cbNeeded, cProcesses;
unsigned int i;
if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
return;
// Calculate how many process identifiers were returned.
cProcesses = cbNeeded / sizeof(DWORD);
// Print the name and process identifier for each process.
for ( i = 0; i < cProcesses; i++ )
if( aProcesses[i] != 0 )
PrintProcessNameAndID(aProcesses[i]);
}
//////////////////////////////////////////////////////////////////////////
遍历EPROCESS结构中的 ActiveProcessLinks 获得系统中进程
当然还有很多还可以通过EPROCESS获得系统进程进程的方法和这个类似就不一一写出了,感兴趣的可以
自己研究一下,隐藏进程也可以通过EPROCESS实现
#include <ntddk.h>
#define EPROCESS_ACTIVELIST_OFFSET 0x88 //活动进程链
#define EPROCESS_PID_OFFSET 0x84 //PID了
#define EPROCESS_IMAGENAME_OFFSET 0x174 //映像名称
#define EPROCESS_FLINK_OFFSET 0x88 //双链表的前向指针
#define EPROCESS_BLINK_OFFSET 0x8C //双链表的后向指针
VOID ShowEPROCESS(void)
{
DWORD EProcess,FirstEProcess;
LIST_ENTRY* ActiveProcessLinks;
DWORD pid,dwCount=0;
PUCHAR pImage;
PPROCESS_INFO ProcessInfo={0};
//使用PsGetCurrentProcess得到EPROCESS
EProcess=FirstEProcess=(DWORD)PsGetCurrentProcess();
//pid=*(DWORD*)((char*)EProcess+EPROCESS_PID_OFFSET);
__try {
while ( EProcess!= 0)
{
dwCount++;
pid= *( (DWORD*)( EProcess + EPROCESS_PID_OFFSET ) );
pImage= (PUCHAR)( EProcess + EPROCESS_IMAGENAME_OFFSET ) ;
DbgPrint ( "[Pid=%8d] EProcess=0x%08X %s\n", pid, EProcess, pImage)
;
ActiveProcessLinks = (LIST_ENTRY*) ( EProcess +
EPROCESS_FLINK_OFFSET ) ;
EProcess = (DWORD)ActiveProcessLinks->Flink - EPROCESS_FLINK_OFFSET
;
if ( EProcess == FirstEProcess )
break ;
}
DbgPrint ( "ProcessCount = %d\n", dwCount ) ;
}
__except ( 1 ) {
DbgPrint ( "EnumProcessList exception !" ) ;
}
}
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
DbgPrint("Goodbye world!\n");
}
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT pDriverObject,
IN PUNICODE_STRING pRegistryPath)
{
ShowEPROCESS();
pDriverObject->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
}
找方法的时候忘了把作者记下来,因此没有写出每种方法的作者。
原作者看到不要告我侵权啊//////////////////////////////////////////////////////////////////////////
通过系统快照的方式遍历系统进程
#include <stdio.h>
#include <windows.h>
#include <TlHelp32.h>
int main(void)
{
PROCESSENTRY32 pe32;
//在使用这个结构之前,先设置它的大小
pe32.dwSize = sizeof(pe32);
//给系统内的所有进程拍一个快照
HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if (hProcessSnap == INVALID_HANDLE_VALUE)
{
printf("CreateToolhelp32Snapshot调用失败!\n");
return -1;
}
//遍历进程快照,轮流显示第个进程的信息
BOOL bResult = Process32First(hProcessSnap,&pe32);
while(bResult)
{
printf("进程名称: %s",pe32.szExeFile);
printf("ID号: %u\n",pe32.th32ProcessID);
bResult = Process32Next(hProcessSnap,&pe32);
}
CloseHandle(hProcessSnap);
return 0;
}
//////////////////////////////////////////////////////////////////////////
通过EnumProcesses获得系统进程
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#include "psapi.h"
//添加连接库
#pragma comment(lib,"psapi.lib")
void PrintProcessNameAndID( DWORD processID )
{
TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");
// Get a handle to the process.
HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,FALSE,
processID );
// Get the process name.
if (NULL != hProcess )
{
HMODULE hMod;
DWORD cbNeeded;
// 枚举进程模块信息
if ( EnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded) )
{
//GetModleFileName返回进程名包含路径
//GetModuleBaseName返回进程名不包含路径
//通过进程句柄 获取进程名 // 取得主模块全名,每个进程的第一模块
即为进程主模块
GetModuleBaseName( hProcess, hMod, szProcessName, sizeof
(szProcessName)/sizeof(TCHAR) );
}
}
// Print the process name and identifier.
_tprintf( TEXT("%s (PID: %u)\n"), szProcessName, processID );
CloseHandle( hProcess );
}
void main( )
{
// Get the list of process identifiers.
DWORD aProcesses[1024], cbNeeded, cProcesses;
unsigned int i;
if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
return;
// Calculate how many process identifiers were returned.
cProcesses = cbNeeded / sizeof(DWORD);
// Print the name and process identifier for each process.
for ( i = 0; i < cProcesses; i++ )
if( aProcesses[i] != 0 )
PrintProcessNameAndID(aProcesses[i]);
}
//////////////////////////////////////////////////////////////////////////
遍历EPROCESS结构中的 ActiveProcessLinks 获得系统中进程
当然还有很多还可以通过EPROCESS获得系统进程进程的方法和这个类似就不一一写出了,感兴趣的可以
自己研究一下,隐藏进程也可以通过EPROCESS实现
#include <ntddk.h>
#define EPROCESS_ACTIVELIST_OFFSET 0x88 //活动进程链
#define EPROCESS_PID_OFFSET 0x84 //PID了
#define EPROCESS_IMAGENAME_OFFSET 0x174 //映像名称
#define EPROCESS_FLINK_OFFSET 0x88 //双链表的前向指针
#define EPROCESS_BLINK_OFFSET 0x8C //双链表的后向指针
VOID ShowEPROCESS(void)
{
DWORD EProcess,FirstEProcess;
LIST_ENTRY* ActiveProcessLinks;
DWORD pid,dwCount=0;
PUCHAR pImage;
PPROCESS_INFO ProcessInfo={0};
//使用PsGetCurrentProcess得到EPROCESS
EProcess=FirstEProcess=(DWORD)PsGetCurrentProcess();
//pid=*(DWORD*)((char*)EProcess+EPROCESS_PID_OFFSET);
__try {
while ( EProcess!= 0)
{
dwCount++;
pid= *( (DWORD*)( EProcess + EPROCESS_PID_OFFSET ) );
pImage= (PUCHAR)( EProcess + EPROCESS_IMAGENAME_OFFSET ) ;
DbgPrint ( "[Pid=%8d] EProcess=0x%08X %s\n", pid, EProcess, pImage)
;
ActiveProcessLinks = (LIST_ENTRY*) ( EProcess +
EPROCESS_FLINK_OFFSET ) ;
EProcess = (DWORD)ActiveProcessLinks->Flink - EPROCESS_FLINK_OFFSET
;
if ( EProcess == FirstEProcess )
break ;
}
DbgPrint ( "ProcessCount = %d\n", dwCount ) ;
}
__except ( 1 ) {
DbgPrint ( "EnumProcessList exception !" ) ;
}
}
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
DbgPrint("Goodbye world!\n");
}
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT pDriverObject,
IN PUNICODE_STRING pRegistryPath)
{
ShowEPROCESS();
pDriverObject->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
