Windows核心编程ProcessInfo.cpp修改版
发表于: 2006-1-11 20:32 6901
原版宏太多,让我等菜鸟难以理解,修改一下吧.
Jeffrey Richter别生气.
/******************************************************************************
Module: ProcessInfo.cpp
Notices: Copyright (c) 2000 Jeffrey Richter
******************************************************************************/
#include <windowsx.h>
#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <stdarg.h>
#include <stdio.h>
#include "resource.h"
//////////////////////////////////////////////////////////////////////////////////////
// Enumerate the processes of the global snapshot (m_hSnapshot); both skip
// the PID 0 "[System Process]" pseudo-entry.
BOOL ProcessFirst(PPROCESSENTRY32 ppe);
BOOL ProcessNext(PPROCESSENTRY32 ppe);
// Replace the global snapshot with a new Toolhelp snapshot; dwFlags == 0
// leaves it invalid. Returns whether a snapshot now exists.
BOOL CreateSnapshot(DWORD dwFlags, DWORD dwProcessID );
// Read a remote module's DOS/NT headers and return its preferred ImageBase
// (NULL when the headers are not valid).
PVOID GetModulePreferredBaseAddr(DWORD dwProcessId, PVOID pvModuleRemote);
// Append printf-style formatted text to the window's current text.
void AddText(HWND hwnd, PCTSTR pszFormat, ...);
// Count the heap-list entries of the global snapshot.
int HowManyHeaps() ;
///////////////////////////////////////////////////////////////////////////////////////
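// Global Toolhelp snapshot handle shared by the enumeration helpers below.
// Start it at INVALID_HANDLE_VALUE so the "no snapshot" sentinel used by
// CreateSnapshot() already holds before the first snapshot is taken (a
// zero-initialized HANDLE would be NULL, which that sentinel check misses).
HANDLE m_hSnapshot = INVALID_HANDLE_VALUE;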
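PVOID GetModulePreferredBaseAddr(DWORD dwProcessId, PVOID pvModuleRemote) {
    // Returns the preferred load address (OptionalHeader.ImageBase) of a
    // module mapped in process dwProcessId, or NULL when either header cannot
    // be read or is not a valid DOS/PE pair. Both reads are checked: the
    // original compared the local header structs even when the read had
    // failed, i.e. while they were still uninitialized.
    IMAGE_DOS_HEADER idh;
    IMAGE_NT_HEADERS inth;

    // Read the remote module's DOS header
    if (!Toolhelp32ReadProcessMemory(dwProcessId, pvModuleRemote, &idh, sizeof(idh), NULL)) {
        return NULL;
    }

    // Verify the DOS image header. e_lfanew is a LONG; a negative offset
    // would move the NT-header read before the module base, so reject it.
    if (idh.e_magic != IMAGE_DOS_SIGNATURE || idh.e_lfanew < 0) {
        return NULL;
    }

    // Read the remote module's NT header
    if (!Toolhelp32ReadProcessMemory(dwProcessId,
            (PBYTE) pvModuleRemote + idh.e_lfanew, &inth, sizeof(inth), NULL)) {
        return NULL;
    }

    // Verify the NT image header
    if (inth.Signature != IMAGE_NT_SIGNATURE) {
        return NULL;
    }

    // This is a valid NT header, get the image's preferred base address
    return (PVOID) inth.OptionalHeader.ImageBase;
}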
int HowManyHeaps() {
    // Walks the heap list of the global snapshot and returns the number of
    // entries it contains (zero when the snapshot has no heap list).
    HEAPLIST32 heapList = { sizeof(heapList) };
    int count = 0;
    BOOL more = Heap32ListFirst(m_hSnapshot, &heapList);
    while (more) {
        ++count;
        more = Heap32ListNext(m_hSnapshot, &heapList);
    }
    return count;
}
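void AddText(HWND hwnd, PCTSTR pszFormat, ...) {
    // Appends printf-style text to the window's existing text.
    // The original formatted with an unbounded _vstprintf into the fixed
    // buffer; the tail is now bounded by the space left after the current
    // text, and the buffer is always NUL-terminated even when truncated.
    TCHAR sz[20 * 1024];
    const int cchBuf = sizeof(sz) / sizeof(sz[0]);

    // GetWindowText returns the number of characters copied (0 on failure),
    // which is exactly where the appended text starts. It never returns
    // more than cchBuf - 1, so at least one character is always available.
    int cchUsed = GetWindowText(hwnd, sz, cchBuf);

    va_list argList;                 // walks the variadic arguments
    va_start(argList, pszFormat);    // argList points at the first argument after pszFormat
    // _vsntprintf does not guarantee termination when the output is cut off;
    // the explicit terminator below covers that case.
    _vsntprintf(sz + cchUsed, cchBuf - cchUsed, pszFormat, argList);
    va_end(argList);                 // release argList
    sz[cchBuf - 1] = TEXT('\0');

    SetWindowText(hwnd, sz);
}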
BOOL ProcessFirst(PPROCESSENTRY32 ppe) {
    // Positions ppe on the first process of the global snapshot. The
    // "[System Process]" pseudo-entry (PID 0) is skipped by deferring to
    // ProcessNext, so callers never see it.
    BOOL found = Process32First(m_hSnapshot, ppe);
    if (!found || ppe->th32ProcessID != 0) {
        return found;
    }
    return ProcessNext(ppe);
}
BOOL ProcessNext(PPROCESSENTRY32 ppe) {
    // Advances ppe to the next process of the global snapshot, skipping any
    // PID 0 "[System Process]" entry. Iterative form of the original
    // self-recursive skip; the observable result is the same.
    BOOL more;
    do {
        more = Process32Next(m_hSnapshot, ppe);
    } while (more && ppe->th32ProcessID == 0);
    return more;
}
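BOOL CreateSnapshot(DWORD dwFlags, DWORD dwProcessID ) {
    // Replaces the global snapshot with a new Toolhelp snapshot and returns
    // whether one now exists. The previous snapshot is closed first: the
    // original reset m_hSnapshot to INVALID_HANDLE_VALUE *before* that check,
    // which made the CloseHandle unreachable and leaked every earlier
    // snapshot handle. NULL is also treated as "no snapshot" because a
    // zero-initialized global HANDLE is NULL rather than INVALID_HANDLE_VALUE.
    if (m_hSnapshot != INVALID_HANDLE_VALUE && m_hSnapshot != NULL) {
        CloseHandle(m_hSnapshot);
    }

    // dwFlags == 0 means "no snapshot": leave the handle invalid.
    m_hSnapshot = (dwFlags == 0)
        ? INVALID_HANDLE_VALUE
        : CreateToolhelp32Snapshot(dwFlags, dwProcessID);

    return (m_hSnapshot != INVALID_HANDLE_VALUE);
}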
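VOID Dlg_PopulateProcessList(HWND hwnd) {
    // Fills the IDC_RESULTS combo box with one "name (0xPID)" entry per
    // process of a fresh snapshot, stores each PID as the item data, selects
    // the first entry and forwards a CBN_SELCHANGE so the details are shown.
    // Redraw is suspended while the list is rebuilt and restored on every
    // path, including a failed snapshot.
    HWND hwndList = GetDlgItem(hwnd, IDC_RESULTS);
    SendMessage(hwndList, WM_SETREDRAW, (WPARAM) FALSE, 0L);   // SetWindowRedraw(hwndList, FALSE)
    SendMessage(hwndList, CB_RESETCONTENT, 0L, 0L);            // ComboBox_ResetContent(hwndList)

    // The original ignored the result of CreateSnapshot; a failed snapshot
    // now simply leaves the list empty instead of enumerating an invalid handle.
    if (CreateSnapshot(TH32CS_SNAPPROCESS, 0)) {
        PROCESSENTRY32 pe = { sizeof(pe) };
        for (BOOL fOk = ProcessFirst(&pe); fOk; fOk = ProcessNext(&pe)) {
            TCHAR sz[1024];
            // Place the process name (without its path) & ID in the list
            PCTSTR pszExeFile = _tcsrchr(pe.szExeFile, TEXT('\\'));
            if (pszExeFile == NULL) {
                pszExeFile = pe.szExeFile;
            } else {
                pszExeFile++; // Skip over the slash
            }
            wsprintf(sz, TEXT("%s (0x%08X)"), pszExeFile, pe.th32ProcessID);

            // CB_ADDSTRING returns CB_ERR / CB_ERRSPACE on failure; the
            // original stored that negative value into an int and used it as
            // the item index.
            LRESULT n = SendMessage(hwndList, CB_ADDSTRING, 0L, (LPARAM) sz); // ComboBox_AddString
            if (n >= 0) {
                // Associate the process ID with the added item
                SendMessage(hwndList, CB_SETITEMDATA, (WPARAM) n, (LPARAM) pe.th32ProcessID);
            }
        }
    }

    SendMessage(hwndList, CB_SETCURSEL, (WPARAM) 0, 0L); // Select the first entry
    // Simulate the user selecting this first item so that the
    // results pane shows something interesting
    SendMessage(hwnd, WM_COMMAND, MAKEWPARAM((UINT) IDC_RESULTS, (UINT) CBN_SELCHANGE), (LPARAM) hwndList);

    SendMessage(hwndList, WM_SETREDRAW, (WPARAM) TRUE, 0L);    // SetWindowRedraw(hwndList, TRUE)
    InvalidateRect(hwndList, NULL, FALSE);
}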
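BOOL EnableDebugPrivilege(BOOL fEnable) {
    // Enabling the debug privilege allows the application to see
    // information about service applications; fEnable == FALSE drops it
    // again. Returns TRUE only when the privilege was actually adjusted.
    // The original ignored the results of LookupPrivilegeValue and
    // AdjustTokenPrivileges and read GetLastError() after the unchecked call.
    BOOL fOk = FALSE; // Assume function fails
    HANDLE hToken;

    // Open this process's access token for privilege adjustment
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        return FALSE;
    }

    // Attempt to modify the "Debug" privilege
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
        tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;
        // AdjustTokenPrivileges can return TRUE while adjusting nothing (the
        // token does not hold the privilege); that case is only reported via
        // GetLastError() == ERROR_NOT_ALL_ASSIGNED, so both must be checked.
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)) {
            fOk = (GetLastError() == ERROR_SUCCESS);
        }
    }

    CloseHandle(hToken);
    return fOk;
}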
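// Clamps a thread's effective priority (base + delta) into the band its base
// priority belongs to: 1..15 when the base is below 16, 16..31 otherwise.
// Same four clamp checks the original applied inline.
static int EffectiveThreadPriority(LONG basePri, LONG deltaPri) {
    int nPriority = (int) (basePri + deltaPri);
    if (basePri < 16) {
        if (nPriority > 15) nPriority = 15;
        if (nPriority < 1)  nPriority = 1;
    } else {
        if (nPriority > 31) nPriority = 31;
        if (nPriority < 16) nPriority = 16;
    }
    return nPriority;
}

// Prints the process row (file name, PID, parent PID, priority class, thread
// and heap counts) for dwProcessID from the global snapshot.
static void ShowProcessDetails(HWND hwnd, DWORD dwProcessID) {
    PROCESSENTRY32 pe = { sizeof(pe) };
    for (BOOL fOk = ProcessFirst(&pe); fOk; fOk = ProcessNext(&pe)) {
        if (pe.th32ProcessID == dwProcessID) {
            AddText(hwnd, TEXT("Filename: %s\r\n"), pe.szExeFile);
            AddText(hwnd, TEXT(" PID=%08X, ParentPID=%08X, ")
                TEXT("PriorityClass=%d, Threads=%d, Heaps=%d\r\n"),
                pe.th32ProcessID, pe.th32ParentProcessID,
                pe.pcPriClassBase, pe.cntThreads,
                HowManyHeaps());
            break; // No need to continue looping
        }
    }
}

// Prints one row per module of the global snapshot: usage count, load
// address, preferred address when the module was relocated, size and path.
static void ShowModules(HWND hwnd, DWORD dwProcessID) {
    // Number of characters to display an address
    const int cchAddress = sizeof(PVOID) * 2;
    AddText(hwnd, TEXT("\r\nModules Information:\r\n")
        TEXT(" Usage %-*s(%-*s) %8s Module\r\n"),
        cchAddress, TEXT("BaseAddr"),
        cchAddress, TEXT("ImagAddr"), TEXT("Size"));

    MODULEENTRY32 me = { sizeof(me) };
    for (BOOL fOk = Module32First(m_hSnapshot, &me); fOk; fOk = Module32Next(m_hSnapshot, &me)) {
        if (me.ProccntUsage == 65535) {
            // Module was implicitly loaded and cannot be unloaded
            AddText(hwnd, TEXT(" Fixed"));
        } else {
            AddText(hwnd, TEXT(" %5d"), me.ProccntUsage);
        }
        // The original passed pe.th32ProcessID here, which after the details
        // loop holds whatever entry was enumerated last when the process was
        // not found; the requested PID is the one the snapshot was taken for.
        PVOID pvPreferredBaseAddr = GetModulePreferredBaseAddr(dwProcessID, me.modBaseAddr);
        if (me.modBaseAddr == pvPreferredBaseAddr) {
            AddText(hwnd, TEXT(" %p %*s %8u %s\r\n"),
                me.modBaseAddr, cchAddress, TEXT(""),
                me.modBaseSize, me.szExePath);
        } else {
            AddText(hwnd, TEXT(" %p(%p) %8u %s\r\n"),
                me.modBaseAddr, pvPreferredBaseAddr, me.modBaseSize, me.szExePath);
        }
    }
}

// Prints TID and effective priority of every thread owned by dwProcessID.
static void ShowThreads(HWND hwnd, DWORD dwProcessID) {
    AddText(hwnd, TEXT("\r\nThread Information:\r\n")
        TEXT(" TID Priority\r\n"));

    THREADENTRY32 te = { sizeof(te) };
    for (BOOL fOk = Thread32First(m_hSnapshot, &te); fOk; fOk = Thread32Next(m_hSnapshot, &te)) {
        // Thread entries are filtered by owner: the snapshot is not limited
        // to dwProcessID's threads.
        if (te.th32OwnerProcessID == dwProcessID) {
            AddText(hwnd, TEXT(" %08X %2d\r\n"), te.th32ThreadID,
                EffectiveThreadPriority(te.tpBasePri, te.tpDeltaPri));
        }
    }
}

VOID ShowProcessInfo(HWND hwnd, DWORD dwProcessID) {
    // Replaces the output box's text with the process, module and thread
    // details of dwProcessID, taken from a fresh TH32CS_SNAPALL snapshot.
    SetWindowText(hwnd, TEXT("")); // Clear the output box

    // CreateSnapshot closes the previous snapshot itself; resetting
    // m_hSnapshot here, as the original did, would only leak that handle.
    // A failed snapshot (e.g. access denied) is reported instead of printing
    // empty tables.
    if (!CreateSnapshot(TH32CS_SNAPALL, dwProcessID)) {
        AddText(hwnd, TEXT("Unable to snapshot process %08X (error %u)\r\n"),
            dwProcessID, GetLastError());
        return;
    }

    ShowProcessDetails(hwnd, dwProcessID);
    ShowModules(hwnd, dwProcessID);
    ShowThreads(hwnd, dwProcessID);
}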
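INT_PTR WINAPI Dlg_Proc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam) {
    // Dialog procedure. Returns TRUE for messages it handles and FALSE
    // otherwise, so the dialog manager applies default handling to the rest.
    UNREFERENCED_PARAMETER(lParam);

    switch (uMsg) {
    case WM_INITDIALOG:
        Dlg_PopulateProcessList(hwnd);
        // The original had no break here and fell into WM_COMMAND.
        return TRUE;

    case WM_COMMAND: {
        // wParam packs the control id (low word) and the notification code
        // (high word); comparing the whole wParam against IDC_REFURBISH, as
        // the original did, cannot match a message carrying a notification.
        const UINT id = LOWORD(wParam);
        const UINT code = HIWORD(wParam);
        // IDC_REFURBISH is presumably the refresh control (confirm against
        // resource.h); IDC_RESULTS / CBN_SELCHANGE is what
        // Dlg_PopulateProcessList forwards once the list is filled.
        if (id == IDC_REFURBISH || (id == IDC_RESULTS && code == CBN_SELCHANGE)) {
            HWND hwndList = GetDlgItem(hwnd, IDC_RESULTS);
            // Ask the combo box for its current selection; the original sent
            // CB_GETITEMDATA to the dialog window with an uninitialized index.
            LRESULT sel = SendMessage(hwndList, CB_GETCURSEL, 0, 0L);
            if (sel != CB_ERR) {
                DWORD dwProcessID = (DWORD) SendMessage(hwndList, CB_GETITEMDATA, (WPARAM) sel, 0L);
                // NOTE(review): the original writes the details into the same
                // IDC_RESULTS control that holds the list — confirm the intended
                // output control against resource.h.
                ShowProcessInfo(GetDlgItem(hwnd, IDC_RESULTS), dwProcessID);
            }
            return TRUE;
        }
        return FALSE;
    }

    case WM_CLOSE:
        EndDialog(hwnd, 0);
        return TRUE;

    default:
        return FALSE;
    }
}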
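int WINAPI _tWinMain(HINSTANCE hinstExe, HINSTANCE, PTSTR pszCmdLine, int) {
    // Entry point: enable the debug privilege so service/system processes can
    // be inspected, run the modal dialog, then release the last snapshot
    // handle and drop the privilege again. The original left both in place;
    // its commented-out EnableDebugPrivilege(FALSE) shows the drop was intended.
    UNREFERENCED_PARAMETER(pszCmdLine);

    EnableDebugPrivilege(TRUE);
    DialogBox(hinstExe, MAKEINTRESOURCE(IDD_PROCESSDLG), NULL, Dlg_Proc);

    // The enumeration helpers leave the final snapshot open in m_hSnapshot.
    if (m_hSnapshot != INVALID_HANDLE_VALUE && m_hSnapshot != NULL) {
        CloseHandle(m_hSnapshot);
        m_hSnapshot = INVALID_HANDLE_VALUE;
    }
    EnableDebugPrivilege(FALSE);
    return 0;
}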