Windows核心编程ProcessInfo.cpp修改版

Windows核心编程ProcessInfo.cpp修改版

kyc 活跃值
原版宏太多,让我等菜鸟难以理解,偶修改一下吧.
Jeffrey Richter别生气.

/******************************************************************************
Module: ProcessInfo.cpp
Notices: Copyright (c) 2000 Jeffrey Richter
******************************************************************************/
#include <windowsx.h>
#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <stdarg.h>
#include <stdio.h>
#include "resource.h"
//////////////////////////////////////////////////////////////////////////////////////
// Forward declarations for the Toolhelp helpers defined below.  All of them
// operate on the single file-scope snapshot handle m_hSnapshot.
BOOL ProcessFirst(PPROCESSENTRY32 ppe);   // first process entry, skipping PID 0
BOOL ProcessNext(PPROCESSENTRY32 ppe);    // next process entry, skipping PID 0
BOOL CreateSnapshot(DWORD dwFlags, DWORD dwProcessID );   // (re)creates m_hSnapshot
PVOID GetModulePreferredBaseAddr(DWORD dwProcessId, PVOID pvModuleRemote);   // ImageBase read from a remote module's PE headers
void AddText(HWND hwnd, PCTSTR pszFormat, ...);   // printf-style append to a window's text
int HowManyHeaps() ;   // number of HEAPLIST32 entries in m_hSnapshot
///////////////////////////////////////////////////////////////////////////////////////
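// The current Toolhelp snapshot, shared by every helper in this file and
// owned by CreateSnapshot.  Initialised to INVALID_HANDLE_VALUE rather than
// the zero a bare global would get, so a "close the previous snapshot" check
// against INVALID_HANDLE_VALUE never hands a NULL handle to CloseHandle.
HANDLE m_hSnapshot = INVALID_HANDLE_VALUE;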

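// Returns the preferred load address (OptionalHeader.ImageBase) of a module
// mapped at pvModuleRemote in process dwProcessId, or NULL when the headers
// cannot be read or do not look like a PE image.  Callers compare the result
// with the actual base address to spot relocated modules.
//
// NOTE(review): inth is this program's own IMAGE_NT_HEADERS (32- or 64-bit);
// for a target of the other bitness ImageBase would be read from the wrong
// offset.  Confirm the tool is only used on same-bitness processes.
PVOID GetModulePreferredBaseAddr(DWORD dwProcessId, PVOID pvModuleRemote) {

     PVOID pvModulePreferredBaseAddr = NULL;
     IMAGE_DOS_HEADER idh;
     IMAGE_NT_HEADERS inth;

     // Read the remote module's DOS header.  The read can fail (process gone,
     // access denied, page not readable); the original ignored the result and
     // then inspected an uninitialised idh.  Treat failure as "unknown".
     if (!Toolhelp32ReadProcessMemory(dwProcessId,
           pvModuleRemote, &idh, sizeof(idh), NULL))
           return NULL;

     // Verify the DOS image header before trusting e_lfanew, which comes from
     // the other process's memory.  A negative e_lfanew would point before the
     // module; reject it rather than read from an arbitrary address.
     if (idh.e_magic != IMAGE_DOS_SIGNATURE || idh.e_lfanew < 0)
           return NULL;

     // Read the remote module's NT header
     if (!Toolhelp32ReadProcessMemory(dwProcessId,
           (PBYTE) pvModuleRemote + idh.e_lfanew, &inth, sizeof(inth), NULL))
           return NULL;

     // Only a valid NT signature makes OptionalHeader.ImageBase meaningful.
     if (inth.Signature == IMAGE_NT_SIGNATURE) {
           pvModulePreferredBaseAddr = (PVOID) inth.OptionalHeader.ImageBase;
     }
     return(pvModulePreferredBaseAddr);
}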
// Counts the heap-list entries recorded in the current snapshot m_hSnapshot
// (the snapshot must have been taken with TH32CS_SNAPHEAPLIST / SNAPALL).
int HowManyHeaps() {

     // dwSize must be filled in before the first Heap32List* call.
     HEAPLIST32 heapEntry = { sizeof(heapEntry) };
     int count = 0;

     BOOL more = Heap32ListFirst(m_hSnapshot, &heapEntry);
     while (more) {
           count++;
           more = Heap32ListNext(m_hSnapshot, &heapEntry);
     }
     return(count);
}
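// Appends printf-style formatted text to the text of window hwnd.  The window
// text is read into a fixed 20K-character stack buffer, the new text is
// formatted after it, and the whole buffer is written back.  Output that would
// not fit is truncated; the original used the unbounded _vstprintf and could
// overrun the buffer once the control held close to 20K characters.
// pszFormat is always a literal in this file; never pass caller-supplied text
// as the format.
void AddText(HWND hwnd, PCTSTR pszFormat, ...) {

     va_list argList;
     va_start(argList, pszFormat);

     TCHAR sz[20 * 1024];
     const size_t cchBuffer = sizeof(sz) / sizeof(sz[0]);

     // GetWindowText returns the number of characters copied (0 if the window
     // is empty or the call fails), which is exactly the append offset.
     size_t cchUsed = (size_t) GetWindowText(hwnd, sz, (int) cchBuffer);
     if (cchUsed >= cchBuffer - 1) {
           // No room left to append anything; leave the window as it is.
           va_end(argList);
           return;
     }

     // _vsntprintf does not terminate the output when it is truncated (it
     // returns a negative value, or the full count when it fits exactly), so
     // reserve one character and always terminate explicitly.
     int cchWritten = _vsntprintf(sz + cchUsed, cchBuffer - cchUsed - 1,
           pszFormat, argList);
     if (cchWritten < 0) {
           sz[cchBuffer - 1] = TEXT('\0');
     } else {
           sz[cchUsed + (size_t) cchWritten] = TEXT('\0');
     }

     SetWindowText(hwnd, sz);
     va_end(argList);
}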
// Starts a walk over the processes in m_hSnapshot and fills *ppe with the
// first real process.  The pseudo "[System Process]" (PID 0) is not a real
// process, so when it comes first it is stepped over via ProcessNext.
// Returns FALSE when the snapshot yields nothing.
BOOL ProcessFirst(PPROCESSENTRY32 ppe) {

     if (!Process32First(m_hSnapshot, ppe))
           return(FALSE);

     if (ppe->th32ProcessID != 0)
           return(TRUE);

     return(ProcessNext(ppe));   // Skip "[System Process]" (PID = 0)
}

// Advances *ppe to the next process in m_hSnapshot, skipping any
// "[System Process]" (PID 0) entries.  Written as a loop instead of the
// original self-recursion; the entries delivered are the same.
// Returns FALSE when the walk is exhausted.
BOOL ProcessNext(PPROCESSENTRY32 ppe) {

     BOOL found;
     do {
           found = Process32Next(m_hSnapshot, ppe);
     } while (found && ppe->th32ProcessID == 0);

     return(found);
}

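// Replaces the file-scope snapshot m_hSnapshot with a new Toolhelp snapshot
// taken with dwFlags (TH32CS_*) for process dwProcessID.  dwFlags == 0 yields
// no snapshot.  Returns TRUE when m_hSnapshot is valid afterwards.
// This function owns the handle: the previous snapshot is closed here, and the
// final one must be closed by whoever tears the program down.
BOOL CreateSnapshot(DWORD dwFlags, DWORD dwProcessID ) {

     // Close the snapshot from the previous call.  The original overwrote
     // m_hSnapshot with INVALID_HANDLE_VALUE *before* this test, so the
     // CloseHandle was dead code and every snapshot handle leaked.  NULL is
     // excluded too, in case the global was never set to INVALID_HANDLE_VALUE.
     if (m_hSnapshot != INVALID_HANDLE_VALUE && m_hSnapshot != NULL)
           CloseHandle(m_hSnapshot);

     if (dwFlags == 0) {
           m_hSnapshot = INVALID_HANDLE_VALUE;
     } else {
           // INVALID_HANDLE_VALUE on failure (e.g. the process has gone away or
           // cannot be opened); the caller sees that through the return value.
           m_hSnapshot = CreateToolhelp32Snapshot(dwFlags, dwProcessID);
     }
     return(m_hSnapshot != INVALID_HANDLE_VALUE);
}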

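// Fills the process combo box of dialog hwnd with "name   (0xPID)" entries,
// stores each process ID as the item data, selects the first entry and
// forwards a CBN_SELCHANGE so the results pane is populated.
//
// NOTE(review): the combo box is looked up as IDC_RESULTS, the same ID the
// dialog procedure passes to ShowProcessInfo as the output window; the
// commented-out original forwarded to IDC_PROCESSMODULELIST.  Confirm against
// resource.h which control carries which ID.
VOID Dlg_PopulateProcessList(HWND hwnd) {

     HWND hwndList = GetDlgItem(hwnd, IDC_RESULTS);

     // Suspend repainting while the list is rebuilt (WM_SETREDRAW).
     SendMessage(hwndList, WM_SETREDRAW, (WPARAM)(FALSE), 0L);
     SendMessage(hwndList, CB_RESETCONTENT, 0L, 0L);

     // A failed snapshot simply leaves the list empty.
     if (CreateSnapshot(TH32CS_SNAPPROCESS, 0)) {
           PROCESSENTRY32 pe = { sizeof(pe) };
           for (BOOL fOk = ProcessFirst(&pe); fOk; fOk = ProcessNext(&pe)) {
                 TCHAR sz[1024];

                 // Place the process name (without its path) & ID in the list.
                 // szExeFile is a MAX_PATH array, so the formatted line fits in sz.
                 PCTSTR pszExeFile = _tcsrchr(pe.szExeFile, TEXT('\\'));
                 if (pszExeFile == NULL)
                       pszExeFile = pe.szExeFile;
                 else pszExeFile++; // Skip over the slash
                 wsprintf(sz, TEXT("%s   (0x%08X)"), pszExeFile, pe.th32ProcessID);

                 // CB_ADDSTRING returns CB_ERR / CB_ERRSPACE (negative) on failure;
                 // the original passed that straight on as an item index.
                 LRESULT n = SendMessage(hwndList, CB_ADDSTRING, 0L, (LPARAM)(LPCTSTR)(sz));
                 if (n >= 0) {
                       // Associate the process ID with the added item
                       SendMessage(hwndList, CB_SETITEMDATA, (WPARAM) n, (LPARAM)(pe.th32ProcessID));
                 }
           }
     }

     // Select the first entry and simulate the user selecting it so that the
     // results pane shows something interesting.
     SendMessage(hwndList, CB_SETCURSEL, (WPARAM)(int)(0), 0L);
     SendMessage(hwnd, WM_COMMAND, MAKEWPARAM((UINT)(IDC_RESULTS),(UINT)(CBN_SELCHANGE)), (LPARAM)(HWND)(hwndList));

     SendMessage(hwndList, WM_SETREDRAW, (WPARAM)(TRUE), 0L);
     InvalidateRect(hwndList, NULL, FALSE);
}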

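// Enables (fEnable != 0) or disables SeDebugPrivilege in this process's token.
// With the privilege enabled, the Toolhelp calls can look into processes that
// run under other accounts (services, SYSTEM).  The privilege can only be
// enabled if the account already holds it; this function cannot grant it.
// Returns TRUE only when the adjustment fully succeeded.
BOOL EnableDebugPrivilege(BOOL fEnable) {

     BOOL fOk = FALSE;   // Assume function fails
     HANDLE hToken;

     // Open this process's own access token for privilege adjustment.
     if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
     {
           TOKEN_PRIVILEGES tp;
           tp.PrivilegeCount = 1;

           // LookupPrivilegeValue only translates the privilege name into its
           // LUID; it changes nothing.  The original ignored its result and
           // would then adjust an uninitialised LUID.
           if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
                 tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;

                 // AdjustTokenPrivileges returns TRUE even when it could not
                 // enable the privilege (last error ERROR_NOT_ALL_ASSIGNED), so
                 // the last-error value is the real success indicator.
                 if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
                       fOk = (GetLastError() == ERROR_SUCCESS);
           }
           CloseHandle(hToken);
     }
     return(fOk);
}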
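// Writes a report about process dwProcessID into window hwnd: the process
// entry (PID, parent, priority class, thread and heap counts), every module
// with its actual and preferred base address, and every thread with its
// effective priority.  Replaces the window's previous text.
VOID ShowProcessInfo(HWND hwnd, DWORD dwProcessID) {

     SetWindowText(hwnd, TEXT(""));   // Clear the output box

     // Snapshot processes, modules, threads and heaps for this process.  The
     // original first overwrote m_hSnapshot with INVALID_HANDLE_VALUE, which
     // leaked whatever snapshot was still open; CreateSnapshot owns that handle.
     if (!CreateSnapshot(TH32CS_SNAPALL, dwProcessID)) {
           DWORD dwError = GetLastError();   // capture before AddText's own calls
           AddText(hwnd, TEXT("Unable to snapshot process %08X (error %u)\r\n"),
                 dwProcessID, dwError);
           return;
     }

     // Show Process details
     PROCESSENTRY32 pe = { sizeof(pe) };
     BOOL fOk = ProcessFirst(&pe);
     for (; fOk; fOk = ProcessNext(&pe)) {
           if (pe.th32ProcessID == dwProcessID) {
                 AddText(hwnd, TEXT("Filename: %s\r\n"), pe.szExeFile);
                 AddText(hwnd, TEXT("   PID=%08X, ParentPID=%08X, ")
                       TEXT("PriorityClass=%d, Threads=%d, Heaps=%d\r\n"),
                       pe.th32ProcessID, pe.th32ParentProcessID,
                       pe.pcPriClassBase, pe.cntThreads,
                       HowManyHeaps());
                 break;   // No need to continue looping
           }
     }

     // Show Modules in the Process
     // Number of characters to display an address (two hex digits per byte)
     const int cchAddress = sizeof(PVOID) * 2;
     AddText(hwnd, TEXT("\r\nModules Information:\r\n")
           TEXT(" Usage %-*s(%-*s) %8s Module\r\n"),
           cchAddress, TEXT("BaseAddr"),
           cchAddress, TEXT("ImagAddr"), TEXT("Size"));

     MODULEENTRY32 me = { sizeof(me) };
     fOk = Module32First(m_hSnapshot, &me);
     for (; fOk; fOk = Module32Next(m_hSnapshot, &me)) {
           if (me.ProccntUsage == 65535) {
                 // Module was implicitly loaded and cannot be unloaded
                 AddText(hwnd, TEXT(" Fixed"));
           } else {
                 AddText(hwnd, TEXT(" %5d"), me.ProccntUsage);
           }
           // Use the requested PID, not pe.th32ProcessID: if the process was not
           // found above, pe holds whatever entry the walk happened to end on.
           PVOID pvPreferredBaseAddr =
                 GetModulePreferredBaseAddr(dwProcessID, me.modBaseAddr);
           if (me.modBaseAddr == pvPreferredBaseAddr) {
                 // Loaded at its preferred address: leave the second column blank
                 AddText(hwnd, TEXT(" %p %*s   %8u %s\r\n"),
                       me.modBaseAddr, cchAddress, TEXT(""),
                       me.modBaseSize, me.szExePath);
           } else {
                 // Relocated (or headers unreadable, in which case NULL is shown)
                 AddText(hwnd, TEXT(" %p(%p) %8u %s\r\n"), me.modBaseAddr, pvPreferredBaseAddr, me.modBaseSize, me.szExePath);
           }
     }

     // Show threads in the process.  Thread32First/Next enumerate every thread
     // on the system, so filter by owner process ID.
     AddText(hwnd, TEXT("\r\nThread Information:\r\n")
           TEXT("     TID   Priority\r\n"));
     THREADENTRY32 te = { sizeof(te) };
     fOk = Thread32First(m_hSnapshot, &te);
     for (; fOk; fOk = Thread32Next(m_hSnapshot, &te)) {
           if (te.th32OwnerProcessID == dwProcessID) {
                 // Effective priority = base + delta, clamped to the dynamic range
                 // 1..15 for normal-class threads and 16..31 for real-time ones.
                 int nPriority = te.tpBasePri + te.tpDeltaPri;
                 if ((te.tpBasePri < 16) && (nPriority > 15)) nPriority = 15;
                 if ((te.tpBasePri > 15) && (nPriority > 31)) nPriority = 31;
                 if ((te.tpBasePri < 16) && (nPriority < 1)) nPriority = 1;
                 if ((te.tpBasePri > 15) && (nPriority < 16)) nPriority = 16;
                 AddText(hwnd, TEXT("   %08X     %2d\r\n"), te.th32ThreadID, nPriority);
           }
     }
}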
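// Dialog procedure.  On WM_INITDIALOG the process list is filled; a click on
// the refresh button, or a selection change in the process combo box (the
// CBN_SELCHANGE that Dlg_PopulateProcessList forwards), shows the selected
// process's details.  Returns TRUE for messages it handled, FALSE otherwise.
//
// NOTE(review): IDC_RESULTS is used both for the process combo box (here and
// in Dlg_PopulateProcessList) and as the output window handed to
// ShowProcessInfo; the commented-out original used IDC_PROCESSMODULELIST for
// the list.  Confirm against resource.h.
INT_PTR WINAPI Dlg_Proc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam) {

     switch (uMsg) {
     case WM_INITDIALOG:
           // The original fell through into the WM_COMMAND case with wParam
           // holding the focus window handle, not a control ID.
           Dlg_PopulateProcessList(hwnd);
           return(TRUE);

     case WM_COMMAND: {
           // Control ID is LOWORD(wParam), notification code HIWORD(wParam);
           // the original compared the whole wParam against IDC_REFURBISH.
           switch (LOWORD(wParam)) {
           case IDC_REFURBISH:
                 break;   // refresh button: show the current selection
           case IDC_RESULTS:
                 if (HIWORD(wParam) != CBN_SELCHANGE)
                       return(FALSE);
                 break;
           default:
                 return(FALSE);
           }

           // Read the process ID stored with the selected item.  The original
           // sent CB_GETITEMDATA to the dialog itself with an uninitialised index.
           HWND hwndList = GetDlgItem(hwnd, IDC_RESULTS);
           LRESULT sel = SendMessage(hwndList, CB_GETCURSEL, 0, 0L);
           if (sel == CB_ERR)
                 return(TRUE);   // empty list, nothing to show
           DWORD dw = (DWORD) SendMessage(hwndList, CB_GETITEMDATA, (WPARAM) sel, 0L);
           ShowProcessInfo(GetDlgItem(hwnd, IDC_RESULTS), dw);
           return(TRUE);
     }

     case WM_CLOSE:
           EndDialog(hwnd, 0);
           return(TRUE);
     }
     return(FALSE);
}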

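// Program entry point: enable SeDebugPrivilege, run the modal dialog, then
// disable the privilege again and release the last snapshot.
int WINAPI _tWinMain(HINSTANCE hinstExe, HINSTANCE, PTSTR pszCmdLine, int) {

     // Needed to inspect processes of other accounts.  The result is ignored on
     // purpose: without the privilege the tool still lists the user's own
     // processes, just fewer of them.
     EnableDebugPrivilege(TRUE);

     DialogBox(hinstExe, MAKEINTRESOURCE(IDD_PROCESSDLG ), NULL, Dlg_Proc);

     // Least privilege: drop SeDebugPrivilege once it is no longer needed (the
     // original left this call commented out), and close the snapshot handle
     // that CreateSnapshot leaves open between calls.
     EnableDebugPrivilege(FALSE);
     if (m_hSnapshot != INVALID_HANDLE_VALUE && m_hSnapshot != NULL)
           CloseHandle(m_hSnapshot);
     return(0);
}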

