my ListDLLs, in VS2005
// ********************************************************************************
//
// test.cpp : Defines the entry point for the console application.
//
// Written by:                bookworm
//
// Last Updated:        1/5/2007
//
// Environment:                VS2005, Console application, unicode, warning level 4, treat warning as error
//
// Purpose:
//          To list all the loaded modules (include the DLLs) in all the running processes,
//        whenever possible.
//
//          It implements the main function of ListDLLs provided by SysInternals (www.sysinternals.com),
//        except that this program relies only on documented PSAPI/Win32 calls and does not use the
//        undocumented APIs exported by NTDLL.
//
// ********************************************************************************

#include "stdafx.h"
#include <windows.h>
#include <psapi.h>
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

// =========================================================

// Map the calling thread's last-error code to an HRESULT.
// Call it immediately after the failing Win32 API: any intervening call may
// overwrite the thread's last-error value.
__inline HRESULT HRESULT_FROM_LAST_ERROR(VOID)
{
    const DWORD dwLastError = GetLastError();
    return HRESULT_FROM_WIN32( dwLastError );
}

// =========================================================
// Enable SeDebugPrivilege in the current process token.
// Note: AdjustTokenPrivileges() can only enable a privilege the token already holds, so the
//       caller normally has to be a local administrator; otherwise the request is refused.

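// Returns S_OK only when SE_DEBUG_NAME was actually enabled in this process's token.
//
// Two defects are fixed relative to the first version:
//  * AdjustTokenPrivileges() returns TRUE even when it could NOT assign the requested
//    privilege; it only sets last-error to ERROR_NOT_ALL_ASSIGNED. That case used to be
//    reported as success, after which every protected process was silently skipped.
//  * The cleanup test was `!= INVALID_HANDLE_VALUE || != NULL`, which is always true,
//    so CloseHandle() was called on INVALID_HANDLE_VALUE after a failed OpenProcessToken().
HRESULT PowerMeUp( VOID )
{
    HRESULT          hr     = S_OK;
    HANDLE           hToken = NULL;            // OpenProcessToken() leaves this NULL on failure
    LUID             luidDebug;
    TOKEN_PRIVILEGES tp;

    if( ! OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
    {
        hr = HRESULT_FROM_LAST_ERROR();
        goto Done;
    }

    if( ! LookupPrivilegeValueW( NULL, SE_DEBUG_NAME, &luidDebug ) )
    {
        hr = HRESULT_FROM_LAST_ERROR();
        goto Done;
    }

    tp.PrivilegeCount           = 1;
    tp.Privileges[0].Luid       = luidDebug;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if( ! AdjustTokenPrivileges( hToken, FALSE, &tp, sizeof(tp), NULL, NULL ) )
    {
        hr = HRESULT_FROM_LAST_ERROR();
        goto Done;
    }

    // A TRUE return is not proof of success: the privilege may be absent from the token.
    if( ERROR_NOT_ALL_ASSIGNED == GetLastError() )
    {
        hr = HRESULT_FROM_WIN32( ERROR_NOT_ALL_ASSIGNED );
    }

Done:
    if( NULL != hToken )
        CloseHandle( hToken );

    return hr;
}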

// =========================================================
// Get the information of one module in the process

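// Print one line for module hMod of process hProc: image base, entry point,
// image size, file name (with extension) and its directory.
//
// hProc must carry PROCESS_QUERY_INFORMATION | PROCESS_VM_READ access.
// Returns S_OK on success, E_INVALIDARG for a NULL handle, otherwise a failed HRESULT.
//
// Fixes relative to the first version:
//  * GetModuleFileNameExW() takes nSize in WCHARs, not bytes. Passing sizeof() of the
//    buffer told the API it had 2*MAX_PATH characters of room, so an over-long module
//    path could overrun the stack buffer.
//  * _wmakepath_s() was given wszFile as both destination and source; overlapping
//    buffers are not permitted by the secure CRT. A separate buffer is used now.
//  * An errno_t was stored straight into hr. errno_t values are small positive numbers,
//    which FAILED()/SUCCEEDED() interpret as success, so the error was invisible.
HRESULT ProcessTheModule( __in HANDLE hProc,
                          __in HMODULE hMod )
{
    HRESULT hr = S_OK;

    MODULEINFO  mi = {0};
    WCHAR       wszModuleFileName[MAX_PATH] = {0};   // full path as reported by the OS
    WCHAR       wszModulePath[MAX_PATH]     = {0};   // drive + directory only
    WCHAR       wszDrive[MAX_PATH]          = {0};
    WCHAR       wszDir[MAX_PATH]            = {0};
    WCHAR       wszFile[MAX_PATH]           = {0};
    WCHAR       wszExt[MAX_PATH]            = {0};
    WCHAR       wszFileWithExt[MAX_PATH]    = {0};   // "<file><ext>", assembled below
    errno_t     err = 0;

    if( ! hProc || ! hMod )
    {
        hr = E_INVALIDARG;
        goto Done;
    }

    // nSize is a character count; _countof() gives exactly the buffer's capacity.
    if( ! GetModuleInformation( hProc, hMod, &mi, sizeof(mi) ) ||
        0 == GetModuleFileNameExW( hProc, hMod, wszModuleFileName, _countof(wszModuleFileName) ) )
    {
        hr = HRESULT_FROM_LAST_ERROR();
        goto Done;
    }

    // Split the full path, then rebuild "<drive><dir>" and "<file><ext>" into
    // two independent buffers.
    err = _wsplitpath_s( wszModuleFileName,
                         wszDrive, _countof(wszDrive),
                         wszDir,   _countof(wszDir),
                         wszFile,  _countof(wszFile),
                         wszExt,   _countof(wszExt) );
    if( 0 == err )
        err = _wmakepath_s( wszModulePath, _countof(wszModulePath), wszDrive, wszDir, NULL, NULL );
    if( 0 == err )
        err = _wmakepath_s( wszFileWithExt, _countof(wszFileWithExt), NULL, NULL, wszFile, wszExt );

    if( 0 != err )
    {
        hr = E_FAIL;                         // genuinely failed HRESULT; the CRT errno is not preserved
        goto Done;
    }

    wprintf( L"0x%08p  0x%08p  0x%08x  %s \t\t%s\n\r",
        mi.lpBaseOfDll, mi.EntryPoint, mi.SizeOfImage, wszFileWithExt, wszModulePath );

Done:
    return hr;
}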

// =========================================================
// Get the information of one process
// ONLY works for XP and up: check GetProcessImageFileName() in MSDN

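// Print a header for process dwProcessID, then one line per loaded module
// (see ProcessTheModule()). Requires Windows XP or later because of
// GetProcessImageFileName(); per its documentation the name it returns is in
// native device-path form, not a drive-letter path.
//
// Returns a failed HRESULT when the process cannot be opened or enumerated;
// that is expected for protected / other-user processes without SeDebugPrivilege,
// and the caller treats it as non-fatal.
// NOTE(review): EnumProcessModules() is documented to fail across bitness
// (32-bit caller vs 64-bit target), so build this tool for the target bitness.
//
// Fixes relative to the first version:
//  * GetProcessImageFileNameW() takes nSize in WCHARs; sizeof() over-reported the
//    buffer by a factor of two.
//  * The module count was compared against sizeof(hMod) (bytes, 8192) instead of the
//    element count (1024), so a process with 1025..8192 modules would have been walked
//    past the end of the array. EnumProcessModules() reports the size *needed*, so the
//    count is now clamped to what the array actually holds and the truncation is announced.
HRESULT ProcessTheProcess( __in DWORD dwProcessID )
{
    HRESULT hr = S_OK;
    HMODULE hMod[1024] = {0};                               // fixed upper bound; excess modules are reported, not listed
    DWORD   cbNeeded = 0;                                   // bytes EnumProcessModules() needed for the full list
    DWORD   dwTotal = 0;                                    // number of valid entries in hMod
    WCHAR   wszProcessFileName[MAX_PATH] = {0};

    HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwProcessID );
    if( NULL == hProcess )
    {
        hr = HRESULT_FROM_LAST_ERROR();
        goto Done;
    }

    if( 0 == GetProcessImageFileNameW( hProcess, wszProcessFileName, _countof(wszProcessFileName) ) ||
        ! EnumProcessModules( hProcess, hMod, sizeof(hMod), &cbNeeded ) )
    {
        hr = HRESULT_FROM_LAST_ERROR();
        goto Done;
    }

    wprintf( L"\
==================================================\n\r\
PID=%u    Process=%s\n\n\r", dwProcessID, wszProcessFileName );

    dwTotal = cbNeeded / sizeof(HMODULE);                   // snapshot as of the EnumProcessModules() call above
    if( dwTotal > _countof(hMod) )
    {
        wprintf( L"(warning: %u modules loaded, only the first %u are listed)\n\r",
                 dwTotal, (DWORD)_countof(hMod) );
        dwTotal = (DWORD)_countof(hMod);
    }

    wprintf( L"\
ImageBase   EntryPoint\tImage Size  File\t\tPath\n\r\
---------   ----------\t----------  ----\t\t----\n\r" );
    for( DWORD i = 0; i < dwTotal; i++ )
    {
        (VOID) ProcessTheModule( hProcess, hMod[i] );       // one unreadable module must not abort the listing
    }
    wprintf( L"\n\r" );

Done:
    if( hProcess )
        CloseHandle( hProcess );

    return hr;
}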

// =========================================================
// Get the list of processes

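// Enumerate every process ID on the system and list each one's modules.
//
// EnumProcesses() silently truncates when the array is too small and only
// reports how many bytes it *returned*, so a completely filled array is the
// only hint of truncation. The buffer is therefore grown and the call repeated
// until the result no longer fills it, replacing the fixed 1024-entry array
// (whose assert() vanished in release builds and could never fire anyway,
// because the returned count is capped by the array size).
//
// Failures from individual processes are deliberately ignored (protected or
// other-user processes that cannot be opened); only EnumProcesses() itself
// or an allocation failure produces a failed HRESULT.
HRESULT BrowseProcesses( VOID )
{
    HRESULT hr           = S_OK;
    DWORD*  pdwProcesses = NULL;
    DWORD   cbBuffer     = 1024 * sizeof(DWORD);            // initial capacity, doubled while the array comes back full
    DWORD   cbReturned   = 0;
    DWORD   dwTotal      = 0;

    for( ;; )
    {
        DWORD* pdwGrown = (DWORD*) realloc( pdwProcesses, cbBuffer );
        if( NULL == pdwGrown )
        {
            hr = E_OUTOFMEMORY;                             // pdwProcesses is still valid and freed below
            goto Done;
        }
        pdwProcesses = pdwGrown;

        if( ! EnumProcesses( pdwProcesses, cbBuffer, &cbReturned ) )
        {
            hr = HRESULT_FROM_LAST_ERROR();
            goto Done;
        }

        if( cbReturned < cbBuffer )
            break;                                          // spare room left, so nothing was cut off

        if( cbBuffer > MAXDWORD / 2 )                       // doubling would wrap the DWORD
        {
            hr = E_OUTOFMEMORY;
            goto Done;
        }
        cbBuffer *= 2;
    }

    dwTotal = cbReturned / sizeof(DWORD);                   // snapshot as of the last EnumProcesses() call
    for( DWORD i = 0; i < dwTotal; i++ )
    {
        (VOID) ProcessTheProcess( pdwProcesses[i] );        // a process we cannot open is skipped, not fatal
    }

Done:
    free( pdwProcesses );
    return hr;
}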

// =========================================================

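// Entry point: enable SeDebugPrivilege, then walk every process.
// No command-line arguments are recognised. The HRESULT doubles as the exit
// code, so a non-zero status means failure. The first version exited silently
// on failure, which made "nothing printed" indistinguishable from "nothing
// could be opened"; a short diagnostic now goes to stderr.
int wmain( __in int argc,
           __in_ecount(argc) WCHAR* argv[] )
{
    UNREFERENCED_PARAMETER(argc);
    UNREFERENCED_PARAMETER(argv);

    HRESULT hr = PowerMeUp();
    if( FAILED(hr) )
    {
        // Without SeDebugPrivilege most system / other-user processes cannot be opened.
        fwprintf( stderr, L"Failed to enable SeDebugPrivilege (hr=0x%08x); run as an administrator.\n", (unsigned)hr );
        return hr;
    }

    hr = BrowseProcesses();
    if( FAILED(hr) )
    {
        fwprintf( stderr, L"Process enumeration failed (hr=0x%08x).\n", (unsigned)hr );
    }

    return hr;
}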
