下面这段代码是我在网上找到的,实现的功能是循环枚举进程,找到对应的进程结束掉
有个很闷的问题:
我用记事本进程测试,如果我在运行程序前先运行十个notepad.exe,则十个notepad.exe都能被结束掉。但如果我先运行程序,再运行十个notepad.exe,却只能结束九个,余下的那个notepad.exe进程只有要系统产生新的进程时才能被结束。。。好几天了,哪位前辈如果有空帮看看,感激不尽
;_____________________________________________________
不好意思啊,刚学,可能对有些问题理解得不正确
照6楼的qihoocom前辈所说的我把那个循环改成了.repeat .until。。。。这个循环会先执行一次循环体内的代码再判断,可结束还是一样啊。。。。
我理解错了吗?
.386
.model flat, stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include masm32.inc
include advapi32.inc
include shlwapi.inc
includelib kernel32.lib
includelib user32.lib
includelib advapi32.lib
includelib masm32.lib
includelib shlwapi.lib
UNICODE_STRING STRUCT
_Length WORD ?
MaximumLength WORD ?
Buffer PWSTR ?
UNICODE_STRING ENDS
SYSTEMTHREADS struct
KernelTime db 8 dup(?)
UserTime db 8 dup(?)
CreateTime db 8 dup(?)
WaitTime ULONG ?
StartAddress PVOID ?
ClientIs dd ?
Priority dd ?
BasePriority dd ?
ContextSwitchCount ULONG ?
ThreadState ULONG ?
WaitReason dd ?
SYSTEMTHREADS ends
SYSTEMPROCESSES struct
NextEntryDelta ULONG ?
ThreadCount ULONG ?
Reserved1 dd 6 DUP(?)
CreateTime db 8 dup(?)
UserTime db 8 dup(?)
KernelTime db 8 dup(?)
ProcessName UNICODE_STRING <>
BasePriority dd ?
ProcessId ULONG ?
InheritedFromProcessId ULONG ?
HandleCount ULONG ?
Reserved2 ULONG 2 DUP (?)
VmCounters dd ?
IoCounters dd ?
Threads SYSTEMTHREADS <>
SYSTEMPROCESSES ends
.const
NT_PROCESSTHREAD_INFO equ 5
_Name db "notepad.exe",0
.data
ZwQuerySystemInformation db "ZwQuerySystemInformation",0
Ntdll db "ntdll.dll",0
Apiaddr dd ?
Pprocessinfo dd ?
ReturnLength dd ?
_Process dd ?
hFileName dd ?
ProcessNameFormat db "%ws",13,10,0
buffer db 50 dup (?)
.data?
processinfo db 10000h dup (?)
.code
;________________________________________
_Processa proc
pushad
mov eax,offset processinfo
mov Pprocessinfo,eax
mov ecx,offset ReturnLength
push ecx
push 10000h
push Pprocessinfo
push NT_PROCESSTHREAD_INFO
call Apiaddr
mov edi,Pprocessinfo
assume edi:ptr SYSTEMPROCESSES
.repeat
invoke wsprintf,addr buffer,addr ProcessNameFormat,[edi].ProcessName.Buffer,0
lea eax,offset buffer
.if eax
invoke StrStrI,eax,offset _Name
.if eax
invoke OpenProcess,PROCESS_ALL_ACCESS,TRUE,[edi].ProcessId
invoke TerminateProcess,eax,-1
.endif
.endif
add edi,[edi].NextEntryDelta
.until [edi].NextEntryDelta == 0
assume edi:nothing
popad
ret
_Processa endp
;_____________________________________
start:
invoke LoadLibrary,offset Ntdll
invoke GetProcAddress,eax,offset ZwQuerySystemInformation
mov Apiaddr,eax
.while TRUE
invoke Sleep,1000
call _Processa
.endw
invoke ExitProcess,NULL
end start
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)