获取Windows进程的父进程编号

    Windows API中没有提供直接获取指定进程父进程编号的函数。为此可以通过进程快照来遍历所有进程,从而获取进程的父进程编号。本文通过NTDLL.dll中未公开API NtQueryInformationProcess来获取进程的相关信息,其中就包含了进程的父进程编号。见代码:

#define NTSTATUS LONG #define ProcessBasicInformation 0 typedef UINT PROCESSINFOCLASS; typedef NTSYSAPI NTSTATUS (NTAPI *Func_NtQueryInformationProcess)( IN HANDLE ProcessHandle, // 进程句柄 IN PROCESSINFOCLASS InformationClass, // 信息类型 OUT PVOID ProcessInformation, // 缓冲指针 IN ULONG ProcessInformationLength, // 以字节为单位的缓冲大小 OUT PULONG ReturnLength OPTIONAL // 写入缓冲的字节数 ); typedef struct { DWORD ExitStatus; // 接收进程终止状态 DWORD PebBaseAddress; // 接收进程环境块地址 DWORD AffinityMask; // 接收进程关联掩码 DWORD BasePriority; // 接收进程的优先级类 ULONG UniqueProcessId; // 接收进程ID ULONG InheritedFromUniqueProcessId; //接收父进程ID } PROCESS_BASIC_INFORMATION; VOID GetParentProcessId(DWORD dwProcessId) { PROCESS_BASIC_INFORMATION pbi = {0}; HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwProcessId); Func_NtQueryInformationProcess NtQueryInformationProcess = (Func_NtQueryInformationProcess)GetProcAddress(GetModuleHandle(TEXT("NTDLL")) , "NtQueryInformationProcess"); NtQueryInformationProcess(hProcess, ProcessBasicInformation , (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL); CloseHandle(hProcess); return pbi.InheritedFromUniqueProcessId; }
