三种枚举进程的方法 (Windows 用户态)

EnumProcesses Function

Retrieves the process identifier for each process object in the system.


BOOL WINAPI EnumProcesses(
  __out DWORD* pProcessIds,
  __in DWORD cb,
  __out DWORD* pBytesReturned
);

参考上面的API

下面还有一篇文章,不过原链接已失效,所以只能给出我收藏的内容了。
用户模式下枚举进程的三种方法
关键词: 用户模式 枚举 进程  

枚举系统进程的方法有很多种,在用户态下比较简单的有三种:
Windows 的 psapi (EnumProcesses)、Toolhelp32 (CreateToolhelp32Snapshot) 或 native API NtQuerySystemInformation
第一种:
#include "stdio.h"
#include "windows.h"
#include "psapi.h"
#pragma comment(lib,"psapi.lib")

//需要额外添加 psapi.h 以及 psapi.lib
//存在一定的问题: EnumProcesses 本身能列出所有 PID, 但后续的 OpenProcess/EnumProcessModules 对 System 进程
//(PID 固定为 4, 可据此识别)以及带自我保护的杀毒软件(如卡巴斯基)进程会失败, 因此取不到进程名。
//这是"通过打开进程句柄取名"这一步的局限, 而不是枚举 PID 本身的缺陷。


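// Enable SeDebugPrivilege in the current process token so that OpenProcess
// can later obtain handles to processes owned by other users.
//
// Returns true only if the privilege was actually enabled. Note that
// AdjustTokenPrivileges returns nonzero even when the token does not hold
// the privilege at all (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so the
// return value alone must not be trusted; the original version did that and
// also passed an uninitialized hToken onward when OpenProcessToken failed.
bool AdjustPurview()
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp = {0};
    bool enabled = false;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        return false;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
    {
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL))
        {
            // Documented quirk: success is only real when GetLastError() is
            // ERROR_SUCCESS; ERROR_NOT_ALL_ASSIGNED means nothing was enabled
            // (typical for a non-administrator caller).
            enabled = (GetLastError() == ERROR_SUCCESS);
        }
    }

    CloseHandle(hToken);
    return enabled;
}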


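// Print one line "<image base name><pid>" for the given process id.
//
// If the process cannot be opened (e.g. System / PID 4, protected processes,
// or self-protecting AV processes) or its first module cannot be read, the
// placeholder "........" is printed instead of a name.
//
// Fixes over the original: the handle is only closed when it was actually
// obtained (CloseHandle(NULL) was called before), the newline escape is
// "\n" rather than the literal "/n", and the PID is printed with %lu since
// DWORD is unsigned long.
void PrintProcessNameAndID( DWORD processID )
{
    char szProcessName[MAX_PATH] = "........";

    // NOTE(review): enabling SeDebugPrivilege once per process is wasteful
    // (once per run suffices) but kept for compatibility with the callers.
    AdjustPurview();

    // PROCESS_VM_READ is required by EnumProcessModules; a 32-bit caller is
    // documented to fail here against 64-bit targets.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                  FALSE, processID);
    if (hProcess != NULL)
    {
        HMODULE hMod = NULL;
        DWORD cbNeeded = 0;
        // The first module returned is the main executable image.
        if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded))
        {
            GetModuleBaseName(hProcess, hMod, szProcessName, sizeof(szProcessName));
        }
        CloseHandle(hProcess);
    }

    printf("\n%-20s%-20lu", szProcessName, processID);
}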


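// Entry point: list every PID returned by EnumProcesses together with its
// image name. Returns 0 on success, 1 if EnumProcesses fails.
//
// EnumProcesses has no "buffer too small" error: it fills as many PIDs as fit
// and reports *pBytesReturned == cb. The original fixed 1024-entry array
// therefore silently dropped processes on busy systems; this version grows
// the buffer until the result is strictly smaller than the buffer.
int main(void)
{
    DWORD cbBuffer = 1024 * sizeof(DWORD);
    DWORD cbNeeded = 0;
    DWORD *pids = NULL;

    for (;;)
    {
        pids = new DWORD[cbBuffer / sizeof(DWORD)];
        if (!EnumProcesses(pids, cbBuffer, &cbNeeded))
        {
            printf("\nEnumProcesses() failed: %lu", GetLastError());
            delete[] pids;
            return 1;
        }
        if (cbNeeded < cbBuffer)
        {
            break;
        }
        // Possibly truncated: retry with a larger buffer.
        delete[] pids;
        cbBuffer *= 2;
    }

    DWORD cProcesses = cbNeeded / sizeof(DWORD);
    for (DWORD i = 0; i < cProcesses; i++)
    {
        PrintProcessNameAndID(pids[i]);
    }

    delete[] pids;
    return 0;
}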


第二种: Toolhelp32 (CreateToolhelp32Snapshot / Process32First / Process32Next)
#include "stdio.h"
#include "windows.h"
#include "tlhelp32.h"

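/*
 * Entry point: take a Toolhelp32 snapshot of all processes and print
 * "<exe file name><pid>" per process. Returns 0 on success, 1 if the
 * snapshot cannot be created.
 *
 * Unlike the psapi variant this needs no handle to each process, so
 * System (PID 4) and protected processes are listed too; szExeFile is the
 * image file name only, not a full path.
 *
 * Fixes over the original: INVALID_HANDLE_VALUE instead of (HANDLE)-1,
 * "\n" instead of the literal "/n", %lu for DWORD values, and the
 * misspelled "Process32Firstt" error message.
 */
int main()
{
    HANDLE hSnap;
    PROCESSENTRY32 pe = {0};

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
    {
        printf("\nCreateToolhelp32Snapshot() failed:%lu", GetLastError());
        return 1;
    }

    /* dwSize must be set before Process32First or it fails. */
    pe.dwSize = sizeof(pe);
    printf("\nProcessName ProcessID");

    /* NOTE(review): %s assumes the ANSI PROCESSENTRY32; with UNICODE
     * defined szExeFile is WCHAR and %ws would be needed. */
    if (Process32First(hSnap, &pe))
    {
        do
        {
            printf("\n%-20s%lu", pe.szExeFile, pe.th32ProcessID);
        } while (Process32Next(hSnap, &pe));
    }
    else
    {
        printf("\nProcess32First() failed:%lu", GetLastError());
    }

    CloseHandle(hSnap);
    return 0;
}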

第三种: 使用 native API NtQuerySystemInformation(), 信息类 5 (SystemProcessInformation) 即查询进程信息。该接口及返回结构未正式文档化, 不同 Windows 版本/位数下布局可能不同, 下面手写的结构只对应 32 位布局。
#include "stdio.h"
#include "windows.h"
// Hand-rolled per-thread record that follows each process entry in the
// SystemProcessInformation buffer. It is only used as the type of the
// trailing ThreadSysInfo[1] member of PROCESSINFO and is never dereferenced
// by the listing below, which walks entries via dwOffset.
//
// NOTE(review): all integer fields are 32-bit DWORDs, so this can at best
// match the x86 layout; the field names are the original author's guesses
// and do not follow the winternl.h SYSTEM_THREAD_INFORMATION naming.
// Do not read these fields without verifying the layout first.
// (The tag _THREAD_INFO uses a reserved identifier; kept for compatibility.)
typedef struct _THREAD_INFO
{
 LARGE_INTEGER CreateTime;
 DWORD dwUnknown1;
 DWORD dwStartAddress;
 DWORD StartEIP;
 DWORD dwOwnerPID;
 DWORD dwThreadId;
 DWORD dwCurrentPriority;
 DWORD dwBasePriority;
 DWORD dwContextSwitches;
 DWORD Unknown;
 DWORD WaitReason;
}THREADINFO, *PTHREADINFO;

// Local copy of the native UNICODE_STRING (normally from <winternl.h>/
// <ntdef.h>; the real definition names the second field MaximumLength).
//
// NOTE(review): per the Windows definition, Length and MaxLength are byte
// counts (not character counts) and Buffer is NOT guaranteed to be
// NUL-terminated, so it should be printed with an explicit length
// (e.g. "%.*ws" with Length / sizeof(WCHAR)) rather than as a C string.
// Buffer may be NULL when Length is 0 (e.g. the Idle process).
typedef struct _UNICODE_STRING
{
 USHORT Length;
 USHORT MaxLength;
 PWSTR Buffer;
} UNICODE_STRING;

// Hand-rolled view of one SystemProcessInformation entry, as returned by
// NtQuerySystemInformation(5, ...). Entries are chained by dwOffset (the
// byte distance to the next entry; 0 marks the last one) and each entry is
// followed by dwThreadsCount thread records.
//
// NOTE(review): this mirrors the 32-bit (x86) SYSTEM_PROCESS_INFORMATION
// layout only. On x64 the process id, parent id, pointer and SIZE_T fields
// are 8 bytes wide and UNICODE_STRING is 16 bytes, so every field from
// ProcessName onward is misaligned and dwProcessID is wrong there. Prefer
// SYSTEM_PROCESS_INFORMATION from <winternl.h>, which is defined per target
// architecture. The fields after dwThreadsCount are named by the original
// author; treat them as unverified.
// (The tag _PROCESS_INFO uses a reserved identifier; kept for compatibility.)
typedef struct _PROCESS_INFO
{
 DWORD dwOffset;            // NextEntryOffset: bytes to the next entry, 0 = last
 DWORD dwThreadsCount;      // NumberOfThreads: thread records following this entry
 DWORD dwUnused1[6];
 LARGE_INTEGER CreateTime;
 LARGE_INTEGER UserTime;
 LARGE_INTEGER KernelTime;
 UNICODE_STRING ProcessName; // ImageName: image file name, may be empty/NULL

 DWORD dwBasePriority;
 DWORD dwProcessID;         // UniqueProcessId (32-bit layout only, see note)
 DWORD dwParentProcessId;
 DWORD dwHandleCount;
 DWORD dwUnused3[2];

 DWORD dwVirtualBytesPeak;
 DWORD dwVirtualBytes;
 ULONG dwPageFaults;
 DWORD dwWorkingSetPeak;
 DWORD dwWorkingSet;
 DWORD dwQuotaPeakPagedPoolUsage;
 DWORD dwQuotaPagedPoolUsage;
 DWORD dwQuotaPeakNonPagedPoolUsage;
 DWORD dwQuotaNonPagedPoolUsage;
 DWORD dwPageFileUsage;
 DWORD dwPageFileUsagePeak;

 DWORD dCommitCharge;
 THREADINFO ThreadSysInfo[1]; // first of dwThreadsCount thread records

} PROCESSINFO, *PPROCESSINFO;

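// Entry point: query SystemProcessInformation (class 5) through
// NtQuerySystemInformation and print each process image name, one per line.
// Returns 0 on success, 1 if ntdll/the export cannot be resolved or the
// query fails.
//
// Fixes over the original: the GetProcAddress result and the NTSTATUS are
// checked; STATUS_INFO_LENGTH_MISMATCH is handled by growing the buffer
// instead of walking an unfilled 0x20000-byte block; the last entry (which
// has dwOffset == 0) is printed instead of being skipped; the image name is
// printed with an explicit length since UNICODE_STRING need not be
// NUL-terminated; the buffer is deleted through a BYTE* rather than a PVOID
// (delete[] on a void* is undefined); "\n" replaces the literal "/n".
int main(int argc, char* argv[])
{
    typedef LONG (__stdcall *NtQuerySystemInformation_t)(DWORD, PVOID, ULONG, PULONG);
    const LONG  kStatusInfoLengthMismatch = (LONG)0xC0000004L;
    const DWORD kSystemProcessInformation = 5;

    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
    if (hNtdll == NULL)
    {
        printf("GetModuleHandle(ntdll.dll) failed: %lu\n", GetLastError());
        return 1;
    }
    NtQuerySystemInformation_t pfnQuery =
        (NtQuerySystemInformation_t)GetProcAddress(hNtdll, "NtQuerySystemInformation");
    if (pfnQuery == NULL)
    {
        printf("GetProcAddress(NtQuerySystemInformation) failed: %lu\n", GetLastError());
        return 1;
    }

    // The required size is not known up front and the process list can grow
    // between calls, so retry while the kernel reports a length mismatch.
    DWORD dwInfoSize = 0x20000;
    BYTE *pBuffer = NULL;
    LONG status;
    for (;;)
    {
        ULONG returnLength = 0;
        pBuffer = new BYTE[dwInfoSize];
        status = pfnQuery(kSystemProcessInformation, pBuffer, dwInfoSize, &returnLength);
        if (status != kStatusInfoLengthMismatch)
        {
            break;
        }
        delete[] pBuffer;
        pBuffer = NULL;
        dwInfoSize = (returnLength > dwInfoSize) ? returnLength + 0x1000 : dwInfoSize * 2;
    }
    if (status < 0)
    {
        // NTSTATUS: negative values are failures.
        printf("NtQuerySystemInformation failed: 0x%08lX\n", (unsigned long)status);
        delete[] pBuffer;
        return 1;
    }

    // Walk the chained entries. The layout of PROCESSINFO is unofficial
    // (32-bit only, see the struct), so keep every step inside the buffer
    // rather than trusting dwOffset blindly.
    const BYTE *pEnd = pBuffer + dwInfoSize;
    PPROCESSINFO pProcessInfo = (PPROCESSINFO)pBuffer;
    for (;;)
    {
        int nameChars = (int)(pProcessInfo->ProcessName.Length / sizeof(WCHAR));
        const WCHAR *name = pProcessInfo->ProcessName.Buffer
                          ? pProcessInfo->ProcessName.Buffer : L"";
        printf("%.*ws\n", nameChars, name);

        if (pProcessInfo->dwOffset == 0)
        {
            break;  // last entry
        }
        BYTE *pNext = (BYTE*)pProcessInfo + pProcessInfo->dwOffset;
        if (pNext < pBuffer || pNext + sizeof(PROCESSINFO) > pEnd)
        {
            break;  // corrupt or unexpected layout; stop rather than read past the buffer
        }
        pProcessInfo = (PPROCESSINFO)pNext;
    }

    delete[] pBuffer;
    return 0;
}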
