1. 根据PID查杀进程
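// Terminates the process identified by `pid` with exit code 0.
//
// The target is opened with PROCESS_TERMINATE only: that is the single right
// TerminateProcess checks. The original also requested PROCESS_CREATE_THREAD,
// PROCESS_VM_OPERATION and PROCESS_VM_WRITE, which it never used and which can
// make OpenProcess fail on targets where a terminate-only handle would be granted.
//
// Silently does nothing when `pid` is not positive or the process cannot be
// opened. The result of TerminateProcess is not reported because the
// signature returns void.
void KillProcByPID(int pid)
{
    // GetPIDByName() in this file reports "not found" as 0; never act on that.
    if (pid <= 0)
        return;

    HANDLE killHandle = OpenProcess(PROCESS_TERMINATE, FALSE, static_cast<DWORD>(pid));
    if (killHandle == NULL)
        return;

    // Best effort: a failed TerminateProcess leaves the target running,
    // which matches the original contract.
    TerminateProcess(killHandle, 0);

    // The original returned without closing this handle (leak per call).
    CloseHandle(killHandle);
}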
2. 根据进程名获取PID（注意：只返回第一个匹配的进程，未找到时返回 0；对于同名多进程需要额外处理）
// Looks up the first process whose image name equals `name`
// (case-insensitive, via lstrcmpi) in a Toolhelp process snapshot.
//
// Returns its PID, or 0 when no process matches or the snapshot cannot be
// taken. Only the first match is reported; several processes sharing the
// same image name must be disambiguated by the caller.
int GetPIDByName(const char* name)
{
    HANDLE snapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
        return 0;

    int found = 0;
    PROCESSENTRY32 entry = { 0 };
    entry.dwSize = sizeof(entry);

    // Process32First/Next return FALSE once the snapshot is exhausted.
    for (BOOL more = ::Process32First(snapshot, &entry);
         more;
         more = ::Process32Next(snapshot, &entry))
    {
        if (lstrcmpi(entry.szExeFile, name) != 0)
            continue;
        found = entry.th32ProcessID;
        break;
    }

    ::CloseHandle(snapshot);
    return found;
}
3.根据PID获取进程名
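// Copies the image file name of process `pid` into `outBuf`.
//
// `outBuf` must point to at least 128 bytes; that size has always been
// assumed by this helper because the caller's real size is not passed in.
// The buffer is always left NUL-terminated: it is emptied on entry, so an
// empty string afterwards means "process not found" or "snapshot failed"
// (the original left the buffer untouched in those cases).
//
// A szExeFile longer than 127 characters (it can hold up to MAX_PATH) is
// truncated; the original's strcpy_s would instead invoke the CRT
// invalid-parameter handler, which aborts by default.
void GetNameByID(int pid, char* outBuf)
{
    const size_t kOutBufSize = 128;
    if (outBuf == NULL)
        return;
    outBuf[0] = '\0';

    HANDLE hProcessSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
        return;

    PROCESSENTRY32 pe32 = { 0 };
    pe32.dwSize = sizeof(pe32);
    for (BOOL bMore = ::Process32First(hProcessSnap, &pe32);
         bMore;
         bMore = ::Process32Next(hProcessSnap, &pe32))
    {
        if (static_cast<DWORD>(pid) != pe32.th32ProcessID)
            continue;
        // _TRUNCATE: copy what fits and NUL-terminate instead of aborting.
        strncpy_s(outBuf, kOutBufSize, pe32.szExeFile, _TRUNCATE);
        break;
    }
    ::CloseHandle(hProcessSnap);
}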
4. 根据进程名挂起与恢复进程
// Signatures of the undocumented ntdll exports NtSuspendProcess / NtResumeProcess.
// Both take a process handle and return an NTSTATUS (a LONG); they are resolved
// at run time with GetProcAddress rather than linked, see SuspendProc/ResumeProc.
typedef LONG (NTAPI *_NtSuspendProcess)(HANDLE ProcessHandle);
typedef LONG (NTAPI *_NtResumeProcess)(HANDLE ProcessHandle);
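// Suspends every thread of the first process named `cProcName` through the
// undocumented ntdll!NtSuspendProcess (resolved at run time so the binary
// still loads where the export is missing).
//
// Silently does nothing when the process is not found, cannot be opened, or
// the export is absent; NtSuspendProcess's NTSTATUS is not surfaced because
// the signature returns void.
void SuspendProc(const char* cProcName)
{
    HMODULE ntdll = GetModuleHandle(_T("ntdll"));
    if (ntdll == NULL)
        return;
    // The original also resolved NtResumeProcess here and never used it.
    _NtSuspendProcess NtSuspendProcess =
        (_NtSuspendProcess)GetProcAddress(ntdll, "NtSuspendProcess");
    if (NtSuspendProcess == NULL)
        return;

    // GetPIDByName() reports "not found" as 0; ResumeProc already guards this,
    // the original SuspendProc did not.
    int pid = GetPIDByName(cProcName);
    if (pid == 0)
        return;

    // PROCESS_SUSPEND_RESUME is the only right NtSuspendProcess checks. The
    // original asked for PROCESS_ALL_ACCESS, which can be denied (e.g. for
    // protected or higher-integrity targets) where a suspend/resume-only
    // handle would still be granted.
    HANDLE ProcessHandle = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, pid);
    if (ProcessHandle == NULL)
        return;

    NtSuspendProcess(ProcessHandle);
    CloseHandle(ProcessHandle);
}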
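// Resumes every thread of the first process named `cProcName` through the
// undocumented ntdll!NtResumeProcess (resolved at run time). Counterpart of
// SuspendProc.
//
// Silently does nothing when the process is not found, cannot be opened, or
// the export is absent; NtResumeProcess's NTSTATUS is not surfaced because
// the signature returns void.
void CWinPlat::ResumeProc(const char* cProcName)
{
    HMODULE ntdll = GetModuleHandle(_T("ntdll"));
    if (ntdll == NULL)
        return;
    // The original also resolved NtSuspendProcess here and never used it.
    _NtResumeProcess NtResumeProcess =
        (_NtResumeProcess)GetProcAddress(ntdll, "NtResumeProcess");
    if (NtResumeProcess == NULL)
        return;

    // GetPIDByName() reports "not found" as 0.
    int pid = GetPIDByName(cProcName);
    if (pid == 0)
        return;

    // PROCESS_SUSPEND_RESUME is the only right NtResumeProcess checks. The
    // original asked for PROCESS_ALL_ACCESS, which can be denied (e.g. for
    // protected or higher-integrity targets) where a suspend/resume-only
    // handle would still be granted.
    HANDLE ProcessHandle = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, pid);
    if (ProcessHandle == NULL)
        return;

    NtResumeProcess(ProcessHandle);
    CloseHandle(ProcessHandle);
}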
5. 复制指定PID进程的Token句柄（函数名虽为 GetExplorerToken，但可用于任意 PID；成功时返回 0，返回的令牌句柄由调用方负责 CloseHandle）
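// Duplicates the primary token of process `nProcessId` into *phToken.
//
// Despite the name, any PID works; the typical use is obtaining the logged-on
// user's token from explorer.exe. The copy is a primary token (TokenPrimary)
// opened with TOKEN_ALL_ACCESS — more than most callers need (CreateProcessAsUser
// needs TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY); it is kept
// because existing callers may depend on it. The caller owns the returned
// handle and must CloseHandle it.
//
// Returns 0 on success, otherwise a Win32 error code: ERROR_INVALID_PARAMETER
// when `phToken` is NULL, ERROR_FILE_NOT_FOUND when no process has that PID,
// or GetLastError() of the API that failed. *phToken is NULL on every failure.
// The original set dwStatus = 0 without checking DuplicateTokenEx, so a caller
// could be told "success" and handed a NULL token; it also left the original
// OpenProcess failure reason unreported.
DWORD GetExplorerToken(int nProcessId, OUT PHANDLE phToken)
{
    if (phToken == NULL)
        return ERROR_INVALID_PARAMETER;
    *phToken = NULL;

    DWORD dwStatus = ERROR_FILE_NOT_FOUND;
    HANDLE hProcess = NULL;
    HANDLE hToken = NULL;
    // CreateToolhelp32Snapshot reports failure as INVALID_HANDLE_VALUE, not NULL;
    // the original compared against NULL and would CloseHandle the sentinel.
    HANDLE hProcessSnap = INVALID_HANDLE_VALUE;
    PROCESSENTRY32 pe32 = { 0 };
    __try
    {
        hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hProcessSnap == INVALID_HANDLE_VALUE)
        {
            dwStatus = GetLastError();
            __leave;
        }
        pe32.dwSize = sizeof(PROCESSENTRY32);
        if (!Process32First(hProcessSnap, &pe32))
        {
            dwStatus = GetLastError();
            __leave;
        }
        do {
            if (static_cast<DWORD>(nProcessId) != pe32.th32ProcessID)
                continue;

            // PROCESS_QUERY_INFORMATION is what OpenProcessToken requires.
            hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pe32.th32ProcessID);
            if (hProcess == NULL)
            {
                dwStatus = GetLastError();   // typically ERROR_ACCESS_DENIED
                __leave;
            }
            // TOKEN_DUPLICATE is the only right DuplicateTokenEx needs on the source.
            if (!OpenProcessToken(hProcess, TOKEN_DUPLICATE, &hToken))
            {
                dwStatus = GetLastError();
                __leave;
            }
            HANDLE hNewToken = NULL;
            if (!DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL,
                                  SecurityImpersonation, TokenPrimary, &hNewToken))
            {
                dwStatus = GetLastError();
                __leave;
            }
            *phToken = hNewToken;
            dwStatus = 0;
            __leave;   // PID matched: stop walking, whatever the outcome above
        } while (Process32Next(hProcessSnap, &pe32));
    }
    __finally
    {
        if (hToken != NULL)
            CloseHandle(hToken);
        if (hProcess != NULL)
            CloseHandle(hProcess);
        if (hProcessSnap != INVALID_HANDLE_VALUE)
            CloseHandle(hProcessSnap);
    }
    return dwStatus;
}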