ProcessFun
#pragma once #ifndef __PROCESSFUN_H__
#define __PROCESSFUN_H__ #include <iostream>
#include <string>
#include <algorithm>
#include <windows.h>
#include <psapi.h>
using namespace std;
#include "Ntdll.h" #pragma comment(lib, "psapi.lib") #pragma warning(disable: 4996) BOOL EnablePrivilege(ULONG Privilege = SE_DEBUG_PRIVILEGE, BOOL Enable = TRUE); DWORD NtEnumProcess(LPDWORD lpProcess); BOOL GetSystemProcess(DWORD dwPid, SYSTEM_PROCESSES &SystemProcess); HANDLE NtOpenProcess(DWORD dwPid); HANDLE DoOpenProcess(DWORD dwPid); HANDLE PowerOpenProcess(DWORD dwPid); BOOL IsProcessExit(HANDLE hProcess); BOOL NtTerminateProcess(HANDLE hProcess); BOOL JoTerminateProcess(HANDLE hProcess); BOOL CrtTerminateProcess(HANDLE hProcess); BOOL WvmTerminateProcess(HANDLE hProcess); BOOL PowerTerminateProcess(HANDLE hProcess); BOOL GetProcessFilePath(HANDLE hProcess, LPSTR lpFilePath); BOOL DosPathToNtPath(LPCSTR lpDosPath, LPSTR lpNtPath); DWORD GetEProcess(DWORD dwPid); DWORD GetParentProcessId(DWORD dwPid); BOOL GetProcessName(DWORD dwPid, LPSTR lpProcessName); LARGE_INTEGER GetProcessCreateTime(DWORD dwPid); #endif // __PROCESSFUN_H__
ProcessFun.h
#include "ProcessFun.h" BOOL EnablePrivilege(ULONG Privilege, BOOL Enable)
{
HANDLE hToken = NULL;
if (!NT_SUCCESS(NtOpenProcessToken(NtCurrentProcess(), TOKEN_ALL_ACCESS, &hToken)) || hToken == NULL)
return FALSE; TOKEN_PRIVILEGES tp = {};
tp.PrivilegeCount = ;
tp.Privileges[].Luid.LowPart = Privilege;
tp.Privileges[].Attributes = Enable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED;
return NT_SUCCESS(NtAdjustPrivilegesToken(hToken, FALSE, &tp, sizeof(tp), NULL, NULL));
} DWORD NtEnumProcess(LPDWORD lpProcess)
{
DWORD dwSize = NULL;
PSYSTEM_PROCESSES lpbaSP = NULL; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
return NULL; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpbaSP,
NULL,
&dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpbaSP == NULL)
return NULL; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
{
NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
return NULL;
} DWORD dwLenth = ;
PSYSTEM_PROCESSES lpSP = lpbaSP;
while (lpSP->NextEntryDelta != NULL)
{
lpProcess[dwLenth++] = lpSP->ProcessId; lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE); sort(lpProcess, lpProcess + dwLenth); return dwLenth;
} BOOL GetSystemProcess(DWORD dwPid, SYSTEM_PROCESSES &SystemProcess)
{
SystemProcess = {}; DWORD dwSize = NULL;
PSYSTEM_PROCESSES lpbaSP = NULL; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
return FALSE; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpbaSP,
NULL,
&dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpbaSP == NULL)
return FALSE; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
{
NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
return FALSE;
} BOOL status = FALSE;
PSYSTEM_PROCESSES lpSP = lpbaSP;
while (lpSP->NextEntryDelta != NULL)
{
if (dwPid == lpSP->ProcessId)
{
SystemProcess = *lpSP;
status = TRUE;
break;
} lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE); return status;
} HANDLE NtOpenProcess(DWORD dwPid)
{
HANDLE hProcess = NULL;
OBJECT_ATTRIBUTES oa = {};
oa.Length = sizeof(oa);
CLIENT_ID cid = {};
cid.UniqueProcess = (HANDLE)(dwPid % ? dwPid : dwPid + ); NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &oa, &cid);
return hProcess;
} HANDLE DoOpenProcess(DWORD dwPid)
{
PCHAR lpBuf = NULL;
DWORD dwPreSize = 0x1000, dwSize = NULL;
if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpBuf,
NULL, &dwPreSize,
MEM_COMMIT, PAGE_READWRITE)) ||
lpBuf == NULL)
return NULL; NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwPreSize, &dwSize); NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwPreSize, MEM_RELEASE);
lpBuf = NULL; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpBuf,
NULL, &dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpBuf == NULL)
return NULL; NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwSize, NULL); DWORD dwNumberOfHandle = *(DWORD *)lpBuf;
PSYSTEM_HANDLE_INFORMATION lpSHI = (PSYSTEM_HANDLE_INFORMATION)((PCHAR)lpBuf + sizeof(dwNumberOfHandle)); HANDLE hTgtProc = NULL;
for (DWORD i = ; i < dwNumberOfHandle; i++, lpSHI++)
{
if (lpSHI->ObjectTypeNumber != OB_TYPE_PROCESS && lpSHI->ObjectTypeNumber != OB_TYPE_JOB)
continue; HANDLE hSrcProc = NtOpenProcess(lpSHI->ProcessId);
if (hSrcProc == NULL)
continue; HANDLE hTmpProc = NULL;
NtDuplicateObject(hSrcProc,
(HANDLE)lpSHI->Handle,
NtCurrentProcess(),
&hTmpProc,
PROCESS_ALL_ACCESS,
NULL,
NULL); PROCESS_BASIC_INFORMATION pbi = {};
NtQueryInformationProcess(hTmpProc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL); if (hTmpProc != NULL && pbi.UniqueProcessId != NULL && pbi.UniqueProcessId == dwPid)
/*{
hTgtProc = hTmpProc;
printf("%d %d 0x%llX\n", lpSHI->ProcessId, pbi.UniqueProcessId, (DWORD64)lpSHI->Object);
}*/
hTgtProc = hTmpProc; NtClose(hSrcProc); if (hTgtProc != NULL)
break; if (hTmpProc != NULL)
NtClose(hTmpProc);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwSize, MEM_RELEASE); return hTgtProc;
} HANDLE PowerOpenProcess(DWORD dwPid)
{
HANDLE hProcess = NtOpenProcess(dwPid); if (hProcess != NULL && GetProcessId(hProcess) == dwPid)
return hProcess; hProcess = DoOpenProcess(dwPid);
if (hProcess != NULL && GetProcessId(hProcess) == dwPid)
return hProcess; return NULL;
} BOOL IsProcessExit(HANDLE hProcess)
{
DWORD dwExitCode = NULL;
GetExitCodeProcess(hProcess, &dwExitCode); return dwExitCode != STILL_ACTIVE;
} BOOL NtTerminateProcess(HANDLE hProcess)
{
return NT_SUCCESS(NtTerminateProcess(hProcess, NULL)) && IsProcessExit(hProcess);
} BOOL JoTerminateProcess(HANDLE hProcess)
{
HANDLE hJob = NULL;
OBJECT_ATTRIBUTES oa = {};
oa.Length = sizeof(oa);
if (!NT_SUCCESS(NtCreateJobObject(&hJob, JOB_OBJECT_ALL_ACCESS, &oa)))
return FALSE; BOOL status = NT_SUCCESS(NtAssignProcessToJobObject(hJob, hProcess)); if (status)
status |= NT_SUCCESS(NtTerminateJobObject(hJob, NULL)); NtClose(hJob); return status && IsProcessExit(hProcess);
} BOOL CrtTerminateProcess(HANDLE hProcess)
{
// return FALSE;
} BOOL WvmTerminateProcess(HANDLE hProcess)
{
BOOL status = FALSE; PVOID lpBuf = NULL;
DWORD dwSize = 0x1000, dwRet = NULL;
NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, NULL, &dwSize, MEM_COMMIT, PAGE_READWRITE); for (INT64 i = 0x70000000; i < 0x7FFEFFFF; i += dwSize)
{
status |= NT_SUCCESS(NtUnmapViewOfSection(hProcess, (PVOID)i));
status |= NT_SUCCESS(NtProtectVirtualMemory(hProcess, (PVOID *)i, &dwSize, PAGE_READWRITE, &dwRet));
status |= NT_SUCCESS(NtWriteVirtualMemory(hProcess, (PVOID)i, lpBuf, dwSize, (PULONG)&dwRet));
} NtFreeVirtualMemory(hProcess, (PVOID *)&lpBuf, &dwSize, MEM_RELEASE); if (status)
Sleep(); return status && IsProcessExit(hProcess);
} BOOL PowerTerminateProcess(HANDLE hProcess)
{
if (NtTerminateProcess(hProcess))
return TRUE; if (JoTerminateProcess(hProcess))
return TRUE; if (WvmTerminateProcess(hProcess))
return TRUE; return FALSE;
} BOOL GetProcessFilePath(HANDLE hProcess, LPSTR lpFilePath)
{
if (hProcess == NULL || lpFilePath == NULL)
return FALSE; strcpy(lpFilePath, ""); CHAR szDosPath[MAX_PATH] = "";
if (!GetProcessImageFileNameA(hProcess, szDosPath, MAX_PATH))
return FALSE; return DosPathToNtPath(szDosPath, lpFilePath);
} BOOL DosPathToNtPath(LPCSTR lpDosPath, LPSTR lpNtPath)
{
CHAR szDriveList[MAX_PATH] = "";
if (!GetLogicalDriveStringsA(MAX_PATH, szDriveList))
return FALSE; for (int i = ; szDriveList[i]; i += )
{
if (stricmp(&szDriveList[i], "A:\\") == || stricmp(&szDriveList[i], "B:\\") == )
continue; CHAR szNtDrive[MAX_PATH] = "", szDosDrive[MAX_PATH] = "";
strcpy(szNtDrive, &szDriveList[i]);
szNtDrive[] = '\0'; if (!QueryDosDeviceA(szNtDrive, szDosDrive, MAX_PATH) ||
strncmp(szDosDrive, lpDosPath, strlen(szDosDrive)) != )
continue; strcpy(lpNtPath, szNtDrive);
strcat(lpNtPath, &lpDosPath[strlen(szDosDrive)]); return TRUE;
} return FALSE;
} DWORD GetEProcess(DWORD dwPid)
{
PCHAR lpBuf = NULL;
DWORD dwPreSize = 0x1000, dwSize = NULL;
if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpBuf,
NULL, &dwPreSize,
MEM_COMMIT, PAGE_READWRITE)) ||
lpBuf == NULL)
return NULL; NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwPreSize, &dwSize); NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwPreSize, MEM_RELEASE);
lpBuf = NULL; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpBuf,
NULL, &dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpBuf == NULL)
return NULL; NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwSize, NULL); DWORD dwNumberOfHandle = *(DWORD *)lpBuf;
PSYSTEM_HANDLE_INFORMATION lpSHI = (PSYSTEM_HANDLE_INFORMATION)((PCHAR)lpBuf + sizeof(dwNumberOfHandle)); DWORD dwEProcess = NULL;
for (DWORD i = ; i < dwNumberOfHandle; i++, lpSHI++)
{
if (lpSHI->ObjectTypeNumber != OB_TYPE_PROCESS && lpSHI->ObjectTypeNumber != OB_TYPE_JOB)
continue; HANDLE hSrcProc = NtOpenProcess(lpSHI->ProcessId);
if (hSrcProc == NULL)
continue; HANDLE hTmpProc = NULL;
NtDuplicateObject(hSrcProc,
(HANDLE)lpSHI->Handle,
NtCurrentProcess(),
&hTmpProc,
PROCESS_ALL_ACCESS,
NULL,
NULL); PROCESS_BASIC_INFORMATION pbi = {};
NtQueryInformationProcess(hTmpProc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL); if (hTmpProc != NULL && pbi.UniqueProcessId != NULL && pbi.UniqueProcessId == dwPid)
dwEProcess = (DWORD)lpSHI->Object; NtClose(hSrcProc); if (dwEProcess != NULL)
break; if (hTmpProc != NULL)
NtClose(hTmpProc);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwSize, MEM_RELEASE); return dwEProcess;
} DWORD GetParentProcessId(DWORD dwPid)
{
SYSTEM_PROCESSES sp = {};
GetSystemProcess(dwPid, sp); return sp.InheritedFromProcessId;
} BOOL GetProcessName(DWORD dwPid, LPSTR lpProcessName)
{
strcpy(lpProcessName, ""); DWORD dwSize = NULL;
PSYSTEM_PROCESSES lpbaSP = NULL; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
return FALSE; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpbaSP,
NULL,
&dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpbaSP == NULL)
return FALSE; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
{
NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
return FALSE;
} BOOL status = FALSE;
PSYSTEM_PROCESSES lpSP = lpbaSP;
while (lpSP->NextEntryDelta != NULL)
{
if (dwPid == lpSP->ProcessId)
{
wcstombs(lpProcessName, lpSP->ProcessName.Buffer, MAX_PATH);
status = TRUE;
break;
} lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE); return status;
} LARGE_INTEGER GetProcessCreateTime(DWORD dwPid)
{
SYSTEM_PROCESSES sp = {};
GetSystemProcess(dwPid, sp); return sp.CreateTime;
}
ProcessFun.cpp
ProcessFun的更多相关文章
- 网络编程并发 多进程 进程池,互斥锁,信号量,IO模型
进程:程序正在执行的过程,就是一个正在执行的任务,而负责执行任务的就是cpu 操作系统:操作系统就是一个协调.管理和控制计算机硬件资源和软件资源的控制程序. 操作系统的作用: 1:隐藏丑陋复杂的硬件接 ...
- multimap的使用 in C++,同一个关键码存在多个值
#include <iostream> #include <string> #include <vector> #include <algorithm> ...
- 入门大数据---Flink学习总括
第一节 初识 Flink 在数据激增的时代,催生出了一批计算框架.最早期比较流行的有MapReduce,然后有Spark,直到现在越来越多的公司采用Flink处理.Flink相对前两个框架真正做到了高 ...
随机推荐
- 2019 牛客暑期多校 B generator 1 (矩阵快速幂+倍增)
题目:https://ac.nowcoder.com/acm/contest/885/B 题意:给你x0,x1,让你求出xn,递推式时xn=a*xn-1+b*xn-2 思路:这个n特别大,我自己没有摸 ...
- H5+SDK
1.(个人猜测): SDK是写在容器(手机操作系统上的webview组件)上的应用,对H5应用暴露规定的API接口.相当于浏览器的开发者,给浏览器中新增了某些方法,js直接通过接口就可以调用的. 这个 ...
- Django的流程如何理解(餐厅点餐举例)
去饭店(商场)吃饭的步骤: 告诉前台服务员,来一小碗牛肉拉面,菜单上勾上一个牛肉拉面(url) 服务员去拉面窗口,告诉后厨,一碗牛肉拉面),后厨(view)开始准备. 后厨给打杂小弟说,给我一份儿面条 ...
- SQL Server中char、varchar、text和nchar、nvarchar、ntext的区别 (转)
转:http://blog.csdn.net/jackychu/article/details/4183118 http://www.cnblogs.com/jhxk/articles/1633578 ...
- 尚学linux课程---11、vim操作命令1
尚学linux课程---11.vim操作命令1 一.总结 一句话总结: 要看不同的视频,每个视频的关键点都不一样,不如之间的的视频就没讲到vim中set nu是什么意思 1.Vi有三种基本工作模式? ...
- ABP的新旧版本
新版本 https://abp.io/documents/abp/latest/Index https://github.com/abpframework/abp ABP is an open sou ...
- spss乱码问题解决
spss乱码问题解决 方法1:网友kuangsir6提供 选择字体为:DFKai-SB 格式(我并没有找到这个格式) 方法是 SPSS(PASW)---Edit---Options---Viewer- ...
- MySQL总结01
window删除MySQL服务 cmd下执行 sc delete MySQL 登陆登出 登陆: mysql -uroot -ppasswd -h host 退出登陆 mysqladmin -uroot ...
- (1.1)学习笔记之mysql体系结构(内存、进程、线程)
关键词:mysql体系结构 参考:https://www.cnblogs.com/zhoubaojian/articles/7866292.html 一.mysql体系架构概述 1.mysql体系结构 ...
- 【题解】sweet
题目描述 为了防止糖果被小猫偷吃,John把他的糖果放在了很多的高台上,一个高台可以认为是一段平行于X轴的线段,并且高台的y坐标都是大于0的,每个高台都有左端点和高台的长度,每个高台都有糖果.所有的高 ...