ProcessFun
#pragma once #ifndef __PROCESSFUN_H__
#define __PROCESSFUN_H__ #include <iostream>
#include <string>
#include <algorithm>
#include <windows.h>
#include <psapi.h>
using namespace std;
#include "Ntdll.h" #pragma comment(lib, "psapi.lib") #pragma warning(disable: 4996) BOOL EnablePrivilege(ULONG Privilege = SE_DEBUG_PRIVILEGE, BOOL Enable = TRUE); DWORD NtEnumProcess(LPDWORD lpProcess); BOOL GetSystemProcess(DWORD dwPid, SYSTEM_PROCESSES &SystemProcess); HANDLE NtOpenProcess(DWORD dwPid); HANDLE DoOpenProcess(DWORD dwPid); HANDLE PowerOpenProcess(DWORD dwPid); BOOL IsProcessExit(HANDLE hProcess); BOOL NtTerminateProcess(HANDLE hProcess); BOOL JoTerminateProcess(HANDLE hProcess); BOOL CrtTerminateProcess(HANDLE hProcess); BOOL WvmTerminateProcess(HANDLE hProcess); BOOL PowerTerminateProcess(HANDLE hProcess); BOOL GetProcessFilePath(HANDLE hProcess, LPSTR lpFilePath); BOOL DosPathToNtPath(LPCSTR lpDosPath, LPSTR lpNtPath); DWORD GetEProcess(DWORD dwPid); DWORD GetParentProcessId(DWORD dwPid); BOOL GetProcessName(DWORD dwPid, LPSTR lpProcessName); LARGE_INTEGER GetProcessCreateTime(DWORD dwPid); #endif // __PROCESSFUN_H__
ProcessFun.h
#include "ProcessFun.h" BOOL EnablePrivilege(ULONG Privilege, BOOL Enable)
{
HANDLE hToken = NULL;
if (!NT_SUCCESS(NtOpenProcessToken(NtCurrentProcess(), TOKEN_ALL_ACCESS, &hToken)) || hToken == NULL)
return FALSE; TOKEN_PRIVILEGES tp = {};
tp.PrivilegeCount = ;
tp.Privileges[].Luid.LowPart = Privilege;
tp.Privileges[].Attributes = Enable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED;
return NT_SUCCESS(NtAdjustPrivilegesToken(hToken, FALSE, &tp, sizeof(tp), NULL, NULL));
} DWORD NtEnumProcess(LPDWORD lpProcess)
{
DWORD dwSize = NULL;
PSYSTEM_PROCESSES lpbaSP = NULL; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
return NULL; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpbaSP,
NULL,
&dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpbaSP == NULL)
return NULL; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
{
NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
return NULL;
} DWORD dwLenth = ;
PSYSTEM_PROCESSES lpSP = lpbaSP;
while (lpSP->NextEntryDelta != NULL)
{
lpProcess[dwLenth++] = lpSP->ProcessId; lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE); sort(lpProcess, lpProcess + dwLenth); return dwLenth;
} BOOL GetSystemProcess(DWORD dwPid, SYSTEM_PROCESSES &SystemProcess)
{
SystemProcess = {}; DWORD dwSize = NULL;
PSYSTEM_PROCESSES lpbaSP = NULL; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
return FALSE; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpbaSP,
NULL,
&dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpbaSP == NULL)
return FALSE; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
{
NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
return FALSE;
} BOOL status = FALSE;
PSYSTEM_PROCESSES lpSP = lpbaSP;
while (lpSP->NextEntryDelta != NULL)
{
if (dwPid == lpSP->ProcessId)
{
SystemProcess = *lpSP;
status = TRUE;
break;
} lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE); return status;
} HANDLE NtOpenProcess(DWORD dwPid)
{
HANDLE hProcess = NULL;
OBJECT_ATTRIBUTES oa = {};
oa.Length = sizeof(oa);
CLIENT_ID cid = {};
cid.UniqueProcess = (HANDLE)(dwPid % ? dwPid : dwPid + ); NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &oa, &cid);
return hProcess;
} HANDLE DoOpenProcess(DWORD dwPid)
{
PCHAR lpBuf = NULL;
DWORD dwPreSize = 0x1000, dwSize = NULL;
if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpBuf,
NULL, &dwPreSize,
MEM_COMMIT, PAGE_READWRITE)) ||
lpBuf == NULL)
return NULL; NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwPreSize, &dwSize); NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwPreSize, MEM_RELEASE);
lpBuf = NULL; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpBuf,
NULL, &dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpBuf == NULL)
return NULL; NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwSize, NULL); DWORD dwNumberOfHandle = *(DWORD *)lpBuf;
PSYSTEM_HANDLE_INFORMATION lpSHI = (PSYSTEM_HANDLE_INFORMATION)((PCHAR)lpBuf + sizeof(dwNumberOfHandle)); HANDLE hTgtProc = NULL;
for (DWORD i = ; i < dwNumberOfHandle; i++, lpSHI++)
{
if (lpSHI->ObjectTypeNumber != OB_TYPE_PROCESS && lpSHI->ObjectTypeNumber != OB_TYPE_JOB)
continue; HANDLE hSrcProc = NtOpenProcess(lpSHI->ProcessId);
if (hSrcProc == NULL)
continue; HANDLE hTmpProc = NULL;
NtDuplicateObject(hSrcProc,
(HANDLE)lpSHI->Handle,
NtCurrentProcess(),
&hTmpProc,
PROCESS_ALL_ACCESS,
NULL,
NULL); PROCESS_BASIC_INFORMATION pbi = {};
NtQueryInformationProcess(hTmpProc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL); if (hTmpProc != NULL && pbi.UniqueProcessId != NULL && pbi.UniqueProcessId == dwPid)
/*{
hTgtProc = hTmpProc;
printf("%d %d 0x%llX\n", lpSHI->ProcessId, pbi.UniqueProcessId, (DWORD64)lpSHI->Object);
}*/
hTgtProc = hTmpProc; NtClose(hSrcProc); if (hTgtProc != NULL)
break; if (hTmpProc != NULL)
NtClose(hTmpProc);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwSize, MEM_RELEASE); return hTgtProc;
} HANDLE PowerOpenProcess(DWORD dwPid)
{
HANDLE hProcess = NtOpenProcess(dwPid); if (hProcess != NULL && GetProcessId(hProcess) == dwPid)
return hProcess; hProcess = DoOpenProcess(dwPid);
if (hProcess != NULL && GetProcessId(hProcess) == dwPid)
return hProcess; return NULL;
} BOOL IsProcessExit(HANDLE hProcess)
{
DWORD dwExitCode = NULL;
GetExitCodeProcess(hProcess, &dwExitCode); return dwExitCode != STILL_ACTIVE;
} BOOL NtTerminateProcess(HANDLE hProcess)
{
return NT_SUCCESS(NtTerminateProcess(hProcess, NULL)) && IsProcessExit(hProcess);
} BOOL JoTerminateProcess(HANDLE hProcess)
{
HANDLE hJob = NULL;
OBJECT_ATTRIBUTES oa = {};
oa.Length = sizeof(oa);
if (!NT_SUCCESS(NtCreateJobObject(&hJob, JOB_OBJECT_ALL_ACCESS, &oa)))
return FALSE; BOOL status = NT_SUCCESS(NtAssignProcessToJobObject(hJob, hProcess)); if (status)
status |= NT_SUCCESS(NtTerminateJobObject(hJob, NULL)); NtClose(hJob); return status && IsProcessExit(hProcess);
} BOOL CrtTerminateProcess(HANDLE hProcess)
{
// return FALSE;
} BOOL WvmTerminateProcess(HANDLE hProcess)
{
BOOL status = FALSE; PVOID lpBuf = NULL;
DWORD dwSize = 0x1000, dwRet = NULL;
NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, NULL, &dwSize, MEM_COMMIT, PAGE_READWRITE); for (INT64 i = 0x70000000; i < 0x7FFEFFFF; i += dwSize)
{
status |= NT_SUCCESS(NtUnmapViewOfSection(hProcess, (PVOID)i));
status |= NT_SUCCESS(NtProtectVirtualMemory(hProcess, (PVOID *)i, &dwSize, PAGE_READWRITE, &dwRet));
status |= NT_SUCCESS(NtWriteVirtualMemory(hProcess, (PVOID)i, lpBuf, dwSize, (PULONG)&dwRet));
} NtFreeVirtualMemory(hProcess, (PVOID *)&lpBuf, &dwSize, MEM_RELEASE); if (status)
Sleep(); return status && IsProcessExit(hProcess);
} BOOL PowerTerminateProcess(HANDLE hProcess)
{
if (NtTerminateProcess(hProcess))
return TRUE; if (JoTerminateProcess(hProcess))
return TRUE; if (WvmTerminateProcess(hProcess))
return TRUE; return FALSE;
} BOOL GetProcessFilePath(HANDLE hProcess, LPSTR lpFilePath)
{
if (hProcess == NULL || lpFilePath == NULL)
return FALSE; strcpy(lpFilePath, ""); CHAR szDosPath[MAX_PATH] = "";
if (!GetProcessImageFileNameA(hProcess, szDosPath, MAX_PATH))
return FALSE; return DosPathToNtPath(szDosPath, lpFilePath);
} BOOL DosPathToNtPath(LPCSTR lpDosPath, LPSTR lpNtPath)
{
CHAR szDriveList[MAX_PATH] = "";
if (!GetLogicalDriveStringsA(MAX_PATH, szDriveList))
return FALSE; for (int i = ; szDriveList[i]; i += )
{
if (stricmp(&szDriveList[i], "A:\\") == || stricmp(&szDriveList[i], "B:\\") == )
continue; CHAR szNtDrive[MAX_PATH] = "", szDosDrive[MAX_PATH] = "";
strcpy(szNtDrive, &szDriveList[i]);
szNtDrive[] = '\0'; if (!QueryDosDeviceA(szNtDrive, szDosDrive, MAX_PATH) ||
strncmp(szDosDrive, lpDosPath, strlen(szDosDrive)) != )
continue; strcpy(lpNtPath, szNtDrive);
strcat(lpNtPath, &lpDosPath[strlen(szDosDrive)]); return TRUE;
} return FALSE;
} DWORD GetEProcess(DWORD dwPid)
{
PCHAR lpBuf = NULL;
DWORD dwPreSize = 0x1000, dwSize = NULL;
if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpBuf,
NULL, &dwPreSize,
MEM_COMMIT, PAGE_READWRITE)) ||
lpBuf == NULL)
return NULL; NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwPreSize, &dwSize); NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwPreSize, MEM_RELEASE);
lpBuf = NULL; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpBuf,
NULL, &dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpBuf == NULL)
return NULL; NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwSize, NULL); DWORD dwNumberOfHandle = *(DWORD *)lpBuf;
PSYSTEM_HANDLE_INFORMATION lpSHI = (PSYSTEM_HANDLE_INFORMATION)((PCHAR)lpBuf + sizeof(dwNumberOfHandle)); DWORD dwEProcess = NULL;
for (DWORD i = ; i < dwNumberOfHandle; i++, lpSHI++)
{
if (lpSHI->ObjectTypeNumber != OB_TYPE_PROCESS && lpSHI->ObjectTypeNumber != OB_TYPE_JOB)
continue; HANDLE hSrcProc = NtOpenProcess(lpSHI->ProcessId);
if (hSrcProc == NULL)
continue; HANDLE hTmpProc = NULL;
NtDuplicateObject(hSrcProc,
(HANDLE)lpSHI->Handle,
NtCurrentProcess(),
&hTmpProc,
PROCESS_ALL_ACCESS,
NULL,
NULL); PROCESS_BASIC_INFORMATION pbi = {};
NtQueryInformationProcess(hTmpProc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL); if (hTmpProc != NULL && pbi.UniqueProcessId != NULL && pbi.UniqueProcessId == dwPid)
dwEProcess = (DWORD)lpSHI->Object; NtClose(hSrcProc); if (dwEProcess != NULL)
break; if (hTmpProc != NULL)
NtClose(hTmpProc);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwSize, MEM_RELEASE); return dwEProcess;
} DWORD GetParentProcessId(DWORD dwPid)
{
SYSTEM_PROCESSES sp = {};
GetSystemProcess(dwPid, sp); return sp.InheritedFromProcessId;
} BOOL GetProcessName(DWORD dwPid, LPSTR lpProcessName)
{
strcpy(lpProcessName, ""); DWORD dwSize = NULL;
PSYSTEM_PROCESSES lpbaSP = NULL; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
return FALSE; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpbaSP,
NULL,
&dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpbaSP == NULL)
return FALSE; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
{
NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
return FALSE;
} BOOL status = FALSE;
PSYSTEM_PROCESSES lpSP = lpbaSP;
while (lpSP->NextEntryDelta != NULL)
{
if (dwPid == lpSP->ProcessId)
{
wcstombs(lpProcessName, lpSP->ProcessName.Buffer, MAX_PATH);
status = TRUE;
break;
} lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE); return status;
} LARGE_INTEGER GetProcessCreateTime(DWORD dwPid)
{
SYSTEM_PROCESSES sp = {};
GetSystemProcess(dwPid, sp); return sp.CreateTime;
}
ProcessFun.cpp
ProcessFun的更多相关文章
- 网络编程并发 多进程 进程池,互斥锁,信号量,IO模型
进程:程序正在执行的过程,就是一个正在执行的任务,而负责执行任务的就是cpu 操作系统:操作系统就是一个协调.管理和控制计算机硬件资源和软件资源的控制程序. 操作系统的作用: 1:隐藏丑陋复杂的硬件接 ...
- multimap的使用 in C++,同一个关键码存在多个值
#include <iostream> #include <string> #include <vector> #include <algorithm> ...
- 入门大数据---Flink学习总括
第一节 初识 Flink 在数据激增的时代,催生出了一批计算框架.最早期比较流行的有MapReduce,然后有Spark,直到现在越来越多的公司采用Flink处理.Flink相对前两个框架真正做到了高 ...
随机推荐
- IOS 创建目录/文件夹
•IOS 应用目录简介 个文件夹:Documents, Library和 tmp.Library包含Caches.Preferences目录. Documents:应用中用户数据可以放在这里,iTun ...
- ()C#打印机
System.Drawing.Printing下得用来完成打印功能 1.打印设置 2.页面设置 3.打印预览 4.打印
- windows 配置msys2环境
msys2是一个在windows下模拟类unix的环境,之所以叫环境,是用为他提供了部分unix shell类似的功能,这个环境使你像在unix上使用shell一样.看到msys2你可能想到是不是还有 ...
- toString()方法,与call()方法结合;用来进行数据类型检测
//toString()方法,与call()方法结合;用来进行数据类型检测 console.log(Object.prototype.toString.call([]));//'[object A ...
- HDU 1724 Ellipse (自适应辛普森积分)
题目链接:HDU 1724 Problem Description Math is important!! Many students failed in 2+2's mathematical tes ...
- Linux(三)—— 项目部署环境搭建
目录 项目部署环境搭建 一.linux上网 二.rpm包管理 1.光盘挂载 2.安装卸载rpm包 3.查询是否安装 4.查看软件包 5.互相依赖关系的软件包 三.yum包管理 1.使用aliyun的y ...
- python获取沪股通、深股通、港股通每日资金流向数据
接口:moneyflow_hsgt 描述:获取沪股通.深股通.港股通每日资金流向数据,每次最多返回300条记录,总量不限制. 注:tushare模块下载和安装教程,请查阅我之前的文章 输入参数 名称 ...
- 忘记root密码
Ubuntu密码恢复的方法如下: 1.重新启动,按ESC键进入Boot Menu,选择recovery mode(一般是第二个选项).2.在#号提示符下用cat /etc/shadow,看看用户名.3 ...
- Red5文件结构简介
Red5文件结构简介 Red5 是 支持Windows,Linux等多平台的RTMP流媒体服务器,最早属于谷歌下的开源项目,先已移植到Github,地址为https://github.com/Red5 ...
- 【记录】VScode快捷键大全
记住快捷键能够提高工作效率 Ctrl+Shift+P,F1 展示全局命令面板 Ctrl+P 快速打开最近打开的文件 Ctrl+Shift+N 打开新的编辑器窗口 Ctrl+Shift+W 关闭编辑器 ...