ProcessFun
#pragma once #ifndef __PROCESSFUN_H__
#define __PROCESSFUN_H__ #include <iostream>
#include <string>
#include <algorithm>
#include <windows.h>
#include <psapi.h>
using namespace std;
#include "Ntdll.h" #pragma comment(lib, "psapi.lib") #pragma warning(disable: 4996) BOOL EnablePrivilege(ULONG Privilege = SE_DEBUG_PRIVILEGE, BOOL Enable = TRUE); DWORD NtEnumProcess(LPDWORD lpProcess); BOOL GetSystemProcess(DWORD dwPid, SYSTEM_PROCESSES &SystemProcess); HANDLE NtOpenProcess(DWORD dwPid); HANDLE DoOpenProcess(DWORD dwPid); HANDLE PowerOpenProcess(DWORD dwPid); BOOL IsProcessExit(HANDLE hProcess); BOOL NtTerminateProcess(HANDLE hProcess); BOOL JoTerminateProcess(HANDLE hProcess); BOOL CrtTerminateProcess(HANDLE hProcess); BOOL WvmTerminateProcess(HANDLE hProcess); BOOL PowerTerminateProcess(HANDLE hProcess); BOOL GetProcessFilePath(HANDLE hProcess, LPSTR lpFilePath); BOOL DosPathToNtPath(LPCSTR lpDosPath, LPSTR lpNtPath); DWORD GetEProcess(DWORD dwPid); DWORD GetParentProcessId(DWORD dwPid); BOOL GetProcessName(DWORD dwPid, LPSTR lpProcessName); LARGE_INTEGER GetProcessCreateTime(DWORD dwPid); #endif // __PROCESSFUN_H__
ProcessFun.h
#include "ProcessFun.h" BOOL EnablePrivilege(ULONG Privilege, BOOL Enable)
{
HANDLE hToken = NULL;
if (!NT_SUCCESS(NtOpenProcessToken(NtCurrentProcess(), TOKEN_ALL_ACCESS, &hToken)) || hToken == NULL)
return FALSE; TOKEN_PRIVILEGES tp = {};
tp.PrivilegeCount = ;
tp.Privileges[].Luid.LowPart = Privilege;
tp.Privileges[].Attributes = Enable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED;
return NT_SUCCESS(NtAdjustPrivilegesToken(hToken, FALSE, &tp, sizeof(tp), NULL, NULL));
} DWORD NtEnumProcess(LPDWORD lpProcess)
{
DWORD dwSize = NULL;
PSYSTEM_PROCESSES lpbaSP = NULL; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
return NULL; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpbaSP,
NULL,
&dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpbaSP == NULL)
return NULL; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
{
NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
return NULL;
} DWORD dwLenth = ;
PSYSTEM_PROCESSES lpSP = lpbaSP;
while (lpSP->NextEntryDelta != NULL)
{
lpProcess[dwLenth++] = lpSP->ProcessId; lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE); sort(lpProcess, lpProcess + dwLenth); return dwLenth;
} BOOL GetSystemProcess(DWORD dwPid, SYSTEM_PROCESSES &SystemProcess)
{
SystemProcess = {}; DWORD dwSize = NULL;
PSYSTEM_PROCESSES lpbaSP = NULL; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
return FALSE; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpbaSP,
NULL,
&dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpbaSP == NULL)
return FALSE; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
{
NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
return FALSE;
} BOOL status = FALSE;
PSYSTEM_PROCESSES lpSP = lpbaSP;
while (lpSP->NextEntryDelta != NULL)
{
if (dwPid == lpSP->ProcessId)
{
SystemProcess = *lpSP;
status = TRUE;
break;
} lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE); return status;
} HANDLE NtOpenProcess(DWORD dwPid)
{
HANDLE hProcess = NULL;
OBJECT_ATTRIBUTES oa = {};
oa.Length = sizeof(oa);
CLIENT_ID cid = {};
cid.UniqueProcess = (HANDLE)(dwPid % ? dwPid : dwPid + ); NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &oa, &cid);
return hProcess;
} HANDLE DoOpenProcess(DWORD dwPid)
{
PCHAR lpBuf = NULL;
DWORD dwPreSize = 0x1000, dwSize = NULL;
if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpBuf,
NULL, &dwPreSize,
MEM_COMMIT, PAGE_READWRITE)) ||
lpBuf == NULL)
return NULL; NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwPreSize, &dwSize); NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwPreSize, MEM_RELEASE);
lpBuf = NULL; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpBuf,
NULL, &dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpBuf == NULL)
return NULL; NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwSize, NULL); DWORD dwNumberOfHandle = *(DWORD *)lpBuf;
PSYSTEM_HANDLE_INFORMATION lpSHI = (PSYSTEM_HANDLE_INFORMATION)((PCHAR)lpBuf + sizeof(dwNumberOfHandle)); HANDLE hTgtProc = NULL;
for (DWORD i = ; i < dwNumberOfHandle; i++, lpSHI++)
{
if (lpSHI->ObjectTypeNumber != OB_TYPE_PROCESS && lpSHI->ObjectTypeNumber != OB_TYPE_JOB)
continue; HANDLE hSrcProc = NtOpenProcess(lpSHI->ProcessId);
if (hSrcProc == NULL)
continue; HANDLE hTmpProc = NULL;
NtDuplicateObject(hSrcProc,
(HANDLE)lpSHI->Handle,
NtCurrentProcess(),
&hTmpProc,
PROCESS_ALL_ACCESS,
NULL,
NULL); PROCESS_BASIC_INFORMATION pbi = {};
NtQueryInformationProcess(hTmpProc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL); if (hTmpProc != NULL && pbi.UniqueProcessId != NULL && pbi.UniqueProcessId == dwPid)
/*{
hTgtProc = hTmpProc;
printf("%d %d 0x%llX\n", lpSHI->ProcessId, pbi.UniqueProcessId, (DWORD64)lpSHI->Object);
}*/
hTgtProc = hTmpProc; NtClose(hSrcProc); if (hTgtProc != NULL)
break; if (hTmpProc != NULL)
NtClose(hTmpProc);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwSize, MEM_RELEASE); return hTgtProc;
} HANDLE PowerOpenProcess(DWORD dwPid)
{
HANDLE hProcess = NtOpenProcess(dwPid); if (hProcess != NULL && GetProcessId(hProcess) == dwPid)
return hProcess; hProcess = DoOpenProcess(dwPid);
if (hProcess != NULL && GetProcessId(hProcess) == dwPid)
return hProcess; return NULL;
} BOOL IsProcessExit(HANDLE hProcess)
{
DWORD dwExitCode = NULL;
GetExitCodeProcess(hProcess, &dwExitCode); return dwExitCode != STILL_ACTIVE;
} BOOL NtTerminateProcess(HANDLE hProcess)
{
return NT_SUCCESS(NtTerminateProcess(hProcess, NULL)) && IsProcessExit(hProcess);
} BOOL JoTerminateProcess(HANDLE hProcess)
{
HANDLE hJob = NULL;
OBJECT_ATTRIBUTES oa = {};
oa.Length = sizeof(oa);
if (!NT_SUCCESS(NtCreateJobObject(&hJob, JOB_OBJECT_ALL_ACCESS, &oa)))
return FALSE; BOOL status = NT_SUCCESS(NtAssignProcessToJobObject(hJob, hProcess)); if (status)
status |= NT_SUCCESS(NtTerminateJobObject(hJob, NULL)); NtClose(hJob); return status && IsProcessExit(hProcess);
} BOOL CrtTerminateProcess(HANDLE hProcess)
{
// return FALSE;
} BOOL WvmTerminateProcess(HANDLE hProcess)
{
BOOL status = FALSE; PVOID lpBuf = NULL;
DWORD dwSize = 0x1000, dwRet = NULL;
NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, NULL, &dwSize, MEM_COMMIT, PAGE_READWRITE); for (INT64 i = 0x70000000; i < 0x7FFEFFFF; i += dwSize)
{
status |= NT_SUCCESS(NtUnmapViewOfSection(hProcess, (PVOID)i));
status |= NT_SUCCESS(NtProtectVirtualMemory(hProcess, (PVOID *)i, &dwSize, PAGE_READWRITE, &dwRet));
status |= NT_SUCCESS(NtWriteVirtualMemory(hProcess, (PVOID)i, lpBuf, dwSize, (PULONG)&dwRet));
} NtFreeVirtualMemory(hProcess, (PVOID *)&lpBuf, &dwSize, MEM_RELEASE); if (status)
Sleep(); return status && IsProcessExit(hProcess);
} BOOL PowerTerminateProcess(HANDLE hProcess)
{
if (NtTerminateProcess(hProcess))
return TRUE; if (JoTerminateProcess(hProcess))
return TRUE; if (WvmTerminateProcess(hProcess))
return TRUE; return FALSE;
} BOOL GetProcessFilePath(HANDLE hProcess, LPSTR lpFilePath)
{
if (hProcess == NULL || lpFilePath == NULL)
return FALSE; strcpy(lpFilePath, ""); CHAR szDosPath[MAX_PATH] = "";
if (!GetProcessImageFileNameA(hProcess, szDosPath, MAX_PATH))
return FALSE; return DosPathToNtPath(szDosPath, lpFilePath);
} BOOL DosPathToNtPath(LPCSTR lpDosPath, LPSTR lpNtPath)
{
CHAR szDriveList[MAX_PATH] = "";
if (!GetLogicalDriveStringsA(MAX_PATH, szDriveList))
return FALSE; for (int i = ; szDriveList[i]; i += )
{
if (stricmp(&szDriveList[i], "A:\\") == || stricmp(&szDriveList[i], "B:\\") == )
continue; CHAR szNtDrive[MAX_PATH] = "", szDosDrive[MAX_PATH] = "";
strcpy(szNtDrive, &szDriveList[i]);
szNtDrive[] = '\0'; if (!QueryDosDeviceA(szNtDrive, szDosDrive, MAX_PATH) ||
strncmp(szDosDrive, lpDosPath, strlen(szDosDrive)) != )
continue; strcpy(lpNtPath, szNtDrive);
strcat(lpNtPath, &lpDosPath[strlen(szDosDrive)]); return TRUE;
} return FALSE;
} DWORD GetEProcess(DWORD dwPid)
{
PCHAR lpBuf = NULL;
DWORD dwPreSize = 0x1000, dwSize = NULL;
if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpBuf,
NULL, &dwPreSize,
MEM_COMMIT, PAGE_READWRITE)) ||
lpBuf == NULL)
return NULL; NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwPreSize, &dwSize); NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwPreSize, MEM_RELEASE);
lpBuf = NULL; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpBuf,
NULL, &dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpBuf == NULL)
return NULL; NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwSize, NULL); DWORD dwNumberOfHandle = *(DWORD *)lpBuf;
PSYSTEM_HANDLE_INFORMATION lpSHI = (PSYSTEM_HANDLE_INFORMATION)((PCHAR)lpBuf + sizeof(dwNumberOfHandle)); DWORD dwEProcess = NULL;
for (DWORD i = ; i < dwNumberOfHandle; i++, lpSHI++)
{
if (lpSHI->ObjectTypeNumber != OB_TYPE_PROCESS && lpSHI->ObjectTypeNumber != OB_TYPE_JOB)
continue; HANDLE hSrcProc = NtOpenProcess(lpSHI->ProcessId);
if (hSrcProc == NULL)
continue; HANDLE hTmpProc = NULL;
NtDuplicateObject(hSrcProc,
(HANDLE)lpSHI->Handle,
NtCurrentProcess(),
&hTmpProc,
PROCESS_ALL_ACCESS,
NULL,
NULL); PROCESS_BASIC_INFORMATION pbi = {};
NtQueryInformationProcess(hTmpProc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL); if (hTmpProc != NULL && pbi.UniqueProcessId != NULL && pbi.UniqueProcessId == dwPid)
dwEProcess = (DWORD)lpSHI->Object; NtClose(hSrcProc); if (dwEProcess != NULL)
break; if (hTmpProc != NULL)
NtClose(hTmpProc);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwSize, MEM_RELEASE); return dwEProcess;
} DWORD GetParentProcessId(DWORD dwPid)
{
SYSTEM_PROCESSES sp = {};
GetSystemProcess(dwPid, sp); return sp.InheritedFromProcessId;
} BOOL GetProcessName(DWORD dwPid, LPSTR lpProcessName)
{
strcpy(lpProcessName, ""); DWORD dwSize = NULL;
PSYSTEM_PROCESSES lpbaSP = NULL; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
return FALSE; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpbaSP,
NULL,
&dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpbaSP == NULL)
return FALSE; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
{
NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
return FALSE;
} BOOL status = FALSE;
PSYSTEM_PROCESSES lpSP = lpbaSP;
while (lpSP->NextEntryDelta != NULL)
{
if (dwPid == lpSP->ProcessId)
{
wcstombs(lpProcessName, lpSP->ProcessName.Buffer, MAX_PATH);
status = TRUE;
break;
} lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE); return status;
} LARGE_INTEGER GetProcessCreateTime(DWORD dwPid)
{
SYSTEM_PROCESSES sp = {};
GetSystemProcess(dwPid, sp); return sp.CreateTime;
}
ProcessFun.cpp
ProcessFun的更多相关文章
- 网络编程并发 多进程 进程池,互斥锁,信号量,IO模型
进程:程序正在执行的过程,就是一个正在执行的任务,而负责执行任务的就是cpu 操作系统:操作系统就是一个协调.管理和控制计算机硬件资源和软件资源的控制程序. 操作系统的作用: 1:隐藏丑陋复杂的硬件接 ...
- multimap的使用 in C++,同一个关键码存在多个值
#include <iostream> #include <string> #include <vector> #include <algorithm> ...
- 入门大数据---Flink学习总括
第一节 初识 Flink 在数据激增的时代,催生出了一批计算框架.最早期比较流行的有MapReduce,然后有Spark,直到现在越来越多的公司采用Flink处理.Flink相对前两个框架真正做到了高 ...
随机推荐
- ! Unknown property attribute "class"
当时是在用Xcode 7进行编译ASDK的代码发现报错了 当时就蒙圈了,@property(class)--这是啥呀,太久没看过object-c了,但是不至于@property是没有class属性的, ...
- Linux桌面与命令行切换
1.首先在安装Linux的时候是选则Desktop桌面方式安装 2.切换命令 2.1快捷键:Ctrl+Alt+F1 切换到桌面模式 Ctrl+Alt+F3 切换到命令行模式
- C#调PowerShell在SCVMM中创建虚拟机时,实时显示创建进度
关于c#调用PowerShell来控制SCVMM,网上有很多例子,也比较简单,但创建虚拟机的过程,是一个很漫长的时间,所以一般来说,创建的时候都希望可以实时的显示当前虚拟机的创建进度.当时这个问题困扰 ...
- 数据访问层的接口IBaseDAL
using System; using System.Collections; using System.Data; using System.Data.Common; using System.Co ...
- Oracle之Group by和Having-----转了
在介绍GROUP BY 和 HAVING 子句前,我们必需先讲讲sql语言中一种特殊的函数:聚合函数,例如SUM, COUNT, MAX, AVG等.这些函数和其它函数的根本区别就是它们一般作用在多条 ...
- A1082 Read Number in Chinese (25 分)
1082 Read Number in Chinese (25 分) Given an integer with no more than 9 digits, you are supposed t ...
- for in 的实现
v\:* {behavior:url(#default#VML);} o\:* {behavior:url(#default#VML);} w\:* {behavior:url(#default#VM ...
- camunda任务的一些简单操作
public class ZccTaskService { TaskService taskService; @Before public void init(){ ProcessEngineConf ...
- jmeter 响应超时时间设置 压力增大,不能正常退出全部线程
当压力增大会出现connect timeout error 压力增大,不能正常退出全部线程: 解决办法:http request default--advance--timeouts 如填写1,表示大 ...
- 在规定的时间内出现动画.html
<!DOCTYPE html> <html> <head> <meta charset="UTF-8"> <title> ...