
Windows简单系统编程 有重赏

2012-10-21 
Windows简单系统编程有重赏a. 遍历进程SYSTEM.EXE的所有线程(Thread),并把每个线程的ID写入到文件c:\threa

Windows简单系统编程 有重赏
a. 遍历进程SYSTEM.EXE的所有线程(Thread),并把每个线程的ID写入到文件c:\threads.txt中。
  b. 遍历进程SYSTEM.EXE加载的所有模块(Module),并把每个模块的路径以及加载基地址(base address)写入到文件c:\modules.txt中。
  
  输出:
  线程1 Tid:1234
  线程2 Tid:5678
  .........

  模块1 Base Address:0x12345678 Path:C:\WINDOWS\SYSTEM32\qq.dll
  模块2 Base Address:0x87654321 Path:C:\WINDOWS\SYSTEM32\360.dl
  .........

  ****提示****
  http://msdn.microsoft.com/en-us/library/ms682489(v=vs.85).aspx

[解决办法]
查找加载DLL的代码

C/C++ code
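#include "afx.h"
#include <TLHELP32.H>
#include <cctype>
#include <cstdio>
#include <cstring>
#include <map>
#include <string>

// Lower-cases an ANSI string in place (ASCII letters only).
// Replaces the non-standard strlwr() the original relied on.
static void ToLowerInPlace(char* s)
{
    for (; *s; ++s)
        *s = static_cast<char>(tolower(static_cast<unsigned char>(*s)));
}

// Prints every module loaded in process dwProcessId as
// "<module name> <full path> 0x<base address>", one per line, lower-cased.
// Works from a Toolhelp module snapshot, so no handle to the target process
// is needed. Prints nothing if the snapshot cannot be taken (access denied,
// or a 32-bit caller looking at a 64-bit process).
void DisplayModule(DWORD dwProcessId)
{
    // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not
    // NULL (the original compared against NULL and then walked a bad handle).
    // MSDN says a TH32CS_SNAPMODULE snapshot may fail with ERROR_BAD_LENGTH and
    // should be retried; the bound keeps this from spinning forever.
    HANDLE hthSnapshot = INVALID_HANDLE_VALUE;
    for (int attempt = 0; attempt < 5; ++attempt)
    {
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
        if (hthSnapshot != INVALID_HANDLE_VALUE || GetLastError() != ERROR_BAD_LENGTH)
            break;
    }
    if (hthSnapshot == INVALID_HANDLE_VALUE)
        return;

    MODULEENTRY32W me = { sizeof(me) };
    for (BOOL fMoreMods = Module32FirstW(hthSnapshot, &me);
         fMoreMods;
         fMoreMods = Module32NextW(hthSnapshot, &me))
    {
        // szExePath is MAX_PATH wide characters; the original's fixed 256-byte
        // buffers made WideCharToMultiByte fail on long paths. Sizing the ANSI
        // buffers to the byte size of the wide arrays (twice the character
        // count) is enough for any double-byte ANSI code page.
        char szModule[sizeof(me.szModule)] = {};
        char szExePath[sizeof(me.szExePath)] = {};
        if (WideCharToMultiByte(CP_ACP, 0, me.szModule, -1,
                                szModule, sizeof(szModule), NULL, NULL) == 0)
            szModule[0] = '\0';
        if (WideCharToMultiByte(CP_ACP, 0, me.szExePath, -1,
                                szExePath, sizeof(szExePath), NULL, NULL) == 0)
            szExePath[0] = '\0';
        ToLowerInPlace(szModule);
        ToLowerInPlace(szExePath);

        // The task asks for the load base address as well; %p keeps it intact
        // on 64-bit builds (a DWORD cast would truncate it).
        printf("%s %s 0x%p\r\n", szModule, szExePath,
               static_cast<void*>(me.modBaseAddr));
    }
    CloseHandle(hthSnapshot);
}

// Enables SeDebugPrivilege on the current process token so module snapshots
// of processes owned by other users can be taken.
// Returns FALSE if the token cannot be opened or the privilege cannot be
// looked up / adjusted. If the token simply does not hold the privilege
// (not running elevated), a warning is printed and TRUE is returned, since
// the caller's own processes can still be enumerated.
static BOOL EnableDebugPrivilege(void)
{
    HANDLE hToken = NULL;
    // AdjustTokenPrivileges needs only TOKEN_ADJUST_PRIVILEGES (plus
    // TOKEN_QUERY); the original asked for TOKEN_ALL_ACCESS it never used.
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;

    TOKEN_PRIVILEGES tp = {};
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    BOOL ok = LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)
              && AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
    // AdjustTokenPrivileges returns TRUE even when nothing was enabled;
    // ERROR_NOT_ALL_ASSIGNED is the real verdict. Read it before CloseHandle,
    // which may overwrite the last-error value.
    if (ok && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        fprintf(stderr, "SeDebugPrivilege not held (not elevated?); "
                        "modules of other users' processes may be unavailable\r\n");
    CloseHandle(hToken);
    return ok;
}

// Walks the process list and, for every process whose executable name
// contains szProcessName (case-insensitive substring match, as before),
// prints its loaded modules via DisplayModule.
// Returns 0 if szProcessName is empty, the debug privilege could not be
// adjusted, or the process snapshot failed; 1 otherwise (also when nothing
// matched). Unlike the original, szProcessName is not modified in place.
DWORD FindProcess(char *szProcessName)
{
    if (szProcessName == NULL || *szProcessName == '\0')
        return 0;
    std::string needle(szProcessName);
    ToLowerInPlace(&needle[0]);

    if (!EnableDebugPrivilege())
        return 0;

    // The original never checked this handle before calling Process32First.
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
        return 0;

    PROCESSENTRY32 pe = { sizeof(pe) };
    for (BOOL bNext = Process32First(hSnap, &pe);
         bNext;
         bNext = Process32Next(hSnap, &pe))
    {
        ToLowerInPlace(pe.szExeFile);  // our own copy of the entry, safe to mutate
        if (strstr(pe.szExeFile, needle.c_str()) == NULL)
            continue;

        printf("查找:%s开始\r\n", pe.szExeFile);
        // The module snapshot does not need a handle to the target, so the
        // original OpenProcess(PROCESS_ALL_ACCESS, ...) whose handle was never
        // used is dropped rather than requesting rights that go unused.
        DisplayModule(pe.th32ProcessID);
        printf("查找:%s结束\r\n", pe.szExeFile);
    }
    CloseHandle(hSnap);
    return 1;
}

// Entry point: the process name may be given as the first argument;
// defaults to "SYSTEM" as in the original. Waits for a key before exiting.
int main(int argc, char* argv[])
{
    char processname[] = "SYSTEM";
    FindProcess(argc > 1 ? argv[1] : processname);
    getchar();
    return 0;
}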
[解决办法]
给出的提示链接里不就有代码,这都不愿看,还是早点转行吧。

C/C++ code
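#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>

//  Forward declarations:
BOOL GetProcessList( );
BOOL ListProcessModules( DWORD dwPID );
BOOL ListProcessThreads( DWORD dwOwnerPID );
void printError( const TCHAR* msg );   // const: callers pass string literals

int main( void )
{
  GetProcessList( );
  return 0;
}

// Walks a snapshot of all processes and prints, for each one, its basic
// attributes followed by its modules and threads.
// Returns FALSE only if the process snapshot could not be taken or read;
// per-process failures (e.g. OpenProcess refused on a protected process)
// are reported by printError and the walk continues.
BOOL GetProcessList( )
{
  // Take a snapshot of all processes in the system.
  HANDLE hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
  if( hProcessSnap == INVALID_HANDLE_VALUE )
  {
    printError( TEXT("CreateToolhelp32Snapshot (of processes)") );
    return( FALSE );
  }

  // Set the size of the structure before using it.
  PROCESSENTRY32 pe32;
  pe32.dwSize = sizeof( PROCESSENTRY32 );

  // Retrieve information about the first process, and exit if unsuccessful.
  if( !Process32First( hProcessSnap, &pe32 ) )
  {
    printError( TEXT("Process32First") ); // show cause of failure
    CloseHandle( hProcessSnap );          // clean the snapshot object
    return( FALSE );
  }

  // Now walk the snapshot of processes, and display information about each.
  do
  {
    _tprintf( TEXT("\n\n=====================================================" ));
    _tprintf( TEXT("\nPROCESS NAME:  %s"), pe32.szExeFile );
    _tprintf( TEXT("\n-------------------------------------------------------" ));

    // Retrieve the priority class. GetPriorityClass needs only
    // PROCESS_QUERY_INFORMATION; the sample's PROCESS_ALL_ACCESS is refused
    // on more processes and grants rights this code never exercises.
    // (PROCESS_QUERY_LIMITED_INFORMATION is narrower still on Vista and later.)
    DWORD dwPriorityClass = 0;
    HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION, FALSE, pe32.th32ProcessID );
    if( hProcess == NULL )
      printError( TEXT("OpenProcess") );
    else
    {
      dwPriorityClass = GetPriorityClass( hProcess );
      if( !dwPriorityClass )
        printError( TEXT("GetPriorityClass") );
      CloseHandle( hProcess );
    }

    // DWORD is unsigned long on Windows: %lu / %08lX rather than %d / %08X.
    _tprintf( TEXT("\n  Process ID        = 0x%08lX"), pe32.th32ProcessID );
    _tprintf( TEXT("\n  Thread count      = %lu"),   pe32.cntThreads );
    _tprintf( TEXT("\n  Parent process ID = 0x%08lX"), pe32.th32ParentProcessID );
    _tprintf( TEXT("\n  Priority base     = %ld"), pe32.pcPriClassBase );
    if( dwPriorityClass )
      _tprintf( TEXT("\n  Priority class    = %lu"), dwPriorityClass );

    // List the modules and threads associated with this process.
    ListProcessModules( pe32.th32ProcessID );
    ListProcessThreads( pe32.th32ProcessID );

  } while( Process32Next( hProcessSnap, &pe32 ) );

  CloseHandle( hProcessSnap );
  return( TRUE );
}

// Prints every module loaded in process dwPID (name, path, usage counts,
// base address and size). Returns FALSE if the module snapshot could not be
// taken or read, TRUE otherwise.
BOOL ListProcessModules( DWORD dwPID )
{
  // Take a snapshot of all modules in the specified process. MSDN documents
  // that this can fail with ERROR_BAD_LENGTH and should be retried; the
  // bound keeps the retry from spinning forever.
  HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
  for( int attempt = 0; attempt < 5; ++attempt )
  {
    hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwPID );
    if( hModuleSnap != INVALID_HANDLE_VALUE || GetLastError() != ERROR_BAD_LENGTH )
      break;
  }
  if( hModuleSnap == INVALID_HANDLE_VALUE )
  {
    printError( TEXT("CreateToolhelp32Snapshot (of modules)") );
    return( FALSE );
  }

  // Set the size of the structure before using it.
  MODULEENTRY32 me32;
  me32.dwSize = sizeof( MODULEENTRY32 );

  // Retrieve information about the first module, and exit if unsuccessful.
  if( !Module32First( hModuleSnap, &me32 ) )
  {
    printError( TEXT("Module32First") );  // show cause of failure
    CloseHandle( hModuleSnap );           // clean the snapshot object
    return( FALSE );
  }

  // Now walk the module list of the process, and display each module.
  do
  {
    _tprintf( TEXT("\n\n     MODULE NAME:     %s"),   me32.szModule );
    _tprintf( TEXT("\n     Executable     = %s"),     me32.szExePath );
    _tprintf( TEXT("\n     Process ID     = 0x%08lX"),         me32.th32ProcessID );
    _tprintf( TEXT("\n     Ref count (g)  = 0x%04lX"),     me32.GlblcntUsage );
    _tprintf( TEXT("\n     Ref count (p)  = 0x%04lX"),     me32.ProccntUsage );
    // %p rather than a (DWORD) cast: the cast silently truncates 64-bit
    // base addresses.
    _tprintf( TEXT("\n     Base address   = 0x%p"), (void*) me32.modBaseAddr );
    _tprintf( TEXT("\n     Base size      = %lu"),             me32.modBaseSize );

  } while( Module32Next( hModuleSnap, &me32 ) );

  CloseHandle( hModuleSnap );
  return( TRUE );
}

// Prints the id and priorities of every thread owned by process dwOwnerPID.
// Returns FALSE if the thread snapshot could not be taken or read.
BOOL ListProcessThreads( DWORD dwOwnerPID )
{
  // TH32CS_SNAPTHREAD always covers every thread in the system (the process
  // id argument is ignored), so the owner is filtered below.
  HANDLE hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
  if( hThreadSnap == INVALID_HANDLE_VALUE )
  {
    // The sample returned silently here; report it like the other snapshots.
    printError( TEXT("CreateToolhelp32Snapshot (of threads)") );
    return( FALSE );
  }

  // Fill in the size of the structure before using it.
  THREADENTRY32 te32;
  te32.dwSize = sizeof(THREADENTRY32);

  // Retrieve information about the first thread, and exit if unsuccessful.
  if( !Thread32First( hThreadSnap, &te32 ) )
  {
    printError( TEXT("Thread32First") ); // show cause of failure
    CloseHandle( hThreadSnap );          // clean the snapshot object
    return( FALSE );
  }

  // Now walk the thread list of the system, and display information about
  // each thread associated with the specified process.
  do
  {
    if( te32.th32OwnerProcessID == dwOwnerPID )
    {
      _tprintf( TEXT("\n\n     THREAD ID      = 0x%08lX"), te32.th32ThreadID );
      _tprintf( TEXT("\n     Base priority  = %ld"), te32.tpBasePri );
      _tprintf( TEXT("\n     Delta priority = %ld"), te32.tpDeltaPri );
      _tprintf( TEXT("\n"));
    }
  } while( Thread32Next(hThreadSnap, &te32 ) );

  CloseHandle( hThreadSnap );
  return( TRUE );
}

// Prints "<msg> failed with error N (<system message>)" for the calling
// thread's last error. GetLastError() is captured first, before any call
// that could overwrite it.
void printError( const TCHAR* msg )
{
  DWORD eNum = GetLastError( );

  // Zero-initialised: the sample trimmed whatever happened to be in the
  // buffer when FormatMessage itself failed.
  TCHAR sysMsg[256] = { 0 };
  DWORD len = FormatMessage( FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
                             NULL, eNum,
                             MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
                             sysMsg, 256, NULL );
  if( len == 0 )
  {
    _tcscpy_s( sysMsg, 256, TEXT("unknown error") );
    len = (DWORD) _tcslen( sysMsg );
  }

  // Trim trailing control characters, whitespace and periods (FormatMessage
  // appends "\r\n"). Index-based so the cursor never steps before the array.
  while( len > 0 && ( sysMsg[len - 1] == '.' ||
                      ( sysMsg[len - 1] >= 0 && sysMsg[len - 1] < 33 ) ) )
    sysMsg[--len] = 0;

  // Display the message
  _tprintf( TEXT("\n  WARNING: %s failed with error %lu (%s)"), msg, eNum, sysMsg );
}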


[解决办法]

探讨

给出的提示链接里不就有代码,这都不愿看,还是早点转行吧。

C/C++ code
#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>

// Forward declarations:
BOOL GetProcessList( );
BOOL ListProcessModules( DWORD dwPID );
BO……

[解决办法]
估计ls没看到这句Examples

For an example, see Taking a Snapshot and Viewing Processes.
