
WIN 9X下查找隐藏进程实现方法
2007-06-05   中国IT实验室

在WIN 9X下，一些黑客工具利用未公开的API函数实现了隐藏自身、不在任务列表中出现的功能；要把它们找出来，同样需要用到未公开的TOOLHELP32系列函数。因操作系统不同，NT下遍历进程则用PSAPI函数来实现。下面给出完整实例。
  Process.h（头文件中的保护宏 Unit1H 以及 Process.cpp 里的 #include "Unit1.h" 表明该文件在 IDE 中实际名为 Unit1.h；下面各 #include 行的头文件名在转载时已丢失）
  //----------------------------
  #ifndef Unit1H
  #define Unit1H
  //----------------------------
  #include
  #include
  #include
  #include
  
  #define TH32CS_SNAPPROCESS 0x00000002 // Toolhelp32 snapshot flag: include the process list in the snapshot (same value as the SDK's <tlhelp32.h>; defining it here would clash if that header were also included)
  #define PROCESS_HANDLE_NAME 255 // Not referenced anywhere in this listing; the 255-element arrays in Process.cpp use the literal instead
  //---------------------------------------------------------------------------
  typedef struct tagPROCESSENTRY32 // Hand-declared copy of the Toolhelp32 PROCESSENTRY32 record; Process32First/Next write into it, so field order and types must stay exactly as here
  {
  DWORD dwSize; // caller sets this to sizeof(PROCESSENTRY32) before Process32First (Process.cpp does so)
  DWORD cntUsage;
  DWORD th32ProcessID; // process ID; Process.cpp passes it to OpenProcess
  DWORD th32DefaultHeapID;
  DWORD th32ModuleID;
  DWORD cntThreads;
  DWORD th32ParentProcessID;
  LONG pcPriClassBase;
  DWORD dwFlags;
  TCHAR szExeFile[MAX_PATH]; // executable file name; Process.cpp lists it in ListBox1
  } PROCESSENTRY32;
  
  typedef PROCESSENTRY32 * LPPROCESSENTRY32; // pointer form used by the Process32First/Next function pointers below
  
  // Function-pointer slots for the TOOLHELP32 entry points resolved from KERNEL32.DLL at run
  // time (InitToolHelp32 in Process.cpp fills them with GetProcAddress). They carry the same
  // names as the Win32 exports, so they would collide with <tlhelp32.h> if that were included.
  // NOTE(review): these are definitions, not extern declarations, so this header can only be
  // included from a single translation unit without duplicate-symbol link errors.
  typedef HANDLE (WINAPI *PFN_CreateToolhelp32Snapshot)(DWORD dwFlags, DWORD th32PD);
  typedef BOOL (WINAPI *PFN_Process32First)(HANDLE hSnapshot, LPPROCESSENTRY32 pe);
  typedef BOOL (WINAPI *PFN_Process32Next)(HANDLE hSnapshot, LPPROCESSENTRY32 pe);

  PFN_CreateToolhelp32Snapshot CreateToolhelp32Snapshot;
  PFN_Process32First Process32First;
  PFN_Process32Next Process32Next;

  // Function-pointer slots for the PSAPI.DLL entry points (filled by InitPSAPI in Process.cpp).
  typedef BOOL (WINAPI *PFN_EnumProcesses)(DWORD* lpidProcess, DWORD cb, DWORD *cbNeeded);
  typedef DWORD (WINAPI *PFN_GetModuleFileNameExA)(HANDLE hProcess, HMODULE hModule, LPTSTR lpstrFileName, DWORD nSize);

  PFN_EnumProcesses EnumProcesses;
  PFN_GetModuleFileNameExA GetModuleFileNameExA;
  
  
  class TForm1 : public TForm // main form: one button that enumerates processes and a list box showing the result
  {
  __published: // IDE-managed Components
  TButton *FindAllProcessFileName; // button whose OnClick handler runs the enumeration
  TListBox *ListBox1; // receives one entry per process (szExeFile on 9x, the GetModuleFileNameExA result on NT)
  void __fastcall FindAllProcessFileNameClick(TObject *Sender); // defined in Process.cpp
  void __fastcall FormResize(TObject *Sender); // declared only: no definition appears in the Process.cpp listing below
  void __fastcall Button1Click(TObject *Sender); // declared only: no definition in the listing and no Button1 component is declared here; presumably acts on the process[] handles kept by Process.cpp -- TODO confirm
  void __fastcall ListBox1Click(TObject *Sender); // defined in Process.cpp: copies the clicked entry into the list box hint
  private: // User declarations
  public: // User declarations
  __fastcall TForm1(TComponent* Owner);
  };
  //---------------------------------------------------------------------------
  extern PACKAGE TForm1 *Form1; // the instance itself is defined in Process.cpp ("TForm1 *Form1;")
  //---------------------------------------------------------------------------
  #endif
  
  
  Process.cpp
  //---------------------------------------------------------------------------
  #include
  #pragma hdrstop
  #include "Unit1.h"
  //---------------------------------------------------------------------------
  #pragma package(smart_init)
  #pragma resource "*.dfm"
  
  TForm1 *Form1;

  // Module-level state shared by the event handlers below. All of it has static storage, so the
  // explicit zero initialisers only spell out what the language already guarantees.
  // NOTE(review): process[] receives one OpenProcess handle per enumerated process and nothing
  // in this listing closes them, so each click of the button leaks the previous set of handles.
  HANDLE process[255] = {0};        // one OpenProcess handle per enumerated process
  DWORD process_ids[255] = {0};     // NT path: PIDs filled in by EnumProcesses
  DWORD num_processes = 0;          // NT path: cbNeeded from EnumProcesses, i.e. bytes written, not an element count
  PROCESSENTRY32 p32 = {0};         // 9x path: record filled in by Process32First/Next
  TCHAR file_name[MAX_PATH] = {0};  // NT path: scratch buffer for GetModuleFileNameExA
  TCHAR class_name[MAX_PATH] = {0}; // not referenced anywhere in this listing
  unsigned i = 0;                   // loop index shared by both enumeration paths
  //---------------------------------------------------------------------------
  
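  // Resolves the three TOOLHELP32 entry points from KERNEL32.DLL into the global function
  // pointers declared in the header. Returns TRUE only when all three were found; on FALSE the
  // pointers must not be called (any of them may be NULL).
  // KERNEL32.DLL is already mapped into every Win32 process, so LoadLibrary only adds a
  // reference; it is deliberately never released because the resolved pointers are used after
  // this function returns.
  // Change against the original: the null checks compare the pointers directly instead of
  // casting them to UINT, a C-style cast that silently truncates wherever a pointer is wider
  // than UINT.
  BOOL InitToolHelp32()
  {
    HINSTANCE hKernel = LoadLibrary("KERNEL32.DLL");
    if (hKernel == NULL)
      return FALSE;

    CreateToolhelp32Snapshot = reinterpret_cast<HANDLE (WINAPI *)(DWORD, DWORD)>(
      GetProcAddress(hKernel, "CreateToolhelp32Snapshot"));
    Process32First = reinterpret_cast<BOOL (WINAPI *)(HANDLE, LPPROCESSENTRY32)>(
      GetProcAddress(hKernel, "Process32First"));
    Process32Next = reinterpret_cast<BOOL (WINAPI *)(HANDLE, LPPROCESSENTRY32)>(
      GetProcAddress(hKernel, "Process32Next"));

    if (CreateToolhelp32Snapshot == NULL || Process32First == NULL || Process32Next == NULL)
      return FALSE;
    return TRUE;
  }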
  
  
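  // Resolves EnumProcesses and GetModuleFileNameExA from PSAPI.DLL into the global function
  // pointers declared in the header. Returns TRUE only if the DLL loaded and both exports were
  // found; on FALSE the pointers must not be called.
  // Bug fixed against the original: the success check compared the Win32 API GetModuleFileName
  // (a real function, never NULL) instead of the GetModuleFileNameExA pointer it had just
  // resolved, so a missing export went undetected and the later call through the NULL pointer
  // would fault. The check now tests GetModuleFileNameExA itself.
  // NOTE(review): the DLL is loaded by bare name, so it is located through the loader's search
  // order rather than from a fixed location; building the path from the system directory would
  // remove that dependence. The module is intentionally never freed: the pointers outlive this call.
  BOOL InitPSAPI()
  {
    HINSTANCE hPsapi = LoadLibrary("PSAPI.DLL");
    if (hPsapi == NULL)
      return FALSE;

    EnumProcesses = reinterpret_cast<BOOL (WINAPI *)(DWORD*, DWORD, DWORD*)>(
      GetProcAddress(hPsapi, "EnumProcesses"));
    GetModuleFileNameExA = reinterpret_cast<DWORD (WINAPI *)(HANDLE, HMODULE, LPTSTR, DWORD)>(
      GetProcAddress(hPsapi, "GetModuleFileNameExA"));

    if (EnumProcesses == NULL || GetModuleFileNameExA == NULL)
      return FALSE;
    return TRUE;
  }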
  
  
  // Standard C++Builder form constructor: just forwards the owner to TForm. The components are
  // presumably created from the .dfm named by "#pragma resource" above, so nothing is set up here.
  __fastcall TForm1::TForm1(TComponent* Owner)
  : TForm(Owner)
  {
  }
  //---------------------------------------------------------------------------
  
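  // OnClick handler for FindAllProcessFileName: fills ListBox1 with one entry per running process
  // and keeps an OpenProcess handle for each in process[], using a Toolhelp32 snapshot on
  // Windows 9x and PSAPI on Windows NT (selected from GetVersionEx's dwPlatformId). Other
  // platform ids do nothing. Sender is unused, as usual for VCL event handlers.
  //
  // Changes against the original:
  //  - handles left in process[] by a previous click are closed before the array is refilled
  //    (nothing ever closed them, so every click leaked a full set);
  //  - the 9x loop stops at the capacity of process[] instead of writing past its end when more
  //    than 255 processes exist (the original bounded the array but not the loop);
  //  - a failed CreateToolhelp32Snapshot is reported instead of being handed to Process32First
  //    and CloseHandle;
  //  - on NT a process that OpenProcess refused is skipped instead of GetModuleFileNameExA
  //    being called with a NULL handle;
  //  - init failures are reported with ShowMessage; the stray `else ShowMessage(...)` at the end
  //    of the listing appears to be this branch, detached from the function in the original.
  // The NT loop bound was lost in the listing ("for(i=0; i  {"); it is written here as
  // num_processes / sizeof(DWORD) because EnumProcesses reports the bytes written via cbNeeded.
  // Note that on NT ListBox1 and process[] are not index-aligned (an entry is only added when
  // GetModuleFileNameExA succeeds); that matches the original and is left as is.
  void __fastcall TForm1::FindAllProcessFileNameClick(TObject *Sender)
  {
    const unsigned kMaxProcesses = sizeof(process) / sizeof(process[0]);

    // Release whatever the previous enumeration left behind so refilling process[] does not leak.
    for (i = 0; i < kMaxProcesses; i++)
    {
      if (process[i] != NULL)
      {
        CloseHandle(process[i]);
        process[i] = NULL;
      }
    }

    OSVERSIONINFO osinfo;
    osinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    if (!GetVersionEx(&osinfo))
      return;

    switch (osinfo.dwPlatformId)
    {
      case VER_PLATFORM_WIN32_WINDOWS: // Windows 9x: Toolhelp32 snapshot
      {
        if (!InitToolHelp32())
        {
          ShowMessage("初始化TOOLHELP32失败");
          break;
        }
        ListBox1->Clear();

        HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hSnapshot == INVALID_HANDLE_VALUE)
        {
          ShowMessage("创建进程快照失败");
          break;
        }

        p32.dwSize = sizeof(PROCESSENTRY32); // required by Process32First
        BOOL more = Process32First(hSnapshot, &p32);
        i = 0;
        while (more && i < kMaxProcesses)
        {
          ListBox1->Items->Add(p32.szExeFile);
          // PROCESS_TERMINATE is kept from the original: the handle is stored for the form's
          // other handlers, not for the listing itself, which would only need query access.
          process[i] = OpenProcess(PROCESS_TERMINATE, 0, p32.th32ProcessID);
          more = Process32Next(hSnapshot, &p32);
          i++;
        }
        CloseHandle(hSnapshot);
        break;
      }

      case VER_PLATFORM_WIN32_NT: // Windows NT: PSAPI
      {
        if (!InitPSAPI())
        {
          ShowMessage("初始化PSAPI失败");
          break;
        }
        ListBox1->Clear();

        if (!EnumProcesses(process_ids, sizeof(process_ids), &num_processes))
          break;
        const unsigned count = num_processes / sizeof(DWORD); // cbNeeded is a byte count
        for (i = 0; i < count && i < kMaxProcesses; i++)
        {
          process[i] = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, process_ids[i]);
          if (process[i] == NULL)
            continue; // e.g. a system process this caller is not permitted to open
          // sizeof(file_name) is a byte count; it equals the character count the A variant
          // expects only for an ANSI build -- TODO confirm UNICODE is not defined.
          if (GetModuleFileNameExA(process[i], NULL, file_name, sizeof(file_name)))
            ListBox1->Items->Add(file_name);
        }
        break;
      }
    }
  }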
  
  //---------------------------------------------------------------------------
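  // OnClick handler for ListBox1: shows the clicked entry (a process name or path) as the list
  // box's hint so that long paths can be read in full. Sender is unused.
  // Bug fixed against the original: ItemIndex is -1 when the click selected nothing (e.g. a
  // click below the last item), and the original indexed Strings[] with that value, which
  // TStrings rejects with a list-index-out-of-bounds exception; that case is now skipped.
  void __fastcall TForm1::ListBox1Click(TObject *Sender)
  {
    const int selected = ListBox1->ItemIndex;
    if (selected < 0)
      return;
    ListBox1->Hint = ListBox1->Items->Strings[selected];
  }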
  //---------------------------------------------------------------------------
  
  else ShowMessage("初始化TOOLHELP32失败");
  }
