WIN 9X下查找隐藏进程实现方法



在 Windows 9x 下,一些黑客工具利用未公开的 API 函数把自身隐藏起来,使其不在任务列表中出现。要把它们找出来,同样需要用到未公开的 TOOLHELP32 系列函数(本例通过 GetProcAddress 从 KERNEL32.DLL 动态获取);而在 NT 下,遍历进程则改用 PSAPI 函数实现。需要注意的是,这种办法只能列出操作系统自身报告的进程——若某个工具是通过挂钩这些枚举 API 来隐藏的,它同样会躲过本程序。下面给出完整实例。

Process.h(注:其包含守卫为 Unit1H,且 Process.cpp 以 #include "Unit1.h" 引用它,保存文件时名称需与之一致)

//----------------------------

#ifndef Unit1H

#define Unit1H

//----------------------------

#include

#include

#include

#include

#define TH32CS_SNAPPROCESS 0x00000002 // CreateToolhelp32Snapshot flag: include the process list in the snapshot
// NOTE(review): the four #include lines above lost their <...> targets when this page was
// extracted; the unit needs the VCL headers that declare TForm/TButton/TListBox/TComponent
// and, through them, the Win32 API used below.
#define PROCESS_HANDLE_NAME 255 // unused in this listing; equals the 255-slot process[]/process_ids[] arrays in Process.cpp

//---------------------------------------------------------------------------

// Local copy of the TOOLHELP32 PROCESSENTRY32 layout so the unit builds without
// tlhelp32.h. Process32First/Next fill this structure by offset, so field order,
// types and the MAX_PATH-sized name buffer must match the SDK definition exactly
// -- never reorder, resize or add members. The caller sets dwSize before the
// first Process32First() call (see FindAllProcessFileNameClick).
typedef struct tagPROCESSENTRY32
{
DWORD dwSize;              // sizeof(PROCESSENTRY32); filled in by the caller before use
DWORD cntUsage;            // not used in this unit
DWORD th32ProcessID;       // process ID, passed to OpenProcess()
DWORD th32DefaultHeapID;   // not used in this unit
DWORD th32ModuleID;        // not used in this unit
DWORD cntThreads;          // not used in this unit
DWORD th32ParentProcessID; // not used in this unit
LONG pcPriClassBase;       // not used in this unit
DWORD dwFlags;             // not used in this unit
TCHAR szExeFile[MAX_PATH]; // executable file name; this is what gets shown in the list box
} PROCESSENTRY32;
typedef PROCESSENTRY32 * LPPROCESSENTRY32;

// Function pointers for the TOOLHELP32 exports that InitToolHelp32() resolves
// from KERNEL32.DLL at run time. They have static storage, so they are NULL
// until that call succeeds.
// NOTE(review): these are *definitions* of global variables placed in a header.
// If Unit1.h is ever included from a second .cpp the linker will report
// duplicate symbols; the usual fix is `extern` here plus one definition in
// Process.cpp. The names also collide with the real SDK declarations, so
// tlhelp32.h / psapi.h must not be included alongside this header.
HANDLE (WINAPI *CreateToolhelp32Snapshot)(DWORD dwFlags,DWORD th32PD);
BOOL (WINAPI *Process32First)(HANDLE hSnapshot,LPPROCESSENTRY32 pe);
BOOL (WINAPI *Process32Next)(HANDLE hSnapshot,LPPROCESSENTRY32 pe);
// Function pointers for the PSAPI.DLL exports that InitPSAPI() resolves.
// Note the unit mismatch between the two: `cb`/`cbNeeded` are BYTE counts for
// EnumProcesses, while `nSize` is a CHARACTER count for GetModuleFileNameExA.
BOOL (WINAPI *EnumProcesses)(DWORD* lpidProcess,DWORD cb,DWORD *cbNeeded);
// Declared with LPTSTR although it binds the explicit ANSI export; the two only
// agree in a non-UNICODE build -- which the narrow string literals passed to
// LoadLibrary() in Process.cpp indicate this is.
DWORD (WINAPI *GetModuleFileNameExA)(HANDLE hProcess,HMODULE hModule,LPTSTR lpstrFileName,DWORD nSize);

// The application's only form. Everything in the __published section is wired
// up by the IDE from the .dfm file, so those names must not be changed by hand.
class TForm1 : public TForm
{
__published: // IDE-managed Components
TButton *FindAllProcessFileName; // "list processes" button; fires FindAllProcessFileNameClick
TListBox *ListBox1;              // receives one entry per process found
void __fastcall FindAllProcessFileNameClick(TObject *Sender); // defined in Process.cpp
// NOTE(review): the next two handlers are declared but no definition appears in the
// Process.cpp listing. If the .dfm references them the unit will not link as shown.
// Button1Click presumably acts on the selected entry via the global process[] table
// (which is why handles are opened with PROCESS_TERMINATE) -- TODO confirm.
void __fastcall FormResize(TObject *Sender);
void __fastcall Button1Click(TObject *Sender);
void __fastcall ListBox1Click(TObject *Sender); // defined in Process.cpp
private: // User declarations
public: // User declarations
__fastcall TForm1(TComponent* Owner);
};

//---------------------------------------------------------------------------

extern PACKAGE TForm1 *Form1;

//---------------------------------------------------------------------------

#endif

Process.cpp

//---------------------------------------------------------------------------

#include

#pragma hdrstop

#include "Unit1.h"

//---------------------------------------------------------------------------

#pragma package(smart_init)

#pragma resource "*.dfm"

TForm1 *Form1; // the single form instance; declared `extern PACKAGE` in Unit1.h

// Unit-wide state shared by the enumeration handler and, presumably, by the
// handlers declared in Unit1.h but not shown in this listing.
HANDLE process[255];        // OpenProcess() handle per listed process, in enumeration order.
                            // Static storage, so every slot starts out NULL. Slots must be
                            // CloseHandle()d before they are overwritten or each run leaks them.
PROCESSENTRY32 p32;         // scratch entry for Process32First/Next (Win9x path)
DWORD process_ids[255];     // PID table for EnumProcesses (NT path). 255 is a hard cap: a fuller
                            // system is silently truncated, so a larger table may be needed.
DWORD num_processes;        // BYTES (not entries) written to process_ids by EnumProcesses
TCHAR file_name[MAX_PATH];  // scratch buffer for GetModuleFileNameExA
TCHAR class_name[MAX_PATH]; // unused in this listing
unsigned i;                 // loop index kept as a global; holds the last count after a run

//---------------------------------------------------------------------------

//初始化TOOLHELP32

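// Resolve the TOOLHELP32 entry points from KERNEL32 at run time and store them
// in the global function pointers declared in Unit1.h.
// Returns TRUE only if all three exports were found. Resolving them dynamically
// instead of linking against them presumably lets the same binary start on a
// kernel whose KERNEL32 lacks these exports; the NT path uses PSAPI instead.
BOOL InitToolHelp32()
{
    // KERNEL32 is already mapped into every Win32 process, so look the module up
    // rather than LoadLibrary()ing it: the original took a new reference on every
    // call and never FreeLibrary()d it. Harmless for KERNEL32 itself, but it is
    // the pattern that gets copied for other DLLs.
    HMODULE kernel32 = GetModuleHandle("KERNEL32.DLL");
    if (kernel32 == NULL)
        return FALSE;

    // Same signatures as the globals in Unit1.h; typedefs keep the casts readable.
    typedef HANDLE (WINAPI *SnapshotFn)(DWORD, DWORD);
    typedef BOOL   (WINAPI *ProcessWalkFn)(HANDLE, LPPROCESSENTRY32);

    CreateToolhelp32Snapshot = (SnapshotFn)GetProcAddress(kernel32, "CreateToolhelp32Snapshot");
    Process32First           = (ProcessWalkFn)GetProcAddress(kernel32, "Process32First");
    Process32Next            = (ProcessWalkFn)GetProcAddress(kernel32, "Process32Next");

    // Compare the pointers directly. The original cast each one to UINT first,
    // which silently truncates on any platform where a pointer is wider than UINT.
    return CreateToolhelp32Snapshot != NULL
        && Process32First != NULL
        && Process32Next != NULL;
}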

//初始化PSAPI

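// Resolve EnumProcesses / GetModuleFileNameExA from PSAPI.DLL (NT only) into the
// global function pointers declared in Unit1.h. Returns TRUE only if the DLL
// loaded and both exports were found. The module is deliberately never freed:
// the resolved pointers stay in use for the life of the process.
BOOL InitPSAPI()
{
    // Load PSAPI.DLL by full path from the system directory. With a bare name,
    // LoadLibrary walks the DLL search order, which begins with the application
    // directory -- a PSAPI.DLL planted next to this executable would be loaded
    // and run with the tool's privileges (DLL preloading). Consequence: on a
    // system where PSAPI.DLL is a redistributable it must be installed into
    // System32, not dropped beside the .exe; otherwise this fails closed.
    char dllPath[MAX_PATH];
    const char suffix[] = "\\PSAPI.DLL";
    UINT sysLen = GetSystemDirectoryA(dllPath, MAX_PATH);
    if (sysLen == 0 || sysLen + sizeof(suffix) > MAX_PATH)
        return FALSE; // call failed, or the full path would not fit the buffer
    lstrcatA(dllPath, suffix);

    HINSTANCE PSAPI = LoadLibraryA(dllPath);
    if (PSAPI == NULL)
        return FALSE;

    // Same signatures as the globals in Unit1.h.
    typedef BOOL  (WINAPI *EnumProcessesFn)(DWORD*, DWORD, DWORD*);
    typedef DWORD (WINAPI *GetModuleFileNameExFn)(HANDLE, HMODULE, LPTSTR, DWORD);

    EnumProcesses        = (EnumProcessesFn)GetProcAddress(PSAPI, "EnumProcesses");
    GetModuleFileNameExA = (GetModuleFileNameExFn)GetProcAddress(PSAPI, "GetModuleFileNameExA");

    // BUG FIX: the original tested `GetModuleFileName` -- the KERNEL32 import,
    // which is never NULL -- instead of the pointer it had just fetched, so a
    // missing export went undetected and the first call through it would crash.
    return EnumProcesses != NULL && GetModuleFileNameExA != NULL;
}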

// Standard C++ Builder form constructor. Component creation and event wiring
// come from the .dfm, so there is nothing to do here beyond the base class.
__fastcall TForm1::TForm1(TComponent* Owner)
: TForm(Owner)
{
}

//---------------------------------------------------------------------------

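// Number of slots in the global process[] handle table. process_ids[] has the
// same capacity, so this also bounds the NT path.
static const unsigned kMaxTrackedProcesses = sizeof(process) / sizeof(process[0]);

// Close and NULL every handle still held in process[] from an earlier click.
// process[] has static storage, so never-used slots are NULL and are skipped.
static void ReleaseProcessHandles()
{
    for (unsigned k = 0; k < kMaxTrackedProcesses; k++)
    {
        if (process[k] != NULL)
        {
            CloseHandle(process[k]);
            process[k] = NULL;
        }
    }
}

// Win9x path: walk a TOOLHELP32 process snapshot, append each executable name
// to `items`, and keep an OpenProcess() handle in process[] at the same index.
// Requires InitToolHelp32() to have succeeded. Leaves the number of handles
// stored in the global i.
static void ListProcessesToolHelp32(TStrings *items)
{
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) // this API's failure value is not NULL
        return;

    p32.dwSize = sizeof(PROCESSENTRY32); // Process32First rejects an entry without it
    i = 0;
    for (BOOL more = Process32First(snapshot, &p32); more; more = Process32Next(snapshot, &p32))
    {
        // Always list the name -- a tool meant to find hidden processes must not
        // drop entries silently -- but only store a handle while process[] has
        // room. The original kept writing past process[255] once more than 255
        // processes were running.
        items->Add(p32.szExeFile);
        if (i < kMaxTrackedProcesses)
        {
            // PROCESS_TERMINATE is far more access than listing needs. It is kept
            // because process[] presumably backs a kill action in Button1Click,
            // which is declared in Unit1.h but not defined in this listing --
            // TODO confirm; if nothing terminates through process[], request
            // PROCESS_QUERY_INFORMATION instead.
            process[i] = OpenProcess(PROCESS_TERMINATE, FALSE, p32.th32ProcessID);
            i++;
        }
    }
    CloseHandle(snapshot);
}

// NT path: ask PSAPI for the PID table, then open each process and read its
// main-module path. Requires InitPSAPI() to have succeeded.
// Only processes whose path could be read are added to `items`, so on this
// path a list-box index does NOT line up with process[] (true of the original
// code as well).
static void ListProcessesPSAPI(TStrings *items)
{
    if (!EnumProcesses(process_ids, sizeof(process_ids), &num_processes))
        return;

    // num_processes is a BYTE count, not an entry count. When it equals the
    // buffer size the table may have been truncated; PSAPI gives no other
    // signal, so enlarging process_ids[] is the only remedy.
    unsigned count = num_processes / sizeof(DWORD);
    if (count > kMaxTrackedProcesses)
        count = kMaxTrackedProcesses;

    for (i = 0; i < count; i++)
    {
        // NULL is normal here (e.g. a system process we have no rights to);
        // such entries are simply not listed.
        process[i] = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, process_ids[i]);
        if (process[i] != NULL &&
            GetModuleFileNameExA(process[i], NULL, file_name, sizeof(file_name) / sizeof(file_name[0])))
        {
            items->Add(file_name);
        }
    }
}

// Button handler: list every process the OS reports, using whichever
// enumeration API the running platform provides (TOOLHELP32 on Win9x, PSAPI
// on NT).
// Side effects: clears ListBox1, releases and refills the global process[]
// handle table, and reuses the globals p32, process_ids, num_processes,
// file_name and i. Shows a message box when the platform's API could not be
// resolved; does nothing if GetVersionEx fails or the platform is unknown.
void __fastcall TForm1::FindAllProcessFileNameClick(TObject *Sender)
{
    OSVERSIONINFO osinfo;
    osinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); // GetVersionEx requires it
    if (!GetVersionEx(&osinfo))
        return;

    switch (osinfo.dwPlatformId)
    {
    case VER_PLATFORM_WIN32_WINDOWS: // Windows 95/98/Me
        if (InitToolHelp32())
        {
            ReleaseProcessHandles(); // close last run's handles before the slots are overwritten
            ListBox1->Clear();
            ListProcessesToolHelp32(ListBox1->Items);
        }
        else
            ShowMessage("初始化TOOLHELP32失败");
        break;

    case VER_PLATFORM_WIN32_NT:
        if (InitPSAPI())
        {
            ReleaseProcessHandles();
            ListBox1->Clear();
            ListProcessesPSAPI(ListBox1->Items);
        }
        else
            ShowMessage("初始化PSAPI失败");
        break;
    }
}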

//---------------------------------------------------------------------------

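// Mirror the selected entry into the list box's tooltip so a path wider than
// the visible area can still be read in full.
void __fastcall TForm1::ListBox1Click(TObject *Sender)
{
    int selected = ListBox1->ItemIndex;
    // OnClick also fires for a click on the empty area below the last item, in
    // which case ItemIndex is -1; Strings[-1] is out of range and VCL rejects it
    // with an exception instead of returning an empty string.
    if (selected < 0)
        return;
    ListBox1->Hint = ListBox1->Items->Strings[selected];
}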

//---------------------------------------------------------------------------

// NOTE(review): orphaned fragment -- an `else` and a closing brace at file scope
// do not compile. Judging by the message text it is the else-branch of
// `if(InitToolHelp32())` in the VER_PLATFORM_WIN32_WINDOWS case of
// FindAllProcessFileNameClick and was misplaced when the listing was assembled.
else ShowMessage("初始化TOOLHELP32失败");
}




