ProcessFun
#pragma once
// NOTE(review): the guard name starts with a double underscore, which is reserved for the
// implementation in C++; `#pragma once` above already prevents double inclusion on its own.
#ifndef __PROCESSFUN_H__
#define __PROCESSFUN_H__
#include <iostream>
#include <string>
#include <algorithm>
#include <windows.h>
#include <psapi.h>
// NOTE(review): `using namespace std;` in a header leaks into every translation unit that includes it.
using namespace std;
// Native (Nt*) prototypes plus the SYSTEM_PROCESSES / handle-information types used by ProcessFun.cpp.
#include "Ntdll.h"
#pragma comment(lib, "psapi.lib")
// Silences C4996 (deprecated CRT names such as strcpy/stricmp) for the whole file instead of
// moving to the bounds-checked variants.
#pragma warning(disable: 4996)

// Enables or removes one privilege on the current process token. Defaults to SE_DEBUG_PRIVILEGE,
// which is what lets the open/terminate helpers below reach processes the caller would otherwise
// be denied. Token privilege adjustments of this kind are a good audit point on the defensive side.
BOOL EnablePrivilege(ULONG Privilege = SE_DEBUG_PRIVILEGE, BOOL Enable = TRUE);

// Fills lpProcess with the PIDs reported by SystemProcessInformation, sorted ascending, and
// returns the count. The array is not bounded by any argument — the caller must size it for
// every process on the system. Returns 0 on failure, which is indistinguishable from "no processes".
DWORD NtEnumProcess(LPDWORD lpProcess);

// Copies the SYSTEM_PROCESSES entry whose ProcessId == dwPid into SystemProcess; FALSE if absent.
BOOL GetSystemProcess(DWORD dwPid, SYSTEM_PROCESSES &SystemProcess);

// One-argument overload of the native NtOpenProcess: opens dwPid with PROCESS_ALL_ACCESS, NULL on failure.
HANDLE NtOpenProcess(DWORD dwPid);

// Obtains a PROCESS_ALL_ACCESS handle to dwPid by duplicating a matching handle found in
// another process's handle table (SystemHandleInformation walk), NULL if none is found.
HANDLE DoOpenProcess(DWORD dwPid);

// Tries NtOpenProcess, then DoOpenProcess, and only returns a handle whose GetProcessId matches dwPid.
HANDLE PowerOpenProcess(DWORD dwPid);

// TRUE when GetExitCodeProcess reports anything other than STILL_ACTIVE (also TRUE if the query fails).
BOOL IsProcessExit(HANDLE hProcess);

// One-argument overload of the native NtTerminateProcess; TRUE only if the process then reports exited.
BOOL NtTerminateProcess(HANDLE hProcess);

// Assigns the process to a fresh job object and terminates the job.
BOOL JoTerminateProcess(HANDLE hProcess);

// NOTE(review): the definition in ProcessFun.cpp has an empty body and no return statement.
BOOL CrtTerminateProcess(HANDLE hProcess);

// Overwrites a fixed user-space address range inside the target with zero pages (unmap/protect/write)
// and then checks whether it exited. This is destructive, indiscriminate cross-process memory
// tampering — the behaviour endpoint telemetry reports — rather than a clean termination.
BOOL WvmTerminateProcess(HANDLE hProcess);

// Tries NtTerminateProcess, JoTerminateProcess and WvmTerminateProcess in that order.
BOOL PowerTerminateProcess(HANDLE hProcess);

// Writes the image path of hProcess (converted to a drive-letter path) into lpFilePath.
// lpFilePath is written with strcpy/strcat and must hold at least MAX_PATH characters.
BOOL GetProcessFilePath(HANDLE hProcess, LPSTR lpFilePath);

// Despite the name, converts a device path ("\Device\...") into a drive-letter path; see the definition.
BOOL DosPathToNtPath(LPCSTR lpDosPath, LPSTR lpNtPath);

// Returns the kernel object address recorded in the handle table for dwPid, truncated to a DWORD.
DWORD GetEProcess(DWORD dwPid);

// InheritedFromProcessId of dwPid's SYSTEM_PROCESSES entry; 0 when the lookup fails.
DWORD GetParentProcessId(DWORD dwPid);

// Narrow copy of the image name of dwPid into lpProcessName (written with wcstombs up to MAX_PATH).
BOOL GetProcessName(DWORD dwPid, LPSTR lpProcessName);

// CreateTime of dwPid's SYSTEM_PROCESSES entry; zero when the lookup fails.
LARGE_INTEGER GetProcessCreateTime(DWORD dwPid);
#endif // __PROCESSFUN_H__
ProcessFun.h
#include "ProcessFun.h"

/// Enables (or removes) a single privilege on the current process token.
/// @param Privilege  Low part of the privilege LUID (the header defaults this to SE_DEBUG_PRIVILEGE).
/// @param Enable     TRUE to enable, FALSE to remove.
/// @return TRUE when NtAdjustPrivilegesToken reports a success-class status. NOTE(review): the native
///         call is commonly documented to return STATUS_NOT_ALL_ASSIGNED (a success-class status) when
///         the token does not hold the privilege, so TRUE does not prove the privilege is now enabled.
BOOL EnablePrivilege(ULONG Privilege, BOOL Enable)
{
    HANDLE hToken = NULL;
    // TOKEN_ALL_ACCESS is far more than TOKEN_ADJUST_PRIVILEGES needs; the token handle is never closed.
    if (!NT_SUCCESS(NtOpenProcessToken(NtCurrentProcess(), TOKEN_ALL_ACCESS, &hToken)) || hToken == NULL)
        return FALSE;
    TOKEN_PRIVILEGES tp = {};
    tp.PrivilegeCount = ;   // NOTE(review): numeric literal lost in extraction — restore from the original source
    // HighPart stays 0 from the `= {}` above; only LowPart is set. Index literal lost in extraction.
    tp.Privileges[].Luid.LowPart = Privilege;
    tp.Privileges[].Attributes = Enable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED;
    return NT_SUCCESS(NtAdjustPrivilegesToken(hToken, FALSE, &tp, sizeof(tp), NULL, NULL));
}

/// Enumerates PIDs via SystemProcessInformation into lpProcess (sorted ascending) and returns the count.
/// @param lpProcess  Caller-owned array; nothing bounds the writes, so it must be large enough for
///                   every process on the system.
/// @return Number of PIDs written, or 0 on failure (not distinguishable from an empty result).
DWORD NtEnumProcess(LPDWORD lpProcess)
{
    DWORD dwSize = NULL;
    PSYSTEM_PROCESSES lpbaSP = NULL;
    // NOTE(review): `|| dwSize == NULL` is inside the NT_SUCCESS(...) argument, so NT_SUCCESS is applied
    // to a boolean rather than to the NTSTATUS. With the usual `>= 0` definition this condition can never
    // fail, and the size-probe status is effectively ignored. The required size can also grow between
    // this probe and the second query below (TOCTOU), in which case the second query fails and 0 is returned.
    if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
        return NULL;
    if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
                                            (PVOID *)&lpbaSP,
                                            NULL,
                                            &dwSize,
                                            MEM_COMMIT,
                                            PAGE_READWRITE)) ||
        lpbaSP == NULL)
        return NULL;
    if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
    {
        NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
        return NULL;
    }
    DWORD dwLenth = ;   // NOTE(review): numeric literal lost in extraction — restore from the original source
    PSYSTEM_PROCESSES lpSP = lpbaSP;
    // Walks the delta-linked SYSTEM_PROCESSES list. The loop stops as soon as NextEntryDelta is 0, so the
    // final entry itself is never copied out. There is no bound on lpProcess.
    while (lpSP->NextEntryDelta != NULL)
    {
        lpProcess[dwLenth++] = lpSP->ProcessId;
        // Advancing through ULONG (32-bit on Windows) truncates the pointer in a 64-bit build.
        lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
    }
    NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
    sort(lpProcess, lpProcess + dwLenth);
    return dwLenth;
}

/// Copies the SYSTEM_PROCESSES entry for dwPid into SystemProcess.
/// @param dwPid          Process id to look up.
/// @param SystemProcess  Receives a by-value copy of the entry; zeroed first.
/// @return TRUE if an entry with that ProcessId was found.
/// NOTE(review): the copy is a shallow struct copy. ProcessName.Buffer (used by GetProcessName) points into
/// the query buffer that this function frees before returning, so that pointer is dangling in the result.
BOOL GetSystemProcess(DWORD dwPid, SYSTEM_PROCESSES &SystemProcess)
{
    SystemProcess = {};
    DWORD dwSize = NULL;
    PSYSTEM_PROCESSES lpbaSP = NULL;
    // NOTE(review): same precedence issue as NtEnumProcess — the `||` is inside NT_SUCCESS(...), so the
    // size-probe status is never really checked.
    if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
        return FALSE;
    if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
                                            (PVOID *)&lpbaSP,
                                            NULL,
                                            &dwSize,
                                            MEM_COMMIT,
                                            PAGE_READWRITE)) ||
        lpbaSP == NULL)
        return FALSE;
    if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
    {
        NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
        return FALSE;
    }
    BOOL status = FALSE;
    PSYSTEM_PROCESSES lpSP = lpbaSP;
    // The last entry (NextEntryDelta == 0) is never examined, so a PID that happens to be last is not found.
    while (lpSP->NextEntryDelta != NULL)
    {
        if (dwPid == lpSP->ProcessId)
        {
            // Shallow copy: any pointer fields (e.g. ProcessName.Buffer) still reference lpbaSP, freed below.
            SystemProcess = *lpSP;
            status = TRUE;
            break;
        }
        // 32-bit ULONG arithmetic truncates the pointer on 64-bit builds.
        lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
    }
    NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
    return status;
}

/// One-argument overload of the native NtOpenProcess (resolved by arity against the 4-argument
/// prototype from Ntdll.h). Opens dwPid with PROCESS_ALL_ACCESS.
/// @return The handle, or NULL. The NTSTATUS of the native call is discarded.
HANDLE NtOpenProcess(DWORD dwPid)
{
    HANDLE hProcess = NULL;
    OBJECT_ATTRIBUTES oa = {};
    oa.Length = sizeof(oa);
    CLIENT_ID cid = {};
    // NOTE(review): the modulus and addend literals were lost in extraction; the intent of this
    // PID adjustment cannot be recovered from the page — restore from the original source.
    cid.UniqueProcess = (HANDLE)(dwPid % ? dwPid : dwPid + );
    // PROCESS_ALL_ACCESS is requested unconditionally; the returned status is not checked.
    NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &oa, &cid);
    return hProcess;
}

/// Obtains a PROCESS_ALL_ACCESS handle to dwPid indirectly: walks SystemHandleInformation, and for every
/// process/job-typed handle held by any process, opens that owner, duplicates the handle into the current
/// process and checks whether it refers to dwPid.
/// @return The duplicated handle (caller closes it), or NULL if no matching handle exists.
/// From a monitoring standpoint this is visible as one process opening many unrelated processes with
/// PROCESS_ALL_ACCESS and calling NtDuplicateObject on their handles; handle-duplication telemetry is the
/// relevant detection control.
HANDLE DoOpenProcess(DWORD dwPid)
{
    PCHAR lpBuf = NULL;
    DWORD dwPreSize = 0x1000, dwSize = NULL;
    // First query with a 0x1000-byte scratch buffer only to learn the required size (dwSize).
    if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
                                            (PVOID *)&lpBuf,
                                            NULL, &dwPreSize,
                                            MEM_COMMIT, PAGE_READWRITE)) ||
        lpBuf == NULL)
        return NULL;
    NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwPreSize, &dwSize);
    NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwPreSize, MEM_RELEASE);
    lpBuf = NULL;
    if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
                                            (PVOID *)&lpBuf,
                                            NULL, &dwSize,
                                            MEM_COMMIT,
                                            PAGE_READWRITE)) ||
        lpBuf == NULL)
        return NULL;
    // NOTE(review): the status of this second query is ignored. The system handle table changes between the
    // two calls, so the buffer can be too small; the count and entries read below are then unreliable.
    NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwSize, NULL);
    DWORD dwNumberOfHandle = *(DWORD *)lpBuf;
    // Assumes the entry array starts immediately after the 32-bit count with no padding — on 64-bit builds
    // the entries are pointer-aligned, so this offset should be confirmed against the Ntdll.h layout.
    PSYSTEM_HANDLE_INFORMATION lpSHI = (PSYSTEM_HANDLE_INFORMATION)((PCHAR)lpBuf + sizeof(dwNumberOfHandle));
    HANDLE hTgtProc = NULL;
    for (DWORD i = ; i < dwNumberOfHandle; i++, lpSHI++)   // NOTE(review): loop-start literal lost in extraction
    {
        // OB_TYPE_PROCESS / OB_TYPE_JOB come from Ntdll.h; object type indices differ across Windows versions.
        if (lpSHI->ObjectTypeNumber != OB_TYPE_PROCESS && lpSHI->ObjectTypeNumber != OB_TYPE_JOB)
            continue;
        HANDLE hSrcProc = NtOpenProcess(lpSHI->ProcessId);
        if (hSrcProc == NULL)
            continue;
        HANDLE hTmpProc = NULL;
        // Status discarded; on failure hTmpProc stays NULL and the `hTmpProc != NULL` test below skips it.
        NtDuplicateObject(hSrcProc,
                          (HANDLE)lpSHI->Handle,
                          NtCurrentProcess(),
                          &hTmpProc,
                          PROCESS_ALL_ACCESS,
                          NULL,
                          NULL);
        PROCESS_BASIC_INFORMATION pbi = {};
        NtQueryInformationProcess(hTmpProc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL);
        if (hTmpProc != NULL && pbi.UniqueProcessId != NULL && pbi.UniqueProcessId == dwPid)
        /*{
        hTgtProc = hTmpProc;
        printf("%d %d 0x%llX\n", lpSHI->ProcessId, pbi.UniqueProcessId, (DWORD64)lpSHI->Object);
        }*/
            hTgtProc = hTmpProc;
        NtClose(hSrcProc);
        // On a match hTmpProc is returned to the caller, so it is intentionally not closed here.
        if (hTgtProc != NULL)
            break;
        if (hTmpProc != NULL)
            NtClose(hTmpProc);
    }
    NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwSize, MEM_RELEASE);
    return hTgtProc;
}

/// Opens dwPid by NtOpenProcess first and DoOpenProcess second, accepting a handle only when
/// GetProcessId confirms it refers to dwPid.
/// @return A PROCESS_ALL_ACCESS handle or NULL. A handle that fails the PID check is not closed (leak).
HANDLE PowerOpenProcess(DWORD dwPid)
{
    HANDLE hProcess = NtOpenProcess(dwPid);
    if (hProcess != NULL && GetProcessId(hProcess) == dwPid)
        return hProcess;
    // NOTE(review): a non-NULL hProcess that failed the PID check above is overwritten without NtClose.
    hProcess = DoOpenProcess(dwPid);
    if (hProcess != NULL && GetProcessId(hProcess) == dwPid)
        return hProcess;
    // Same leak here: a non-matching handle from DoOpenProcess is dropped unclosed.
    return NULL;
}

/// TRUE when hProcess no longer reports STILL_ACTIVE.
/// NOTE(review): the GetExitCodeProcess return value is ignored; if the call fails dwExitCode stays 0 and
/// the function reports "exited" for a process that may still be running (false positive).
BOOL IsProcessExit(HANDLE hProcess)
{
    DWORD dwExitCode = NULL;
    // Return value unchecked — an invalid or insufficient-access handle leaves dwExitCode == 0.
    GetExitCodeProcess(hProcess, &dwExitCode);
    return dwExitCode != STILL_ACTIVE;
}

/// One-argument overload of the native NtTerminateProcess (exit status 0).
/// @return TRUE only if the native call succeeded and IsProcessExit then reports the process as exited.
BOOL NtTerminateProcess(HANDLE hProcess)
{
    return NT_SUCCESS(NtTerminateProcess(hProcess, NULL)) && IsProcessExit(hProcess);
}

/// Terminates hProcess by placing it into a newly created job object and terminating the job.
/// @return TRUE if the assignment succeeded and IsProcessExit reports the process as exited.
BOOL JoTerminateProcess(HANDLE hProcess)
{
    HANDLE hJob = NULL;
    OBJECT_ATTRIBUTES oa = {};
    oa.Length = sizeof(oa);
    if (!NT_SUCCESS(NtCreateJobObject(&hJob, JOB_OBJECT_ALL_ACCESS, &oa)))
        return FALSE;
    BOOL status = NT_SUCCESS(NtAssignProcessToJobObject(hJob, hProcess));
    // NOTE(review): this branch only runs when status is already TRUE, and `|=` cannot clear it, so the
    // result of NtTerminateJobObject is effectively discarded.
    if (status)
        status |= NT_SUCCESS(NtTerminateJobObject(hJob, NULL));
    NtClose(hJob);
    return status && IsProcessExit(hProcess);
}

/// NOTE(review): empty body — a non-void function that falls off the end without returning is undefined
/// behaviour in C++, and PowerTerminateProcess does not call it, so this is dead and unsafe as written.
BOOL CrtTerminateProcess(HANDLE hProcess)
{
    // return FALSE;
}

/// Attempts to kill hProcess by corrupting its user-space memory: for each page in a fixed address range it
/// unmaps any section view, makes the page writable and overwrites it with zeros, then checks IsProcessExit.
/// @return TRUE if at least one native call succeeded and the process subsequently reports exited.
/// Defender note: cross-process NtUnmapViewOfSection / NtProtectVirtualMemory / NtWriteVirtualMemory bursts
/// like this are exactly the memory-tampering pattern endpoint telemetry flags; the effect on the target is
/// indiscriminate corruption, not a clean shutdown.
BOOL WvmTerminateProcess(HANDLE hProcess)
{
    BOOL status = FALSE;
    PVOID lpBuf = NULL;
    DWORD dwSize = 0x1000, dwRet = NULL;
    // A single zeroed local page used as the write source; the allocation status is unchecked, so on failure
    // NtWriteVirtualMemory below is handed a NULL source.
    NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, NULL, &dwSize, MEM_COMMIT, PAGE_READWRITE);
    // Fixed 0x70000000-0x7FFEFFFF range — looks like a 32-bit user-space assumption; confirm against the intended targets.
    for (INT64 i = 0x70000000; i < 0x7FFEFFFF; i += dwSize)
    {
        status |= NT_SUCCESS(NtUnmapViewOfSection(hProcess, (PVOID)i));
        // NOTE(review): NtProtectVirtualMemory normally takes a pointer to the base-address variable;
        // `(PVOID *)i` passes the raw address itself, so the kernel would read the base from address i in
        // *this* process. Also dwSize is an in/out parameter here and may be rounded by the call.
        status |= NT_SUCCESS(NtProtectVirtualMemory(hProcess, (PVOID *)i, &dwSize, PAGE_READWRITE, &dwRet));
        status |= NT_SUCCESS(NtWriteVirtualMemory(hProcess, (PVOID)i, lpBuf, dwSize, (PULONG)&dwRet));
    }
    // NOTE(review): lpBuf was allocated in NtCurrentProcess() but is released through hProcess, the
    // *target* handle — the local page leaks and, if that address is mapped in the target, a region
    // there may be released instead.
    NtFreeVirtualMemory(hProcess, (PVOID *)&lpBuf, &dwSize, MEM_RELEASE);
    if (status)
        Sleep();   // NOTE(review): delay literal lost in extraction — restore from the original source
    return status && IsProcessExit(hProcess);
}

/// Termination fallback chain: native terminate, then job-object terminate, then memory overwrite.
/// @return TRUE as soon as one strategy reports success; FALSE if all three fail.
BOOL PowerTerminateProcess(HANDLE hProcess)
{
    if (NtTerminateProcess(hProcess))
        return TRUE;
    if (JoTerminateProcess(hProcess))
        return TRUE;
    if (WvmTerminateProcess(hProcess))
        return TRUE;
    return FALSE;
}

/// Writes the image path of hProcess into lpFilePath as a drive-letter path.
/// @param hProcess    Handle with enough access for GetProcessImageFileNameA.
/// @param lpFilePath  Caller buffer, written unbounded via strcpy/strcat; must hold MAX_PATH characters.
/// @return FALSE on NULL arguments, on GetProcessImageFileNameA failure, or if no drive mapping matched.
BOOL GetProcessFilePath(HANDLE hProcess, LPSTR lpFilePath)
{
    if (hProcess == NULL || lpFilePath == NULL)
        return FALSE;
    strcpy(lpFilePath, "");
    CHAR szDosPath[MAX_PATH] = "";
    // GetProcessImageFileNameA yields a device-form path ("\Device\..."), despite the variable name.
    if (!GetProcessImageFileNameA(hProcess, szDosPath, MAX_PATH))
        return FALSE;
    return DosPathToNtPath(szDosPath, lpFilePath);
}

/// Converts a device path into a drive-letter path by matching it against QueryDosDeviceA of each
/// logical drive (the function name has the direction inverted).
/// @param lpDosPath  Input path in "\Device\..." form.
/// @param lpNtPath   Output buffer, written unbounded with strcpy/strcat.
/// @return TRUE if a drive's device name is a prefix of lpDosPath.
/// NOTE(review): the prefix test is a plain strncmp with no separator check, so a shorter device name
/// can match a longer one that merely starts with it (e.g. "...Volume1" vs "...Volume10" — constructed example).
BOOL DosPathToNtPath(LPCSTR lpDosPath, LPSTR lpNtPath)
{
    CHAR szDriveList[MAX_PATH] = "";
    // Double-NUL-terminated list of "X:\" strings.
    if (!GetLogicalDriveStringsA(MAX_PATH, szDriveList))
        return FALSE;
    for (int i = ; szDriveList[i]; i += )   // NOTE(review): start and stride literals lost in extraction
    {
        // Floppy drive letters are skipped (QueryDosDevice on them can be slow or fail).
        if (stricmp(&szDriveList[i], "A:\\") == || stricmp(&szDriveList[i], "B:\\") == )   // NOTE(review): comparison literals lost in extraction
            continue;
        CHAR szNtDrive[MAX_PATH] = "", szDosDrive[MAX_PATH] = "";
        strcpy(szNtDrive, &szDriveList[i]);
        szNtDrive[] = '\0';   // NOTE(review): index literal lost in extraction — drops the trailing backslash
        // szDosDrive receives the device name for the drive letter; prefix-match it against the input.
        if (!QueryDosDeviceA(szNtDrive, szDosDrive, MAX_PATH) ||
            strncmp(szDosDrive, lpDosPath, strlen(szDosDrive)) != )   // NOTE(review): literal lost in extraction
            continue;
        strcpy(lpNtPath, szNtDrive);
        strcat(lpNtPath, &lpDosPath[strlen(szDosDrive)]);
        return TRUE;
    }
    return FALSE;
}

/// Finds the kernel object address recorded for dwPid in the system handle table, using the same
/// open-owner / duplicate / query walk as DoOpenProcess.
/// @return The Object field of the matching entry truncated to a DWORD, or 0 if not found. On 64-bit
///         systems the truncation discards the upper half of the address.
DWORD GetEProcess(DWORD dwPid)
{
    PCHAR lpBuf = NULL;
    DWORD dwPreSize = 0x1000, dwSize = NULL;
    // Size probe with a 0x1000-byte scratch buffer; see DoOpenProcess for the same pattern.
    if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
                                            (PVOID *)&lpBuf,
                                            NULL, &dwPreSize,
                                            MEM_COMMIT, PAGE_READWRITE)) ||
        lpBuf == NULL)
        return NULL;
    NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwPreSize, &dwSize);
    NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwPreSize, MEM_RELEASE);
    lpBuf = NULL;
    if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
                                            (PVOID *)&lpBuf,
                                            NULL, &dwSize,
                                            MEM_COMMIT,
                                            PAGE_READWRITE)) ||
        lpBuf == NULL)
        return NULL;
    // NOTE(review): status ignored; if the handle table grew since the probe the buffer contents are unreliable.
    NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwSize, NULL);
    DWORD dwNumberOfHandle = *(DWORD *)lpBuf;
    // Assumes no padding between the count and the entry array — confirm for 64-bit builds.
    PSYSTEM_HANDLE_INFORMATION lpSHI = (PSYSTEM_HANDLE_INFORMATION)((PCHAR)lpBuf + sizeof(dwNumberOfHandle));
    DWORD dwEProcess = NULL;
    for (DWORD i = ; i < dwNumberOfHandle; i++, lpSHI++)   // NOTE(review): loop-start literal lost in extraction
    {
        if (lpSHI->ObjectTypeNumber != OB_TYPE_PROCESS && lpSHI->ObjectTypeNumber != OB_TYPE_JOB)
            continue;
        HANDLE hSrcProc = NtOpenProcess(lpSHI->ProcessId);
        if (hSrcProc == NULL)
            continue;
        HANDLE hTmpProc = NULL;
        NtDuplicateObject(hSrcProc,
                          (HANDLE)lpSHI->Handle,
                          NtCurrentProcess(),
                          &hTmpProc,
                          PROCESS_ALL_ACCESS,
                          NULL,
                          NULL);
        PROCESS_BASIC_INFORMATION pbi = {};
        NtQueryInformationProcess(hTmpProc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL);
        if (hTmpProc != NULL && pbi.UniqueProcessId != NULL && pbi.UniqueProcessId == dwPid)
            dwEProcess = (DWORD)lpSHI->Object;   // pointer truncated to 32 bits
        NtClose(hSrcProc);
        // NOTE(review): on a match this breaks before the NtClose(hTmpProc) below, leaking the duplicated
        // PROCESS_ALL_ACCESS handle (unlike DoOpenProcess, nothing returns it to the caller).
        if (dwEProcess != NULL)
            break;
        if (hTmpProc != NULL)
            NtClose(hTmpProc);
    }
    NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwSize, MEM_RELEASE);
    return dwEProcess;
}

/// Parent PID of dwPid from its SYSTEM_PROCESSES entry.
/// @return InheritedFromProcessId, or 0 when GetSystemProcess fails (its result is not checked, and the
///         struct is zero-initialised, so failure and "parent is PID 0" look the same).
DWORD GetParentProcessId(DWORD dwPid)
{
    SYSTEM_PROCESSES sp = {};
    // Return value deliberately ignored: a missing PID yields the zeroed struct, i.e. parent 0.
    GetSystemProcess(dwPid, sp);
    return sp.InheritedFromProcessId;
}

/// Writes the narrow image name of dwPid into lpProcessName.
/// @param dwPid          Process id to look up.
/// @param lpProcessName  Caller buffer; cleared first, then written by wcstombs with a MAX_PATH limit,
///                       so it must hold at least MAX_PATH characters.
/// @return TRUE if the entry was found. wcstombs depends on the current C locale for the conversion.
BOOL GetProcessName(DWORD dwPid, LPSTR lpProcessName)
{
    strcpy(lpProcessName, "");
    DWORD dwSize = NULL;
    PSYSTEM_PROCESSES lpbaSP = NULL;
    // NOTE(review): same precedence issue as NtEnumProcess — the `||` is inside NT_SUCCESS(...).
    if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
        return FALSE;
    if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
                                            (PVOID *)&lpbaSP,
                                            NULL,
                                            &dwSize,
                                            MEM_COMMIT,
                                            PAGE_READWRITE)) ||
        lpbaSP == NULL)
        return FALSE;
    if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
    {
        NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
        return FALSE;
    }
    BOOL status = FALSE;
    PSYSTEM_PROCESSES lpSP = lpbaSP;
    // The final entry (NextEntryDelta == 0) is never examined.
    while (lpSP->NextEntryDelta != NULL)
    {
        if (dwPid == lpSP->ProcessId)
        {
            // Conversion happens while the query buffer is still alive, which is why this function does
            // not reuse GetSystemProcess (whose copied Buffer pointer would dangle). NOTE(review):
            // ProcessName looks like a counted UNICODE_STRING; wcstombs assumes NUL termination — confirm.
            wcstombs(lpProcessName, lpSP->ProcessName.Buffer, MAX_PATH);
            status = TRUE;
            break;
        }
        // 32-bit ULONG arithmetic truncates the pointer on 64-bit builds.
        lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
    }
    NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
    return status;
}

/// Creation time of dwPid from its SYSTEM_PROCESSES entry.
/// @return CreateTime, or a zero LARGE_INTEGER when GetSystemProcess fails (result not checked).
LARGE_INTEGER GetProcessCreateTime(DWORD dwPid)
{
    SYSTEM_PROCESSES sp = {};
    // Return value ignored: a missing PID yields the zeroed struct, i.e. CreateTime == 0.
    GetSystemProcess(dwPid, sp);
    return sp.CreateTime;
}
ProcessFun.cpp