ProcessFun
#pragma once #ifndef __PROCESSFUN_H__
#define __PROCESSFUN_H__ #include <iostream>
#include <string>
#include <algorithm>
#include <windows.h>
#include <psapi.h>
using namespace std;
#include "Ntdll.h" #pragma comment(lib, "psapi.lib") #pragma warning(disable: 4996) BOOL EnablePrivilege(ULONG Privilege = SE_DEBUG_PRIVILEGE, BOOL Enable = TRUE); DWORD NtEnumProcess(LPDWORD lpProcess); BOOL GetSystemProcess(DWORD dwPid, SYSTEM_PROCESSES &SystemProcess); HANDLE NtOpenProcess(DWORD dwPid); HANDLE DoOpenProcess(DWORD dwPid); HANDLE PowerOpenProcess(DWORD dwPid); BOOL IsProcessExit(HANDLE hProcess); BOOL NtTerminateProcess(HANDLE hProcess); BOOL JoTerminateProcess(HANDLE hProcess); BOOL CrtTerminateProcess(HANDLE hProcess); BOOL WvmTerminateProcess(HANDLE hProcess); BOOL PowerTerminateProcess(HANDLE hProcess); BOOL GetProcessFilePath(HANDLE hProcess, LPSTR lpFilePath); BOOL DosPathToNtPath(LPCSTR lpDosPath, LPSTR lpNtPath); DWORD GetEProcess(DWORD dwPid); DWORD GetParentProcessId(DWORD dwPid); BOOL GetProcessName(DWORD dwPid, LPSTR lpProcessName); LARGE_INTEGER GetProcessCreateTime(DWORD dwPid); #endif // __PROCESSFUN_H__
ProcessFun.h
#include "ProcessFun.h" BOOL EnablePrivilege(ULONG Privilege, BOOL Enable)
{
HANDLE hToken = NULL;
if (!NT_SUCCESS(NtOpenProcessToken(NtCurrentProcess(), TOKEN_ALL_ACCESS, &hToken)) || hToken == NULL)
return FALSE; TOKEN_PRIVILEGES tp = {};
tp.PrivilegeCount = ;
tp.Privileges[].Luid.LowPart = Privilege;
tp.Privileges[].Attributes = Enable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED;
return NT_SUCCESS(NtAdjustPrivilegesToken(hToken, FALSE, &tp, sizeof(tp), NULL, NULL));
} DWORD NtEnumProcess(LPDWORD lpProcess)
{
DWORD dwSize = NULL;
PSYSTEM_PROCESSES lpbaSP = NULL; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
return NULL; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpbaSP,
NULL,
&dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpbaSP == NULL)
return NULL; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
{
NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
return NULL;
} DWORD dwLenth = ;
PSYSTEM_PROCESSES lpSP = lpbaSP;
while (lpSP->NextEntryDelta != NULL)
{
lpProcess[dwLenth++] = lpSP->ProcessId; lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE); sort(lpProcess, lpProcess + dwLenth); return dwLenth;
} BOOL GetSystemProcess(DWORD dwPid, SYSTEM_PROCESSES &SystemProcess)
{
SystemProcess = {}; DWORD dwSize = NULL;
PSYSTEM_PROCESSES lpbaSP = NULL; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
return FALSE; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpbaSP,
NULL,
&dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpbaSP == NULL)
return FALSE; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
{
NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
return FALSE;
} BOOL status = FALSE;
PSYSTEM_PROCESSES lpSP = lpbaSP;
while (lpSP->NextEntryDelta != NULL)
{
if (dwPid == lpSP->ProcessId)
{
SystemProcess = *lpSP;
status = TRUE;
break;
} lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE); return status;
} HANDLE NtOpenProcess(DWORD dwPid)
{
HANDLE hProcess = NULL;
OBJECT_ATTRIBUTES oa = {};
oa.Length = sizeof(oa);
CLIENT_ID cid = {};
cid.UniqueProcess = (HANDLE)(dwPid % ? dwPid : dwPid + ); NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &oa, &cid);
return hProcess;
} HANDLE DoOpenProcess(DWORD dwPid)
{
PCHAR lpBuf = NULL;
DWORD dwPreSize = 0x1000, dwSize = NULL;
if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpBuf,
NULL, &dwPreSize,
MEM_COMMIT, PAGE_READWRITE)) ||
lpBuf == NULL)
return NULL; NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwPreSize, &dwSize); NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwPreSize, MEM_RELEASE);
lpBuf = NULL; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpBuf,
NULL, &dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpBuf == NULL)
return NULL; NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwSize, NULL); DWORD dwNumberOfHandle = *(DWORD *)lpBuf;
PSYSTEM_HANDLE_INFORMATION lpSHI = (PSYSTEM_HANDLE_INFORMATION)((PCHAR)lpBuf + sizeof(dwNumberOfHandle)); HANDLE hTgtProc = NULL;
for (DWORD i = ; i < dwNumberOfHandle; i++, lpSHI++)
{
if (lpSHI->ObjectTypeNumber != OB_TYPE_PROCESS && lpSHI->ObjectTypeNumber != OB_TYPE_JOB)
continue; HANDLE hSrcProc = NtOpenProcess(lpSHI->ProcessId);
if (hSrcProc == NULL)
continue; HANDLE hTmpProc = NULL;
NtDuplicateObject(hSrcProc,
(HANDLE)lpSHI->Handle,
NtCurrentProcess(),
&hTmpProc,
PROCESS_ALL_ACCESS,
NULL,
NULL); PROCESS_BASIC_INFORMATION pbi = {};
NtQueryInformationProcess(hTmpProc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL); if (hTmpProc != NULL && pbi.UniqueProcessId != NULL && pbi.UniqueProcessId == dwPid)
/*{
hTgtProc = hTmpProc;
printf("%d %d 0x%llX\n", lpSHI->ProcessId, pbi.UniqueProcessId, (DWORD64)lpSHI->Object);
}*/
hTgtProc = hTmpProc; NtClose(hSrcProc); if (hTgtProc != NULL)
break; if (hTmpProc != NULL)
NtClose(hTmpProc);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwSize, MEM_RELEASE); return hTgtProc;
} HANDLE PowerOpenProcess(DWORD dwPid)
{
HANDLE hProcess = NtOpenProcess(dwPid); if (hProcess != NULL && GetProcessId(hProcess) == dwPid)
return hProcess; hProcess = DoOpenProcess(dwPid);
if (hProcess != NULL && GetProcessId(hProcess) == dwPid)
return hProcess; return NULL;
} BOOL IsProcessExit(HANDLE hProcess)
{
DWORD dwExitCode = NULL;
GetExitCodeProcess(hProcess, &dwExitCode); return dwExitCode != STILL_ACTIVE;
} BOOL NtTerminateProcess(HANDLE hProcess)
{
return NT_SUCCESS(NtTerminateProcess(hProcess, NULL)) && IsProcessExit(hProcess);
} BOOL JoTerminateProcess(HANDLE hProcess)
{
HANDLE hJob = NULL;
OBJECT_ATTRIBUTES oa = {};
oa.Length = sizeof(oa);
if (!NT_SUCCESS(NtCreateJobObject(&hJob, JOB_OBJECT_ALL_ACCESS, &oa)))
return FALSE; BOOL status = NT_SUCCESS(NtAssignProcessToJobObject(hJob, hProcess)); if (status)
status |= NT_SUCCESS(NtTerminateJobObject(hJob, NULL)); NtClose(hJob); return status && IsProcessExit(hProcess);
} BOOL CrtTerminateProcess(HANDLE hProcess)
{
// return FALSE;
} BOOL WvmTerminateProcess(HANDLE hProcess)
{
BOOL status = FALSE; PVOID lpBuf = NULL;
DWORD dwSize = 0x1000, dwRet = NULL;
NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, NULL, &dwSize, MEM_COMMIT, PAGE_READWRITE); for (INT64 i = 0x70000000; i < 0x7FFEFFFF; i += dwSize)
{
status |= NT_SUCCESS(NtUnmapViewOfSection(hProcess, (PVOID)i));
status |= NT_SUCCESS(NtProtectVirtualMemory(hProcess, (PVOID *)i, &dwSize, PAGE_READWRITE, &dwRet));
status |= NT_SUCCESS(NtWriteVirtualMemory(hProcess, (PVOID)i, lpBuf, dwSize, (PULONG)&dwRet));
} NtFreeVirtualMemory(hProcess, (PVOID *)&lpBuf, &dwSize, MEM_RELEASE); if (status)
Sleep(); return status && IsProcessExit(hProcess);
} BOOL PowerTerminateProcess(HANDLE hProcess)
{
if (NtTerminateProcess(hProcess))
return TRUE; if (JoTerminateProcess(hProcess))
return TRUE; if (WvmTerminateProcess(hProcess))
return TRUE; return FALSE;
} BOOL GetProcessFilePath(HANDLE hProcess, LPSTR lpFilePath)
{
if (hProcess == NULL || lpFilePath == NULL)
return FALSE; strcpy(lpFilePath, ""); CHAR szDosPath[MAX_PATH] = "";
if (!GetProcessImageFileNameA(hProcess, szDosPath, MAX_PATH))
return FALSE; return DosPathToNtPath(szDosPath, lpFilePath);
} BOOL DosPathToNtPath(LPCSTR lpDosPath, LPSTR lpNtPath)
{
CHAR szDriveList[MAX_PATH] = "";
if (!GetLogicalDriveStringsA(MAX_PATH, szDriveList))
return FALSE; for (int i = ; szDriveList[i]; i += )
{
if (stricmp(&szDriveList[i], "A:\\") == || stricmp(&szDriveList[i], "B:\\") == )
continue; CHAR szNtDrive[MAX_PATH] = "", szDosDrive[MAX_PATH] = "";
strcpy(szNtDrive, &szDriveList[i]);
szNtDrive[] = '\0'; if (!QueryDosDeviceA(szNtDrive, szDosDrive, MAX_PATH) ||
strncmp(szDosDrive, lpDosPath, strlen(szDosDrive)) != )
continue; strcpy(lpNtPath, szNtDrive);
strcat(lpNtPath, &lpDosPath[strlen(szDosDrive)]); return TRUE;
} return FALSE;
} DWORD GetEProcess(DWORD dwPid)
{
PCHAR lpBuf = NULL;
DWORD dwPreSize = 0x1000, dwSize = NULL;
if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpBuf,
NULL, &dwPreSize,
MEM_COMMIT, PAGE_READWRITE)) ||
lpBuf == NULL)
return NULL; NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwPreSize, &dwSize); NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwPreSize, MEM_RELEASE);
lpBuf = NULL; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpBuf,
NULL, &dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpBuf == NULL)
return NULL; NtQuerySystemInformation(SystemHandleInformation, (PVOID)lpBuf, dwSize, NULL); DWORD dwNumberOfHandle = *(DWORD *)lpBuf;
PSYSTEM_HANDLE_INFORMATION lpSHI = (PSYSTEM_HANDLE_INFORMATION)((PCHAR)lpBuf + sizeof(dwNumberOfHandle)); DWORD dwEProcess = NULL;
for (DWORD i = ; i < dwNumberOfHandle; i++, lpSHI++)
{
if (lpSHI->ObjectTypeNumber != OB_TYPE_PROCESS && lpSHI->ObjectTypeNumber != OB_TYPE_JOB)
continue; HANDLE hSrcProc = NtOpenProcess(lpSHI->ProcessId);
if (hSrcProc == NULL)
continue; HANDLE hTmpProc = NULL;
NtDuplicateObject(hSrcProc,
(HANDLE)lpSHI->Handle,
NtCurrentProcess(),
&hTmpProc,
PROCESS_ALL_ACCESS,
NULL,
NULL); PROCESS_BASIC_INFORMATION pbi = {};
NtQueryInformationProcess(hTmpProc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL); if (hTmpProc != NULL && pbi.UniqueProcessId != NULL && pbi.UniqueProcessId == dwPid)
dwEProcess = (DWORD)lpSHI->Object; NtClose(hSrcProc); if (dwEProcess != NULL)
break; if (hTmpProc != NULL)
NtClose(hTmpProc);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpBuf, &dwSize, MEM_RELEASE); return dwEProcess;
} DWORD GetParentProcessId(DWORD dwPid)
{
SYSTEM_PROCESSES sp = {};
GetSystemProcess(dwPid, sp); return sp.InheritedFromProcessId;
} BOOL GetProcessName(DWORD dwPid, LPSTR lpProcessName)
{
strcpy(lpProcessName, ""); DWORD dwSize = NULL;
PSYSTEM_PROCESSES lpbaSP = NULL; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, NULL, NULL, &dwSize) || dwSize == NULL))
return FALSE; if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
(PVOID *)&lpbaSP,
NULL,
&dwSize,
MEM_COMMIT,
PAGE_READWRITE)) ||
lpbaSP == NULL)
return FALSE; if (!NT_SUCCESS(NtQuerySystemInformation(SystemProcessInformation, (PVOID)lpbaSP, dwSize, NULL)))
{
NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE);
return FALSE;
} BOOL status = FALSE;
PSYSTEM_PROCESSES lpSP = lpbaSP;
while (lpSP->NextEntryDelta != NULL)
{
if (dwPid == lpSP->ProcessId)
{
wcstombs(lpProcessName, lpSP->ProcessName.Buffer, MAX_PATH);
status = TRUE;
break;
} lpSP = (PSYSTEM_PROCESSES)((ULONG)lpSP + lpSP->NextEntryDelta);
} NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&lpbaSP, &dwSize, MEM_RELEASE); return status;
} LARGE_INTEGER GetProcessCreateTime(DWORD dwPid)
{
SYSTEM_PROCESSES sp = {};
GetSystemProcess(dwPid, sp); return sp.CreateTime;
}
ProcessFun.cpp
ProcessFun的更多相关文章
- 网络编程并发 多进程 进程池,互斥锁,信号量,IO模型
进程:程序正在执行的过程,就是一个正在执行的任务,而负责执行任务的就是cpu 操作系统:操作系统就是一个协调.管理和控制计算机硬件资源和软件资源的控制程序. 操作系统的作用: 1:隐藏丑陋复杂的硬件接 ...
- multimap的使用 in C++,同一个关键码存在多个值
#include <iostream> #include <string> #include <vector> #include <algorithm> ...
- 入门大数据---Flink学习总括
第一节 初识 Flink 在数据激增的时代,催生出了一批计算框架.最早期比较流行的有MapReduce,然后有Spark,直到现在越来越多的公司采用Flink处理.Flink相对前两个框架真正做到了高 ...
随机推荐
- <自动化测试>之<Selenium API 的用法1>
今天,简单,举例说一下在用python+selenium中元素定位的主要方法,第一部分是单个元素的操作,第二部分是一类元素的操作,实际操作中注意区分 #!/usr/bin/env python # - ...
- python 标准模块和第三方模块
>>> help('modules') Please wait a moment while I gather a list of all available modules... ...
- Mac启动时:boot task failed:fsck-safe处理办法
mac系统启动到一半,然后突然关机,查看启动信息发现:boot task failed:fsck-safe 处理方法,clover启动的时候按空格,然后选择sigle mode. 进入使用命令:fsc ...
- maven项目报错:Class path contains multiple SLF4J bindings
maven项目编译不报错,运行时报错如下: SLF4J: Class path contains multiple SLF4J bindings. SLF4J: Found binding in [b ...
- PHP缓存技术相关
全页面静态化缓存也就是将页面全部生成html静态页面,用户访问时直接访问的静态页面,而不会去走php服务器解析的流程.此种方式,在CMS系统中比较常见,比如dedecms:一种比较常用的实现方式是用输 ...
- 2.Prometheus安装部署
环境准备 2台Linux操作系统(基于centos7) docker环境 配置 IP 角色 版本 192.168.229.139 prometheus-server 2.10 192.168.229. ...
- C# 网络编程 TcpListener
1.服务断代码 public partial class Server : Form { private bool lk = true; public Server() { InitializeCom ...
- Emacs25.1之后UrlHttpError
Emacs25.1之后UrlHttpError */--> pre.src {background-color: #002b36; color: #839496;} pre.src {backg ...
- Linux 版本查詢
# uname -a 查看 Kernel版本 # cat /etc/redhat-release查看 linux版本(以RedHat為例) 1.核心查詢:uname -a結果:Linux 2.x.x ...
- GCD 与XOR
题目:UVA12716 题意: 问 gcd(i,j) = i ^ j 的对数(j <=i <= N ) N的范围为30000000,有10000组样例 分析: 有几个结论:(1)若 a ...