Windows简略系统编程 有重赏

Windows简单系统编程 有重赏
a. 遍历进程SYSTEM.EXE的所有线程(Thread),并把每个线程的ID写入到文件c:\threads.txt中。
  b. 遍历进程SYSTEM.EXE加载的所有模块(Module),并把每个模块的路径以及加载基地址(base address)写入到文件c:\modules.txt中。
  
  输出:
  线程1 Tid:1234
  线程2 Tid:5678
  .........

  模块1 Base Address:0x12345678 Path:C:\WINDOWS\SYSTEM32\qq.dll
  模块1 Base Address:0x87654321 Path:C:\WINDOWS\SYSTEM32\360.dl
  .........

  ****提示****
  http://msdn.microsoft.com/en-us/library/ms682489(v=vs.85).aspx

------解决方案--------------------
查找加载DLL的代码
#include "afx.h"
#include <TLHELP32.H>
#include <map>
#include <string>
using namespace std;


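void DisplayModule(DWORD dwProcessId)
{
    // Purpose: enumerate the modules loaded in process dwProcessId and print
    // "<module name> <full path>" for each one, lower-cased, one per line.
    // Returns silently when the module snapshot cannot be taken.
    HANDLE hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
    // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not
    // NULL; the former NULL test let a failed snapshot reach Module32FirstW.
    if (hthSnapshot == INVALID_HANDLE_VALUE)
        return;

    MODULEENTRY32W me = {sizeof(me)};
    for (BOOL fMoreMods = Module32FirstW(hthSnapshot, &me);
         fMoreMods;
         fMoreMods = Module32NextW(hthSnapshot, &me))
    {
        // A MAX_PATH-character wide path can need up to two bytes per character
        // in CP_ACP, so the narrow buffers are sized MAX_PATH * 2; the previous
        // 256-byte buffers made WideCharToMultiByte fail on long paths and the
        // path was then printed as an empty string.
        char szModule[MAX_PATH * 2] = {0};
        char szExePath[MAX_PATH * 2] = {0};
        // dwFlags is 0 (no conversion options) and lpUsedDefaultChar is a
        // pointer argument, hence NULL rather than FALSE.
        WideCharToMultiByte(CP_ACP, 0, me.szModule, -1, szModule, sizeof(szModule), NULL, NULL);
        WideCharToMultiByte(CP_ACP, 0, me.szExePath, -1, szExePath, sizeof(szExePath), NULL, NULL);
        strlwr(szModule);
        strlwr(szExePath);

        printf("%s %s\r\n", szModule, szExePath);
    }
    CloseHandle(hthSnapshot);
}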

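DWORD FindProcess(char *szProcessName)
{
    // Purpose: enable SeDebugPrivilege for the current process, then walk the
    // process list and call DisplayModule() for every process whose image name
    // contains szProcessName (case-insensitive substring match, so "system"
    // also matches any other image name that contains that text).
    // szProcessName is lower-cased IN PLACE, so it must be a writable buffer.
    // Returns 1 once the process list has been walked, 0 when a setup step
    // (token access, privilege lookup/enable, snapshot) failed.
    strlwr(szProcessName);

    // Request only the rights this function uses; TOKEN_ALL_ACCESS was far
    // more than needed to adjust one privilege.
    HANDLE hToken;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return 0;
    }

    LUID Luid;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Luid))
    {
        CloseHandle(hToken);
        return 0;
    }

    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = Luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // AdjustTokenPrivileges returns TRUE even when the privilege was NOT
    // granted (the caller's token does not hold it); that case is reported
    // only through GetLastError() == ERROR_NOT_ALL_ASSIGNED.
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL)
        || GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        CloseHandle(hToken);
        return 0;
    }

    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // Previously unchecked; a failed snapshot went straight into Process32First.
    if (hSnap == INVALID_HANDLE_VALUE)
    {
        CloseHandle(hToken);
        return 0;
    }

    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(pe);
    for (BOOL bNext = Process32First(hSnap, &pe); bNext; bNext = Process32Next(hSnap, &pe))
    {
        strlwr(pe.szExeFile);
        if (strstr(pe.szExeFile, szProcessName) == NULL)
            continue;

        printf("查找:%s开始\r\n", pe.szExeFile);
        // DisplayModule() works from the PID alone; the earlier version also
        // opened the target with PROCESS_ALL_ACCESS (and an inheritable handle)
        // and never used the result.
        DisplayModule(pe.th32ProcessID);
        printf("查找:%s结束\r\n", pe.szExeFile);
    }
    CloseHandle(hSnap);
    CloseHandle(hToken);
    return 1;
}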

int main(int argc, char* argv[])
{
    // Look for processes whose image name contains "system". FindProcess()
    // lower-cases its argument in place, hence a mutable array instead of a
    // string literal. getchar() keeps the console window open afterwards.
    (void)argc;
    (void)argv;
    char processname[] = "SYSTEM";
    FindProcess(processname);
    getchar();
    return 0;
}

------解决方案--------------------
给出的提示连接里不就有代码,这都不愿看,还是找点转行吧。

#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>

// Forward declarations; the definitions follow main() below.
BOOL GetProcessList();                       // snapshot and print every process
BOOL ListProcessModules(DWORD dwPID);        // modules loaded in one process
BOOL ListProcessThreads(DWORD dwOwnerPID);   // threads owned by one process
void printError(TCHAR* msg);                 // print GetLastError() as text

int main( void )
{
  // Entry point: dump every process, with its modules and threads, to stdout.
  // The BOOL result of GetProcessList() is not reflected in the exit code.
  const BOOL listed = GetProcessList( );
  (void)listed;
  return 0;
}

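BOOL GetProcessList( )
{
  // Take a snapshot of every process, print a summary of each (name, PID,
  // thread count, parent PID, priority base and class) and then list its
  // modules and threads. Returns FALSE when the snapshot or the first entry
  // cannot be read; TRUE once the whole list has been walked.
  HANDLE hProcessSnap;
  PROCESSENTRY32 pe32;

  hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
  if( hProcessSnap == INVALID_HANDLE_VALUE )
  {
    printError( TEXT("CreateToolhelp32Snapshot (of processes)") );
    return( FALSE );
  }

  // dwSize must be set before the first Process32First call.
  pe32.dwSize = sizeof( PROCESSENTRY32 );

  if( !Process32First( hProcessSnap, &pe32 ) )
  {
    printError( TEXT("Process32First") ); // show cause of failure
    CloseHandle( hProcessSnap );          // clean the snapshot object
    return( FALSE );
  }

  do
  {
    _tprintf( TEXT("\n\n=====================================================" ));
    _tprintf( TEXT("\nPROCESS NAME:  %s"), pe32.szExeFile );
    _tprintf( TEXT("\n-------------------------------------------------------" ));

    // GetPriorityClass needs only PROCESS_QUERY_INFORMATION. The earlier
    // PROCESS_ALL_ACCESS request asked for far more than this code uses, and
    // a narrower request is granted on processes where the full one is
    // refused. A failed OpenProcess is reported and the class left at 0.
    DWORD dwPriorityClass = 0;
    HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION, FALSE, pe32.th32ProcessID );
    if( hProcess == NULL )
      printError( TEXT("OpenProcess") );
    else
    {
      dwPriorityClass = GetPriorityClass( hProcess );
      if( !dwPriorityClass )
        printError( TEXT("GetPriorityClass") );
      CloseHandle( hProcess );
    }

    _tprintf( TEXT("\n  Process ID        = 0x%08X"), pe32.th32ProcessID );
    _tprintf( TEXT("\n  Thread count      = %d"),   pe32.cntThreads );
    _tprintf( TEXT("\n  Parent process ID = 0x%08X"), pe32.th32ParentProcessID );
    _tprintf( TEXT("\n  Priority base     = %d"), pe32.pcPriClassBase );
    if( dwPriorityClass )
      _tprintf( TEXT("\n  Priority class    = %d"), dwPriorityClass );

    // Modules and threads of this process; their return values are ignored
    // because each helper already prints its own failure reason.
    ListProcessModules( pe32.th32ProcessID );
    ListProcessThreads( pe32.th32ProcessID );

  } while( Process32Next( hProcessSnap, &pe32 ) );

  CloseHandle( hProcessSnap );
  return( TRUE );
}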


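BOOL ListProcessModules( DWORD dwPID )
{
  // Take a snapshot of the modules loaded in process dwPID and print each one
  // (name, path, owning PID, global/process reference counts, base address
  // and size). Returns FALSE if the snapshot or the first entry cannot be
  // read, TRUE once every module has been printed.
  HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
  MODULEENTRY32 me32;

  // TH32CS_SNAPMODULE32 is needed in addition to TH32CS_SNAPMODULE to include
  // the 32-bit modules of the target when this code runs as a 64-bit process.
  hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, dwPID );
  if( hModuleSnap == INVALID_HANDLE_VALUE )
  {
    printError( TEXT("CreateToolhelp32Snapshot (of modules)") );
    return( FALSE );
  }

  // dwSize must be set before the first Module32First call.
  me32.dwSize = sizeof( MODULEENTRY32 );

  if( !Module32First( hModuleSnap, &me32 ) )
  {
    printError( TEXT("Module32First") );  // show cause of failure
    CloseHandle( hModuleSnap );           // clean the snapshot object
    return( FALSE );
  }

  do
  {
    _tprintf( TEXT("\n\n     MODULE NAME:     %s"),   me32.szModule );
    _tprintf( TEXT("\n     Executable     = %s"),     me32.szExePath );
    _tprintf( TEXT("\n     Process ID     = 0x%08X"),         me32.th32ProcessID );
    _tprintf( TEXT("\n     Ref count (g)  = 0x%04X"),     me32.GlblcntUsage );
    _tprintf( TEXT("\n     Ref count (p)  = 0x%04X"),     me32.ProccntUsage );
    // modBaseAddr is a pointer; printing it through a DWORD cast (as before)
    // silently truncates it in a 64-bit build, so print it with %p instead.
    _tprintf( TEXT("\n     Base address   = 0x%p"), (void*) me32.modBaseAddr );
    _tprintf( TEXT("\n     Base size      = %d"),             me32.modBaseSize );

  } while( Module32Next( hModuleSnap, &me32 ) );

  CloseHandle( hModuleSnap );
  return( TRUE );
}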

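BOOL ListProcessThreads( DWORD dwOwnerPID ) 
{ 
  // Take a snapshot of every thread in the system and print the ones owned by
  // process dwOwnerPID (thread ID, base and delta priority). Returns FALSE if
  // the snapshot or the first entry cannot be read, TRUE otherwise.
  HANDLE hThreadSnap = INVALID_HANDLE_VALUE; 
  THREADENTRY32 te32; 
 
  // The thread snapshot is always system-wide; the PID argument is ignored
  // for TH32CS_SNAPTHREAD, so filtering happens in the loop below.
  hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 ); 
  if( hThreadSnap == INVALID_HANDLE_VALUE ) 
  {
    // Report the cause like the process and module helpers do; this path
    // used to fail silently.
    printError( TEXT("CreateToolhelp32Snapshot (of threads)") );
    return( FALSE ); 
  }
 
  // dwSize must be set before the first Thread32First call.
  te32.dwSize = sizeof(THREADENTRY32); 
 
  if( !Thread32First( hThreadSnap, &te32 ) ) 
  {
    printError( TEXT("Thread32First") ); // show cause of failure
    CloseHandle( hThreadSnap );          // clean the snapshot object
    return( FALSE );
  }

  do 
  { 
    if( te32.th32OwnerProcessID == dwOwnerPID )
    {
      _tprintf( TEXT("\n\n     THREAD ID      = 0x%08X"), te32.th32ThreadID ); 
      _tprintf( TEXT("\n     Base priority  = %d"), te32.tpBasePri ); 
      _tprintf( TEXT("\n     Delta priority = %d"), te32.tpDeltaPri ); 
      _tprintf( TEXT("\n"));
    }
  } while( Thread32Next(hThreadSnap, &te32 ) ); 

  CloseHandle( hThreadSnap );
  return( TRUE );
}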

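void printError( TCHAR* msg )
{
  // Print "WARNING: <msg> failed with error <code> (<system text>)" for the
  // current GetLastError() value. The system text is cut at its first control
  // character and stripped of trailing periods and whitespace so the whole
  // warning stays on one line.
  DWORD eNum = GetLastError( );
  TCHAR sysMsg[256];

  // FormatMessage returns the number of TCHARs stored, or 0 on failure. The
  // earlier version ignored this and scanned an uninitialized buffer with no
  // upper bound when no text was produced; len bounds every access below.
  DWORD len = FormatMessage( FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
         NULL, eNum,
         MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
         sysMsg, 256, NULL );
  if( len == 0 )
    sysMsg[0] = 0;

  // Stop at the first control character (tab excepted) ...
  DWORD end = 0;
  while( end < len && ( ( sysMsg[end] > 31 ) || ( sysMsg[end] == 9 ) ) )
    ++end;
  // ... then drop trailing periods and whitespace, and terminate there.
  while( end > 0 && ( ( sysMsg[end - 1] == '.' ) || ( sysMsg[end - 1] < 33 ) ) )
    --end;
  sysMsg[end] = 0;

  // eNum is a DWORD, so %lu rather than %d.
  _tprintf( TEXT("\n  WARNING: %s failed with error %lu (%s)"), msg, eNum, sysMsg );
}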