
如何枚举进程以及如何枚举进程所包含的模块

最近需要做毕设,对我而言,也是一个不小的挑战,这半年就没写过一个程序。。。。。废话少说,言归正传,我这次的毕设和系统有比较大的关系,程序的其中一个模块就是扫描内存。大体思路如下:先得到进程列表,然后枚举每个进程所加载的模块,并得到每个模块的基地址,然后读取内存中进程的数据,并扫描。说是简单,就光得到模块的基地址就令我想了2天,最后还是解决了,哈哈哈哈。。

1)关于进程的结构体 PROCESSENTRY32 {
DWORD     dwSize;     //结构的大小,以字节为单位
DWORD     cntUsage;  //无用,通常为0
DWORD     th32ProcessID;  //进程ID号
ULONG_PTR th32DefaultHeapID;  //无用,通常为0
DWORD     th32ModuleID;   //无用,通常为0
DWORD     cntThreads;      //拥有的线程数
DWORD     th32ParentProcessID;  //父进程ID
LONG      pcPriClassBase;       //。。。。。。
DWORD     dwFlags;     //无用,通常为0
TCHAR     szExeFile[MAX_PATH];   //可执行文件的名称
} PROCESSENTRY32, * PROCESSENTRY32 ;
2)关于模块的结构体
MODULEENTRY32 (
DWORD   dwSize;      //    结构的大小,以字节为单位
DWORD   th32ModuleID;   //  不再使用,设为1
DWORD   th32ProcessID;   //  所属进程的ID
DWORD   GlblcntUsage;   //   计数器,通常为0xFFFF
DWORD   ProccntUsage;   //  计数器,通常为0xFFFF
BYTE *   modBaseAddr;   //    该模块的基地址
DWORD   modBaseSize;   //  模块的大小
HMODULE hModule;     //   。。。。。。。
TCHAR   szModule[MAX_MODULE_NAME32 + 1];    // 模块名称
TCHAR   szExePath[MAX_PATH];   // 模块路径
} MODULEENTRY32, * MODULEENTRY32;
3)到这就开始枚举进程了HANDLE hProcessSnap;HANDLE hProcess;PROCESSENTRY32 pe32;DWORD dwPriorityClass;// Take a snapshot of all processes in the system.hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );if( hProcessSnap == INVALID_HANDLE_VALUE ){printError( "CreateToolhelp32Snapshot (of processes)" );return( FALSE );}// Set the size of the structure before using it.pe32.dwSize = sizeof( PROCESSENTRY32 );// Retrieve information about the first process,// and exit if unsuccessfulif( !Process32First( hProcessSnap, &pe32 ) ){printError( "Process32First" ); // Show cause of failureCloseHandle( hProcessSnap ); // Must clean up the snapshot object!return( FALSE );}// Now walk the snapshot of processes, and// display information about each process in turndo{printf( "/n/n=====================================================" );printf( "/nPROCESS NAME: %s", pe32.szExeFile );printf( "/n-----------------------------------------------------" );// Retrieve the priority class.dwPriorityClass = 0;hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID );if( hProcess == NULL )printError( "OpenProcess" );else{dwPriorityClass = GetPriorityClass( hProcess );if( !dwPriorityClass )printError( "GetPriorityClass" );CloseHandle( hProcess );}printf( "/n process ID = 0x%08X", pe32.th32ProcessID );printf( "/n thread count = %d", pe32.cntThreads );printf( "/n parent process ID = 0x%08X", pe32.th32ParentProcessID );printf( "/n Priority Base = %d", pe32.pcPriClassBase );if( dwPriorityClass )printf( "/n Priority Class = %d", dwPriorityClass );} while( Process32Next( hProcessSnap, &pe32 ) );CloseHandle( hProcessSnap );4)枚举模块了,但是我用的是Module32First,Module32NextHANDLE hModuleSnap = INVALID_HANDLE_VALUE;MODULEENTRY32 me32;// Take a snapshot of all modules in the specified process.hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwPID );if( hModuleSnap == INVALID_HANDLE_VALUE ){printError( "CreateToolhelp32Snapshot (of modules)" );return( FALSE );}// Set the size of the 
structure before using it.me32.dwSize = sizeof( MODULEENTRY32 );// Retrieve information about the first module,// and exit if unsuccessfulif( !Module32First( hModuleSnap, &me32 ) ){printError( "Module32First" ); // Show cause of failureCloseHandle( hModuleSnap ); // Must clean up the snapshot object!return( FALSE );}// Now walk the module list of the process,// and display information about each moduledo{printf( "/n/n MODULE NAME: %s", me32.szModule );printf( "/n executable = %s", me32.szExePath );printf( "/n process ID = 0x%08X", me32.th32ProcessID );printf( "/n ref count (g) = 0x%04X", me32.GlblcntUsage );printf( "/n ref count (p) = 0x%04X", me32.ProccntUsage );printf( "/n base address = 0x%08X", (DWORD) me32.modBaseAddr ); //我要的就是这个printf( "/n base size = %d", me32.modBaseSize );} while( Module32Next( hModuleSnap, &me32 ) );CloseHandle( hModuleSnap );5)开始读取内存吧HANDLE hProcess;char buf[1024];DWORD dwNumberOfBytesRead;hProcess=(OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION |PROCESS_VM_READ, false, pid));//pid为目标进程的idif(hProcess !=NULL){if(ReadProcessMemory(hProcess,(void*)me32.modBaseAddr,&buf,1024,&dwNumberOfBytesRead)){//特征码匹配吧}}
