VC++实现枚举进程与模块

#pragma once
#define _WIN32_WINNT 0x0500 
#include"windows.h"
#include"tlhelp32.h"
#include"stdio.h"
#include"NativeApi.h"
#include"wchar.h"
#include"psapi.h"//SDK6.0
#pragma comment(lib,"psapi.lib")////SDK6.0,不知道为什么vc6好像没有自带这个头文件??

int GetUserPath(WCHAR* szModPath);
BOOL GetProcessModule(DWORD dwPID)
{
    BOOL bRet    =    FALSE;
    BOOL bFound    =    FALSE;
    HANDLE hModuleSnap = NULL;
    MODULEENTRY32 me32 ={0};
	
    hModuleSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,dwPID);//创建进程快照
    if(hModuleSnap == INVALID_HANDLE_VALUE)
	{   
		printf("获取模块失败!\n");
		return FALSE;
	}
	
    me32.dwSize = sizeof(MODULEENTRY32);
    if(::Module32First(hModuleSnap,&me32))//获得第一个模块
	{
		do{
			
			printf("方法1列模块名:%s\n",me32.szExePath);
		}while(::Module32Next(hModuleSnap,&me32));
	}//递归枚举模块
	
	
	CloseHandle(hModuleSnap);
	return bFound;
}
bool ForceLookUpModule(DWORD dwPID)
{
	
	typedef DWORD( WINAPI *FunLookModule)(
		HANDLE ProcessHandle,
		DWORD BaseAddress,
		DWORD MemoryInformationClass,
		DWORD MemoryInformation,
		DWORD MemoryInformationLength,
		DWORD ReturnLength );
	HMODULE hModule = GetModuleHandle ("ntdll.dll" ) ;
	if(hModule==NULL)
	{ 
		return FALSE;
	}
    FunLookModule ZwQueryVirtualMemory=(FunLookModule)GetProcAddress(hModule,"ZwQueryVirtualMemory");
	if(ZwQueryVirtualMemory==NULL)
	{
		return FALSE;
	}
	HANDLE hProcess=OpenProcess(PROCESS_QUERY_INFORMATION,1,dwPID);
	if(hProcess==NULL)
		return FALSE;
	PMEMORY_SECTION_NAME Out_Data=(PMEMORY_SECTION_NAME)	malloc(0x200u);
	DWORD retLength;
	WCHAR Path[256]={0};
	wchar_t wstr[256]={0};
	
	for(unsigned int i=0;i<0x7fffffff;i=i+0x10000)
	{ 
		if( ZwQueryVirtualMemory(hProcess,(DWORD)i,2,(DWORD)Out_Data,512,(DWORD)&retLength)>0)
		{ 
			if(!IsBadReadPtr((BYTE*)Out_Data->SectionFileName.Buffer,1))
			{
				if(((BYTE*)Out_Data->SectionFileName.Buffer)[0]==0x5c)
				{
					if(wcscmp(wstr, Out_Data->SectionFileName.Buffer))
						
					{   
						_wsetlocale(0,L"chs"); 				
						GetUserPath(Out_Data->SectionFileName.Buffer);
						wprintf(L"方法2列模块%s\n",Out_Data->SectionFileName.Buffer);
						
					}
					wcscpy(wstr,   Out_Data->SectionFileName.Buffer);
				}
				
			}
			
		}
	}
	CloseHandle(hProcess);
	return TRUE;
	
}
int GetUserPath(WCHAR* szModPath)
{    //\Device\HarddiskVolume1, 
	
	WCHAR Path[256]={0};
	WCHAR* Temp3=new WCHAR[3];	
	Temp3[2]='\0';	
	Temp3[1]=':';
	THead* phead=new THead;
	phead->Next=NULL;
	phead->Num=szModPath[22];
	for(int i='C';i<='Z';i++)
	{Temp3[0]=i;
	if(QueryDosDeviceW(Temp3,Path,30))
		if(phead->Num==Path[22])
		{  
			phead->Disk=(WCHAR)i;
			break;
		}
		
	}
	   
	   szModPath[0]=phead->Disk;
	   szModPath[1]=':';
	   szModPath[2]='\0';
   	   wcscpy(Path,szModPath+23);
	   wcscat(szModPath,Path);
	   
	   delete phead;
	   delete Temp3; 
	   
	   return 0;
}
BOOL EnableDebugPrivilege(BOOL fEnable)//这个用于提权的
{  
	BOOL fOk = FALSE;   
	HANDLE hToken;
	
	if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,&hToken))
	{   
		TOKEN_PRIVILEGES tp;
		tp.PrivilegeCount = 1;
		LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
		tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;
		AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
		fOk = (GetLastError() == ERROR_SUCCESS);
		CloseHandle(hToken);
	}
	else
	{
		return 0;
	}
	return(fOk);
}

void EnumModlueAll(DWORD dwPID)
{   
	HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,false,dwPID);
	if(hProcess==INVALID_HANDLE_VALUE)
	{ printf(" open process failed!\n");
	return;
	}
	DWORD size=0,ret=0;
	EnumProcessModules(hProcess,NULL,size,&ret);
	HMODULE *parry=(HMODULE*)malloc(ret+4);
	memset(parry,0,ret+4);
	if(EnumProcessModules(hProcess,parry,ret+4,&ret))
	{
		char* path=new char[MAX_PATH];
		memset(path,0,MAX_PATH);
		UINT i=0;
		
		while(GetModuleFileNameEx(hProcess,parry[i],path,MAX_PATH))
		{
			printf("方法3模块:%s\n",path);
			memset(path,0,MAX_PATH);
			i++;
		}
		delete path;
		
	}
	free(parry);
	
	CloseHandle(hProcess);
}

void EnumModuleEx(DWORD dwPID)
{   
	DWORD status;
	HMODULE hMod=GetModuleHandle("ntdll.dll");
	RTLCREATEQUERYDEBUGBUFFER RtlCreateQueryDebugBuffer=(RTLCREATEQUERYDEBUGBUFFER )GetProcAddress(hMod,"RtlCreateQueryDebugBuffer");
	RTLQUERYPROCESSDEBUGINFORMATION RtlQueryProcessDebugInformation=(RTLQUERYPROCESSDEBUGINFORMATION)GetProcAddress(hMod,"RtlQueryProcessDebugInformation");
	RTLDESTROYDEBUGBUFFER RtlDestroyQueryDebugBuffer =(RTLDESTROYDEBUGBUFFER )GetProcAddress(hMod,"RtlDestroyQueryDebugBuffer");
	if((hMod==NULL)||(RtlDestroyQueryDebugBuffer==NULL)||(RtlQueryProcessDebugInformation==NULL)||(RtlCreateQueryDebugBuffer==NULL))
	{
		printf("函数定位失败!\n");
		return ;
	}	
	
	PDEBUG_BUFFER Buffer=RtlCreateQueryDebugBuffer(0,FALSE);
	status=RtlQueryProcessDebugInformation(dwPID,PDI_MODULES ,Buffer);
	if(status<0)
	{ 
		printf("RtlQueryProcessDebugInformation函数调用失败,进程开了保护\n");
		
		return ;
	}
	ULONG count=*(PULONG)(Buffer->ModuleInformation);
	ULONG hModule=NULL;
	PDEBUG_MODULE_INFORMATION ModuleInfo=(PDEBUG_MODULE_INFORMATION)((ULONG)Buffer->ModuleInformation+4);
	for(ULONG i=0;i<count;i++)
	{
		printf("方法4列出的模块:%s\n",ModuleInfo->ImageName);
		ModuleInfo++;
	}
	
	RtlDestroyQueryDebugBuffer(Buffer);	
	
	
}
void EnumSelfModule()
{
	void *PEB         = NULL,
		*Ldr         = NULL,
		*Flink       = NULL,
		*p           = NULL,
		*BaseAddress = NULL,
		*FullDllName = NULL;
	printf("列举自身模块!\n");
	__asm
	{
		mov     eax,fs:[0x30]
			mov     PEB,eax
	}
	printf( "PEB   = 0x%08X\n", PEB );
	Ldr   = *( ( void ** )( ( unsigned char * )PEB + 0x0c ) );
	printf( "Ldr   = 0x%08X\n", Ldr );
	Flink = *( ( void ** )( ( unsigned char * )Ldr + 0x0c ) );
	printf( "Flink = 0x%08X\n", Flink );
	p     = Flink;
	do
	{
		BaseAddress = *( ( void ** )( ( unsigned char * )p + 0x18 ) );
		FullDllName = *( ( void ** )( ( unsigned char * )p + 0x28 ) );
		printf( "p     = 0x%08X 0x%08X ", p, BaseAddress );
		wprintf( L"%s\n", FullDllName );
		p = *( ( void ** )p );
	}
	while ( Flink != p );
	return;
	
}

#define PAGE_SIZE 0x1000
void  Search();
bool IsValidModule(ULONG i);
bool PrintModule();
void main();
bool IsValidModule(byte* i)
{   if(IsBadReadPtr((void*)i,sizeof(IMAGE_DOS_HEADER)))
return false;
IMAGE_DOS_HEADER *BasePoint=(IMAGE_DOS_HEADER *)i;
PIMAGE_NT_HEADERS32 NtHead=(PIMAGE_NT_HEADERS32)(i+BasePoint->e_lfanew);
if(IsBadReadPtr((void*)NtHead,PAGE_SIZE))
return false;
if((NtHead->FileHeader.Characteristics&IMAGE_FILE_DLL)==0)//过滤掉。exe文件
return false;
if(NtHead->OptionalHeader.Subsystem==0x2)
return true;
if(NtHead->OptionalHeader.Subsystem==0x3)
return true;
return false;
}

void Search()
{   printf("暴力搜索列举模块!\n");
UCHAR* i=(PUCHAR)0x10000000;
int Num=0;
for(;i<(PUCHAR)0x7ffeffff;i+=PAGE_SIZE)
{   
	if(IsValidModule(i))
	{
		printf("\t\t find a module at %08x\n",i);
		Num++;
	}	
	
}
printf("\t\t total find module :%03d\n",Num);	

}
void main()
{
	EnableDebugPrivilege(true);
	EnumModlueAll(4228);
	ForceLookUpModule(4228);
	getchar();
	GetProcessModule(4228);
	EnumModuleEx(4228);
	getchar();
	EnumSelfModule();
	getchar();
	Search();
	printf("按任意键退出........");
	getchar();
}

你可能感兴趣的:(VC++实现枚举进程与模块)