VC++实现枚举进程与模块

  1. #pragma once 
  2. #define _WIN32_WINNT 0x0500  
  3. #include"windows.h" 
  4. #include"tlhelp32.h" 
  5. #include"stdio.h" 
  6. #include"NativeApi.h" 
  7. #include"wchar.h" 
  8. #include"psapi.h"//SDK6.0 
  9. #pragma comment(lib,"psapi.lib")////SDK6.0,不知道为什么vc6好像没有自带这个头文件?? 
  10.  
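int GetUserPath(WCHAR* szModPath);

// Method 1: list the modules of process dwPID through a ToolHelp snapshot.
// Prints every module's full path and returns TRUE when at least one module
// was enumerated; FALSE when the snapshot could not be taken or was empty.
// Taking a TH32CS_SNAPMODULE snapshot requires the caller to be able to open
// the target (same user, or SeDebugPrivilege), and it typically fails when a
// 32-bit caller targets a 64-bit process.
BOOL GetProcessModule(DWORD dwPID)
{
    BOOL bFound = FALSE;
    MODULEENTRY32 me32 = {0};

    HANDLE hModuleSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
    if (hModuleSnap == INVALID_HANDLE_VALUE)
    {
        printf("获取模块失败!\n");
        return FALSE;
    }

    // dwSize must be filled in before the first call, or Module32First fails.
    me32.dwSize = sizeof(MODULEENTRY32);
    if (::Module32First(hModuleSnap, &me32))
    {
        do
        {
            printf("方法1列模块名:%s\n", me32.szExePath);
            // The original never set bFound, so the function always returned FALSE.
            bFound = TRUE;
        } while (::Module32Next(hModuleSnap, &me32));
    }

    CloseHandle(hModuleSnap);
    return bFound;
}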
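// Method 2: find image-backed mappings in process dwPID by querying the
// section name behind every 64 KiB allocation boundary of the 2 GiB user
// range with the native ZwQueryVirtualMemory(MemorySectionName) call.
// A hit yields an NT device path (\Device\HarddiskVolumeN\...), which
// GetUserPath rewrites in place to a drive path before it is printed.
// Consecutive hits on the same section are printed once.
// Returns false when ntdll!ZwQueryVirtualMemory cannot be resolved, the
// process cannot be opened, or the work buffer cannot be allocated; true
// otherwise, even if nothing was found.
// 32-bit only: the buffer and return-length pointers are passed as DWORD and
// the scan bounds assume a 2 GiB user address space.
bool ForceLookUpModule(DWORD dwPID)
{
    // Information class 2 = MemorySectionName (undocumented; layout of
    // PMEMORY_SECTION_NAME comes from NativeApi.h).  The call returns an
    // NTSTATUS, so the return type is signed: negative means failure.
    typedef LONG (WINAPI *FunLookModule)(
        HANDLE ProcessHandle,
        DWORD  BaseAddress,
        DWORD  MemoryInformationClass,
        DWORD  MemoryInformation,
        DWORD  MemoryInformationLength,
        DWORD  ReturnLength);

    HMODULE hModule = GetModuleHandle("ntdll.dll");
    if (hModule == NULL)
    {
        return false;
    }
    FunLookModule ZwQueryVirtualMemory =
        (FunLookModule)GetProcAddress(hModule, "ZwQueryVirtualMemory");
    if (ZwQueryVirtualMemory == NULL)
    {
        return false;
    }

    // PROCESS_QUERY_INFORMATION is all this query needs; the handle must not
    // be inheritable (the original passed 1 for bInheritHandle).
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPID);
    if (hProcess == NULL)
    {
        return false;
    }

    const size_t kOutSize = 0x200u;
    PMEMORY_SECTION_NAME Out_Data = (PMEMORY_SECTION_NAME)malloc(kOutSize);
    if (Out_Data == NULL)
    {
        CloseHandle(hProcess);
        return false;
    }
    DWORD retLength = 0;
    wchar_t wstr[256] = {0};   // last section name printed, for duplicate suppression

    // The locale only affects how wprintf renders the path; set it once.
    _wsetlocale(0, L"chs");

    for (unsigned int i = 0; i < 0x7fffffff; i += 0x10000)
    {
        memset(Out_Data, 0, kOutSize);
        // NT_SUCCESS is "status >= 0".  The original tested `> 0` on an
        // unsigned return, i.e. it acted on failures and skipped successes;
        // it only appeared to work because the buffer still held the result
        // of the previous successful query.
        if (ZwQueryVirtualMemory(hProcess, (DWORD)i, 2, (DWORD)Out_Data,
                                 (DWORD)kOutSize, (DWORD)&retLength) < 0)
        {
            continue;
        }
        WCHAR* name = Out_Data->SectionFileName.Buffer;
        // IsBadReadPtr is only a probe (it can still fault on guard pages);
        // kept because the buffer layout is not otherwise validated.
        if (name == NULL || IsBadReadPtr(name, sizeof(WCHAR)))
        {
            continue;
        }
        if (name[0] != L'\\')   // NT device paths start with a backslash
        {
            continue;
        }
        if (wcscmp(wstr, name) == 0)
        {
            continue;   // same section as the previous hit
        }
        // Remember the NT path *before* GetUserPath rewrites the buffer in
        // place; the original copied the rewritten form, so the comparison
        // above could never match and every hit was printed.
        wcsncpy(wstr, name, 255);
        wstr[255] = L'\0';

        GetUserPath(name);
        wprintf(L"方法2列模块%s\n", name);
    }

    free(Out_Data);   // was never freed
    CloseHandle(hProcess);
    return true;
}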
  89.      
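// Rewrites an NT device path such as
//   \Device\HarddiskVolume1\Windows\System32\ntdll.dll
// in place into the matching DOS drive path, e.g.
//   C:\Windows\System32\ntdll.dll
// The mapping is found by asking QueryDosDeviceW for the device behind each
// drive letter A: .. Z: and matching that device name as a prefix of
// szModPath.  The original instead compared a single character at fixed
// offset 22, which only works for \Device\HarddiskVolume<one digit>.
// Returns 0 on success; -1 with szModPath untouched when szModPath is NULL
// or no drive letter maps to the device (volumes without a letter, network
// or virtual devices).  The drive-letter namespace is per logon session, so
// a path from another user's process may resolve differently.
// szModPath must be writable and NUL-terminated; the result is never longer
// than the input because every device name is longer than "X:".
int GetUserPath(WCHAR* szModPath)
{
    if (szModPath == NULL)
    {
        return -1;
    }

    WCHAR device[256] = {0};
    WCHAR drive[3] = {L'A', L':', L'\0'};

    for (WCHAR letter = L'A'; letter <= L'Z'; letter++)
    {
        drive[0] = letter;
        // QueryDosDeviceW fills a multi-string; the first entry is the current
        // target of the drive's symbolic link (e.g. \Device\HarddiskVolume1).
        if (!QueryDosDeviceW(drive, device, 256))
        {
            continue;
        }
        size_t devLen = wcslen(device);
        if (devLen == 0 || wcsncmp(szModPath, device, devLen) != 0)
        {
            continue;
        }
        // Require a whole-component match so that HarddiskVolume1 does not
        // claim a path on HarddiskVolume10.
        if (szModPath[devLen] != L'\\' && szModPath[devLen] != L'\0')
        {
            continue;
        }
        // Shift the remainder left and put "X:" in front of it.  Source and
        // destination overlap, so wmemmove rather than wcscpy.
        size_t restLen = wcslen(szModPath + devLen);
        wmemmove(szModPath + 2, szModPath + devLen, restLen + 1);
        szModPath[0] = letter;
        szModPath[1] = L':';
        return 0;
    }
    return -1;
}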
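// Enables (fEnable != FALSE) or disables SeDebugPrivilege in the current
// process token.  The privilege lets OpenProcess succeed on processes owned
// by other users, which the cross-process enumerators in this file need.
// It is only present in an administrator's token, so this fails for a
// standard user; disable it again (fEnable == FALSE) when no longer needed.
// Returns TRUE when the privilege state was adjusted, FALSE otherwise.
BOOL EnableDebugPrivilege(BOOL fEnable)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        return FALSE;
    }

    BOOL fOk = FALSE;
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;
    // The original ignored a failed LookupPrivilegeValue and adjusted an
    // uninitialised LUID.
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
    {
        // AdjustTokenPrivileges returns TRUE even when the privilege is not
        // held by the token; the real outcome is in GetLastError
        // (ERROR_SUCCESS vs ERROR_NOT_ALL_ASSIGNED).
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
        fOk = (GetLastError() == ERROR_SUCCESS);
    }
    CloseHandle(hToken);
    return fOk;
}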
  141.  
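// Method 3: list the modules of process dwPID with PSAPI's EnumProcessModules
// and print each module's full path via GetModuleFileNameEx.
// The target is opened with the minimum rights PSAPI needs
// (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ) rather than PROCESS_ALL_ACCESS,
// which also succeeds on more targets.  A 32-bit caller cannot enumerate a
// 64-bit process this way.
void EnumModlueAll(DWORD dwPID)
{
    // OpenProcess reports failure with NULL, not INVALID_HANDLE_VALUE; the
    // original test never fired and a NULL handle was used.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPID);
    if (hProcess == NULL)
    {
        printf(" open process failed!\n");
        return;
    }

    // First call: size in bytes of the whole module-handle list.
    DWORD cbNeeded = 0;
    if (!EnumProcessModules(hProcess, NULL, 0, &cbNeeded) || cbNeeded == 0)
    {
        CloseHandle(hProcess);
        return;
    }
    HMODULE* parry = (HMODULE*)malloc(cbNeeded);
    if (parry == NULL)
    {
        CloseHandle(hProcess);
        return;
    }
    memset(parry, 0, cbNeeded);

    DWORD cbGot = 0;
    if (EnumProcessModules(hProcess, parry, cbNeeded, &cbGot))
    {
        // The list may have grown between the two calls; never read past the
        // buffer.  (The original looped until the first failing lookup, which
        // could walk off the end of the array.)
        if (cbGot > cbNeeded)
        {
            cbGot = cbNeeded;
        }
        DWORD count = cbGot / sizeof(HMODULE);
        char path[MAX_PATH] = {0};
        for (DWORD i = 0; i < count; i++)
        {
            if (GetModuleFileNameEx(hProcess, parry[i], path, MAX_PATH))
            {
                printf("方法3模块:%s\n", path);
            }
        }
    }
    free(parry);
    CloseHandle(hProcess);
}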
  171.  
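// Method 4: list the modules of process dwPID through the undocumented
// ntdll RtlQueryProcessDebugInformation(PDI_MODULES) query.  The function
// pointer typedefs and the DEBUG_BUFFER / DEBUG_MODULE_INFORMATION layouts
// come from NativeApi.h and are version- and bitness-dependent (32-bit here).
// Prints a message and returns when ntdll's exports cannot be resolved or the
// query fails (for example when the target cannot be opened).
void EnumModuleEx(DWORD dwPID)
{
    HMODULE hMod = GetModuleHandle("ntdll.dll");
    if (hMod == NULL)
    {
        printf("函数定位失败!\n");
        return;
    }
    RTLCREATEQUERYDEBUGBUFFER RtlCreateQueryDebugBuffer =
        (RTLCREATEQUERYDEBUGBUFFER)GetProcAddress(hMod, "RtlCreateQueryDebugBuffer");
    RTLQUERYPROCESSDEBUGINFORMATION RtlQueryProcessDebugInformation =
        (RTLQUERYPROCESSDEBUGINFORMATION)GetProcAddress(hMod, "RtlQueryProcessDebugInformation");
    RTLDESTROYDEBUGBUFFER RtlDestroyQueryDebugBuffer =
        (RTLDESTROYDEBUGBUFFER)GetProcAddress(hMod, "RtlDestroyQueryDebugBuffer");
    if (RtlCreateQueryDebugBuffer == NULL || RtlQueryProcessDebugInformation == NULL ||
        RtlDestroyQueryDebugBuffer == NULL)
    {
        printf("函数定位失败!\n");
        return;
    }

    PDEBUG_BUFFER Buffer = RtlCreateQueryDebugBuffer(0, FALSE);
    if (Buffer == NULL)
    {
        return;   // nothing to query into and nothing to destroy
    }

    // NTSTATUS: negative values are errors.  The original kept the status in
    // a DWORD, so `status < 0` could never be true and a failed query went on
    // to read an empty buffer; it also leaked the buffer on that path.
    LONG status = (LONG)RtlQueryProcessDebugInformation(dwPID, PDI_MODULES, Buffer);
    if (status < 0)
    {
        printf("RtlQueryProcessDebugInformation函数调用失败,进程开了保护\n");
        RtlDestroyQueryDebugBuffer(Buffer);
        return;
    }

    if (Buffer->ModuleInformation != NULL)
    {
        // ModuleInformation holds a ULONG entry count followed by an array of
        // DEBUG_MODULE_INFORMATION entries.
        ULONG count = *(PULONG)Buffer->ModuleInformation;
        PDEBUG_MODULE_INFORMATION ModuleInfo =
            (PDEBUG_MODULE_INFORMATION)((PUCHAR)Buffer->ModuleInformation + sizeof(ULONG));
        for (ULONG i = 0; i < count; i++, ModuleInfo++)
        {
            printf("方法4列出的模块:%s\n", ModuleInfo->ImageName);
        }
    }

    RtlDestroyQueryDebugBuffer(Buffer);
}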
  203.      
  204.      
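// Lists the modules of *this* process by walking the loader's
// InLoadOrderModuleList straight from the PEB, without any API call.
// x86 (32-bit) MSVC only: fs:[0x30] is the PEB on x86 and the offsets below
// are the 32-bit layouts
//   PEB   + 0x0c  -> Ldr (PEB_LDR_DATA*)
//   Ldr   + 0x0c  -> InLoadOrderModuleList (LIST_ENTRY list head)
//   entry + 0x18  -> DllBase
//   entry + 0x28  -> FullDllName.Buffer
// These offsets are not part of any public contract and differ on x64.
// Prints the PEB, Ldr and first-link addresses, then one line per module.
void EnumSelfModule()
{
    void *PEB = NULL;
    printf("列举自身模块!\n");
    __asm
    {
        mov     eax, fs:[0x30]
        mov     PEB, eax
    }
    // Pointers are printed through an integer cast so the %08X format is
    // well-defined (the original passed void* to %X directly).
    printf("PEB   = 0x%08X\n", (unsigned int)(ULONG_PTR)PEB);

    void *Ldr = *((void **)((unsigned char *)PEB + 0x0c));
    printf("Ldr   = 0x%08X\n", (unsigned int)(ULONG_PTR)Ldr);

    // The list head lives inside PEB_LDR_DATA; it is a sentinel, not an entry.
    void *head = (unsigned char *)Ldr + 0x0c;
    void *Flink = *((void **)head);
    printf("Flink = 0x%08X\n", (unsigned int)(ULONG_PTR)Flink);

    // Stop when the walk returns to the sentinel.  The original compared
    // against Flink (the first entry) instead, so it also treated the list
    // head as an LDR_DATA_TABLE_ENTRY and printed whatever lay at those
    // offsets inside PEB_LDR_DATA.
    for (void *p = Flink; p != head; p = *((void **)p))
    {
        void *BaseAddress = *((void **)((unsigned char *)p + 0x18));
        void *FullDllName = *((void **)((unsigned char *)p + 0x28));
        printf("p     = 0x%08X 0x%08X ",
               (unsigned int)(ULONG_PTR)p, (unsigned int)(ULONG_PTR)BaseAddress);
        wprintf(L"%s\n", (const wchar_t *)FullDllName);
    }
}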
  234.      
  235.  
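// Page granularity used by the brute-force scanner below (x86 page size).
#define PAGE_SIZE 0x1000

void Search();
// Declared with the same parameter type as its definition; the original
// declared IsValidModule(ULONG), a second overload that was never defined.
bool IsValidModule(BYTE* i);
bool PrintModule();
void main();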
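// Heuristic used by Search(): does a mapped DLL image start at address i?
// Requires a readable page starting with a DOS header (MZ) whose e_lfanew
// points at a readable PE header (PE\0\0) that is marked IMAGE_FILE_DLL and
// targets the Windows GUI or console subsystem.  EXE images are skipped on
// purpose.  The original checked neither signature, so any readable page was
// treated as a DOS header and its e_lfanew field (arbitrary data) followed.
// IsBadReadPtr is only a probe: it can still fault on guard pages and races
// with other threads; it is kept because this scanner has no other way to ask
// whether a page is committed.
bool IsValidModule(byte* i)
{
    if (i == NULL || IsBadReadPtr((void*)i, sizeof(IMAGE_DOS_HEADER)))
        return false;
    IMAGE_DOS_HEADER *BasePoint = (IMAGE_DOS_HEADER *)i;
    if (BasePoint->e_magic != IMAGE_DOS_SIGNATURE)
        return false;
    // e_lfanew is signed; a negative offset would point before the image.
    if (BasePoint->e_lfanew < 0)
        return false;
    PIMAGE_NT_HEADERS32 NtHead = (PIMAGE_NT_HEADERS32)(i + BasePoint->e_lfanew);
    if (IsBadReadPtr((void*)NtHead, sizeof(IMAGE_NT_HEADERS32)))
        return false;
    if (NtHead->Signature != IMAGE_NT_SIGNATURE)
        return false;
    if ((NtHead->FileHeader.Characteristics & IMAGE_FILE_DLL) == 0)   // skip .exe images
        return false;
    WORD subsystem = NtHead->OptionalHeader.Subsystem;
    return subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI ||
           subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI;
}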
  255.  
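// Brute-force module discovery for the *current* process: probes every page
// of the 32-bit user range from 0x10000000 up to 0x7ffeffff with
// IsValidModule and counts the pages that look like the base of a mapped DLL.
// It does not rely on the loader's lists, but it touches every readable page
// (slow, and it faults in pages that were not resident) and reports only the
// base page of each image.  32-bit only: the bounds assume a 2 GiB user
// address space.
void Search()
{
    printf("暴力搜索列举模块!\n");
    int Num = 0;
    for (UCHAR* i = (PUCHAR)0x10000000; i < (PUCHAR)0x7ffeffff; i += PAGE_SIZE)
    {
        if (IsValidModule(i))
        {
            // Integer cast keeps the %08x format well-defined for a pointer.
            printf("\t\t find a module at %08x\n", (unsigned int)(ULONG_PTR)i);
            Num++;
        }
    }
    printf("\t\t total find module :%03d\n", Num);
}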
  269.  
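// Runs every enumeration method in this file in turn against one process,
// pausing between groups so the output can be read.
// Kept as `void main()` to match the forward declaration above.
void main()
{
    // Target process id.  Hard-coded in the original article; change it to
    // the process you want to inspect (e.g. read it from the command line).
    const DWORD dwPID = 4228;

    // Methods 1-4 open another process; SeDebugPrivilege is needed when that
    // process belongs to another user.  Report when it cannot be enabled so a
    // later "open process failed" is explainable.
    if (!EnableDebugPrivilege(TRUE))
    {
        printf("EnableDebugPrivilege failed\n");
    }

    EnumModlueAll(dwPID);
    ForceLookUpModule(dwPID);
    getchar();
    GetProcessModule(dwPID);
    EnumModuleEx(dwPID);
    getchar();
    EnumSelfModule();
    getchar();
    Search();

    // Drop the privilege again now that the cross-process work is done.
    EnableDebugPrivilege(FALSE);

    printf("按任意键退出........");
    getchar();
}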

 

原文地址:http://blog.csdn.net/yincheng01/article/details/8107293
