查找加载某个windows标准动态库的进程

[这个贴子最后由x86在 2006/03/22 00:26am 第 4 次编辑] 一段查找加载某个windows标准动态库的进程id的代码,没有显示进程名字,只有id winxp+vc6.0编译通过以后还会增加一些功能..

#include <stdio.h>
#include <windows.h>
#include <Psapi.h>
#pragma comment(lib, "psapi.lib")
#pragma comment(lib, "ws2_32.lib")
#define PROCESSNUM 128
//////////////////////////////////////////////////////////////////
//进程权限提升函数
//////////////////////////////////////////////////////////////////
BOOL AdjustProcessPrivileges ( LPCSTR szPrivilegesName)
{
HANDLE hToken;
TOKEN_PRIVILEGES tkp;
if(!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
{
return FALSE;
}
if(!LookupPrivilegeValue(NULL,szPrivilegesName,
&tkp.Privileges[0].Luid))
{
CloseHandle(hToken);
return FALSE;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if(!AdjustTokenPrivileges(hToken,FALSE,&tkp,sizeof(tkp),NULL,NULL))
{
CloseHandle(hToken);
return 0;
}
CloseHandle(hToken);
return TRUE;
}
//////////////////////////////////////////////////////////////////
//查找系统中加载某一特定模块的进程，并返回其进程id到一数组
//////////////////////////////////////////////////////////////////
BOOL FindProcessByModuleName(DWORD * lpidProcesses,DWORD numOfProcess,LPCSTR FindModuleName,
DWORD * lpoutProcessBuffer, DWORD cb, DWORD * dwNeed)
{
*dwNeed = 0;
CHAR MapFileName[MAX_PATH] = "unknown";
CHAR ModuleName[MAX_PATH];
memset(ModuleName, 0, sizeof(ModuleName));
DWORD FileNameLength = 0;
DWORD ModuleNameLength = 0;
DWORD ModuleAddr = (DWORD)LoadLibrary(FindModuleName);
if((HMODULE)ModuleName == NULL)
{
return FALSE;
}
HANDLE pHd;
DWORD ProcessBufferId = 0;
for (DWORD i = 1; i < numOfProcess; i++)
{
pHd = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
FALSE, lpidProcesses[i] );
if (pHd == NULL)
{
continue;
}
FileNameLength = GetMappedFileName( pHd, (LPVOID)ModuleAddr,MapFileName, sizeof(MapFileName) );
if(FileNameLength == 0)
{
CloseHandle(pHd);
continue;
}
for(DWORD j = (FileNameLength - 1); MapFileName[j] != ';\\';; j--)
{
ModuleName[FileNameLength - j - 1] = MapFileName[j];
}
char temp;
DWORD Starti = 0;
DWORD Endi = strlen(ModuleName) - 1;
while( Starti != Endi && Starti < Endi )
{
temp = ModuleName[Starti];
ModuleName[Starti] = ModuleName[Endi];
ModuleName[Endi] = temp;
Starti++;
Endi--;
}
if(0 != strcmp(ModuleName,FindModuleName))
{
CloseHandle(pHd);
continue;
}
CloseHandle(pHd);
if(*dwNeed >= (cb / sizeof(DWORD)))
return FALSE;
lpoutProcessBuffer[ProcessBufferId] = lpidProcesses[i];
printf("Find %d:%s\n", lpoutProcessBuffer[ProcessBufferId], ModuleName);
ProcessBufferId++;
(*dwNeed)++;
}
return TRUE;
}
//////////////////////////////////////////////////////////////////
//在一组进程空间中保留和提交一段指定大小和保护属性的内存空间
//////////////////////////////////////////////////////////////////
BOOL ReserveAndCommitForProcesses(DWORD * lpidProcesses, DWORD numOfProcess, DWORD dwThreadSize,
DWORD * lpCommitAddrs, DWORD cb, DWORD * dwNeeded,
DWORD * lpCresPondPids,DWORD cbOfCres)
{
(*dwNeeded) = 0;
HANDLE hTargetProcess;
DWORD dwTargetAddr = 0;
for (DWORD i = 0; i < numOfProcess; i++)
{
hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, lpidProcesses[i] );
if (hTargetProcess == NULL)
{
continue;
}
if(*dwNeeded >= (cb/sizeof(DWORD)) || *dwNeeded >= (cbOfCres/sizeof(DWORD)))
{
CloseHandle(hTargetProcess);
return FALSE;
}
dwTargetAddr = (DWORD)VirtualAllocEx(hTargetProcess, NULL, dwThreadSize,
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if((LPVOID)dwTargetAddr == NULL)
{
CloseHandle(hTargetProcess);
continue;
}
CloseHandle(hTargetProcess);
lpCommitAddrs[*dwNeeded] = dwTargetAddr;
lpCresPondPids[*dwNeeded] = lpidProcesses[i];
(*dwNeeded)++;
}
return TRUE;
}
int main(int argc, char *argv[])
{
DWORD ProcessIds[PROCESSNUM];
DWORD AccordProcessIds[PROCESSNUM];
DWORD CommitAddres[PROCESSNUM];
DWORD MatchAddrPids[PROCESSNUM];
DWORD cPids = 0;
DWORD cAccordPids = 0;
DWORD cCommitAddr = 0;
if(!AdjustProcessPrivileges(SE_DEBUG_NAME))
{
printf("AdjustProcessPrivileges Error!\n");
return 1;
}
if (!EnumProcesses( ProcessIds, sizeof(ProcessIds), &cPids))
{
printf("EnumProcess Error!\n");
return 1;
}
if(!FindProcessByModuleName(ProcessIds, cPids/sizeof(DWORD), "ws2_32.dll", AccordProcessIds, sizeof(AccordProcessIds), &cAccordPids))
{
printf("FindProcessByModuleName Error!\n");
return 1;
}
printf("%d Processes Load The ws2_32.dll\n",cAccordPids);
if(!ReserveAndCommitForProcesses(AccordProcessIds, cAccordPids, 4096,
CommitAddres, sizeof(CommitAddres), &cCommitAddr,
MatchAddrPids, sizeof(MatchAddrPids)))
{
printf("ReserveAndCommitForProcesses Error!\n");
return 1;
}
for (DWORD i = 0; i < cCommitAddr; i++)
{
printf("PID:%d,Commit Addr:0x%x\n", MatchAddrPids[i], CommitAddres[i]);
}
printf("Commit %d addresses!\n", cCommitAddr);
return 0;
}

复制代码

x86 该用户已被删除

沙发

x86发表于 2006-3-22 23:15 | 只看该作者

查找加载某个windows标准动态库的进程

#include <stdio.h>
#include <windows.h>
#include <Psapi.h>
#pragma comment(lib, "psapi.lib")
#pragma comment(lib, "ws2_32.lib")
#define PROCESSNUM 128
//线程参数结构体定义
typedef struct _RemoteParam {
char szMsg[12]; //MessageBox函数中显示的字符提示
DWORD dwMessageBox;//MessageBox函数的入口地址
char szModulename[12]; //加载的动态库名
DWORD dwLoadLibrary;
HMODULE ModuleAddr;
DWORD dwFreeLibrary;
} RemoteParam, * PRemoteParam;
//定义MessageBox类型的函数指针
typedef int (__stdcall * PFN_MESSAGEBOX)(HWND, LPCTSTR, LPCTSTR, DWORD);
typedef int (__stdcall * PFN_LOADLIBRARY)(LPCTSTR);
typedef int (__stdcall * PFN_FREELIBRARY)(HMODULE);
//线程函数定义
DWORD __stdcall threadProc(LPVOID lParam)
{
RemoteParam* pRP = (RemoteParam*)lParam;
PFN_MESSAGEBOX pfnMessageBox;
PFN_LOADLIBRARY pfnLoadLibrary;
PFN_FREELIBRARY pfnFreeLibrary;
pfnMessageBox = (PFN_MESSAGEBOX)pRP->dwMessageBox;
pfnLoadLibrary = (PFN_LOADLIBRARY)pRP->dwLoadLibrary;
pfnFreeLibrary = (PFN_FREELIBRARY)pRP->dwFreeLibrary;
pfnLoadLibrary(pRP->szModulename);
pfnMessageBox(NULL, pRP->szMsg, pRP->szMsg, 0);
pfnFreeLibrary(pRP->ModuleAddr);
return 0;
}
//////////////////////////////////////////////////////////////////
//进程权限提升函数
//////////////////////////////////////////////////////////////////
BOOL AdjustProcessPrivileges ( LPCSTR szPrivilegesName)
{
HANDLE hToken;
TOKEN_PRIVILEGES tkp;
if(!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
{
return FALSE;
}
if(!LookupPrivilegeValue(NULL,szPrivilegesName,
&tkp.Privileges[0].Luid))
{
CloseHandle(hToken);
return FALSE;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if(!AdjustTokenPrivileges(hToken,FALSE,&tkp,sizeof(tkp),NULL,NULL))
{
CloseHandle(hToken);
return 0;
}
CloseHandle(hToken);
return TRUE;
}
//////////////////////////////////////////////////////////////////
//查找系统中加载某一特定模块的进程，并返回其进程id到一数组
//////////////////////////////////////////////////////////////////
BOOL FindProcessByModuleName(DWORD * lpidProcesses,DWORD numOfProcess,LPCSTR FindModuleName,
DWORD * lpoutProcessBuffer, DWORD cb, DWORD * dwNeed)
{
*dwNeed = 0;
CHAR MapFileName[MAX_PATH] = "unknown";
CHAR ModuleName[MAX_PATH];
memset(ModuleName, 0, sizeof(ModuleName));
DWORD FileNameLength = 0;
DWORD ModuleNameLength = 0;
DWORD ModuleAddr = (DWORD)LoadLibrary(FindModuleName);
if((HMODULE)ModuleName == NULL)
{
return FALSE;
}
HANDLE pHd;
DWORD ProcessBufferId = 0;
for (DWORD i = 1; i < numOfProcess; i++)
{
pHd = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
FALSE, lpidProcesses[i] );
if (pHd == NULL)
{
continue;
}
FileNameLength = GetMappedFileName( pHd, (LPVOID)ModuleAddr,MapFileName, sizeof(MapFileName) );
if(FileNameLength == 0)
{
CloseHandle(pHd);
continue;
}
for(DWORD j = (FileNameLength - 1); MapFileName[j] != ';\\';; j--)
{
ModuleName[FileNameLength - j - 1] = MapFileName[j];
}
char temp;
DWORD Starti = 0;
DWORD Endi = strlen(ModuleName) - 1;
while( Starti != Endi && Starti < Endi )
{
temp = ModuleName[Starti];
ModuleName[Starti] = ModuleName[Endi];
ModuleName[Endi] = temp;
Starti++;
Endi--;
}
if(0 != strcmp(ModuleName,FindModuleName))
{
CloseHandle(pHd);
continue;
}
CloseHandle(pHd);
if(*dwNeed >= (cb / sizeof(DWORD)))
return FALSE;
lpoutProcessBuffer[ProcessBufferId] = lpidProcesses[i];
ProcessBufferId++;
(*dwNeed)++;
}
return TRUE;
}
//////////////////////////////////////////////////////////////////
//在一组进程空间中保留和提交一段指定大小和保护属性的内存空间
//////////////////////////////////////////////////////////////////
BOOL ReserveAndCommitForProcesses(DWORD * lpidProcesses, DWORD numOfProcess, DWORD dwThreadSize,
DWORD * lpCommitAddrs, DWORD cb, DWORD * dwNeeded,
DWORD * lpCresPondPids,DWORD cbOfCres)
{
(*dwNeeded) = 0;
HANDLE hTargetProcess;
DWORD dwTargetAddr = 0;
for (DWORD i = 0; i < numOfProcess; i++)
{
hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, lpidProcesses[i] );
if (hTargetProcess == NULL)
{
continue;
}
if(*dwNeeded >= (cb/sizeof(DWORD)) || *dwNeeded >= (cbOfCres/sizeof(DWORD)))
{
CloseHandle(hTargetProcess);
return FALSE;
}
dwTargetAddr = (DWORD)VirtualAllocEx(hTargetProcess, NULL, dwThreadSize,
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if((LPVOID)dwTargetAddr == NULL)
{
CloseHandle(hTargetProcess);
continue;
}
CloseHandle(hTargetProcess);
lpCommitAddrs[*dwNeeded] = dwTargetAddr;
lpCresPondPids[*dwNeeded] = lpidProcesses[i];
(*dwNeeded)++;
}
return TRUE;
}
//////////////////////////////////////////////////////////////////////////
//在一组进程空间中已经申请的内存地址上写入本程序空间中指定地址和大小的数据
//////////////////////////////////////////////////////////////////////////
BOOL WriteRemoteProcessesMemory(DWORD * lpidProcesses, DWORD * lpRemoteAddresses,DWORD numOfProcess,
DWORD LocalBuffer, DWORD cb, DWORD * cWrittenProcesses)
{
HANDLE hTargetProcess;
*cWrittenProcesses = 0;
for (DWORD i = 0; i < numOfProcess; i++)
{
hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, lpidProcesses[i] );
if (hTargetProcess == NULL)
{
continue;
}
if (!WriteProcessMemory(hTargetProcess , (LPVOID)lpRemoteAddresses[i], (LPVOID)LocalBuffer, cb, NULL))
{
CloseHandle(hTargetProcess);
continue;
}
(*cWrittenProcesses)++;
CloseHandle(hTargetProcess);
}
return TRUE;
}
int main(int argc, char *argv[])
{
DWORD ProcessIds[PROCESSNUM];
DWORD AccordProcessIds[PROCESSNUM];
DWORD CommitThreadAddres[PROCESSNUM];
DWORD CommitPramaAddres[PROCESSNUM];
DWORD MatchAddrPids[PROCESSNUM];
DWORD cPids = 0;
DWORD cAccordPids = 0;
DWORD cCommitAddr = 0;
DWORD cWrittenProcesses = 0;
DWORD RemoteThreadId = 0;
if(!AdjustProcessPrivileges(SE_DEBUG_NAME))
{
printf("AdjustProcessPrivileges Error!\n");
return 1;
}
if (!EnumProcesses( ProcessIds, sizeof(ProcessIds), &cPids))
{
printf("EnumProcess Error!\n");
return 1;
}
if(!FindProcessByModuleName(ProcessIds, cPids/sizeof(DWORD), "ws2_32.dll", AccordProcessIds, sizeof(AccordProcessIds), &cAccordPids))
{
printf("FindProcessByModuleName Error!\n");
return 1;
}
printf("%d Processes Load The ws2_32.dll\n\n",cAccordPids);
if(!ReserveAndCommitForProcesses(AccordProcessIds, cAccordPids, 4096,
CommitThreadAddres, sizeof(CommitThreadAddres), &cCommitAddr,
MatchAddrPids, sizeof(MatchAddrPids)))
{
printf("ReserveAndCommitForProcesses Error!\n");
return 1;
}
for (DWORD i = 0; i < cCommitAddr; i++)
{
printf("PID:%.4d,Commit Addr:0x%.8x\n", MatchAddrPids[i], CommitThreadAddres[i]);
}
printf("Commit %d addresses for thread!\n\n", cCommitAddr);
if(!WriteRemoteProcessesMemory(MatchAddrPids, CommitThreadAddres, cCommitAddr,
(DWORD)&threadProc, 4096, &cWrittenProcesses))
{
printf("WriteRemoteProcessesMemory Error!\n");
return 1;
}
printf("Written %d Processess for thread!\n\n", cWrittenProcesses);
//定义线程参数结构体变量
RemoteParam remoteData;
ZeroMemory(&remoteData, sizeof(RemoteParam));
//填充结构体变量中的成员
HINSTANCE hUser32 = LoadLibrary("User32.dll");
remoteData.dwMessageBox = (DWORD)GetProcAddress(hUser32, "MessageBoxA");
strcat(remoteData.szMsg, "Hello\0");
HINSTANCE hKernel32 = LoadLibrary("Kernel32.dll");
remoteData.dwLoadLibrary = (DWORD)GetProcAddress(hKernel32, "LoadLibraryA");
strcat(remoteData.szModulename, "User32.dll\0");
remoteData.dwFreeLibrary = (DWORD)GetProcAddress(hKernel32, "FreeLibrary");
remoteData.ModuleAddr = hUser32;
if(!ReserveAndCommitForProcesses(AccordProcessIds, cAccordPids, sizeof(RemoteParam),
CommitPramaAddres, sizeof(CommitPramaAddres), &cCommitAddr,
MatchAddrPids, sizeof(MatchAddrPids)))
{
printf("ReserveAndCommitForProcesses Error!\n");
return 1;
}
for (DWORD j = 0; j < cCommitAddr; j++)
{
printf("PID:%.4d,Commit Addr:0x%.8x\n", MatchAddrPids[j], CommitPramaAddres[j]);
}
printf("Commit %d addresses for param!\n\n", cCommitAddr);
if(!WriteRemoteProcessesMemory(MatchAddrPids, CommitPramaAddres, cCommitAddr,
(DWORD)&remoteData, sizeof(remoteData), &cWrittenProcesses))
{
printf("WriteRemoteProcessesMemory Error!\n");
return 1;
}
printf("Written %d Processess for prama!\n\n", cWrittenProcesses);
HANDLE hRemoteThread;
HANDLE hTargetProcess;
DWORD cRunThreadInProcess = 0;
for (DWORD numOfRemoteThread = 0; numOfRemoteThread < cWrittenProcesses; numOfRemoteThread++)
{
hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, MatchAddrPids[numOfRemoteThread] );
if (hTargetProcess == NULL)
{
continue;
}
hRemoteThread = CreateRemoteThread(hTargetProcess, NULL, 0, (DWORD (__stdcall *)(void *))CommitThreadAddres[numOfRemoteThread],
(LPVOID)CommitPramaAddres[numOfRemoteThread], 0, &RemoteThreadId);
if(hRemoteThread == NULL)
{
CloseHandle(hTargetProcess);
continue;
}
printf("PID: %.4d. TID:%.8d\n", MatchAddrPids[numOfRemoteThread], RemoteThreadId);
CloseHandle(hTargetProcess);
CloseHandle(hRemoteThread);
cRunThreadInProcess++;
}
printf("Run %d Threads in Target Processes\n\n", cRunThreadInProcess);
FreeLibrary(hUser32);
FreeLibrary(hKernel32);
return 0;
}

复制代码

TOP

x86 该用户已被删除

板凳

x86发表于 2006-3-24 01:57 | 只看该作者

查找加载某个windows标准动态库的进程

[这个贴子最后由x86在 2006/03/24 01:59pm 第 1 次编辑] 请看最新的,插入到所有加载谋个动态库的进程,并弹出对话框表明进程运行路径和名称,代码如下: 例子是插入到所有加载了ws2_32,dll的进程,也就是所有的要进行网络数据传递的进程. 提供一个可执行文件,大家可以试着使用一下 , 0, &RemoteThreadId); if(hRemoteThread == NULL) { printf("创建远程线程失败!"); CloseHandle(hTargetProcess); return 0; } CloseHandle(hTargetProcess); CloseHandle(hRemoteThread); //;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; */ FreeLibrary(hUser32); FreeLibrary(hKernel32); return 0; }

TOP

yhf3201 该用户已被删除

地板

yhf3201发表于 2006-4-6 14:58 | 只看该作者

查找加载某个windows标准动态库的进程

我是菜鸟
看不懂
还是要谢谢

TOP

返回列表回复发帖

查找加载某个windows标准动态库的进程

查找加载某个windows标准动态库的进程

查找加载某个windows标准动态库的进程

查找加载某个windows标准动态库的进程

[收藏此主题] [关注此主题的新回复]

[通过 QQ、MSN 分享给朋友]