VC++实现枚举进程与模块

来源:岁月联盟 编辑:exp 时间:2012-10-25
#pragma once 
#define _WIN32_WINNT 0x0500  
#include"windows.h" 
#include"tlhelp32.h" 
#include"stdio.h" 
#include"NativeApi.h" 
#include"wchar.h" 
#include"psapi.h"//SDK6.0 
#pragma comment(lib,"psapi.lib")////SDK6.0,不知道为什么vc6好像没有自带这个头文件?? 
 
// Rewrites an NT device path (\Device\HarddiskVolumeN\...) in place into a
// drive-letter path; defined further down and used by ForceLookUpModule.
int GetUserPath(WCHAR* szModPath); 
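// Method 1: lists the modules of process dwPID through a Toolhelp snapshot and
// prints each module's szExePath.
// Returns TRUE when at least one module was enumerated, FALSE when the snapshot
// could not be created (e.g. the target cannot be opened) or it was empty.
// The original always returned FALSE because bFound was never set.
BOOL GetProcessModule(DWORD dwPID) 
{
    BOOL bFound = FALSE;
    MODULEENTRY32 me32 = {0};

    HANDLE hModuleSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
    if (hModuleSnap == INVALID_HANDLE_VALUE)
    {
        printf("获取模块失败!\n");
        return FALSE;
    }

    // dwSize must be filled in before Module32First, otherwise the call fails.
    me32.dwSize = sizeof(MODULEENTRY32);
    if (::Module32First(hModuleSnap, &me32))
    {
        do
        {
            printf("方法1列模块名:%s\n", me32.szExePath);
            bFound = TRUE;
        } while (::Module32Next(hModuleSnap, &me32));
    }

    CloseHandle(hModuleSnap);
    return bFound;
}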
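// Method 2: walks the target's 32-bit user address space in 64 KiB steps and
// asks ZwQueryVirtualMemory for the section name (information class 2,
// MemorySectionName) of each region. Regions backed by a file section yield an
// NT device path (\Device\...), which GetUserPath rewrites to a drive-letter
// path before it is printed; consecutive regions of the same image are printed
// once. Returns false when the ntdll export, the process open or the buffer
// allocation fails, true otherwise.
// 32-bit build only: pointers are passed through DWORD parameters.
bool ForceLookUpModule(DWORD dwPID) 
{
    typedef DWORD (WINAPI *FunLookModule)(
        HANDLE ProcessHandle,
        DWORD BaseAddress,
        DWORD MemoryInformationClass,
        DWORD MemoryInformation,
        DWORD MemoryInformationLength,
        DWORD ReturnLength);

    HMODULE hModule = GetModuleHandle("ntdll.dll");
    if (hModule == NULL)
        return false;
    FunLookModule ZwQueryVirtualMemory =
        (FunLookModule)GetProcAddress(hModule, "ZwQueryVirtualMemory");
    if (ZwQueryVirtualMemory == NULL)
        return false;

    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPID);
    if (hProcess == NULL)
        return false;

    // Output buffer: a MEMORY_SECTION_NAME header followed by the name
    // characters (SectionFileName.Buffer points into this same allocation).
    // The original never freed it.
    const DWORD kBufferSize = 0x200;
    PMEMORY_SECTION_NAME Out_Data = (PMEMORY_SECTION_NAME)malloc(kBufferSize);
    if (Out_Data == NULL)
    {
        CloseHandle(hProcess);
        return false;
    }
    memset(Out_Data, 0, kBufferSize);

    _wsetlocale(0, L"chs");   // loop-invariant; presumably so wprintf can render the CJK text
    DWORD retLength = 0;
    wchar_t lastName[256] = {0};   // NT path of the previously printed region

    for (unsigned int addr = 0; addr < 0x7fffffff; addr += 0x10000)
    {
        DWORD status = ZwQueryVirtualMemory(hProcess, (DWORD)addr, 2,
                                            (DWORD)Out_Data, kBufferSize, (DWORD)&retLength);
        // NTSTATUS: success is 0, failure has the sign bit set. The original
        // tested `> 0` on the unsigned value, which matches only non-zero
        // (failing) statuses.
        if ((LONG)status < 0)
            continue;

        const WCHAR* name = Out_Data->SectionFileName.Buffer;
        if (IsBadReadPtr(name, sizeof(WCHAR)) || name[0] != L'\\')
            continue;   // not an NT device path
        if (wcscmp(lastName, name) == 0)
            continue;   // same image as the previous region

        // Remember the unmodified NT path before GetUserPath rewrites the
        // buffer in place; the original copied the rewritten path, so the
        // comparison above never matched.
        wcsncpy(lastName, name, 255);
        lastName[255] = L'\0';

        GetUserPath(Out_Data->SectionFileName.Buffer);
        wprintf(L"方法2列模块%s\n", Out_Data->SectionFileName.Buffer);
    }

    free(Out_Data);
    CloseHandle(hProcess);
    return true;
}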
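// Converts an NT device path of the form \Device\HarddiskVolumeN\rest into
// X:\rest in place, by matching the volume against the drive letters C..Z via
// QueryDosDeviceW. Only single-digit volume numbers are handled: the volume
// prefix is the first 23 characters and the remainder starts at index 23.
// Returns 0 on success, -1 when the path is too short or no drive letter maps
// to the volume; the path is left untouched on failure (the original wrote an
// uninitialized drive letter in that case).
// The rest of the path is copied through a 256-WCHAR buffer and truncated there.
int GetUserPath(WCHAR* szModPath) 
{
    const int kPrefixLen = 23;   // wcslen(L"\\Device\\HarddiskVolumeN")
    WCHAR device[256] = {0};
    WCHAR drive[3] = { L'\0', L':', L'\0' };
    WCHAR found = L'\0';

    if (szModPath == NULL || wcslen(szModPath) < (size_t)kPrefixLen)
        return -1;

    for (int letter = 'C'; letter <= 'Z'; letter++)
    {
        drive[0] = (WCHAR)letter;
        // Clear between iterations: a shorter device name would otherwise
        // leave the previous letter's characters behind.
        memset(device, 0, sizeof(device));
        if (!QueryDosDeviceW(drive, device, 256))
            continue;
        // Compare the whole \Device\HarddiskVolumeN prefix, not just the
        // digit at index 22, so an unrelated device cannot match by accident.
        if (wcsncmp(device, szModPath, kPrefixLen) == 0)
        {
            found = (WCHAR)letter;
            break;
        }
    }
    if (found == L'\0')
        return -1;

    // Save the remainder before overwriting the front of the string.
    wcsncpy(device, szModPath + kPrefixLen, 255);
    device[255] = L'\0';
    szModPath[0] = found;
    szModPath[1] = L':';
    szModPath[2] = L'\0';
    wcscat(szModPath, device);
    return 0;
}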
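// Enables (fEnable != FALSE) or disables SeDebugPrivilege in the current
// process token. The privilege must already be present in the token (normally
// only administrators have it); when it is not, AdjustTokenPrivileges returns
// TRUE but sets ERROR_NOT_ALL_ASSIGNED, which is reported here as FALSE.
// Returns TRUE only when the adjustment was fully applied.
BOOL EnableDebugPrivilege(BOOL fEnable) 
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;

    BOOL fOk = FALSE;
    TOKEN_PRIVILEGES tp = {0};
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;
    // The original ignored both return values below.
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
    {
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
            fOk = (GetLastError() == ERROR_SUCCESS);
    }

    CloseHandle(hToken);
    return fOk;
}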
 
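// Method 3: lists the modules of process dwPID with PSAPI's
// EnumProcessModules and prints each full path from GetModuleFileNameEx.
// The process is opened with only the rights PSAPI needs
// (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ) instead of PROCESS_ALL_ACCESS.
// Prints a message and returns if the process cannot be opened.
void EnumModlueAll(DWORD dwPID) 
{
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPID);
    // OpenProcess reports failure with NULL, not INVALID_HANDLE_VALUE.
    if (hProcess == NULL)
    {
        printf(" open process failed!\n");
        return;
    }

    // First call with an empty array only reports the size needed, in bytes.
    DWORD needed = 0;
    EnumProcessModules(hProcess, NULL, 0, &needed);
    if (needed == 0)
    {
        CloseHandle(hProcess);
        return;
    }

    // One spare slot (sized by HMODULE, not a literal 4) in case the module
    // list grows between the two calls.
    DWORD capacity = needed + sizeof(HMODULE);
    HMODULE* modules = (HMODULE*)malloc(capacity);
    if (modules == NULL)
    {
        CloseHandle(hProcess);
        return;
    }
    memset(modules, 0, capacity);

    if (EnumProcessModules(hProcess, modules, capacity, &needed))
    {
        char path[MAX_PATH] = {0};
        // needed may exceed capacity if the list grew; only walk what was stored.
        DWORD stored = (needed < capacity) ? needed : capacity;
        for (DWORD i = 0; i < stored / sizeof(HMODULE); i++)
        {
            memset(path, 0, sizeof(path));
            if (GetModuleFileNameEx(hProcess, modules[i], path, MAX_PATH))
                printf("方法3模块:%s\n", path);
        }
    }

    free(modules);
    CloseHandle(hProcess);
}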
 
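// Method 4: lists the modules of process dwPID through the undocumented ntdll
// debug-buffer API (RtlCreateQueryDebugBuffer / RtlQueryProcessDebugInformation
// with PDI_MODULES). ModuleInformation starts with a ULONG entry count followed
// by DEBUG_MODULE_INFORMATION records (types and layout from NativeApi.h, as in
// the original). Prints a message and returns on any failure.
void EnumModuleEx(DWORD dwPID) 
{
    // Resolve ntdll first; the original called GetProcAddress before checking hMod.
    HMODULE hMod = GetModuleHandle("ntdll.dll");
    if (hMod == NULL)
    {
        printf("函数定位失败!\n");
        return;
    }
    RTLCREATEQUERYDEBUGBUFFER RtlCreateQueryDebugBuffer =
        (RTLCREATEQUERYDEBUGBUFFER)GetProcAddress(hMod, "RtlCreateQueryDebugBuffer");
    RTLQUERYPROCESSDEBUGINFORMATION RtlQueryProcessDebugInformation =
        (RTLQUERYPROCESSDEBUGINFORMATION)GetProcAddress(hMod, "RtlQueryProcessDebugInformation");
    RTLDESTROYDEBUGBUFFER RtlDestroyQueryDebugBuffer =
        (RTLDESTROYDEBUGBUFFER)GetProcAddress(hMod, "RtlDestroyQueryDebugBuffer");
    if (RtlCreateQueryDebugBuffer == NULL || RtlQueryProcessDebugInformation == NULL ||
        RtlDestroyQueryDebugBuffer == NULL)
    {
        printf("函数定位失败!\n");
        return;
    }

    PDEBUG_BUFFER Buffer = RtlCreateQueryDebugBuffer(0, FALSE);
    if (Buffer == NULL)
        return;

    // NTSTATUS: failure has the sign bit set. The original compared an unsigned
    // DWORD with 0 (`status < 0`), which can never be true.
    DWORD status = RtlQueryProcessDebugInformation(dwPID, PDI_MODULES, Buffer);
    if ((LONG)status < 0)
    {
        printf("RtlQueryProcessDebugInformation函数调用失败,进程开了保护\n");
        RtlDestroyQueryDebugBuffer(Buffer);   // was leaked on this path
        return;
    }
    if (Buffer->ModuleInformation == NULL)
    {
        RtlDestroyQueryDebugBuffer(Buffer);
        return;
    }

    ULONG count = *(PULONG)(Buffer->ModuleInformation);
    // Skip the leading count with byte arithmetic rather than a ULONG cast,
    // which would truncate the pointer on a 64-bit build.
    PDEBUG_MODULE_INFORMATION ModuleInfo =
        (PDEBUG_MODULE_INFORMATION)((PUCHAR)(Buffer->ModuleInformation) + sizeof(ULONG));
    for (ULONG i = 0; i < count; i++, ModuleInfo++)
    {
        printf("方法4列出的模块:%s\n", ModuleInfo->ImageName);
    }

    RtlDestroyQueryDebugBuffer(Buffer);
}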
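// Method 5: lists the calling process's own modules by walking the loader's
// InLoadOrderModuleList directly from the PEB (fs:[0x30]). Prints the PEB, Ldr
// and first-entry addresses, then base address and full name per module.
// 32-bit x86 MSVC only: inline asm plus hard-coded 32-bit structure offsets
// (PEB.Ldr = 0x0c, PEB_LDR_DATA.InLoadOrderModuleList = 0x0c,
// LDR_DATA_TABLE_ENTRY.DllBase = 0x18, FullDllName.Buffer = 0x28); nothing is
// validated at runtime, so a layout change yields garbage rather than an error.
void EnumSelfModule() 
{
    void *PEB         = NULL,
         *Ldr         = NULL,
         *head        = NULL,
         *p           = NULL,
         *BaseAddress = NULL,
         *FullDllName = NULL;
    printf("列举自身模块!\n");
    __asm
    {
        mov     eax,fs:[0x30]
        mov     PEB,eax
    }
    printf("PEB   = 0x%08X\n", PEB);
    Ldr = *((void**)((unsigned char*)PEB + 0x0c));
    printf("Ldr   = 0x%08X\n", Ldr);

    // The LIST_ENTRY embedded in PEB_LDR_DATA is the list head (a sentinel,
    // not a module). Start at its Flink and stop when the walk returns to the
    // head; the original do/while compared against the first entry and so
    // also printed the sentinel once.
    head = (unsigned char*)Ldr + 0x0c;
    p = *((void**)head);
    printf("Flink = 0x%08X\n", p);
    while (p != head)
    {
        BaseAddress = *((void**)((unsigned char*)p + 0x18));
        FullDllName = *((void**)((unsigned char*)p + 0x28));
        printf("p     = 0x%08X 0x%08X ", p, BaseAddress);
        wprintf(L"%s\n", FullDllName);
        p = *((void**)p);   // LIST_ENTRY.Flink is the first field
    }
}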
 
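#define PAGE_SIZE 0x1000   // scan granularity for Search(): one x86 page
void Search();
// Must match the definition below (byte*). The original declared
// IsValidModule(ULONG), an overload that is never defined.
bool IsValidModule(byte* i);
bool PrintModule();   // declared only; no definition in this listing
void main();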
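// Returns true when the memory at i looks like the start of a mapped DLL
// image: readable "MZ" DOS header, readable "PE" headers, IMAGE_FILE_DLL set
// and a GUI (2) or console (3) subsystem. The signature checks were missing in
// the original, so any readable page with the right bits at those offsets was
// reported as a module. Uses IsBadReadPtr like the original; Microsoft advises
// against it (it can misbehave on guard pages), acceptable for this demo scanner.
bool IsValidModule(byte* i) 
{
    if (IsBadReadPtr((void*)i, sizeof(IMAGE_DOS_HEADER)))
        return false;
    IMAGE_DOS_HEADER* BasePoint = (IMAGE_DOS_HEADER*)i;
    if (BasePoint->e_magic != IMAGE_DOS_SIGNATURE || BasePoint->e_lfanew < 0)
        return false;

    PIMAGE_NT_HEADERS32 NtHead = (PIMAGE_NT_HEADERS32)(i + BasePoint->e_lfanew);
    if (IsBadReadPtr((void*)NtHead, PAGE_SIZE))
        return false;
    if (NtHead->Signature != IMAGE_NT_SIGNATURE)
        return false;
    if ((NtHead->FileHeader.Characteristics & IMAGE_FILE_DLL) == 0)
        return false;   // skip .exe images

    WORD subsystem = NtHead->OptionalHeader.Subsystem;
    return subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI ||
           subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI;
}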
 
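// Method 6: brute-force scan of the current process's 32-bit user range
// 0x10000000..0x7ffeffff in PAGE_SIZE steps, printing and counting every page
// that IsValidModule accepts as a DLL header. Reads memory directly, so it only
// works on the calling process and finds only page-aligned image bases.
void Search() 
{
    printf("暴力搜索列举模块!\n");
    int Num = 0;
    for (UCHAR* i = (PUCHAR)0x10000000; i < (PUCHAR)0x7ffeffff; i += PAGE_SIZE)
    {
        if (IsValidModule(i))
        {
            printf("\t\t find a module at %p\n", i);   // %p: the value is a pointer
            Num++;
        }
    }
    printf("\t\t total find module :%03d\n", Num);
}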
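// Demo driver: enables SeDebugPrivilege, then runs each enumeration method
// against a hard-coded target PID and finally against the current process.
// The getchar() calls pause between stages so the console output can be read.
void main() 
{
    const DWORD kTargetPid = 4228;   // PID from the original article; use a process you own when testing
    if (!EnableDebugPrivilege(TRUE))
        printf("EnableDebugPrivilege failed\n");
    EnumModlueAll(kTargetPid);
    ForceLookUpModule(kTargetPid);
    getchar();
    GetProcessModule(kTargetPid);
    EnumModuleEx(kTargetPid);
    getchar();
    EnumSelfModule();
    getchar();
    Search();
    printf("按任意键退出........");
    getchar();
}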