枚举进程信息

// 枚举进程.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//

#include <windows.h>
#include <winternl.h>

#include <cstdio>
#include <iostream>
#include <vector>

using namespace std;


// Function-pointer aliases for the two ntdll exports this file resolves with
// GetProcAddress. Both are declared in <winternl.h> with the caveat that their
// behaviour and the structures they fill may change between Windows versions.
using fn_NtQueryInformationProcess = NTSTATUS(WINAPI*)(
    HANDLE           ProcessHandle,
    PROCESSINFOCLASS ProcessInformationClass,
    PVOID            ProcessInformation,
    ULONG            ProcessInformationLength,
    PULONG           ReturnLength);

using fn_NtQuerySystemInformation = NTSTATUS(WINAPI*)(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID                    SystemInformation,
    ULONG                    SystemInformationLength,
    PULONG                   ReturnLength);


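// <winternl.h> does not expose STATUS_INFO_LENGTH_MISMATCH, and including
// <ntstatus.h> beside <windows.h> triggers macro-redefinition warnings, so the
// value is spelled out locally.
static const NTSTATUS kStatusInfoLengthMismatch = static_cast<NTSTATUS>(0xC0000004L);

// NTSTATUS success test: negative values are failures.
static bool NtSucceeded(NTSTATUS status)
{
    return status >= 0;
}

// Prints the PID and parent PID of the calling process.
// The parent PID is read from the Reserved3 slot of the public
// PROCESS_BASIC_INFORMATION layout; winternl.h deliberately leaves that field
// unnamed, so treat it as undocumented and subject to change.
static void PrintCurrentProcessInfo(fn_NtQueryInformationProcess queryProcess)
{
    PROCESS_BASIC_INFORMATION pbi = { 0 };
    ULONG returned = 0;
    const NTSTATUS status = queryProcess(GetCurrentProcess(), ProcessBasicInformation,
                                         &pbi, sizeof(pbi), &returned);
    // The original printed the struct regardless of status; never report
    // fields the call did not fill in.
    if (!NtSucceeded(status))
    {
        cout << "NtQueryInformationProcess error: 0x" << hex << status << dec << endl;
        return;
    }
    const ULONG pid = static_cast<ULONG>(pbi.UniqueProcessId);
    const ULONG parentPid = static_cast<ULONG>(reinterpret_cast<ULONG_PTR>(pbi.Reserved3));
    cout << "进程ID:" << pid << " 父进程ID:" << parentPid << endl;
}

// Walks the SYSTEM_PROCESS_INFORMATION list returned by
// NtQuerySystemInformation and prints index, PID and image name per entry.
// NOTE(review): this goes through ntdll rather than the documented
// CreateToolhelp32Snapshot / EnumProcesses path, so user-mode hooks on those
// APIs are presumably not observed - worth knowing for both tooling and detection.
static void EnumerateProcesses(fn_NtQuerySystemInformation querySystem)
{
    // The required size is not known up front and changes as processes start
    // and exit. The original used a fixed 400000-byte buffer and ignored the
    // status, then walked whatever malloc() returned when the buffer was too
    // small; instead retry until the call accepts the buffer.
    std::vector<BYTE> buffer(200 * 2000);
    NTSTATUS status = 0;
    for (;;)
    {
        ULONG needed = 0;
        status = querySystem(SystemProcessInformation, buffer.data(),
                             static_cast<ULONG>(buffer.size()), &needed);
        if (status != kStatusInfoLengthMismatch)
        {
            break;
        }
        // Over-allocate a little so processes created between two calls do not
        // force yet another round trip.
        buffer.resize(static_cast<size_t>(needed) + 0x10000);
    }
    if (!NtSucceeded(status))
    {
        cout << "NtQuerySystemInformation error: 0x" << hex << status << dec << endl;
        return;
    }

    // Walk the list with byte offsets. The original did (ULONG)temp +
    // NextEntryOffset, which truncates the pointer on 64-bit builds and then
    // dereferences the truncated value. Every offset is checked against the
    // buffer so a malformed NextEntryOffset cannot read past the end.
    size_t offset = 0;
    ULONG index = 1;
    for (;;)
    {
        if (buffer.size() - offset < sizeof(SYSTEM_PROCESS_INFORMATION))
        {
            cout << "truncated SYSTEM_PROCESS_INFORMATION entry at offset " << offset << endl;
            break;
        }
        const SYSTEM_PROCESS_INFORMATION* entry =
            reinterpret_cast<const SYSTEM_PROCESS_INFORMATION*>(buffer.data() + offset);

        // ImageName is a UNICODE_STRING: Buffer can be NULL (observed for the
        // first entry) and is not guaranteed to be NUL-terminated, so print it
        // with an explicit length instead of a bare %ls.
        const wchar_t* imageName = entry->ImageName.Buffer ? entry->ImageName.Buffer : L"";
        const int imageNameChars = static_cast<int>(entry->ImageName.Length / sizeof(WCHAR));
        const ULONG pid = static_cast<ULONG>(reinterpret_cast<ULONG_PTR>(entry->UniqueProcessId));
        printf("[%lu]\t %lu \t %.*ls \n", index, pid, imageNameChars, imageName);
        ++index;

        const ULONG next = entry->NextEntryOffset;
        if (next == 0)
        {
            break;  // last entry in the list
        }
        if (next > buffer.size() - offset)
        {
            cout << "NextEntryOffset " << next << " points outside the buffer" << endl;
            break;
        }
        offset += next;
    }
}

// Prints the caller's PID / parent PID and then the whole process list, using
// ntdll exports resolved at runtime. Signature unchanged for existing callers.
void QueryProcess()
{
    // ntdll is already mapped in every process, so LoadLibraryW here only adds
    // a reference that the FreeLibrary at the end releases.
    HMODULE hNtdll = LoadLibraryW(L"ntdll.dll");
    if (hNtdll == nullptr)
    {
        cout << "LoadLibraryW error: " << GetLastError() << endl;
        return;
    }

    const auto queryProcess = reinterpret_cast<fn_NtQueryInformationProcess>(
        GetProcAddress(hNtdll, "NtQueryInformationProcess"));
    if (queryProcess != nullptr)
    {
        PrintCurrentProcessInfo(queryProcess);
    }

    const auto querySystem = reinterpret_cast<fn_NtQuerySystemInformation>(
        GetProcAddress(hNtdll, "NtQuerySystemInformation"));
    if (querySystem != nullptr)
    {
        EnumerateProcesses(querySystem);
    }

    FreeLibrary(hNtdll);
}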

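// Runs the enumeration and waits for Enter before the console closes.
int main()
{
    QueryProcess();
    // system("pause") hands a command to the shell the CRT locates through the
    // environment (COMSPEC / PATH), which a local attacker can influence; a
    // process-inspection tool should not spawn a shell just to wait, so block
    // on stdin instead.
    cout << "Press Enter to exit..." << endl;
    cin.get();
    return 0;
}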

