一、 實現原理:
首先通過CreateToolhelp32Snapshot函數創建一個進程的快照,然後通過調用Process32First使用快照返回的句柄對進程進行遍歷,相關的信息存放在PROCESSENTRY32結構類型的實例中,通過調用內部的一個函數GetProcessModule,獲取對應的進程的模塊名稱,然後通過對進程地址空間信息的讀取,從而獲取相應的線程的ID等的信息。
二、主要實現代碼:
獲取進程地址空間內的相關信息:
hProcess = OpenProcess (PROCESS_ALL_ACCESS,
FALSE, pe32.th32ProcessID);
pfGetProcessMemoryInfo(hProcess,pmc,sizeof(pmc));
獲取進程的模塊信息:
BOOL CEmuteFileDlg::GetProcessModule(DWORD dwPID, DWORD dwModuleID, LPMODULEENTRY32 lpMe32, DWORD cbMe32)
{
BOOL bRet = FALSE;
BOOL bFound = FALSE;
HANDLE hModuleSnap = NULL;
MODULEENTRY32 me32 = {0};
// Take a snapshot of all modules in the specified process.
hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
if (hModuleSnap == INVALID_HANDLE_VALUE)
return (FALSE);
// Fill the size of the structure before using it.
me32.dwSize = sizeof(MODULEENTRY32);
// Walk the module list of the process, and find the module of
// interest. Then copy the information to the buffer pointed
// to by lpMe32 so that it can be returned to the caller.
if (Module32First(hModuleSnap, &me32))
{
do
{
if (me32.th32ModuleID == dwModuleID)
{
CopyMemory (lpMe32, &me32, cbMe32);
bFound = TRUE;
}
}
while (!bFound && Module32Next(hModuleSnap, &me32));
bRet = bFound; // if this sets bRet to FALSE, dwModuleID
// no longer exists in specified process
}
else
bRet = FALSE; // could not walk module list
// Do not forget to clean up the snapshot object.
CloseHandle (hModuleSnap);
return (bRet);
}
三、提高權限:
BOOL EnableDebugPrivilege()
{
HANDLE hToken;
BOOL fOk=FALSE;
if(OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken))
{
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount=1;
if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tp.Privileges[0].Luid))
printf("Can't lookup privilege value.
");
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
if(!AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL))
printf("Can't adjust privilege value.
");
fOk=(GetLastError()==ERROR_SUCCESS);
CloseHandle(hToken);
}
return fOk;
}
四、後記:
我感覺信息獲取的不夠完整,比如說,我很想知道怎麼才能獲取進程的線程的模塊名稱,不知道那位大俠不吝賜教!
thanx!
:-)