收藏一段列举进程的代码，它能列举出用一般手段隐藏的进程（任务管理器中看不到、但仍能被 OpenProcess 打开的进程）。
这个代码里面使用的关键API并不是常见的CreateToolhelp32Snapshot那一套API.
它使用的是位于psapi.dll里的EnumProcesses函数
具体代码如下:
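' The project needs one form with a button (Command1) and a list box (List1); keep the default control names.
Option Explicit

' psapi.dll / kernel32.dll entry points used by Command1_Click.
' NOTE(review): the pasted listing carried a trailing space inside every Lib/Alias string
' ("psapi.dll ", "GetModuleFileNameExA "). GetProcAddress matches export names exactly, so an
' alias with a trailing space never resolves (VB runtime error 453, swallowed by On Error Resume Next
' in the caller, which would leave every entry as <Unknown>). The strings are trimmed here.
Private Declare Function EnumProcesses Lib "psapi.dll" (ByRef lpidProcess As Long, ByVal cb As Long, ByRef cbNeeded As Long) As Long
Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function EnumProcessModules Lib "psapi.dll" (ByVal hProcess As Long, ByRef lphModule As Long, ByVal cb As Long, ByRef lpcbNeeded As Long) As Long
Private Declare Function GetModuleFileNameEx Lib "psapi.dll" Alias "GetModuleFileNameExA" (ByVal hProcess As Long, ByVal hModule As Long, ByVal lpFilename As String, ByVal nSize As Long) As Long
Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As Long) As Long
Private Declare Function GetProcessImageFileName Lib "psapi.dll" Alias "GetProcessImageFileNameA" (ByVal hProcess As Long, ByVal lpImageFileName As String, ByVal nSize As Long) As Long

' Access mask requested from OpenProcess during the PID sweep. Anything that denies these rights
' (protected processes, other sessions without SeDebugPrivilege) is silently skipped by the sweep,
' so a process missing from the list is not evidence that it does not exist.
Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private Const PROCESS_VM_READ As Long = (&H10)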
' Set the button caption and fill the list once, as soon as the form is loaded.
Private Sub Form_Load()
    With Command1
        .Caption = "Refresh "
    End With
    Call Command1_Click
End Sub
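' Refresh List1 with every process that can be opened by sweeping candidate PIDs, and mark those
' that EnumProcesses did not report as "--[Hidden]--".
'
' This is a cross-view check: EnumProcesses is the "official" view (the one Task Manager style
' tools rely on), and OpenProcess on every candidate PID is the second view. A process hidden only
' by tampering with the enumeration path still answers OpenProcess, so it shows up with the mark.
'
' Known limitations a reader should keep in mind before trusting the output:
'  - A process created between the EnumProcesses call and the moment the sweep reaches its PID
'    is reported as hidden (benign race, re-run Refresh).
'  - A hider that also intercepts OpenProcess / NtOpenProcess is not detected; OpenProcess failures
'    (access denied, protected processes) are skipped silently.
'  - From a 32-bit VB6 host, EnumProcessModules fails on 64-bit targets, so those fall into the
'    "--[Zombie]--" branch, which shows the native device path returned by GetProcessImageFileName.
'
' Changes against the original: the PID buffer grows instead of silently truncating at 1024 entries;
' the sweep upper bound is raised when EnumProcesses already reported PIDs above &HFFFF; a buffer
' the API never filled no longer triggers Left(s, -1); and the Hidden mark is applied in the
' Zombie branch too (the original dropped the mark when the module list could not be read).
Private Sub Command1_Click()
    Const PID_STEP As Long = 4&              ' PIDs are allocated in multiples of 4
    Const PID_SWEEP_MIN As Long = &HC&       ' skip 0 (Idle), 4 (System) and 8 as in the original
    Const PID_SWEEP_FLOOR As Long = &HFFFF&  ' original upper bound; only ever raised, never lowered
    Const NAME_BUF_LEN As Long = 1024

    Dim aProcesses() As Long
    Dim cbBuffer As Long, cbNeeded As Long, cProcesses As Long
    Dim hProcess As Long, hModule As Long, cbModules As Long
    Dim PidFor As Long, PidMax As Long, i As Long
    Dim sHide As Boolean, szName As String, szSuffix As String

    On Error Resume Next    ' an API failure must skip one PID, never abort the whole sweep
    List1.Clear

    ' Grow the PID buffer until EnumProcesses reports fewer bytes than offered: when cbNeeded
    ' equals the buffer size the list may have been truncated (the original fixed 1024-entry
    ' array silently dropped every PID beyond that point).
    cbBuffer = 1024 * 4&
    Do
        ReDim aProcesses(cbBuffer \ 4& - 1)
        If EnumProcesses(aProcesses(0), cbBuffer, cbNeeded) = 0 Then Exit Sub
        If cbNeeded < cbBuffer Then Exit Do
        cbBuffer = cbBuffer * 2
    Loop
    cProcesses = cbNeeded \ 4&

    ' Sweep at least up to the original bound, further if the official view already saw higher PIDs.
    PidMax = PID_SWEEP_FLOOR
    For i = 0 To cProcesses - 1
        If aProcesses(i) > PidMax Then PidMax = aProcesses(i)
    Next i

    For PidFor = PID_SWEEP_MIN To PidMax Step PID_STEP
        hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, PidFor)
        If hProcess <> 0 Then
            ' Hidden = reachable through OpenProcess but absent from the EnumProcesses list.
            sHide = True
            For i = 0 To cProcesses - 1
                If aProcesses(i) = PidFor Then
                    sHide = False
                    Exit For
                End If
            Next i

            szName = Space$(NAME_BUF_LEN)    ' no NUL inside: an API that writes nothing leaves it NUL-free
            hModule = 0
            cbModules = 0
            szSuffix = ""
            If EnumProcessModules(hProcess, hModule, 4&, cbModules) <> 0 Then
                ' First module is the main executable; GetModuleFileNameEx yields its Win32 path.
                GetModuleFileNameEx hProcess, hModule, szName, NAME_BUF_LEN
            Else
                ' Module list unreadable (exiting process, or 64-bit target from a 32-bit host).
                GetProcessImageFileName hProcess, szName, NAME_BUF_LEN
                szSuffix = vbTab + "--[Zombie]-- "
            End If
            If sHide Then szSuffix = szSuffix + vbTab + "--[Hidden]-- "

            List1.AddItem CStr(PidFor) + vbTab + TrimToNull(szName) + szSuffix
            CloseHandle hProcess
        End If
    Next PidFor
End Sub

' Return the text before the first NUL of an API-filled buffer, or "<Unknown>" when the buffer
' holds no NUL at all (the API never wrote it). The original computed Left(s, InStr(...) - 1),
' which raises on a missing NUL and was only hidden by On Error Resume Next.
Private Function TrimToNull(ByVal s As String) As String
    Dim p As Long
    p = InStr(1, s, vbNullChar)
    If p > 0 Then
        TrimToNull = Left$(s, p - 1)
    Else
        TrimToNull = "<Unknown>"
    End If
End Function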
使用了之前我收集的隐藏进程DLL与隐藏进程BAS进行了测试,的确可以在系统自带任务管理器里看不见的情况下,正确列举出隐藏进程.
不知道这个API实现的原理是什么？（补充：从代码看，起作用的其实不是 EnumProcesses 本身，而是对每个候选 PID 逐个调用 OpenProcess，再与 EnumProcesses 返回的列表比对——只要隐藏手段只篡改了进程枚举路径而没有拦截 OpenProcess，被隐藏的进程仍然能被打开并标记为 Hidden；反过来，如果隐藏方也拦截了 OpenProcess，或者进程的 PID 超出了扫描上限，这段代码就看不到它。）
工程文件打包下载:
http://www.m5home.com/blog/blogview.asp?logID=458
http://m5home.vicp.net/blog/blogview.asp?logID=458
PS:
一次登录只有十分可给,有点少...一下子就光光了:(
又没人肯结帖结多点分给我,嘿嘿:)
[解决办法]
........
老马 你跟不上时代了啊