
完整的进程结束代码.请问怎么判断进程是否为系统进程

2012-01-24 
完整的进程结束代码.请教如何判断进程是否为系统进程.模块内容:----------------------------------------

完整的进程结束代码.请教如何判断进程是否为系统进程.
模块内容:
------------------------------------------
'--------循环杀掉相应进程
' ToolHelp process record filled by Process32First / Process32Next.
Public Type PROCESSENTRY32
    ' Byte size of this record; the caller sets it (Len(tPE)) before Process32First.
    dwSize As Long
    cntUsage As Long
    ' Process id handed to OpenProcess.
    th32ProcessID As Long
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    dwFlags As Long
    ' Image file name, NUL-terminated inside a fixed 260-character buffer; it is the
    ' name only, which is why the name match alone cannot tell two same-named
    ' processes apart.
    szExeFile As String * 260
End Type
' Snapshot flag: enumerate processes only.
Public Const TH32CS_SNAPPROCESS = &H2&

' ToolHelp enumeration of running processes.
' NOTE(review): every Lib literal below carries a trailing blank inside the quotes
' ("kernel32 "); that looks like the forum's rendering of the closing quote rather
' than the author's intent - the library name is "kernel32".
Public Declare Function CreateToolhelp32Snapshot Lib "kernel32 " (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Public Declare Function Process32First Lib "kernel32 " (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Public Declare Function Process32Next Lib "kernel32 " (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long

' Opening, terminating and releasing a process handle. KillProcess below opens with
' dwDesiredAccess = 1 (PROCESS_TERMINATE), the minimum right TerminateProcess needs.
Public Declare Function OpenProcess Lib "kernel32 " (ByVal dwDesiredAccess As Long, ByVal blnheritHandle As Long, ByVal dwAppProcessId As Long) As Long
Public Declare Function TerminateProcess Lib "kernel32 " (ByVal ApphProcess As Long, ByVal uExitCode As Long) As Long
' Declared as a Sub, so the BOOL result of CloseHandle is always discarded.
Public Declare Sub CloseHandle Lib "kernel32 " (ByVal hPass As Long)
--------------------------------------------

窗体代码:
--------------------------------------------
' Walks a process snapshot and terminates every process whose image name equals the
' hard-coded literal. The parameter a is accepted but never used.
'
' Risk, as the question itself points out: the match is on image name only, so every
' process called services.exe is terminated - including the operating system's own
' one, and Windows treats the loss of that process as fatal. Deciding by name is not
' a sufficient guard; the owning account and the image path (see the answers below)
' are what is missing here, and even those only say who runs it and where it lives,
' not that it is legitimate.
'
' NOTE(review): the literal "services.exe " ends in a blank, while the Left/InStr
' expression strips the name at its NUL, so as printed the comparison can never be
' true; the blank looks like the same rendering artifact as the "kernel32 " Lib
' names above. On Error Resume Next also hides every API failure in this routine
' (an InStr miss, a failed OpenProcess), so nothing is ever reported.
Public Sub KillProcess(a)
On Error Resume Next

    Dim hSnap As Long
    Dim hProc As Long
    Dim exitCode As Long
    Dim entry As PROCESSENTRY32
    Dim exeName As String

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)
    ' INVALID_HANDLE_VALUE: nothing to enumerate.
    If hSnap = -1 Then Exit Sub

    ' dwSize must describe the record before the first call.
    entry.dwSize = Len(entry)
    If Process32First(hSnap, entry) Then
        Do
            ' Cut the fixed 260-char buffer at its NUL terminator.
            exeName = Left(entry.szExeFile, InStr(1, entry.szExeFile, Chr(0)) - 1)
            If exeName = "services.exe " Then
                ' Access right 1 = PROCESS_TERMINATE; exitCode stays 0.
                hProc = OpenProcess(1, False, entry.th32ProcessID)
                TerminateProcess hProc, exitCode
                CloseHandle hProc
            End If
        Loop While Process32Next(hSnap, entry)
    End If
    CloseHandle hSnap

End Sub


' Runs the kill loop as soon as the form loads.
' NOTE(review): a is never declared in the form code shown (no Option Explicit), so an
' empty Variant is passed; KillProcess ignores its argument in any case.
Private Sub Form_Load()
    Call KillProcess(a)
End Sub


以上是一个关闭进程的实例,查找进程中是否有services.exe,如果有,则关闭.
我想做的是一个病毒查杀工具,但是遇到一个问题:名为services.exe的进程有两个,一个是系统自己的,一个是病毒,当然,它们所在的位置不一样.请问,如何获取这个进程所在的位置?或者如何判断这个进程是否属于system的?请高手帮忙解答,最后20分..

祝大家新年快乐.


[解决办法]
Option Explicit

' Process access rights passed to OpenProcess (winnt.h values).
Private Const PROCESS_QUERY_INFORMATION As Long = 1024   ' &H400
Private Const PROCESS_VM_READ As Long = 16               ' &H10

' Token access for OpenProcessToken (STANDARD_RIGHTS_READ Or TOKEN_QUERY) and the
' TOKEN_INFORMATION_CLASS value for GetTokenInformation.
Private Const TOKEN_READ As Long = &H20008
Private Const TokenUser = 1

' Well-known SID constants. Not referenced by the code shown on this page.
Private Const SECURITY_NT_AUTHORITY As Long = &H5
Private Const SECURITY_BUILTIN_DOMAIN_RID As Long = &H20&
Private Const DOMAIN_ALIAS_RID_USERS = &H221
' Mirrors the 6-byte Win32 SID_IDENTIFIER_AUTHORITY. Not referenced by the code shown
' on this page. NOTE(review): Value(6) declares seven elements (0 To 6) under VB's
' default lower bound; if this type is ever passed to an API, declare it Value(0 To 5).
Private Type SID_IDENTIFIER_AUTHORITY
    Value(6) As Byte
End Type
' Win32 SID_AND_ATTRIBUTES. SID holds a pointer to the SID (a 32-bit Long here, so
' this declaration is for 32-bit VB6 only), not the SID bytes themselves.
Private Type SID_AND_ATTRIBUTES
    SID As Long
    Attributes As Long
End Type
' Receiving buffer for GetTokenInformation(TokenUser): the SID_AND_ATTRIBUTES header
' followed by 501 bytes of space for the variable-length SID. After the call,
' User.SID is passed on as the SID pointer, so the SID is expected to live inside
' this same record (that is how GetProcessUserName below uses it).
Private Type TOKEN_USER
    User As SID_AND_ATTRIBUTES
    SID(500) As Byte
End Type
' Process and token handle access (kernel32).
' NOTE(review): the Lib and Alias literals below all end in a blank inside the quotes
' ("kernel32 ", "advapi32.dll ", "LookupAccountSidA "); that looks like the forum's
' rendering of the closing quote, not part of the real names.
Private Declare Function OpenProcess Lib "kernel32.dll " (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32 " (ByVal hObject As Long) As Long

' Token query and SID-to-account resolution (advapi32). OpenProcessToken and
' GetTokenInformation return a Win32 BOOL: non-zero on success, not necessarily 1.
Private Declare Function OpenProcessToken Lib "advapi32.dll " (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function GetTokenInformation Lib "advapi32.dll " (ByVal TokenHandle As Long, ByVal TokenInformationClass As Long, TokenInformation As Any, ByVal TokenInformationLength As Long, ReturnLength As Long) As Long
Private Declare Function LookupAccountSid Lib "advapi32.dll " Alias "LookupAccountSidA " (ByVal lpSystemName As String, ByVal SID As Long, ByVal name As String, cbName As Long, ByVal ReferencedDomainName As String, cbReferencedDomainName As Long, peUse As Long) As Long

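' Returns the account name that owns the primary token of process ProcessID, or ""
' when the process cannot be opened, its token cannot be read, or the SID cannot be
' resolved to a name.
'
' ProcessID   - the process id (e.g. PROCESSENTRY32.th32ProcessID).
' DomainName  - optional, ByRef: receives the domain part LookupAccountSid reports.
'               The original discarded it, but for the question on this page it is the
'               useful half: it is what separates an "NT AUTHORITY" account from a
'               user account.
'
' Changes from the original:
'   * the early exit for an oversized SID no longer leaks hToken and hProcess;
'   * BOOL results are tested with <> 0 instead of = 1;
'   * the LookupAccountSid result is checked, and the returned strings are cut at
'     their NUL terminator instead of having the NUL replaced by a blank, which left
'     a trailing space on every name.
'
' The owning account says who runs a process, not what it is: a process running as
' SYSTEM is not thereby a legitimate one, so this check should be combined with the
' image path, not used on its own.
Public Function GetProcessUserName(ByVal ProcessID As Long, Optional ByRef DomainName As String) As String
    Dim hProcess As Long
    Dim hToken As Long
    Dim res As Long
    Dim cbBuff As Long
    Dim tiLen As Long
    Dim TU As TOKEN_USER
    Dim sAcctName As String
    Dim cbAcctName As Long
    Dim sDomainName As String
    Dim cbDomainName As Long
    Dim peUse As Long

    GetProcessUserName = ""
    DomainName = ""

    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, ProcessID)
    ' Access denied or no such process: nothing to release yet.
    If hProcess = 0 Then Exit Function

    If OpenProcessToken(hProcess, TOKEN_READ, hToken) <> 0 Then
        ' First call with a NULL buffer and zero length only reports the required
        ' size in cbBuff (the call itself fails, hence res = 0 is the expected case).
        res = GetTokenInformation(hToken, TokenUser, ByVal 0, 0, cbBuff)
        ' Fetch only when the answer fits in TU; otherwise fall through to the
        ' handle cleanup instead of leaving the function as the original did.
        If res = 0 And cbBuff > 0 And cbBuff <= Len(TU) Then
            tiLen = cbBuff
            res = GetTokenInformation(hToken, TokenUser, TU, tiLen, cbBuff)
            If res <> 0 Then
                sAcctName = Space$(255)
                sDomainName = Space$(255)
                cbAcctName = 255
                cbDomainName = 255
                ' TU.User.SID points into TU's own SID() buffer, so it is valid here.
                res = LookupAccountSid(vbNullString, TU.User.SID, sAcctName, cbAcctName, sDomainName, cbDomainName, peUse)
                If res <> 0 Then
                    GetProcessUserName = CutAtNul(sAcctName)
                    DomainName = CutAtNul(sDomainName)
                End If
            End If
        End If
        CloseHandle hToken
    End If
    CloseHandle hProcess
End Function

' Cuts a fixed-size buffer filled by an ANSI API at its first NUL; when there is no
' NUL (the buffer was not written), the padding blanks are trimmed instead.
Private Function CutAtNul(ByVal s As String) As String
    Dim p As Long
    p = InStr(1, s, Chr(0))
    If p > 0 Then
        CutAtNul = Left$(s, p - 1)
    Else
        CutAtNul = Trim$(s)
    End If
End Function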


[解决办法]
你下载 http://yuan505.vicp.net/cy_filesxxx/vbsrc/vbapihooker.rar
然后进入VBAPIHooker文件夹,在frmMain里有一个GetModEntries函数,可以枚举指定进程的所有模块,其中的.szExePath就是你要的信息
