完整的进程结束代码.请教如何判断进程是否为系统进程.
模块内容:
------------------------------------------
'--------循环杀掉相应进程
Public Type PROCESSENTRY32
dwSize As Long
cntUsage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szExeFile As String * 260
End Type
Public Declare Function CreateToolhelp32Snapshot Lib "kernel32 " (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Public Declare Function Process32First Lib "kernel32 " (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Public Declare Function Process32Next Lib "kernel32 " (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Public Declare Function OpenProcess Lib "kernel32 " (ByVal dwDesiredAccess As Long, ByVal blnheritHandle As Long, ByVal dwAppProcessId As Long) As Long
Public Declare Function TerminateProcess Lib "kernel32 " (ByVal ApphProcess As Long, ByVal uExitCode As Long) As Long
Public Declare Sub CloseHandle Lib "kernel32 " (ByVal hPass As Long)
Public Const TH32CS_SNAPPROCESS = &H2&
--------------------------------------------
窗体代码:
--------------------------------------------
Public Sub KillProcess(a)
On Error Resume Next
Dim lSnapShot As Long
Dim lNextProcess As Long
Dim tPE As PROCESSENTRY32
lSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)
If lSnapShot <> -1 Then
tPE.dwSize = Len(tPE)
lNextProcess = Process32First(lSnapShot, tPE)
Do While lNextProcess
Dim lProcess As Long
Dim lExitCode As Long
If Left(tPE.szExeFile, InStr(1, tPE.szExeFile, Chr(0)) - 1) = "services.exe " Then
lProcess = OpenProcess(1, False, tPE.th32ProcessID)
TerminateProcess lProcess, lExitCode
CloseHandle lProcess
End If
lNextProcess = Process32Next(lSnapShot, tPE)
Loop
CloseHandle (lSnapShot)
End If
End Sub
Private Sub Form_Load()
KillProcess (a)
End Sub
以上是一个关闭进程的实例,查找进程中是否有services.exe,如果有,则关闭.
我想做的是一个病毒查杀工具,但是遇到一个问题,services.exe有两个,一个是系统自己的,一个是病毒,当然,位置不一样.请问,如何获取到这个进程的所在位置?或者如何判断这个进程是属于system的?请高手帮忙解答,最后20分..
祝大家新年快乐.
[解决办法]
Option Explicit
Private Const TOKEN_READ As Long = &H20008
Private Const SECURITY_BUILTIN_DOMAIN_RID As Long = &H20&
Private Const SECURITY_NT_AUTHORITY As Long = &H5
Private Const PROCESS_QUERY_INFORMATION As Long = 1024
Private Const PROCESS_VM_READ As Long = 16
Private Const DOMAIN_ALIAS_RID_USERS = &H221
Private Const TokenUser = 1
Private Type SID_IDENTIFIER_AUTHORITY
Value(6) As Byte
End Type
Private Type SID_AND_ATTRIBUTES
SID As Long
Attributes As Long
End Type
Private Type TOKEN_USER
User As SID_AND_ATTRIBUTES
SID(500) As Byte
End Type
Private Declare Function LookupAccountSid Lib "advapi32.dll " Alias "LookupAccountSidA " (ByVal lpSystemName As String, ByVal SID As Long, ByVal name As String, cbName As Long, ByVal ReferencedDomainName As String, cbReferencedDomainName As Long, peUse As Long) As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll " (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function GetTokenInformation Lib "advapi32.dll " (ByVal TokenHandle As Long, ByVal TokenInformationClass As Long, TokenInformation As Any, ByVal TokenInformationLength As Long, ReturnLength As Long) As Long
Private Declare Function CloseHandle Lib "kernel32 " (ByVal hObject As Long) As Long
Private Declare Function OpenProcess Lib "kernel32.dll " (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long
Public Function GetProcessUserName(ByVal ProcessID As Long) As String
Dim hProcessID As Long
Dim hToken As Long
Dim res As Long
Dim cbBuff As Long
Dim tiLen As Long
Dim TU As TOKEN_USER
Dim cnt As Long
Dim sAcctName2 As String
Dim cbAcctName As Long
Dim sDomainName As String
Dim cbDomainName As Long
Dim peUse As Long
Dim barr() As Byte
hProcessID = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, ProcessID)
If hProcessID <> 0 Then
If OpenProcessToken(hProcessID, TOKEN_READ, hToken) = 1 Then
res = GetTokenInformation(hToken, TokenUser, ByVal 0, tiLen, cbBuff)
If res = 0 And cbBuff > 0 Then
tiLen = cbBuff
If cbBuff > Len(TU) Then Exit Function
res = GetTokenInformation(hToken, TokenUser, TU, tiLen, cbBuff)
If res = 1 And tiLen > 0 Then
sAcctName2 = Space$(255)
sDomainName = Space$(255)
cbAcctName = 255
cbDomainName = 255
res = LookupAccountSid(vbNullString, TU.User.SID, sAcctName2, cbAcctName, sDomainName, cbDomainName, peUse)
GetProcessUserName = Replace(Trim(sAcctName2), Chr(0), " ")
End If
End If
End If
If hToken Then CloseHandle hToken
CloseHandle hProcessID
End If
End Function
[解决办法]
你下载 http://yuan505.vicp.net/cy_filesxxx/vbsrc/vbapihooker.rar
然后进入VBAPIHooker文件夹,在frmMain里有一个GetModEntries函数可以枚举指定进程所有模块的函数,其中的.szExePath就可以获得你要的信息