获取父PID
已知一个 PID，如何查询其父 PID？
不是枚举后逐个对比，而是直接查询，像 GetParent 那样的调用。
[解决办法]
通过 WMI 里的 Win32_Process 类，应该可以用一到两次类似 SQL 的查询，根据一个 PID 得到其 ParentProcessId。
[解决办法]
' --- Win32 declarations for the Toolhelp-based parent lookup (GetParentProcess) ---
' NOTE(review): every Lib/Alias name below carries a trailing space inside the
' quotes (e.g. "kernel32.dll "), most likely a copy/paste artifact -- verify the
' Declares actually resolve before relying on this listing.
Private Declare Function GetCurrentProcessId Lib "kernel32.dll " () As Long
' Used to resolve a PID to its image path/filename (OpenProcess + GetModuleFileNameEx)
' WinNT
Private Declare Function OpenProcess Lib "kernel32.dll " (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function GetModuleFileNameExA Lib "psapi.dll " (ByVal hProcess As Long, ByVal hModule As Long, ByVal lpFileName As String, ByVal nSize As Long) As Long
Private Declare Function CloseHandle Lib "kernel32.dll " (ByVal hObject As Long) As Long
' Standard access-right bits; only combined into PROCESS_ALL_ACCESS here.
' None of these is referenced by GetParentProcess itself.
Private Const READ_CONTROL As Long = &H20000
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const STANDARD_RIGHTS_READ As Long = (READ_CONTROL)
Private Const STANDARD_RIGHTS_EXECUTE As Long = (READ_CONTROL)
Private Const STANDARD_RIGHTS_ALL As Long = &H1F0000
Private Const STANDARD_RIGHTS_WRITE As Long = (READ_CONTROL)
Private Const SYNCHRONIZE As Long = &H100000
' Full access; open with the narrowest right that the caller really needs instead.
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Private Const PROCESS_TERMINATE As Long = (&H1)
Private Declare Function TerminateProcess Lib "kernel32.dll " (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
' Win9x (Toolhelp snapshot API; the same kernel32 exports are also available on NT-based Windows)
Private Declare Function CreateToolhelpSnapshot Lib "kernel32 " Alias "CreateToolhelp32Snapshot " (ByVal lFlags As Long, ByVal lProcessID As Long) As Long
Private Declare Function ProcessFirst Lib "kernel32 " Alias "Process32First " (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Function ProcessNext Lib "kernel32 " Alias "Process32Next " (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
' One entry of the process snapshot. dwSize must be set by the caller before Process32First.
Private Type PROCESSENTRY32
dwSize As Long
cntUsage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
' PID of the creating process at creation time. If that parent has exited, the PID
' may since have been reused by an unrelated process -- do not treat it as a trust anchor.
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
' NOTE(review): the SDK declares szExeFile as MAX_PATH (260) chars; 1024 is larger than
' the SDK struct. GetParentProcess sets dwSize = Len(proc), so the call should still be
' accepted -- TODO confirm.
szexeFile As String * 1024
End Type
' Snapshot flags for CreateToolhelp32Snapshot
Private Const TH32CS_SNAPPROCESS = &H2
Private Const TH32CS_SNAPheaplist = &H1
Private Const TH32CS_SNAPthread = &H4
Private Const TH32CS_SNAPmodule = &H8
Private Const TH32CS_SNAPall = TH32CS_SNAPPROCESS + TH32CS_SNAPheaplist + TH32CS_SNAPthread + TH32CS_SNAPmodule
Private Declare Function GetWindowThreadProcessId Lib "user32.dll " (ByVal hWnd As Long, lpdwProcessId As Long) As Long
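' Resolves the parent of process pid (0 = the current process) and returns
' PIDtoProcess(parent pid); returns "" if the snapshot cannot be taken or pid
' is not in it. PIDtoProcess is defined elsewhere in the module.
' NOTE(review): th32ParentProcessID is the creator's PID at creation time. If the
' parent has exited, that PID may have been reused by an unrelated process, so the
' result must not be used as a trust decision about who started pid.
Public Function GetParentProcess(Optional ByVal pid As Long = 0) As String
Const INVALID_HANDLE_VALUE As Long = -1
Dim ret As String
Dim proc As PROCESSENTRY32
Dim snap As Long
Dim hasEntry As Long
If pid = 0 Then pid = GetCurrentProcessId
' Only the process list is needed; TH32CS_SNAPall would also snapshot heaps, threads and modules.
snap = CreateToolhelpSnapshot(TH32CS_SNAPPROCESS, 0)
If snap = INVALID_HANDLE_VALUE Then Exit Function
proc.dwSize = Len(proc) 'Process32First rejects the call if dwSize is not set
hasEntry = ProcessFirst(snap, proc)
Do While hasEntry <> 0
If proc.th32ProcessID = pid Then
ret = PIDtoProcess(proc.th32ParentProcessID)
' The original cleared its loop flag here but ProcessNext immediately overwrote
' it, so the scan never stopped early; Exit Do actually ends the walk.
Exit Do
End If
hasEntry = ProcessNext(snap, proc)
Loop
CloseHandle snap 'release the snapshot handle
GetParentProcess = ret
End Function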
[解决办法]
可以通过查询 PEB 获取父进程。
下面是获取进程参数的代码（来自 CSDN），其中 PROCESS_BASIC_INFORMATION 的 InheritedFromUniqueProcessId 字段就是你想要的。
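' --- Declarations for the NtQueryInformationProcess / PEB-based approach ---
' This is a separate answer from the Toolhelp listing above: OpenProcess, CloseHandle
' and the PROCESS_* constants are Public here and would clash with the Private ones
' above if both listings were pasted into a single module.
' ProcessInformationClass 0 = ProcessBasicInformation (fills PROCESS_BASIC_INFORMATION).
Private Declare Function NtQueryInformationProcess Lib "ntdll " (ByVal ProcessHandle As Long, ByVal ProcessInformationClass As Long, ByRef ProcessInformation As Any, ByVal lProcessInformationLength As Long, ByRef lReturnLength As Long) As Long
' Returns nonzero on success, 0 on failure (it is not an NTSTATUS).
Private Declare Function ReadProcessMemory Lib "kernel32 " (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByRef lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function OpenProcess Lib "kernel32 " (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Public Declare Function CloseHandle Lib "kernel32 " (ByVal hObject As Long) As Long
' Process access rights. Open with the narrowest set that is needed
' (GetCmdLine uses PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ).
Public Const PROCESS_ALL_ACCESS = &H1F0FFF
Public Const PROCESS_TERMINATE = &H1
Public Const PROCESS_VM_READ = 16 '&H10
Public Const PROCESS_QUERY_INFORMATION = 1024 '&H400
' Corrected: the SDK value is &H200 (512). 612 is not a valid access-right bit.
Public Const PROCESS_SET_INFORMATION = &H200
' 32-bit layout of PROCESS_BASIC_INFORMATION (six 4-byte fields, 24 bytes).
' A 64-bit process would need 8-byte pointer/ULONG_PTR fields.
Private Type PROCESS_BASIC_INFORMATION
ExitStatus As Long
PebBaseAddress As Long 'pointer to the target's PEB in its own address space
AffinityMask As Long
BasePriority As Long
UniqueProcessId As Long
' Parent PID recorded at creation time; may be stale/reused if the parent has exited.
InheritedFromUniqueProcessId As Long
End Type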
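' Returns the command line of process plngPID as stored in its PEB, or "" on any
' failure (cannot open the process, query fails, memory read fails, empty command line).
' Offsets are for a 32-bit target read by a 32-bit caller:
'   PEB + &H10                -> ProcessParameters (RTL_USER_PROCESS_PARAMETERS*)
'   ProcessParameters + &H40  -> CommandLine.Length (USHORT, byte count, no terminator)
'   ProcessParameters + &H44  -> CommandLine.Buffer (WCHAR*)
' NOTE(review): behaviour for a 64-bit target under WOW64 is not covered here -- TODO confirm.
' NOTE(review): a process can rewrite its own PEB command line, so treat the result as
' untrusted data reported by the target, not as evidence of how it was started.
' Fixes over the original: the command line is read using its real Length instead of a
' fixed 256 bytes (longer command lines previously returned "" because the NUL search
' failed), and the bytes are copied through a Byte array, avoiding the ANSI round trip
' that a ByVal String parameter performs.
Public Function GetCmdLine(ByVal plngPID As Long) As String
Const STATUS_SUCCESS As Long = 0
Dim hProcess As Long
Dim lpParams As Long
Dim cbCmdLine As Long
Dim lpBuffer As Long
Dim bytesRead As Long
Dim Info As PROCESS_BASIC_INFORMATION
Dim buf() As Byte
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, plngPID)
If hProcess = 0 Then Exit Function
' 0 = ProcessBasicInformation; lReturnLength is not needed, so pass NULL
If NtQueryInformationProcess(hProcess, 0, Info, Len(Info), ByVal 0&) = STATUS_SUCCESS Then
' ReadProcessMemory returns nonzero on success
If ReadProcessMemory(hProcess, Info.PebBaseAddress + &H10, lpParams, 4, bytesRead) <> 0 Then
' Length is a USHORT; reading 2 bytes into a zeroed Long yields its value (little-endian)
If ReadProcessMemory(hProcess, lpParams + &H40, cbCmdLine, 2, bytesRead) <> 0 Then
If ReadProcessMemory(hProcess, lpParams + &H44, lpBuffer, 4, bytesRead) <> 0 Then
If cbCmdLine > 0 And lpBuffer <> 0 Then
ReDim buf(0 To cbCmdLine - 1)
If ReadProcessMemory(hProcess, lpBuffer, buf(0), cbCmdLine, bytesRead) <> 0 Then
' Byte array -> String copies the UTF-16 bytes without any code-page conversion
GetCmdLine = buf
End If
End If
End If
End If
End If
End If
CloseHandle hProcess
End Function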