这篇文章是我翻译了两篇VC文章结合在一起的成果~具体翻译的文章出处我也不清楚,我也是在网络上找到的,希望原作者见谅!此文章是通过获取内核数据、枚举EPROCESS结构来枚举进程的,所以现在大部分隐藏进程的程序都可以一一列出来.在有的机器上运行可能会出错.下面我把核心代码贴在下面,需要完整源码的可以去我的博客上去找.地址是:http://blog.csdn.net/chenhui530/
Public Sub PrintProcesses()
' Body of PrintProcesses.
' Lists processes by reading the kernel's EPROCESS list directly out of kernel
' memory (through the project's GetData/GetPID/GetProcessName helpers) rather
' than through a user-mode enumeration API, so entries that a rootkit has
' unlinked from the usual view can still be shown. Every process is appended
' to frmMain.lstProcesses as "PID: ... EPROCESS: ... ImageName: ..."; entries
' that IsHideProcess reports as hidden get the "隐藏PID" prefix instead.
' Depends on helpers defined elsewhere in the project: GetKernelModuleBase,
' GetVersionName, OpenPhysicalMemory, GetData, GetPID, GetProcessName,
' IsHideProcess, plus the frmMain form.
' All structure offsets are hard-coded per OS version; on a build or service
' pack with a different EPROCESS layout the reads land on the wrong fields
' (the author notes it may fail on some machines).
' pKernel is never used and lngAName is assigned in every branch but never read.
Dim lngKernel As Long, pKernel As Long, lngStartProcAddr As Long, lngBaseAddr As Long
Dim objAddr As Long, strProcessName As String, strEAddr As String, strProcessId As String
Dim objEndAddr As Long, lngPID As Long, lngName As Long, lngAName As Long, lngTmp As Long
Dim strVersion As String, lngSName As Long, lngAList As Long, lngSList As Long
' Map a user-mode copy of ntoskrnl.exe so GetProcAddress can resolve the export below
lngKernel = LoadLibrary("ntoskrnl.exe")
' Address of PsInitialSystemProcess inside the user-mode mapping
lngStartProcAddr = GetProcAddress(lngKernel, "PsInitialSystemProcess")
' Load address of the real kernel image
lngBaseAddr = GetKernelModuleBase()
' Rebase: kernel address = user-mode address + kernel base - user-mode base
lngStartProcAddr = lngStartProcAddr + lngBaseAddr - lngKernel
' strEAddr = "0x" & Hex(lngStartProcAddr)
' The user-mode copy is no longer needed
FreeLibrary lngKernel
' The version string selects the per-build offsets below
strVersion = GetVersionName
' Per-version EPROCESS offsets (bytes):
'   lngPID   - the PID field read by GetPID
'   lngName  - the image-name field read by GetProcessName
'   lngAList - the list entry first followed from the System process
'              (the comments in this routine call it ActiveProcessLinks)
'   lngSList - the list entry the main walk follows
'              NOTE(review): 180 (&HB4) is the SessionProcessLinks offset on
'              XP, so the walk below presumably follows the session list rather
'              than ActiveProcessLinks as the original comment says - confirm
'   lngSName - lngName - lngSList: name offset relative to an lngSList entry
'   lngAName - lngName - lngAList: name offset relative to an lngAList entry
'              (computed but never used)
' The two derived values hold in all three branches, e.g. XP: &H174 - 180 = 192
' and &H174 - 136 = 236; win2k: &H1FC - 244 = 264 and &H1FC - 160 = 348.
If strVersion = "win2k" Then
lngPID = 156
lngName = &H1FC
lngSName = 264
lngAName = 348
lngSList = 244
lngAList = 160
' Only this branch opens physical memory here; for winxp and the Else branch
' nothing in this routine opens it (presumably a helper does so lazily - confirm).
' End terminates the whole application, not just this Sub, with no message.
If OpenPhysicalMemory = 0 Then
End
End If
ElseIf strVersion = "winxp" Then
lngPID = 132
lngName = &H174
lngSName = 192
lngAName = 236
lngSList = 180
lngAList = 136
Else
' Any other version string silently gets these offsets - TODO confirm which
' build they were taken from; an unrecognised version is not rejected.
lngPID = 132
lngName = &H154
lngSName = 160
lngAName = 204
lngSList = 180
lngAList = 136
End If
' Dereference PsInitialSystemProcess: pointer to the System process's EPROCESS
objAddr = GetData(lngStartProcAddr)
' Hex form for display
strEAddr = "0x" & Hex(objAddr)
'strProcessId = Format(CStr(GetPID(objAddr + 132)), "0000")
' PID of the System process
strProcessId = Format(CStr(GetPID(objAddr + lngPID)), "0000")
'strProcessName = GetProcessName(objAddr + &H174)
' Image name of the System process
strProcessName = GetProcessName(objAddr + lngName)
lngTmp = (objAddr + lngName) - (objAddr + lngPID) ' Distance from the PID field to the name field (= lngName - lngPID); used in the walk to step back from a name address to the PID
' Emit the System entry
frmMain.lstProcesses.AddItem "PID: " & strProcessId & " EPROCESS: " & strEAddr & " ImageName: " & strProcessName
'objAddr = GetData(objAddr + 136)
' Follow System's lngAList Flink: objAddr now points at the lngAList entry
' inside the next process's EPROCESS (the author labels it SMSS.EXE; it is
' whatever follows System in that list)
objAddr = GetData(objAddr + lngAList)
'strEAddr = "0x" & Hex(objAddr - 136)
' EPROCESS = list entry address - entry offset
strEAddr = "0x" & Hex(objAddr - lngAList)
'strProcessId = Format(CStr(GetPID(objAddr - 4)), "0000")
' PID of that process
strProcessId = Format(CStr(GetPID(objAddr - lngAList + lngPID)), "0000")
'strProcessName = GetProcessName(objAddr + 236)
' Image name of that process
strProcessName = GetProcessName(objAddr + lngName - lngAList)
' Emit the second entry
frmMain.lstProcesses.AddItem "PID: " & strProcessId & " EPROCESS: " & strEAddr & " ImageName: " & strProcessName
' Follow that entry's Flink once more, then convert the lngAList entry address
' into the lngSList entry address of the same EPROCESS; the walk continues on
' the lngSList list from here
objAddr = GetData(objAddr)
'objAddr = objAddr - 136 + 180
objAddr = objAddr - lngAList + lngSList
' Remember the starting entry so the walk can stop once it wraps around
objEndAddr = objAddr
' Walk the list (original comment: ActiveProcessLinks; see the offset note above)
Do
' &HFFFF0000 is a negative Long (-65536) in VB6, so this is a signed compare:
' it is true for &H0..&H7FFFFFFF and for &HFFFF0001..&HFFFFFFFF, i.e. it bails
' out when the link points outside the kernel range. Presumably a guard
' against a corrupted or unlinked entry - confirm intent.
If objAddr > &HFFFF0000 Then
Exit Do
End If
'strEAddr = "0x" & Hex(objAddr - 180)
' EPROCESS of the current entry
strEAddr = "0x" & Hex(objAddr - lngSList)
'strProcessId = Format(CStr(GetPID(objAddr + 192 - 240)), "0000")
' objAddr + lngSName - lngTmp = EPROCESS + lngPID, i.e. the PID field
strProcessId = Format(CStr(GetPID(objAddr + lngSName - lngTmp)), "0000")
If strProcessId = "0000" Then Exit Do ' A zero PID ends the walk (presumably the list head was reached - confirm)
'strProcessName = GetProcessName(objAddr + 192)
' Image name of the current entry
strProcessName = GetProcessName(objAddr + lngSName)
' PIDs 0..4 are skipped in both branches (Idle and System were already
' handled above); IsHideProcess only decides which label is used
If IsHideProcess(strProcessId) And Val(strProcessId) > 4 Then
frmMain.lstProcesses.AddItem "隐藏PID: " & strProcessId & " EPROCESS: " & strEAddr & " ImageName: " & strProcessName
Else
If Val(strProcessId) > 4 Then
frmMain.lstProcesses.AddItem "PID: " & strProcessId & " EPROCESS: " & strEAddr & " ImageName: " & strProcessName
End If
End If
' Next Flink
objAddr = GetData(objAddr)
Loop While objAddr <> 0 And objEndAddr <> objAddr ' Stop on a null link or when back at the starting entry. NOTE(review): no iteration cap, so a malformed cycle that never returns to objEndAddr would loop forever
' The literal "+1" is appended to the count as text; presumably it accounts
' for the one entry (PID 0/Idle) that is never listed - confirm
frmMain.Caption = "读取内存枚举进程" & " (进程总数:" & frmMain.lstProcesses.ListCount & "+1" & ")"
End Sub
' Verbatim repeat of the body of PrintProcesses above, pasted without its
' Public Sub line (the code from Dim through End Sub is identical); kept as-is.
' It lists processes by reading the kernel's EPROCESS list directly out of
' kernel memory (through the project's GetData/GetPID/GetProcessName helpers)
' rather than through a user-mode enumeration API, so entries that a rootkit
' has unlinked from the usual view can still be shown. Every process is
' appended to frmMain.lstProcesses; entries that IsHideProcess reports as
' hidden get the "隐藏PID" prefix instead of "PID".
' Depends on helpers defined elsewhere in the project: GetKernelModuleBase,
' GetVersionName, OpenPhysicalMemory, GetData, GetPID, GetProcessName,
' IsHideProcess, plus the frmMain form.
' All structure offsets are hard-coded per OS version; on a build or service
' pack with a different EPROCESS layout the reads land on the wrong fields.
' pKernel is never used and lngAName is assigned in every branch but never read.
Dim lngKernel As Long, pKernel As Long, lngStartProcAddr As Long, lngBaseAddr As Long
Dim objAddr As Long, strProcessName As String, strEAddr As String, strProcessId As String
Dim objEndAddr As Long, lngPID As Long, lngName As Long, lngAName As Long, lngTmp As Long
Dim strVersion As String, lngSName As Long, lngAList As Long, lngSList As Long
' Map a user-mode copy of ntoskrnl.exe so GetProcAddress can resolve the export below
lngKernel = LoadLibrary("ntoskrnl.exe")
' Address of PsInitialSystemProcess inside the user-mode mapping
lngStartProcAddr = GetProcAddress(lngKernel, "PsInitialSystemProcess")
' Load address of the real kernel image
lngBaseAddr = GetKernelModuleBase()
' Rebase: kernel address = user-mode address + kernel base - user-mode base
lngStartProcAddr = lngStartProcAddr + lngBaseAddr - lngKernel
' strEAddr = "0x" & Hex(lngStartProcAddr)
' The user-mode copy is no longer needed
FreeLibrary lngKernel
' The version string selects the per-build offsets below
strVersion = GetVersionName
' Per-version EPROCESS offsets (bytes):
'   lngPID   - the PID field read by GetPID
'   lngName  - the image-name field read by GetProcessName
'   lngAList - the list entry first followed from the System process
'              (the comments in this routine call it ActiveProcessLinks)
'   lngSList - the list entry the main walk follows
'              NOTE(review): 180 (&HB4) is the SessionProcessLinks offset on
'              XP, so the walk below presumably follows the session list rather
'              than ActiveProcessLinks as the original comment says - confirm
'   lngSName - lngName - lngSList: name offset relative to an lngSList entry
'   lngAName - lngName - lngAList: name offset relative to an lngAList entry
'              (computed but never used)
' The two derived values hold in all three branches, e.g. XP: &H174 - 180 = 192
' and &H174 - 136 = 236; win2k: &H1FC - 244 = 264 and &H1FC - 160 = 348.
If strVersion = "win2k" Then
lngPID = 156
lngName = &H1FC
lngSName = 264
lngAName = 348
lngSList = 244
lngAList = 160
' Only this branch opens physical memory here; for winxp and the Else branch
' nothing in this routine opens it (presumably a helper does so lazily - confirm).
' End terminates the whole application, not just this Sub, with no message.
If OpenPhysicalMemory = 0 Then
End
End If
ElseIf strVersion = "winxp" Then
lngPID = 132
lngName = &H174
lngSName = 192
lngAName = 236
lngSList = 180
lngAList = 136
Else
' Any other version string silently gets these offsets - TODO confirm which
' build they were taken from; an unrecognised version is not rejected.
lngPID = 132
lngName = &H154
lngSName = 160
lngAName = 204
lngSList = 180
lngAList = 136
End If
' Dereference PsInitialSystemProcess: pointer to the System process's EPROCESS
objAddr = GetData(lngStartProcAddr)
' Hex form for display
strEAddr = "0x" & Hex(objAddr)
'strProcessId = Format(CStr(GetPID(objAddr + 132)), "0000")
' PID of the System process
strProcessId = Format(CStr(GetPID(objAddr + lngPID)), "0000")
'strProcessName = GetProcessName(objAddr + &H174)
' Image name of the System process
strProcessName = GetProcessName(objAddr + lngName)
lngTmp = (objAddr + lngName) - (objAddr + lngPID) ' Distance from the PID field to the name field (= lngName - lngPID); used in the walk to step back from a name address to the PID
' Emit the System entry
frmMain.lstProcesses.AddItem "PID: " & strProcessId & " EPROCESS: " & strEAddr & " ImageName: " & strProcessName
'objAddr = GetData(objAddr + 136)
' Follow System's lngAList Flink: objAddr now points at the lngAList entry
' inside the next process's EPROCESS (the author labels it SMSS.EXE; it is
' whatever follows System in that list)
objAddr = GetData(objAddr + lngAList)
'strEAddr = "0x" & Hex(objAddr - 136)
' EPROCESS = list entry address - entry offset
strEAddr = "0x" & Hex(objAddr - lngAList)
'strProcessId = Format(CStr(GetPID(objAddr - 4)), "0000")
' PID of that process
strProcessId = Format(CStr(GetPID(objAddr - lngAList + lngPID)), "0000")
'strProcessName = GetProcessName(objAddr + 236)
' Image name of that process
strProcessName = GetProcessName(objAddr + lngName - lngAList)
' Emit the second entry
frmMain.lstProcesses.AddItem "PID: " & strProcessId & " EPROCESS: " & strEAddr & " ImageName: " & strProcessName
' Follow that entry's Flink once more, then convert the lngAList entry address
' into the lngSList entry address of the same EPROCESS; the walk continues on
' the lngSList list from here
objAddr = GetData(objAddr)
'objAddr = objAddr - 136 + 180
objAddr = objAddr - lngAList + lngSList
' Remember the starting entry so the walk can stop once it wraps around
objEndAddr = objAddr
' Walk the list (original comment: ActiveProcessLinks; see the offset note above)
Do
' &HFFFF0000 is a negative Long (-65536) in VB6, so this is a signed compare:
' it is true for &H0..&H7FFFFFFF and for &HFFFF0001..&HFFFFFFFF, i.e. it bails
' out when the link points outside the kernel range. Presumably a guard
' against a corrupted or unlinked entry - confirm intent.
If objAddr > &HFFFF0000 Then
Exit Do
End If
'strEAddr = "0x" & Hex(objAddr - 180)
' EPROCESS of the current entry
strEAddr = "0x" & Hex(objAddr - lngSList)
'strProcessId = Format(CStr(GetPID(objAddr + 192 - 240)), "0000")
' objAddr + lngSName - lngTmp = EPROCESS + lngPID, i.e. the PID field
strProcessId = Format(CStr(GetPID(objAddr + lngSName - lngTmp)), "0000")
If strProcessId = "0000" Then Exit Do ' A zero PID ends the walk (presumably the list head was reached - confirm)
'strProcessName = GetProcessName(objAddr + 192)
' Image name of the current entry
strProcessName = GetProcessName(objAddr + lngSName)
' PIDs 0..4 are skipped in both branches (Idle and System were already
' handled above); IsHideProcess only decides which label is used
If IsHideProcess(strProcessId) And Val(strProcessId) > 4 Then
frmMain.lstProcesses.AddItem "隐藏PID: " & strProcessId & " EPROCESS: " & strEAddr & " ImageName: " & strProcessName
Else
If Val(strProcessId) > 4 Then
frmMain.lstProcesses.AddItem "PID: " & strProcessId & " EPROCESS: " & strEAddr & " ImageName: " & strProcessName
End If
End If
' Next Flink
objAddr = GetData(objAddr)
Loop While objAddr <> 0 And objEndAddr <> objAddr ' Stop on a null link or when back at the starting entry. NOTE(review): no iteration cap, so a malformed cycle that never returns to objEndAddr would loop forever
' The literal "+1" is appended to the count as text; presumably it accounts
' for the one entry (PID 0/Idle) that is never listed - confirm
frmMain.Caption = "读取内存枚举进程" & " (进程总数:" & frmMain.lstProcesses.ListCount & "+1" & ")"
End Sub
不知道能不能用VB搜索并使用内核未导出函数......