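' Forum note: the function below returns the path of a process's executable file.
' The caller has to know the process ID (PID) first, which is the awkward part.
Public Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Public Declare Function GetModuleFileNameEx Lib "psapi.dll" Alias "GetModuleFileNameExA" (ByVal hProcess As Long, ByVal hModule As Long, ByVal lpFilename As String, ByVal nSize As Long) As Long
' Needed to release the handle returned by OpenProcess.
Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As Long) As Long
Public Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Public Const SYNCHRONIZE As Long = &H100000
' Kept for existing callers; EnumFileName itself no longer requests it.
Public Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)

' Returns the full path of the main executable of the process identified by Pid,
' or an empty string when the process cannot be opened or its path cannot be read.
'
' The path comes from GetModuleFileNameEx, which reads the module list kept in the
' target process's own memory, so treat the result as informational. Microsoft's
' documentation recommends QueryFullProcessImageName / GetProcessImageFileName as
' the more reliable way to name a remote process's main executable.
Public Function EnumFileName(ByVal Pid As Long) As String
    ' Least privilege: reading a module path needs only these two rights.
    ' Asking for PROCESS_ALL_ACCESS fails more often for non-admin callers
    ' and grants write/terminate rights this function never uses.
    Const PROCESS_QUERY_INFORMATION As Long = &H400
    Const PROCESS_VM_READ As Long = &H10
    Const MAX_PATH As Long = 260

    Dim hProc As Long
    Dim nChars As Long
    Dim sBuffer As String

    hProc = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, Pid)
    If hProc = 0 Then Exit Function          ' could not open: return ""

    ' MAX_PATH-sized buffer; the former 64-character buffer truncated longer paths.
    sBuffer = String$(MAX_PATH, vbNullChar)
    nChars = GetModuleFileNameEx(hProc, 0, sBuffer, MAX_PATH)
    ' Keep only the characters the API wrote, dropping the NUL padding.
    If nChars > 0 Then EnumFileName = Left$(sBuffer, nChars)

    ' Close the handle that was opened (the original closed an unset variable).
    CloseHandle hProc
End Function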
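' Looks up the PID of a process by its executable file name.
Option Explicit
Private Declare Function CloseHandle Lib "Kernel32.dll" (ByVal Handle As Long) As Long
Private Declare Function OpenProcess Lib "Kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long
Private Declare Function EnumProcesses Lib "PSAPI.DLL" (ByRef lpidProcess As Long, ByVal cb As Long, ByRef cbNeeded As Long) As Long
Private Declare Function GetModuleFileNameExA Lib "PSAPI.DLL" (ByVal hProcess As Long, ByVal hModule As Long, ByVal ModuleName As String, ByVal nSize As Long) As Long
Private Declare Function EnumProcessModules Lib "PSAPI.DLL" (ByVal hProcess As Long, ByRef lphModule As Long, ByVal cb As Long, ByRef cbNeeded As Long) As Long

' Returns the PID of the first running process whose executable file name
' (directory stripped, compared case-insensitively) equals strExeName.
' Returns -1 when no process matches, when strExeName is empty, or on error.
'
' Several processes can share one file name; only the first one found is returned.
' Matching is by file name alone, and any program can carry any name, so the
' result must not be taken as proof of which program is actually running.
Public Function GetProcessIdFromProcessName(ByVal strExeName As String) As Long
    Const clMaxNumProcesses As Long = 5000
    Const clMaxModules As Long = 50
    Const MAX_PATH = 260
    Const PROCESS_QUERY_INFORMATION = 1024
    Const PROCESS_VM_READ = 16

    Dim strModuleName As String * MAX_PATH
    Dim strProcessNamePath As String
    Dim strProcessName As String
    Dim alModules(1 To clMaxModules) As Long
    Dim alProcIDs() As Long
    Dim lBytesReturned As Long
    Dim lBytesNeeded As Long
    Dim lNumProcesses As Long
    Dim lHwndProcess As Long
    Dim lThisProcess As Long
    Dim lRet As Long

    On Error GoTo Z

    GetProcessIdFromProcessName = -1
    strExeName = UCase$(Trim$(strExeName))
    ' An empty name would otherwise "match" a process whose path could not be read.
    If Len(strExeName) = 0 Then Exit Function

    ' One Long (4 bytes) per PID; cb is given in bytes.
    ReDim alProcIDs(1 To clMaxNumProcesses) As Long
    lRet = EnumProcesses(alProcIDs(1), clMaxNumProcesses * 4, lBytesReturned)
    If lRet = 0 Then Exit Function
    lNumProcesses = lBytesReturned \ 4

    For lThisProcess = 1 To lNumProcesses
        lHwndProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, alProcIDs(lThisProcess))
        If lHwndProcess <> 0 Then
            strProcessName = vbNullString
            lRet = EnumProcessModules(lHwndProcess, alModules(1), clMaxModules * 4, lBytesNeeded)
            If lRet <> 0 Then
                ' The first module returned is used as the process's executable.
                lRet = GetModuleFileNameExA(lHwndProcess, alModules(1), strModuleName, MAX_PATH)
                If lRet > 0 Then
                    strProcessNamePath = Trim$(UCase$(Left$(strModuleName, lRet)))
                    strProcessName = Mid$(strProcessNamePath, InStrRev(strProcessNamePath, "\") + 1)
                End If
            End If

            ' Close exactly once and clear the variable so the error handler
            ' (or a later iteration) never closes the same handle again.
            CloseHandle lHwndProcess
            lHwndProcess = 0

            If strProcessName = strExeName Then
                GetProcessIdFromProcessName = alProcIDs(lThisProcess)
                Exit Function
            End If
        End If
    Next
    Exit Function

Z:
    ' Release a handle that was still open when the error was raised.
    If lHwndProcess <> 0 Then CloseHandle lHwndProcess
    GetProcessIdFromProcessName = -1
End Function

' Demo entry point: prints the PID found for NOTEPAD1.EXE.
Sub main()
    Dim Pid As Long
    Pid = GetProcessIdFromProcessName("NOTEPAD1.EXE")
    ' A value greater than 0 means the process was found; -1 means it was not.
    Debug.Print (Pid)
End Sub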
然后在搜索里输入“监视”,进行搜索。
----------------------------------
去 http://www.mndsoft.com
然后在搜索里输入“监视”,进行搜索。
----------------------------------
无任何收获
看懂了题目....难道是我表达有问题?
1 建立C:\notepad.exe快捷方式C:\notepad.lnk
2 运行NOTEPAD.EXE后 改为NOTEPAD1.EXE
3 读取C:\notepad.lnk,目标路径还是C:\notepad.exe。
得出:快捷方式只有在运行一次后,系统才会自动定位到c:\NOTEPAD1.EXE,
这时读取c:\notepad.lnk,目标才是C:\NOTEPAD1.EXE。继续:
4 建立C:\1\目录 复制一份C:\NOTEPAD1.EXE过去 现在快捷方式还是指向C:\NOTEPAD1.EXE
5 运行C:\NOTEPAD1.EXE后,剪切到C:\1\目录,覆盖前面步骤4复制过去的那份副本。再次运行快捷方式时,WINDOWS的手电筒出现了,找不到该目标...........
最后得出 快捷方式彻底行不通....看来拦截API是最简单的办法了....
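Public Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Public Declare Function GetModuleFileNameEx Lib "psapi.dll" Alias "GetModuleFileNameExA" (ByVal hProcess As Long, ByVal hModule As Long, ByVal lpFilename As String, ByVal nSize As Long) As Long
' Needed to release the handle returned by OpenProcess.
Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As Long) As Long
Public Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Public Const SYNCHRONIZE As Long = &H100000
' Kept for existing callers; EnumFileName itself no longer requests it.
Public Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)

' Returns the full path of the main executable of the process identified by Pid,
' or an empty string when the process cannot be opened or its path cannot be read.
'
' The path comes from GetModuleFileNameEx, which reads the module list kept in the
' target process's own memory, so treat the result as informational. Microsoft's
' documentation recommends QueryFullProcessImageName / GetProcessImageFileName as
' the more reliable way to name a remote process's main executable.
Public Function EnumFileName(ByVal Pid As Long) As String
    ' Least privilege: reading a module path needs only these two rights.
    ' Asking for PROCESS_ALL_ACCESS fails more often for non-admin callers
    ' and grants write/terminate rights this function never uses.
    Const PROCESS_QUERY_INFORMATION As Long = &H400
    Const PROCESS_VM_READ As Long = &H10
    Const MAX_PATH As Long = 260

    Dim hProc As Long
    Dim nChars As Long
    Dim sBuffer As String

    hProc = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, Pid)
    If hProc = 0 Then Exit Function          ' could not open: return ""

    ' MAX_PATH-sized buffer; the former 64-character buffer truncated longer paths.
    sBuffer = String$(MAX_PATH, vbNullChar)
    nChars = GetModuleFileNameEx(hProc, 0, sBuffer, MAX_PATH)
    ' Keep only the characters the API wrote, dropping the NUL padding.
    If nChars > 0 Then EnumFileName = Left$(sBuffer, nChars)

    ' Close the handle that was opened (the original closed an unset variable).
    CloseHandle hProc
End Function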
Option Explicit
Private Declare Function CloseHandle Lib "Kernel32.dll" (ByVal Handle As Long) As Long
Private Declare Function OpenProcess Lib "Kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long
Private Declare Function EnumProcesses Lib "PSAPI.DLL" (ByRef lpidProcess As Long, ByVal cb As Long, ByRef cbNeeded As Long) As Long
Private Declare Function GetModuleFileNameExA Lib "PSAPI.DLL" (ByVal hProcess As Long, ByVal hModule As Long, ByVal ModuleName As String, ByVal nSize As Long) As Long
Private Declare Function EnumProcessModules Lib "PSAPI.DLL" (ByVal hProcess As Long, ByRef lphModule As Long, ByVal cb As Long, ByRef cbNeeded As Long) As Long
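' Returns the PID of the first running process whose executable file name
' (directory stripped, compared case-insensitively) equals strExeName.
' Returns -1 when no process matches, when strExeName is empty, or on error.
'
' Several processes can share one file name; only the first one found is returned.
' Matching is by file name alone, and any program can carry any name, so the
' result must not be taken as proof of which program is actually running.
Public Function GetProcessIdFromProcessName(ByVal strExeName As String) As Long
    Const clMaxNumProcesses As Long = 5000
    Const clMaxModules As Long = 50
    Const MAX_PATH = 260
    Const PROCESS_QUERY_INFORMATION = 1024
    Const PROCESS_VM_READ = 16

    Dim strModuleName As String * MAX_PATH
    Dim strProcessNamePath As String
    Dim strProcessName As String
    Dim alModules(1 To clMaxModules) As Long
    Dim alProcIDs() As Long
    Dim lBytesReturned As Long
    Dim lBytesNeeded As Long
    Dim lNumProcesses As Long
    Dim lHwndProcess As Long
    Dim lThisProcess As Long
    Dim lRet As Long

    On Error GoTo Z

    GetProcessIdFromProcessName = -1
    strExeName = UCase$(Trim$(strExeName))
    ' An empty name would otherwise "match" a process whose path could not be read.
    If Len(strExeName) = 0 Then Exit Function

    ' One Long (4 bytes) per PID; cb is given in bytes.
    ReDim alProcIDs(1 To clMaxNumProcesses) As Long
    lRet = EnumProcesses(alProcIDs(1), clMaxNumProcesses * 4, lBytesReturned)
    If lRet = 0 Then Exit Function
    lNumProcesses = lBytesReturned \ 4

    For lThisProcess = 1 To lNumProcesses
        lHwndProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, alProcIDs(lThisProcess))
        If lHwndProcess <> 0 Then
            strProcessName = vbNullString
            lRet = EnumProcessModules(lHwndProcess, alModules(1), clMaxModules * 4, lBytesNeeded)
            If lRet <> 0 Then
                ' The first module returned is used as the process's executable.
                lRet = GetModuleFileNameExA(lHwndProcess, alModules(1), strModuleName, MAX_PATH)
                If lRet > 0 Then
                    strProcessNamePath = Trim$(UCase$(Left$(strModuleName, lRet)))
                    strProcessName = Mid$(strProcessNamePath, InStrRev(strProcessNamePath, "\") + 1)
                End If
            End If

            ' Close exactly once and clear the variable so the error handler
            ' (or a later iteration) never closes the same handle again.
            CloseHandle lHwndProcess
            lHwndProcess = 0

            If strProcessName = strExeName Then
                GetProcessIdFromProcessName = alProcIDs(lThisProcess)
                Exit Function
            End If
        End If
    Next
    Exit Function

Z:
    ' Release a handle that was still open when the error was raised.
    If lHwndProcess <> 0 Then CloseHandle lHwndProcess
    GetProcessIdFromProcessName = -1
End Function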
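' Demo entry point: prints the PID found for NOTEPAD1.EXE.
Sub main()
    Dim Pid As Long
    ' Look up the PID of the NOTEPAD1.EXE program.
    Pid = GetProcessIdFromProcessName("NOTEPAD1.EXE")
    ' A value greater than 0 means the process was found; otherwise it was not.
    Debug.Print (Pid)
    ' End Sub was fused into the comment above in the original paste,
    ' which left the procedure unterminated.
End Sub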
我要的是
运行NOTEPAD.EXE
在运行时 修改NOTEPAD.EXE 为NOTEPAD1.EXE怎么来获取NOTEPAD1.EXE
你上面帖出的代码只是简单的枚举进程对比 不知道这样说 你能明白么。
用VB做HOOK是自杀行为 我还年轻............to 大力水手
NT系统可以用movefileex随意移动 改变正在运行的程序名称 或路径看样子是不行了
不知道冰刃是怎么实现的 实时显示进程真实地址...