模块内容:
------------------------------------------
'--------循环杀掉相应进程
Public Type PROCESSENTRY32
dwSize As Long
cntUsage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szExeFile As String * 260
End Type
Public Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Public Declare Function Process32First Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Public Declare Function Process32Next Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal blnheritHandle As Long, ByVal dwAppProcessId As Long) As Long
Public Declare Function TerminateProcess Lib "kernel32" (ByVal ApphProcess As Long, ByVal uExitCode As Long) As Long
Public Declare Sub CloseHandle Lib "kernel32" (ByVal hPass As Long)
Public Const TH32CS_SNAPPROCESS = &H2&
--------------------------------------------窗体代码:
--------------------------------------------
Public Sub KillProcess(a)
On Error Resume Next Dim lSnapShot As Long
Dim lNextProcess As Long
Dim tPE As PROCESSENTRY32
lSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)
If lSnapShot <> -1 Then
tPE.dwSize = Len(tPE)
lNextProcess = Process32First(lSnapShot, tPE)
Do While lNextProcess
Dim lProcess As Long
Dim lExitCode As LongIf Left(tPE.szExeFile, InStr(1, tPE.szExeFile, Chr(0)) - 1) = "services.exe" Then lProcess = OpenProcess(1, False, tPE.th32ProcessID)
TerminateProcess lProcess, lExitCode
CloseHandle lProcess
End If
lNextProcess = Process32Next(lSnapShot, tPE)
Loop
CloseHandle (lSnapShot)
End IfEnd Sub
Private Sub Form_Load()
KillProcess (a)
End Sub
以上是一个关闭进程的实例,查找进程中是否有services.exe,如果有,则关闭.
我想做的是一个病毒查杀工具,但是遇到一个问题,services.exe有两个,一个是系统自己的,一个是病毒,当然,位置不一样.请问,如何获取到这个进程的所在位置?或者如何判断这个进程是属于system的?请高手帮忙解答,最后20分..祝大家新年快乐.
------------------------------------------
'--------循环杀掉相应进程
Public Type PROCESSENTRY32
dwSize As Long
cntUsage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szExeFile As String * 260
End Type
Public Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Public Declare Function Process32First Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Public Declare Function Process32Next Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal blnheritHandle As Long, ByVal dwAppProcessId As Long) As Long
Public Declare Function TerminateProcess Lib "kernel32" (ByVal ApphProcess As Long, ByVal uExitCode As Long) As Long
Public Declare Sub CloseHandle Lib "kernel32" (ByVal hPass As Long)
Public Const TH32CS_SNAPPROCESS = &H2&
--------------------------------------------窗体代码:
--------------------------------------------
Public Sub KillProcess(a)
On Error Resume Next Dim lSnapShot As Long
Dim lNextProcess As Long
Dim tPE As PROCESSENTRY32
lSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)
If lSnapShot <> -1 Then
tPE.dwSize = Len(tPE)
lNextProcess = Process32First(lSnapShot, tPE)
Do While lNextProcess
Dim lProcess As Long
Dim lExitCode As LongIf Left(tPE.szExeFile, InStr(1, tPE.szExeFile, Chr(0)) - 1) = "services.exe" Then lProcess = OpenProcess(1, False, tPE.th32ProcessID)
TerminateProcess lProcess, lExitCode
CloseHandle lProcess
End If
lNextProcess = Process32Next(lSnapShot, tPE)
Loop
CloseHandle (lSnapShot)
End IfEnd Sub
Private Sub Form_Load()
KillProcess (a)
End Sub
以上是一个关闭进程的实例,查找进程中是否有services.exe,如果有,则关闭.
我想做的是一个病毒查杀工具,但是遇到一个问题,services.exe有两个,一个是系统自己的,一个是病毒,当然,位置不一样.请问,如何获取到这个进程的所在位置?或者如何判断这个进程是属于system的?请高手帮忙解答,最后20分..祝大家新年快乐.
解决方案 »
- 如何触发网页中的onFocus onMouseDown onMouseOver onMouseOut事件
- 如保才能取出Tab制表的KeyAscii值?在张等呀,很急谢谢
- 如何改变MessageBox报告的信息的颜色!
- 如何获得当前系统的安装目录
- 怎么样知道电灯是否是开着的.串口问题.
- 各位达人有没有兴趣作一个程序?
- 请问,MSHFlexGrid,MSFlexGrid,DBGrid三个控件有什么区别啊,哪个最好最常用(100)
- 请高手帮我编下这个程序!
- 请教:如何消除图形的平移的闪烁?
- memo类型字段不能为空吗?
- 如何在水晶报表中制作水印效果
- MsgBox("是否保存数据? ", vbYesNo , "提示" ) 如何指定默认焦点按钮为 否?
你这个只能杀普通的进程。对于模块路径很容易找,不过那用处不大。
判断是否是系统进程,一般判断父进程应该可以。
其实xp等高级版本就一个是系统进程就是System Idle Process名字一般就是
System Prcoess优先级是0没有父进程创建线程数是1
System进程优先级是8父进程是0经常创建很多线程
smss.exe父进程是System优先级11
csrss.exe父进程是smss.exe优先级是13
winlogon.exe父进程是csrss.exe优先级13
services.exe父进程是winlogon.exe优先级是9不知道你为何要结束这个进程。
explorer.exe就是资源管理器,显示桌面和任务栏的程序.
Private Const TOKEN_READ As Long = &H20008
Private Const SECURITY_BUILTIN_DOMAIN_RID As Long = &H20&
Private Const SECURITY_NT_AUTHORITY As Long = &H5
Private Const PROCESS_QUERY_INFORMATION As Long = 1024
Private Const PROCESS_VM_READ As Long = 16
Private Const DOMAIN_ALIAS_RID_USERS = &H221
Private Const TokenUser = 1
Private Type SID_IDENTIFIER_AUTHORITY
Value(6) As Byte
End Type
Private Type SID_AND_ATTRIBUTES
SID As Long
Attributes As Long
End Type
Private Type TOKEN_USER
User As SID_AND_ATTRIBUTES
SID(500) As Byte
End Type
Private Declare Function LookupAccountSid Lib "advapi32.dll" Alias "LookupAccountSidA" (ByVal lpSystemName As String, ByVal SID As Long, ByVal name As String, cbName As Long, ByVal ReferencedDomainName As String, cbReferencedDomainName As Long, peUse As Long) As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function GetTokenInformation Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal TokenInformationClass As Long, TokenInformation As Any, ByVal TokenInformationLength As Long, ReturnLength As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As LongPublic Function GetProcessUserName(ByVal ProcessID As Long) As String
Dim hProcessID As Long
Dim hToken As Long
Dim res As Long
Dim cbBuff As Long
Dim tiLen As Long
Dim TU As TOKEN_USER
Dim cnt As Long
Dim sAcctName2 As String
Dim cbAcctName As Long
Dim sDomainName As String
Dim cbDomainName As Long
Dim peUse As Long
Dim barr() As Byte
hProcessID = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, ProcessID)
If hProcessID <> 0 Then
If OpenProcessToken(hProcessID, TOKEN_READ, hToken) = 1 Then
res = GetTokenInformation(hToken, TokenUser, ByVal 0, tiLen, cbBuff)
If res = 0 And cbBuff > 0 Then
tiLen = cbBuff
If cbBuff > Len(TU) Then Exit Function
res = GetTokenInformation(hToken, TokenUser, TU, tiLen, cbBuff)
If res = 1 And tiLen > 0 Then
sAcctName2 = Space$(255)
sDomainName = Space$(255)
cbAcctName = 255
cbDomainName = 255
res = LookupAccountSid(vbNullString, TU.User.SID, sAcctName2, cbAcctName, sDomainName, cbDomainName, peUse)
GetProcessUserName = Replace(Trim(sAcctName2), Chr(0), "")
End If
End If
End If
If hToken Then CloseHandle hToken
CloseHandle hProcessID
End If
End Function
然后进入VBAPIHooker文件夹,在frmMain里有一个GetModEntries函数可以枚举指定进程所有模块的函数,其中的.szExePath就可以获得你要的信息
就是一般的程序(在services.exe没有被感染或者替换的时候)
http://download.csdn.net/user/xx22nn/