EnumProcessModules这个函数第一个参数是一个进程的句柄,但是通过OpenProcess不能打开这个进程,怎么获得这个进程的模块路径?
::OpenProcess返回值为0,
HwndProcess=::OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,0,PID);
Ret=::EnumProcessModules(HwndProcess,lngModules,lngSize,lngCBSize);
Windows任务管理器可以看见这类进程的名字(XueTr这类程序可以看见完整路径)。
例如一般Windows的lsass.exe这个进程是不能通过OpenProcess打开的。
::OpenProcess返回值为0,
HwndProcess=::OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,0,PID);
Ret=::EnumProcessModules(HwndProcess,lngModules,lngSize,lngCBSize);
Windows任务管理器可以看见这类进程的名字(XueTr这类程序可以看见完整路径)。
例如一般Windows的lsass.exe这个进程是不能通过OpenProcess打开的。
Pslist+Pskill源码//pslist.cpp
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <tchar.h>
#include <psapi.h>
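#pragma comment(lib,"psapi.lib")

// Enables SeDebugPrivilege in the current process token.
//
// The privilege can only be enabled if the token already holds it (an
// elevated administrator token does); AdjustTokenPrivileges returns TRUE
// even when it enabled nothing, so GetLastError() must be checked for
// ERROR_NOT_ALL_ASSIGNED. Returns TRUE only when the privilege is really
// enabled. The token handle is closed on every path (the original leaked
// it, and also leaked a needless OpenProcess handle to the own process).
BOOL SetPrivilege()
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES NewState;
    LUID luidPrivilegeLUID;
    BOOL bOk = FALSE;

    // GetCurrentProcess() is a pseudo-handle with full access; there is no
    // reason to OpenProcess() our own PID (and nothing to close afterwards).
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)
        || !LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidPrivilegeLUID))
    {
        printf("SetPrivilege Error\n");
        if (hToken != NULL)
            CloseHandle(hToken);
        return FALSE;
    }

    NewState.PrivilegeCount = 1;
    NewState.Privileges[0].Luid = luidPrivilegeLUID;
    NewState.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    bOk = AdjustTokenPrivileges(hToken, FALSE, &NewState, 0, NULL, NULL);
    // "Success" with ERROR_NOT_ALL_ASSIGNED means the token does not hold
    // the privilege at all (typically: not running as administrator).
    if (bOk && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        bOk = FALSE;
    if (!bOk)
        printf("AdjustTokenPrivilege Error\n");

    CloseHandle(hToken);
    return bOk;
}

// Prints every module loaded in process processID as "<path> (<base>)".
//
// Needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ on the target; a process
// that cannot be opened is skipped silently. At most 1024 modules are
// listed: the original iterated over cbNeeded / sizeof(HMODULE) without
// clamping, reading past hMods for processes with more modules, and passed
// the whole array instead of hMods[i] to GetModuleFileNameEx.
void ListModules( DWORD processID )
{
    HMODULE hMods[1024];
    HANDLE hProcess;
    DWORD cbNeeded = 0;
    unsigned int i;

    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processID);
    if (NULL == hProcess)
        return;

    if (EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded))
    {
        // cbNeeded is the size the full list would need, which may exceed
        // the buffer; never walk beyond what was actually filled.
        DWORD cbUsed = (cbNeeded < sizeof(hMods)) ? cbNeeded : sizeof(hMods);
        for (i = 0; i < (cbUsed / sizeof(HMODULE)); i++)
        {
            char szModName[MAX_PATH];
            if (GetModuleFileNameEx(hProcess, hMods[i], szModName, sizeof(szModName)))
            {
                // %p: an HMODULE is a pointer-sized base address; %08X
                // truncates it on 64-bit builds.
                printf("\t%s (%p)\n", szModName, (void*)hMods[i]);
            }
        }
    }
    CloseHandle(hProcess);
}

// Lists all processes from a Toolhelp snapshot: name, priority class base,
// PID, thread count and the path of the main module.
//
// The path column is empty for processes that cannot be opened with
// PROCESS_QUERY_INFORMATION | PROCESS_VM_READ (e.g. lsass.exe without
// SeDebugPrivilege); the original printed an uninitialized szPath in that
// case. Returns TRUE when the snapshot was walked, FALSE when the snapshot
// or Process32First failed. The original's unconditional `return FALSE;`
// after the else branch made it always return FALSE and leak the snapshot
// handle, and it called CloseHandle on an HMODULE, which is a module base
// address rather than a kernel handle.
BOOL ListProcess()
{
    HANDLE hProcessSnap = NULL;
    PROCESSENTRY32 pe32 = {0};
    BOOL bRet = FALSE;

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
        return FALSE;

    pe32.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hProcessSnap, &pe32))
    {
        _tprintf(TEXT("\rProcess\t\tPRIV\tPID\tTHREADS\t PATH\n"));
        do
        {
            HMODULE hModule = NULL;
            TCHAR szPath[MAX_PATH];
            DWORD cbNeeded = 0;
            HANDLE hProcess = NULL;

            // Unknown until proven otherwise.
            szPath[0] = TEXT('\0');

            hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
            if (hProcess != NULL)
            {
                // The first module returned is the executable itself.
                // nSize is in TCHARs, not bytes.
                if (EnumProcessModules(hProcess, &hModule, sizeof(HMODULE), &cbNeeded))
                    GetModuleFileNameEx(hProcess, hModule, szPath, sizeof(szPath) / sizeof(TCHAR));
                CloseHandle(hProcess);
            }

            _tprintf(TEXT("\r%-17s%-8d%-8d %-8d%s\n"),
                pe32.szExeFile,
                pe32.pcPriClassBase,
                pe32.th32ProcessID,
                pe32.cntThreads,
                szPath);
            // ListModules(pe32.th32ProcessID);
        } while (Process32Next(hProcessSnap, &pe32));
        bRet = TRUE;
    }
    else
    {
        _tprintf(TEXT("Process32First() Error\n"));
    }

    CloseHandle(hProcessSnap);
    return bRet;
}

// Entry point. Enables SeDebugPrivilege first: without it OpenProcess fails
// for service processes such as lsass.exe and their PATH column stays
// empty (this is the behaviour the question describes). SetPrivilege was
// defined but never called in the original. Enabling it requires an
// administrator token; processes the OS additionally protects may still
// refuse PROCESS_VM_READ.
int main(void)
{
    if (!SetPrivilege())
        printf("SeDebugPrivilege not enabled; some paths will be empty\n");
    return ListProcess() ? 0 : 1;
}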
//pskill.cpp
#include <windows.h>
#include <tlhelp32.h>
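#include <stdio.h>
#include <stdlib.h>

// Enables (bEnablePrivilege != FALSE) or disables the named privilege in
// hToken, which must have been opened with TOKEN_ADJUST_PRIVILEGES.
//
// Returns TRUE only when the privilege was actually adjusted:
// AdjustTokenPrivileges reports success with ERROR_NOT_ALL_ASSIGNED when
// the token does not hold the privilege, which the original treated as
// success. The caller keeps ownership of hToken.
BOOL SetPrivilege(HANDLE hToken,LPCTSTR lpszPrivilege,BOOL bEnablePrivilege)
{
    BOOL bRet = FALSE;
    LUID luid;
    TOKEN_PRIVILEGES tp;

    bRet = LookupPrivilegeValue(NULL, lpszPrivilege, &luid);
    if (!bRet)
        return bRet;

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    // Attributes is a DWORD; 0 (not NULL) clears SE_PRIVILEGE_ENABLED.
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    bRet = AdjustTokenPrivileges(hToken,
        FALSE,
        &tp,
        sizeof(TOKEN_PRIVILEGES),
        (PTOKEN_PRIVILEGES)NULL,
        (PDWORD)NULL);
    if (!bRet)
        return bRet;
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        return FALSE;
    return TRUE;
}

// Terminates the process with the given PID after enabling SeDebugPrivilege
// in the caller's token (needed for processes whose ACL denies the caller
// PROCESS_TERMINATE, e.g. services).
//
// Returns TRUE when TerminateProcess succeeded. On failure the Win32 error
// of the failing call is preserved for GetLastError() in the caller. Both
// handles are closed on every path; the original leaked them on each early
// return.
BOOL KillProcess(DWORD PID)
{
    HANDLE hProcess = NULL;
    HANDLE hToken = NULL;
    BOOL bKilled = FALSE;
    DWORD dwErr = ERROR_SUCCESS;

    // TOKEN_ADJUST_PRIVILEGES is all SetPrivilege needs; the original
    // requested TOKEN_ALL_ACCESS.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;

    if (SetPrivilege(hToken, SE_DEBUG_NAME, TRUE))
    {
        // PROCESS_TERMINATE is the only right TerminateProcess requires.
        hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, PID);
        if (hProcess != NULL)
        {
            bKilled = TerminateProcess(hProcess, 1);
            if (!bKilled)
                dwErr = GetLastError();
            CloseHandle(hProcess);
        }
        else
        {
            dwErr = GetLastError();
        }
    }
    else
    {
        dwErr = GetLastError();
    }

    CloseHandle(hToken);
    // CloseHandle may overwrite the last error; restore the one that matters.
    if (!bKilled)
        SetLastError(dwErr);
    return bKilled;
}

// Usage: pskill PID. Exit code 0 on success, 1 when the process could not
// be terminated, 0 with a usage message when called incorrectly (kept from
// the original).
int main(int argc, char **argv)
{
    char *pEnd = NULL;
    unsigned long pid;

    if (argc != 2)
    {
        printf("Usage: %s PID\n", argv[0]);
        return 0;
    }

    // strtoul instead of atoi: reject non-numeric input explicitly rather
    // than silently turning it into PID 0.
    pid = strtoul(argv[1], &pEnd, 10);
    if (pEnd == argv[1] || *pEnd != '\0')
    {
        printf("Usage: %s PID\n", argv[0]);
        return 1;
    }

    if (!KillProcess((DWORD)pid))
    {
        printf("The Process Can not Be Killed\n");
        printf("Error %lu\n", GetLastError());
        return 1;
    }
    return 0;
}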
http://blog.csdn.net/fbmly/archive/2010/04/01/5442965.aspx
问题解决了,用 AdjustTokenPrivileges 启用 SE_DEBUG_NAME(SeDebugPrivilege)提权的。
可以打开lsass.exe这个进程了。