怎样分辨一个进程是不是系统进程? 呀......那位太太帮帮忙呀我在等呢.......(呼唤ing........................) 解决方案 » 免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货 确认进程是系统默认的,文件本身是原始的确认进程模块是系统默认的(恶意程序可以启动远程线程)分析参数所代表的内容是系统默认的,比如rundll32,svchost的主要功能由参数决定。实现这些功能必须建立一个比较全的系统文件列表,包括md5校验码。 http://community.csdn.net/Expert/TopicView.asp?id=5357977 #include <stdio.h>#include <windows.h>#include <tchar.h>#include "accctrl.h"#include "aclapi.h"#include "Tlhelp32.h"#define MAX_NAME 256int PrintName(HANDLE handle,SE_OBJECT_TYPE s_o_t);void PrintLastError(){ LPVOID lpMsgBuf; FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, GetLastError(), MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language (LPTSTR) &lpMsgBuf, 0, NULL );// Process any inserts in lpMsgBuf.// ...// Display the string. printf("%s\n",lpMsgBuf);// Free the buffer. LocalFree( lpMsgBuf );}bool PrintUserName(DWORD pid){ HANDLE hProcess=OpenProcess(PROCESS_QUERY_INFORMATION,0,pid); if(!hProcess) { printf("OpenProcess:"); PrintLastError(); return false; } HANDLE hToken; BOOL bOK=OpenProcessToken(hProcess,TOKEN_QUERY,&hToken); if(!bOK) { CloseHandle(hProcess); hProcess=OpenProcess(PROCESS_ALL_ACCESS,0,pid); if(!hProcess) { printf("OpenProcess:"); PrintLastError(); return false; } //PrintName(hProcess,SE_KERNEL_OBJECT); bOK=OpenProcessToken(hProcess,TOKEN_QUERY,&hToken); if(!bOK) { PrintName(hProcess,SE_KERNEL_OBJECT); } return false; } PTOKEN_USER ptu; //PTOKEN_OWNER pto; DWORD cb=0; bOK=GetTokenInformation(hToken,TokenUser/*TokenOwner*/,NULL,cb,&cb); if(!bOK) { DWORD dwResult = GetLastError(); if( dwResult != ERROR_INSUFFICIENT_BUFFER ) { PrintLastError(); return FALSE; } } ptu=(PTOKEN_USER) GlobalAlloc(GPTR,cb); //pto=(PTOKEN_OWNER) GlobalAlloc(GPTR,cb); bOK=GetTokenInformation(hToken,TokenUser/*TokenOwner*/,ptu,cb,&cb); char name[1024]; DWORD cbname=1023; char domain[1024]; DWORD cbdomain=1023; SID_NAME_USE snu; memset(name,0,1024); memset(domain,0,1024); 
bOK=LookupAccountSid(NULL,ptu->User.Sid/*pto->Owner*/,name,&cbname,domain,&cbdomain,&snu); if(!bOK) { // CloseHandle(hToken); //CloseHandle(hProcess); return false; } printf("%-20s\n",name);// CloseHandle(hToken);// CloseHandle(hProcess);*/ return true;}BOOL SetPrivilege( HANDLE hToken, // access token handle LPCTSTR lpszPrivilege, // name of privilege to enable/disable BOOL bEnablePrivilege // to enable or disable privilege ) {TOKEN_PRIVILEGES tp;LUID luid;if ( !LookupPrivilegeValue( NULL, // lookup privilege on local system lpszPrivilege, // privilege to lookup &luid ) ) // receives LUID of privilege{ printf("LookupPrivilegeValue error: %u\n", GetLastError() ); return FALSE; }tp.PrivilegeCount = 1;tp.Privileges[0].Luid = luid;if (bEnablePrivilege) tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;else tp.Privileges[0].Attributes = 0;// Enable the privilege or disable all privileges.if ( !AdjustTokenPrivileges( hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES) NULL, (PDWORD) NULL) ){ printf("AdjustTokenPrivileges error: %u\n", GetLastError() ); return FALSE; } if (GetLastError() == ERROR_NOT_ALL_ASSIGNED){ printf("The token does not have the specified privilege. 
\n"); return FALSE;} return TRUE;}int PrintName(HANDLE handle,SE_OBJECT_TYPE s_o_t){ DWORD dwRtnCode = 0;PSID pSidOwner;BOOL bRtnBool = TRUE;LPTSTR AcctName, DomainName;DWORD dwAcctName = 1, dwDomainName = 1;SID_NAME_USE eUse = SidTypeUnknown;//HANDLE hFile;PSECURITY_DESCRIPTOR pSD;pSidOwner = (PSID)GlobalAlloc( GMEM_FIXED, sizeof(PSID));// Allocate memory for the security descriptor structure.pSD = (PSECURITY_DESCRIPTOR)GlobalAlloc( GMEM_FIXED, sizeof(PSECURITY_DESCRIPTOR));// Get the owner SID of the file.dwRtnCode = GetSecurityInfo( handle, s_o_t, OWNER_SECURITY_INFORMATION, &pSidOwner, NULL, NULL, NULL, &pSD);// Check GetLastError for GetSecurityInfo error condition.if (dwRtnCode != ERROR_SUCCESS) { DWORD dwErrorCode = 0; dwErrorCode = GetLastError(); _tprintf(TEXT("GetSecurityInfo error = %d\n"), dwErrorCode); return -1;}// First call to LookupAccountSid to get the buffer sizes.bRtnBool = LookupAccountSid( NULL, // local computer pSidOwner, AcctName, (LPDWORD)&dwAcctName, DomainName, (LPDWORD)&dwDomainName, &eUse);// Reallocate memory for the buffers.AcctName = (char *)GlobalAlloc( GMEM_FIXED, dwAcctName);// Check GetLastError for GlobalAlloc error condition.if (AcctName == NULL) { DWORD dwErrorCode = 0; dwErrorCode = GetLastError(); _tprintf(TEXT("GlobalAlloc error = %d\n"), dwErrorCode); return -1;} DomainName = (char *)GlobalAlloc( GMEM_FIXED, dwDomainName); // Check GetLastError for GlobalAlloc error condition. if (DomainName == NULL) { DWORD dwErrorCode = 0; dwErrorCode = GetLastError(); _tprintf(TEXT("GlobalAlloc error = %d\n"), dwErrorCode); return -1; } // Second call to LookupAccountSid to get the account name. 
bRtnBool = LookupAccountSid( NULL, // name of local or remote computer pSidOwner, // security identifier AcctName, // account name buffer (LPDWORD)&dwAcctName, // size of account name buffer DomainName, // domain name (LPDWORD)&dwDomainName, // size of domain name buffer &eUse); // SID type // Check GetLastError for LookupAccountSid error condition. if (bRtnBool == FALSE) { DWORD dwErrorCode = 0; dwErrorCode = GetLastError(); if (dwErrorCode == ERROR_NONE_MAPPED) _tprintf(TEXT("Account owner not found for specified SID.\n")); else _tprintf(TEXT("Error in LookupAccountSid.\n")); return -1; } else if (bRtnBool == TRUE) // Print the account name. _tprintf(TEXT("%-20s\n"), AcctName); return 1;}int main(int argc, char **argv){HANDLE hToken; if (!OpenProcessToken( GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken )) { printf( "OpenProcessToken Error %u\n", GetLastError() ); return 0; } SetPrivilege(hToken,SE_DEBUG_NAME,TRUE); SetPrivilege(hToken,SE_SECURITY_NAME,TRUE); HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); if(hSnap==INVALID_HANDLE_VALUE) return 0; PROCESSENTRY32 pe; pe.dwSize=sizeof(PROCESSENTRY32); BOOL bOK=Process32First(hSnap,&pe); if(bOK) { printf("ThePid TheParentPid ExeFile UserName\n"); printf("%-8d %-8d %-20s\n",pe.th32ProcessID,pe.th32ParentProcessID,pe.szExeFile); while(Process32Next(hSnap,&pe)) { printf("%-8d %-8d %-20s",pe.th32ProcessID,pe.th32ParentProcessID,pe.szExeFile); PrintUserName(pe.th32ProcessID); } }SetPrivilege(hToken,SE_DEBUG_NAME,FALSE); SetPrivilege(hToken,SE_SECURITY_NAME ,0); return 0;}看看这段代码 对你有没有用。 ThePid TheParentPid ExeFile UserName0 0 [System Process]4 0 System Administrators916 4 smss.exe SYSTEM984 916 csrss.exe SYSTEM1008 916 winlogon.exe SYSTEM1052 1008 services.exe SYSTEM1064 1008 lsass.exe SYSTEM1220 1052 svchost.exe SYSTEM1300 1052 svchost.exe NETWORK SERVICE1408 1052 svchost.exe SYSTEM1460 1052 svchost.exe NETWORK SERVICE1536 1052 svchost.exe LOCAL SERVICE2008 1992 explorer.exe zkjiao256 1052 spoolsv.exe 
SYSTEM
460 2008 avp.exe zkjiao
476 2008 realsched.exe zkjiao
484 2008 VM_STI.EXE zkjiao
492 2008 ctfmon.exe zkjiao
660 2008 ishare_user.exe zkjiao
1248 1052 nvsvc32.exe SYSTEM
1404 1052 svchost.exe SYSTEM
1628 1052 wdfmgr.exe LOCAL SERVICE
292 1052 alg.exe LOCAL SERVICE
3868 2008 cmmon32.exe zkjiao
2336 1444 conime.exe zkjiao
2932 3932 BitComet.exe zkjiao
2252 2008 Maze.exe zkjiao
3920 2252 MazeSvr.exe zkjiao
3112 1052 avp.exe SYSTEM
2540 2008 UCtalk.exe zkjiao
332 2008 Maxthon.exe zkjiao
2736 2008 MSDEV.EXE zkjiao
2512 1220 rvsim.exe zkjiao
3408 2932 UPNP.exe zkjiao
1844 2932 UPNP.exe zkjiao
288 2736 VCSPAWN.EXE zkjiao
884 288 FOOF.exe zkjiao
这是在我机子上的执行结果。你看看对你有没有用。
系统进程?好像没有什么明确的规则可以定义某个进程是不是系统进程。9x、2000、XP 各有一份系统进程清单,只能根据这些清单逐一判断,效率确实不高,不知道是不是有其他更好的办法。需要注意的是,只按进程名比对清单很容易被绕过:恶意程序可以把自己命名为 svchost.exe 之类的系统进程名,也可以用远程线程把代码注入到真正的系统进程里。比较可靠的做法是同时核对映像的完整路径(是否在 %SystemRoot%\System32 下)、文件的数字签名或哈希、父进程以及运行账户——例如上面的输出里,真正的 svchost.exe 父进程都是 services.exe(1052),运行账户是 SYSTEM、NETWORK SERVICE 或 LOCAL SERVICE;一个以普通用户账户运行、父进程是 explorer.exe 的"svchost.exe"就值得怀疑。
确认进程加载的模块(DLL)都是系统默认的——恶意程序可以通过远程线程把自己的 DLL 注入到合法的系统进程中,此时进程映像本身仍是原始文件,但进程里跑着的是恶意代码,只校验 exe 文件是发现不了的。
分析命令行参数所代表的内容是否是系统默认的——像 rundll32.exe、svchost.exe 这类宿主进程,实际功能完全由参数(要加载的 DLL 或服务组)决定,映像本身是原始的并不说明它在做的事是正常的。要实现这些检查,必须建立一份比较完整的系统文件清单并附上校验值;注意 MD5 已经可以被构造碰撞,校验值应改用 SHA-256,最好再结合 Authenticode 数字签名校验,而不是只比对文件名。
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <tchar.h>
#include "accctrl.h"
#include "aclapi.h"
#include "Tlhelp32.h"
#define MAX_NAME 256
int PrintName(HANDLE handle,SE_OBJECT_TYPE s_o_t);
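void PrintLastError()
{
    /*
     * Print the text of the calling thread's last Win32 error to stdout,
     * ending the current output line.
     *
     * GetLastError() is read first, before any other call can overwrite it.
     * If FormatMessage itself fails (no message for the code, allocation
     * failure) the numeric code is printed instead; the original printed
     * through an uninitialised pointer and passed it to LocalFree in that case.
     *
     * The message is passed to printf as a "%s" argument, never as the format
     * string, so message text cannot be interpreted as format directives.
     * Assumes the non-UNICODE build the rest of this file relies on (char
     * buffers, printf("%s")).
     */
    DWORD err = GetLastError();
    LPVOID lpMsgBuf = NULL;
    DWORD len = FormatMessage(
        FORMAT_MESSAGE_ALLOCATE_BUFFER |
        FORMAT_MESSAGE_FROM_SYSTEM |
        FORMAT_MESSAGE_IGNORE_INSERTS,
        NULL,
        err,
        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // default language
        (LPTSTR) &lpMsgBuf,
        0,
        NULL);

    if (len == 0 || lpMsgBuf == NULL) {
        // No message text available: still end the line so the table stays aligned.
        printf("error %lu\n", (unsigned long) err);
        return;
    }

    printf("%s\n", (const char *) lpMsgBuf);
    LocalFree(lpMsgBuf);   // buffer was allocated by FORMAT_MESSAGE_ALLOCATE_BUFFER
}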
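bool PrintUserName(DWORD pid)
{
    /*
     * Print the account name of the user SID in the primary token of process
     * `pid` and return true on success.  Every path ends the current output
     * line, so the table printed by main() stays aligned even when a lookup
     * fails (the original returned without a newline on LookupAccountSid
     * failure, gluing the next row onto the same line).
     *
     * Rights: only PROCESS_QUERY_INFORMATION is requested, which is what
     * OpenProcessToken needs.  The original retried with PROCESS_ALL_ACCESS,
     * which grants nothing extra for a token query and asks for far more than
     * the tool uses.  Opening SYSTEM / service processes still requires
     * SeDebugPrivilege to be enabled on our own token (done in main()).
     *
     * Fallback: if the token cannot be opened, the owner of the process
     * object itself is printed via PrintName() (see its note on why that is
     * not the same thing as the account the process runs as) and false is
     * returned.
     *
     * Fixes over the original: the fallback path no longer returns false even
     * when the retry succeeded; the process handle, token handle and the
     * TOKEN_USER buffer are released on all paths; the second
     * GetTokenInformation call and GlobalAlloc are checked.
     *
     * Note (review): the account is only one signal.  A process whose image
     * name matches a service host but which runs as an interactive user, or
     * whose parent is not services.exe, deserves a closer look.
     */
    bool ok = false;
    HANDLE hProcess = NULL;
    HANDLE hToken = NULL;
    PTOKEN_USER ptu = NULL;
    DWORD cb = 0;
    char name[1024];
    char domain[1024];
    DWORD cbname = sizeof(name) - 1;       // sizes are in TCHARs (ANSI build: bytes)
    DWORD cbdomain = sizeof(domain) - 1;
    SID_NAME_USE snu;

    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (!hProcess) {
        printf("OpenProcess:");
        PrintLastError();   // ends the line
        return false;
    }

    if (!OpenProcessToken(hProcess, TOKEN_QUERY, &hToken)) {
        printf("OpenProcessToken:");
        PrintLastError();
        // Best effort: show who owns the process object instead.
        // PrintName prints exactly one line on every path.
        PrintName(hProcess, SE_KERNEL_OBJECT);
        CloseHandle(hProcess);
        return false;
    }

    // Sizing call: with a NULL buffer this fails with ERROR_INSUFFICIENT_BUFFER
    // and reports the required size in cb.  Any other error is fatal.
    if (!GetTokenInformation(hToken, TokenUser, NULL, 0, &cb) &&
        GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
        printf("GetTokenInformation:");
        PrintLastError();
        goto cleanup;
    }
    if (cb == 0) {
        printf("GetTokenInformation: empty TOKEN_USER\n");
        goto cleanup;
    }

    ptu = (PTOKEN_USER) GlobalAlloc(GPTR, cb);
    if (ptu == NULL) {
        printf("GlobalAlloc:");
        PrintLastError();
        goto cleanup;
    }
    if (!GetTokenInformation(hToken, TokenUser, ptu, cb, &cb)) {
        printf("GetTokenInformation:");
        PrintLastError();
        goto cleanup;
    }

    memset(name, 0, sizeof(name));
    memset(domain, 0, sizeof(domain));
    if (!LookupAccountSid(NULL, ptu->User.Sid, name, &cbname, domain, &cbdomain, &snu)) {
        printf("LookupAccountSid:");
        PrintLastError();
        goto cleanup;
    }

    // `name` is API output printed as a "%s" argument, never as a format string.
    printf("%-20s\n", name);
    ok = true;

cleanup:
    if (ptu) {
        GlobalFree(ptu);
    }
    CloseHandle(hToken);
    CloseHandle(hProcess);
    return ok;
}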
BOOL SetPrivilege(
    HANDLE hToken,            // access token handle (needs TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY)
    LPCTSTR lpszPrivilege,    // privilege name, e.g. SE_DEBUG_NAME
    BOOL bEnablePrivilege     // TRUE to enable, FALSE to disable
    )
{
    /*
     * Enable or disable exactly one privilege on `hToken`.
     *
     * Returns TRUE only when the privilege is present in the token and the
     * adjustment was applied.  Returns FALSE (after printing a diagnostic)
     * when the privilege name is unknown, AdjustTokenPrivileges fails, or the
     * token never held the privilege at all (ERROR_NOT_ALL_ASSIGNED, e.g. a
     * non-administrator asking for SeDebugPrivilege).
     *
     * Only the named privilege is touched: the DisableAllPrivileges argument
     * of AdjustTokenPrivileges is always FALSE.  Disabling sets the attribute
     * word to 0; it does not remove the privilege from the token.
     */
    LUID luid;
    if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid)) {
        printf("LookupPrivilegeValue error: %u\n", GetLastError());
        return FALSE;
    }

    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
    if (!adjusted) {
        printf("AdjustTokenPrivileges error: %u\n", GetLastError());
        return FALSE;
    }

    // AdjustTokenPrivileges returns TRUE even when nothing was assigned;
    // the last-error code is what tells the two outcomes apart.
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        printf("The token does not have the specified privilege. \n");
        return FALSE;
    }
    return TRUE;
}
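int PrintName(HANDLE handle, SE_OBJECT_TYPE s_o_t)
{
    /*
     * Print the account name of the OWNER of the securable object `handle`
     * (object type `s_o_t`, e.g. SE_KERNEL_OBJECT for a process handle).
     * Returns 1 on success, -1 on any failure; every path prints exactly one
     * line, so callers need not add a newline.
     *
     * What is printed is the owner field of the object's security descriptor,
     * which is not the account the process runs as: in the sample output
     * above, PID 4 (System) shows "Administrators" via this fallback while its
     * children show "SYSTEM" from their tokens.  Treat it as a last resort.
     *
     * Fixes over the original:
     *  - GetSecurityInfo allocates the security descriptor itself and returns
     *    the owner SID as a pointer INTO it, so nothing is pre-allocated for
     *    them and pSD is released with LocalFree.  The original GlobalAlloc'd
     *    two pointer-sized blocks, immediately overwrote the pointers, and
     *    leaked everything.
     *  - GetSecurityInfo returns the error code directly; GetLastError() is
     *    not meaningful for it and was printed instead.
     *  - The sizing call to LookupAccountSid passes NULL buffers with zero
     *    sizes instead of uninitialised pointers with size 1, and is checked
     *    for ERROR_INSUFFICIENT_BUFFER.
     *  - Name buffers are sized in TCHARs and freed on all paths.
     */
    int rc = -1;
    DWORD dwRtnCode = ERROR_SUCCESS;
    DWORD dwErrorCode = 0;
    PSID pSidOwner = NULL;               // points into pSD; not freed separately
    PSECURITY_DESCRIPTOR pSD = NULL;     // allocated by GetSecurityInfo, LocalFree'd below
    LPTSTR AcctName = NULL;
    LPTSTR DomainName = NULL;
    DWORD dwAcctName = 0;                // sizes are in TCHARs
    DWORD dwDomainName = 0;
    SID_NAME_USE eUse = SidTypeUnknown;

    dwRtnCode = GetSecurityInfo(handle, s_o_t, OWNER_SECURITY_INFORMATION,
                                &pSidOwner, NULL, NULL, NULL, &pSD);
    if (dwRtnCode != ERROR_SUCCESS) {
        _tprintf(TEXT("GetSecurityInfo error = %lu\n"), (unsigned long) dwRtnCode);
        return -1;
    }

    // Sizing call: expected to fail with ERROR_INSUFFICIENT_BUFFER and report
    // the required sizes.  Any other failure is reported the same way as a
    // failure of the real lookup.
    if (!LookupAccountSid(NULL, pSidOwner, NULL, &dwAcctName, NULL, &dwDomainName, &eUse)) {
        dwErrorCode = GetLastError();
        if (dwErrorCode != ERROR_INSUFFICIENT_BUFFER) {
            if (dwErrorCode == ERROR_NONE_MAPPED)
                _tprintf(TEXT("Account owner not found for specified SID.\n"));
            else
                _tprintf(TEXT("Error in LookupAccountSid.\n"));
            goto cleanup;
        }
    }
    if (dwAcctName == 0 || dwDomainName == 0) {
        _tprintf(TEXT("Error in LookupAccountSid.\n"));
        goto cleanup;
    }

    AcctName = (LPTSTR) GlobalAlloc(GMEM_FIXED, dwAcctName * sizeof(TCHAR));
    if (AcctName == NULL) {
        _tprintf(TEXT("GlobalAlloc error = %lu\n"), (unsigned long) GetLastError());
        goto cleanup;
    }
    DomainName = (LPTSTR) GlobalAlloc(GMEM_FIXED, dwDomainName * sizeof(TCHAR));
    if (DomainName == NULL) {
        _tprintf(TEXT("GlobalAlloc error = %lu\n"), (unsigned long) GetLastError());
        goto cleanup;
    }

    // Second call does the actual translation into the sized buffers.
    if (!LookupAccountSid(NULL, pSidOwner, AcctName, &dwAcctName,
                          DomainName, &dwDomainName, &eUse)) {
        dwErrorCode = GetLastError();
        if (dwErrorCode == ERROR_NONE_MAPPED)
            _tprintf(TEXT("Account owner not found for specified SID.\n"));
        else
            _tprintf(TEXT("Error in LookupAccountSid.\n"));
        goto cleanup;
    }

    // AcctName is API output passed as a "%s" argument, never as the format string.
    _tprintf(TEXT("%-20s\n"), AcctName);
    rc = 1;

cleanup:
    if (DomainName) {
        GlobalFree(DomainName);
    }
    if (AcctName) {
        GlobalFree(AcctName);
    }
    LocalFree(pSD);
    return rc;
}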
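int main(int argc, char **argv)
{
    /*
     * Enumerate every process in a Toolhelp snapshot and print, per process,
     * PID, parent PID, image file name and the account it runs as.
     *
     * SeDebugPrivilege is enabled so that SYSTEM / service processes can be
     * opened, SeSecurityPrivilege for the owner fallback in PrintName().  If
     * either cannot be enabled (non-administrator), SetPrivilege prints a
     * diagnostic and the listing still runs, but the UserName column will
     * show an OpenProcess error for processes we may not open — read that as
     * "unknown", not as "not a system process".
     *
     * Our own token is opened with TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
     * which is all SetPrivilege needs (the original asked for
     * TOKEN_ALL_ACCESS).  The snapshot and token handles are closed and the
     * privileges disabled again before exit.  Exit code 0 on success, 1 if
     * the token or the snapshot could not be obtained.
     *
     * Note (review): image name plus account is weak evidence on its own —
     * malware commonly reuses names such as svchost.exe.  Cross-check the
     * image path, its digital signature and the parent PID before calling a
     * process "system".
     */
    (void) argc;
    (void) argv;

    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        printf("OpenProcessToken Error %u\n", GetLastError());
        return 1;
    }

    // Remember what was actually enabled so we only disable what we changed.
    BOOL bDebug = SetPrivilege(hToken, SE_DEBUG_NAME, TRUE);
    BOOL bSecurity = SetPrivilege(hToken, SE_SECURITY_NAME, TRUE);

    int rc = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        printf("CreateToolhelp32Snapshot:");
        PrintLastError();
        rc = 1;
    } else {
        PROCESSENTRY32 pe;
        pe.dwSize = sizeof(pe);   // required by Process32First/Next
        if (Process32First(hSnap, &pe)) {
            printf("ThePid TheParentPid ExeFile UserName\n");
            do {
                // Row prefix has no newline: PrintUserName (or the branch
                // below) always terminates the line.
                printf("%-8lu %-8lu %-20s",
                       (unsigned long) pe.th32ProcessID,
                       (unsigned long) pe.th32ParentProcessID,
                       pe.szExeFile);
                if (pe.th32ProcessID == 0) {
                    // PID 0 is the idle pseudo-process ("[System Process]" in
                    // the sample output); it has no token to open, and the
                    // original skipped the lookup for the first entry too.
                    printf("\n");
                } else {
                    PrintUserName(pe.th32ProcessID);
                }
            } while (Process32Next(hSnap, &pe));
        }
        CloseHandle(hSnap);
    }

    if (bDebug) {
        SetPrivilege(hToken, SE_DEBUG_NAME, FALSE);
    }
    if (bSecurity) {
        SetPrivilege(hToken, SE_SECURITY_NAME, FALSE);
    }
    CloseHandle(hToken);
    return rc;
}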
看看这段代码对你有没有用。它列出每个进程的 PID、父进程 PID、映像名和运行账户;账户信息只是判断"系统进程"的辅助线索之一,不能单凭它下结论。
0 0 [System Process]
4 0 System Administrators
916 4 smss.exe SYSTEM
984 916 csrss.exe SYSTEM
1008 916 winlogon.exe SYSTEM
1052 1008 services.exe SYSTEM
1064 1008 lsass.exe SYSTEM
1220 1052 svchost.exe SYSTEM
1300 1052 svchost.exe NETWORK SERVICE
1408 1052 svchost.exe SYSTEM
1460 1052 svchost.exe NETWORK SERVICE
1536 1052 svchost.exe LOCAL SERVICE
2008 1992 explorer.exe zkjiao
256 1052 spoolsv.exe SYSTEM
460 2008 avp.exe zkjiao
476 2008 realsched.exe zkjiao
484 2008 VM_STI.EXE zkjiao
492 2008 ctfmon.exe zkjiao
660 2008 ishare_user.exe zkjiao
1248 1052 nvsvc32.exe SYSTEM
1404 1052 svchost.exe SYSTEM
1628 1052 wdfmgr.exe LOCAL SERVICE
292 1052 alg.exe LOCAL SERVICE
3868 2008 cmmon32.exe zkjiao
2336 1444 conime.exe zkjiao
2932 3932 BitComet.exe zkjiao
2252 2008 Maze.exe zkjiao
3920 2252 MazeSvr.exe zkjiao
3112 1052 avp.exe SYSTEM
2540 2008 UCtalk.exe zkjiao
332 2008 Maxthon.exe zkjiao
2736 2008 MSDEV.EXE zkjiao
2512 1220 rvsim.exe zkjiao
3408 2932 UPNP.exe zkjiao
1844 2932 UPNP.exe zkjiao
288 2736 VCSPAWN.EXE zkjiao
884 288 FOOF.exe zkjiao
这是在我机子上的执行结果。
你看看对你有没有用。