  • 未公开函数 NtQuerySystemInformation 遍历进程信息，获得进程的用户名（如 SYSTEM、Administrator 等）

    遍历进程用户名

    代码例子

    
    
    #include <windows.h>
    #include <COMDEF.H>
    #include <Tlhelp32.h>
    #include <tchar.h>
    #include <stdio.h>
    #include <cstdlib>
    #include <cstring>
    #include <iostream>
    #include <vector>
    using namespace std;
    
    
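    // Counted UTF-16 string used by the native (Nt*) API. Layout mirrors the
    // documented winternl.h UNICODE_STRING (Length/MaximumLength are byte counts
    // there; Buffer need not be NUL-terminated).
    typedef struct _UNICODE_STRING {
        USHORT Length;
        USHORT MaximumLength;
        PWSTR  Buffer;
    } UNICODE_STRING, *PUNICODE_STRING;

    // One record of the SystemProcessInformation (class 5) array returned by
    // NtQuerySystemInformation. Records are chained by dwNextEntryOffset and
    // the chain ends at the record whose dwNextEntryOffset is 0.
    //
    // Field types follow the documented winternl.h layout. The process id,
    // parent id, process key and working-set fields are pointer sized there
    // (HANDLE / PVOID / SIZE_T). Declaring them DWORD, as the original did, is
    // only correct for 32-bit builds: on x64 dwProcessId lands 4 bytes early
    // (it does not get the 8-byte alignment that HANDLE has after the 4-byte
    // nBasePriority) and every later field shifts, so the pid compare in
    // GetProcessUser reads alignment padding instead of the pid. ULONG_PTR
    // keeps the existing names and integer compares while giving the right
    // size and alignment on both x86 and x64.
    // Only dwNextEntryOffset, dwProcessId and qCreateTime are read in this file.
    typedef struct _SYSTEM_PROCESS_INFORMATION
    {
        DWORD           dwNextEntryOffset;
        DWORD           dwNumberOfThreads;
        LARGE_INTEGER   qSpareLi1;                       // Reserved1[48] in winternl.h:
        LARGE_INTEGER   qSpareLi2;                       //   three opaque quadwords ...
        LARGE_INTEGER   qSpareLi3;
        LARGE_INTEGER   qCreateTime;                     //   ... then create/user/kernel time
        LARGE_INTEGER   qUserTime;                       //   (qCreateTime is memcpy'd to a FILETIME)
        LARGE_INTEGER   qKernelTime;
        UNICODE_STRING  ImageName;
        int             nBasePriority;                   // KPRIORITY
        ULONG_PTR       dwProcessId;                     // HANDLE UniqueProcessId
        ULONG_PTR       dwInheritedFromUniqueProcessId;  // parent pid (PVOID Reserved2)
        DWORD           dwHandleCount;
        DWORD           dwSessionId;
        ULONG_PTR       dwSpareUl3;                      // PVOID Reserved3 (UniqueProcessKey)
        SIZE_T          tPeakVirtualSize;
        SIZE_T          tVirtualSize;
        DWORD           dwPageFaultCount;
        SIZE_T          dwPeakWorkingSetSize;            // SIZE_T, not DWORD, in the real struct
        SIZE_T          dwWorkingSetSize;
        SIZE_T          tQuotaPeakPagedPoolUsage;
        SIZE_T          tQuotaPagedPoolUsage;
        SIZE_T          tQuotaPeakNonPagedPoolUsage;
        SIZE_T          tQuotaNonPagedPoolUsage;
        SIZE_T          tPagefileUsage;
        SIZE_T          tPeakPagefileUsage;
        SIZE_T          tPrivatePageCount;
        LARGE_INTEGER   qReadOperationCount;             // Reserved7[6] in winternl.h
        LARGE_INTEGER   qWriteOperationCount;
        LARGE_INTEGER   qOtherOperationCount;
        LARGE_INTEGER   qReadTransferCount;
        LARGE_INTEGER   qWriteTransferCount;
        LARGE_INTEGER   qOtherTransferCount;
    } SYSTEM_PROCESS_INFORMATION;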
    
    
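    // Older SDK headers (or a low _WIN32_WINNT) do not define this flag; the
    // value is the documented one from libloaderapi.h.
    #ifndef LOAD_LIBRARY_SEARCH_SYSTEM32
    #define LOAD_LIBRARY_SEARCH_SYSTEM32 0x00000800
    #endif

    /*----------------------------------------------------
        Resolve an exported function from a system DLL.
        pDllName  : module name, e.g. TEXT("ntdll.dll")
        pProcName : ANSI export name
        Returns   : address of the export, or NULL if the module or the
                    export cannot be found (GetLastError() tells which).
        The module reference taken here is deliberately never released, so
        the returned pointer stays valid for the life of the process.
    ----------------------------------------------------*/
    VOID* GetDllProc(const TCHAR* pDllName, const CHAR* pProcName)
    {
        if (pDllName == NULL || pProcName == NULL)
            return NULL;

        // LoadLibrary(name) walks the default search order (application
        // directory, current directory, PATH, ...), so a planted winsta.dll or
        // utildll.dll next to this binary would be loaded instead of the real
        // one (DLL search-order hijacking). Restrict the lookup to System32.
        // LOAD_LIBRARY_SEARCH_SYSTEM32 needs Windows 8, or Windows 7 with
        // KB2533623; on older systems the call fails with ERROR_INVALID_PARAMETER.
        HMODULE hMod = LoadLibraryEx(pDllName, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
        if (hMod == NULL)
            return NULL;

        // FARPROC -> VOID* is not an implicit conversion in standard C++.
        return reinterpret_cast<VOID*>(GetProcAddress(hMod, pProcName));
    }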
    
    // Function-pointer types for the exports this file resolves at run time
    // with GetDllProc. None of them is declared in the public SDK headers, so
    // the signatures below are the ones this file's call sites rely on.

    // ntdll!NtQuerySystemInformation — returns an NTSTATUS (LONG).
    using Fun_NtQuerySystemInformation = LONG(WINAPI*)(int   SystemInformationClass,
                                                       OUT PVOID SystemInformation,
                                                       IN ULONG SystemInformationLength,
                                                       OUT ULONG* pReturnLength OPTIONAL);

    // winsta!WinStationGetProcessSid — BOOLEAN-style BYTE result; the process is
    // identified by pid plus creation time.
    using Fun_WinStationGetProcessSid = BYTE(WINAPI*)(HANDLE hServer, DWORD ProcessId,
                                                      FILETIME ProcessStartTime,
                                                      PBYTE pProcessUserSid, PDWORD dwSidSize);

    // utildll!CachedGetUserFromSid — maps a SID to a user name.
    using Fun_CachedGetUserFromSid = VOID(WINAPI*)(PSID pSid, PWCHAR pUserName, PULONG cbUserName);
    
    // NTSTATUS returned by NtQuerySystemInformation when the supplied buffer is
    // too small; GetSysProcInfo retries with a larger one on this value.
    constexpr LONG STATUS_INFO_LENGTH_MISMATCH = static_cast<LONG>(0xC0000004L);

    // SYSTEM_INFORMATION_CLASS value selecting the per-process record array.
    constexpr int SystemProcessInformation = 5;
    
    
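    /*------------------------------------------------------------------
        Fetch the SystemProcessInformation array from NtQuerySystemInformation.
        ppSysProcInfo : receives a malloc()'d buffer holding the chained
                        SYSTEM_PROCESS_INFORMATION records; the caller must
                        free() it. Set to NULL on failure.
        Returns TRUE on success; FALSE if the export cannot be resolved, the
        buffer cannot be allocated, the size cap is hit, or the query fails.
    --------------------------------------------------------------------*/
    BOOL GetSysProcInfo(SYSTEM_PROCESS_INFORMATION** ppSysProcInfo)
    {
        if (ppSysProcInfo == NULL)
            return FALSE;
        *ppSysProcInfo = NULL;

        Fun_NtQuerySystemInformation pfnQuery = (Fun_NtQuerySystemInformation)
            ::GetDllProc(TEXT("NTDLL.DLL"), "NtQuerySystemInformation");
        if (pfnQuery == NULL)
            return FALSE;

        // The snapshot size is only known after asking, so start at 1 MiB and
        // grow. Growth is capped: the original doubled without bound, so a
        // persistent STATUS_INFO_LENGTH_MISMATCH wrapped dwSize to 0 after
        // twelve doublings and then looped forever on a zero-length buffer.
        const DWORD kMaxSize = 256u * 1024u * 1024u;
        DWORD dwSize = 1024 * 1024;
        VOID* pBuf = NULL;
        LONG lRetVal = STATUS_INFO_LENGTH_MISMATCH;

        while (true)
        {
            free(pBuf);                         // no-op on the first pass
            pBuf = malloc(dwSize);
            if (pBuf == NULL)
                return FALSE;                   // never hand a NULL buffer to the kernel

            ULONG ulNeeded = 0;
            lRetVal = pfnQuery(SystemProcessInformation, pBuf, dwSize, &ulNeeded);
            if (lRetVal != STATUS_INFO_LENGTH_MISMATCH)
                break;

            if (dwSize >= kMaxSize)
            {
                free(pBuf);
                return FALSE;
            }
            // Prefer the kernel's size hint when it reports one (the process
            // list can still grow between calls, hence the retry), else double.
            DWORD dwNext = dwSize * 2;          // cannot overflow: dwSize < kMaxSize
            if (ulNeeded > dwNext && ulNeeded < kMaxSize)
                dwNext = ulNeeded + 64 * 1024;  // slack for processes started meanwhile
            if (dwNext > kMaxSize)
                dwNext = kMaxSize;
            dwSize = dwNext;
        }

        if (lRetVal != 0)                       // anything but STATUS_SUCCESS
        {
            free(pBuf);
            return FALSE;
        }

        *ppSysProcInfo = (SYSTEM_PROCESS_INFORMATION*)pBuf;
        return TRUE;
    }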
    
    
    
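    // Look up process dwPid in the NtQuerySystemInformation snapshot and copy
    // its creation time to *pftCreate (together with the pid it identifies the
    // process for WinStationGetProcessSid, so a recycled pid is not confused
    // with the old process). Returns FALSE if the snapshot fails or the pid is
    // absent. The snapshot buffer is always released before returning.
    static BOOL FindProcessCreateTime(DWORD dwPid, FILETIME* pftCreate)
    {
        SYSTEM_PROCESS_INFORMATION* pProcInfo = NULL;
        if (!GetSysProcInfo(&pProcInfo) || pProcInfo == NULL)
            return FALSE;

        BOOL bFound = FALSE;
        const SYSTEM_PROCESS_INFORMATION* pCur = pProcInfo;
        for (;;)
        {
            if (pCur->dwProcessId == dwPid)
            {
                memcpy(pftCreate, &pCur->qCreateTime, sizeof(*pftCreate));
                bFound = TRUE;
                break;
            }
            if (pCur->dwNextEntryOffset == 0)   // last record in the chain
                break;
            pCur = (const SYSTEM_PROCESS_INFORMATION*)
                ((const BYTE*)pCur + pCur->dwNextEntryOffset);
        }
        free(pProcInfo);
        return bFound;
    }

    /*------------------------------------------------------------------
        Resolve the account name of the user that owns process dwPid.
        dwPid     : process id
        pbStrUser : receives the user name; left untouched on failure
        Returns TRUE on success, FALSE if any step fails.

        Uses two undocumented Terminal Services helpers resolved at run time:
        winsta!WinStationGetProcessSid returns the process's user SID and
        utildll!CachedGetUserFromSid maps that SID to a name. Neither has a
        stability guarantee.
        NOTE(review): the documented route — OpenProcess with
        PROCESS_QUERY_LIMITED_INFORMATION, OpenProcessToken,
        GetTokenInformation(TokenUser), LookupAccountSid — needs no private
        API and is the better choice for production code.
    --------------------------------------------------------------------*/
    BOOL GetProcessUser(DWORD dwPid, _bstr_t* pbStrUser)
    {
        if (pbStrUser == NULL)
            return FALSE;

        Fun_WinStationGetProcessSid pfnGetProcessSid = (Fun_WinStationGetProcessSid)
            GetDllProc(TEXT("Winsta.dll"), "WinStationGetProcessSid");
        Fun_CachedGetUserFromSid pfnGetUserFromSid = (Fun_CachedGetUserFromSid)
            GetDllProc(TEXT("utildll.dll"), "CachedGetUserFromSid");
        if (pfnGetProcessSid == NULL || pfnGetUserFromSid == NULL)
            return FALSE;

        // The snapshot is freed inside the helper, so none of the early returns
        // below can leak it (the original freed it only on the not-found path
        // and leaked roughly a megabyte on every other exit).
        FILETIME ftStartTime = {};
        if (!FindProcessCreateTime(dwPid, &ftStartTime))
            return FALSE;

        // Sizing call with no buffer: the original expects it to report failure
        // (0) and fill in the SID size. The size is assumed in/out, so it starts
        // at 0 rather than uninitialised.
        DWORD dwSidSize = 0;
        if (pfnGetProcessSid(NULL, dwPid, ftStartTime, NULL, &dwSidSize) != 0)
            return FALSE;
        if (dwSidSize == 0)
            return FALSE;                       // nothing to allocate

        std::vector<BYTE> sid(dwSidSize);       // released on every path below
        if (pfnGetProcessSid(NULL, dwPid, ftStartTime, sid.data(), &dwSidSize) == 0)
            return FALSE;

        // Pass the real capacity of the name buffer. The original passed the
        // SID size here, which could truncate longer names. Whether cbUserName
        // counts characters or bytes is undocumented; 1024 is safe either way.
        WCHAR szUserName[1024] = {};
        ULONG cbUserName = sizeof(szUserName) / sizeof(szUserName[0]);
        pfnGetUserFromSid(sid.data(), szUserName, &cbUserName);
        szUserName[sizeof(szUserName) / sizeof(szUserName[0]) - 1] = L'\0';
        // The original treats a zero size as failure; also reject an empty name.
        if (cbUserName == 0 || szUserName[0] == L'\0')
            return FALSE;

        *pbStrUser = szUserName;
        return TRUE;
    }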
    
    
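    // Demo driver: walk every process in a Toolhelp snapshot and print its pid,
    // image name and owning account as resolved by GetProcessUser.
    // The original sketch (comment: enumerate processes, scan their modules,
    // kill a match) was never finished: it referenced an undeclared `pi` and
    // memcpy'd zeros over a _bstr_t, so it did not compile. Only the
    // enumerate-and-resolve-owner part is implemented here; to target one
    // image (the sketch mentioned services.exe) compare pe.szExeFile in the loop.
    int main()
    {
        HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hSnap == INVALID_HANDLE_VALUE)
        {
            _tprintf(TEXT("CreateToolhelp32Snapshot failed: %lu\n"), GetLastError());
            return 1;
        }

        PROCESSENTRY32 pe;
        pe.dwSize = sizeof(pe);                 // required before Process32First
        int nListed = 0;
        if (Process32First(hSnap, &pe))
        {
            do
            {
                _bstr_t bsUser;
                // The lookup may fail for processes this caller cannot query;
                // report that and carry on rather than aborting the listing.
                const TCHAR* pszUser = GetProcessUser(pe.th32ProcessID, &bsUser)
                    ? (const TCHAR*)bsUser
                    : TEXT("<unknown>");
                _tprintf(TEXT("%6lu  %-28s  %s\n"), pe.th32ProcessID, pe.szExeFile, pszUser);
                ++nListed;
            } while (Process32Next(hSnap, &pe));
        }
        CloseHandle(hSnap);
        return nListed > 0 ? 0 : 1;
    }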
    
    
  • 原文地址:https://www.cnblogs.com/iBinary/p/10816025.html