1,183
社区成员
发帖
与我相关
我的任务
分享Module32first,Module32Next不起作用?
如下代码,为什么只能得到进程名,不能得到模块名?我想得到qq.exe的使用的所有dll的名字
别劝我用EnumProcessModules,我就想知道下面的程序出了什么问题
别劝我用EnumProcessModules,我就想知道下面的程序出了什么问题
program enum;
{$apptype console}
uses
sysutils,
windows,
tlhelp32;
function GetProcessIDByName(const ProcessName: string): DWORD;
var
FSnapshotHandle: THandle;
pe: PROCESSENTRY32;
begin
result := 0;
FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
pe.dwSize := SizeOf(PROCESSENTRY32);
if (Process32First(FSnapshotHandle, pe)) then
begin
while (Process32Next(FSnapshotHandle, pe)) do
begin
if (UpperCase(ExtractFileName(pe.szExeFile)) = UpperCase(ProcessName)) then
begin
Result := pe.th32ProcessID;
end;
end;
end;
CloseHandle(FSnapshotHandle);
end;
var
pid: dword;
hnd: THandle;
hModuleSnap: THandle;
me32: MODULEENTRY32;
begin
pid := GetProcessIDByName('qq.exe');
hnd := openprocess(PROCESS_ALL_ACCESS, FALSE, pid);
hModuleSnap := CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
if hModuleSnap = INVALID_HANDLE_VALUE then
exit;
me32.dwSize := SizeOf(MODULEENTRY32);
if Module32First(hModuleSnap, me32) then
begin
repeat
writeln(format('MODULE NAME: %s', [me32.szModule]));
writeln(format('executable: %s', [me32.szExePath]));
writeln(format('process id: %d', [me32.th32ProcessID]));
writeln(format('ref count(g):%d', [me32.GlblcntUsage]));
writeln(format('ref count(p):%d', [me32.ProccntUsage]));
writeln(format('base address:%d', [DWORD(me32.modBaseAddr)]));
writeln(format('base size: %d', [me32.modBaseSize]));
until Module32Next(hModuleSnap, me32);
end;
CloseHandle(hModuleSnap);
end.
...全文
请发表友善的回复…
发表回复
jues 2010-12-21
- 打赏
- 举报
收藏了
wqjqepr 2010-06-27
- 打赏
- 举报
#include <Windows.h>
#include <tchar.h>
#include <TlHelp32.h>
#include <vector>
#include <map>
PVOID GetModulBaseAddr(DWORD dwProcessID,PVOID pvModuleRemote)
{
PVOID pvBaseAddr = NULL;
IMAGE_DOS_HEADER dosHdr;
IMAGE_NT_HEADERS ntHdr;
Toolhelp32ReadProcessMemory(dwProcessID,pvModuleRemote,&dosHdr,sizeof(dosHdr),NULL);
if(dosHdr.e_magic == IMAGE_DOS_SIGNATURE)
{
Toolhelp32ReadProcessMemory(dwProcessID,(PBYTE)pvModuleRemote+dosHdr.e_lfanew,&ntHdr,sizeof(ntHdr),NULL);
if(ntHdr.Signature == IMAGE_NT_SIGNATURE)
{
pvBaseAddr = (PVOID)ntHdr.OptionalHeader.ImageBase;
}
}
return pvBaseAddr;
}
int main()
{
HANDLE hHandle = CreateToolhelp32Snapshot(TH32CS_SNAPALL,0);
PROCESSENTRY32 pe;
pe.dwSize = sizeof(pe);
BOOL bOk = Process32First(hHandle,&pe);
int ProcessCnt = 0;
while(bOk)
{
ProcessCnt++;
if(pe.th32ProcessID == 0)
{
bOk = Process32Next(hHandle,&pe);
if(!bOk) break;
}
wcout<<"进程名:"<<pe.szExeFile<<endl;
wcout<<"进程ID:"<<pe.th32ProcessID<<endl;
wcout<<"父进程ID:"<<pe.th32ParentProcessID<<endl;
wcout<<"进程优先级:"<<pe.pcPriClassBase<<endl;
wcout<<"子线程个数:"<<pe.cntThreads<<endl;
HANDLE hHandle2 = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,pe.th32ProcessID);
MODULEENTRY32 me;
me.dwSize = sizeof(me);
if(Module32First(hHandle2,&me))
{
// if(me.th32ProcessID == pe.th32ProcessID)
{
wcout<<"模块名:"<<_tcsrchr(me.szExePath,TEXT('\\'))+1;
PVOID pAddr = GetModulBaseAddr(pe.th32ProcessID,me.modBaseAddr);
if(pAddr == me.modBaseAddr)
{
wcout<<" 模块地址:"<<(LPINT)pAddr<<endl;
}
else
{
wcout<<" 模块地址:("<<(LPINT)me.modBaseAddr<<")"<<endl;
}
}
while(Module32Next(hHandle2,&me))
{
// if(me.th32ProcessID == pe.th32ProcessID)
{
wcout<<"模块名:"<<_tcsrchr(me.szExePath,TEXT('\\'))+1;
PVOID pAddr = GetModulBaseAddr(pe.th32ProcessID,me.modBaseAddr);
if(pAddr == me.modBaseAddr)
{
wcout<<" 模块地址:"<<(LPINT)pAddr<<endl;
}
else
{
wcout<<" 模块地址:("<<(LPINT)me.modBaseAddr<<")"<<endl;
}
}
}
}
THREADENTRY32 te;
te.dwSize = sizeof(te);
if(Thread32First(hHandle,&te))
{
if(te.th32OwnerProcessID == pe.th32ProcessID)
wcout<<" 线程ID:"<<te.th32ThreadID;
while(Thread32Next(hHandle,&te))
{
if(te.th32OwnerProcessID == pe.th32ProcessID)
wcout<<" 线程ID:"<<te.th32ThreadID;
}
}
wcout<<endl<<"============================"<<endl;
bOk = Process32Next(hHandle,&pe);
}
wcout<<"共统计进程数"<<ProcessCnt<<endl;
getchar();
return 0;
}
得到所有进程的名字和他使用的模块名以及其它信息。。刚刚调试通过的。。。你赶上了。
httppdf 2009-07-27
- 打赏
- 举报
随便看看,飘过~~~~~
迈克揉索芙特 2009-07-27
- 打赏
- 举报
QQ做了方法措施
zzmoutmans 2009-07-27
- 打赏
- 举报
回帖是一种美德!
qq451059235 2009-07-26
- 打赏
- 举报
看看
lgl8191909 2009-07-26
- 打赏
- 举报
我不是来劝的,只是进来顶顶顶死!
zanpen2000 2009-07-25
- 打赏
- 举报
提权了,杀软,360全关了,还是不行
gyk120 2009-07-25
- 打赏
- 举报
操作其他的程序需要提权到Debug权限
uses tlhelp32;
procedure SetPrivilege;
var
OldTokenPrivileges, TokenPrivileges: TTokenPrivileges;
ReturnLength: dword;
hToken: THandle;
Luid: int64;
begin
OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES, hToken);
LookupPrivilegeValue(nil, 'SeDebugPrivilege', Luid);
TokenPrivileges.Privileges[0].luid := Luid;
TokenPrivileges.PrivilegeCount := 1;
TokenPrivileges.Privileges[0].Attributes := 0;
AdjustTokenPrivileges(hToken, False, TokenPrivileges, SizeOf(TTokenPrivileges), OldTokenPrivileges, ReturnLength);
OldTokenPrivileges.Privileges[0].luid := Luid;
OldTokenPrivileges.PrivilegeCount := 1;
OldTokenPrivileges.Privileges[0].Attributes := TokenPrivileges.Privileges[0].Attributes or SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, False, OldTokenPrivileges, ReturnLength, PTokenPrivileges(nil)^, ReturnLength);
end;
另外有些杀毒软件也可能禁止这方面的操作
uses tlhelp32;
procedure SetPrivilege;
var
OldTokenPrivileges, TokenPrivileges: TTokenPrivileges;
ReturnLength: dword;
hToken: THandle;
Luid: int64;
begin
OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES, hToken);
LookupPrivilegeValue(nil, 'SeDebugPrivilege', Luid);
TokenPrivileges.Privileges[0].luid := Luid;
TokenPrivileges.PrivilegeCount := 1;
TokenPrivileges.Privileges[0].Attributes := 0;
AdjustTokenPrivileges(hToken, False, TokenPrivileges, SizeOf(TTokenPrivileges), OldTokenPrivileges, ReturnLength);
OldTokenPrivileges.Privileges[0].luid := Luid;
OldTokenPrivileges.PrivilegeCount := 1;
OldTokenPrivileges.Privileges[0].Attributes := TokenPrivileges.Privileges[0].Attributes or SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, False, OldTokenPrivileges, ReturnLength, PTokenPrivileges(nil)^, ReturnLength);
end;
另外有些杀毒软件也可能禁止这方面的操作
kampan 2009-07-25
- 打赏
- 举报
我不是来劝的,只是进来顶顶!
zanpen2000 2009-07-25
- 打赏
- 举报
另外再补充一下:此项操作不需要提权,也与杀软无关。
zanpen2000 2009-07-25
- 打赏
- 举报
我要哭了,我找到错误了
将代码中的
until Module32Next(hModuleSnap,me32);
改成
until not Module32Next(hModuleSnap,me32);
问题解决!
将代码中的
until Module32Next(hModuleSnap,me32);
改成
until not Module32Next(hModuleSnap,me32);
问题解决!
gyk120 2009-07-25
- 打赏
- 举报
对了,调试的时候下断点,没有错误吗?还有,把QQ换成其他的进程会不会出现问题?
fldx 2009-07-25
- 打赏
- 举报
qq好像有保护的吧,用spy++看,屁也看不到。。。。
zanpen2000 2009-07-25
- 打赏
- 举报
to gyk120:试了你的写法,还是不行。并且,你的写法无法编译过去,我用的是d7
baiyun126 2009-07-25
- 打赏
- 举报
转转
wuweixd 2009-07-25
- 打赏
- 举报
进来玩玩我也不知道
nettman 2009-07-25
- 打赏
- 举报
Mark!
gyk120 2009-07-25
- 打赏
- 举报
hModuleSnap:=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,peID);
if(hModuleSnap<>INVALID_HANDLE_VALUE) then
begin
ZeroMemory(@me32,sizeof( MODULEENTRY32));
me32.dwSize:=sizeof( MODULEENTRY32);
if(Tlhelp32.TModule32First(hModuleSnap,me32)=1) then
begin
repeat
TempString:=me32.szExePath;
if(Pos('.exe',TempString)>0) then
begin
lstrcpy(PAnsiChar(FilePath),me32.szExePath);
break;
end
until (Module32Next(hModuleSnap,me32)=0)
end
end
把模块快照换成上面的写法能否成功?
if(hModuleSnap<>INVALID_HANDLE_VALUE) then
begin
ZeroMemory(@me32,sizeof( MODULEENTRY32));
me32.dwSize:=sizeof( MODULEENTRY32);
if(Tlhelp32.TModule32First(hModuleSnap,me32)=1) then
begin
repeat
TempString:=me32.szExePath;
if(Pos('.exe',TempString)>0) then
begin
lstrcpy(PAnsiChar(FilePath),me32.szExePath);
break;
end
until (Module32Next(hModuleSnap,me32)=0)
end
end
把模块快照换成上面的写法能否成功?
