我想做一个全局钩子,但是只知道目的程序的可执行文件名,路径都不知道,有没有办法?

nightfallrove 2003-05-13 09:40:14
假如我要HOOK一个程序,但是不知道对方的进程号,也不知道对方是否已经运行
只知道其可执行文件名,该怎么办?
如何才能在它启动后即得到其进程号并HOOK它?
哪位有实例呢?
谢谢谢谢..............
HUANG_JH 2003-05-14

private:
//----------------列举 Process 函数-------------------------------
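HANDLE THListProcess( MinData *cListProcess )
{
    // Appends the base name of every running process, each followed by
    // "\r\n", to cListProcess->szData via the ToolHelp snapshot API
    // (FCreateToolhelp32Snapshot / FProcess32First / FProcess32Next).
    //
    // cListProcess: output record; szData and nSize are advanced in place.
    // Returns NULL on every path (hResult is never assigned); callers must
    // judge the result by cListProcess->nSize, not by the return value.
    if (cListProcess == NULL)
        return NULL;

    static const char pReturn[] = "\r\n";
    const size_t cbReturn = sizeof(pReturn) - 1;
    // Keep one byte free so szData stays a NUL-terminated C string (the
    // MinData constructor zero-fills it; nothing else terminates it).
    const size_t cbCapacity = sizeof(cListProcess->szData) - 1;

    HANDLE hResult = NULL;
    PROCESSENTRY32 processInfo;
    ::ZeroMemory(&processInfo, sizeof(PROCESSENTRY32));
    processInfo.dwSize = sizeof(PROCESSENTRY32);

    HANDLE hSnapShot = FCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapShot == INVALID_HANDLE_VALUE)
        return NULL;

    // Walk every process in the snapshot.
    bool bFirst = true;
    while (bFirst ? FProcess32First(hSnapShot, &processInfo)
                  : FProcess32Next(hSnapShot, &processInfo))
    {
        bFirst = false;

        // szExeFile may carry a directory prefix; keep only the base name.
        const char* pstrExeName = strrchr(processInfo.szExeFile, '\\');
        pstrExeName = pstrExeName ? pstrExeName + 1 : processInfo.szExeFile;

        // Bound the append on the real entry size: a fixed "< 4000" test
        // lets a MAX_PATH name plus "\r\n" run past the 4096-byte buffer.
        const size_t cbName = strlen(pstrExeName);
        if (cListProcess->nSize < 0 ||
            static_cast<size_t>(cListProcess->nSize) + cbName + cbReturn > cbCapacity)
            continue;

        char* pOut = cListProcess->szData + cListProcess->nSize;
        memcpy(pOut, pstrExeName, cbName);
        memcpy(pOut + cbName, pReturn, cbReturn);
        cListProcess->nSize += static_cast<int>(cbName + cbReturn);
    }

    CloseHandle(hSnapShot);
    return hResult;
}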


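HANDLE NTListProcess( MinData *cListProcess )
{
    // Same contract as THListProcess, but built on the undocumented
    // ZwQuerySystemInformation(SystemProcessesAndThreadsInformation) call
    // for systems without ToolHelp. Appends "<name>\r\n" per process to
    // cListProcess->szData and advances nSize.
    //
    // Returns NULL on every path (hResult is never assigned); callers must
    // judge the result by cListProcess->nSize.
    if (cListProcess == NULL)
        return NULL;

    static const char pReturn[] = "\r\n";
    const size_t cbReturn = sizeof(pReturn) - 1;
    const size_t cbCapacity = sizeof(cListProcess->szData) - 1;  // keep the NUL

    HANDLE hHeap = FGetProcessHeap();
    HANDLE hResult = NULL;
    NTSTATUS Status;
    ULONG cbBuffer = 0x8000;
    PVOID pBuffer = NULL;

    // The required size is only learned by asking; grow until it fits.
    // HeapAlloc/HeapFree are linked directly here although the dispatcher
    // tests the GetProcAddress'd FHeapAlloc/FHeapFree for availability.
    do
    {
        pBuffer = HeapAlloc(hHeap, 0, cbBuffer);
        if (pBuffer == NULL)
            return NULL;

        Status = FQuerySysInfo(SystemProcessesAndThreadsInformation,
                               pBuffer, cbBuffer, NULL);

        if (Status == STATUS_INFO_LENGTH_MISMATCH)
        {
            HeapFree(hHeap, 0, pBuffer);
            cbBuffer *= 2;
        }
        else if (!NT_SUCCESS(Status))
        {
            HeapFree(hHeap, 0, pBuffer);
            return NULL;
        }
    }
    while (Status == STATUS_INFO_LENGTH_MISMATCH);

    const LPBYTE pEnd = static_cast<LPBYTE>(pBuffer) + cbBuffer;
    PSYSTEM_PROCESSES pProcesses = static_cast<PSYSTEM_PROCESSES>(pBuffer);

    for (;;)
    {
        // ProcessName is a UNICODE_STRING: Length is a byte count and the
        // buffer is not guaranteed NUL-terminated, so never pass -1 here.
        PCWSTR pszProcessName = pProcesses->ProcessName.Buffer;
        int cchName = static_cast<int>(pProcesses->ProcessName.Length / sizeof(WCHAR));
        if (pszProcessName == NULL)     // the Idle process carries no name
        {
            pszProcessName = L"Idle";
            cchName = 4;
        }

        CHAR szProcessName[MAX_PATH];
        int cbName = 0;
        if (cchName > 0)
            cbName = WideCharToMultiByte(CP_ACP, 0, pszProcessName, cchName,
                                         szProcessName,
                                         static_cast<int>(sizeof(szProcessName)) - 1,
                                         NULL, NULL);
        // cbName is 0 when conversion fails (e.g. a name longer than the
        // buffer); the entry is then listed as an empty line.
        szProcessName[cbName] = '\0';

        const size_t cbEntry = static_cast<size_t>(cbName);
        if (cListProcess->nSize >= 0 &&
            static_cast<size_t>(cListProcess->nSize) + cbEntry + cbReturn <= cbCapacity)
        {
            char* pOut = cListProcess->szData + cListProcess->nSize;
            memcpy(pOut, szProcessName, cbEntry);
            memcpy(pOut + cbEntry, pReturn, cbReturn);
            cListProcess->nSize += static_cast<int>(cbEntry + cbReturn);
        }

        // NextEntryDelta == 0 marks the last entry; also refuse to follow a
        // delta that would step outside the buffer we own.
        const ULONG delta = pProcesses->NextEntryDelta;
        if (delta == 0)
            break;
        LPBYTE pNext = reinterpret_cast<LPBYTE>(pProcesses) + delta;
        if (pNext > pEnd ||
            static_cast<size_t>(pEnd - pNext) < offsetof(SYSTEM_PROCESSES, Threads))
            break;
        pProcesses = reinterpret_cast<PSYSTEM_PROCESSES>(pNext);
    }

    HeapFree(hHeap, 0, pBuffer);
    return hResult;
}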

//----------------查找Process 函数-------------------------------
HANDLE FindProcess(IN const char* pstrProcessName, OUT DWORD& dwId)
{
    // Dispatches to whichever enumeration backend the constructor managed
    // to resolve: ToolHelp first, the native NT query second. Returns the
    // backend's process handle (dwId receives the PID), or NULL when
    // Kernel32 is not loaded or neither backend is usable.
    if (m_hKernelLib == NULL)
        return NULL;

    const bool bHaveToolHelp = FCreateToolhelp32Snapshot != NULL
                            && FProcess32First != NULL
                            && FProcess32Next != NULL;
    if (bHaveToolHelp)
        return THFindProcess(pstrProcessName, dwId);

    // Only evaluated when ToolHelp is missing; these four pointers must
    // have been set (or cleared) by the constructor before this point.
    const bool bHaveNtApi = FQuerySysInfo != NULL && FHeapAlloc != NULL
                         && FGetProcessHeap != NULL && FHeapFree != NULL;
    return bHaveNtApi ? NTFindProcess(pstrProcessName, dwId) : NULL;
}

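HANDLE THFindProcess(IN const char* pstrProcessName,OUT DWORD& dwId)
{
    // ToolHelp backend of FindProcess. Walks the process snapshot and
    // returns a handle, opened with SYNCHRONIZE | PROCESS_TERMINATE only
    // (the least KillProcess needs), to the first process whose executable
    // base name equals pstrProcessName (case-insensitive); dwId receives
    // its PID. Returns NULL if the snapshot fails, nothing matches, or
    // OpenProcess is refused (dwId is still set in that last case).
    if (pstrProcessName == NULL)
        return NULL;

    PROCESSENTRY32 processInfo;
    ::ZeroMemory(&processInfo, sizeof(PROCESSENTRY32));
    processInfo.dwSize = sizeof(PROCESSENTRY32);

    HANDLE hSnapShot = FCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapShot == INVALID_HANDLE_VALUE)
        return NULL;

    HANDLE hResult = NULL;
    bool bFirst = true;
    while (bFirst ? FProcess32First(hSnapShot, &processInfo)
                  : FProcess32Next(hSnapShot, &processInfo))
    {
        bFirst = false;

        // szExeFile may carry a directory prefix; compare base names only.
        const char* pstrExeName = strrchr(processInfo.szExeFile, '\\');
        pstrExeName = pstrExeName ? pstrExeName + 1 : processInfo.szExeFile;

        if (stricmp(pstrExeName, pstrProcessName) != 0)
            continue;

        // Match. Not inheritable: a terminate-capable handle must not leak
        // into any child process this program later spawns.
        hResult = OpenProcess(SYNCHRONIZE | PROCESS_TERMINATE, FALSE,
                              processInfo.th32ProcessID);
        dwId = processInfo.th32ProcessID;
        break;
    }

    CloseHandle(hSnapShot);
    return hResult;
}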

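HANDLE NTFindProcess(IN const char* pstrProcessName,OUT DWORD& dwId)
{
    // Native-API backend of FindProcess for systems without ToolHelp.
    // Queries SystemProcessesAndThreadsInformation, converts each entry's
    // ProcessName to ANSI and returns a SYNCHRONIZE | PROCESS_TERMINATE
    // handle to the first case-insensitive match; dwId receives its PID.
    // Returns NULL on allocation/query failure, no match, or a refused
    // OpenProcess (dwId is still set in that last case).
    if (pstrProcessName == NULL)
        return NULL;

    HANDLE hHeap = FGetProcessHeap();
    HANDLE hResult = NULL;
    NTSTATUS Status;
    ULONG cbBuffer = 0x8000;
    PVOID pBuffer = NULL;

    // The required size is only learned by asking; grow until it fits.
    do
    {
        pBuffer = HeapAlloc(hHeap, 0, cbBuffer);
        if (pBuffer == NULL)
            return NULL;

        Status = FQuerySysInfo(SystemProcessesAndThreadsInformation,
                               pBuffer, cbBuffer, NULL);

        if (Status == STATUS_INFO_LENGTH_MISMATCH)
        {
            HeapFree(hHeap, 0, pBuffer);
            cbBuffer *= 2;
        }
        else if (!NT_SUCCESS(Status))
        {
            HeapFree(hHeap, 0, pBuffer);
            return NULL;
        }
    }
    while (Status == STATUS_INFO_LENGTH_MISMATCH);

    const LPBYTE pEnd = static_cast<LPBYTE>(pBuffer) + cbBuffer;
    PSYSTEM_PROCESSES pProcesses = static_cast<PSYSTEM_PROCESSES>(pBuffer);

    for (;;)
    {
        // ProcessName is a UNICODE_STRING: Length is a byte count and the
        // buffer is not guaranteed NUL-terminated, so never pass -1 here.
        PCWSTR pszProcessName = pProcesses->ProcessName.Buffer;
        int cchName = static_cast<int>(pProcesses->ProcessName.Length / sizeof(WCHAR));
        if (pszProcessName == NULL)     // the Idle process carries no name
        {
            pszProcessName = L"Idle";
            cchName = 4;
        }

        CHAR szProcessName[MAX_PATH];
        int cbName = 0;
        if (cchName > 0)
            cbName = WideCharToMultiByte(CP_ACP, 0, pszProcessName, cchName,
                                         szProcessName,
                                         static_cast<int>(sizeof(szProcessName)) - 1,
                                         NULL, NULL);
        // cbName is 0 when conversion fails (e.g. a name longer than the
        // buffer), leaving an empty string that matches no non-empty name.
        szProcessName[cbName] = '\0';

        if (stricmp(szProcessName, pstrProcessName) == 0)
        {
            // Minimum rights KillProcess needs; not inheritable so the
            // terminate-capable handle cannot leak into child processes.
            hResult = OpenProcess(SYNCHRONIZE | PROCESS_TERMINATE, FALSE,
                                  pProcesses->ProcessId);
            dwId = pProcesses->ProcessId;
            break;
        }

        // NextEntryDelta == 0 marks the last entry; also refuse to follow a
        // delta that would step outside the buffer we own.
        const ULONG delta = pProcesses->NextEntryDelta;
        if (delta == 0)
            break;
        LPBYTE pNext = reinterpret_cast<LPBYTE>(pProcesses) + delta;
        if (pNext > pEnd ||
            static_cast<size_t>(pEnd - pNext) < offsetof(SYSTEM_PROCESSES, Threads))
            break;
        pProcesses = reinterpret_cast<PSYSTEM_PROCESSES>(pNext);
    }

    HeapFree(hHeap, 0, pBuffer);
    return hResult;
}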

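// EnumWindows callback used by KillProcess: posts WM_CLOSE to every
// top-level window owned by the process whose PID is passed in lParam.
// Always returns TRUE so the enumeration continues and every window of
// that process is asked to close.
static BOOL CALLBACK TerminateAppEnum( HWND hwnd, LPARAM lParam )
{
    // GetWindowThreadProcessId leaves the out-parameter untouched when it
    // fails (returns 0), so initialize rather than compare garbage.
    DWORD dwID = 0;
    if (GetWindowThreadProcessId(hwnd, &dwID) == 0)
        return TRUE;

    if (dwID == static_cast<DWORD>(lParam))
        PostMessage(hwnd, WM_CLOSE, 0, 0);

    return TRUE;
}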

HMODULE m_hNTLib;      // ntdll.dll; loaded only when ToolHelp is missing, freed in the destructor
HMODULE m_hKernelLib;  // Kernel32; loaded in the constructor, NULL means no backend is usable
// ToolHelp related functions (resolved from Kernel32 via GetProcAddress;
// FindProcess/ListProcess use this backend when all three are non-NULL)
PFCreateToolhelp32Snapshot FCreateToolhelp32Snapshot;
PFProcess32First FProcess32First;
PFProcess32Next FProcess32Next;
// native NT api functions (fallback backend; FindProcess/ListProcess test
// all four for non-NULL, so each must be set or cleared by the constructor)
PFZwQuerySystemInformation FQuerySysInfo;  // ZwQuerySystemInformation from ntdll.dll
PFGetProcessHeap FGetProcessHeap;          // the next three come from Kernel32
PFHeapAlloc FHeapAlloc;
PFHeapFree FHeapFree;
};
HUANG_JH 2003-05-14
参考

/*
kill进程的类
作者:HUANG_JH
修改日期 :2003/3/20

说明:
kill掉指定文件名的进程
98, ME, NT4,2k, and XP均可使用

使用:
KillProcess 函数
输入某个进程的名称如 KillProcess("QQ2000b.exe"); 即可

ListProcess 函数
列出系统中所有进程的名称,所有名称以xxx.exe \r\n xxx.exe \r\n 字符串形式
存放在 MinData.szData



定义
#include "KillProcess.hpp"
CKillProcessHelper *pKillProcess;

pKillProcess = new CKillProcessHelper;

1.
pKillProcess->KillProcess("QQ2000b.exe");

2.
MinData cListProcess;
pKillProcess->ListProcess ( &cListProcess );
Memo1->Lines->Add(cListProcess.szData );

delete pKillProcess ;
pKillProcess = NULL;


*/

#include <tlhelp32.h>
//
// Some definitions from NTDDK and other sources
//

typedef LONG NTSTATUS;   // NT status code; NT_SUCCESS below treats any non-negative value as success
typedef LONG KPRIORITY;  // kernel priority value used in SYSTEM_THREADS / SYSTEM_PROCESSES

#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

// Returned by ZwQuerySystemInformation when the caller's buffer is too
// small; NTListProcess/NTFindProcess double the buffer and retry on it.
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

// SystemInformationClass for the per-process/thread table that
// NTListProcess/NTFindProcess walk (undocumented; taken from NTDDK-derived sources).
#define SystemProcessesAndThreadsInformation 5

// Mirror of the NT CLIENT_ID (process id, thread id). Layout is ABI:
// these structs overlay a kernel-written buffer, so fields must not be
// reordered or resized.
typedef struct _CLIENT_ID {
DWORD UniqueProcess;
DWORD UniqueThread;
} CLIENT_ID;

// Mirror of the NT UNICODE_STRING. NOTE(review): in the documented NT
// definition Length/MaximumLength are byte counts and Buffer is not
// guaranteed to be NUL-terminated; code converting ProcessName should
// pass Length / sizeof(WCHAR) rather than assuming a terminator.
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING;

// Mirror of the NT VM_COUNTERS. No field is read by this file; it is
// present only so the later SYSTEM_PROCESSES members land at the right
// offsets (layout is ABI, do not reorder).
typedef struct _VM_COUNTERS {
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
} VM_COUNTERS;

// Mirror of the NT per-thread record; only used as the element type of
// SYSTEM_PROCESSES::Threads. No field is read by this file (layout is
// ABI, do not reorder).
typedef struct _SYSTEM_THREADS {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
LONG State;
LONG WaitReason;
} SYSTEM_THREADS, * PSYSTEM_THREADS;

// Note that the size of the SYSTEM_PROCESSES structure is
// different on NT 4 and Win2K, but we don't care about it,
// since we access neither the IoCounters member nor the
// Threads array

// Mirror of one entry of the SystemProcessesAndThreadsInformation table.
// NTListProcess/NTFindProcess cast the query buffer to this type and read
// only NextEntryDelta, ProcessName and ProcessId; everything else exists
// to keep those three at the kernel's offsets (layout is ABI, do not reorder).
typedef struct _SYSTEM_PROCESSES {
ULONG NextEntryDelta;        // byte offset to the next entry; 0 on the last one
ULONG ThreadCount;
ULONG Reserved1[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;  // Buffer is NULL for the Idle process (see the NT backends)
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
#if _WIN32_WINNT >= 0x500
IO_COUNTERS IoCounters;      // Win2K+ only; never accessed here
#endif
SYSTEM_THREADS Threads[1];   // variable-length in the real buffer; never accessed here
} SYSTEM_PROCESSES, * PSYSTEM_PROCESSES;


// Output record for ListProcess: process names separated by "\r\n" are
// appended into szData and nSize tracks how many bytes are in use.
typedef struct _tagMinData
{
    char szData[ 4096 ]; // packet buffer (zero-filled, so it is always a valid C string)
    int nSize ;          // packet length: bytes of szData currently used
    // Start with an empty, all-zero buffer.
    _tagMinData() : nSize(0)
    {
        memset(szData, 0, sizeof(szData));
    }
} MinData, *LPMinData;


class CKillProcessHelper
{
private:
//Functions loaded from Kernel32 (resolved at run time with GetProcAddress
// because ToolHelp is absent on NT4; see the constructor)
typedef HANDLE (WINAPI *PFCreateToolhelp32Snapshot)(
DWORD dwFlags,
DWORD th32ProcessID
);

typedef BOOL (WINAPI *PFProcess32First)(
HANDLE hSnapshot,
LPPROCESSENTRY32 lppe
);

typedef BOOL (WINAPI *PFProcess32Next)(
HANDLE hSnapshot,
LPPROCESSENTRY32 lppe
);

// Native NT API Definitions (fallback backend used by NTFindProcess/NTListProcess)
// ZwQuerySystemInformation(SystemInformationClass, Buffer, Length, ReturnLength)
typedef NTSTATUS (WINAPI * PFZwQuerySystemInformation)(UINT, PVOID, ULONG, PULONG);
// Heap helpers; resolved from Kernel32 alongside the ntdll entry point
typedef HANDLE (WINAPI* PFGetProcessHeap)(VOID);
typedef LPVOID (WINAPI* PFHeapAlloc)(HANDLE,DWORD,SIZE_T);
typedef BOOL (WINAPI* PFHeapFree)(HANDLE,DWORD,LPVOID);

public:
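// Resolves the process-enumeration entry points at run time so one binary
// works on 98/ME/2k/XP (ToolHelp in Kernel32) and on NT4 (ZwQuerySystemInformation
// in ntdll.dll). Every pointer starts as NULL so the availability tests in
// FindProcess/ListProcess never read an unset member, whichever branch runs.
CKillProcessHelper()
    : m_hNTLib(NULL),
      m_hKernelLib(NULL),
      FCreateToolhelp32Snapshot(NULL),
      FProcess32First(NULL),
      FProcess32Next(NULL),
      FQuerySysInfo(NULL),
      FGetProcessHeap(NULL),
      FHeapAlloc(NULL),
      FHeapFree(NULL)
{
    // Kernel32 is already mapped into every Win32 process, so this name-only
    // LoadLibrary resolves to the loaded module rather than searching a path.
    m_hKernelLib = ::LoadLibraryA("Kernel32");
    if (m_hKernelLib == NULL)
        return;

    // ToolHelp functions (absent on NT4).
    FCreateToolhelp32Snapshot = (PFCreateToolhelp32Snapshot)
        ::GetProcAddress(m_hKernelLib, "CreateToolhelp32Snapshot");
    FProcess32First = (PFProcess32First)
        ::GetProcAddress(m_hKernelLib, "Process32First");
    FProcess32Next = (PFProcess32Next)
        ::GetProcAddress(m_hKernelLib, "Process32Next");

    if (FCreateToolhelp32Snapshot && FProcess32First && FProcess32Next)
        return;

    // No ToolHelp: assume NT4 and fall back to the native API in ntdll.dll
    // (also already mapped into the process).
    m_hNTLib = ::LoadLibraryA("ntdll.dll");
    if (m_hNTLib == NULL)
        return;

    FQuerySysInfo = (PFZwQuerySystemInformation)
        ::GetProcAddress(m_hNTLib, "ZwQuerySystemInformation");
    // The heap helpers the NT backend uses come from Kernel32.
    FGetProcessHeap = (PFGetProcessHeap)
        ::GetProcAddress(m_hKernelLib, "GetProcessHeap");
    FHeapAlloc = (PFHeapAlloc)
        ::GetProcAddress(m_hKernelLib, "HeapAlloc");
    FHeapFree = (PFHeapFree)
        ::GetProcAddress(m_hKernelLib, "HeapFree");
}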

// Releases the module references taken by the constructor, in reverse
// order of acquisition; NULL handles are skipped. NOTE(review): the class
// declares no copy constructor or assignment operator, so copying an
// instance would FreeLibrary each handle once per copy.
~CKillProcessHelper()
{
    if (m_hNTLib != NULL)
        FreeLibrary(m_hNTLib);
    if (m_hKernelLib != NULL)
        FreeLibrary(m_hKernelLib);
}

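// Ends the first process named pstrProcessName: asks it to close first
// (WM_CLOSE to each of its top-level windows), waits up to 5 seconds, then
// forces it with TerminateProcess. Returns true when the process ended or
// TerminateProcess succeeded; false when no such process was found or it
// could not be opened with the required rights.
bool KillProcess(IN const char* pstrProcessName)
{
    DWORD dwId = 0;
    HANDLE hProcess = FindProcess(pstrProcessName, dwId);
    if (hProcess == NULL)
        return false;

    // Polite attempt: TerminateAppEnum posts WM_CLOSE to every window whose
    // owning PID equals dwId. Only hProcess pins the target; if it exited
    // between FindProcess and here, a new process reusing the PID would
    // merely receive a close request.
    ::EnumWindows(CKillProcessHelper::TerminateAppEnum, static_cast<LPARAM>(dwId));

    // Give it 5 s to shut down; on timeout (or wait failure) force it.
    BOOL bResult = FALSE;
    if (WaitForSingleObject(hProcess, 5000) == WAIT_OBJECT_0)
        bResult = TRUE;
    else
        bResult = TerminateProcess(hProcess, 0);

    CloseHandle(hProcess);
    // BOOL means "nonzero = success"; comparing against TRUE (1) would
    // misreport a successful TerminateProcess returning another nonzero value.
    return bResult != FALSE;
}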

// Fills cListProcess->szData with one "<exe name>\r\n" line per running
// process, using the ToolHelp backend when it was resolved and the native
// NT backend otherwise. Returns whatever the backend returns (both return
// NULL in every path) or NULL when Kernel32 is not loaded / no backend is
// usable; the useful output is cListProcess->szData and nSize.
HANDLE ListProcess( MinData *cListProcess )
{
    if (m_hKernelLib == NULL)
        return NULL;

    const bool bHaveToolHelp = FCreateToolhelp32Snapshot != NULL
                            && FProcess32First != NULL
                            && FProcess32Next != NULL;
    if (bHaveToolHelp)
        return THListProcess(cListProcess);

    // Only evaluated when ToolHelp is missing; these four pointers must
    // have been set (or cleared) by the constructor before this point.
    const bool bHaveNtApi = FQuerySysInfo != NULL && FHeapAlloc != NULL
                         && FGetProcessHeap != NULL && FHeapFree != NULL;
    return bHaveNtApi ? NTListProcess(cListProcess) : NULL;
}
nightfallrove 2003-05-14
呵呵,你除了想当版主还想当什么??
我全力支持....
谢了,,