|
[cpp]
#pragma once
#define _WIN32_WINNT 0x0500
#include"windows.h"
#include"tlhelp32.h"
#include"stdio.h"
#include"NativeApi.h"
#include"wchar.h"
#include"psapi.h"//SDK6.0
#pragma comment(lib,"psapi.lib")////SDK6.0,不知道为什么
vc6好像没有自带这个头文件??
int GetUserPath(WCHAR* szModPath);
BOOL GetProcessModule(DWORD dwPID)
{
BOOL bRet = FALSE;
BOOL bFound = FALSE;
HANDLE hModuleSnap = NULL;
MODULEENTRY32 me32 ={0};
hModuleSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,dwPID);//创建进程快照
if(hModuleSnap == INVALID_HANDLE_VALUE)
{
printf("获取模块失败!\n");
return FALSE;
}
me32.dwSize = sizeof(MODULEENTRY32);
if(::Module32First(hModuleSnap,&me32))//获得第一个模块
{
do{
printf("方法1列模块名:%s\n",me32.szExePath);
}while(::Module32Next(hModuleSnap,&me32));
}//递归枚举模块
CloseHandle(hModuleSnap);
return bFound;
}
bool ForceLookUpModule(DWORD dwPID)
{
typedef DWORD( WINAPI *FunLookModule)(
HANDLE ProcessHandle,
DWORD BaseAddress,
DWORD MemoryInformationClass,
DWORD MemoryInformation,
DWORD MemoryInformationLength,
DWORD ReturnLength );
HMODULE hModule = GetModuleHandle ("ntdll.dll" ) ;
if(hModule==NULL)
{
return FALSE;
}
FunLookModule ZwQueryVirtualMemory=(FunLookModule)GetProcAddress(hModule,"ZwQueryVirtualMemory");
if(ZwQueryVirtualMemory==NULL)
{
return FALSE;
}
HANDLE hProcess=OpenProcess(PROCESS_QUERY_INFORMATION,1,dwPID);
if(hProcess==NULL)
return FALSE;
PMEMORY_SECTION_NAME Out_Data=(PMEMORY_SECTION_NAME) malloc(0x200u);
DWORD retLength;
WCHAR Path[256]={0};
wchar_t wstr[256]={0};
for(unsigned int i=0;i<0x7fffffff;i=i+0x10000)
{
if( ZwQueryVirtualMemory(hProcess,(DWORD)i,2,(DWORD)Out_Data,512,(DWORD)&retLength)>0)
{
if(!IsBadReadPtr((BYTE*)Out_Data->SectionFileName.Buffer,1))
{
if(((BYTE*)Out_Data->SectionFileName.Buffer)[0]==0x5c)
{
if(wcscmp(wstr, Out_Data->SectionFileName.Buffer))
{
_wsetlocale(0,L"chs");
GetUserPath(Out_Data->SectionFileName.Buffer);
wprintf(L"方法2列模块%s\n",Out_Data->SectionFileName.Buffer);
}
wcscpy(wstr, Out_Data->SectionFileName.Buffer);
}
}
}
}
CloseHandle(hProcess);
return TRUE;
}
int GetUserPath(WCHAR* szModPath)
{ //\Device\HarddiskVolume1,
WCHAR Path[256]={0};
WCHAR* Temp3=new WCHAR[3];
Temp3[2]='\0';
Temp3[1]=':';
THead* phead=new THead;
phead->Next=NULL;
phead->Num=szModPath[22];
for(int i='C';i<='Z';i++)
{Temp3[0]=i;
if(QueryDosDeviceW(Temp3,Path,30))
if(phead->Num==Path[22])
{
|