关于WIN 2000下的进程枚举

/ns/wz/comp/data/20030710051335.htm

遍历进程在每个系统中实现的方法是不一样的，在 win 98 中，系统提供 TOOLHELP32 API 接口，在 win NT 中，系统提供 PSAPI 函数，而 win 2000 既支持 TOOLHELP 又支持 PSAPI，NT 系统还提供了 NATIVE API (NtQuerySystemInformation)，这个函数功能十分强大，几乎可以查询所有的系统信息，调用此函数必须有SE_TCB_NAME特权。下面给出函数原型：

NTSTATUS
WINAPI
NtQuerySystemInformation(
int SystemInfoClass
PVOID SystemInfoBuffer,
ULONG SystemInfoBufferSize,
PULONG BytesReturned
);
当 SystemInfoClass 等于5时便可获取进程信息了。

关于 NT 系统下的特权(Privilege)及其描述见下表：

Privilege Constant Description
SE_ASSIGNPRIMARYTOKEN_NAME Required to assign the primary token of a process.
SE_AUDIT_NAME Required to generate audit-log entries. Give this privilege to secure servers.
SE_BACKUP_NAME Required to perform backup operations.
SE_CHANGE_NOTIFY_NAME Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. It is enabled by default for all users.
SE_CREATE_PAGEFILE_NAME Required to create a paging file.
SE_CREATE_PERMANENT_NAME Required to create a permanent object.
SE_CREATE_TOKEN_NAME Required to create a primary token.
SE_DEBUG_NAME Required to debug a process.
SE_INC_BASE_PRIORITY_NAME Required to increase the base priority of a process.
SE_INCREASE_QUOTA_NAME Required to increase the quota assigned to a process.
SE_LOAD_DRIVER_NAME Required to load or unload a device driver.
SE_LOCK_MEMORY_NAME Required to lock physical pages in memory.
SE_PROF_SINGLE_PROCESS_NAME Required to gather profiling information for a single process.
SE_REMOTE_SHUTDOWN_NAME Required to shut down a system using a network request.
SE_RESTORE_NAME Required to perform restore operations. This privilege enables you to set any valid user or group SID as the owner of an object.
SE_SECURITY_NAME Required to perform a number of security-related functions, such as controlling and viewing audit messages. This privilege identifies its holder as a security operator.
SE_SHUTDOWN_NAME Required to shut down a local system.
SE_SYSTEM_ENVIRONMENT_NAME Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SE_SYSTEM_PROFILE_NAME Required to gather profiling information for the entire system.
SE_SYSTEMTIME_NAME Required to modify the system time.
SE_TAKE_OWNERSHIP_NAME Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
SE_TCB_NAME This privilege identifies its holder as part of the trusted computer base. Some trusted protected subsystems are granted this privilege. This privilege is required to call the LogonUser function.
SE_UNSOLICITED_INPUT_NAME Required to read unsolicited input from a terminal device.
SE_MACHINE_ACCOUNT_NAME Required to create a machine account.

关于定义可见下表，或察看 WINNT.H：

SE_CREATE_TOKEN_NAME SeCreateTokenPrivilege
SE_ASSIGNPRIMARYTOKEN_NAME SeAssignPrimaryTokenPrivilege
SE_LOCK_MEMORY_NAME SeLockMemoryPrivilege
SE_INCREASE_QUOTA_NAME SeIncreaseQuotaPrivilege
SE_UNSOLICITED_INPUT_NAME SeUnsolicitedInputPrivilege
SE_MACHINE_ACCOUNT_NAME SeMachineAccountPrivilege
SE_TCB_NAME SeTcbPrivilege
SE_SECURITY_NAME SeSecurityPrivilege
SE_TAKE_OWNERSHIP_NAME SeTakeOwnershipPrivilege
SE_LOAD_DRIVER_NAME SeLoadDriverPrivilege
SE_SYSTEM_PROFILE_NAME SeSystemProfilePrivilege
SE_SYSTEMTIME_NAME SeSystemtimePrivilege
SE_PROF_SINGLE_PROCESS_NAME SeProfileSingleProcessPrivilege
SE_INC_BASE_PRIORITY_NAME SeIncreaseBasePriorityPrivilege
SE_CREATE_PAGEFILE_NAME SeCreatePagefilePrivilege
SE_CREATE_PERMANENT_NAME SeCreatePermanentPrivilege
SE_BACKUP_NAME SeBackupPrivilege
SE_RESTORE_NAME SeRestorePrivilege
SE_SHUTDOWN_NAME SeShutdownPrivilege
SE_DEBUG_NAME SeDebugPrivilege
SE_AUDIT_NAME SeAuditPrivilege
SE_SYSTEM_ENVIRONMENT_NAME SeSystemEnvironmentPrivilege
SE_CHANGE_NOTIFY_NAME SeChangeNotifyPrivilege
SE_REMOTE_SHUTDOWN_NAME SeRemoteShutdownPrivilege

ADMINISTRATOR 被默认授于以下这16个权限：

SeChangeNotifyPrivilege
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeRemoteShutdownPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege

可以用 OpenProcessToken 和 AdjustTokenPrivileges 这两个函数来提升进程的特权。

讲了那么多，现在回到主题上来。到底使用哪个方法比较好呢？在 win 2000 下有3个方法可供选择，我比较喜欢简单的方法。NtQuerySystemInformation 功能固然强大，但使用比较麻烦。而 win 2000 的 TOOLHELP32 API 其本质还是调用了 NtQuerySystemInformation 函数，由于它发生错误时，可能不能正确返回返回值，所以不是很稳定，使用起来也是很麻烦的，不符合我的懒人本性。还是采用 PSAPI 比较好，简单又方便，只需要三个函数，且没有复杂的结构体参数。函数原型：

BOOL
WINAPI
EnumProcesses(
DWORD * lpidProcess,//指针指向存放进程ID的数组
DWORD cb, //数组大小
DWORD * cbNeeded //返回的实际大小
);

BOOL
WINAPI
EnumProcessModules(
HANDLE hProcess, //进程句柄
HMODULE *lphModule, //指针指向存放模块句柄的数组
DWORD cb, //数组大小
LPDWORD lpcbNeeded //返回的实际大小
);

DWORD
WINAPI
GetModuleFileNameEx(
HANDLE hProcess, //进程句柄
HMODULE hModule, //模块句柄
LPSTR lpFilename, //存放模块文件名的字符串
DWORD nSize //字符串大小
);

他们的作用分别是：枚举进程，枚举进程模块，获取模块文件名（包含路径）。详细的源代码如下：

// EnumProcess.cpp : Defines the entry point for the console application.
// Code By : tabris17

#include "stdafx.h"
#include "Psapi.h"

#pragma comment (lib,"Psapi.lib")

void PrintFileName(DWORD processID)
{
char fn[MAX_PATH];
HANDLE hProcess=OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,processID);
if (hProcess)
{
HMODULE hMod[1024];
DWORD cbNeeded,size;
unsigned int i;
if (EnumProcessModules(hProcess,hMod,sizeof(hMod),&cbNeeded))
{
size=cbNeeded/sizeof(HMODULE);
GetModuleFileNameEx(hProcess,hMod[0],fn,sizeof(fn));
printf("\n(%u)\t%s\n",processID,fn);
for(i=1;i<size;i++)
{
GetModuleFileNameEx(hProcess,hMod[i],fn,sizeof(fn));
printf("\t%s\n",fn);
}
}
}
CloseHandle(hProcess);
}

int plist()
{
DWORD Processesid[1024], cbNeeded,size;
unsigned int i;
if (!EnumProcesses(Processesid,sizeof(Processesid),&cbNeeded))
return 0;

size=cbNeeded/sizeof(DWORD);

for (i=0;i<size;i++)
PrintFileName(Processesid[i]);
return 0;
}

int main(int argc, char* argv[])
{
plist();
return 0;
}

===============================================
本文版权属20CN网络安全小组及其作者所有,如有转载,请保持文章完整性并注明出处
文章类型:原创 提交:四不象 核查:NetDemon