手动创建单进程: 下面通过一个实例来分别演示进程的创建函数.
#include <windows.h>
#include <stdio.h>
BOOL WinExec(char *pszExePath, UINT uiCmdShow)
{
UINT uiRet = 0;
uiRet = ::WinExec(pszExePath, uiCmdShow);
if (31 < uiRet)
{
return TRUE;
}
return FALSE;
}
BOOL ShellExecute(char *pszExePath, UINT uiCmdShow)
{
HINSTANCE hInstance = 0;
hInstance = ::ShellExecute(NULL, NULL, pszExePath, NULL, NULL, uiCmdShow);
if (32 < (DWORD)hInstance)
{
return TRUE;
}
return FALSE;
}
BOOL Exec_Run(LPCSTR exe_file)
{
PROCESS_INFORMATION pi = { 0 };
STARTUPINFO si = { 0 };
si.cb = sizeof(STARTUPINFO);
BOOL bRet = CreateProcessA(exe_file,
NULL, NULL, NULL, FALSE,
NULL, NULL, NULL, &si, &pi);
if (bRet != FALSE)
{
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return TRUE;
}
return FALSE;
}
int main(int argc, char * argv[])
{
int ret = 0;
ret = Exec_Run("c:\\windows\\system32\\notepad.exe");
printf("执行状态: %d \n", ret);
system("pause");
return 0;
}
手动创建多线程: 多线程的创建需要使用CreateThread()其内部应该传递进去ThreadProc()线程执行函数,运行结束后恢复.
#include <Windows.h>
#include <iostream>
int Global_One = 0;
CRITICAL_SECTION g_cs;
// 定义一个线程函数
DWORD WINAPI ThreadProc(LPVOID lpParam)
{
// 加锁防止线程数据冲突
EnterCriticalSection(&g_cs);
for (int x = 0; x < 10; x++)
{
Global_One++;
Sleep(1);
}
// 执行完修改以后,需要释放锁
LeaveCriticalSection(&g_cs);
return 0;
}
int main()
{
// 初始化锁
InitializeCriticalSection(&g_cs);
HANDLE hThread[10] = { 0 };
for (int x = 0; x < 10; x++)
{
// 循环创建线程
hThread[x] = CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL);
}
// 等待多个线程执行结束.
WaitForMultipleObjects(10, hThread, TRUE, INFINITE);
// 最后循环释放资源
for (int x = 0; x < 10; x++)
{
CloseHandle(hThread[x]);
}
printf("Global: %d \n", Global_One);
DeleteCriticalSection(&g_cs);
system("pause");
return 0;
}
强制终止一个进程: 在进程正常进行退出时,会调用ExitProcess()正常关闭程序,也可以调用TerminateProcess()强制销毁进程.
#include <windows.h>
#include <stdio.h>
int Get_ProcessID(LPCSTR path)
{
HWND hWnd = FindWindow(NULL, path);
if (hWnd != NULL)
{
DWORD dwPid = 0;
GetWindowThreadProcessId(hWnd, &dwPid);
if (dwPid != 0)
return dwPid;
}
return -1;
}
int main(int argc,char * argv [])
{
int pid = 0;
pid = Get_ProcessID("新建文本文档.txt - 记事本");
printf("进程PID为: %d \n", pid);
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (hProcess != NULL)
{
TerminateProcess(hProcess, 0); // 终止进程
}
system("pause");
return 0;
}
判断进程是否存在: 通过循环遍历所有进程,并对比szExeFile名称是否与pName一致,来实现判断进程是否正在运行中.
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
int Get_Process_Status(const char *procressName)
{
char pName[MAX_PATH];
strcpy(pName, procressName); // 拷贝数组
CharLowerBuff(pName, MAX_PATH); // 将名称转换为小写
PROCESSENTRY32 currentProcess; // 存放快照进程信息的一个结构体
currentProcess.dwSize = sizeof(currentProcess); // 在使用这个结构之前,先设置它的大小
HANDLE hProcess = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // 给系统内的所有进程拍一个快照
if (INVALID_HANDLE_VALUE != hProcess)
{
BOOL bMore = Process32First(hProcess, ¤tProcess);
while (bMore)
{
CharLowerBuff(currentProcess.szExeFile, MAX_PATH); // 将进程名转换为小写
if (strcmp(currentProcess.szExeFile, pName) == 0) // 比较是否存在此进程
{
CloseHandle(hProcess);
return 1;
}
bMore = Process32Next(hProcess, ¤tProcess);
}
CloseHandle(hProcess);
}
return -1;
}
int main(int argc,char * argv [])
{
int ret = Get_Process_Status("qq.exe");
if (ret == 1)
printf("正在运行. \n");
else
printf("没有运行. \n");
system("pause");
return 0;
}
遍历获取进程PID:
#include <windows.h>
#include <stdio.h>
#include <TlHelp32.h>
DWORD FindProcessID(LPCTSTR szProcessName)
{
DWORD dwPID = 0xFFFFFFFF;
HANDLE hSnapShot = INVALID_HANDLE_VALUE;
PROCESSENTRY32 pe;
pe.dwSize = sizeof(PROCESSENTRY32);
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, NULL);
Process32First(hSnapShot, &pe);
do
{
if (!_tcsicmp(szProcessName, (LPCTSTR)pe.szExeFile))
{
dwPID = pe.th32ProcessID;
break;
}
} while (Process32Next(hSnapShot, &pe));
CloseHandle(hSnapShot);
return dwPID;
}
int main(int argc,char *argv[])
{
DWORD PID = FindProcessID(L"qq.exe");
printf("该进程PID是: %d \n", PID);
system("pause");
return 0;
}
枚举系统中所有进程:
#include <windows.h>
#include <stdio.h>
#include <TlHelp32.h>
int EnumProcess()
{
PROCESSENTRY32 pe32 = { 0 };
pe32.dwSize = sizeof(PROCESSENTRY32);
// 获取全部进程快照
HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (INVALID_HANDLE_VALUE != hProcessSnap)
{
// 获取快照中第一条信息
BOOL bRet = Process32First(hProcessSnap, &pe32);
while (bRet)
{
printf("进程ID: %-5d --> 进程名: %s \n", pe32.th32ProcessID, pe32.szExeFile);
// 获取快照中下一条信息
bRet = Process32Next(hProcessSnap, &pe32);
}
CloseHandle(hProcessSnap);
}
return -1;
}
int main(int argc,char * argv [])
{
EnumProcess();
system("pause");
return 0;
}
枚举指定进程中的DLL模块: 枚举出指定PID进程中所加载的DLL
#include <windows.h>
#include <stdio.h>
#include <TlHelp32.h>
int EnumProcessModule(DWORD Pid)
{
MODULEENTRY32 me32 = { 0 };
me32.dwSize = sizeof(MODULEENTRY32);
// 获取指定进程全部模块的快照
HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, Pid);
if (INVALID_HANDLE_VALUE != hModuleSnap)
{
// 获取快照中第一条信息
BOOL bRet = Module32First(hModuleSnap, &me32);
while (bRet)
{
printf("模块基址: 0x%p --> 大小: %-8d --> 模块名: %-25s -> 路径: %s \n",
me32.modBaseAddr, me32.modBaseSize, me32.szModule,me32.szExePath);
// 获取快照中下一条信息
bRet = Module32Next(hModuleSnap, &me32);
}
CloseHandle(hModuleSnap);
return 0;
}
return -1;
}
int main(int argc,char * argv [])
{
EnumProcessModule(1920);
system("pause");
return 0;
}
枚举进程中线程ID:
#include <windows.h>
#include <stdio.h>
#include <TlHelp32.h>
int EnumThread(DWORD Pid)
{
THREADENTRY32 te32 = { 0 };
te32.dwSize = sizeof(THREADENTRY32);
int index = 0;
// 获取全部线程快照
HANDLE hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if (INVALID_HANDLE_VALUE != hThreadSnap)
{
// 获取快照中第一条信息
BOOL bRet = Thread32First(hThreadSnap, &te32);
while (bRet)
{
// 只过滤出 Owner Process ID = pid 的线程ID
if (Pid == te32.th32OwnerProcessID)
{
printf("线程ID: %6d --> 大小: %d \n", te32.th32ThreadID,te32.dwSize);
++index;
}
// 获取快照中下一条信息
bRet = Thread32Next(hThreadSnap, &te32);
}
CloseHandle(hThreadSnap);
return index;
}
return -1;
}
int main(int argc,char * argv [])
{
int tid_count = EnumThread(9868);
printf("线程数: %d \n", tid_count);
system("pause");
return 0;
}
判断进程是否重复运行:
#include <Windows.h>
#include <stdio.h>
// 判断是否重复运行
BOOL IsAlreadyRun()
{
HANDLE hMutex = NULL;
hMutex = CreateMutex(NULL, FALSE, "RUN");
if (hMutex)
{
if (ERROR_ALREADY_EXISTS == GetLastError())
return TRUE;
}
return FALSE;
}
int main(int argc, const char * argv[])
{
if (IsAlreadyRun() == TRUE)
printf("重复运行 \n");
else
printf("没有重复运行 \n");
system("pause");
return 0;
}
循环干掉特定进程: 该方式只能干掉普通的检测程序,无法干掉带有自保护的杀软,需要加载驱动。
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
int Kill_AV_Process(char *kill_list[],int Count)
{
PROCESSENTRY32 currentProcess;
currentProcess.dwSize = sizeof(currentProcess);
HANDLE hProcess = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (INVALID_HANDLE_VALUE != hProcess)
{
BOOL bMore = Process32First(hProcess, ¤tProcess);
while (bMore)
{
CharLowerBuff(currentProcess.szExeFile, MAX_PATH);
for (int each = 0; each < Count; each++)
{
if (strcmp(currentProcess.szExeFile, kill_list[each]) == 0)
{
// printf("干掉进程 --> %s \n", kill_list[each]);
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, currentProcess.th32ProcessID);
TerminateProcess(hProcess, 0);
}
}
bMore = Process32Next(hProcess, ¤tProcess);
}
CloseHandle(hProcess);
}
return -1;
}
int main(int argc, char * argv[])
{
// 填写杀毒软件的进程名称,然后循环干掉进程
char *fuck[10] = { "chrome.exe", "360.exe","qqpctray.exe","qqpcrtp.exe","qmdl.exe" };
Kill_AV_Process(fuck,5);
system("pause");
return 0;
}
暂停/恢复指定的线程:
#include <windows.h>
#include <stdio.h>
#include <TlHelp32.h>
int Start_Stop_Thread(DWORD Pid,DWORD ThreadID)
{
THREADENTRY32 te32 = { 0 };
te32.dwSize = sizeof(THREADENTRY32);
// 获取全部线程快照
HANDLE hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if (INVALID_HANDLE_VALUE != hThreadSnap)
{
// 获取快照中第一条信息
BOOL bRet = Thread32First(hThreadSnap, &te32);
while (bRet)
{
// 只过滤出 pid 里面的线程
if (Pid == te32.th32OwnerProcessID)
{
// 判断是否为ThreadID,暂停指定的TID
if (ThreadID == te32.th32ThreadID)
{
// 打开线程
HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, te32.th32ThreadID);
SuspendThread(hThread); // 暂停线程
//ResumeThread(hThread); // 恢复线程
CloseHandle(hThreadSnap);
}
}
// 获取快照中下一条信息
bRet = Thread32Next(hThreadSnap, &te32);
}
return 0;
}
return -1;
}
int main(int argc, char * argv[])
{
// 暂停或恢复进程ID = 4204 里面的线程ID = 10056
int ret = Start_Stop_Thread(4204,10056);
printf("状态: %d \n", ret);
system("pause");
return 0;
}
枚举进程内存权限:
#include <stdio.h>
#include <ShlObj.h>
#include <Windows.h>
void ScanMemoryAttribute()
{
DWORD Addres = 0, Size = 0;
MEMORY_BASIC_INFORMATION Basicinfo = {};
// 遍历进程所有分页, 输出内容
while (VirtualQuery((LPCVOID)Addres, &Basicinfo, sizeof(MEMORY_BASIC_INFORMATION)))
{
Size = Basicinfo.RegionSize;
printf("地址: %08p 类型: %7d 大小: %7d 状态: ", Basicinfo.BaseAddress,Basicinfo.Type,Basicinfo.RegionSize);
switch (Basicinfo.State)
{
case MEM_FREE: printf("空闲 \n"); break;
case MEM_RESERVE: printf("保留 \n"); break;
case MEM_COMMIT: printf("提交 \n"); break;
default: printf("未知 \n"); break;
}
// 如果是提交状态的内存区域,那么遍历所有块中的信息
if (Basicinfo.State == MEM_COMMIT)
{
// 遍历所有基址是 Address
LPVOID BaseBlockAddress = (LPVOID)Addres;
DWORD BlockAddress = Addres;
DWORD dwBlockSize = 0;
// 遍历大内存块中的小内存块
while (VirtualQuery((LPVOID)BlockAddress, &Basicinfo, sizeof(Basicinfo)))
{
if (BaseBlockAddress != Basicinfo.AllocationBase)
{
break;
}
printf("--> %08X", BlockAddress);
// 查看内存状态,映射方式
switch (Basicinfo.Type)
{
case MEM_PRIVATE: printf("私有 "); break;
case MEM_MAPPED: printf("映射 "); break;
case MEM_IMAGE: printf("镜像 "); break;
default: printf("未知 "); break;
}
if (Basicinfo.Protect == 0)
printf("---");
else if (Basicinfo.Protect & PAGE_EXECUTE)
printf("E--");
else if (Basicinfo.Protect & PAGE_EXECUTE_READ)
printf("ER-");
else if (Basicinfo.Protect & PAGE_EXECUTE_READWRITE)
printf("ERW");
else if (Basicinfo.Protect & PAGE_READONLY)
printf("-R-");
else if (Basicinfo.Protect & PAGE_READWRITE)
printf("-RW");
else if (Basicinfo.Protect & PAGE_WRITECOPY)
printf("WCOPY");
else if (Basicinfo.Protect & PAGE_EXECUTE_WRITECOPY)
printf("EWCOPY");
printf("\n");
// 计算所有相同块大小
dwBlockSize += Basicinfo.RegionSize;
// 累加内存块的位置
BlockAddress += Basicinfo.RegionSize;
}
// 内有可能大小位空
Size = dwBlockSize ? dwBlockSize : Basicinfo.RegionSize;
}
// 下一个区域内存信息
Addres += Size;
}
}
int main(int argc, char * argv[])
{
ScanMemoryAttribute();
system("pause");
return 0;
}
查询进程所具备的权限:
#include <stdio.h>
#include <ShlObj.h>
#include <Windows.h>
BOOL QueryPrivileges()
{
// 1. 获得本进程的令牌
HANDLE hToken = NULL;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
return false;
// 2. 获取提升类型
TOKEN_ELEVATION_TYPE ElevationType = TokenElevationTypeDefault;
BOOL bIsAdmin = false;
DWORD dwSize = 0;
if (GetTokenInformation(hToken, TokenElevationType, &ElevationType, sizeof(TOKEN_ELEVATION_TYPE), &dwSize))
{
// 2.1 创建管理员组的对应SID
BYTE adminSID[SECURITY_MAX_SID_SIZE];
dwSize = sizeof(adminSID);
CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, &adminSID, &dwSize);
// 2.2 判断当前进程运行用户角色是否为管理员
if (ElevationType == TokenElevationTypeLimited)
{
// a. 获取连接令牌的句柄
HANDLE hUnfilteredToken = NULL;
GetTokenInformation(hToken, TokenLinkedToken, (PVOID)&hUnfilteredToken, sizeof(HANDLE), &dwSize);
// b. 检查这个原始的令牌是否包含管理员的SID
if (!CheckTokenMembership(hUnfilteredToken, &adminSID, &bIsAdmin))
return false;
CloseHandle(hUnfilteredToken);
}
else
{
bIsAdmin = IsUserAnAdmin();
}
}
// 3. 判断具体的权限状况
BOOL bFullToken = false;
switch (ElevationType)
{
case TokenElevationTypeDefault: /* 默认的用户或UAC被禁用 */
if (IsUserAnAdmin())
bFullToken = true; // 默认用户有管理员权限
else
bFullToken = false; // 默认用户不是管理员组
break;
case TokenElevationTypeFull: /* 已经成功提高进程权限 */
if (IsUserAnAdmin())
bFullToken = true; // 当前以管理员权限运行
else
bFullToken = false; // 当前未以管理员权限运行
break;
case TokenElevationTypeLimited: /* 进程在以有限的权限运行 */
if (bIsAdmin)
bFullToken = false; // 用户有管理员权限,但进程权限有限
else
bFullToken = false; // 用户不是管理员组,且进程权限有限
break;
}
return bFullToken;
}
int main(int argc, char * argv[])
{
BOOL ret = QueryPrivileges();
printf("具备权限: %d \n", ret);
system("pause");
return 0;
}
枚举指定进程权限:
#include <stdio.h>
#include <ShlObj.h>
#include <Windows.h>
void ShowPrviliges(HANDLE process)
{
// 通过进程句柄获取到进程令牌
HANDLE hToken;
OpenProcessToken(process, TOKEN_QUERY, &hToken);
// 获取查询道德令牌信息
DWORD dwSize;
GetTokenInformation(hToken,TokenPrivileges, NULL, NULL, &dwSize);
// 根据令牌中的大小分配空间
char *pBuf = new char[dwSize] {};
GetTokenInformation(hToken,TokenPrivileges, pBuf, dwSize, &dwSize);
// 将内存中的内容用要查询数据结构体解析
TOKEN_PRIVILEGES* pTp = (TOKEN_PRIVILEGES*)pBuf;
DWORD dwCount = pTp->PrivilegeCount; // 解析出权限个数
LUID_AND_ATTRIBUTES* pluid = pTp->Privileges; // 具备的权限类型
for (int i = 0; i < dwCount; i++, pluid++)
{
char szName[100] = {};
DWORD dwLen = sizeof(szName);
LookupPrivilegeNameA(0, &pluid->Luid, szName, &dwLen);
switch (pluid->Attributes)
{
case 0:
printf("[ID: %3d] ---> [关闭] ---> %s \n", i,szName); break;
case 1:
printf("[ID: %3d] ---> [默认] ---> %s \n", i,szName); break;
case 2:
printf("[ID: %3d] ---> [开启] ---> %s \n", i,szName); break;
case 3:
printf("[ID: %3d] ---> [默认开启] ---> %s \n", i,szName); break;
}
}
delete pBuf;
}
int main(int argc ,char *argv[])
{
// 拿到PID为9656程序的句柄
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 9656);
ShowPrviliges(hProcess);
// 拿到自身程序的句柄
HANDLE LocalProcess = GetCurrentProcess();
ShowPrviliges(LocalProcess);
system("pause");
return 0;
}
提升指定进程权限:
#include <windows.h>
#include <stdio.h>
int EnbalePrivileges(HANDLE hProcess, char *pszPrivilegesName)
{
HANDLE hToken = NULL;
LUID luidValue = { 0 };
TOKEN_PRIVILEGES tokenPrivileges = { 0 };
BOOL bRet = FALSE;
DWORD dwRet = 0;
// 打开进程令牌并获取具有 TOKEN_ADJUST_PRIVILEGES 权限的进程令牌句柄
bRet = OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES, &hToken);
if (bRet != FALSE)
{
// 获取本地系统的 pszPrivilegesName 特权的LUID值
bRet = LookupPrivilegeValue(NULL, pszPrivilegesName, &luidValue);
if (bRet == FALSE)
return -1;
}
// 设置提升权限信息
tokenPrivileges.PrivilegeCount = 1;
tokenPrivileges.Privileges[0].Luid = luidValue;
tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// 提升进程令牌访问权限
bRet = AdjustTokenPrivileges(hToken, FALSE, &tokenPrivileges, 0, NULL, NULL);
if (bRet != FALSE)
{
// 根据错误码判断是否特权都设置成功
dwRet = GetLastError();
if (ERROR_SUCCESS == dwRet)
{
return 1;
}
}
return -1;
}
int main(int argc,char * argv [])
{
// 获取当前自身进程句柄
HANDLE Local_Pid = GetCurrentProcess();
// 修改当前进程令牌访问权限
if (FALSE != EnbalePrivileges(Local_Pid, SE_DEBUG_NAME))
printf("提权成功 \n");
system("pause");
return 0;
}