Using CBrother's CLib library to call the Windows API
CBrother version 2.1.0 added the CLib library. I needed to write a new tool that kills a Windows process by its path, so I studied the usage of the CLib library a little; it feels quite flexible.
First of all, I need to find out which system DLL each API lives in; I usually check the API on the Microsoft documentation site (https://docs.microsoft.com/zh-cn/windows/win32/api/).
For example, when I look up the OpenProcess API, I find the following:
It lives in Kernel32.dll. Once the same information has been obtained for the other APIs, you can write the following code.
import CBCLib.code

// ---- kernel32.dll state, populated lazily by initkernel32() ----
var g_kernel32_init = false;                 // true once initkernel32() has run (whether or not the load succeeded)
var g_kernel32 = null;                       // CLib handle for kernel32.dll
var g_kernel32_OpenProcess = null;           // OpenProcess
var g_kernel32_CloseHandle = null;           // CloseHandle
var g_kernel32_GetModuleFileNameExA = null;  // bound to the K32GetModuleFileNameExA export of kernel32
var g_kernel32_GetLogicalDriveStringsA = null; // GetLogicalDriveStringsA
var g_kernel32_QueryDosDeviceA = null;       // QueryDosDeviceA

// ---- Psapi.dll state, populated lazily by initpsapi() ----
var g_psapi_init = false;                    // true once initpsapi() has run
var g_psapi = null;                          // CLib handle for Psapi.dll
var g_psapi_GetProcessImageFileNameA = null; // GetProcessImageFileNameA

// Size in bytes of every scratch buffer used for paths and drive lists below.
// Deliberately larger than the Win32 MAX_PATH (260) so long paths are not truncated.
const MAX_PATH = 1024;

// Load kernel32.dll once and bind the exports this script uses.
// findFunc takes the export name, then the return type, then the parameter
// types in prototype order; CLib uses this list to marshal callFunc arguments.
function initkernel32()
{
    if (g_kernel32_init)
    {
        return;
    }
    // Mark as initialised before loading so a failed load is reported once
    // instead of being retried by every caller.
    g_kernel32_init = true;

    g_kernel32 = new CLib("kernel32.dll");
    if (!g_kernel32.load())
    {
        print "kernel32.dll load err!";
        return;
    }

    // HANDLE OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
    g_kernel32_OpenProcess = g_kernel32.findFunc("OpenProcess", "pointer", "int", "bool", "int");
    // BOOL CloseHandle(HANDLE hObject)
    // NOTE(review): the handle comes back from OpenProcess as "pointer" but is
    // declared "int" here - confirm CLib passes it unchanged on 64-bit builds.
    g_kernel32_CloseHandle = g_kernel32.findFunc("CloseHandle", "bool", "int");
    // DWORD GetModuleFileNameExA(HANDLE hProcess, HMODULE hModule, LPSTR lpFilename, DWORD nSize)
    g_kernel32_GetModuleFileNameExA = g_kernel32.findFunc("K32GetModuleFileNameExA", "int", "pointer", "pointer", "pointer", "int");
    // DWORD GetLogicalDriveStringsA(DWORD nBufferLength, LPSTR lpBuffer)
    g_kernel32_GetLogicalDriveStringsA = g_kernel32.findFunc("GetLogicalDriveStringsA", "int", "int", "pointer");
    // DWORD QueryDosDeviceA(LPCSTR lpDeviceName, LPSTR lpTargetPath, DWORD ucchMax)
    g_kernel32_QueryDosDeviceA = g_kernel32.findFunc("QueryDosDeviceA", "int", "string", "pointer", "int");
}
I also used a function from psapi.dll:
// Load Psapi.dll once and bind GetProcessImageFileNameA.
// Like initkernel32(), a failed load is reported a single time and never retried.
function initpsapi()
{
    if (g_psapi_init)
    {
        return;
    }
    g_psapi_init = true;

    g_psapi = new CLib("Psapi.dll");
    if (!g_psapi.load())
    {
        print "Psapi.dll load err!";
        return;
    }

    // DWORD GetProcessImageFileNameA(HANDLE hProcess, LPSTR lpImageFileName, DWORD nSize)
    // Return type first, then the parameter types, following the Win32 prototype.
    g_psapi_GetProcessImageFileNameA = g_psapi.findFunc("GetProcessImageFileNameA", "int", "pointer", "pointer", "int");
}
Here is how the process path is obtained from the process pid:
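const STANDARD_RIGHTS_REQUIRED = 0x000F0000;
const SYNCHRONIZE = 0x00100000;
// Minimal access rights for reading a process image path (least privilege):
// GetModuleFileNameExA needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, and
// GetProcessImageFileNameA is satisfied by PROCESS_QUERY_LIMITED_INFORMATION.
const PROCESS_VM_READ = 0x0010;
const PROCESS_QUERY_INFORMATION = 0x0400;
const PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;

// Return the full image path of the process identified by pid.
// On failure to open the process an error is printed and the function
// returns without a value; otherwise the drive-letter path (possibly ""
// if the psapi fallback could not map it) is returned.
function GetProcessPath(pid)
{
    initkernel32();

    // Request only the rights this function needs rather than PROCESS_ALL_ACCESS
    // (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF): a full-access request is
    // refused for many elevated or protected processes even though a query would succeed.
    var hProcess = g_kernel32_OpenProcess.callFunc(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pid);
    if (hProcess.isNull())
    {
        // VM_READ may be denied; a limited query handle is still enough for the psapi fallback below.
        hProcess = g_kernel32_OpenProcess.callFunc(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
    }
    if (hProcess.isNull())
    {
        print "openprocess err! " + pid;
        return;
    }

    // GetModuleFileNameExA writes the path of the main module (hModule = null) into pathBuff.
    var pathBuff = new CLibPointer();
    pathBuff.malloc(MAX_PATH);

    var res = g_kernel32_GetModuleFileNameExA.callFunc(hProcess, null, pathBuff, MAX_PATH);
    if (res > 0)
    {
        res = pathBuff.readString();
    }
    else
    {
        // Fails on some systems, when the handle lacks VM_READ, or when a 32-bit
        // script queries a 64-bit process; fall back to GetProcessImageFileNameA.
        res = GetProcessPathByPsapi(hProcess);
    }

    pathBuff.free();
    // Always release the process handle, whichever path succeeded.
    g_kernel32_CloseHandle.callFunc(hProcess);
    return res;
}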
If GetModuleFileNameExA fails, GetProcessImageFileNameA is used to get the DOS device path, which is then converted to an absolute drive-letter path:
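// Map an NT device path ("\Device\HarddiskVolume1\dir\a.exe") to a drive-letter
// path ("C:\dir\a.exe") by matching it against every logical drive's device name.
// Returns "" when no drive matches or the drive list cannot be read.
function DevicePathToDrivePath(dosPath)
{
    initkernel32();

    var newPath = "";
    var driveStr = new CLibPointer();
    driveStr.malloc(MAX_PATH);

    // Returns the number of characters copied; a value larger than the buffer
    // means the buffer was too small and its contents must not be parsed.
    var driveLen = g_kernel32_GetLogicalDriveStringsA.callFunc(MAX_PATH, driveStr);
    if (driveLen > 0)
    {
        if (driveLen <= MAX_PATH)
        {
            var driveName = new CLibPointer();
            driveName.malloc(MAX_PATH);
            var cursor = driveStr.copyAddr();

            // driveStr holds "C:\<NUL>D:\<NUL>...<NUL>": one 4-byte entry per drive,
            // terminated by an extra empty string.
            while (1)
            {
                var szDrive = cursor.readString();
                if (strlen(szDrive) == 0)
                {
                    // reached the terminating empty entry
                    break;
                }
                // QueryDosDevice wants "C:" without the trailing backslash
                szDrive = strget(szDrive, 0, 2);

                if (g_kernel32_QueryDosDeviceA.callFunc(szDrive, driveName, MAX_PATH))
                {
                    var dname = driveName.readString();
                    var namelen = strlen(dname);
                    // A bare prefix match is wrong: "\Device\HarddiskVolume1" is a prefix of
                    // "\Device\HarddiskVolume10", so the device name must be followed by "\".
                    if (strnicmp(dname, dosPath, namelen) == 0)
                    {
                        if (strget(dosPath, namelen, 1) == "\\")
                        {
                            newPath = szDrive;
                            newPath += strget(dosPath, namelen);
                            break;
                        }
                    }
                }
                // A drive whose device query fails (e.g. a mapped or removed letter)
                // is skipped rather than aborting the whole search.
                cursor.addAddr(4);
            }

            driveName.free();
        }
    }
    driveStr.free();
    return newPath;
}

// Resolve a process path via GetProcessImageFileNameA, which needs only
// PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION on hProcess
// but yields an NT device path, then convert that to a drive-letter path.
// Returns "" on failure.
function GetProcessPathByPsapi(hProcess)
{
    initpsapi();

    var newPath = "";
    var tempBuff = new CLibPointer();
    tempBuff.malloc(MAX_PATH);
    var res = g_psapi_GetProcessImageFileNameA.callFunc(hProcess, tempBuff, MAX_PATH);
    if (res > 0)
    {
        newPath = DevicePathToDrivePath(tempBuff.readString());
    }
    tempBuff.free();
    return newPath;
}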
Here is how it is used in the main function:
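var g_path = "E:\\111\\test.exe"; // full image path of the process to kill (sample value)
var g_name = "test.exe";          // image name used to look up candidate pids

// Case-insensitive, whole-string comparison of two Windows paths.
// Returns false when the first argument is missing (GetProcessPath returns
// no value when it cannot open the process).
function IsSamePath(a, b)
{
    if (a == null)
    {
        return false;
    }
    var len = strlen(b);
    // strnicmp only compares the first len characters, so lengths must match too,
    // otherwise "E:\111\test.exe.bak" would compare equal to "E:\111\test.exe".
    if (strlen(a) != len)
    {
        return false;
    }
    return strnicmp(a, b, len) == 0;
}

// Entry point: kill every process named g_name whose image path is g_path.
// The path check is what keeps a same-named process in another directory alive.
function main(params)
{
    // GetProcessByName is provided by CBrother: returns an array of pids for the image name.
    var pidarr = GetProcessByName(g_name);
    for (var i = 0; i < pidarr.size(); i++)
    {
        var path = GetProcessPath(pidarr[i]);
        // Windows paths are case-insensitive, so a plain == would miss "e:\111\TEST.EXE".
        if (IsSamePath(path, g_path))
        {
            // KillProcessByID is also provided by CBrother: terminates the process with that pid.
            KillProcessByID(pidarr[i]);
        }
    }
}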
The usage is quite easy to understand; if you are familiar with Windows programming, CBrother can do anything you want it to do.
I have sent the code for the API usage above to the author, who said it will be added to the lib library later and gradually extended to all of the APIs, so that the Windows APIs become easy to use.