Analysis of the principles and implementation of Windows Task Manager Development

zhaozj, 2021-02-16


Source code 1: T-pskit source code


Author: TOo2y [Original]
E-mail: brief@fz5fz.org
Homepage: http://www.fz5fz.org && http://www.safechina.net
Date: 05-01-2003

Everyone is familiar with the Task Manager (Taskmgr) that ships with Windows 2000/XP. The XP version is more capable than the 2000 one and returns more detailed information, but don't you still feel that much of the information you want is missing? Don't you feel that the tools in the Windows system management toolbox are too scattered? Let's look at the principles behind their development and build a real task manager ourselves. Here we call the Win32 API to implement these features; everyone says MS hides too many details, and we will discuss the Windows kernel further on another occasion.

The function of the task manager you are probably most familiar with is process management: when we suspect a virus or Trojan we usually open the task manager to see whether any unusual process is running, so the process viewer is a very important feature. Besides the process name, what else can we get? Its process identifier, user information, CPU time, memory usage and base priority. The CPU and memory figures help us analyze how the process is behaving, and the priority indicates how the process is favoured when the processor is allocated. Those are the common items; let's look at the others. The parent process ID, the creation time, the program name and so on are also of interest to us. Then there is the performance information related to the process. Windows has two modes, kernel mode (level 0) and user mode (level 3), and a process switches between them frequently, so we can obtain the time it has spent in kernel mode and in user mode separately. The process-related memory information includes the working set, the paged pool, the non-paged pool and the page file usage.
Process-related I/O operations are divided into read, write and other; we can get both the number of operations and the amount of data transferred. If you suspect a process is a Trojan, what information would you want? The bare process name is certainly not enough. We want the full path of the program the process is running, which helps us determine what that program actually is. This is not the place to discuss process hiding; one technique is creating remote threads, where the injected code usually takes the form of a dynamic link library (DLL), so we also want to see all the modules a given process has loaded, most of which are DLLs. "Thread" is a familiar name: the thread is the unit of execution in Windows, and the process is the environment in which threads run. How many threads has a process created? We can enumerate all the thread information inside a process as well. If you find a Trojan process, the next step is to analyze how it works (if you are interested), but in the end you want to terminate it. Under Windows 2000 many key system processes cannot be ended from Taskmgr, but now you don't have to worry about that. So, of course, process operations include terminating a process.

If you have used the Chinese version of XP, you have probably run into the taskbar "freezing": the machine has not hung, but nothing responds. We can also suspend any process ourselves; whatever it was doing (other than exiting), it will stop responding. Having suspended a process, we can also resume it from the suspended state. The desktop window is the interface we touch most directly; do you want the title of every window? Of course, we can also get the process, thread and window handle attributes associated with each window. If you are familiar with VC, you know its Spy tool, which shows details of desktop windows, processes and threads; now you no longer need to open it. System performance is a topic for every user. It includes the number of handles, processes and threads currently created across the whole system, the total and in-use physical memory, the size of the system cache, the commit limit and commit charge, and of course the usage of the kernel paged and non-paged pools (kernel memory). That covers most of the information about Windows memory management. Although hard disks are very cheap now, I am still using a small 6.4 GB drive, so I often hit "low disk space". We often need to check hard disk usage, but opening My Computer every time is a chore. Now we can see the capacity and current usage of all disks, together with their format types (such as FAT, NTFS, CDFS) and volume labels. The environment block may be less familiar; it holds environment variables, each corresponding to one or more strings. You can set them under System / Advanced in Control Panel, including adding new variables and deleting or editing system variables. Event records are a great help when analyzing the system.
Event records are divided into three logs: application, system and security. Events are of several types: information, warning and error. Each record includes a record number, an event type, a source, a time generated, a username and a description. Every network administrator should be very familiar with the event log; have a look at the event information when you have time. The command ipconfig /all is used often under Windows, for example when you use DHCP and want to check whether your IP address has changed. It gives detailed network adapter information: adapter name, description, hardware address and type, IP address with its subnet mask, gateway and DHCP server addresses. Are you also interested in network traffic? You can find out how many (non-)broadcast datagrams the host has received and sent, how many errors occurred, and the totals received and sent; this is useful to every netizen. Network shares deserve attention: how many shares you have, what their file paths are, and their share types. When a share is no longer needed, don't forget to remove it, so you don't leak confidential information. Windows NT is a multi-user system that allows several types of users to exist.

We want to list user accounts (and remember to change the user's password now and then), together with the user identifier (user ID), group identifier (group ID) and account type; different types carry different permissions, and we certainly hope to hold the highest. Whether the system restricts an account's disk space usage, its number of logons, its logon hours and so on is also useful when analyzing how users use the system. Win32 service and device driver information is important too: we want the path, status, type and start-up mode of each service and driver program, and we want to control services, that is, stop, start and delete them. See "Analysis of Windows 2000/XP Service and Back Door Technology" for more on Win32 services. Shutdown need not be so monotonous: you can log off, and if you leave your seat you need to lock the system. I have not liked shutting down lately, it is too much trouble, so I am used to hibernating, where the system preserves the current state for us; power management also provides shutdown and sleep. Windows 2000 users will have noticed that under XP we can also shut down or restart with a message prompt. The system's version information is relatively fixed, mainly the operating system fingerprint, the registered organization/user, the host name and the system directories.

Having said so much, we should also talk about how to implement it.

1. Window information

MS provides functions to open a specific desktop and to enumerate the windows on it:

    hDesk = OpenDesktop(lpszDesktop, 0, FALSE, DESKTOP_ENUMERATE);   // open our default desktop
    EnumDesktopWindows(hDesk, (WNDENUMPROC)EnumWindowProc, 0);       // enumerate all windows on the desktop through a callback
    BOOL __stdcall EnumWindowProc(HWND hWnd, LPARAM lParam);         // in the callback we get the title and the owning process and thread
    GetWindowText(hWnd, szWindowText, dwMaxCount);
    GetWindowThreadProcessId(hWnd, &dwPid);

2. Device driver information

(Services and device drivers are handled in the same way, so services are not repeated here.) Device drivers are managed by the Service Control Manager (SCM), so we open the SCM and enumerate all device drivers.
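The driver and service inventory described in this section, as an added PowerShell example; it is not code from the article or from T-pskit, and it uses the Win32_SystemDriver / Win32_Service CIM classes instead of the SCM API. The class and property names are documented; the "image missing or outside %SystemRoot%" rule is this example's own.

```powershell
# Added example, not code from the article or from T-pskit: the driver/service
# inventory that EnumServicesStatus, QueryServiceConfig and QueryServiceStatus
# build, done through the Win32_SystemDriver / Win32_Service CIM classes.
# Assumes Windows PowerShell 5.1 or later on Windows.

function Get-ServiceInventory {
    param(
        # 'Driver' -> kernel and file-system drivers (SERVICE_KERNEL_DRIVER etc.),
        # 'Win32'  -> user-mode services (SERVICE_WIN32_*)
        [ValidateSet('Win32', 'Driver')]
        [string]$Kind = 'Driver'
    )

    $class = if ($Kind -eq 'Driver') { 'Win32_SystemDriver' } else { 'Win32_Service' }

    Get-CimInstance -ClassName $class | ForEach-Object {
        # PathName may be quoted, may carry arguments, and may be written with the
        # \??\ or \SystemRoot\ prefixes or relative to the Windows directory
        $raw = [string]$_.PathName
        $exe = $raw -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] }
        elseif ($exe -match '^(\S+\.(exe|sys|dll))') { $exe = $Matches[1] }
        if ($exe -ne '' -and -not [System.IO.Path]::IsPathRooted($exe)) {
            $exe = Join-Path $env:SystemRoot $exe
        }

        [pscustomobject]@{
            Name          = $_.Name
            DisplayName   = $_.DisplayName
            State         = $_.State        # like SERVICE_STATUS.dwCurrentState
            StartMode     = $_.StartMode    # like QUERY_SERVICE_CONFIG.dwStartType
            ServiceType   = $_.ServiceType
            ImagePath     = $exe
            ImageExists   = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
            OutsideWindir = ($exe -ne '' -and -not $exe.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase'))
        }
    }
}

# Usage: drivers whose image file is missing (stale registration) or lives
# outside %SystemRoot%, the entries a reviewer wants to look at first
Get-ServiceInventory -Kind Driver |
    Where-Object { -not $_.ImageExists -or $_.OutsideWindir } |
    Format-Table Name, State, StartMode, ImagePath, ImageExists -AutoSize
```

Switch `-Kind Win32` to get the same table for user-mode services; the start mode and state columns correspond to the dwStartType and dwCurrentState values the SCM calls return.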

    OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);                          // open the service control manager with all rights
    EnumServicesStatus(schManager, dwDeviceType, dwDeviceState, lpEnumStatus,
                       dwBufSize, &dwBytesNeeded, &dwDevicesReturned, &dwResumeHandle); // enumerate all devices and their current status
    OpenService(schManager, szDeviceName, SERVICE_ALL_ACCESS);                 // open a specific device driver
    QueryServiceConfig(schDevice, lpDeviceConfig, 1024 * 8, &dwBytesNeeded);   // query the driver's service configuration
    QueryServiceStatus(schDevice, &DeviceStatus);                              // query the driver's current state
    QueryServiceConfig2(schDevice, SERVICE_CONFIG_DESCRIPTION, (LPBYTE)lpDeviceDescription, 8 * 1024, &dwBytesNeeded); // query the description
    StartService(schDevice, 0, NULL);                                          // start the device
    ControlService(schDevice, SERVICE_CONTROL_STOP, &DeviceStatus);            // stop the device
    DeleteService(schDevice);                                                  // delete the device
    CloseServiceHandle(schDevice);                                             // remember to close the service and SCM handles after use
    CloseServiceHandle(schManager);

3. Disk information

We want the information for all disks, including floppy disks, hard disks, CD-ROMs and so on:

    GetLogicalDriveStrings(dwBufferLength, lpBuffer);                          // get the logical drives
    GetVolumeInformation(lpRootPathName, lpVolumeNameBuffer, dwVolumeNameSize, &dwVolumeSerialNumber,
                         &dwMaximumComponentLength, &dwFileSystemFlags, lpFileSystemNameBuffer, dwFileSystemNameSize); // volume name and format type
    GetDiskFreeSpaceEx(lpRootPathName, &FreeBytesAvailable, &TotalNumberOfBytes, &TotalNumberOfFreeBytes); // disk space usage

4. Environment variables

We can get the environment block from the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment, using the registry functions of course.
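Reading the environment block from that registry key, as an added PowerShell example (not code from the article or from T-pskit): it lists each value in its stored form, its expanded form, and the value the running process actually sees, which is what GetEnvironmentVariable would return. The key path is the documented one; the comparison rule is this example's own.

```powershell
# Added example, not code from the article or from T-pskit: read the machine-wide
# environment block from the registry and compare each value with the process view.
# Assumes Windows PowerShell 5.1 or later on Windows.

function Compare-EnvironmentBlock {
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $key = Get-Item -LiteralPath $keyPath     # a Microsoft.Win32.RegistryKey

    foreach ($name in $key.GetValueNames()) {
        # Stored form: REG_EXPAND_SZ values keep their %SystemRoot% style references.
        # Machine form: the same value with those references expanded.
        $raw      = [string]$key.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $expanded = [string]$key.GetValue($name)
        # Process form: the machine block merged with the per-user block at logon
        $live     = [string][Environment]::GetEnvironmentVariable($name, 'Process')

        [pscustomobject]@{
            Name    = $name
            Kind    = $key.GetValueKind($name)   # String or ExpandString
            Stored  = $raw
            Machine = $expanded
            Process = $live
            Differs = ($expanded -ne $live)
        }
    }
}

# Usage: variables whose live value deviates from the machine-wide one. PATH
# normally differs because the user block is appended; any other difference, or a
# PATH entry pointing outside the usual directories, deserves a closer look.
Compare-EnvironmentBlock | Where-Object Differs |
    Format-List Name, Kind, Machine, Process
```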

    RegOpenKeyEx(HKEY_LOCAL_MACHINE, RegKey, 0, KEY_QUERY_VALUE, &hKey);      // open the registry key
    RegEnumValue(hKey, dwIndex, EnvironVariable, &dwVariableLength, NULL, NULL, NULL, NULL); // enumerate the value names we need
    GetEnvironmentVariable(EnvironVariable, EnvironString, 1024);              // get the string for an environment variable

5. Event log information

    OpenEventLog(NULL, szLog);                                                 // open an event log
    GetOldestEventLogRecord(hEvent, &dwThisRecord);                            // get the number of the oldest record, so we can read forward from it
    ReadEventLog(hEvent, EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ, 0, pEventLogRecord, 1024 * 32, &dwRead, &dwNeeded); // read log records
    LookupAccountSid(NULL, pSid, szName, &dwName, szDomain, &dwDomain, &snu);  // resolve the record's SID to an account name
    GetNumberOfEventLogRecords(hEvent, &dwTotal);                              // get the total number of records
    CloseEventLog(hEvent);                                                     // don't forget to close the event log handle

6. Network shares

We use level 2 of the share enumeration:

    NetShareEnum(NULL, dwLevel, (PBYTE *)&pBuf, MAX_PREFERRED_LENGTH, &entriesRead, &totalEntries, &resume); // enumerate all shared directories and their details
    NetApiBufferFree(pBuf);                                                    // free the buffer
    NetShareDel(NULL, lpShareNameW, 0);                                        // delete a network share

7. Network adapter information

We want NIC information and network traffic:

    GetAdaptersInfo(&AdapterInfo, &OutBufLen);                                 // get adapter information

8. System performance

Get the system's memory usage:

    GetPerformanceInfo(&PerfInfo, sizeof(PERFORMANCE_INFORMATION));            // get system performance information

9. Process information

    AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL); // raise the process's privileges to support debugging
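The process, module and thread view this section describes, as an added PowerShell example (not code from the article or from T-pskit): it collects the per-process figures the article lists (times, priority, working set, pools, thread and module counts) with Get-Process, and lists modules loaded from outside the Windows and Program Files directories with their Authenticode status, which is the first thing to check when DLL injection is suspected. The "trusted directory" rule is this example's own assumption.

```powershell
# Added example, not code from the article or from T-pskit: the process / module /
# thread view the article builds with CreateToolhelp32Snapshot, done with Get-Process.
# Assumes Windows PowerShell 5.1 or later; run elevated (the article's debug
# privilege step) to see other users' processes.

function Get-ProcessReport {
    param([int[]]$ProcessId = @())

    $procs = if ($ProcessId.Count -gt 0) { Get-Process -Id $ProcessId } else { Get-Process }
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ }

    foreach ($p in $procs) {
        # Modules, Threads and the timing properties throw for protected processes
        # or when not elevated, so each is read under try/catch
        $modules = @($(try { $p.Modules } catch { @() }))
        $threads = @($(try { $p.Threads } catch { @() }))

        $suspect = foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $inTrusted = $false
            foreach ($dir in $trusted) {
                if ($path.StartsWith($dir, 'OrdinalIgnoreCase')) { $inTrusted = $true; break }
            }
            if (-not $inTrusted) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                [pscustomobject]@{ Module = $path; Signature = $sig.Status }
            }
        }

        [pscustomobject]@{
            Id             = $p.Id
            Name           = $p.ProcessName
            Path           = $(try { $p.Path } catch { $null })
            StartTime      = $(try { $p.StartTime } catch { $null })
            Priority       = $(try { $p.PriorityClass } catch { $null })
            KernelTime     = $(try { $p.PrivilegedProcessorTime } catch { $null })
            UserTime       = $(try { $p.UserProcessorTime } catch { $null })
            WorkingSet     = $p.WorkingSet64
            PagedPool      = $p.PagedSystemMemorySize64
            NonPagedPool   = $p.NonpagedSystemMemorySize64
            Threads        = $threads.Count
            Modules        = $modules.Count
            SuspectModules = @($suspect)
        }
    }
}

# Usage: processes carrying at least one module loaded from outside the trusted
# directories, with each module's path and signature status joined for display
Get-ProcessReport | Where-Object { $_.SuspectModules.Count -gt 0 } |
    Select-Object Id, Name, Path, Threads, Modules,
        @{ n = 'Suspect'; e = { ($_.SuspectModules | ForEach-Object { "$($_.Module) [$($_.Signature)]" }) -join '; ' } }
```

A module outside those directories is not proof of anything on its own (plenty of legitimate software installs elsewhere), but an unsigned one inside a system process is exactly the combination the article's module enumeration is meant to surface.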

    CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);                           // create a snapshot of the processes
    Process32First(hProcessSnap, &ProcessEntry32);
    Process32Next(hProcessSnap, &ProcessEntry32);                              // enumerate all processes
    OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, ProcessEntry32.th32ProcessID); // open a specific process with query access
    GetProcessTimes(hProcess, &CreateTime, &ExitTime, &KernelTime, &UserTime); // get the process's time information
    GetProcessMemoryInfo(hProcess, &pmCounter, sizeof(pmCounter));             // get the process's memory usage
    GetPriorityClass(hProcess);                                                // get the process priority
    GetProcessIoCounters(hProcess, &IoCounters);                               // get the process's I/O usage
    CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessID);                  // create a module snapshot
    Module32First(hModuleSnap, &ModuleEntry32);
    Module32Next(hModuleSnap, &ModuleEntry32);                                 // enumerate the process's modules
    CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);                            // create a thread snapshot
    Thread32First(hThreadSnap, &ThreadEntry32);
    Thread32Next(hThreadSnap, &ThreadEntry32);                                 // enumerate thread information
    OpenThread(THREAD_ALL_ACCESS, FALSE, ThreadEntry32.th32ThreadID);          // open a thread; the address of this function must be obtained at run time
    TerminateProcess(hProcess, 0);                                             // terminate a process
    SuspendThread(hThread);                                                    // suspend a thread
    ResumeThread(hThread);                                                     // resume a thread

10. Shutdown

    AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL); // adjust the process token so shutdown is allowed
    ExitWindowsEx(EWX_LOGOFF, 0);                                              // log off
    LockWorkStation();                                                         // lock the workstation
    InitiateSystemShutdown(NULL, szMessage, dwTimeout, FALSE, bSig);           // shutdown or restart with a timeout and a displayed message
    SetSystemPowerState(bSig, FALSE);                                          // sleep or hibernate, depending on bSig
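The event log walk of section 5 (OpenEventLog / ReadEventLog / LookupAccountSid), as an added PowerShell example that is not code from the article or from T-pskit: it reads one of the three logs the article names, keeps the fields the article lists (record number, type, source, time, user, description), resolves the SID to an account name, and summarises errors and warnings by source. The Level and Keywords values are the documented ones; the summary itself is this example's own choice.

```powershell
# Added example, not code from the article or from T-pskit: read the application,
# system or security log and summarise errors/warnings by source.
# Assumes Windows PowerShell 5.1 or later; the Security log needs an elevated prompt.

function Get-EventSummary {
    param(
        [ValidateSet('Application', 'System', 'Security')]
        [string]$LogName = 'System',
        [int]$MaxEvents = 500
    )

    $filter = @{ LogName = $LogName }
    if ($LogName -eq 'Security') {
        # Security events all carry level 0; filter on the Audit Failure keyword instead
        $filter['Keywords'] = 0x10000000000000
    } else {
        # Level 1 = Critical, 2 = Error, 3 = Warning; informational events are skipped
        $filter['Level'] = 1, 2, 3
    }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # UserId is a SID; translate it to DOMAIN\name the way LookupAccountSid does,
        # keeping the S-1-... string when the account cannot be resolved
        $user = $null
        if ($e.UserId) {
            try   { $user = $e.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $user = $e.UserId.Value }
        }
        [pscustomobject]@{
            RecordId = $e.RecordId
            Time     = $e.TimeCreated
            Level    = $e.LevelDisplayName
            Source   = $e.ProviderName
            EventId  = $e.Id
            User     = $user
            Message  = ([string]$e.Message -split '\r?\n')[0]   # first line of the description
        }
    }
}

# Usage: the ten sources producing the most errors/warnings among the newest 500
# System events; a source that suddenly tops this list is worth a closer look
Get-EventSummary -LogName System |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

Drop the Group-Object stage to see the individual records with the user and first line of the description, which is the same row the article's task manager displays for each event.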

Please credit the original address when reposting: https://www.9cbs.com/read-19524.html
