Get information about the process module

zhaozj 2021-02-16

First, the implementation principle:

First, create a snapshot with the CreateToolhelp32Snapshot function, then walk the processes by calling Process32First with the snapshot handle; the relevant information for each process is stored in an instance of the PROCESSENTRY32 structure. Calling the internal function GetProcessModule returns the module name of the corresponding process. Finally, the process address space information and the ID of the corresponding thread are read.

Second, the main implementation code:

Get information about the process address space:

hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);

// pmc is the PROCESS_MEMORY_COUNTERS structure that receives the counters.
pfGetProcessMemoryInfo(hProcess, &pmc, sizeof(pmc));

Get the module information of the process:

BOOL CEmuteFileDlg::GetProcessModule(DWORD dwPID, DWORD dwModuleID,
                                     LPMODULEENTRY32 lpMe32, DWORD cbMe32)
{
    BOOL          bRet        = FALSE;
    BOOL          bFound      = FALSE;
    HANDLE        hModuleSnap = NULL;
    MODULEENTRY32 me32        = {0};

    // Take a snapshot of all modules in the specified process.
    hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
    if (hModuleSnap == INVALID_HANDLE_VALUE)
        return (FALSE);

    // Fill the size of the structure before using it.
    me32.dwSize = sizeof(MODULEENTRY32);

    // Walk the module list of the process, and find the module of
    // interest. Then copy the information to the buffer pointed
    // to by lpMe32 so that it can be returned to the caller.
    // Note: current Windows versions no longer use th32ModuleID and
    // always set it to 1.
    if (Module32First(hModuleSnap, &me32))
    {
        do
        {
            if (me32.th32ModuleID == dwModuleID)
            {
                // Never copy more than the structure actually holds.
                CopyMemory(lpMe32, &me32, min(cbMe32, (DWORD)sizeof(me32)));
                bFound = TRUE;
            }
        }
        while (!bFound && Module32Next(hModuleSnap, &me32));

        bRet = bFound;   // if this sets bRet to FALSE, dwModuleID
                         // no longer exists in specified process
    }
    else
        bRet = FALSE;    // could not walk module list

    // Do not forget to clean up the snapshot object.
    CloseHandle(hModuleSnap);

    return (bRet);
}

Third, raising privileges:

BOOL EnableDebugPrivilege()
{
    HANDLE hToken;
    BOOL fOk = FALSE;

    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
            printf("Can't lookup privilege value.\n");
        else
        {
            // AdjustTokenPrivileges can return TRUE without enabling the
            // privilege (ERROR_NOT_ALL_ASSIGNED), so read GetLastError()
            // right after the call, before printf can change it.
            BOOL fAdjusted = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
            fOk = fAdjusted && (GetLastError() == ERROR_SUCCESS);
            if (!fOk)
                printf("Can't adjust privilege value.\n");
        }
        CloseHandle(hToken);
    }
    return fOk;
}

Fourth, afterword: I feel that the information obtained is not complete enough. For example, I would really like to know how to get the module name for a process's thread; I wonder whether some expert could enlighten me!

Monkeycd@163.com

ThanX! :-)
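For the open question in the afterword above (which module a process's thread belongs to), one approach is to record each module's base address and size while walking the module list, then look up the thread's start address in those ranges. The block below is an added example, not the original author's code: ModRange, module_for_address and snapshot_modules are hypothetical names, the Windows part assumes an ANSI build, and obtaining the thread's start address (for instance through NtQueryInformationThread) is left to the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One loaded module; the fields mirror MODULEENTRY32's modBaseAddr,
   modBaseSize and szModule. ModRange is a hypothetical helper type. */
typedef struct {
    uintptr_t base;
    uint32_t  size;
    char      name[256];
} ModRange;

/* Return the name of the module whose [base, base + size) range contains
   addr, or NULL when the address lies in no loaded module (for example,
   dynamically allocated memory). */
const char *module_for_address(const ModRange *mods, size_t n, uintptr_t addr)
{
    for (size_t i = 0; i < n; i++) {
        /* Compare offsets so base + size is never computed (no wraparound). */
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return mods[i].name;
    }
    return NULL;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
/* Fill out[] with up to cap modules of process pid and return the count
   (0 if no snapshot could be taken). Assumes UNICODE is not defined,
   so szModule is a char array. */
size_t snapshot_modules(DWORD pid, ModRange *out, size_t cap)
{
    size_t n = 0;
    MODULEENTRY32 me32;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    me32.dwSize = sizeof(me32);   /* must be set before Module32First */
    if (cap > 0 && Module32First(snap, &me32)) {
        do {
            out[n].base = (uintptr_t)me32.modBaseAddr;
            out[n].size = me32.modBaseSize;
            strncpy(out[n].name, me32.szModule, sizeof(out[n].name) - 1);
            out[n].name[sizeof(out[n].name) - 1] = '\0';
            n++;
        } while (n < cap && Module32Next(snap, &me32));
    }
    CloseHandle(snap);
    return n;
}
#endif
```

A start address for which module_for_address returns NULL lies outside every module in the snapshot and is worth recording separately rather than attributing to the nearest module.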

Code download: http://www.vckbase.com/code/listcode.asp?Mclsid=13&SCLSID=1305

When reposting, please cite the original address: https://www.9cbs.com/read-25876.html
