How to find hidden processes under WIN 9X

Source: Internet
Author: User

Some hacking tools on Windows 9x use undocumented API functions to hide themselves so that they do not appear in the task list. To find them, the documented TOOLHELP32 family of functions is likewise required. Because process traversal on Windows NT is implemented differently, using the PSAPI functions, a complete working example for both platforms is given below.

Process.h
//----------------------------
# Ifndef Unit1H
# Define Unit1H
//----------------------------
# Include
# Include
# Include
# Include
# Define TH32CS_SNAPPROCESS 0x00000002 // snapshot Process
# Define PROCESS_HANDLE_NAME 255
//---------------------------------------------------------------------------
// Private copy of the TOOLHELP32 PROCESSENTRY32 record (the page defines it
// itself instead of pulling in the SDK header).  Field order and types must
// stay exactly as KERNEL32 expects, because Process32First/Process32Next fill
// this structure in place through the LPPROCESSENTRY32 pointer.
typedef struct tagPROCESSENTRY32
{
    DWORD dwSize;               // caller sets this to sizeof(PROCESSENTRY32) before the first call
    DWORD cntUsage;
    DWORD th32ProcessID;        // process ID
    DWORD th32DefaultHeapID;
    DWORD th32ModuleID;
    DWORD cntThreads;
    DWORD th32ParentProcessID;
    LONG  pcPriClassBase;
    DWORD dwFlags;
    TCHAR szExeFile[MAX_PATH];  // process file name
} PROCESSENTRY32, *LPPROCESSENTRY32;
// Function pointers for the TOOLHELP32 entry points, resolved from KERNEL32.DLL at
// run time by InitToolHelp32().  NOTE(review): these are definitions, not extern
// declarations, so a second translation unit including this header would produce
// duplicate symbols; the page only shows one .cpp, so this is left as-is.
// NOTE(review): the first identifier looks like a garbled "CreateToolhelp32Snapshot";
// the variable name is kept because the .cpp on this page refers to it by this spelling.
HANDLE (WINAPI * createconlhelp32snapshot) (DWORD dwFlags, DWORD th32PD );
BOOL (WINAPI * Process32First) (HANDLE hSnapshot, LPPROCESSENTRY32 pe );
BOOL (WINAPI * Process32Next) (HANDLE hSnapshot, LPPROCESSENTRY32 pe );
// Function pointers for the PSAPI entry points, resolved from PSAPI.DLL by InitPSAPI().
// Both stay NULL until that call succeeds and must not be invoked before then.
BOOL (WINAPI * EnumProcesses) (DWORD * lpidProcess, DWORD cb, DWORD * cbNeeded );
DWORD (WINAPI * GetModuleFileNameExA) (HANDLE hProcess, HMODULE hModule, LPTSTR lpstrFileName, DWORD nSize );
// Main form: one button starts the process enumeration, the list box shows the
// result and echoes the selected row as its hint.  The published section is
// maintained by the form designer, so the member names must not change.
// FormResize and Button1Click are declared here but their bodies are not on
// this page.
class TForm1 : public TForm
{
__published:   // IDE-managed Components
    TButton  *FindAllProcessFileName;
    TListBox *ListBox1;
    void __fastcall FindAllProcessFileNameClick(TObject *Sender);
    void __fastcall FormResize(TObject *Sender);
    void __fastcall Button1Click(TObject *Sender);
    void __fastcall ListBox1Click(TObject *Sender);
private:       // User declarations
public:        // User declarations
    __fastcall TForm1(TComponent *Owner);
};
//---------------------------------------------------------------------------
// The single form instance, defined in the .cpp; declared here for other units.
extern PACKAGE TForm1 *Form1;
//---------------------------------------------------------------------------
# Endif
Process.cpp
//---------------------------------------------------------------------------
# Include
# Pragma hdrstop
# Include "Unit1.h"
//---------------------------------------------------------------------------
# Pragma package (smart_init)
# Pragma resource "*. dfm"
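TForm1 *Form1;
// File-scope state shared by the enumeration handlers.  The page declared
// "process [2, 255]", a comma expression that silently sizes the array to 255;
// both tables now use the PROCESS_HANDLE_NAME constant from the header so the
// handle table and the PID table always agree in size.
HANDLE process[PROCESS_HANDLE_NAME];      // one OpenProcess handle per enumerated process (static storage, starts all-NULL)
PROCESSENTRY32 p32;                       // TOOLHELP32 cursor record (Windows 9x path)
DWORD process_ids[PROCESS_HANDLE_NAME];   // PIDs written by EnumProcesses (Windows NT path)
DWORD num_processes;                      // bytes stored into process_ids by EnumProcesses — not an entry count
TCHAR file_name[MAX_PATH];                // scratch buffer for GetModuleFileNameExA
TCHAR class_name[MAX_PATH];               // declared on the page but not used by any code shown here
unsigned I;                               // loop index shared by the handlers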
//---------------------------------------------------------------------------
// Initialize TOOLHELP32
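// Initialize TOOLHELP32: resolve the snapshot API from KERNEL32 at run time
// instead of linking it statically.
// Returns TRUE when all three function pointers were resolved; FALSE when the
// module could not be loaded or any export is missing (at least one pointer is
// then NULL and none of them may be called).
BOOL InitToolHelp32()
{
    HINSTANCE DLLinst = LoadLibrary("KERNEL32.DLL");
    if (DLLinst == NULL)
        return FALSE;
    // Export names must match exactly: the page text carried a garbled
    // "createconlhelp32snapshot" and a trailing space in every name, which
    // GetProcAddress never resolves, so the original always returned FALSE.
    // KERNEL32 stays mapped for the life of the process, so its module handle is
    // deliberately not released while the resolved pointers are in use.
    createconlhelp32snapshot = (HANDLE (WINAPI *)(DWORD, DWORD))
        GetProcAddress(DLLinst, "CreateToolhelp32Snapshot");
    Process32First = (BOOL (WINAPI *)(HANDLE, LPPROCESSENTRY32))
        GetProcAddress(DLLinst, "Process32First");
    Process32Next = (BOOL (WINAPI *)(HANDLE, LPPROCESSENTRY32))
        GetProcAddress(DLLinst, "Process32Next");
    // Compare against NULL directly; the original truncated each pointer to UINT
    // and combined the tests with bitwise '|'.
    if (createconlhelp32snapshot == NULL || Process32First == NULL || Process32Next == NULL)
        return FALSE;
    return TRUE;
}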
// Initialize PSAPI
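// Initialize PSAPI: load PSAPI.DLL and resolve EnumProcesses and
// GetModuleFileNameExA.
// Returns TRUE when both pointers were resolved.  On failure both pointers are
// reset to NULL and the library is released, so no dangling pointer survives.
// On success the module is intentionally kept loaded: the resolved pointers are
// only valid while PSAPI.DLL stays mapped.
BOOL InitPSAPI()
{
    HINSTANCE psapi = LoadLibrary("PSAPI.DLL");
    // The page had "NULL = PSAPI": an assignment (and a differently cased name)
    // where a comparison was intended.
    if (psapi == NULL)
        return FALSE;
    EnumProcesses = (BOOL (WINAPI *)(DWORD *, DWORD, DWORD *))
        GetProcAddress(psapi, "EnumProcesses");
    GetModuleFileNameExA = (DWORD (WINAPI *)(HANDLE, HMODULE, LPTSTR, DWORD))
        GetProcAddress(psapi, "GetModuleFileNameExA");
    // The original tested "GetModuleFileName" (the KERNEL32 routine) instead of
    // the pointer just resolved, so a missing PSAPI export went unnoticed.
    if (EnumProcesses == NULL || GetModuleFileNameExA == NULL)
    {
        EnumProcesses = NULL;
        GetModuleFileNameExA = NULL;
        FreeLibrary(psapi);
        return FALSE;
    }
    return TRUE;
}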
// Form constructor: nothing beyond the base-class construction; the controls
// are created from the form resource.
__fastcall TForm1::TForm1(TComponent *Owner)
    : TForm(Owner)
{
}
//---------------------------------------------------------------------------
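// Close every process handle kept from the previous enumeration so a repeated
// click does not leak one handle per process.  Slots are zeroed so they can be
// reused; the array has static storage and therefore starts out all-NULL.
static void ReleaseProcessHandles()
{
    const unsigned capacity = sizeof process / sizeof process[0];
    for (unsigned k = 0; k < capacity; k++)
    {
        if (process[k] != NULL)
        {
            CloseHandle(process[k]);
            process[k] = NULL;
        }
    }
}

// Windows 9x path: walk a TOOLHELP32 process snapshot and list szExeFile of
// every entry.  Requires InitToolHelp32() to have succeeded.
static void ListProcessesToolHelp32(TListBox *list)
{
    const unsigned capacity = sizeof process / sizeof process[0];
    p32.dwSize = sizeof(PROCESSENTRY32);
    HANDLE snapshot = createconlhelp32snapshot(TH32CS_SNAPPROCESS, 0);
    // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not NULL;
    // the original walked on regardless.
    if (snapshot == INVALID_HANDLE_VALUE)
        return;
    list->Clear();
    ReleaseProcessHandles();
    I = 0;
    for (BOOL next = Process32First(snapshot, &p32); next; next = Process32Next(snapshot, &p32))
    {
        list->Items->Add(p32.szExeFile);
        // Keep a handle only while a slot is free: the original wrote past the
        // array once more than PROCESS_HANDLE_NAME processes existed.
        // PROCESS_TERMINATE is the access the page requested; nothing shown on
        // this page terminates a process, so code reusing this should request
        // only the access it actually needs.
        if (I < capacity)
            process[I] = OpenProcess(PROCESS_TERMINATE, 0, p32.th32ProcessID);
        I++;
    }
    CloseHandle(snapshot);
}

// Windows NT path: enumerate PIDs with PSAPI and resolve each one's image path.
// Processes that cannot be opened (e.g. access denied) are skipped silently, as
// in the original.  Requires InitPSAPI() to have succeeded.
static void ListProcessesPSAPI(TListBox *list)
{
    const unsigned capacity = sizeof process / sizeof process[0];
    if (!EnumProcesses(process_ids, sizeof(process_ids), &num_processes))
        return;
    list->Clear();
    ReleaseProcessHandles();
    // EnumProcesses reports bytes, not entries; the loop bound was lost in the
    // page text and is reconstructed here.  If every slot was filled the table
    // may be truncated and a larger process_ids buffer would be needed.
    DWORD count = num_processes / sizeof(DWORD);
    if (count > capacity)
        count = capacity;
    for (I = 0; I < count; I++)
    {
        process[I] = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, process_ids[I]);
        if (process[I] == NULL)
            continue;
        // hModule == NULL selects the main executable of the target process;
        // nSize is a character count, hence the element-count expression.
        if (GetModuleFileNameExA(process[I], NULL, file_name, sizeof file_name / sizeof file_name[0]))
            list->Items->Add(file_name);
    }
}

// Button handler: choose the enumeration API by platform and fill ListBox1.
// Windows 9x uses the TOOLHELP32 snapshot (the page's premise is that processes
// hidden from the task list still show up there); Windows NT uses PSAPI.  A
// failed API initialization is reported to the user instead of leaving the list
// silently unchanged, which restores the stray "failed to initialize" branch
// found at the end of the page.
void __fastcall TForm1::FindAllProcessFileNameClick(TObject *Sender)
{
    OSVERSIONINFO osinfo;
    osinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    if (!GetVersionEx(&osinfo))
        return;
    switch (osinfo.dwPlatformId)
    {
    case VER_PLATFORM_WIN32_WINDOWS:
        if (InitToolHelp32())
            ListProcessesToolHelp32(ListBox1);
        else
            ShowMessage("failed to initialize TOOLHELP32");
        break;
    case VER_PLATFORM_WIN32_NT:
        if (InitPSAPI())
            ListProcessesPSAPI(ListBox1);
        else
            ShowMessage("failed to initialize PSAPI");
        break;
    default:
        break;
    }
}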
//---------------------------------------------------------------------------
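// Show the selected row as the list box hint.  ItemIndex is -1 when no row is
// selected (a click on the empty area below the last entry); the original then
// indexed Strings[-1], so the handler now returns early in that case.
void __fastcall TForm1::ListBox1Click(TObject *Sender)
{
    int iCount = ListBox1->ItemIndex;
    if (iCount < 0)
        return;
    ListBox1->Hint = ListBox1->Items->Strings[iCount];
}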
//---------------------------------------------------------------------------
Else ShowMessage ("failed to initialize TOOLHELP32 ");
}

