Security Tools 004: Process Manager (I)

Source: Internet
Author: User
I. Preface

A process is a running instance of a program and the basic unit through which resources are requested from the operating system. Running a program creates one or more processes; closing the program ends them. The most common way to view processes is to press Ctrl + Shift + Esc (or Ctrl + Alt + Delete and then choose Task Manager) to open the Windows built-in Task Manager; the old but powerful IceSword, or the still more capable Process Explorer from Microsoft's Sysinternals suite, do the same job. The difference is that the stronger tools can also reveal processes that are hidden from the system, whereas ordinary enumeration only sees what the application layer exposes. These two articles discuss how to implement a simple process manager that can manage the current processes and the DLLs they have loaded. This article covers the programming of process management; the next one covers DLL management.

 

II. Interface Design

This program needs two interfaces; this article discusses only the first. It needs one "List Control" and three "Button" controls:


Figure 1 design of the main interface

Set the properties of the List Control: under "Styles", set "View" to "Report" and check "Single selection". Then add a control variable named m_ProcessList for it and initialize it in code:

void CProcessManageDlg::InitProcessList()
{
    // Set the extended style of the list control
    m_ProcessList.SetExtendedStyle(m_ProcessList.GetExtendedStyle()
        | LVS_EX_GRIDLINES          // draw grid lines
        | LVS_EX_FULLROWSELECT);    // selecting an item highlights the whole row (report view only)

    // Add the columns
    m_ProcessList.InsertColumn(0, _T("Serial Number"));
    m_ProcessList.InsertColumn(1, _T("Process Name"));
    m_ProcessList.InsertColumn(2, _T("PID"));
    m_ProcessList.InsertColumn(3, _T("Thread Count"));
    m_ProcessList.InsertColumn(4, _T("Parent PID"));
    m_ProcessList.InsertColumn(5, _T("Base Priority"));

    // Set the column widths (the original values were lost in extraction; these are assumed)
    m_ProcessList.SetColumnWidth(0, 80);
    m_ProcessList.SetColumnWidth(1, 160);
    m_ProcessList.SetColumnWidth(2, 70);
    m_ProcessList.SetColumnWidth(3, 90);
    m_ProcessList.SetColumnWidth(4, 90);
    m_ProcessList.SetColumnWidth(5, 90);
}
Then call it from CProcessManageDlg::OnInitDialog:
InitProcessList();
so that the list is initialized, and declare it in the header file:

void InitProcessList();

III. Process Enumeration

Process enumeration means listing all processes; some deliberately hidden processes cannot be found by the general method. What is described here is enumeration at the application layer. It uses CreateToolhelp32Snapshot(), which takes a snapshot of the processes in the system; once the snapshot has been created, the processes are walked one by one with Process32First() and Process32Next(). To use these functions you must include the tlhelp32.h header. The code is as follows:

void CProcessManageDlg::ShowProcess()
{
    // Clear the list
    m_ProcessList.DeleteAllItems();

    // Take a snapshot of all processes in the system
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
    {
        AfxMessageBox(_T("Failed to create the process snapshot!"));
        return;
    }

    PROCESSENTRY32 pe32 = { 0 };
    // dwSize must be set before the structure is used
    pe32.dwSize = sizeof(PROCESSENTRY32);

    // Walk the process snapshot and show each process in turn
    BOOL bRet = Process32First(hSnap, &pe32);
    int i = 0;
    CString str;
    while (bRet)
    {
        str.Format(_T("%d"), i);
        m_ProcessList.InsertItem(i, str);
        // Process name
        m_ProcessList.SetItemText(i, 1, pe32.szExeFile);
        // Process ID
        str.Format(_T("%d"), pe32.th32ProcessID);
        m_ProcessList.SetItemText(i, 2, str);
        // Number of threads started by this process
        str.Format(_T("%d"), pe32.cntThreads);
        m_ProcessList.SetItemText(i, 3, str);
        // Parent process ID
        str.Format(_T("%d"), pe32.th32ParentProcessID);
        m_ProcessList.SetItemText(i, 4, str);
        // Base priority of the process's threads
        str.Format(_T("%d"), pe32.pcPriClassBase);
        m_ProcessList.SetItemText(i, 5, str);
        i++;
        bRet = Process32Next(hSnap, &pe32);
    }
    CloseHandle(hSnap);
}
Because the process list should be shown as soon as the program opens, also call the following in OnInitDialog:
ShowProcess();
and add the declaration to the header file:
void ShowProcess();

IV. Process Termination

Normally a process ends itself by calling ExitProcess(). To end a specified process from outside, use TerminateProcess(). Operations on a process usually need its PID, so for convenience write a helper that returns the PID of the process currently selected in the list box once the enumeration has filled it:

int CProcessManageDlg::GetSelectPid()
{
    int nPid = -1;
    // Find the selected item
    POSITION pos = m_ProcessList.GetFirstSelectedItemPosition();
    int nSelect = -1;
    while (pos)
    {
        nSelect = m_ProcessList.GetNextSelectedItem(pos);
    }
    // Nothing is selected in the list box
    if (-1 == nSelect)
    {
        AfxMessageBox(_T("Please select a process!"));
        return -1;
    }
    // Read the PID shown in the list box (CString version works in both ANSI and Unicode builds)
    CString strPid = m_ProcessList.GetItemText(nSelect, 2);
    nPid = _ttoi(strPid);
    return nPid;
}
Declare this function in the header file:
int GetSelectPid();
Then add the handler for the "End Process" button:
void CProcessManageDlg::OnButtonTerminate()
{
    // TODO: Add your control notification handler code here
    int nPid = GetSelectPid();
    if (-1 == nPid)
    {
        return;    // GetSelectPid() has already told the user that nothing is selected
    }
    // Open the process with only the right needed to terminate it
    HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, nPid);
    if (hProcess == NULL)
    {
        AfxMessageBox(_T("Failed to open the process (access denied, or it no longer exists)!"));
        return;
    }
    TerminateProcess(hProcess, 0);
    CloseHandle(hProcess);
    ShowProcess();
}

The handler first opens a handle to the process with PROCESS_TERMINATE access and then terminates it. OpenProcess() fails with access denied for processes the caller is not allowed to touch, for example other users' processes when the caller does not hold SeDebugPrivilege, or protected processes, so the returned handle must be checked before it is used.

 

V. Process Suspension and Resumption

Some malicious programs create two or more processes that protect each other, "sharing honour and disgrace": when one process notices that another has been ended, it restarts it. Because the processes cover for each other, it is difficult to end the malware completely, and so its files cannot be deleted either. In such cases the processes can be suspended first and then ended.

Windows has no documented function to suspend a whole process; what is normally used is SuspendThread(), which needs a thread handle. The thread handle is obtained with OpenThread(), and the threads themselves are enumerated with Thread32First() and Thread32Next(). Add the handler for the "Pause Process" button:
void CProcessManageDlg::OnBtnStop()
{
    // TODO: Add your control notification handler code here
    int nPid = GetSelectPid();
    if (-1 == nPid)
    {
        return;
    }
    // Take a thread snapshot (the PID argument is ignored for TH32CS_SNAPTHREAD: all threads are included)
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, nPid);
    if (hSnap == INVALID_HANDLE_VALUE)
    {
        AfxMessageBox(_T("Failed to suspend the process!"));
        return;
    }
    THREADENTRY32 te32 = { 0 };
    te32.dwSize = sizeof(THREADENTRY32);
    BOOL bRet = Thread32First(hSnap, &te32);
    while (bRet)
    {
        // Only touch threads that belong to the selected process
        if (te32.th32OwnerProcessID == (DWORD)nPid)
        {
            // SuspendThread() only needs THREAD_SUSPEND_RESUME (the original asked for THREAD_ALL_ACCESS)
            HANDLE hThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, te32.th32ThreadID);
            if (hThread != NULL)
            {
                SuspendThread(hThread);
                CloseHandle(hThread);
            }
        }
        bRet = Thread32Next(hSnap, &te32);
    }
    CloseHandle(hSnap);
}

Because CreateToolhelp32Snapshot() with TH32CS_SNAPTHREAD always snapshots every thread in the system (the process ID argument is ignored for this flag), it cannot snapshot the threads of one specified process. To pause one process, each enumerated thread must therefore be checked to see whether it belongs to that process. In the THREADENTRY32 structure, th32ThreadID is the ID of the enumerated thread and th32OwnerProcessID is the ID of the process that owns it, hence the comparison in the code above.

Next, add the handler for the "Resume Process" button:
void CProcessManageDlg::OnButtonResume()
{
    // TODO: Add your control notification handler code here
    int nPid = GetSelectPid();
    if (-1 == nPid)
    {
        return;
    }
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, nPid);
    if (hSnap == INVALID_HANDLE_VALUE)
    {
        AfxMessageBox(_T("Failed to resume the process!"));
        return;
    }
    THREADENTRY32 te32 = { 0 };
    te32.dwSize = sizeof(THREADENTRY32);
    BOOL bRet = Thread32First(hSnap, &te32);
    while (bRet)
    {
        if (te32.th32OwnerProcessID == (DWORD)nPid)
        {
            HANDLE hThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, te32.th32ThreadID);
            if (hThread != NULL)
            {
                ResumeThread(hThread);
                CloseHandle(hThread);
            }
        }
        bRet = Thread32Next(hSnap, &te32);
    }
    CloseHandle(hSnap);
}

It works the same way as pausing a process, so it is not explained again here.
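Sections III to V describe three separate handlers: enumerate the processes, terminate the selected one, and suspend its threads. The following C++ example, added here and not part of the original program, combines them into the procedure that Section V motivates: collect a process together with all of its descendants from one process snapshot, suspend every thread of the whole family so that no member can restart another, and only then terminate the members. The tree logic (ProcessFamily, ThreadsOf) is portable standard C++ and is exercised on constructed sample data; the Win32 parts (ToolHelp32 snapshots, SuspendThread, TerminateProcess) are compiled only on Windows. The names ProcessInfo, ThreadInfo, ProcessFamily, ThreadsOf, SnapshotProcesses, SnapshotThreads and FreezeAndTerminate are this example's own, not the article's.

```cpp
// Added example: freeze a process and all of its descendants, then terminate them.
#include <cstdint>
#include <set>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif

// Portable view of one PROCESSENTRY32 / THREADENTRY32 record
struct ProcessInfo { uint32_t pid; uint32_t ppid; std::wstring name; };
struct ThreadInfo  { uint32_t tid; uint32_t ownerPid; };

// The root PID plus every descendant (children, grandchildren, ...).
// The visited set guards against cycles: a snapshot is a point-in-time copy, and
// PID reuse can leave a parent PID pointing at an unrelated, newer process.
std::set<uint32_t> ProcessFamily(const std::vector<ProcessInfo>& procs, uint32_t root)
{
    std::set<uint32_t> family;
    std::vector<uint32_t> pending{root};
    while (!pending.empty()) {
        uint32_t cur = pending.back();
        pending.pop_back();
        if (!family.insert(cur).second) continue;   // already visited
        for (const auto& p : procs)
            if (p.ppid == cur) pending.push_back(p.pid);
    }
    return family;
}

// The th32OwnerProcessID filter from the article, applied to a whole family at once.
// Preserves snapshot order.
std::vector<uint32_t> ThreadsOf(const std::vector<ThreadInfo>& threads, const std::set<uint32_t>& pids)
{
    std::vector<uint32_t> out;
    for (const auto& t : threads)
        if (pids.count(t.ownerPid)) out.push_back(t.tid);
    return out;
}

#ifdef _WIN32
std::vector<ProcessInfo> SnapshotProcesses()
{
    std::vector<ProcessInfo> out;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) return out;
    PROCESSENTRY32W pe = { 0 };
    pe.dwSize = sizeof(pe);
    for (BOOL ok = Process32FirstW(hSnap, &pe); ok; ok = Process32NextW(hSnap, &pe))
        out.push_back(ProcessInfo{ static_cast<uint32_t>(pe.th32ProcessID),
                                   static_cast<uint32_t>(pe.th32ParentProcessID), pe.szExeFile });
    CloseHandle(hSnap);
    return out;
}

std::vector<ThreadInfo> SnapshotThreads()
{
    std::vector<ThreadInfo> out;
    // The PID argument is ignored for TH32CS_SNAPTHREAD; every thread in the system is returned
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (hSnap == INVALID_HANDLE_VALUE) return out;
    THREADENTRY32 te = { 0 };
    te.dwSize = sizeof(te);
    for (BOOL ok = Thread32First(hSnap, &te); ok; ok = Thread32Next(hSnap, &te))
        out.push_back(ThreadInfo{ static_cast<uint32_t>(te.th32ThreadID),
                                  static_cast<uint32_t>(te.th32OwnerProcessID) });
    CloseHandle(hSnap);
    return out;
}

// Suspend every thread of the whole family first, so no member can notice and restart
// another, then terminate the members. Returns how many processes were actually terminated.
int FreezeAndTerminate(uint32_t rootPid)
{
    std::set<uint32_t> family = ProcessFamily(SnapshotProcesses(), rootPid);
    for (uint32_t tid : ThreadsOf(SnapshotThreads(), family)) {
        HANDLE hThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, tid);   // least access needed
        if (hThread) { SuspendThread(hThread); CloseHandle(hThread); }
    }
    int killed = 0;
    for (uint32_t pid : family) {
        HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, pid);
        if (hProcess && TerminateProcess(hProcess, 1)) ++killed;
        if (hProcess) CloseHandle(hProcess);
    }
    return killed;
}
#endif
```

On Windows, FreezeAndTerminate(pid) returns the number of family members it managed to terminate; OpenThread() and OpenProcess() fail with access denied for processes the caller may not touch (other users' processes without SeDebugPrivilege, protected processes), so compare the count with the family size instead of assuming success. Suspending before terminating matters because TerminateProcess() is asynchronous from the watcher's point of view: a still-running partner can observe the exit and relaunch the victim before the loop reaches it.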

 

VI. Program Effect

After the program above compiles successfully, processes can be ended, paused and resumed.

Figure 2 view the notepad Process

As an example, experiment with Notepad. Open Notepad, run our program, find notepad.exe in the list and click "Pause Process". Although the Notepad window is still visible, it no longer responds to input. Click "Resume Process" and Notepad returns to normal. Click "End Process" and Notepad closes and disappears from the list box. This shows that the program works.

 

VII. Summary

This article implemented a simple process manager. Programs of this kind are very useful in manual virus detection and removal, and readers are encouraged to build more complete tools on this basis.

