Delphi obtains the process running information of windows.

Delphi obtains the process running information of windows.

 

Since the emergence of the Windows system, a variety of software has emerged. After purchasing or downloading it for free, click Install or setup to complete the installation process with some simple configuration. Obviously, this brings a lot of convenience to users, but for users, these software seems to be a "black box". What is displayed in front of users is only a gorgeous appearance and simple operations, you cannot know which files and module files are called during software running. There may not be many users who really want to know about these, or even some users are unnecessary, but it is very important for a system security administrator. This article focuses on how to obtain all the processes of the system and the module files (such as EXE and DLL files) called during the process running. It is actually further improved by the task manager provided by the Windows system, the development tool adopts the Delphi language.

I. Introduction to Functions

In Windows, the dynamic link library kernel32.dll provides many interface functions for obtaining and processing system processes. The Delphi language encapsulates these function interfaces into tlhelp32.pas for Delphi users to call the development process. For more information, see the original tlhelp32.pas file and the help file provided by the Windows SDK. Among them, the interface functions involved in this article mainly include createtoolhelp32snapshot, process32first, process32next, module32first, module32next, and tmoduleentry32 and tprocessentry32 data structures.

1. createconlhelp32snapshot

This function is the core function to achieve the above purpose. It can obtain the list of processes, threads, and heap of the specified processes) list and call module list. If the function runs successfully, a non-zero "snapshot" handle is returned. You can use this handle to call the relevant winapi function. The function format is as follows:

Handle winapi createconlhelp32snapshot (DWORD dwflags,
DWORD th32processid );

Parameter description:

Dwflags parameter: List type included in the "snapshot" created for the function. Optional options include:

Th32cs_snapheaplist: The created snapshot contains the heap list.

Th32cs_snapmodule: The created snapshot contains the list of call modules.

Th32cs_snapthread: The created snapshot contains a list of threads;

Th32cs_snapprocess: The created snapshot contains a list of processes;

Th32cs_snapall: The created snapshot contains all the above lists;

Th32processid parameter: Process Handle parameter, which can be zero to indicate the current process. This parameter takes effect only when dwflags contains th32cs_snapmodule and th32cs_snapheaplist options. When dwflags is th32cs_snapprocess and th32processid is set to zero, the system lists all processes.

2. process32first, process32next, module32first, and module32next

All the four functions are Information Retrieval for the list contained in "snapshot". According to the literal meaning of the function, it is difficult to understand the meaning and difference of each function. The formats of the four functions are as follows:

Bool winapi process32first (handle hsnapshot,
Lpprocessentry32 lppe );

Bool winapi process32next (handle hsnapshot,
Lpprocessentry32 lppe );

Bool winapi module32first (handle hsnapshot,
Lpmoduleentry32 lpme );

Bool winapi module32next (handle hsnapshot,
Lpmoduleentry32 lpme );

3. tmoduleentry32 and tprocessentry32

In the two data structures, tprocessentry32 is the data structure used in process32first and process32next functions, and tmoduleentry32 is the data structure used in module32first and module32next. The two data structures are as follows:

Typedef struct tagprocessentry32 {

DWORD dwsize;

DWORD cntusage;

DWORD th32processid; // Process Handle

DWORD th32defaultheapid;

DWORD th32moduleid;

DWORD cntthreads;

DWORD th32parentprocessid;

Long pcpriclassbase;

DWORD dwflags;

Char szexefile [max_path];

} Processentry32;

Typedef struct tagmoduleentry32 {

DWORD dwsize;

DWORD th32moduleid;

DWORD th32processid;

DWORD glblcntusage;

DWORD proccntusage;

Byte * modbaseaddr;

DWORD modbasesize;

Hmodule;

Char szmodule [max_module_name32 + 1];

Char szexepath [max_path]; // The path File Name of the call module

} Moduleentry32;

When using the above two data structures, we must emphasize that when using the variables of these two data structures, the function must first set the dwsize value, respectively using sizeof (tprocessentry32) and sizeof (tmoduleentry32 ).

Due to limited space, you can view the Windows SDK help file for more detailed information about the functions and data structures mentioned above.

 

4. Extract the call module list item information and store it in tmoduleentry32 PM.

Module32first (modulelist, PM );

Module32next (modulelist, PM );
Iii. Core source code

With the above knowledge, we can easily obtain all the processes of the system and the module files called by the processes. The procedure is as follows:

1. run Delphi to enter the IDE development environment of Delphi;

2. Create an application;

3. Add the Treeview and button controls to the default form1;

4. Set the onclick attribute of the button to processenum;

5. input the following code into processenum;

6. Compile and run the program;

The core code is as follows:

Uses tlhelp32;

Procedure tform1.processenum (Sender: tobject );

VaR

Processlist: thandle;

PE: tprocessentry32;

Node: ttreenode;

Processnumber: integer;

Procedure moduleenum (processid: DWORD );

VaR

Modulelist: thandle;

PM: tmoduleentry32;

Begin

Modulelist: = createconlhelp32snapshot
(Th32cs_snapmodule, processid );

PM. dwsize: = sizeof (tmoduleentry32 );

If module32first (modulelist, PM)

Then begin

Treeview1.items. addchild (node, PM. szexepath );

While module32next (modulelist, PM) Do

Treeview1.items. addchild (node, PM. szexepath );

End;

Closehandle (modulelist );

End; // moduleenum

Begin // processenum

Processnumber: = 0;

Treeview1.items. Clear;

Processlist: = createconlhelp32snapshot
(Th32cs_snapprocess, 0 );

PE. dwsize: = sizeof (tprocessentry32 );

If process32first (processlist, PE) then

Begin

Node: = treeview1.items. Add (nil, PE. szexefile );

Moduleenum (PE. th32processid );

INC (processnumber );

While process32next (processlist, PE) Do

Begin

Node: = treeview1.items. Add (nil, PE. szexefile );

Moduleenum (PE. th32processid );

INC (processnumber );

End;

End;

Edit1.text: = 'System process: '+ inttostr (processnumber );

Closehandle (processlist );

End;