Windows process enumeration and process killing
There are several ways to enumerate processes on Windows:
Process snapshot: CreateToolhelp32Snapshot;
Process Status API: PSAPI;
The main PSAPI functions used are:
EnumProcesses -- enumerates processes;
EnumProcessModules -- enumerates the modules loaded in a process;
GetModuleFileNameEx -- obtains a module's file name (its full path);
With these three functions you can enumerate the processes and the modules loaded in each of them;
The basic data structures QString and QList come from Qt. If the Qt library is not used, replace them with the corresponding C++ standard library types (std::string and std::list/std::vector);
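// Win32Api:
// Enable SeDebugPrivilege on the current process token so that OpenProcess can
// reach processes owned by other users or the system.
// Failures are silent (best effort, as before): OpenProcessToken and
// LookupPrivilegeValue errors are ignored, and AdjustTokenPrivileges may return
// TRUE with GetLastError() == ERROR_NOT_ALL_ASSIGNED when the caller does not
// hold the privilege (i.e. is not elevated). Callers that must know whether the
// privilege is really enabled should check that error code themselves.
void AdjustPrivilege()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return;

    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
        // Return value deliberately not checked; ERROR_NOT_ALL_ASSIGNED means
        // the privilege is not held by this token.
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
    }
    CloseHandle(hToken);
}

// Normalize a caller-supplied path to the lower-case, backslash-separated form
// that GetModuleFileNameEx reports, so the two can be compared with ==.
// Both '/' and '\' are accepted as separators; empty components are dropped.
static QString ToWindowsPath(const QString& path)
{
    return path.toLower().split(QRegExp("[/\\\\]"), QString::SkipEmptyParts).join("\\");
}

// Return true if any module loaded in hProcess has exactly the normalized path
// processPathWinStd. hProcess needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.
// EnumProcessModules fails (and this returns false) for processes it cannot
// inspect, e.g. a 64-bit target from a 32-bit caller or a protected process.
// Paths longer than MAX_PATH are truncated by GetModuleFileNameEx and will not
// match.
static bool ProcessHasModule(HANDLE hProcess, const QString& processPathWinStd)
{
    HMODULE hModus[1024];
    DWORD bytesModuRet = 0;
    if (!EnumProcessModules(hProcess, hModus, sizeof(hModus), &bytesModuRet))
        return false;

    // bytesModuRet is the size *needed*, which may exceed the buffer, so clamp
    // it: a process with more than 1024 modules must not read past hModus.
    // Do not call CloseHandle on hModus entries: they come from a snapshot,
    // so there are no resources to be freed.
    const DWORD bytesUsable = bytesModuRet < sizeof(hModus) ? bytesModuRet : sizeof(hModus);
    const DWORD moduleNum = bytesUsable / sizeof(HMODULE);

    TCHAR szModuleName[MAX_PATH];
    for (DWORD j = 0; j < moduleNum; ++j) {
        // nSize is in characters, not bytes; sizeof() alone would overstate
        // the buffer on a wide-character build.
        const DWORD len = GetModuleFileNameEx(hProcess, hModus[j], szModuleName,
                                              sizeof(szModuleName) / sizeof(szModuleName[0]));
        if (len == 0)
            continue;
        if (QString::fromWCharArray(szModuleName, len).toLower() == processPathWinStd)
            return true;
    }
    return false;
}

// Look up processes by module path and return their process ids.
// processPath is compared, case- and separator-insensitively, against the full
// path of every module loaded in every process the caller can open; a process
// is listed once if any of its modules matches. Processes that cannot be
// opened with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ are skipped
// silently. The result may be incomplete when more than 1024 processes exist,
// because EnumProcesses fills a fixed-size buffer.
QList<DWORD> CheckProcess(const QString& processPath)
{
    AdjustPrivilege();
    QList<DWORD> pIDList;

    DWORD dwProcessId[1024];
    DWORD bytesRet = 0;
    if (!EnumProcesses(dwProcessId, sizeof(dwProcessId), &bytesRet))
        return pIDList;
    // NOTE(review): bytesRet == sizeof(dwProcessId) means the list was
    // probably truncated.

    const QString processPathWinStd = ToWindowsPath(processPath);
    const DWORD processNum = bytesRet / sizeof(DWORD);
    for (DWORD i = 0; i < processNum; ++i) {
        // Least privilege: these two rights are all that module enumeration
        // needs, and PROCESS_ALL_ACCESS is refused on processes these open.
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                      FALSE, dwProcessId[i]);
        if (!hProcess)
            continue;
        if (ProcessHasModule(hProcess, processPathWinStd))
            pIDList.push_back(dwProcessId[i]);
        CloseHandle(hProcess);
    }
    return pIDList;
}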
Note that CloseHandle must not be called on the hModus handles returned by EnumProcessModules (they come from a snapshot, not from an actual resource):
Do not call CloseHandle on any of the handles returned by this function.
The information comes from a snapshot, so there are no resources to be freed.
There are two ways to kill a process on Windows:
TerminateProcess -- the documented system API;
NtTerminateProcess -- an undocumented export of ntdll.dll;
TerminateProcess itself calls NtTerminateProcess to do the actual work;
Under normal circumstances either of the two can be called to end (kill) a process (to kill a process you must first elevate privileges; for details see "Windows Elevation of Privilege"). However, some applications hook the system's TerminateProcess to prevent themselves from being killed, which makes TerminateProcess fail; calling NtTerminateProcess directly therefore improves the success rate of killing such processes;
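// Terminate every process that has a module with path processPath loaded,
// via TerminateProcess (exit code 4, as before). processPath is compared
// case- and separator-insensitively against the full path of each module.
// The same handle is used for the match and for the kill, so a process id
// cannot be recycled by another process between the two steps. Processes
// that cannot be opened with query+read+terminate rights are skipped
// silently; the scan may be incomplete past 1024 processes or 1024 modules
// per process (fixed-size buffers).
void Terminate(const QString& processPath)
{
    AdjustPrivilege();
    // ===================== TerminateProcess =====================
    // Traverse the process list and the modules of each process.
    DWORD dwProcessId[1024];
    DWORD bytesRet = 0;
    if (!EnumProcesses(dwProcessId, sizeof(dwProcessId), &bytesRet))
        return;

    // Normalize to the lower-case, backslash-separated form that
    // GetModuleFileNameEx reports.
    const QString processPathWinStd =
        processPath.toLower().split(QRegExp("[/\\\\]"), QString::SkipEmptyParts).join("\\");

    HMODULE hModus[1024];
    TCHAR szModuleName[MAX_PATH];
    const DWORD processNum = bytesRet / sizeof(DWORD);
    for (DWORD i = 0; i < processNum; ++i) {
        // Least privilege: only the rights needed for module enumeration and
        // termination; PROCESS_ALL_ACCESS is refused on processes these open.
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_TERMINATE,
                                      FALSE, dwProcessId[i]);
        if (!hProcess)
            continue;

        DWORD bytesModuRet = 0;
        if (EnumProcessModules(hProcess, hModus, sizeof(hModus), &bytesModuRet)) {
            // bytesModuRet is the size *needed* and may exceed the buffer:
            // clamp so we never read past hModus. Do not CloseHandle the
            // hModus entries; they come from a snapshot.
            const DWORD bytesUsable = bytesModuRet < sizeof(hModus) ? bytesModuRet : sizeof(hModus);
            const DWORD moduleNum = bytesUsable / sizeof(HMODULE);
            for (DWORD j = 0; j < moduleNum; ++j) {
                // nSize is in characters, not bytes.
                const DWORD len = GetModuleFileNameEx(hProcess, hModus[j], szModuleName,
                                                      sizeof(szModuleName) / sizeof(szModuleName[0]));
                if (len != 0
                    && QString::fromWCharArray(szModuleName, len).toLower() == processPathWinStd) {
                    TerminateProcess(hProcess, 4);
                    break;  // one kill per process is enough
                }
            }
        }
        CloseHandle(hProcess);
    }
}

// Terminate the process with id pID via TerminateProcess (exit code 4).
// Silently does nothing if the process cannot be opened with
// PROCESS_TERMINATE; the TerminateProcess result is not checked (best effort).
void Terminate(const DWORD& pID)
{
    AdjustPrivilege();
    // ===================== TerminateProcess =====================
    HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, pID);
    if (hProcess) {
        TerminateProcess(hProcess, 4);
        CloseHandle(hProcess);
    }
}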
Using the ntdll.dll exports:
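// LUID value of SeDebugPrivilege (SE_DEBUG_PRIVILEGE = 20 in the kernel
// headers, which the user-mode SDK does not expose). RtlAdjustPrivilege takes
// this number instead of a privilege name.
const unsigned long kSeDebugPrivilege = 0x14;

// Both ntdll exports return NTSTATUS (a LONG). Prototypes:
//   NTSTATUS RtlAdjustPrivilege(ULONG Privilege, BOOLEAN Enable,
//                               BOOLEAN CurrentThread, PBOOLEAN Enabled);
//   NTSTATUS NtTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus);
typedef LONG(__stdcall* fRtlAdjustPrivilege)(ULONG, BOOLEAN, BOOLEAN, PBOOLEAN);
typedef LONG(__stdcall* fNtTerminateProcess)(HANDLE, UINT);

HMODULE hNtDll = NULL;
fRtlAdjustPrivilege funcAdjustPrivilege = NULL;
fNtTerminateProcess funcTerminateProcess = NULL;

// ====================== NtDll methods ======================

// Resolve RtlAdjustPrivilege and NtTerminateProcess from ntdll.dll.
// Returns true only when both exports were found; on false the pointers that
// could not be resolved stay NULL, which makes NtAdjustPrivilege / NtTerminate
// no-ops. ntdll.dll is mapped into every process, so GetModuleHandle is used
// instead of LoadLibrary: nothing is loaded from the search path and no
// library reference has to be released later. Safe to call more than once.
bool NtInit()
{
    if (!hNtDll)
        hNtDll = GetModuleHandle(_T("ntdll.dll"));
    if (!hNtDll)
        return false;
    funcAdjustPrivilege = (fRtlAdjustPrivilege)GetProcAddress(hNtDll, "RtlAdjustPrivilege");
    funcTerminateProcess = (fNtTerminateProcess)GetProcAddress(hNtDll, "NtTerminateProcess");
    return funcAdjustPrivilege != NULL && funcTerminateProcess != NULL;
}

// Drop the resolved entry points. Since NtInit does not take a LoadLibrary
// reference there is nothing to FreeLibrary; clearing the pointers keeps a
// later NtTerminate from running without a fresh NtInit.
void NtFree()
{
    funcTerminateProcess = NULL;
    funcAdjustPrivilege = NULL;
    hNtDll = NULL;
}

// Enable SeDebugPrivilege on the process token through RtlAdjustPrivilege
// (CurrentThread = FALSE). No-op until NtInit succeeded. The NTSTATUS is
// ignored (best effort), so an unelevated caller silently stays without the
// privilege.
void NtAdjustPrivilege()
{
    if (funcAdjustPrivilege) {
        BOOLEAN oldStatus = FALSE;
        funcAdjustPrivilege(kSeDebugPrivilege, TRUE, FALSE, &oldStatus);
    }
}

// Terminate every process that has a module with path processPath loaded,
// matched like Terminate(const QString&) (case- and separator-insensitive
// comparison against each module's full path), but through the ntdll export
// NtTerminateProcess instead of the kernel32 wrapper. Exit status 4, as
// before. No-op until NtInit succeeded. The same handle is used for the match
// and for the kill, so a process id cannot be recycled in between. Processes
// that cannot be opened with query+read+terminate rights are skipped
// silently; the scan may be incomplete past 1024 processes or 1024 modules
// per process (fixed-size buffers).
void NtTerminate(const QString& processPath)
{
    NtAdjustPrivilege();
    if (!funcTerminateProcess)
        return;

    // ===================== NtTerminateProcess =====================
    // Traverse the process list and the modules of each process.
    DWORD dwProcessId[1024];
    DWORD bytesRet = 0;
    if (!EnumProcesses(dwProcessId, sizeof(dwProcessId), &bytesRet))
        return;

    // Normalize to the lower-case, backslash-separated form that
    // GetModuleFileNameEx reports.
    const QString processPathWinStd =
        processPath.toLower().split(QRegExp("[/\\\\]"), QString::SkipEmptyParts).join("\\");

    HMODULE hModus[1024];
    TCHAR szModuleName[MAX_PATH];
    const DWORD processNum = bytesRet / sizeof(DWORD);
    for (DWORD i = 0; i < processNum; ++i) {
        // Least privilege: only the rights needed for module enumeration and
        // termination; PROCESS_ALL_ACCESS is refused on processes these open.
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_TERMINATE,
                                      FALSE, dwProcessId[i]);
        if (!hProcess)
            continue;

        DWORD bytesModuRet = 0;
        if (EnumProcessModules(hProcess, hModus, sizeof(hModus), &bytesModuRet)) {
            // bytesModuRet is the size *needed* and may exceed the buffer:
            // clamp so we never read past hModus. Do not CloseHandle the
            // hModus entries; they come from a snapshot.
            const DWORD bytesUsable = bytesModuRet < sizeof(hModus) ? bytesModuRet : sizeof(hModus);
            const DWORD moduleNum = bytesUsable / sizeof(HMODULE);
            for (DWORD j = 0; j < moduleNum; ++j) {
                // nSize is in characters, not bytes.
                const DWORD len = GetModuleFileNameEx(hProcess, hModus[j], szModuleName,
                                                      sizeof(szModuleName) / sizeof(szModuleName[0]));
                if (len != 0
                    && QString::fromWCharArray(szModuleName, len).toLower() == processPathWinStd) {
                    funcTerminateProcess(hProcess, 4);
                    break;  // one kill per process is enough
                }
            }
        }
        CloseHandle(hProcess);
    }
}

// Terminate the process with id pID through NtTerminateProcess (exit status
// 4, as with Terminate). No-op until NtInit succeeded, and silently does
// nothing if the process cannot be opened with PROCESS_TERMINATE; the
// NTSTATUS result is not checked (best effort).
void NtTerminate(const DWORD& pID)
{
    NtAdjustPrivilege();
    if (!funcTerminateProcess)
        return;

    // ===================== NtTerminateProcess =====================
    HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, pID);
    if (hProcess) {
        funcTerminateProcess(hProcess, 4);
        CloseHandle(hProcess);
    }
}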