Obtaining the correspondence between process name and process ID

Source: Internet
Author: User

Recently I ran into some process-related work, which led me to look up the relevant material and to study the Tool Help Functions API series.

Complete reference: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686832(v=vs.85).aspx

This article has three parts: 1. Problem description; 2. Analysis of the key API used; 3. Extension to the rest of the Tool Help Functions API.

 

1. Problem description: two functions are required.

1. DWORD GetProcessIdByName(LPCTSTR pName);

2. LPTSTR GetProcessNameByID(DWORD dwProcID, LPTSTR lpStr);

 

2. Obtaining the process ID from the name. The PROCESSENTRY32 structure holds the information block of one process.

typedef struct tagPROCESSENTRY32 {
    DWORD     dwSize;
    DWORD     cntUsage;
    DWORD     th32ProcessID;
    ULONG_PTR th32DefaultHeapID;
    DWORD     th32ModuleID;
    DWORD     cntThreads;
    DWORD     th32ParentProcessID;
    LONG      pcPriClassBase;
    DWORD     dwFlags;
    TCHAR     szExeFile[MAX_PATH];
} PROCESSENTRY32, *PPROCESSENTRY32;

Here th32ProcessID and szExeFile are the process ID and the process (executable image) name respectively, so once the enumerated information blocks are in hand, the one-to-one correspondence is determined.

Process32First and Process32Next enumerate all processes, but they need a snapshot of all processes first. That snapshot is obtained by calling CreateToolhelp32Snapshot with the appropriate parameters.

#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>

DWORD GetProcessIdByName(LPCTSTR pName)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (INVALID_HANDLE_VALUE == hSnapshot)
    {
        return 0;
    }
    PROCESSENTRY32 pe = { sizeof(pe) };   /* dwSize must be set before Process32First */
    BOOL fOk;
    for (fOk = Process32First(hSnapshot, &pe); fOk; fOk = Process32Next(hSnapshot, &pe))
    {
        if (!_tcscmp(pe.szExeFile, pName))   /* exact, case-sensitive match on the image name */
        {
            CloseHandle(hSnapshot);
            return pe.th32ProcessID;
        }
    }
    CloseHandle(hSnapshot);   /* release the snapshot when no process matched, too */
    return 0;
}

The reverse direction, from process ID to name, works the same way (the caller supplies a writable buffer of at least MAX_PATH TCHARs for the name):

LPTSTR GetProcessNameByID(DWORD dwProcID, LPTSTR lpStr)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (INVALID_HANDLE_VALUE == hSnapshot)
    {
        return NULL;
    }
    PROCESSENTRY32 pe = { sizeof(pe) };
    BOOL fOk;
    for (fOk = Process32First(hSnapshot, &pe); fOk; fOk = Process32Next(hSnapshot, &pe))
    {
        if (pe.th32ProcessID == dwProcID)
        {
            CloseHandle(hSnapshot);
            _tcscpy_s(lpStr, MAX_PATH, pe.szExeFile);   /* bounded copy; szExeFile is TCHAR[MAX_PATH] */
            return lpStr;
        }
    }
    CloseHandle(hSnapshot);
    return NULL;
}

 

Next, we analyze the usage of the key function, CreateToolhelp32Snapshot.

Depending on the flags passed to it, CreateToolhelp32Snapshot returns a snapshot of the processes, or of the heaps, modules and threads used by a given process. Function prototype:

HANDLE WINAPI CreateToolhelp32Snapshot(
    __in  DWORD dwFlags,
    __in  DWORD th32ProcessID
);

dwFlags [in] specifies what the snapshot referenced by the returned handle contains: processes, heaps, modules, threads, and so on. Here we use TH32CS_SNAPPROCESS, so the returned handle refers to the process information blocks, and a PROCESSENTRY32 is used to store each one.

th32ProcessID [in] is interpreted together with dwFlags. The process ID only has meaning when the snapshot covers sub-information belonging to a specific process, that is, when TH32CS_SNAPHEAPLIST, TH32CS_SNAPMODULE, TH32CS_SNAPMODULE32 or TH32CS_SNAPALL is specified; the snapshot then contains the heaps or modules of that process.

For the other flag values this parameter is ignored, which is why the examples above simply pass 0: the function does not use the value, so any DWORD that compiles would do.

3. Extension

http://msdn.microsoft.com/en-us/library/windows/desktop/ms686832(v=vs.85).aspx

The Tool Help reference lists twelve APIs; three of them are used above.

CreateToolhelp32Snapshot is the global entry point. The others walk the snapshot data: process enumeration (Process32First, Process32Next), heap enumeration (Heap32First, Heap32Next, Heap32ListFirst, Heap32ListNext), module enumeration (Module32First, Module32Next) and thread enumeration (Thread32First, Thread32Next). The last one, Toolhelp32ReadProcessMemory, is officially described as copying another process's memory into a caller-supplied buffer; since it did not fit the scenario here and I have not seen usage examples, its practical use is not yet clear to me.

The examples above are useful when analyzing the structure of closed-source software, and they also deepen one's understanding of the PE file format. Combined with the hooking principle covered in the previous article, a lot becomes possible. For instance, when some software hides its own processes and threads, does it rely on this same principle, hooking the functions above and filtering its own processes out of the results, the way viruses and Trojans hide themselves?
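As an added, defender-side example (not code from the original article), the cross-view check that the hooking question above suggests: collect PIDs through the Toolhelp32 snapshot, collect them again through EnumProcesses from psapi, and report any PID the second view has that the first lacks. The compare step is plain C and builds anywhere; the Win32 enumeration is guarded by _WIN32 and assumes linking against psapi.lib.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#include <psapi.h>                 /* EnumProcesses; link with psapi.lib */
#else
typedef unsigned long DWORD;       /* lets the portable compare build off Windows */
#endif

/* Portable core: PIDs present in 'other' but absent from 'toolhelp'.
 * Writes up to 'cap' of them to 'missing' and returns how many were found. */
size_t find_missing_pids(const DWORD *toolhelp, size_t nt,
                         const DWORD *other, size_t no,
                         DWORD *missing, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < no; i++) {
        int seen = 0;
        for (size_t j = 0; j < nt && !seen; j++)
            seen = (toolhelp[j] == other[i]);
        if (!seen && found < cap)
            missing[found++] = other[i];
    }
    return found;
}

#ifdef _WIN32
/* View 1: PIDs from a TH32CS_SNAPPROCESS snapshot, the same loop as the article. */
static size_t snapshot_pids(DWORD *out, size_t cap)
{
    HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (h == INVALID_HANDLE_VALUE) return 0;
    PROCESSENTRY32 pe = { sizeof(pe) };
    size_t n = 0;
    for (BOOL ok = Process32First(h, &pe); ok && n < cap; ok = Process32Next(h, &pe))
        out[n++] = pe.th32ProcessID;
    CloseHandle(h);
    return n;
}

int main(void)
{
    static DWORD th[4096], ps[4096], hidden[4096];
    DWORD bytes = 0;
    size_t nt = snapshot_pids(th, 4096);          /* View 2 is taken right after View 1 */
    if (!EnumProcesses(ps, sizeof ps, &bytes)) return 1;
    size_t nh = find_missing_pids(th, nt, ps, bytes / sizeof(DWORD), hidden, 4096);
    for (size_t i = 0; i < nh; i++)
        printf("PID %lu seen by EnumProcesses but not by Toolhelp32\n", (unsigned long)hidden[i]);
    return 0;
}
#endif
```

Processes that start or exit between the two enumerations also appear as differences, so treat a hit as a prompt to re-run the comparison rather than as proof that the Toolhelp path is hooked.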

In this example PROCESSENTRY32 is the information block for processes. If the first parameter of CreateToolhelp32Snapshot specifies another type, is a matching information-block structure needed as well? Of course: HEAPENTRY32, HEAPLIST32, MODULEENTRY32 and THREADENTRY32 are the structures defined for those cases. http://msdn.microsoft.com/en-us/library/windows/desktop/ms686844(v=vs.85).aspx

 

Summary: although I only looked at the two examples above, extending them reveals many practical uses. For example, to get information about the loaded DLLs, call CreateToolhelp32Snapshot with the TH32CS_SNAPMODULE parameter; this is how I found a DLL's address in a closed-source program, and there is more I can do from there. You can also extend this to many other process-related items, such as the GetProcessId family of APIs; check this list to see them: http://msdn.microsoft.com/en-us/library/windows/desktop/ms683215(v=vs.85).aspx
