Security-class tool making No. 004: Process Manager (Part 1)

Source: Internet
Author: User

I. Preface

A process is a program in execution on a computer and is the basic unit that requests resources from the operating system. When we run a program, one or more processes are created accordingly, and when the program is closed the process ends. The most common way to view processes is to press Ctrl+Shift+Delete to open the Task Manager that ships with Windows, or to use the old but powerful tool IceSword, or the more powerful Process Monitor released by Microsoft; the effect is basically the same. The difference is that the powerful process-viewing tools can show processes hidden by the system, whereas ordinary ones can only show processes at the application layer. What these two articles discuss is how to implement a simple process manager that can manage the current processes and also manage the DLLs loaded into a process. This article mainly discusses the programming of the process-management part; the next one discusses the DLL-management program.

II. Interface design

This program needs two interfaces to be designed. This article discusses only the creation of the first one. It requires one List control and three Button controls:


Figure 1 Design of the main interface

Then set the properties of the List control: under "Styles", set "View" to Report and check the "Single Selection" option.

Then add a variable named m_ProcessList to it and initialize it in code:

void CProcessManageDlg::InitProcessList()
{
        // Set the extended style of the list control
        m_ProcessList.SetExtendedStyle(m_ProcessList.GetExtendedStyle()
                | LVS_EX_GRIDLINES        // draw grid lines
                | LVS_EX_FULLROWSELECT);  // highlight the whole selected row (report style only)
        // Add the columns
        m_ProcessList.InsertColumn(0, _T("Serial number"));
        m_ProcessList.InsertColumn(1, _T("Process name"));
        m_ProcessList.InsertColumn(2, _T("PID value"));
        m_ProcessList.InsertColumn(3, _T("Number of threads"));
        m_ProcessList.InsertColumn(4, _T("Parent process ID"));
        m_ProcessList.InsertColumn(5, _T("Thread priority"));
        // Set the width of each column
        for (int i = 0; i < 6; i++)
                m_ProcessList.SetColumnWidth(i, LVSCW_AUTOSIZE_USEHEADER);
}

After that, add the following call in CProcessManageDlg::OnInitDialog():

InitProcessList();

to perform the initialization, and then declare it in the header file:

void InitProcessList();

III. Enumeration of processes

Process enumeration means listing every process; deliberately hidden processes, however, cannot be found by ordinary enumeration.

What is described here is application-layer (user-mode) process enumeration.

To implement this feature, CreateToolhelp32Snapshot() is used. It takes a snapshot of the processes in the current system; once the snapshot has been created successfully, the processes are enumerated one by one.

Enumerating requires both the Process32First() and Process32Next() functions. To use them, the Tlhelp32.h header file must be included first. The code is as follows:

void CProcessManageDlg::ShowProcess()
{
        // Empty the list
        m_ProcessList.DeleteAllItems();
        // Take a snapshot of all processes in the system
        HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hSnap == INVALID_HANDLE_VALUE)
        {
                AfxMessageBox(_T("Process snapshot creation failed!"));
                return;
        }
        // The size of this structure must be set before it is used
        PROCESSENTRY32 pe32 = {0};
        pe32.dwSize = sizeof(PROCESSENTRY32);
        // Walk the process snapshot and display the information of each process in turn
        BOOL bRet = Process32First(hSnap, &pe32);
        int i = 0;
        CString str;
        while (bRet)
        {
                str.Format(_T("%d"), i);
                m_ProcessList.InsertItem(i, str);
                // Process name
                m_ProcessList.SetItemText(i, 1, pe32.szExeFile);
                // Process ID
                str.Format(_T("%u"), pe32.th32ProcessID);
                m_ProcessList.SetItemText(i, 2, str);
                // Number of threads started by this process
                str.Format(_T("%u"), pe32.cntThreads);
                m_ProcessList.SetItemText(i, 3, str);
                // Parent process ID
                str.Format(_T("%u"), pe32.th32ParentProcessID);
                m_ProcessList.SetItemText(i, 4, str);
                // Base priority of the process's threads
                str.Format(_T("%d"), pe32.pcPriClassBase);
                m_ProcessList.SetItemText(i, 5, str);
                i++;
                bRet = Process32Next(hSnap, &pe32);
        }
        CloseHandle(hSnap);
}

Since I want the system's processes to be displayed as soon as the program opens, add the following in OnInitDialog():

ShowProcess();

Finally, add the declaration in the header file:

void ShowProcess();

IV. Ending a process

Normally, when a process ends, it calls the ExitProcess() function to exit itself. To end a specified process from outside, the TerminateProcess() function is needed. Operations on a process usually require its PID value, so for convenience a function that gets the PID value of the selected process is written first, to support the subsequent operations on the process.

The principle is: the processes are enumerated and displayed in the list box, and the function returns the contents of the "PID value" column of the selected process:

int CProcessManageDlg::GetSelectPid()
{
        int nPid = -1;
        // Get the position of the selected item in the list box
        POSITION pos = m_ProcessList.GetFirstSelectedItemPosition();
        int nSelect = -1;
        while (pos)
        {
                nSelect = m_ProcessList.GetNextSelectedItem(pos);
        }
        // If nothing is selected in the list box, report an error
        if (-1 == nSelect)
        {
                AfxMessageBox(_T("Please select a process!"));
                return -1;
        }
        // Read the PID value displayed in the list box (a DWORD has at most 10 digits)
        TCHAR szPid[16] = {0};
        m_ProcessList.GetItemText(nSelect, 2, szPid, 16);
        nPid = _ttoi(szPid);
        return nPid;
}

This function needs to be declared in the header file:

int GetSelectPid();

Then add the code for the "End Process" button:

void CProcessManageDlg::OnButtonTerminate()
{
        // TODO: Add your control notification handler code here
        int nPid = GetSelectPid();
        if (-1 == nPid)
                return;
        // Open the process with only the right needed to terminate it
        HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, nPid);
        if (NULL == hProcess)
        {
                AfxMessageBox(_T("Failed to open the process!"));
                return;
        }
        TerminateProcess(hProcess, 0);
        CloseHandle(hProcess);
        ShowProcess();
}

The idea of the code above is to first obtain a handle to the process that carries the right to terminate it, and then end it. OpenProcess() returns NULL when the caller is denied that access right, in which case the process cannot be ended this way.

V. Suspending and resuming a process

Sometimes a malicious program creates two or more processes in order to protect itself, so that they guard each other.

When one of the processes finds that another has been ended, it starts that process again. Because these processes help each other, it is very difficult to end the malicious program's processes completely, and so the malicious program itself cannot be removed.

In such a case, the processes can first be paused, and only then can the malicious processes be ended.

Pausing a process generally uses the SuspendThread() function, which requires a thread handle. A thread handle is obtained through the OpenThread() function, and the threads are enumerated using the Thread32First() and Thread32Next() functions.

Add the code for the "Pause Process" button:

void CProcessManageDlg::OnBtnStop()
{
        // TODO: Add your control notification handler code here
        int nPid = GetSelectPid();
        if (-1 == nPid)
                return;
        // Create a thread snapshot (TH32CS_SNAPTHREAD is system-wide; the PID argument is ignored)
        HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, nPid);
        if (hSnap == INVALID_HANDLE_VALUE)
        {
                AfxMessageBox(_T("Pause process failed!"));
                return;
        }
        THREADENTRY32 te32 = {0};
        te32.dwSize = sizeof(THREADENTRY32);
        BOOL bRet = Thread32First(hSnap, &te32);
        while (bRet)
        {
                // Check which process the thread belongs to
                if (te32.th32OwnerProcessID == (DWORD)nPid)
                {
                        // THREAD_SUSPEND_RESUME is the only access right SuspendThread() needs
                        HANDLE hThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, te32.th32ThreadID);
                        if (hThread != NULL)
                        {
                                SuspendThread(hThread);
                                CloseHandle(hThread);
                        }
                }
                bRet = Thread32Next(hSnap, &te32);
        }
        CloseHandle(hSnap);
}

Because CreateToolhelp32Snapshot() can only take a snapshot of all threads in the system, and cannot take a snapshot of the threads of one specified process, pausing a process requires checking every thread reached during the enumeration to see whether it belongs to the specified process. In the THREADENTRY32 structure, th32ThreadID identifies the thread ID of the thread currently enumerated, and th32OwnerProcessID identifies the ID of the process that owns it. That is why the code above compares th32OwnerProcessID in order to find the matching threads.

Next, add the code for the "Resume Process" button:
void CProcessManageDlg::OnButtonResume()
{
        // TODO: Add your control notification handler code here
        int nPid = GetSelectPid();
        if (-1 == nPid)
                return;
        HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, nPid);
        if (hSnap == INVALID_HANDLE_VALUE)
        {
                AfxMessageBox(_T("Process resume failed!"));
                return;
        }
        THREADENTRY32 te32 = {0};
        te32.dwSize = sizeof(THREADENTRY32);
        BOOL bRet = Thread32First(hSnap, &te32);
        while (bRet)
        {
                if (te32.th32OwnerProcessID == (DWORD)nPid)
                {
                        HANDLE hThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, te32.th32ThreadID);
                        if (hThread != NULL)
                        {
                                ResumeThread(hThread);
                                CloseHandle(hThread);
                        }
                }
                bRet = Thread32Next(hSnap, &te32);
        }
        CloseHandle(hSnap);
}

Because the principle is the same as for pausing a process, it is not repeated here.
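Sections IV and V together describe the workflow for a mutually protecting group: pause every thread of the group first, and only then end the processes. The following added example (mine, not the article's code) plans that sweep over the same snapshot fields the article displays (th32ProcessID, th32ParentProcessID, szExeFile, th32OwnerProcessID, th32ThreadID); the snapshot data is constructed and the Win32 suspend/terminate calls are passed in as callbacks, so the ordering logic also runs off Windows.

```cpp
#include <functional>
#include <set>
#include <string>
#include <vector>

struct ProcEntry   { unsigned pid; unsigned parentPid; std::string exeFile; }; // PROCESSENTRY32 subset
struct ThreadEntry { unsigned tid; unsigned ownerPid; };                        // THREADENTRY32 subset

// Targets = the PIDs picked in the list plus every process running the same image file,
// because a guard process is usually a second copy of the same executable.
std::set<unsigned> selectTargets(const std::vector<ProcEntry>& procs, const std::set<unsigned>& picked) {
    std::set<std::string> images;
    for (const auto& p : procs)
        if (picked.count(p.pid)) images.insert(p.exeFile);
    std::set<unsigned> targets(picked);
    for (const auto& p : procs)
        if (images.count(p.exeFile)) targets.insert(p.pid);
    return targets;
}
struct SweepResult { std::vector<unsigned> suspended, terminated; };

// Phase 1: walk ONE system-wide thread snapshot and suspend every thread whose
// th32OwnerProcessID is a target (the same filter the article's pause loop applies).
// Phase 2: only once nothing in the group can run, terminate each target, so a
// watchdog is never scheduled between two kills. The Win32 calls are callbacks;
// on Windows they wrap OpenThread+SuspendThread and OpenProcess+TerminateProcess.
SweepResult freezeThenKill(const std::vector<ThreadEntry>& threads, const std::set<unsigned>& targets,
                           const std::function<bool(unsigned)>& suspendThread,
                           const std::function<bool(unsigned)>& terminateProcess) {
    SweepResult r;
    for (const auto& t : threads)
        if (targets.count(t.ownerPid) && suspendThread(t.tid)) r.suspended.push_back(t.tid);
    for (unsigned pid : targets)
        if (terminateProcess(pid)) r.terminated.push_back(pid);
    return r;
}
// Constructed demo data (hypothetical PIDs/TIDs, not from a real machine): guard.exe 1300
// spawned a second guard.exe 1400; the user selected only 1300 in the list control.
struct DemoRun { SweepResult result; std::vector<std::string> callLog; };
DemoRun runDemo() {
    std::vector<ProcEntry> procs = {{4, 0, "System"}, {1200, 600, "notepad.exe"}, {1300, 1200, "guard.exe"},
                                    {1400, 1300, "guard.exe"}, {1500, 1, "explorer.exe"}};
    std::vector<ThreadEntry> threads = {{10, 4}, {11, 1200}, {12, 1300}, {13, 1300}, {14, 1400}, {15, 1500}};
    DemoRun d;  // the stubs record the order of calls so the two phases can be checked
    auto suspendStub   = [&d](unsigned tid) { d.callLog.push_back("S" + std::to_string(tid)); return true; };
    auto terminateStub = [&d](unsigned pid) { d.callLog.push_back("T" + std::to_string(pid)); return true; };
    d.result = freezeThenKill(threads, selectTargets(procs, {1300}), suspendStub, terminateStub);
    return d;
}
```

In the real tool the two stubs would be replaced by the OpenThread/SuspendThread and OpenProcess/TerminateProcess calls shown in sections IV and V, and a second process snapshot after the sweep confirms that no member of the group has been restarted.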

VI. Effect of the program

When the program above compiles successfully, ending, pausing and resuming a process are all achieved.

Figure 2 Viewing the Notepad process

For example, experiment with the Notepad program.

Open Notepad, run the software, find the Notepad process, and click the "Pause Process" button: the Notepad window is still visible, but it cannot be operated.

Not until "Resume Process" is clicked does Notepad return to normal. Then click "End Process": Notepad is closed and has disappeared from the list box. This shows that our program works.

VII. Summary

This time a simple process manager program was implemented, which is often very useful when killing viruses manually. I also hope that readers can extrapolate from it and develop a more comprehensive program on this basis.

