本程序的主要功能是:根据进程 ID 获取指定进程的父进程 ID(ParentProcessID)
直接上代码:
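// parent.cpp (Windows NT/2000)
//
// This example shows how you can retrieve the parent process ID
// on Windows NT/2000 using the NT Native API.
//
//
// (c)1999 Ashot Oganesyan K, SmartLine, Inc
// mailto:ashot@aha.ru, http://www.protect-me.com, http://www.codepile.com
//
// Caveat when consuming the result: InheritedFromUniqueProcessId is only
// the PID that was recorded when the process was created. The creator can
// nominate a different parent at creation time, the real parent may have
// exited since, and Windows reuses PIDs, so the value can name an
// unrelated process. Before relying on it for a security decision or a
// detection rule, confirm that the candidate parent's creation time
// precedes the child's (GetProcessTimes) and correlate it with
// process-creation telemetry.

#include <windows.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define ProcessBasicInformation 0

// Buffer layout returned for ProcessBasicInformation.
//
// Several fields are pointer-sized. Declaring them as DWORD/ULONG only
// matches a 32-bit build; in a 64-bit build the structure would be too
// small, the length passed to the call would be wrong and the parent PID
// would be read from the wrong offset. With the types below the layout is
// unchanged for 32-bit builds and correct for 64-bit builds.
typedef struct
{
    LONG      ExitStatus;                   // NTSTATUS
    PVOID     PebBaseAddress;
    ULONG_PTR AffinityMask;
    LONG      BasePriority;                 // KPRIORITY
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;


// ntdll!NtQueryInformationProcess (NT specific!)
//
// The function copies the process information of the
// specified type into a buffer
//
// NTSYSAPI
// NTSTATUS
// NTAPI
// NtQueryInformationProcess(
//    IN HANDLE ProcessHandle,              // handle to process
//    IN PROCESSINFOCLASS InformationClass, // information type
//    OUT PVOID ProcessInformation,         // pointer to buffer
//    IN ULONG ProcessInformationLength,    // buffer size in bytes
//    OUT PULONG ReturnLength OPTIONAL      // pointer to a 32-bit
//                                          // variable that receives
//                                          // the number of bytes
//                                          // written to the buffer
// );
typedef LONG (WINAPI *PROCNTQSIP)(HANDLE,UINT,PVOID,ULONG,PULONG);


// Resolved at run time in main(); stays NULL if the export is missing.
PROCNTQSIP NtQueryInformationProcess;

DWORD GetParentProcessID(DWORD dwId);

// Entry point: parent.exe ProcId
//
// Resolves NtQueryInformationProcess from the already-loaded ntdll, parses
// the process ID given on the command line and prints the parent PID.
// Returns 0 on success and 1 on a usage, resolution or query failure.
int main(int argc, char* argv[])
{
    HMODULE hNtdll;
    char   *end = NULL;
    DWORD   dwId;
    DWORD   dwParent;

    if (argc < 2)
    {
        printf("Usage: parent.exe ProcId\n");
        return 1;
    }

    // ntdll is mapped into every process, so no LoadLibrary (and no DLL
    // search path lookup) is needed; still check the handle before use.
    hNtdll = GetModuleHandleA("ntdll.dll");
    if (!hNtdll)
    {
        fprintf(stderr, "ntdll.dll is not loaded\n");
        return 1;
    }

    NtQueryInformationProcess = (PROCNTQSIP)GetProcAddress(
                                            hNtdll,
                                            "NtQueryInformationProcess"
                                            );

    if (!NtQueryInformationProcess)
    {
        fprintf(stderr, "NtQueryInformationProcess is not available\n");
        return 1;
    }

    // Validate the argument instead of trusting sscanf: on a failed
    // conversion sscanf would have left dwId uninitialised. Requiring a
    // leading digit also rejects signs and leading whitespace.
    if (argv[1][0] < '0' || argv[1][0] > '9')
    {
        fprintf(stderr, "Invalid process ID: %s\n", argv[1]);
        return 1;
    }

    errno = 0;
    dwId = strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE)
    {
        fprintf(stderr, "Invalid process ID: %s\n", argv[1]);
        return 1;
    }

    dwParent = GetParentProcessID(dwId);
    if (dwParent == (DWORD)-1)
    {
        fprintf(stderr, "Could not query the parent PID for %lu\n", dwId);
        return 1;
    }

    printf("Parent PID for %lu is %lu\n", dwId, dwParent);
    return 0;
}

// Returns the parent process ID recorded for process dwId, or (DWORD)-1
// when the process cannot be opened or queried (for example when the
// caller lacks access to the target or the PID does not exist).
//
// The value returned is the creation-time record only; see the caveat in
// the file header before treating it as the process's true parent.
DWORD GetParentProcessID(DWORD dwId)
{
    LONG   status;
    DWORD  dwParentPID = (DWORD)-1;
    HANDLE hProcess;
    PROCESS_BASIC_INFORMATION pbi = {0};

    // The function pointer is set by main(); refuse to call through NULL.
    if (!NtQueryInformationProcess)
        return (DWORD)-1;

    // Get process handle (query access only, not inheritable)
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,dwId);
    if (!hProcess)
        return (DWORD)-1;

    // Retrieve information
    status = NtQueryInformationProcess( hProcess,
                                        ProcessBasicInformation,
                                        (PVOID)&pbi,
                                        sizeof(PROCESS_BASIC_INFORMATION),
                                        NULL
                                      );

    // Copy parent Id on success (status 0 is STATUS_SUCCESS). The field is
    // pointer-sized, but process IDs fit in a DWORD.
    if (status == 0)
        dwParentPID = (DWORD)pbi.InheritedFromUniqueProcessId;

    // Close the handle on every path that opened it.
    CloseHandle (hProcess);

    return dwParentPID;
}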