通过未公开函数 NtQuerySystemInformation 遍历进程信息，再借助 winsta.dll 的 WinStationGetProcessSid 和 utildll.dll 的 CachedGetUserFromSid(同样未公开)获得每个进程所属的用户名(如: SYSTEM、Administrator)

遍历进程用户名

代码例子



#include <windows.h>
#include <Tlhelp32.h>
#include <COMDEF.H>
#include <stdio.h>
#include <iostream>
#include <vector>
using namespace std;


// Native counted string, mirroring winternl.h's UNICODE_STRING (that header is
// not included here). Per the documented native type, Length/MaximumLength are
// byte counts and Buffer is not guaranteed to be NUL-terminated, so ImageName
// should be printed with an explicit length (Length / sizeof(WCHAR)), not as a
// C string.
typedef struct _UNICODE_STRING {
	USHORT Length;          // bytes in use at Buffer
	USHORT MaximumLength;   // bytes allocated at Buffer
	PWSTR   Buffer;
} UNICODE_STRING, * PUNICODE_STRING;

// One SystemProcessInformation (class 5) entry as returned by
// NtQuerySystemInformation. Entries are packed back to back in the returned
// buffer; dwNextEntryOffset is the byte distance to the next entry and 0 marks
// the last one (see GetSysProcInfo / GetProcessUser below).
//
// NOTE(review): the field widths here match the 32-bit layout. In the
// documented native struct UniqueProcessId / InheritedFromUniqueProcessId are
// HANDLE (pointer-sized) and PeakWorkingSetSize / WorkingSetSize are SIZE_T, so
// on x64 every field from dwProcessId onward would be read at the wrong offset.
// Confirm the layout before building this sample as 64-bit.
typedef struct _SYSTEM_PROCESS_INFORMATION
{
	DWORD             dwNextEntryOffset;            // byte offset to the next entry; 0 = last
	DWORD             dwNumberOfThreads;
	LARGE_INTEGER     qSpareLi1;                    // reserved; names kept from the original sample
	LARGE_INTEGER     qSpareLi2;
	LARGE_INTEGER     qSpareLi3;
	LARGE_INTEGER     qCreateTime;                  // copied into a FILETIME by GetProcessUser
	LARGE_INTEGER     qUserTime;
	LARGE_INTEGER     qKernelTime;
	UNICODE_STRING     ImageName;                   // counted string, not NUL-terminated
	int                 nBasePriority;
	DWORD             dwProcessId;                  // compared against the PID in GetProcessUser
	DWORD             dwInheritedFromUniqueProcessId;   // parent PID
	DWORD             dwHandleCount;
	DWORD             dwSessionId;
	ULONG             dwSpareUl3;
	SIZE_T             tPeakVirtualSize;
	SIZE_T             tVirtualSize;
	DWORD             dwPageFaultCount;
	DWORD             dwPeakWorkingSetSize;         // SIZE_T in the documented layout
	DWORD             dwWorkingSetSize;             // SIZE_T in the documented layout
	SIZE_T             tQuotaPeakPagedPoolUsage;
	SIZE_T             tQuotaPagedPoolUsage;
	SIZE_T             tQuotaPeakNonPagedPoolUsage;
	SIZE_T             tQuotaNonPagedPoolUsage;
	SIZE_T             tPagefileUsage;
	SIZE_T             tPeakPagefileUsage;
	SIZE_T             tPrivatePageCount;
	LARGE_INTEGER     qReadOperationCount;
	LARGE_INTEGER     qWriteOperationCount;
	LARGE_INTEGER     qOtherOperationCount;
	LARGE_INTEGER     qReadTransferCount;
	LARGE_INTEGER     qWriteTransferCount;
	LARGE_INTEGER     qOtherTransferCount;
}SYSTEM_PROCESS_INFORMATION;


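/*----------------------------------------------------
	   Purpose : resolve an export from a system DLL at run time.
	   Params  : pDllName  - DLL file name, e.g. TEXT("NTDLL.DLL")
	             pProcName - exported function name (ANSI)
	   Returns : address of the export, or NULL if the DLL or the
	             export cannot be found (or an argument is NULL).
	   Notes   : The DLL is loaded with LOAD_LIBRARY_SEARCH_SYSTEM32 so
	             only %SystemRoot%\System32 is searched. The original
	             used plain LoadLibrary() on a bare file name, which
	             walks the default search order (application directory,
	             current directory, ...) and lets a planted winsta.dll /
	             utildll.dll be loaded instead (DLL search-order
	             hijacking). The flag needs Windows 8+ or Windows 7 with
	             KB2533623; on older systems the call fails and NULL is
	             returned. The module reference is deliberately never
	             released: callers keep the returned pointer for the life
	             of the process, so the DLL must stay mapped.
----------------------------------------------------*/
VOID* GetDllProc(const TCHAR* pDllName, const CHAR* pProcName)
{
	if (pDllName == NULL || pProcName == NULL)
		return NULL;

	// Pin the module for the process lifetime (see Notes) and restrict
	// the search to System32 so a same-named DLL elsewhere is ignored.
	HMODULE hMod = LoadLibraryEx(pDllName, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
	if (hMod == NULL)
		return NULL;

	return (VOID*)GetProcAddress(hMod, pProcName);
}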

// Function-pointer types for the exports resolved at run time via GetDllProc.
// NtQuerySystemInformation (ntdll.dll) is documented as subject to change;
// WinStationGetProcessSid (winsta.dll) and CachedGetUserFromSid (utildll.dll)
// are undocumented - the signatures below are the ones the original sample used.

// pReturnLength may be NULL; when supplied it receives the size the kernel
// needs when STATUS_INFO_LENGTH_MISMATCH is returned.
using Fun_NtQuerySystemInformation = LONG(WINAPI*)(
	int   SystemInformationClass,
	OUT PVOID SystemInformation,
	IN ULONG SystemInformationLength,
	OUT ULONG* pReturnLength OPTIONAL);

// Non-zero on success. GetProcessUser first calls it with a NULL SID buffer,
// expecting failure plus the required size in *dwSidSize, then calls it again
// with a buffer of that size.
using Fun_WinStationGetProcessSid = BYTE(WINAPI*)(
	HANDLE hServer,
	DWORD ProcessId,
	FILETIME ProcessStartTime,
	PBYTE pProcessUserSid,
	PDWORD dwSidSize);

// GetProcessUser treats cbUserName as in/out and reads back 0 as "lookup failed".
using Fun_CachedGetUserFromSid = VOID(WINAPI*)(PSID pSid, PWCHAR pUserName, PULONG cbUserName);

// NTSTATUS meaning "buffer too small"; ntstatus.h is not included in this file.
constexpr LONG STATUS_INFO_LENGTH_MISMATCH = static_cast<LONG>(0xC0000004L);

// SYSTEM_INFORMATION_CLASS value selecting the process list.
constexpr int SystemProcessInformation = 5;


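/*------------------------------------------------------------------
	 Purpose : snapshot the kernel's process list through the undocumented
	           NtQuerySystemInformation(SystemProcessInformation).
	 Params  : ppSysProcInfo - receives the first SYSTEM_PROCESS_INFORMATION
	           entry of a malloc()'d buffer. Walk it with dwNextEntryOffset;
	           0 marks the last entry. Set to NULL on failure.
	 Returns : TRUE on success - the caller owns the buffer and must free()
	           it. FALSE if ntdll's export cannot be resolved, allocation
	           fails, the size grows past what a DWORD can hold, or the
	           query returns any NTSTATUS other than STATUS_SUCCESS.
	 Notes   : The original never checked malloc() and passed NULL for
	           ReturnLength, growing blindly by doubling; this version
	           checks the allocation and grows to the size the kernel asks
	           for.
--------------------------------------------------------------------*/
BOOL GetSysProcInfo(SYSTEM_PROCESS_INFORMATION * *ppSysProcInfo)
{
	if (ppSysProcInfo == NULL)
		return FALSE;
	*ppSysProcInfo = NULL;

	Fun_NtQuerySystemInformation _NtQuerySystemInformation =
		(Fun_NtQuerySystemInformation)::GetDllProc(TEXT("NTDLL.DLL"), "NtQuerySystemInformation");
	if (_NtQuerySystemInformation == NULL)
		return FALSE;

	// The list is variable-sized and processes can start between two calls,
	// so retry for as long as the kernel reports STATUS_INFO_LENGTH_MISMATCH.
	DWORD dwSize = 1024 * 1024;
	VOID* pBuf = NULL;
	LONG  lRetVal;

	for (;;)
	{
		pBuf = malloc(dwSize);
		if (pBuf == NULL)
			return FALSE;

		ULONG ulNeeded = 0;
		lRetVal = _NtQuerySystemInformation(SystemProcessInformation, pBuf, dwSize, &ulNeeded);
		if (lRetVal != STATUS_INFO_LENGTH_MISMATCH)
			break;

		free(pBuf);
		pBuf = NULL;

		// Grow to what the kernel asked for plus slack for processes started
		// meanwhile; fall back to doubling if it reported nothing useful.
		DWORD dwNext = (ulNeeded > dwSize) ? ulNeeded + 64 * 1024 : dwSize * 2;
		if (dwNext <= dwSize)          // DWORD wrapped: give up instead of spinning
			return FALSE;
		dwSize = dwNext;
	}

	if (lRetVal != 0)                  // anything but STATUS_SUCCESS
	{
		free(pBuf);
		return FALSE;
	}

	*ppSysProcInfo = (SYSTEM_PROCESS_INFORMATION*)pBuf;
	return TRUE;
}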



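/*------------------------------------------------------------------
	 Purpose : find one PID in a GetSysProcInfo() snapshot and return
	           its create time in the FILETIME form WinStationGetProcessSid
	           expects.
	 Params  : pProcInfo    - first entry of the snapshot (not NULL)
	           dwPid        - process id to look for
	           pftStartTime - receives the entry's qCreateTime
	 Returns : TRUE if the PID is present in the snapshot.
--------------------------------------------------------------------*/
static BOOL FindProcessStartTime(const SYSTEM_PROCESS_INFORMATION* pProcInfo,
	DWORD dwPid, FILETIME* pftStartTime)
{
	const SYSTEM_PROCESS_INFORMATION* pCur = pProcInfo;
	for (;;)
	{
		if (pCur->dwProcessId == dwPid)
		{
			// Both are 8 bytes; copy instead of casting between the types.
			memcpy(pftStartTime, &pCur->qCreateTime, sizeof(*pftStartTime));
			return TRUE;
		}
		if (pCur->dwNextEntryOffset == 0)   // 0 terminates the list
			return FALSE;
		pCur = (const SYSTEM_PROCESS_INFORMATION*)((const BYTE*)pCur + pCur->dwNextEntryOffset);
	}
}

/*------------------------------------------------------------------
	 Purpose : resolve the account a process runs as (e.g. "SYSTEM",
	           "Administrator") from its PID.
	 Params  : dwPid     - process id
	           pbStrUser - receives the user name on success (not NULL)
	 Returns : TRUE on success. FALSE if the winsta.dll / utildll.dll
	           exports cannot be resolved, the PID is not in the process
	           list, or the SID / name lookups fail (which can happen for
	           processes the caller has no access to).
	 Notes   : WinStationGetProcessSid and CachedGetUserFromSid are
	           undocumented; the call pattern (size query with a NULL SID
	           buffer, then the real call) is the one from the original
	           sample. Fixes over the original: the ~1 MiB snapshot was
	           leaked on the success path, dwSize went into the first
	           WinStationGetProcessSid call uninitialised, and the SID byte
	           count was reused as the capacity of the user-name buffer.
--------------------------------------------------------------------*/
BOOL GetProcessUser(DWORD dwPid, _bstr_t* pbStrUser)
{
	if (pbStrUser == NULL)
		return FALSE;

	Fun_WinStationGetProcessSid _WinStationGetProcessSid = (Fun_WinStationGetProcessSid)
		GetDllProc(TEXT("Winsta.dll"), "WinStationGetProcessSid");
	Fun_CachedGetUserFromSid _CachedGetUserFromSid = (Fun_CachedGetUserFromSid)
		GetDllProc(TEXT("utildll.dll"), "CachedGetUserFromSid");
	if (_WinStationGetProcessSid == NULL || _CachedGetUserFromSid == NULL)
		return FALSE;

	// The start time goes with the PID into WinStationGetProcessSid. Take it
	// from a snapshot and release the snapshot right away, whatever happens.
	SYSTEM_PROCESS_INFORMATION* pProcInfo = NULL;
	if (!GetSysProcInfo(&pProcInfo) || pProcInfo == NULL)
		return FALSE;
	FILETIME ftStartTime;
	BOOL bFound = FindProcessStartTime(pProcInfo, dwPid, &ftStartTime);
	free(pProcInfo);
	if (!bFound)
		return FALSE;

	// Size query: with a NULL buffer the call is expected to fail (return 0)
	// and leave the SID size in dwSidSize. A non-zero result here means it
	// did not behave as the sample expects, so bail out.
	DWORD dwSidSize = 0;
	BYTE cRetVal = _WinStationGetProcessSid(NULL, dwPid, ftStartTime, NULL, &dwSidSize);
	if (cRetVal != 0 || dwSidSize == 0)
		return FALSE;

	std::vector<BYTE> sid(dwSidSize);
	cRetVal = _WinStationGetProcessSid(NULL, dwPid, ftStartTime, sid.data(), &dwSidSize);
	if (cRetVal == 0)
		return FALSE;

	// Hand the API the real capacity of szUserName. 1024 WCHARs is safe even
	// if the undocumented API reads the value as a byte count, since the
	// buffer holds 2048 bytes; the original passed the SID size (a few dozen
	// bytes), which would truncate or reject longer account names.
	WCHAR szUserName[1024] = { 0 };
	ULONG cchUserName = sizeof(szUserName) / sizeof(szUserName[0]);
	_CachedGetUserFromSid(sid.data(), szUserName, &cchUserName);
	if (cchUserName == 0)
		return FALSE;

	// Guarantee termination before handing the buffer to _bstr_t.
	szUserName[sizeof(szUserName) / sizeof(szUserName[0]) - 1] = L'\0';
	*pbStrUser = szUserName;
	return TRUE;
}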


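/*------------------------------------------------------------------
	 Entry point: list every running process (PID, image name) together
	 with the account it runs as, using a Toolhelp32 snapshot for the
	 enumeration and GetProcessUser() for the account.

	 The original main() did not compile: it referenced an undeclared
	 `pi` (a PROCESSENTRY32 from a lost Toolhelp loop, judging by
	 `pi.th32ProcessID`) and memcpy'd zeros over a _bstr_t object. Its
	 comment also listed walking each process's modules, reading module
	 signatures and terminating matches (it named services.exe and
	 conhost.exe); none of that is implemented here.

	 GetProcessUser may fail for processes the caller cannot access
	 (e.g. PID 0/4, or other users' processes without elevation); those
	 are printed with "?" as the user.
--------------------------------------------------------------------*/
int main()
{
	HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hSnap == INVALID_HANDLE_VALUE)
	{
		printf("CreateToolhelp32Snapshot failed: %lu\n", GetLastError());
		return 1;
	}

	PROCESSENTRY32W pe = { 0 };
	pe.dwSize = sizeof(pe);            // required before Process32First
	if (Process32FirstW(hSnap, &pe))
	{
		do
		{
			_bstr_t bsUser;
			const wchar_t* pszUser = L"?";
			// _bstr_t converts to NULL when empty, so check before printing.
			if (GetProcessUser(pe.th32ProcessID, &bsUser) && (const wchar_t*)bsUser != NULL)
				pszUser = (const wchar_t*)bsUser;
			wprintf(L"%6lu  %-40ls  %ls\n", pe.th32ProcessID, pe.szExeFile, pszUser);
		} while (Process32NextW(hSnap, &pe));
	}

	CloseHandle(hSnap);
	return 0;
}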

原文地址:https://www.cnblogs.com/iBinary/p/10816025.html