VERSION 5.00
Begin VB.Form frmMain
BorderStyle = 1 'Fixed Single
Caption = "读取内存枚举进程"
ClientHeight = 4080
ClientLeft = 45
ClientTop = 435
ClientWidth = 5775
LinkTopic = "Form1"
LockControls = -1 'True
MaxButton = 0 'False
MinButton = 0 'False
ScaleHeight = 4080
ScaleWidth = 5775
StartUpPosition = 2 '屏幕中心
Begin VB.CommandButton cmdExit
Cancel = -1 'True
Caption = "退出(&C)"
Height = 345
Left = 4590
TabIndex = 2
Top = 3630
Width = 1005
End
Begin VB.CommandButton cmdRefresh
Caption = "刷新(&R)"
Height = 345
Left = 3510
TabIndex = 1
Top = 3630
Width = 1005
End
Begin VB.ListBox lstProcesses
Height = 3480
Left = 0
TabIndex = 0
Top = 0
Width = 5745
End
End
Attribute VB_Name = "frmMain"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
' Close the main form; with no other forms loaded this ends the program.
Private Sub cmdExit_Click()
    Unload Me
End Sub
' Re-populate the process list. PrintProcesses is defined elsewhere in the
' project; this handler only clears the list box before delegating to it.
Private Sub cmdRefresh_Click()
    With Me.lstProcesses
        .Clear
    End With
    PrintProcesses
End Sub
' Start-up: refuse to run on systems older than Windows 2000, otherwise
' acquire the debug privilege, collect the normal process list and show it.
' GetVersionName, EnablePrivilege and PrintProcesses live in other modules
' of the project; GetVersionName returns the literal "不支持" when the OS
' version is not supported.
Private Sub Form_Load()
    If GetVersionName <> "不支持" Then
        ' SeDebugPrivilege is required for the later enumeration paths.
        EnablePrivilege
        ' Fill the module-level PID array via PSAPI.
        GetProcesses
        PrintProcesses
    Else
        MsgBox "不支持此操作系统!!", vbCritical, "提示"
        Unload Me
        End
    End If
End Sub
Attribute VB_Name = "modEnumProcesses"
Option Explicit
'利用PSAPI枚举进程
Private Declare Function EnumProcesses Lib "PSAPI.DLL" (ByRef lpidProcess As Long, ByVal cb As Long, ByRef cbNeeded As Long) As Long
'常规模式下的进程集合
Public lngProcArr() As Long
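' Enumerate the PIDs of every process visible through the normal PSAPI path.
' The list is also kept in the module-level lngProcArr so that IsHideProcess
' can later check whether a PID found by another method is missing from it.
'
' Returns: zero-based Long array of process ids.
' Raises : a runtime error when EnumProcesses reports failure, instead of
'          the "Subscript out of range" the old code produced in that case.
Public Function GetProcesses() As Long()
    Const BYTES_PER_PID As Long = 4
    Dim lngCapacity As Long    ' Long slots currently allocated in lngProcArr
    Dim lngCbNeeded As Long    ' bytes actually written by EnumProcesses
    Dim lngRet As Long

    lngCapacity = 1024
    Do
        ReDim lngProcArr(0 To lngCapacity - 1)
        lngRet = EnumProcesses(lngProcArr(0), lngCapacity * BYTES_PER_PID, lngCbNeeded)
        If lngRet = 0 Then
            Err.Raise vbObjectError + 513, "modEnumProcesses.GetProcesses", _
                      "EnumProcesses failed (Win32 error " & CStr(Err.LastDllError) & ")"
        End If
        ' EnumProcesses gives no explicit "buffer too small" signal: if it
        ' filled the buffer completely the list may be truncated, so grow
        ' the buffer and query again.
        If lngCbNeeded < lngCapacity * BYTES_PER_PID Then Exit Do
        lngCapacity = lngCapacity * 2
    Loop

    ' Integer division (\), not floating division: cbNeeded is a byte count.
    ReDim Preserve lngProcArr(0 To (lngCbNeeded \ BYTES_PER_PID) - 1)
    GetProcesses = lngProcArr
End Function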
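' Report whether a PID is absent from the "normal" list captured by
' GetProcesses, i.e. it was found by one of the alternative enumeration
' paths but is not visible to PSAPI.
'
' strProcessId : the PID as text; Val treats non-numeric text as 0.
' Returns      : True when the PID is NOT in lngProcArr.
' Note: GetProcesses must have run first; UBound on the unallocated array
'       raises a runtime error otherwise.
Public Function IsHideProcess(ByVal strProcessId As String) As Boolean
    Dim idx As Long            ' Long, not Integer: no 32767 index ceiling
    Dim strWanted As String

    ' Normalise the requested PID once instead of on every iteration.
    strWanted = CStr(Val(strProcessId))
    For idx = LBound(lngProcArr) To UBound(lngProcArr)
        If CStr(lngProcArr(idx)) = strWanted Then
            IsHideProcess = False
            Exit Function
        End If
    Next idx
    IsHideProcess = True
End Function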
Attribute VB_Name = "modKernel"
Option Explicit
'typedef struct _SYSTEM_MODULE
'{
' ULONG Reserved[2];
' ULONG Base;
' ULONG Size;
' ULONG Flags;
' USHORT Index;
' USHORT Unknown;
' USHORT LoadCount;
' USHORT ModuleNameOffset;
' CHAR ImageName[256];
'} SYSTEM_MODULE, *PSYSTEM_MODULE;
' VB6 mirror of the C SYSTEM_MODULE struct shown above. Field sizes follow
' the 32-bit layout (ULONG -> Long, USHORT -> Integer, CHAR[256] -> Byte(0 To 255)).
' NOTE(review): USHORT fields are mapped to the signed Integer type, so values
' above 32767 read back negative — mask with &HFFFF& before using them as counts.
Private Type SYSTEM_MODULE
    Reserved(0 To 1) As Long   ' ULONG Reserved[2]
    Base As Long               ' ULONG Base  (32-bit address)
    Size As Long               ' ULONG Size
    Flags As Long              ' ULONG Flags
    Index As Integer           ' USHORT Index
    Unknown As Integer         ' USHORT Unknown
    LoadCount As Integer       ' USHORT LoadCount
    ModuleNameOffset As Integer ' USHORT ModuleNameOffset (offset into ImageName)
    ImageName(255) As Byte     ' CHAR ImageName[256], ANSI, NUL-terminated
End Type
'typedef struct _MEMORY_CHUNKS {
' ULONG Address;
' PVOID Data;
' ULONG Length;
'}MEMORY_CHUNKS, *PMEMORY_CHUNKS;
' VB6 mirror of the C MEMORY_CHUNKS struct shown above, used as the input
' buffer for the SysDbgCopyMemoryChunks_* commands of NtSystemDebugControl.
' Data is a 32-bit user-mode pointer (PVOID) stored as Long; this matches
' VB6's 32-bit-only runtime and is not portable to a 64-bit caller.
Private Type MEMORY_CHUNKS
    Address As Long   ' ULONG Address: source/target address (virtual or physical, per command)
    Data As Long      ' PVOID Data: user-mode buffer the chunk is copied to/from
    Length As Long    ' ULONG Length: number of bytes to copy
End Type
'typedef enum _SYSDBG_COMMAND {
'//以下5个在Windows NT各个版本上都有
' SysDbgGetTraceInformation = 1,
' SysDbgSetInternalBreakpoint = 2,
' SysDbgSetSpecialCall = 3,
' SysDbgClearSpecialCalls = 4,
' SysDbgQuerySpecialCalls = 5,
'
'// 以下是NT 5.1 新增的
' SysDbgDbgBreakPointWithStatus = 6,
'
' //获取KdVersionBlock
' SysDbgSysGetVersion = 7,
'
' //从内核空间拷贝到用户空间,或者从用户空间拷贝到用户空间
' //但是不能从用户空间拷贝到内核空间
' SysDbgCopyMemoryChunks_0 = 8,
' //SysDbgReadVirtualMemory = 8,
'
' //从用户空间拷贝到内核空间,或者从用户空间拷贝到用户空间
' //但是不能从内核空间拷贝到用户空间
' SysDbgCopyMemoryChunks_1 = 9,
' //SysDbgWriteVirtualMemory = 9,
'
' //从物理地址拷贝到用户空间,不能写到内核空间
' SysDbgCopyMemoryChunks_2 = 10,
' //SysDbgReadVirtualMemory = 10,
'
' //从用户空间拷贝到物理地址,不能读取内核空间
' SysDbgCopyMemoryChunks_3 = 11,
' //SysDbgWriteVirtualMemory = 11,
'
' //读写处理器相关控制块
' SysDbgSysReadControlSpace = 12,
' SysDbgSysWriteControlSpace = 13,
'
' //读写端口
' SysDbgSysReadIoSpace = 14,
' SysDbgSysWriteIoSpace = 15,
'
' //分别调用RDMSR@4和_WRMSR@12
' SysDbgSysReadMsr = 16,
' SysDbgSysWriteMsr = 17,
'
' //读写总线数据
' SysDbgSysReadBusData = 18,
' SysDbgSysWriteBusData = 19,
'
' SysDbgSysCheckLowMemory = 20,
'
'// 以下是NT 5.2 新增的
'
' //分别调用_KdEnableDebugger@0和_KdDisableDebugger@0
' SysDbgEnableDebugger = 21,
' SysDbgDisableDebugger = 22,
'
' //获取和设置一些调试相关的变量
' SysDbgGetAutoEnableOnEvent = 23,
' SysDbgSetAutoEnableOnEvent = 24,
' SysDbgGetPitchDebugger = 25,
' SysDbgSetDbgPrintBufferSize = 26,
' SysDbgGetIgnoreUmExceptions = 27,
' SysDbgSetIgnoreUmExceptions = 28
'} SYSDBG_COMMAND, *PSYSDBG_COMMAND;
' Control codes for NtSystemDebugControl (undocumented; values taken from the
' C enum reproduced in the comment above).
' NOTE(review): the caller needs SeDebugPrivilege for these commands, and the
' memory-copy commands (8-11) are reported as unavailable on Windows Vista and
' later unless kernel debugging is enabled — confirm against the target OS
' before relying on this path; only the Windows 2000/XP/2003 behaviour is
' what this project appears to target.
Private Enum SYSDBG_COMMAND
    ' The first five exist on every Windows NT version.
    SysDbgGetTraceInformation = 1
    SysDbgSetInternalBreakpoint = 2
    SysDbgSetSpecialCall = 3
    SysDbgClearSpecialCalls = 4
    SysDbgQuerySpecialCalls = 5
    ' Added in NT 5.1 (Windows XP).
    SysDbgDbgBreakPointWithStatus = 6
    ' Retrieve KdVersionBlock.
    SysDbgSysGetVersion = 7
    ' Copy kernel space -> user space, or user space -> user space;
    ' cannot copy user space -> kernel space.
    SysDbgCopyMemoryChunks_0 = 8
    ' (alias: SysDbgReadVirtualMemory = 8)
    ' Copy user space -> kernel space, or user space -> user space;
    ' cannot copy kernel space -> user space.
    SysDbgCopyMemoryChunks_1 = 9
    ' (alias: SysDbgWriteVirtualMemory = 9)
    ' Copy from a physical address to user space; cannot write kernel space.
    SysDbgCopyMemoryChunks_2 = 10
    ' (alias: SysDbgReadPhysicalMemory = 10 in some sources)
    ' Copy from user space to a physical address; cannot read kernel space.
    SysDbgCopyMemoryChunks_3 = 11
    ' (alias: SysDbgWritePhysicalMemory = 11 in some sources)
    ' Read/write the processor control block (KPCR) area.
    SysDbgSysReadControlSpace = 12
    SysDbgSysWriteControlSpace = 13
    ' Read/write I/O ports.
    SysDbgSysReadIoSpace = 14
    SysDbgSysWriteIoSpace = 15
    ' Call RDMSR@4 and _WRMSR@12 respectively.
    SysDbgSysReadMsr = 16
    SysDbgSysWriteMsr = 17
    ' Read/write bus data.
    SysDbgSysReadBusData = 18
    SysDbgSysWriteBusData = 19
    SysDbgSysCheckLowMemory = 20
    ' Added in NT 5.2 (Windows Server 2003).
    ' Call _KdEnableDebugger@0 and _KdDisableDebugger@0 respectively.
    SysDbgEnableDebugger = 21
    SysDbgDisableDebugger = 22
    ' Get/set assorted debugger-related variables.
    SysDbgGetAutoEnableOnEvent = 23
    SysDbgSetAutoEnableOnEvent = 24
    SysDbgGetPitchDebugger = 25
    SysDbgSetDbgPrintBufferSize = 26
    SysDbgGetIgnoreUmExceptions = 27
    SysDbgSetIgnoreUmExceptions = 28
End Enum
'读写内核空间函数
Private Declare Function NtSystemDebugControl Lib "NTDLL.DLL" (ByVal ControlCode As SYSDBG_COMMAND, _
ByRef InputBuffer As Any, _
ByVal InputBufferLength As Long, _
ByRef OutputBuffer As Any, _
ByVal OutputBufferLength As Long, _
ByRef ReturnLength As Long) As Long
'枚举Kernel Module函数
Private Declare Function NtQuerySystemInformation Lib "NTDLL.DLL" (ByVal SystemInformationClass As SYSTEM_INFORMATION_CLASS, _
ByVal pSyst
5种方法得到所有进程名(包括隐藏进程)