5种方法得到所有进程名（包括隐藏进程）

VERSION 5.00 Begin VB.Form frmMain BorderStyle = 1 'Fixed Single Caption = "读取内存枚举进程" ClientHeight = 4080 ClientLeft = 45 ClientTop = 435 ClientWidth = 5775 LinkTopic = "Form1" LockControls = -1 'True MaxButton = 0 'False MinButton = 0 'False ScaleHeight = 4080 ScaleWidth = 5775 StartUpPosition = 2 '屏幕中心 Begin VB.CommandButton cmdExit Cancel = -1 'True Caption = "退出(&C)" Height = 345 Left = 4590 TabIndex = 2 Top = 3630 Width = 1005 End Begin VB.CommandButton cmdRefresh Caption = "刷新(&R)" Height = 345 Left = 3510 TabIndex = 1 Top = 3630 Width = 1005 End Begin VB.ListBox lstProcesses Height = 3480 Left = 0 TabIndex = 0 Top = 0 Width = 5745 End End Attribute VB_Name = "frmMain" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False '退出程序 Private Sub cmdExit_Click() Unload Me End Sub '刷新 Private Sub cmdRefresh_Click() Me.lstProcesses.Clear PrintProcesses End Sub Private Sub Form_Load() '判断系统版本如果是2K以下的系统就报错退出 If GetVersionName = "不支持" Then MsgBox "不支持此操作系统！！", vbCritical, "提示" Unload Me: End End If '获取Debug权限这是必须的 EnablePrivilege '获取常规下的进程 GetProcesses '打印进程 PrintProcesses End Sub Attribute VB_Name = "modEnumProcesses" Option Explicit '利用PSAPI枚举进程 Private Declare Function EnumProcesses Lib "PSAPI.DLL" (ByRef lpidProcess As Long, ByVal cb As Long, ByRef cbNeeded As Long) As Long '常规模式下的进程集合 Public lngProcArr() As Long '常规模式枚举进程 Public Function GetProcesses() As Long() Dim lngCbNeeded As Long Dim lngNumElements As Long, lngRet As Long ReDim lngProcArr(1024) lngRet = EnumProcesses(lngProcArr(0), 4 * 1024, lngCbNeeded) lngNumElements = lngCbNeeded / 4 ReDim Preserve lngProcArr(lngNumElements - 1) GetProcesses = lngProcArr End Function '判断指定进程是否为隐藏进程 Public Function IsHideProcess(ByVal strProcessId As String) As Boolean Dim i As Integer For i = 0 To UBound(lngProcArr) If CStr(lngProcArr(i)) = CStr(Val(strProcessId)) Then IsHideProcess = False Exit Function End If Next IsHideProcess = True End Function Attribute VB_Name = "modKernel" Option Explicit 'typedef struct _SYSTEM_MODULE '{ ' ULONG Reserved[2]; ' ULONG Base; ' ULONG Size; ' ULONG Flags; ' USHORT Index; ' USHORT Unknown; ' USHORT LoadCount; ' USHORT ModuleNameOffset; ' CHAR ImageName[256]; '} SYSTEM_MODULE, *PSYSTEM_MODULE; Private Type SYSTEM_MODULE Reserved(0 To 1) As Long Base As Long Size As Long Flags As Long Index As Integer Unknown As Integer LoadCount As Integer ModuleNameOffset As Integer ImageName(255) As Byte End Type 'typedef struct _MEMORY_CHUNKS { ' ULONG Address; ' PVOID Data; ' ULONG Length; '}MEMORY_CHUNKS, *PMEMORY_CHUNKS; Private Type MEMORY_CHUNKS Address As Long Data As Long Length As Long End Type 'typedef enum _SYSDBG_COMMAND { '//以下5个在Windows NT各个版本上都有 ' SysDbgGetTraceInformation = 1, ' SysDbgSetInternalBreakpoint = 2, ' SysDbgSetSpecialCall = 3, ' SysDbgClearSpecialCalls = 4, ' SysDbgQuerySpecialCalls = 5, ' '// 以下是NT 5.1 新增的 ' SysDbgDbgBreakPointWithStatus = 6, ' ' //获取KdVersionBlock ' SysDbgSysGetVersion = 7, ' ' //从内核空间拷贝到用户空间，或者从用户空间拷贝到用户空间 ' //但是不能从用户空间拷贝到内核空间 ' SysDbgCopyMemoryChunks_0 = 8, ' //SysDbgReadVirtualMemory = 8, ' ' //从用户空间拷贝到内核空间，或者从用户空间拷贝到用户空间 ' //但是不能从内核空间拷贝到用户空间 ' SysDbgCopyMemoryChunks_1 = 9, ' //SysDbgWriteVirtualMemory = 9, ' ' //从物理地址拷贝到用户空间，不能写到内核空间 ' SysDbgCopyMemoryChunks_2 = 10, ' //SysDbgReadVirtualMemory = 10, ' ' //从用户空间拷贝到物理地址，不能读取内核空间 ' SysDbgCopyMemoryChunks_3 = 11, ' //SysDbgWriteVirtualMemory = 11, ' ' //读写处理器相关控制块 ' SysDbgSysReadControlSpace = 12, ' SysDbgSysWriteControlSpace = 13, ' ' //读写端口 ' SysDbgSysReadIoSpace = 14, ' SysDbgSysWriteIoSpace = 15, ' ' //分别调用RDMSR@4和_WRMSR@12 ' SysDbgSysReadMsr = 16, ' SysDbgSysWriteMsr = 17, ' ' //读写总线数据 ' SysDbgSysReadBusData = 18, ' SysDbgSysWriteBusData = 19, ' ' SysDbgSysCheckLowMemory = 20, ' '// 以下是NT 5.2 新增的 ' ' //分别调用_KdEnableDebugger@0和_KdDisableDebugger@0 ' SysDbgEnableDebugger = 21, ' SysDbgDisableDebugger = 22, ' ' //获取和设置一些调试相关的变量 ' SysDbgGetAutoEnableOnEvent = 23, ' SysDbgSetAutoEnableOnEvent = 24, ' SysDbgGetPitchDebugger = 25, ' SysDbgSetDbgPrintBufferSize = 26, ' SysDbgGetIgnoreUmExceptions = 27, ' SysDbgSetIgnoreUmExceptions = 28 '} SYSDBG_COMMAND, *PSYSDBG_COMMAND; Private Enum SYSDBG_COMMAND '以下5个在Windows NT各个版本上都有 SysDbgGetTraceInformation = 1 SysDbgSetInternalBreakpoint = 2 SysDbgSetSpecialCall = 3 SysDbgClearSpecialCalls = 4 SysDbgQuerySpecialCalls = 5 '// 以下是NT 5.1 新增的 SysDbgDbgBreakPointWithStatus = 6 '//获取KdVersionBlock SysDbgSysGetVersion = 7 '//从内核空间拷贝到用户空间，或者从用户空间拷贝到用户空间 '//但是不能从用户空间拷贝到内核空间 SysDbgCopyMemoryChunks_0 = 8 '//SysDbgReadVirtualMemory = 8, '//从用户空间拷贝到内核空间，或者从用户空间拷贝到用户空间 '//但是不能从内核空间拷贝到用户空间 SysDbgCopyMemoryChunks_1 = 9 '//SysDbgWriteVirtualMemory = 9, '//从物理地址拷贝到用户空间，不能写到内核空间 SysDbgCopyMemoryChunks_2 = 10 '//SysDbgReadVirtualMemory = 10, '//从用户空间拷贝到物理地址，不能读取内核空间 SysDbgCopyMemoryChunks_3 = 11 '//SysDbgWriteVirtualMemory = 11, '//读写处理器相关控制块 SysDbgSysReadControlSpace = 12 SysDbgSysWriteControlSpace = 13 '//读写端口 SysDbgSysReadIoSpace = 14 SysDbgSysWriteIoSpace = 15 '//分别调用RDMSR@4和_WRMSR@12 SysDbgSysReadMsr = 16 SysDbgSysWriteMsr = 17 '//读写总线数据 SysDbgSysReadBusData = 18 SysDbgSysWriteBusData = 19 SysDbgSysCheckLowMemory = 20 '// 以下是NT 5.2 新增的 '//分别调用_KdEnableDebugger@0和_KdDisableDebugger@0 SysDbgEnableDebugger = 21 SysDbgDisableDebugger = 22 '//获取和设置一些调试相关的变量 SysDbgGetAutoEnableOnEvent = 23 SysDbgSetAutoEnableOnEvent = 24 SysDbgGetPitchDebugger = 25 SysDbgSetDbgPrintBufferSize = 26 SysDbgGetIgnoreUmExceptions = 27 SysDbgSetIgnoreUmExceptions = 28 End Enum '读写内核空间函数 Private Declare Function NtSystemDebugControl Lib "NTDLL.DLL" (ByVal ControlCode As SYSDBG_COMMAND, _ ByRef InputBuffer As Any, _ ByVal InputBufferLength As Long, _ ByRef OutputBuffer As Any, _ ByVal OutputBufferLength As Long, _ ByRef ReturnLength As Long) As Long '枚举Kernel Module函数 Private Declare Function NtQuerySystemInformation Lib "NTDLL.DLL" (ByVal SystemInformationClass As SYSTEM_INFORMATION_CLASS, _ ByVal pSyst