通过 Windows 的 Toolhelp32、psapi 或 ZwQuerySystemInformation 系统调用可以列出进程,但这些方法随便一个用户态 API Hook 就能绕过,有没有其它好的方法找到被隐藏的进程?
有谁能把下面的代码转换为 VB 代码吗?
// Easy to Find Hidden PID Code
// Author: Finback Jun.6,2006 <Finbackcpp@hotmail.com>
// NOTE: this code does not need any driver support (user mode only)
#include "stdafx.h"
#include <windows.h>
#include "psapi.h"
#pragma comment(lib,"psapi.lib")
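/* PID scan range.  Windows hands out PIDs in multiples of 4; the sweep starts
 * at 0x0c, skipping the two lowest slots exactly as the original did.  The
 * upper bound is the original author's choice -- PIDs above 0xFFFF can occur
 * on later Windows versions, so raise PID_SCAN_LAST if those matter. */
enum { PID_SCAN_FIRST = 0x0c, PID_SCAN_LAST = 0xFFFF, PID_SCAN_STEP = 4 };

/* Capacity of the EnumProcesses() result buffer, in PIDs. */
enum { MAX_ENUM_PIDS = 1024 };

/* Return TRUE if pid is one of the count entries in list. */
static BOOL pid_is_listed(DWORD pid, const DWORD *list, DWORD count)
{
    for (DWORD i = 0; i < count; i++) {
        if (list[i] == pid) {
            return TRUE;
        }
    }
    return FALSE;
}

/*
 * Cross-check the PID list reported by EnumProcesses() against a brute-force
 * OpenProcess() sweep over the PID space.
 *
 * A PID that can be opened but is absent from the enumeration is printed with
 * "--[Hidden]--"; one that can be opened but has no enumerable modules is
 * printed with "--[Zombie]--".
 *
 * Limitations (everything runs in user mode, no driver):
 *  - PIDs that OpenProcess() refuses (no such process, or access denied for
 *    other users' / protected processes without SeDebugPrivilege) are skipped
 *    silently, so an inaccessible process is neither listed nor flagged.
 *  - Only processes hidden from the enumeration API are caught; a process
 *    that is also hidden from OpenProcess() will not be seen here.
 *  - If EnumProcesses() fills the whole buffer the listing may have been
 *    truncated and every missing PID would look "hidden"; a warning is
 *    printed in that case.
 *
 * Returns 0 on success, 1 if the process list could not be obtained.
 */
int main(int argc, char* argv[])
{
    DWORD aProcesses[MAX_ENUM_PIDS];
    DWORD cbNeeded = 0;

    (void)argc;
    (void)argv;

    printf("\nEasy to Find Hided PID Code \n");
    printf("Author: Finback Jun.6,2006 <Finbackcpp@hotmail.com> \n");
    printf("NOTE:this code needn't any driver supported \n");
    printf(" \n");

    if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded)) {
        /* Without the reference list there is nothing to compare against. */
        printf("EnumProcesses failed (error %lu)\n", GetLastError());
        return 1;
    }
    if (cbNeeded >= sizeof(aProcesses)) {
        /* The API gives no overflow indication other than a full buffer. */
        printf("WARNING: process list may be truncated; [Hidden] marks may be false positives\n");
    }
    DWORD cProcesses = cbNeeded / sizeof(DWORD);

    for (DWORD pid = PID_SCAN_FIRST; pid < PID_SCAN_LAST; pid += PID_SCAN_STEP) {
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                      FALSE, pid);
        if (hProcess == NULL) {
            continue; /* no such PID, or access denied: nothing to report */
        }

        /* szName keeps "<Unknown>" if neither name lookup below succeeds. */
        char szName[MAX_PATH] = "<Unknown>";
        HMODULE hModule = NULL;
        DWORD cbModules = 0;
        BOOL listed = pid_is_listed(pid, aProcesses, cProcesses);

        if (EnumProcessModules(hProcess, &hModule, sizeof(hModule), &cbModules)) {
            GetModuleFileNameEx(hProcess, hModule, szName, sizeof(szName));
            /* DWORD is unsigned long on Windows, hence %lu. */
            printf("%-5lu - %16s %s\n", pid, szName, listed ? "" : "--[Hidden]--");
        } else {
            /* No module list: the process is exiting or not fully started. */
            GetProcessImageFileName(hProcess, szName, sizeof(szName));
            printf("%-5lu - %16s %s\n", pid, szName, "--[Zombie]--");
        }
        CloseHandle(hProcess);
    }
    return 0;
}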