标签:
参考一些网上资料, 然后自己改了改......主要是为自己写的一个监视活动进程工具用的, 有需要可以参考参考
unit ProcessInfos; interface uses Windows, TLHelp32, PsAPI, SysUtils; type TProcessInfo = record PID: Cardinal; PathName: string; CMDName: string; end; PProcessInfo = ^TProcessInfo; TProcessInfos = array of TProcessInfo; procedure GetProcessInfos(var APIList: TProcessInfos); function FindProcess(APathName: string; var API: TProcessInfo): Boolean; function GetProcessInfo(APID: Cardinal; API: PProcessInfo): Boolean; implementation type UNICODE_STRING = packed record Length: Word; MaximumLength: Word; Buffer: PWideChar; end; PUNICODE_STRING = UNICODE_STRING; PROCESS_PARAMETERS = packed record AllocationSize: ULONG; ActualSize: ULONG; Flags: ULONG; Unknown1: ULONG; Unknown2: UNICODE_STRING; InputHandle: THandle; OutputHandle: THandle; ErrorHandle: THandle; CurrentDirectory: UNICODE_STRING; CurrentDirectoryHandle: THandle; SearchPaths: UNICODE_STRING; ApplicationName: UNICODE_STRING; CommandLine: UNICODE_STRING; EnvironmentBlock: Pointer; Unknown: array[0..9 - 1] of ULONG; Unknown3: UNICODE_STRING; Unknown4: UNICODE_STRING; Unknown5: UNICODE_STRING; Unknown6: UNICODE_STRING; end; PPROCESS_PARAMETERS = ^PROCESS_PARAMETERS; PEB = packed record AllocationSize: ULONG; Unknown1: ULONG; ProcessHinstance: Longword; ListDlls: Pointer; ProcessParameters: PPROCESS_PARAMETERS; Unknown2: ULONG; Heap: THandle; end; PPEB = ^PEB; _PROCESS_BASIC_INFORMATION = packed record Reserved1: Pointer; PebBaseAddress: PPEB; Reserved2: array[0..1] of Pointer; UniqueProcessId: PULONG; Reserved3: Pointer; end; PROCESS_BASIC_INFORMATION = _PROCESS_BASIC_INFORMATION; PPROCESS_BASIC_INFORMATION = ^PROCESS_BASIC_INFORMATION; PROCESSINFOCLASS = ( ProcessBasicInformation = 0, ProcessWow64Information = 26 ); NTSTATUS = DWORD; function NtQueryInformationProcess( ProcessHandle: THandle; ProcessInformationClass: PROCESSINFOCLASS; ProcessInformation: Pointer; ProcessInformationLength: ULONG; ReturnLength: PULONG ): NTSTATUS; stdcall; external ‘ntdll.dll‘ name ‘NtQueryInformationProcess‘; var _SystemRoot: string; procedure GetProcessInfos(var APIList: TProcessInfos); var nContinueLoop: BOOL; nSnapShotHandle: THandle; nProcessEntry32: TProcessEntry32; nCount: Word; begin nSnapShotHandle := CreateToolhelp32SnapShot(TH32CS_SNAPPROCESS, 0); try nProcessEntry32.dwSize := SizeOf(nProcessEntry32); nContinueLoop := Process32First(nSnapShotHandle, nProcessEntry32); SetLength(APIList, 65536); nCount := 0; while nContinueLoop do begin if GetProcessInfo(nProcessEntry32.th32ProcessID, @APIList[nCount]) then Inc(nCount); nContinueLoop := Process32Next(nSnapShotHandle, nProcessEntry32); end; SetLength(APIList, nCount); finally CloseHandle(nSnapShotHandle); end; end; function FindProcess(APathName: string; var API: TProcessInfo): Boolean; var nContinueLoop: BOOL; nSnapShotHandle: THandle; nProcessEntry32: TProcessEntry32; nR: TProcessInfo; begin Result := False; nSnapShotHandle := CreateToolhelp32SnapShot(TH32CS_SNAPPROCESS, 0); try nProcessEntry32.dwSize := SizeOf(nProcessEntry32); nContinueLoop := Process32First(nSnapShotHandle, nProcessEntry32); while nContinueLoop do begin if GetProcessInfo(nProcessEntry32.th32ProcessID, @nR) then begin if SameText(nR.PathName, APathName) then begin API := nR; Result := True; Break; end; end; nContinueLoop := Process32Next(nSnapShotHandle, nProcessEntry32); end; finally CloseHandle(nSnapShotHandle); end; end; function GetProcessInfo(APID: Cardinal; API: PProcessInfo): Boolean; procedure _CurePath(var APath: string); begin APath := Trim(APath); if APath = ‘‘ then Exit; if Copy(APath, 1, 4) = ‘\??\‘ then {类似\??\c:\windows\system32\winlogon.exe的路径} APath := Copy(APath, 5, Length(APath)) else if Copy(APath, 1, 12) = ‘\SystemRoot\‘ then {类似\SystemRoot\system32\smss.exe的路径} APath := IncludeTrailingBackslash(_SystemRoot) + ExtractFileName(APath); end; var nPHandle: THandle; nStr: string; nStrC: WideString; nPBI: PROCESS_BASIC_INFORMATION; nR: Cardinal; nPEB: PEB; nPP: PROCESS_PARAMETERS; nCount: Word; nBuff: array [0..MAX_PATH] of Char; begin Result := False; if API = nil then Exit; nPHandle := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, APID); if nPHandle = 0 then Exit; try if GetModuleFileNameEx(nPHandle, 0, @nBuff[0], SizeOf(nBuff)) > 0 then API^.PathName := nBuff else API^.PathName := ‘‘; try if NtQueryInformationProcess(nPHandle, ProcessBasicInformation, @nPBI, SizeOf(nPBI), @nR) <> 0 then Abort; if not ReadProcessMemory(nPHandle, nPBI.PebBaseAddress, @nPEB, SizeOf(nPEB), nR) then Abort; if not ReadProcessMemory(nPHandle, nPEB.ProcessParameters, @nPP, SizeOf(nPP), nR) then Abort; if nPP.CommandLine.Length = 0 then Abort; SetLength(nStrC, nPP.CommandLine.Length div 2); if not ReadProcessMemory(nPHandle, nPP.CommandLine.Buffer, @nStrC[1], nPP.CommandLine.Length, nR) then Abort; API^.CMDName := nStrC; except API^.CMDName := ‘‘; end; finally CloseHandle(nPHandle); end; _CurePath(API^.PathName); _CurePath(API^.CMDName); API^.PID := APID; Result := True; end; var nBuff: array [0..MAX_PATH] of Char; initialization GetSystemDirectory(nBuff, SizeOf(nBuff)); _SystemRoot := nBuff; end.
标签:
原文地址:http://www.cnblogs.com/hs-kill/p/4702571.html