进程枚举(ToolHelp)

进程枚举(ToolHelp)

作者: FallMR | 来源:发表于2017-02-20 21:57 被阅读0次

    首先要弄清楚的是ToolHelp的API

    Tool Help Functions
    The following functions are part of the tool help library.

    | Function | Description |
    |:-------------:|:-------------:|
    |CreateToolhelp32Snapshot | Takes a snapshot of the specified processes, as well as the heaps, modules, and threads used by these processes. |
    |Heap32First | Retrieves information about the first block of a heap that has been allocated by a process.|
    |Heap32ListFirst | Retrieves information about the first heap that has been allocated by a specified process.|
    |Heap32ListNext | Retrieves information about the next heap that has been allocated by a process.|
    |Heap32Next | Retrieves information about the next block of a heap that has been allocated by a process.|
    |Module32First | Retrieves information about the first module associated with a process.|
    |Module32Next | Retrieves information about the next module associated with a process or thread.|
    |Process32First | Retrieves information about the first process encountered in a system snapshot.|
    |Process32Next | Retrieves information about the next process recorded in a system snapshot.|
    |Thread32First | Retrieves information about the first thread of any process encountered in a system snapshot.|
    |Thread32Next | Retrieves information about the next thread of any process encountered in the system memory snapshot.|
    |Toolhelp32ReadProcessMemory |Copies memory allocated to another process into an application-supplied buffer.|

    总之就这么几个函数= =
    然后第一个函数就是给进程拍快照(snapshot)
    拍快照这个函数的原型如下:

    HANDLE WINAPI CreateToolhelp32Snapshot(
      _In_  DWORD dwFlags,
      _In_  DWORD th32ProcessID
    );
    

    两个传入的参数,第一个决定快照类型,第二个是目标进程的 ID(注意是 DWORD 类型的进程 ID,不是句柄)

    然后下面的函数明显分成四块(最后一个不看)
    Heap Module Process Thread

    Heap的一大块里面又分出来两种 一个是List的First和Next 一个是直接的First和Next,也就是堆和块,下面一段程序描述了Heap信息获取:

    #include <windows.h>
    #include <stdio.h>
    #include <TlHelp32.h>
    #include <iostream>
     
    using namespace std;
     
    //获取指定进程下的堆信息 
    BOOL ListProcessHeaps(DWORD dwOwnerPID);
     
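    int main()
    {
        // Enumerate the heaps of this process only; the result is printed as a
        // side effect, so the BOOL return value is not inspected here.
        ListProcessHeaps(GetCurrentProcessId());
        system("pause");
        // Explicit exit status, consistent with the process-listing sample below.
        return 0;
    }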
    
     
    //获取进程堆信息
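    BOOL ListProcessHeaps(DWORD dwOwnerPID)
    {
        // Snapshot only the heap list of the requested process.
        const HANDLE hHeapSnap = CreateToolhelp32Snapshot(TH32CS_SNAPHEAPLIST, dwOwnerPID);
        if (hHeapSnap == INVALID_HANDLE_VALUE)
        {
            // Snapshot failed (for example, insufficient access to the target
            // process); GetLastError() carries the reason. BOOL is an int, so
            // FALSE rather than the bool literal used originally.
            return FALSE;
        }

        HEAPLIST32 hl;
        ZeroMemory(&hl, sizeof(hl));
        hl.dwSize = sizeof(HEAPLIST32);   // must be set before Heap32ListFirst

        if (Heap32ListFirst(hHeapSnap, &hl))   // at least one heap in the list
        {
            do
            {
                // One block inside the current heap.
                HEAPENTRY32 he;
                ZeroMemory(&he, sizeof(he));
                he.dwSize = sizeof(HEAPENTRY32);

                // Walk every block of this heap. The owning PID is taken from the
                // list entry itself: the original passed GetCurrentProcessId(),
                // which silently enumerated the caller's heaps whenever
                // dwOwnerPID named a different process.
                if (Heap32First(&he, hl.th32ProcessID, hl.th32HeapID))
                {
                    // th32HeapID is a ULONG_PTR (64-bit on x64); widen it
                    // explicitly instead of passing it to "%d".
                    printf("\nHeap ID:  %llu\n", (unsigned long long)hl.th32HeapID);
                    do
                    {
                        // dwBlockSize is a SIZE_T, same width concern as above.
                        printf("Block size: %llu\n", (unsigned long long)he.dwBlockSize);
                        he.dwSize = sizeof(HEAPENTRY32);
                    } while (Heap32Next(&he));   // advance to the next block
                }
                hl.dwSize = sizeof(HEAPLIST32);   // re-arm before fetching the next heap
            } while (Heap32ListNext(hHeapSnap, &hl));
        }

        CloseHandle(hHeapSnap);
        return TRUE;
    }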
    

    不过我们要干的是进程的枚举而不是堆和块的枚举,所以下面才是正片- -来着
    嗯。。还是贴代码最省事

    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <TlHelp32.h>
    #include <iostream>
     
    using namespace std;
     
    //获取指定进程下的堆信息 
    BOOL GetProcessList();
     
    int main()
    {
        // Dump the process table, then hold the console open until a key is pressed.
        (void)GetProcessList();
        system("pause");
        return 0;
    }
     
    //枚举系统快照中的所有进程
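    BOOL GetProcessList()
    {
        // Snapshot every process on the system. The second argument is ignored
        // for TH32CS_SNAPPROCESS, hence 0.
        const HANDLE hProcessSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hProcessSnapshot == INVALID_HANDLE_VALUE)
        {
            return FALSE;
        }

        // Use the wide struct and functions explicitly so the output does not
        // depend on whether UNICODE is defined: with UNICODE on, PROCESSENTRY32
        // expands to PROCESSENTRY32W and "%s" would be handed a WCHAR string.
        PROCESSENTRY32W pe32;
        ZeroMemory(&pe32, sizeof(pe32));
        pe32.dwSize = sizeof(pe32);   // must be set before Process32FirstW

        // Fetch the first entry; bail out (and release the snapshot) on failure.
        if (!Process32FirstW(hProcessSnapshot, &pe32))
        {
            CloseHandle(hProcessSnapshot);
            return FALSE;
        }

        do
        {
            printf("-----------------------------------------\n");
            printf("Process Name: %ls\n", pe32.szExeFile);
            // NOTE(review): PIDs are recycled once a process exits, so the parent
            // ID recorded here may no longer refer to a running process.
            printf("Parent Process ID: 0x%08lX\n", (unsigned long)pe32.th32ParentProcessID);
            printf("Process ID: 0x%08lX\n", (unsigned long)pe32.th32ProcessID);
            printf("Thread Count: %lu\n", (unsigned long)pe32.cntThreads);
            printf("Base Priority: %ld\n", (long)pe32.pcPriClassBase);
        } while (Process32NextW(hProcessSnapshot, &pe32));

        CloseHandle(hProcessSnapshot);
        return TRUE;
    }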
    
