
如何获取父进程的ID(转)

2013-08-19 16:12 239 查看
网络上搜集到的代码段,未经过测试,先记录下来以后查阅。注意:原文写于 1999 年,面向 32 位 Windows NT/2000,其中结构体字段均按 32 位宽度定义;在 64 位 Windows 上这些字段是指针宽度的,直接照搬会使 NtQueryInformationProcess 因缓冲长度不匹配而失败(STATUS_INFO_LENGTH_MISMATCH)。

众所周知,Windows NT/2000 系统的 API“黑洞”之一便是 NTDLL.DLL,此 DLL 导出了许多未公开(未文档化、随版本可能变化)的 API 函数。本文将列举一、二,并用它们示范如何获取任意指定进程的父进程 ID。

NTDLL.DLL中有一个函数叫NtQueryInformationProcess,用它可以将指定类型的进程信息拷贝到某个缓冲。其原型如下:

NTSYSAPI

NTSTATUS

NTAPI

NtQueryInformationProcess (

IN HANDLE ProcessHandle, // 进程句柄

IN PROCESSINFOCLASS InformationClass, // 信息类型

OUT PVOID ProcessInformation, // 缓冲指针

IN ULONG ProcessInformationLength, // 以字节为单位的缓冲大小

OUT PULONG ReturnLength OPTIONAL // 写入缓冲的字节数

);

第一个参数是希望操作的进程句柄,这个句柄必须以PROCESS_QUERY_INFORMATION模式存取。为了取得一个句柄,我们必须用OpenProcess函数:

HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,dwProcessID);

第二个参数是请求信息的类型,这个参数可以有许多个值,本文例子中将用ProcessBasicInformation (值为0)。

因此,如果第二个参数是ProcessBasicInformation的话,则第三个参数必须为一个指针指向结构PROCESS_BASIC_INFORMATION:

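/*
 * Layout returned for the ProcessBasicInformation (0) class.
 *
 * The kernel's definition uses pointer-sized fields (winternl.h declares
 * them as PVOID / ULONG_PTR).  Declaring them DWORD/ULONG, as the original
 * article did, yields a 24-byte structure on 64-bit Windows where the kernel
 * expects 48 bytes: NtQueryInformationProcess then fails with
 * STATUS_INFO_LENGTH_MISMATCH, and the PID fields would sit at the wrong
 * offsets even if it did not.  On 32-bit Windows both layouts are identical.
 */
typedef struct
{
    LONG      ExitStatus;                    /* NTSTATUS exit code (valid once terminated) */
    PVOID     PebBaseAddress;                /* address of the Process Environment Block */
    ULONG_PTR AffinityMask;                  /* processor affinity mask */
    LONG      BasePriority;                  /* KPRIORITY base priority */
    ULONG_PTR UniqueProcessId;               /* PID of the queried process */
    ULONG_PTR InheritedFromUniqueProcessId;  /* PID of the creator, recorded at creation time */
} PROCESS_BASIC_INFORMATION;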

这个结构的最后一个成员是InheritedFromUniqueProcessId,它就是我们所要的东西。需要注意:该字段记录的是进程被创建时“创建者”的 PID,而不是“当前父进程”。Windows 会回收 PID,创建者可能早已退出,该 PID 也可能已被一个无关进程复用;此外自 Vista 起,创建者可以通过 PROC_THREAD_ATTRIBUTE_PARENT_PROCESS 指定任意进程作为“父进程”。因此在取证或检测场景中,不能把这个值当作进程血缘的可靠证据,至少应配合 GetProcessTimes 比较两者的创建时间。

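DWORD dwParentPID = (DWORD)-1;   /* sentinel: stays -1 if the query fails */
LONG  status;
ULONG cbReturned = 0;            /* bytes the kernel actually wrote */
PROCESS_BASIC_INFORMATION pbi;

status = NtQueryInformationProcess( hProcess,
                                    ProcessBasicInformation,
                                    (PVOID)&pbi,
                                    sizeof(PROCESS_BASIC_INFORMATION),
                                    &cbReturned );

/*
 * NTSTATUS: STATUS_SUCCESS is 0 and every failure code is negative, so test
 * the sign rather than "== 0".  Also require the whole structure to have
 * been written before reading its last member.  The original left
 * dwParentPID uninitialized on failure, which is undefined behaviour if
 * the caller then reads it.
 */
if (status >= 0 && cbReturned >= sizeof(PROCESS_BASIC_INFORMATION))
    dwParentPID = (DWORD)pbi.InheritedFromUniqueProcessId;  /* PIDs fit in 32 bits */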

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


// parent.cpp (Windows NT/2000)

//

// This example will show the method how you can retrieve the parent

// process ID on Windows NT/2000 using the NT Native API

//

//

// (c)1999 Ashot Oganesyan K, SmartLine, Inc

// mailto:ashot@aha.ru, http://www.protect-me.com, http://www.codepile.com

#include <windows.h>

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define ProcessBasicInformation 0

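/*
 * Layout returned for the ProcessBasicInformation (0) class.
 *
 * The kernel's definition uses pointer-sized fields (winternl.h declares
 * them as PVOID / ULONG_PTR).  Declaring them DWORD/ULONG, as the original
 * sample did, yields a 24-byte structure on 64-bit Windows where the kernel
 * expects 48 bytes: NtQueryInformationProcess then fails with
 * STATUS_INFO_LENGTH_MISMATCH, and the PID fields would sit at the wrong
 * offsets even if it did not.  On 32-bit Windows both layouts are identical.
 */
typedef struct
{
    LONG      ExitStatus;                    /* NTSTATUS exit code (valid once terminated) */
    PVOID     PebBaseAddress;                /* address of the Process Environment Block */
    ULONG_PTR AffinityMask;                  /* processor affinity mask */
    LONG      BasePriority;                  /* KPRIORITY base priority */
    ULONG_PTR UniqueProcessId;               /* PID of the queried process */
    ULONG_PTR InheritedFromUniqueProcessId;  /* PID of the creator, recorded at creation time */
} PROCESS_BASIC_INFORMATION;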

// ntdll!NtQueryInformationProcess (NT specific!)

//

// The function copies the process information of the

// specified type into a buffer

//

// NTSYSAPI

// NTSTATUS

// NTAPI

// NtQueryInformationProcess(

// IN HANDLE ProcessHandle, // handle to process

// IN PROCESSINFOCLASS InformationClass, // information type

// OUT PVOID ProcessInformation, // pointer to buffer

// IN ULONG ProcessInformationLength, // buffer size in bytes

// OUT PULONG ReturnLength OPTIONAL // pointer to a 32-bit

// // variable that receives

// // the number of bytes

// // written to the buffer

// );

// Function-pointer type for ntdll!NtQueryInformationProcess.
// The export is undocumented (no header or import library in the platform
// SDK of the time), so it is resolved with GetProcAddress at run time
// instead of being linked.  Its calling convention is NTAPI (__stdcall),
// which WINAPI also expands to, so the signature matches on x86; on x64
// there is a single calling convention anyway.
// Parameters: (ProcessHandle, InformationClass, ProcessInformation,
//              ProcessInformationLength, ReturnLength) -- see the
// prototype reproduced in the comment above.
typedef LONG (WINAPI *PROCNTQSIP)(HANDLE,UINT,PVOID,ULONG,PULONG);

// Global set by main() after GetProcAddress succeeds (NULL until then).
// GetParentProcessID() calls through it unconditionally; main() exits
// early when the lookup fails so the NULL pointer is never called.
PROCNTQSIP NtQueryInformationProcess;

DWORD GetParentProcessID(DWORD dwId);

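/*
 * Entry point:  parent.exe <ProcId>
 *
 * Resolves ntdll!NtQueryInformationProcess at run time, parses the target
 * PID from argv[1] and prints the PID of the process that created it.
 *
 * Returns 0 on success and 1 on bad usage, unparsable input, a failed
 * export lookup, or when the target process cannot be queried.  The
 * original was "void main" and printed the (DWORD)-1 failure sentinel as
 * if it were a PID (4294967295).
 */
int main(int argc, char* argv[])
{
    if (argc<2)
    {
        printf("Usage:\n\nparent.exe ProcId\n");
        return 1;
    }

    // ntdll.dll is mapped into every Win32 process, so GetModuleHandle is
    // sufficient (no LoadLibrary).  Still check the result: passing a NULL
    // module to GetProcAddress would silently search this executable instead.
    HMODULE hNtdll = GetModuleHandle("ntdll");
    if (!hNtdll)
    {
        printf("GetModuleHandle(ntdll) failed, error %lu\n", GetLastError());
        return 1;
    }

    NtQueryInformationProcess = (PROCNTQSIP)GetProcAddress(
                                            hNtdll,
                                            "NtQueryInformationProcess"
                                            );
    if (!NtQueryInformationProcess)
    {
        printf("NtQueryInformationProcess is not exported by ntdll\n");
        return 1;
    }

    // Parse the PID with strtoul rather than an unchecked sscanf: a
    // non-numeric argument previously left dwId uninitialized and the
    // program went on to query a garbage PID.  Reject empty input, trailing
    // characters and out-of-range values.  DWORD is unsigned long on
    // Windows, so the conversion below cannot truncate.
    char *end = NULL;
    errno = 0;
    unsigned long id = strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE)
    {
        printf("Invalid process id: %s\n", argv[1]);
        return 1;
    }
    DWORD dwId = (DWORD)id;

    DWORD dwParent = GetParentProcessID(dwId);
    if (dwParent == (DWORD)-1)   // failure sentinel returned by GetParentProcessID
    {
        printf("Cannot query process %lu (OpenProcess or NtQueryInformationProcess failed)\n", dwId);
        return 1;
    }

    printf("Parent PID for %lu is %lu\n",dwId,dwParent);
    return 0;
}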

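/*
 * Return the PID of the process that created dwId, or (DWORD)-1 if the
 * target cannot be opened or queried.
 *
 * Calls ntdll!NtQueryInformationProcess (through the NtQueryInformationProcess
 * pointer resolved in main()) with the ProcessBasicInformation class and
 * reads PROCESS_BASIC_INFORMATION.InheritedFromUniqueProcessId.
 *
 * Caveats before using the result as security evidence:
 *  - The value is the creator's PID as recorded when dwId was created.
 *    PIDs are recycled, so the creator may have exited and the ID may now
 *    belong to an unrelated process.  Compare creation times
 *    (GetProcessTimes) before treating the pair as parent/child.
 *  - Since Vista a creator can name an arbitrary process as the "parent"
 *    via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, so the field is not proof
 *    of lineage.
 *  - (DWORD)-1 is an in-band sentinel.  It is not a valid Windows PID, but
 *    the caller cannot tell "access denied" from "no such process".
 */
DWORD GetParentProcessID(DWORD dwId)
{
    LONG                      status;
    DWORD                     dwParentPID = (DWORD)-1;
    HANDLE                    hProcess;
    ULONG                     cbReturned = 0;   /* bytes the kernel wrote into pbi */
    PROCESS_BASIC_INFORMATION pbi;

    // PROCESS_QUERY_INFORMATION is what NT/2000 (the sample's target) needs.
    // In practice, Vista and later accept PROCESS_QUERY_LIMITED_INFORMATION
    // for this class and it succeeds against more protected targets; that
    // right does not exist on the systems this sample targets, so it is
    // not requested here.
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,dwId);
    if (!hProcess)
        return (DWORD)-1;

    status = NtQueryInformationProcess( hProcess,
                                        ProcessBasicInformation,
                                        (PVOID)&pbi,
                                        sizeof(PROCESS_BASIC_INFORMATION),
                                        &cbReturned
                                      );

    // NTSTATUS: STATUS_SUCCESS is 0 and every failure code is negative, so
    // test the sign rather than "== 0".  Also require the whole structure
    // to have been written.  If the caller's struct size does not match the
    // kernel's (e.g. 32-bit fields on 64-bit Windows) the call returns
    // STATUS_INFO_LENGTH_MISMATCH and we correctly fall through to -1.
    if (status >= 0 && cbReturned >= sizeof(PROCESS_BASIC_INFORMATION))
        dwParentPID = (DWORD)pbi.InheritedFromUniqueProcessId;  // PIDs fit in 32 bits

    CloseHandle (hProcess);

    return dwParentPID;
}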

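// parent.cpp (Windows NT/2000)
//
// This example will show the method how you can retrieve the parent
// process ID on Windows NT/2000 using the NT Native API
//
// Review notes: PROCESS_BASIC_INFORMATION is declared with pointer-sized
// fields so the query also works on 64-bit Windows, argv[1] is validated
// instead of being parsed with an unchecked sscanf, and a failed lookup is
// reported rather than printed as a PID.
//
// (c)1999 Ashot Oganesyan K, SmartLine, Inc
// mailto:ashot@aha.ru, http://www.protect-me.com, http://www.codepile.com

#include <windows.h>

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define ProcessBasicInformation 0

/*
 * Layout returned for the ProcessBasicInformation (0) class.
 * The kernel's definition uses pointer-sized fields (PVOID / ULONG_PTR in
 * winternl.h).  Declaring them DWORD/ULONG gives a 24-byte struct on 64-bit
 * Windows where the kernel expects 48 bytes; NtQueryInformationProcess then
 * fails with STATUS_INFO_LENGTH_MISMATCH.  Both layouts agree on 32-bit.
 */
typedef struct
{
    LONG      ExitStatus;                    /* NTSTATUS exit code (valid once terminated) */
    PVOID     PebBaseAddress;                /* address of the Process Environment Block */
    ULONG_PTR AffinityMask;                  /* processor affinity mask */
    LONG      BasePriority;                  /* KPRIORITY base priority */
    ULONG_PTR UniqueProcessId;               /* PID of the queried process */
    ULONG_PTR InheritedFromUniqueProcessId;  /* PID of the creator, recorded at creation time */
} PROCESS_BASIC_INFORMATION;

// ntdll!NtQueryInformationProcess (NT specific!)
//
// The function copies the process information of the
// specified type into a buffer
//
// NTSYSAPI
// NTSTATUS
// NTAPI
// NtQueryInformationProcess(
//    IN HANDLE ProcessHandle,              // handle to process
//    IN PROCESSINFOCLASS InformationClass, // information type
//    OUT PVOID ProcessInformation,         // pointer to buffer
//    IN ULONG ProcessInformationLength,    // buffer size in bytes
//    OUT PULONG ReturnLength OPTIONAL      // pointer to a 32-bit
//                                          // variable that receives
//                                          // the number of bytes
//                                          // written to the buffer
// );
//
// The export is undocumented, so it is resolved with GetProcAddress at
// run time.  NTAPI is __stdcall, the same as WINAPI on x86.
typedef LONG (WINAPI *PROCNTQSIP)(HANDLE,UINT,PVOID,ULONG,PULONG);

// Set by main() after GetProcAddress succeeds; main() exits early otherwise.
PROCNTQSIP NtQueryInformationProcess;

DWORD GetParentProcessID(DWORD dwId);

/*
 * Entry point:  parent.exe <ProcId>
 * Returns 0 on success, 1 on bad usage/input, failed export lookup, or
 * when the target process cannot be queried.
 */
int main(int argc, char* argv[])
{
    if (argc<2)
    {
        printf("Usage:\n\nparent.exe ProcId\n");
        return 1;
    }

    // ntdll.dll is mapped into every Win32 process; still check the handle
    // rather than passing NULL to GetProcAddress (which would search this
    // executable instead).
    HMODULE hNtdll = GetModuleHandle("ntdll");
    if (!hNtdll)
    {
        printf("GetModuleHandle(ntdll) failed, error %lu\n", GetLastError());
        return 1;
    }

    NtQueryInformationProcess = (PROCNTQSIP)GetProcAddress(
                                            hNtdll,
                                            "NtQueryInformationProcess"
                                            );
    if (!NtQueryInformationProcess)
    {
        printf("NtQueryInformationProcess is not exported by ntdll\n");
        return 1;
    }

    // strtoul with full validation instead of an unchecked sscanf, whose
    // failure left dwId uninitialized.  DWORD is unsigned long on Windows,
    // so the cast below cannot truncate.
    char *end = NULL;
    errno = 0;
    unsigned long id = strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE)
    {
        printf("Invalid process id: %s\n", argv[1]);
        return 1;
    }
    DWORD dwId = (DWORD)id;

    DWORD dwParent = GetParentProcessID(dwId);
    if (dwParent == (DWORD)-1)   // failure sentinel
    {
        printf("Cannot query process %lu (OpenProcess or NtQueryInformationProcess failed)\n", dwId);
        return 1;
    }

    printf("Parent PID for %lu is %lu\n",dwId,dwParent);
    return 0;
}

/*
 * Return the PID of the process that created dwId, or (DWORD)-1 if the
 * target cannot be opened or queried.
 *
 * Caveats: the value is the creator's PID as recorded at creation time.
 * PIDs are recycled, so the creator may have exited and the ID may now
 * belong to an unrelated process (compare creation times with
 * GetProcessTimes before trusting the pair).  Since Vista the creator can
 * also name an arbitrary "parent" via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
 * so this field is not proof of lineage.
 */
DWORD GetParentProcessID(DWORD dwId)
{
    LONG                      status;
    DWORD                     dwParentPID = (DWORD)-1;
    HANDLE                    hProcess;
    ULONG                     cbReturned = 0;   /* bytes the kernel wrote into pbi */
    PROCESS_BASIC_INFORMATION pbi;

    // PROCESS_QUERY_INFORMATION is what NT/2000 needs.  Vista and later
    // accept PROCESS_QUERY_LIMITED_INFORMATION for this class, but that
    // right does not exist on the systems this sample targets.
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,dwId);
    if (!hProcess)
        return (DWORD)-1;

    status = NtQueryInformationProcess( hProcess,
                                        ProcessBasicInformation,
                                        (PVOID)&pbi,
                                        sizeof(PROCESS_BASIC_INFORMATION),
                                        &cbReturned
                                      );

    // NTSTATUS: success is 0, every failure code is negative; also require
    // the whole structure to have been written before reading its tail.
    if (status >= 0 && cbReturned >= sizeof(PROCESS_BASIC_INFORMATION))
        dwParentPID = (DWORD)pbi.InheritedFromUniqueProcessId;  // PIDs fit in 32 bits

    CloseHandle (hProcess);

    return dwParentPID;
}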