获取进程及父进程的两种方式(转)
https://www.cnblogs.com/jkcx/p/7463506.html
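#include <windows.h>
#include <TlHelp32.h>
#include <stdio.h>
#include <wtypes.h>
#include <iostream>

// PROCESSINFOCLASS value for ProcessBasicInformation.  Defined locally so
// <winternl.h> is not needed (it would also declare its own
// PROCESS_BASIC_INFORMATION and clash with the typedef below).
#define ProcessBasicInformation 0

// Layout that ntdll!NtQueryInformationProcess fills in for
// ProcessBasicInformation.  The fields are pointer-sized: a DWORD-only
// definition is too small in a 64-bit build, the length check inside ntdll
// then fails and the parent PID is never returned.
typedef struct {
    LONG      ExitStatus;
    PVOID     PebBaseAddress;
    ULONG_PTR AffinityMask;
    LONG      BasePriority;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;

// ntdll!NtQueryInformationProcess (NT specific!)
//
// The function copies the process information of the
// specified type into a buffer
//
// NTSYSAPI
// NTSTATUS
// NTAPI
// NtQueryInformationProcess(
//     IN HANDLE ProcessHandle,              // handle to process
//     IN PROCESSINFOCLASS InformationClass, // information type
//     OUT PVOID ProcessInformation,         // pointer to buffer
//     IN ULONG ProcessInformationLength,    // buffer size in bytes
//     OUT PULONG ReturnLength OPTIONAL      // pointer to a 32-bit
//                                           // variable that receives
//                                           // the number of bytes
//                                           // written to the buffer
// );
typedef LONG(__stdcall *PROCNTQSIP)(HANDLE, UINT, PVOID, ULONG, PULONG);

// Returns the parent PID recorded by the kernel for dwProcessId, or
// (DWORD)-1 when ntdll's export cannot be resolved, the process cannot be
// opened with PROCESS_QUERY_INFORMATION, or the query fails.
//
// The value is the PID the process was created under; if that parent has
// since exited, the PID may already belong to an unrelated process.
DWORD GetParentProcessIDBYID(DWORD dwProcessId)
{
    PROCNTQSIP NtQueryInformationProcess = (PROCNTQSIP)GetProcAddress(
        GetModuleHandle(L"ntdll"), "NtQueryInformationProcess");
    if (NULL == NtQueryInformationProcess) {
        return (DWORD)-1;
    }

    // OpenProcess returns NULL (not INVALID_HANDLE_VALUE) on failure.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwProcessId);
    if (!hProcess) {
        return (DWORD)-1;
    }

    DWORD dwParentPID = (DWORD)-1;
    PROCESS_BASIC_INFORMATION pbi;
    LONG status = NtQueryInformationProcess(hProcess, ProcessBasicInformation,
                                            (PVOID)&pbi, sizeof(pbi), NULL);
    // NTSTATUS success is 0; pbi is only valid in that case.
    if (status == 0) {
        dwParentPID = (DWORD)pbi.InheritedFromUniqueProcessId;
    }
    CloseHandle(hProcess);
    return dwParentPID;
}

// Walks a Toolhelp process snapshot for the first entry whose image name
// equals ProcessName (case-insensitive, as Windows file names are) and
// copies it into *pEntry.
//
// Returns 1 on a match, 0 when no process matched, -1 when the snapshot
// could not be created.  The snapshot handle is closed on every path; the
// original code leaked it on the "found" path and the "not found" path.
static int FindProcessEntry(const WCHAR* ProcessName, PROCESSENTRY32* pEntry)
{
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        printf_s("创建进行快照失败\n");
        return -1;
    }

    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);   // required by Process32First; dwFlags is reserved and left alone

    int found = 0;
    for (BOOL ok = Process32First(hSnap, &pe32); ok; ok = Process32Next(hSnap, &pe32)) {
        if (_wcsicmp(pe32.szExeFile, ProcessName) == 0) {
            *pEntry = pe32;
            found = 1;
            break;
        }
    }
    CloseHandle(hSnap);
    return found;
}

// Returns the PID of the first process whose image name is ProcessName,
// 0 when no such process exists, or -1 when the snapshot failed.
// Note that 0 is also the PID of the System Idle Process, so callers cannot
// distinguish "not found" from that process by the return value alone.
int GetProcessID(WCHAR* ProcessName)
{
    PROCESSENTRY32 pe32;
    int rc = FindProcessEntry(ProcessName, &pe32);
    if (rc < 0) {
        return -1;
    }
    if (rc == 0) {
        return 0;   // operation failed (process was not found)
    }
    return (int)pe32.th32ProcessID;
}

// Returns the parent PID (from the snapshot entry) of the first process whose
// image name is ProcessName, 0 when no such process exists, or -1 when the
// snapshot failed.  Same caveat as GetProcessID about a 0 result.
int GetParentProcessID(WCHAR* ProcessName)
{
    PROCESSENTRY32 pe32;
    int rc = FindProcessEntry(ProcessName, &pe32);
    if (rc < 0) {
        return -1;
    }
    if (rc == 0) {
        return 0;   // operation failed (process was not found)
    }
    return (int)pe32.th32ParentProcessID;
}

// Converts the ANSI (CP_ACP) string szSrc into wszDst.
//
// nMaxLen is the capacity of wszDst in WCHARs (a character count, not a
// byte count).  When the converted string including its terminator does not
// fit, or the length query fails, a warning box is shown and wszDst is left
// untouched; callers should zero-initialise wszDst so they can detect that.
void C2W(const char* szSrc, WCHAR* wszDst, int nMaxLen)
{
    int vMinLen = MultiByteToWideChar(CP_ACP, 0, szSrc, -1, NULL, 0);
    if (vMinLen <= 0 || vMinLen > nMaxLen) {
        MessageBoxA(NULL, szSrc, "转换成UNICODE字串失败", MB_ICONWARNING);
        return;
    }
    MultiByteToWideChar(CP_ACP, 0, szSrc, -1, wszDst, nMaxLen);
}

// Reads a process image name from stdin and prints its PID and parent PID
// obtained both from the Toolhelp snapshot and from NtQueryInformationProcess.
int main()
{
    char proc[64] = {0};
    WCHAR buf[64] = {0};

    // "%63s" leaves room for the terminator; the size argument lets scanf_s
    // enforce the same bound.
    if (scanf_s("%63s", proc, (unsigned)sizeof(proc)) != 1) {
        return 1;
    }

    // C2W takes a WCHAR count.  Passing sizeof(buf) (bytes) would allow a
    // string of up to 128 characters to be written into a 64-WCHAR buffer.
    C2W(proc, buf, (int)(sizeof(buf) / sizeof(buf[0])));
    if (buf[0] == L'\0') {
        return 1;   // conversion failed; C2W already reported it
    }

    int pid = GetProcessID(buf);
    printf("进程ID:%d\n", pid);
    int ppid = GetParentProcessID(buf);
    printf("父进程ID:%d\n", ppid);
    int ppid2 = (int)GetParentProcessIDBYID((DWORD)pid);
    printf("父进程ID2:%d\n", ppid2);
    system("pause\n");
    return 0;
}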
在不同的系统中，获取进程名字的方式不一致。
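// Resolves the image name and parent PID of processID, records both in
// m_cMyProc and writes a "<name> pid:<n>, ppid:<n>" line to the debugger.
//
// PIDs 0 (System Idle Process) and 4 (System) cannot be opened for image
// queries, so their names are hard-coded.  For every other process the
// image-name API is chosen by major OS version, because each API was
// introduced with a different Windows release.
void CProcess::PrintProcessNameAndID( DWORD processID )
{
    char szProcessName[MAX_PATH] = "<unknown>";
    PROCESS_BASIC_INFORMATION pbi = {0};
    tagProcess tagpro;

    OSVERSIONINFOEX osver = { 0 };
    osver.dwOSVersionInfoSize = sizeof(osver);
    // NOTE(review): GetVersionEx reports a capped version on Windows 8.1 and
    // later unless the executable manifest opts in; the ">= 6" branch below
    // still selects the right API in that case.
    GetVersionEx((OSVERSIONINFO*)&osver);

    // Return value not checked, as in the original; presumably a failure only
    // reduces the set of processes that can be opened - TODO confirm.
    EnablePrivilege();

    // OpenProcess returns NULL on failure, never INVALID_HANDLE_VALUE.  The
    // original compared against INVALID_HANDLE_VALUE and so called the
    // query APIs (and CloseHandle) with a NULL handle whenever the open failed.
    HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processID );

    if (processID == 0) {
        // System Idle Process: no image, no parent.
        strcpy_s(szProcessName, MAX_PATH, "System Idle Process");
    } else if (processID == 4) {
        // System (ntoskrnl.exe): parent is PID 0.
        strcpy_s(szProcessName, MAX_PATH, "System");
    } else if (hProcess != NULL) {
        if (osver.dwMajorVersion < 5) {          // NT4 / 2000
            HMODULE hMod;
            DWORD cbNeeded;
            if (EnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded)) {
                GetModuleFileNameEx(hProcess, hMod, szProcessName, sizeof(szProcessName));
            }
        } else if (osver.dwMajorVersion == 5) {  // XP / 2003
            // Yields a native path (\Device\...); only the file name is kept below.
            GetProcessImageFileName(hProcess, szProcessName, sizeof(szProcessName));
        } else {                                 // Vista and later
            DWORD dwPathNameSize = sizeof(szProcessName);
            QueryFullProcessImageName(hProcess, 0, szProcessName, &dwPathNameSize);
        }
    }

    if (hProcess != NULL) {
        // pbi stays zeroed when the query fails, so ppid then reads as 0.
        NtQueryInformationProcess(hProcess, ProcessBasicInformation, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL);
        CloseHandle(hProcess);
        hProcess = NULL;
    }

    tagpro.pid = processID;
    // NOTE(review): the parent PID is the one recorded at creation.  If that
    // parent has exited its PID may be unused or reused, so building the
    // parent/child table from this value can miss the parent or attach the
    // entry to an unrelated process.  Existence is not validated here.
    tagpro.ppid = pbi.InheritedFromUniqueProcessId;

    // Keep only the text after the last backslash.  ReverseFind returns -1
    // when there is none, which leaves the string unchanged.
    CString strName = szProcessName;
    strName = strName.Right(strName.GetLength() - strName.ReverseFind('\\') - 1);
    tagpro.strProcessName = strName;
    m_cMyProc.Add(processID, tagpro);

    // NOTE(review): szProcessName is a char[]; "%s" inside a _T() format only
    // prints it correctly in an MBCS build - confirm the project's character
    // set.  The ppid is cast because the field is pointer-sized in ntdll's
    // definition and "%u" expects a 32-bit value.
    CString str;
    str.Format(_T("%s pid:%u, ppid:%u\n"), szProcessName, processID, (unsigned int)pbi.InheritedFromUniqueProcessId);
    // Print the process name and identifier.
    OutputDebugString(str);
}

// Enumerates every PID on the system and feeds each one to
// PrintProcessNameAndID.  Returns TRUE on success, FALSE when EnumProcesses
// or the buffer allocation fails.
//
// EnumProcesses has no "buffer too small" error: a result that fills the
// buffer completely may be truncated, so the buffer is grown and the call
// repeated until the result fits with room to spare.
BOOL CProcess::InitProcessList(void)
{
    DWORD cbCapacity = 1024 * sizeof(DWORD);
    DWORD cbNeeded = 0;
    DWORD* aProcesses = NULL;

    for (;;) {
        aProcesses = (DWORD*)HeapAlloc(GetProcessHeap(), 0, cbCapacity);
        if (aProcesses == NULL) {
            return FALSE;
        }
        if ( !EnumProcesses( aProcesses, cbCapacity, &cbNeeded ) ) {
            HeapFree(GetProcessHeap(), 0, aProcesses);
            return FALSE;
        }
        if (cbNeeded < cbCapacity) {
            break;
        }
        HeapFree(GetProcessHeap(), 0, aProcesses);
        cbCapacity *= 2;
    }

    DWORD cProcesses = cbNeeded / sizeof(DWORD);
    for ( DWORD i = 0; i < cProcesses; i++ ) {
        PrintProcessNameAndID(aProcesses[i]);
    }
    HeapFree(GetProcessHeap(), 0, aProcesses);

    // TODO: ordering the parent/child table (m_cMyProc.Sort / Print /
    // RemoveALl) is still disabled; the original returned FALSE here even
    // on success, which made callers treat every run as a failure.
    return TRUE;
}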