高手请进,隐藏进程的线程如何扫描?
如果是隐藏进程，用以下方法扫不到任何结果。真的不知道在 WIN 下怎样才能扫描到隐藏进程的线程信息？
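{ Lists the IDs of the threads owned by ProcessID into Form1.Memo1, using a
  Toolhelp thread snapshot.

  ProcessID: the process whose threads are listed (compared against
             th32OwnerProcessID of every snapshot entry).
  Raises:    EOSError if the snapshot cannot be created.

  Caveat: a Toolhelp snapshot is a user-mode copy of the thread list obtained
  through the same interface that process-hiding techniques interpose on. A
  thread missing from this output is therefore not evidence that it does not
  exist; the list cannot serve as an integrity check on its own. }
procedure EmThreadList(ProcessID: DWord);
var
  mSnapshot: THandle;
  mTrEntry: TThreadEntry32;
begin
  // TH32CS_SNAPTHREAD ignores the process-id argument and snapshots every
  // thread on the system; the filtering happens in the loop below.
  mSnapshot := CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
  // The original ignored a failed snapshot, iterated an unset record once and
  // then closed INVALID_HANDLE_VALUE; fail explicitly instead so a failure is
  // not mistaken for "no threads".
  if mSnapshot = INVALID_HANDLE_VALUE then
    RaiseLastOSError;
  try
    // dwSize must be set before the first call or Thread32First rejects the
    // record; the remaining bytes are zeroed so no stale field is ever read.
    FillChar(mTrEntry, SizeOf(mTrEntry), 0);
    mTrEntry.dwSize := SizeOf(TThreadEntry32);
    // The original discarded this result and processed the record regardless.
    if Thread32First(mSnapshot, mTrEntry) then
      repeat
        if mTrEntry.th32OwnerProcessID = ProcessID then
          Form1.Memo1.Lines.Add(IntToStr(mTrEntry.th32ThreadID));
      until not Thread32Next(mSnapshot, mTrEntry);
  finally
    // Released even if Lines.Add raises; the original had no finally block.
    CloseHandle(mSnapshot);
  end;
end;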
[解决办法]
这个是我上月写的代码片断。
type
  { Per-thread data copied out of a THREADENTRY32 so it can be handed to the
    form through WM_ThreadInfo without exposing the Toolhelp record itself. }
  TProcess_ThreadInfo = record
    Usage: Cardinal;          // THREADENTRY32.cntUsage (thread reference count)
    ThreadID: Cardinal;       // th32ThreadID
    OwnerProcessID: Cardinal; // th32OwnerProcessID (process that owns the thread)
    BasePri: Integer;         // tpBasePri (priority the thread was created with)
    DeltaPri: Integer;        // tpDeltaPri (change relative to the base priority)
    Flags: Cardinal;          // dwFlags (reserved, unused)
  end;

const
  { Private window message; WParam carries a pointer to a TProcess_ThreadInfo.
    WM_USER-range messages can be sent by other processes on the same desktop,
    so a handler must not assume the pointer was produced by this program. }
  WM_ThreadInfo = WM_USER + 1004;
// 枚举进程拥有的线程
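{ Enumerates the threads owned by ProcessID and delivers each one to window
  Hand as a WM_ThreadInfo message whose WParam points to a TProcess_ThreadInfo.

  Hand:      window that receives WM_ThreadInfo (in this unit the form, whose
             handler is My_ThreadInfo).
  ProcessID: owner process whose threads are reported.
  Raises:    EOSError if the snapshot cannot be created.

  The pointer passed in WParam addresses a local record and is valid only for
  the duration of the synchronous SendMessage call; the receiver must copy
  the fields it needs and must not retain the pointer.

  Caveat: a Toolhelp snapshot is a user-mode view obtained through the same
  interface that process-hiding techniques interpose on, so a thread absent
  from the result is not evidence that it does not exist. }
procedure EnumThreadForProcess(const Hand, ProcessID: THandle);
var
  Snapshot: THandle;
  te: TThreadEntry32;
  ThreadInfo: TProcess_ThreadInfo;
begin
  // TH32CS_SNAPTHREAD captures every thread on the system; the process-id
  // argument is ignored for this flag, hence the owner filter below.
  Snapshot := CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, ProcessID);
  // The original closed an invalid handle and reported nothing; fail
  // explicitly so a failed snapshot is not mistaken for "no threads".
  if Snapshot = INVALID_HANDLE_VALUE then
    RaiseLastOSError;
  try
    // dwSize must be set before the first call; zero the rest so no stale
    // field is read.
    Windows.ZeroMemory(@te, SizeOf(te));
    te.dwSize := SizeOf(te);
    if not Thread32First(Snapshot, te) then
      Exit;
    repeat
      // Continue in a repeat loop jumps to the until test, so Thread32Next
      // still advances the cursor.
      if te.th32OwnerProcessID <> ProcessID then
        Continue;
      ThreadInfo.Usage := te.cntUsage;
      ThreadInfo.ThreadID := te.th32ThreadID;
      ThreadInfo.OwnerProcessID := te.th32OwnerProcessID;
      ThreadInfo.BasePri := te.tpBasePri;
      ThreadInfo.DeltaPri := te.tpDeltaPri;
      ThreadInfo.Flags := te.dwFlags;
      // WPARAM rather than Integer: an Integer cast truncates the pointer on
      // 64-bit targets.
      SendMessage(Hand, WM_ThreadInfo, WPARAM(@ThreadInfo), 0);
    until not Thread32Next(Snapshot, te);
  finally
    CloseHandle(Snapshot);
  end;
end;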
// 刷新线程列表
{ Rebuilds lvModule with the threads of the process selected in lvProcess.
  The column captions are reset, then EnumThreadForProcess is run and its
  WM_ThreadInfo messages add the rows (see My_ThreadInfo). With nothing
  selected the list is only cleared. }
procedure TTntForm1.btnThreadClick(Sender: TObject);
const
  // Captions in column order; the trailing spaces are part of the captions.
  ColumnCaptions: array[0..5] of string =
    ('进程ID ', '线程ID ', '线程计数 ', '初始优先级 ', '当前优先级 ', '标志 ');
var
  Selected: TTntListItem;
  PID: LongWord;
  Col: Integer;
begin
  Selected := lvProcess.Selected;
  lvModule.Clear;
  if Selected = nil then
    Exit;
  // The item caption holds the PID as text; anything non-numeric becomes 0.
  PID := StrToIntDef(Selected.Caption, 0);

  lvModule.Columns.BeginUpdate;
  try
    for Col := Low(ColumnCaptions) to High(ColumnCaptions) do
      lvModule.Columns[Col].Caption := ColumnCaptions[Col];
  finally
    lvModule.Columns.EndUpdate;
  end;

  lvModule.Items.BeginUpdate;
  try
    EnumThreadForProcess(Self.Handle, PID);
  finally
    lvModule.Items.EndUpdate;
  end;
end;
// 刷新线程列表处理函数
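{ Handler for WM_ThreadInfo: appends one row to lvModule from the
  TProcess_ThreadInfo that Msg.WParam points to (sent by EnumThreadForProcess).

  Msg.WParam: pointer to the sender's TProcess_ThreadInfo. It is valid only
  while the sender's SendMessage call is in progress, so every field is
  copied here and the pointer is not kept.

  WM_USER-range messages are not private to this process: another process on
  the same desktop can send WM_ThreadInfo with an arbitrary WParam, and this
  handler would then dereference a value it did not produce (at best an
  access violation). The nil check below covers only the zero value; the
  structural fix is to stop passing pointers through window messages, e.g. by
  having EnumThreadForProcess call a method on the form directly. }
procedure TTntForm1.My_ThreadInfo(var Msg: TMessage);
var
  lpThreadInfo: ^TProcess_ThreadInfo;
  li: TTntListItem;
begin
  // WParam arrives from outside the handler; reject the one invalid value
  // that can be recognised without dereferencing it.
  if Msg.WParam = 0 then
    Exit;
  lpThreadInfo := Pointer(Msg.WParam);
  li := lvModule.Items.Add;
  // Column order matches the captions assigned in btnThreadClick.
  li.Caption := IntToStr(lpThreadInfo^.OwnerProcessID);
  li.SubItems.Add(IntToStr(lpThreadInfo^.ThreadID));
  li.SubItems.Add(IntToStr(lpThreadInfo^.Usage));
  li.SubItems.Add(IntToStr(lpThreadInfo^.BasePri));
  li.SubItems.Add(IntToStr(lpThreadInfo^.DeltaPri));
  li.SubItems.Add(IntToStr(lpThreadInfo^.Flags));
end;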
initialization
// Enables SeDebugPrivilege for the current process at unit load, i.e. for the
// whole process lifetime rather than only around an operation that needs it,
// and whatever SetPrivilegeA (a project helper, not shown here) reports back
// is not checked, so a failure goes unnoticed.
// NOTE(review): CreateToolhelp32Snapshot does not appear to require this
// privilege; confirm which operation in the project actually needs it before
// keeping it enabled process-wide.
// NOTE(review): the privilege-name literal below carries a trailing space. If
// that is in the real source and not a copy artefact, the lookup will not
// match 'SeDebugPrivilege' and the call fails silently.
SetPrivilegeA(Windows.GetCurrentProcess(), 'SeDebugPrivilege ', True);
[解决办法]
没招!