能否拦截某进程的线程创建，或者驱动创建？P版有写过类似的，但是在 WIN7 下无用。
抱着侥幸心理，万一有高人顺路给个代码瞧瞧呢！
适用于 win7 及以上系统的线程入口函数：BaseThreadInitThunk
This function is called to start a Win32 thread. Its purpose is to call the thread start address. If the thread returns it will terminate the thread and delete its stack.
Arguments:
DWORD LdrReserved - Should always be 0 for user threads.
LPTHREAD_START_ROUTINE lpStartAddress - Supplies the starting address of the new thread.
The address is a function that never returns and that accepts a single DWORD pointer argument.
LPVOID lpParameter - Supplies a single parameter value passed to the thread.
Return value is nothing.
BaseThreadInitThunk 是每个 Win32 线程的启动函数：在这里做 hook，就能在本进程内拦截（至少是观察）所有新线程的创建，并拿到线程入口地址。
edx = startaddress（这是帖子作者给出的值；寄存器约定随系统版本/位数而变，实际使用前请在目标系统上反汇编确认）
可以配合 K32GetMappedFileName 查出该线程入口地址所属的映像文件。
（当 K32GetMappedFileName 返回 0 时，说明该地址不在任何已映射文件之内——例如 VirtualAlloc 出来的私有内存，这是注入 shellcode 的典型特征。注意它只是一个信号：返回了文件名也只说明地址落在某个映像里，被注入的 DLL 同样有文件名。）
DWORD WINAPI K32GetMappedFileName(
  _In_  HANDLE hProcess,
  _In_  LPVOID lpv,
  _Out_ LPTSTR lpFilename,
  _In_  DWORD  nSize
);
以上完全不懂！
#include <ButtonConstants.au3>
#include <EditConstants.au3>
#include <GUIConstantsEx.au3>
#include <ListViewConstants.au3>
#include <TabConstants.au3>
#include <WindowsConstants.au3>
#Region ### START Koda GUI section ### Form=z:\portablesync\au3project\source\pr\pr.kxf
; Koda-generated layout. Keep the creation order as is: every
; GUICtrlSendMsg(-1, ...) below addresses the control created on the line
; immediately before it.
$Form1_1 = GUICreate("Form1", 935, 783, 192, 114)
; Process table: process name | PID | image path | company name | description
$ListView1 = GUICtrlCreateListView("进程名称|PID|映像路径|公司名称|描述", 0, 24, 930, 454)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 0, 190)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 1, 50)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 2, 230)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 3, 170)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 4, -2) ; -2 = LVSCW_AUTOSIZE_USEHEADER: last column fills the remaining width
; Lower pane: tab strip holding the module list, a "ban" list and a load log.
$Tab1 = GUICtrlCreateTab(8, 488, 921, 289, BitOR($TCS_FLATBUTTONS,$TCS_BUTTONS,$TCS_MULTILINE), $WS_EX_STATICEDGE)
GUICtrlSetFont(-1, 9, 400, 0, "微软雅黑")
$TabSheet1 = GUICtrlCreateTabItem(" 动态链接(DLLs) ")
; Module table for the selected process: module handle | module path | company name | description
$ListView2 = GUICtrlCreateListView("模块句柄|模块路径|公司名称|描述", 15, 522, 906, 246)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 0, 220)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 1, 170)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 2, 170)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 3, -2)
; The "Ban" / "Log" tabs and the "block all loading" checkbox are placeholders:
; nothing in this listing reads $TabSheet2, $Edit1 or $Checkbox1.
$TabSheet2 = GUICtrlCreateTabItem(" 禁止加载(Ban) ")
$TabSheet3 = GUICtrlCreateTabItem(" 加载记录(Log) ")
$Edit1 = GUICtrlCreateEdit("", 15, 519, 905, 281, BitOR($ES_AUTOVSCROLL,$ES_AUTOHSCROLL,$ES_WANTRETURN,$WS_VSCROLL))
GUICtrlCreateTabItem("") ; closes the tab group
$Checkbox1 = GUICtrlCreateCheckbox("禁止所有加载", 352, 496, 97, 17)
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###
#include <Array.au3>
#include <WinAPI.au3>
#include <WinAPIEx.au3>
#include <GuiListView.au3>
#include <GuiMenu.au3>
#include <lsasecur.au3>
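; Fill the process table once at start-up.
; _PEx_EnumProcess() returns a 2-D array: [0][0] = row count, and per row
; [n][0..4] = name | PID | image path | CompanyName | FileDescription - one
; column per list-view column. The posted code had lost the second index on
; every access ($_PROC, $_PROC[$i]), which is restored here.
; Rows whose image does not carry "Microsoft Corporation" in its version
; resource are drawn red. That string is set by whoever built the file and is
; trivially forged, so treat the colour as a noise filter, not a trust signal.
Global $_PROC = _PEx_EnumProcess()
For $i = 1 To $_PROC[0][0]
	GUICtrlCreateListViewItem(_ArrayToString($_PROC, "|", $i, $i), $ListView1)
	If $_PROC[$i][3] <> 'Microsoft Corporation' Then GUICtrlSetColor(-1, '0xFF0000')
Next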
; Message pump: sleep on GUI events and leave when the window is closed.
; This listing registers no message handlers, so the close event is the only
; thing the loop has to notice.
Do
Until GUIGetMsg() = $GUI_EVENT_CLOSE
Exit
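; Enumerate processes by trying OpenProcess on every PID from 0 to $iMaxID.
;
; $iMaxID - highest PID to probe (default 65535).
; Returns a 2-D array: [0][0] = number of rows; for each row n >= 1
;   [n][0] process name      [n][1] PID        [n][2] image path
;   [n][3] CompanyName       [n][4] FileDescription (both from the version resource)
;
; Caveats for anyone using this as a security tool:
;  * Only processes that can be opened with PROCESS_QUERY_INFORMATION |
;    PROCESS_VM_READ show up. Protected processes and, without
;    SeDebugPrivilege, other users' processes are silently skipped - the list
;    is not a complete picture of the machine. ProcessList() or
;    _WinAPI_EnumProcesses() are the right tool for a full inventory.
;  * Changes vs. the posted version: the lost 2-D indices are restored, the
;    process handle is no longer leaked when GetModuleFileNameEx fails, the
;    loop steps by 4 outright (NT PIDs are always multiples of 4, which is what
;    the old "$i += 3" was reaching for), and \SystemRoot is mapped to the real
;    Windows directory instead of a hard-coded C:\windows.
Func _PEx_EnumProcess($iMaxID = 65535)
	Local $_PROCESS_INDEX[1][5]
	Local $i, $x, $_PHandle, $_PPath, $_PName, $_PCompanyName, $_PFileDescription
	For $i = 0 To $iMaxID Step 4
		$_PHandle = _WinAPI_OpenProcess(0x00000410, 0, $i) ; PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
		If Not $_PHandle Then ContinueLoop
		$_PPath = _WinAPI_GetModuleFileNameEx($_PHandle)
		If @error Then
			_WinAPI_CloseHandle($_PHandle) ; the posted code leaked the handle on this path
			ContinueLoop
		EndIf
		_WinAPI_CloseHandle($_PHandle)
		$_PName = _WinAPI_GetProcessName($i)
		; Some image paths come back in NT form (\SystemRoot\...), which
		; FileGetVersion cannot open; rewrite the prefix to the real Windows dir.
		$_PPath = StringReplace($_PPath, "\SystemRoot", @WindowsDir, 0, 1)
		$_PCompanyName = FileGetVersion($_PPath, 'CompanyName')
		$_PFileDescription = FileGetVersion($_PPath, 'FileDescription')
		$x = UBound($_PROCESS_INDEX)
		ReDim $_PROCESS_INDEX[$x + 1][5]
		$_PROCESS_INDEX[$x][0] = $_PName
		$_PROCESS_INDEX[$x][1] = $i
		$_PROCESS_INDEX[$x][2] = $_PPath
		$_PROCESS_INDEX[$x][3] = $_PCompanyName
		$_PROCESS_INDEX[$x][4] = $_PFileDescription
	Next
	$_PROCESS_INDEX[0][0] = UBound($_PROCESS_INDEX) - 1
	Return $_PROCESS_INDEX
EndFunc   ;==>_PEx_EnumProcess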
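; List the modules loaded in process $iPID, optionally dropping Microsoft ones.
;
; $iPID  - process ID; if it does not exist, returns "" with @error = 1.
; $iSafe - 1 (default): keep only modules whose CompanyName version string is
;          not "Microsoft Corporation"; any other value keeps every module.
;          (The posted code returned garbage for $iSafe <> 1.)
; $iFlag - LIST_MODULES_* filter passed to _WinAPI_EnumProcessModules (3 = all).
;
; Returns a 2-D array: [0][0] = count, [n][0] = module handle,
; [n][1] = module path, [n][2] = CompanyName. @error = 2 if the process could
; not be enumerated (access denied, bitness mismatch, ...).
;
; The CompanyName string is whatever the file's author put in its version
; resource; an attacker can write "Microsoft Corporation" there as easily as
; anyone else. Use this to cut noise, not to decide trust.
; Not called anywhere in this listing.
Func _PEx_EnumModules($iPID, $iSafe = 1, $iFlag = 3)
	If Not ProcessExists($iPID) Then Return SetError(1) ; not a live process
	Local $i, $n, $_CompanyName
	Local $_Modules[1][3]
	Local $_ENUM_MODULE = _WinAPI_EnumProcessModules($iPID, $iFlag)
	If @error Or Not IsArray($_ENUM_MODULE) Then Return SetError(2)
	For $i = 1 To $_ENUM_MODULE[0][0]
		; \SystemRoot\... is an NT path FileGetVersion cannot open
		$_CompanyName = FileGetVersion(StringReplace($_ENUM_MODULE[$i][1], "\SystemRoot", @WindowsDir, 0, 1), 'CompanyName')
		If $iSafe = 1 And $_CompanyName = 'Microsoft Corporation' Then ContinueLoop
		$n = UBound($_Modules)
		ReDim $_Modules[$n + 1][3]
		$_Modules[$n][0] = $_ENUM_MODULE[$i][0]
		$_Modules[$n][1] = $_ENUM_MODULE[$i][1]
		$_Modules[$n][2] = $_CompanyName
	Next
	$_Modules[0][0] = UBound($_Modules) - 1
	Return $_Modules
EndFunc   ;==>_PEx_EnumModules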
奋斗一夜,弄个大概造型,顺便顶下帖子 本帖最后由 heavenm 于 2017-1-30 04:35 编辑
#include <ButtonConstants.au3>
#include <EditConstants.au3>
#include <GUIConstantsEx.au3>
#include <ListViewConstants.au3>
#include <TabConstants.au3>
#include <WindowsConstants.au3>
#Region ### START Koda GUI section ### Form=z:\portablesync\au3project\source\pr\pr.kxf
; Koda-generated layout. Keep the creation order as is: every
; GUICtrlSendMsg(-1, ...) below addresses the control created on the line
; immediately before it.
$Form1_1 = GUICreate("Form1", 935, 783, 192, 114)
; Process table: process name | PID | image path | company name | description
$ListView1 = GUICtrlCreateListView("进程名称|PID|映像路径|公司名称|描述", 0, 24, 930, 454)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 0, 190)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 1, 50)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 2, 230)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 3, 170)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 4, -2) ; -2 = LVSCW_AUTOSIZE_USEHEADER: last column fills the remaining width
; Lower pane: tab strip holding the module list, a "ban" list and a load log.
$Tab1 = GUICtrlCreateTab(8, 488, 921, 289, BitOR($TCS_FLATBUTTONS,$TCS_BUTTONS,$TCS_MULTILINE), $WS_EX_STATICEDGE)
GUICtrlSetFont(-1, 9, 400, 0, "微软雅黑")
$TabSheet1 = GUICtrlCreateTabItem(" 动态链接(DLLs) ")
; Module table for the selected process: module handle | module path | company name | description.
; Row checkboxes ($LVS_EX_CHECKBOXES) are displayed but nothing in this listing reads them.
$ListView2 = GUICtrlCreateListView("模块句柄|模块路径|公司名称|描述", 15, 522, 906, 246, $LVS_NOSORTHEADER, BitOR($WS_EX_CLIENTEDGE, $LVS_EX_CHECKBOXES, $LVS_EX_FULLROWSELECT))
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 0, 150)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 1, 290)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 2, 190)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 3, -2)
; The "Ban" / "Log" tabs and the "block all loading" checkbox are placeholders:
; nothing in this listing reads $TabSheet2, $Edit1 or $Checkbox1.
$TabSheet2 = GUICtrlCreateTabItem(" 禁止加载(Ban) ")
$TabSheet3 = GUICtrlCreateTabItem(" 加载记录(Log) ")
$Edit1 = GUICtrlCreateEdit("", 15, 519, 905, 281, BitOR($ES_AUTOVSCROLL,$ES_AUTOHSCROLL,$ES_WANTRETURN,$WS_VSCROLL))
GUICtrlCreateTabItem("") ; closes the tab group
$Checkbox1 = GUICtrlCreateCheckbox("禁止所有加载", 352, 496, 97, 17)
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###
#include <Array.au3>
#include <WinAPI.au3>
#include <WinAPIEx.au3>
#include <GuiListView.au3>
#include <GuiMenu.au3>
;~ #include <lsasecur.au3>
#include <LocalSecurityAuthority.au3>
; Command id returned by the popup menu for "unload module".
Global Const $UnModule = 1000
; Right-click menu for the module list; shown and dispatched in WM_NOTIFY.
$Menu1 = _GUICtrlMenu_CreatePopup()
_GUICtrlMenu_InsertMenuItem($Menu1, 0, "卸载模块", $UnModule)
; Route list-view notifications (clicks) to the WM_NOTIFY function below.
GUIRegisterMsg($WM_NOTIFY, "WM_NOTIFY")
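; Fill the process table once at start-up.
; _PEx_EnumProcess() returns a 2-D array: [0][0] = row count, and per row
; [n][0..4] = name | PID | image path | CompanyName | FileDescription - one
; column per list-view column. The posted code had lost the second index on
; every access ($_PROC, $_PROC[$i]), which is restored here.
; Note the 4000 ceiling: PIDs above it are simply never probed, and on a
; machine that has been up for a while most processes live above 4000.
; Rows whose image does not carry "Microsoft Corporation" in its version
; resource are drawn red. That string is trivially forged, so treat the
; colour as a noise filter, not a trust signal.
Global $_PROC = _PEx_EnumProcess(4000)
For $i = 1 To $_PROC[0][0]
	GUICtrlCreateListViewItem(_ArrayToString($_PROC, "|", $i, $i), $ListView1)
	If $_PROC[$i][3] <> 'Microsoft Corporation' Then GUICtrlSetColor(-1, '0xFF0000')
Next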
; Message pump: sleep on GUI events and leave when the window is closed.
; List-view clicks are handled in WM_NOTIFY (registered above), so the close
; event is the only thing this loop has to notice.
Do
Until GUIGetMsg() = $GUI_EVENT_CLOSE
Exit
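; WM_NOTIFY handler for the two list views (registered via GUIRegisterMsg).
;   ListView1 (processes): left click -> list that process's non-Microsoft
;     modules in ListView2 as handle | path | company | description, in red.
;   ListView2 (modules): right click -> popup menu; "卸载模块" injects a
;     FreeLibrary thread into the target process through _UnloadDll.
;
; Fixes vs. the posted version: "IfStringIsDigit" (a syntax error) is now
; `If StringIsDigit`, the lost 2-D indices into the module array are
; restored, the PID is read from the clicked row instead of assuming the list
; view is still in $_PROC order, and the debug MsgBox plus the stray second
; _UnloadDll(4, ...) call (PID 4 is the System process) are removed.
; This runs on the GUI thread inside message dispatch - keep it quick and do
; not call MsgBox from here.
Func WM_NOTIFY($hWnd, $iMsg, $iwParam, $ilParam)
	Local $hWndFrom, $iCode, $tNMHDR, $hWndListView1, $hWndListView2, $SelectedID
	Local $_INDEX, $_SelectListView1, $_PModule, $_PPath, $_PCompanyName, $_PFileDescription
	Local $_ListView1_PID, $_ListView2_DLL, $i
	$tNMHDR = DllStructCreate($tagNMHDR, $ilParam)
	$hWndFrom = HWnd(DllStructGetData($tNMHDR, "hWndFrom"))
	$iCode = DllStructGetData($tNMHDR, "Code")
	$hWndListView1 = GUICtrlGetHandle($ListView1)
	$hWndListView2 = GUICtrlGetHandle($ListView2)
	Switch $hWndFrom
		Case $hWndListView1
			If $iCode = $NM_CLICK Then
				_GUICtrlListView_DeleteAllItems($ListView2)
				$_SelectListView1 = _GUICtrlListView_GetSelectedIndices($hWndListView1)
				; "" = click on empty space, "a|b" = multi-select: neither names one process
				If StringIsDigit($_SelectListView1) Then
					$_ListView1_PID = Int(_GUICtrlListView_GetItemText($hWndListView1, $_SelectListView1, 1)) ; column 1 = PID
					$_PModule = _WinAPI_EnumProcessModules($_ListView1_PID, $LIST_MODULES_ALL)
					If IsArray($_PModule) Then
						For $i = 1 To $_PModule[0][0]
							; FileGetVersion cannot open NT-style \SystemRoot\... paths. The row itself
							; keeps the raw path so it still matches what _UnloadDll enumerates later.
							$_PPath = StringReplace($_PModule[$i][1], "\SystemRoot", @WindowsDir, 0, 1)
							$_PCompanyName = FileGetVersion($_PPath, 'CompanyName')
							$_PFileDescription = FileGetVersion($_PPath, 'FileDescription')
							; Version-resource string only - trivially spoofed; a noise filter, not a trust check.
							If $_PCompanyName <> 'Microsoft Corporation' Then
								GUICtrlCreateListViewItem($_PModule[$i][0] & '|' & $_PModule[$i][1] & '|' & $_PCompanyName & '|' & $_PFileDescription, $ListView2)
								GUICtrlSetColor(-1, '0xFF0000')
							EndIf
						Next
					EndIf
				EndIf
			EndIf
		Case $hWndListView2
			If $iCode = $NM_RCLICK Then
				$_INDEX = _GUICtrlListView_GetSelectedIndices($hWndListView2)
				If $_INDEX = "" Then
					_GUICtrlMenu_SetItemDisabled($Menu1, 0)
				Else
					_GUICtrlMenu_SetItemEnabled($Menu1, 0)
				EndIf
				$SelectedID = _GUICtrlMenu_TrackPopupMenu($Menu1, $hWndListView2, -1, -1, 1, 1, 2)
				If $SelectedID = $UnModule And StringIsDigit($_INDEX) Then
					$_SelectListView1 = _GUICtrlListView_GetSelectedIndices($hWndListView1)
					If StringIsDigit($_SelectListView1) Then
						$_ListView1_PID = Int(_GUICtrlListView_GetItemText($hWndListView1, $_SelectListView1, 1))
						$_ListView2_DLL = _GUICtrlListView_GetItemText($hWndListView2, $_INDEX, 1)
						; Forced unload = remote-thread injection into a live process. It can crash
						; the target and only works for same-bitness, non-protected processes.
						_UnloadDll($_ListView1_PID, $_ListView2_DLL)
						; The module list is not refreshed here; click the process again to re-check.
					EndIf
				EndIf
			EndIf
	EndSwitch
	Return $GUI_RUNDEFMSG
EndFunc   ;==>WM_NOTIFY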
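; Enumerate processes by trying OpenProcess on every PID from 0 to $iMaxID.
;
; $iMaxID - highest PID to probe (default 65535).
; Returns a 2-D array: [0][0] = number of rows; for each row n >= 1
;   [n][0] process name      [n][1] PID        [n][2] image path
;   [n][3] CompanyName       [n][4] FileDescription (both from the version resource)
;
; Caveats for anyone using this as a security tool:
;  * Only processes that can be opened with PROCESS_QUERY_INFORMATION |
;    PROCESS_VM_READ show up. Protected processes and, without
;    SeDebugPrivilege, other users' processes are silently skipped - the list
;    is not a complete picture of the machine. ProcessList() or
;    _WinAPI_EnumProcesses() are the right tool for a full inventory.
;  * Changes vs. the posted version: the lost 2-D indices are restored, the
;    process handle is no longer leaked when GetModuleFileNameEx fails, the
;    loop steps by 4 outright (NT PIDs are always multiples of 4, which is what
;    the old "$i += 3" was reaching for), and \SystemRoot is mapped to the real
;    Windows directory instead of a hard-coded C:\windows.
Func _PEx_EnumProcess($iMaxID = 65535)
	Local $_PROCESS_INDEX[1][5]
	Local $i, $x, $_PHandle, $_PPath, $_PName, $_PCompanyName, $_PFileDescription
	For $i = 0 To $iMaxID Step 4
		$_PHandle = _WinAPI_OpenProcess(0x00000410, 0, $i) ; PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
		If Not $_PHandle Then ContinueLoop
		$_PPath = _WinAPI_GetModuleFileNameEx($_PHandle)
		If @error Then
			_WinAPI_CloseHandle($_PHandle) ; the posted code leaked the handle on this path
			ContinueLoop
		EndIf
		_WinAPI_CloseHandle($_PHandle)
		$_PName = _WinAPI_GetProcessName($i)
		; Some image paths come back in NT form (\SystemRoot\...), which
		; FileGetVersion cannot open; rewrite the prefix to the real Windows dir.
		$_PPath = StringReplace($_PPath, "\SystemRoot", @WindowsDir, 0, 1)
		$_PCompanyName = FileGetVersion($_PPath, 'CompanyName')
		$_PFileDescription = FileGetVersion($_PPath, 'FileDescription')
		$x = UBound($_PROCESS_INDEX)
		ReDim $_PROCESS_INDEX[$x + 1][5]
		$_PROCESS_INDEX[$x][0] = $_PName
		$_PROCESS_INDEX[$x][1] = $i
		$_PROCESS_INDEX[$x][2] = $_PPath
		$_PROCESS_INDEX[$x][3] = $_PCompanyName
		$_PROCESS_INDEX[$x][4] = $_PFileDescription
	Next
	$_PROCESS_INDEX[0][0] = UBound($_PROCESS_INDEX) - 1
	Return $_PROCESS_INDEX
EndFunc   ;==>_PEx_EnumProcess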
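; List the modules loaded in process $iPID, optionally dropping Microsoft ones.
;
; $iPID  - process ID; if it does not exist, returns "" with @error = 1.
; $iSafe - 1 (default): keep only modules whose CompanyName version string is
;          not "Microsoft Corporation"; any other value keeps every module.
;          (The posted code returned garbage for $iSafe <> 1.)
; $iFlag - LIST_MODULES_* filter passed to _WinAPI_EnumProcessModules (3 = all).
;
; Returns a 2-D array: [0][0] = count, [n][0] = module handle,
; [n][1] = module path, [n][2] = CompanyName. @error = 2 if the process could
; not be enumerated (access denied, bitness mismatch, ...).
;
; The CompanyName string is whatever the file's author put in its version
; resource; an attacker can write "Microsoft Corporation" there as easily as
; anyone else. Use this to cut noise, not to decide trust.
; Not called anywhere in this listing.
Func _PEx_EnumModules($iPID, $iSafe = 1, $iFlag = 3)
	If Not ProcessExists($iPID) Then Return SetError(1) ; not a live process
	Local $i, $n, $_CompanyName
	Local $_Modules[1][3]
	Local $_ENUM_MODULE = _WinAPI_EnumProcessModules($iPID, $iFlag)
	If @error Or Not IsArray($_ENUM_MODULE) Then Return SetError(2)
	For $i = 1 To $_ENUM_MODULE[0][0]
		; \SystemRoot\... is an NT path FileGetVersion cannot open
		$_CompanyName = FileGetVersion(StringReplace($_ENUM_MODULE[$i][1], "\SystemRoot", @WindowsDir, 0, 1), 'CompanyName')
		If $iSafe = 1 And $_CompanyName = 'Microsoft Corporation' Then ContinueLoop
		$n = UBound($_Modules)
		ReDim $_Modules[$n + 1][3]
		$_Modules[$n][0] = $_ENUM_MODULE[$i][0]
		$_Modules[$n][1] = $_ENUM_MODULE[$i][1]
		$_Modules[$n][2] = $_CompanyName
	Next
	$_Modules[0][0] = UBound($_Modules) - 1
	Return $_Modules
EndFunc   ;==>_PEx_EnumModules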
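; Force-unload module $sModule from process $iProcessID by creating a remote
; thread in that process whose start address is kernel32!FreeLibrary and whose
; argument is the module's HMODULE.
;
; $iProcessID - target PID.  $sModule - module path as listed for the process.
; Returns 1 if the module is gone afterwards, 0 if it is still present or was
; never found; @error set (and 0 returned) if the process cannot be opened or
; FreeLibrary cannot be located.
;
; Read before reusing:
;  * This is the textbook CreateRemoteThread injection primitive, run with
;    SeDebugPrivilege. Expect AV/EDR to flag the tool itself.
;  * The FreeLibrary address is looked up in THIS process and assumed to be
;    valid in the target. That only holds when both have the same bitness and
;    kernel32 sits at the same base (system DLLs share a per-boot base, so it
;    usually works between same-bitness processes). A 32-bit script against a
;    64-bit process, protected/PPL processes or processes the token cannot
;    open will fail - presumably why the author saw it work "only for some".
;  * FreeLibrary only decrements the load count: a module loaded more than
;    once, pinned, or part of the loader's own set (ntdll, kernel32, the EXE)
;    will not go away.
;  * Pulling a DLL out from under running threads can crash the target, and
;    malware can simply re-inject. A real "block loading" feature needs a
;    kernel image-load callback, not this.
;  * Changes vs. the posted version: lost 2-D indices restored, the remote
;    thread is waited on before the module list is re-read (the old code
;    re-enumerated immediately, so its result was a race), $iFlags always has
;    a value, and the process handle is closed on every exit path.
Func _UnloadDll($iProcessID, $sModule)
	Local $aModule, $hModule, $pFreeLibrary, $hThread, $hProcess, $i
	Local $hToken, $aPriv = [[$SE_DEBUG_NAME, 2]], $iFlags = 0
	; SeDebugPrivilege lets OpenProcess succeed on processes of other users (needs admin to hold it).
	$hToken = _OpenProcessToken(-1)
	_AdjustTokenPrivileges($hToken, $aPriv)
	_LsaCloseHandle($hToken)
	$hProcess = _OpenProcess($iProcessID)
	If $hProcess < 1 Then Return SetError(@error, 0, 0)
	; _GetFullPathName resolves against the current directory, so pass a real Win32 path.
	$sModule = _GetFullPathName($sModule)
	$hModule = _GetModuleHandle("Kernel32.dll")
	$pFreeLibrary = _GetProcAddress($hModule, "FreeLibrary")
	If Not $pFreeLibrary Then
		_LsaCloseHandle($hProcess)
		Return SetError(2, 0, 0)
	EndIf
	$aModule = _EnumProcessModules($hProcess)
	For $i = 1 To $aModule[0][0]
		If $aModule[$i][1] <> $sModule Then ContinueLoop ; AutoIt <> on strings is case-insensitive, fine for paths
		$hThread = _CreateRemoteThread($hProcess, 0, 0, $pFreeLibrary, $aModule[$i][0], 0)
		If Not $hThread Then ContinueLoop
		; Let FreeLibrary actually run (bounded wait) before we re-check the module list.
		DllCall("Kernel32.dll", "dword", "WaitForSingleObject", "handle", $hThread, "dword", 5000)
		_LsaCloseHandle($hThread)
		$iFlags = 1
	Next
	$aModule = _EnumProcessModules($hProcess)
	For $i = 1 To $aModule[0][0]
		If $aModule[$i][1] = $sModule Then $iFlags = 0
	Next
	Return SetError(0, _LsaCloseHandle($hProcess), $iFlags)
EndFunc   ;==>_UnloadDll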
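; Resolve $sFile to an absolute path with kernel32!GetFullPathName.
; Returns the resolved path; on failure returns $sFile unchanged with @error = 1.
; Relative and NT-style (\SystemRoot\...) inputs are resolved against the
; current directory/drive, which is almost never what the caller means, so
; feed it proper Win32 paths.
; The posted version returned the whole DllCall array (lost "[3]") and passed
; a "str" for the LPTSTR* lpFilePart out-parameter; that pointer is NULL now.
Func _GetFullPathName($sFile)
	Local $aRet = DllCall("Kernel32.dll", "dword", "GetFullPathName", _
			"str", $sFile, "dword", 4096, "str", "", "ptr", 0)
	If @error Or Not $aRet[0] Or $aRet[0] > 4096 Then Return SetError(1, 0, $sFile)
	Return $aRet[3]
EndFunc   ;==>_GetFullPathName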
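; Handle of a module already mapped in THIS process (nothing is loaded).
; Returns the HMODULE, or 0 with @error = GetLastError() if it is not loaded.
; The posted version declared the return as "long", which truncates 64-bit
; handles, and returned the raw DllCall array instead of element [0].
Func _GetModuleHandle($sModule)
	Local $aRet = DllCall("Kernel32.dll", "handle", "GetModuleHandle", "str", $sModule)
	If @error Then Return SetError(1, 0, 0)
	If Not $aRet[0] Then Return SetError(_GetLastError(), 0, 0)
	Return $aRet[0]
EndFunc   ;==>_GetModuleHandle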
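; Modules mapped in $hProcess (a handle with PROCESS_QUERY_INFORMATION |
; PROCESS_VM_READ). Returns a 2-D array: [0][0] = count,
; [n][0] = HMODULE, [n][1] = full path (from _GetModuleFileNameEx).
; On failure returns a 1x2 array with [0][0] = 0 and @error set, so callers
; that loop 1..[0][0] simply see nothing.
; EnumProcessModules fails with ERROR_PARTIAL_COPY across a 32/64-bit
; boundary - a common reason this tool "does not work" on some processes.
; Changes vs. the posted version: the HMODULE buffer is a DllStruct sized by
; the script's pointer width (the old code hard-coded 4-byte "hWnd" slots,
; wrong for x64), so HeapAlloc/HeapFree and _FreeVariable - which in this
; listing is only defined inside the #cs block - are no longer needed.
Func _EnumProcessModules($hProcess)
	Local $aResult[1][2] = [[0, ""]]
	Local $i, $iCount, $iHave, $tBuffer
	Local $iPtrSize = DllStructGetSize(DllStructCreate("ptr"))
	; First call with an empty buffer just asks how many bytes are needed.
	Local $aRet = DllCall("Psapi.dll", "bool", "EnumProcessModules", "handle", $hProcess, _
			"ptr", 0, "dword", 0, "dword*", 0)
	If @error Or Not $aRet[4] Then Return SetError(1, 0, $aResult)
	$iCount = Int($aRet[4] / $iPtrSize)
	$tBuffer = DllStructCreate("ptr Modules[" & $iCount & "]")
	$aRet = DllCall("Psapi.dll", "bool", "EnumProcessModules", "handle", $hProcess, _
			"ptr", DllStructGetPtr($tBuffer), "dword", DllStructGetSize($tBuffer), "dword*", 0)
	If @error Or Not $aRet[0] Then Return SetError(2, 0, $aResult)
	; The module list may have grown between the two calls; never read past the buffer.
	$iHave = Int($aRet[4] / $iPtrSize)
	If $iHave < $iCount Then $iCount = $iHave
	ReDim $aResult[$iCount + 1][2]
	For $i = 1 To $iCount
		$aResult[$i][0] = DllStructGetData($tBuffer, "Modules", $i)
		$aResult[$i][1] = _GetModuleFileNameEx($hProcess, $aResult[$i][0])
	Next
	$aResult[0][0] = $iCount
	Return $aResult
EndFunc   ;==>_EnumProcessModules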
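; Full path of module $hModule inside $hProcess (psapi!GetModuleFileNameEx);
; $hModule = 0 names the process's main executable.
; Returns "" with @error = 1 if the call fails or copies nothing.
; The callers in this listing rewrite a \SystemRoot\ prefix, which suggests
; some images are reported in NT form rather than as a drive path.
; The posted version returned the raw DllCall array (lost "[3]").
Func _GetModuleFileNameEx($hProcess, $hModule)
	Local $aRet = DllCall("Psapi.dll", "dword", "GetModuleFileNameEx", "handle", $hProcess, _
			"handle", $hModule, "str", "", "dword", 4096)
	If @error Or Not $aRet[0] Then Return SetError(1, 0, "")
	Return $aRet[3]
EndFunc   ;==>_GetModuleFileNameEx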
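; Address of export $sProcdure in module $hModule, in THIS process.
; Returns the pointer, or 0 with @error = 1 if the export does not exist.
; When the result is used as a remote thread start address (see
; _UnloadDll), it is only meaningful if the target process maps the same
; module at the same base - true for same-bitness processes in one boot
; session, not across a 32/64-bit boundary.
; The posted version returned the raw DllCall array (lost "[0]").
Func _GetProcAddress($hModule, $sProcdure)
	Local $aRet = DllCall("Kernel32.dll", "ptr", "GetProcAddress", "handle", $hModule, "str", $sProcdure)
	If @error Or Not $aRet[0] Then Return SetError(1, 0, 0)
	Return $aRet[0]
EndFunc   ;==>_GetProcAddress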
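; Thin wrapper over kernel32!CreateRemoteThread.
; Returns the thread handle (caller must close it) with @extended = thread
; id, or 0 with @error = GetLastError() on failure.
; This is the classic process-injection primitive: $pStartAddr is executed
; inside $hProcess with $pParam as its single argument. It needs a handle
; with PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_*
; rights and is exactly what EDR hooks look for.
; Changes vs. the posted version: the raw DllCall array is no longer
; returned (lost "[0]"), the stack size is passed as SIZE_T rather than
; DWORD, and @error is only set when the call actually failed (the old code
; reported a stale GetLastError() on success too).
Func _CreateRemoteThread($hProcess, $pThreadSecur, $iStackSize, $pStartAddr, $pParam, $iFlags)
	Local $aRet = DllCall("Kernel32.dll", "handle", "CreateRemoteThread", "handle", $hProcess, _
			"ptr", $pThreadSecur, "ulong_ptr", $iStackSize, "ptr", $pStartAddr, _
			"ptr", $pParam, "dword", $iFlags, "dword*", 0)
	If @error Then Return SetError(1, 0, 0)
	If Not $aRet[0] Then Return SetError(_GetLastError(), 0, 0)
	Return SetError(0, $aRet[7], $aRet[0])
EndFunc   ;==>_CreateRemoteThread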
#cs
; --- Earlier revision of _UnloadDll and its DllCall helpers, apparently written
; against lsasecur.au3 (the _Se* helper names). Kept commented out for reference
; only; nothing below is compiled. Note that it calls _SeOpenProcessToken($iProcessID)
; where a process handle, not a token, is needed - which looks like the reason it
; was replaced by the version above.
Func _UnloadDll($iProcessID, $sModule)
Local $aModule, $hModule, $pFreeLibrary, $hThread, $hProcess
Local $hToken, $aPriv = [[$SE_DEBUG_NAME, 2]], $iFlags
$hToken = _SeOpenProcessToken(-1)
_SeAdjustTokenPrivs($hToken, $aPriv)
_SeCloseHandle($hToken)
$hProcess = _SeOpenProcessToken($iProcessID)
If $hProcess < 1 Then Return SetError(@error, 0, 0)
$sModule = _GetFullPathName($sModule)
$hModule = _GetModuleHandle("Kernel32.dll")
$pFreeLibrary = _GetProcAddress($hModule, "FreeLibrary")
$aModule = _EnumProcessModules($hProcess)
For $i = 1 To $aModule
;~ If FileGetVersion($aModule[$i],'CompanyName') <> 'Microsoft Corporation' Then MsgBox(0, '', $aModule[$i])
If $aModule[$i] <> $sModule Then ContinueLoop
$hThread = _CreateRemoteThread($hProcess, 0, 0, $pFreeLibrary, $aModule[$i], 0)
If @extended Then $iFlags = 1
_SeCloseHandle($hThread)
Next
$aModule = _EnumProcessModules($hProcess)
For $i = 1 To $aModule
If $aModule[$i] = $sModule Then $iFlags = 0
Next
Return SetError(0, _SeCloseHandle($hProcess), $iFlags)
EndFunc ;==>_UnloadDll
Func _GetFullPathName($sFile)
Local $iResult
$iResult = DllCall("Kernel32.dll", "int", "GetFullPathName", _
"str", $sFile, "dword", 260, "str", "", "str", "")
Return $iResult
EndFunc ;==>_GetFullPathName
Func _GetModuleHandle($sModule)
Local $iResult
$iResult = DllCall("Kernel32.dll", "long", "GetModuleHandle", "str", $sModule)
Return SetError(_SeLastError(), 0, $iResult)
EndFunc ;==>_GetModuleHandle
Func _EnumProcessModules($hProcess)
Local $pBuffer, $tBuffer, $iResult, $aResult
$iResult = DllCall("Psapi.dll", "int", "EnumProcessModules", "hWnd", $hProcess, _
"ptr", 0, "dword", 0, "dword*", 0)
$pBuffer = _SeHeapAlloc($iResult)
$iResult = DllCall("Psapi.dll", "int", "EnumProcessModules", "hWnd", $hProcess, _
"ptr", $pBuffer, "dword", $iResult, "dword*", 0)
$tBuffer = DllStructCreate("hWnd Modules[" & ($iResult / 4) & "]", $pBuffer)
$aResult = $iResult / 4
ReDim $aResult[$aResult + 1]
For $i = 1 To $aResult
$aResult[$i] = DllStructGetData($tBuffer, "Modules", $i)
$aResult[$i] = _GetModuleFileNameEx($hProcess, $aResult[$i])
Next
_SeHeapFree($pBuffer)
Return SetError(0, _FreeVariable($tBuffer), $aResult)
EndFunc ;==>_EnumProcessModules
Func _FreeVariable(ByRef $vVariable, $vValue = 0, $vReturn = "", $iError = @error, $iExtended = @extended)
$vVariable = $vValue
Return SetError($iError, $iExtended, $vReturn)
EndFunc ;==>_FreeVariable
Func _GetModuleFileNameEx($hProcess, $hModule)
Local $iResult
$iResult = DllCall("Psapi.dll", "dword", "GetModuleFileNameEx", "hWnd", $hProcess, _
"hWnd", $hModule, "str", "", "dword", 260)
Return $iResult
EndFunc ;==>_GetModuleFileNameEx
Func _GetProcAddress($hModule, $sProcdure)
Local $iResult
$iResult = DllCall("Kernel32.dll", "hWnd", "GetProcAddress", "hWnd", $hModule, "str", $sProcdure)
Return $iResult
EndFunc ;==>_GetProcAddress
Func _CreateRemoteThread($hProcess, $pThreadSecur, $iStackSize, $pStartAddr, $pParam, $iFlags)
Local $iResult
$iResult = DllCall("Kernel32.dll", "hWnd", "CreateRemoteThread", "hWnd", $hProcess, _
"ptr", $pThreadSecur, "dword", $iStackSize, "ptr", $pStartAddr, _
"ptr", $pParam, "dword", $iFlags, "dword*", 0)
Return SetError(_SeLastError(), $iResult, $iResult)
EndFunc ;==>_CreateRemoteThread
#ce
再升级一下！大过年的，该休息休息了{:face (125):}
#include <ButtonConstants.au3>
#include <EditConstants.au3>
#include <GUIConstantsEx.au3>
#include <ListViewConstants.au3>
#include <TabConstants.au3>
#include <WindowsConstants.au3>
#Region ### START Koda GUI section ### Form=z:\portablesync\au3project\source\pr\pr.kxf
; Koda-generated layout. Keep the creation order as is: every
; GUICtrlSendMsg(-1, ...) below addresses the control created on the line
; immediately before it.
$Form1_1 = GUICreate("Form1", 935, 783, 192, 114)
; Process table: process name | PID | image path | company name | description
$ListView1 = GUICtrlCreateListView("进程名称|PID|映像路径|公司名称|描述", 0, 24, 930, 454)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 0, 190)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 1, 50)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 2, 230)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 3, 170)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 4, -2) ; -2 = LVSCW_AUTOSIZE_USEHEADER: last column fills the remaining width
; Lower pane: tab strip holding the module list, a "ban" list and a load log.
$Tab1 = GUICtrlCreateTab(8, 488, 921, 289, BitOR($TCS_FLATBUTTONS, $TCS_BUTTONS, $TCS_MULTILINE), $WS_EX_STATICEDGE)
GUICtrlSetFont(-1, 9, 400, 0, "微软雅黑")
$TabSheet1 = GUICtrlCreateTabItem(" 动态链接(DLLs) ")
; Module table for the selected process: module handle | module path | company name | description.
; Row checkboxes ($LVS_EX_CHECKBOXES) are displayed but nothing in this listing reads them.
$ListView2 = GUICtrlCreateListView("模块句柄|模块路径|公司名称|描述", 15, 522, 906, 246, $LVS_NOSORTHEADER, BitOR($WS_EX_CLIENTEDGE, $LVS_EX_CHECKBOXES, $LVS_EX_FULLROWSELECT))
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 0, 150)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 1, 290)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 2, 190)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 3, -2)
; The "Ban" / "Log" tabs and the "block all loading" checkbox are placeholders:
; nothing in this listing reads $TabSheet2, $Edit1 or $Checkbox1.
$TabSheet2 = GUICtrlCreateTabItem(" 禁止加载(Ban) ")
$TabSheet3 = GUICtrlCreateTabItem(" 加载记录(Log) ")
$Edit1 = GUICtrlCreateEdit("", 15, 519, 905, 281, BitOR($ES_AUTOVSCROLL, $ES_AUTOHSCROLL, $ES_WANTRETURN, $WS_VSCROLL))
GUICtrlCreateTabItem("") ; closes the tab group
$Checkbox1 = GUICtrlCreateCheckbox("禁止所有加载", 352, 496, 97, 17)
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###
#include <Array.au3>
#include <WinAPI.au3>
#include <WinAPIEx.au3>
#include <GuiListView.au3>
#include <GuiMenu.au3>
;~ #include <lsasecur.au3>
#include <LocalSecurityAuthority.au3>
; Command id returned by the popup menu for "unload module".
Global Const $UnModule = 1000
; Right-click menu for the module list; shown and dispatched in WM_NOTIFY.
$Menu1 = _GUICtrlMenu_CreatePopup()
_GUICtrlMenu_InsertMenuItem($Menu1, 0, "卸载模块", $UnModule)
; Route list-view notifications (clicks) to the WM_NOTIFY function below.
GUIRegisterMsg($WM_NOTIFY, "WM_NOTIFY")
;~ $a=_WinAPI_EnumProcessThreads( 2208 )
;~ _ArrayDisplay($a)
;~ Exit
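; Fill the process table once at start-up.
; _PEx_EnumProcess() returns a 2-D array: [0][0] = row count, and per row
; [n][0..4] = name | PID | image path | CompanyName | FileDescription - one
; column per list-view column. The posted code had lost the second index on
; every access ($_PROC, $_PROC[$i]), which is restored here.
; PIDs above 30000 are never probed; raise the ceiling if processes go missing
; on a long-running machine.
; Rows whose image does not carry "Microsoft Corporation" in its version
; resource are drawn red. That string is trivially forged, so treat the
; colour as a noise filter, not a trust signal.
Global $_PROC = _PEx_EnumProcess(30000)
For $i = 1 To $_PROC[0][0]
	GUICtrlCreateListViewItem(_ArrayToString($_PROC, "|", $i, $i), $ListView1)
	If $_PROC[$i][3] <> 'Microsoft Corporation' Then GUICtrlSetColor(-1, '0xFF0000')
Next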
; Message pump: sleep on GUI events and leave when the window is closed.
; List-view clicks are handled in WM_NOTIFY (registered above), so the close
; event is the only thing this loop has to notice.
Do
Until GUIGetMsg() = $GUI_EVENT_CLOSE
Exit
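; Refill ListView2 with the non-Microsoft modules of process $iPID.
; Each row: module handle | module path | CompanyName | FileDescription, in red.
; The path column keeps the value exactly as reported (no \SystemRoot rewrite)
; so it still matches what _UnloadDll enumerates; the rewritten path is only
; used to let FileGetVersion open the file.
; The list is cleared first; if the process cannot be enumerated (access
; denied, 32/64-bit mismatch, exited) it stays empty and @error = 1.
; "Microsoft Corporation" is read from the version resource, which any file
; can claim - a noise filter, not a trust decision.
; The posted version had lost the 2-D indices into the module array.
Func _PEx_EnumProcessModules($iPID)
	Local $i, $_PPath, $_PCompanyName, $_PFileDescription
	_GUICtrlListView_DeleteAllItems($ListView2)
	Local $_PModule = _WinAPI_EnumProcessModules($iPID, $LIST_MODULES_ALL)
	If Not IsArray($_PModule) Then Return SetError(1)
	For $i = 1 To $_PModule[0][0]
		$_PPath = StringReplace($_PModule[$i][1], "\SystemRoot", @WindowsDir, 0, 1)
		$_PCompanyName = FileGetVersion($_PPath, 'CompanyName')
		If $_PCompanyName = 'Microsoft Corporation' Then ContinueLoop
		$_PFileDescription = FileGetVersion($_PPath, 'FileDescription')
		GUICtrlCreateListViewItem($_PModule[$i][0] & '|' & $_PModule[$i][1] & '|' & $_PCompanyName & '|' & $_PFileDescription, $ListView2)
		GUICtrlSetColor(-1, '0xFF0000')
	Next
EndFunc   ;==>_PEx_EnumProcessModules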
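; WM_NOTIFY handler for the two list views (registered via GUIRegisterMsg).
;   ListView1 (processes): left click -> _PEx_EnumProcessModules fills
;     ListView2 with that process's non-Microsoft modules.
;   ListView2 (modules): right click -> popup menu; "卸载模块" injects a
;     FreeLibrary thread into the target through _UnloadDll, then refreshes.
;
; Fixes vs. the posted version: the PID is read from the clicked row (column
; 1) instead of indexing $_PROC by list position, which silently breaks if
; the list is ever re-sorted; the lost 2-D index on that $_PROC access is
; thereby avoided altogether; the stray ContinueCase into an empty case is
; replaced by a plain If; multi-selection ("a|b") is rejected like a click on
; empty space. Runs on the GUI thread inside message dispatch - keep it quick
; and do not MsgBox from here.
Func WM_NOTIFY($hWnd, $iMsg, $iwParam, $ilParam)
	Local $hWndFrom, $iCode, $tNMHDR, $hWndListView1, $hWndListView2, $SelectedID
	Local $_INDEX, $_SelectListView1, $_ListView1_PID, $_ListView2_DLL
	$tNMHDR = DllStructCreate($tagNMHDR, $ilParam)
	$hWndFrom = HWnd(DllStructGetData($tNMHDR, "hWndFrom"))
	$iCode = DllStructGetData($tNMHDR, "Code")
	$hWndListView1 = GUICtrlGetHandle($ListView1)
	$hWndListView2 = GUICtrlGetHandle($ListView2)
	Switch $hWndFrom
		Case $hWndListView1
			If $iCode = $NM_CLICK Then
				$_SelectListView1 = _GUICtrlListView_GetSelectedIndices($hWndListView1)
				; "" = click on empty space, "a|b" = multi-select: neither names one process
				If StringIsDigit($_SelectListView1) Then
					$_ListView1_PID = Int(_GUICtrlListView_GetItemText($hWndListView1, $_SelectListView1, 1)) ; column 1 = PID
					_PEx_EnumProcessModules($_ListView1_PID)
				EndIf
			EndIf
		Case $hWndListView2
			If $iCode = $NM_RCLICK Then
				$_INDEX = _GUICtrlListView_GetSelectedIndices($hWndListView2)
				If $_INDEX = "" Then
					_GUICtrlMenu_SetItemDisabled($Menu1, 0)
				Else
					_GUICtrlMenu_SetItemEnabled($Menu1, 0)
				EndIf
				$SelectedID = _GUICtrlMenu_TrackPopupMenu($Menu1, $hWndListView2, -1, -1, 1, 1, 2)
				If $SelectedID = $UnModule And StringIsDigit($_INDEX) Then
					$_SelectListView1 = _GUICtrlListView_GetSelectedIndices($hWndListView1)
					If StringIsDigit($_SelectListView1) Then
						$_ListView1_PID = Int(_GUICtrlListView_GetItemText($hWndListView1, $_SelectListView1, 1))
						$_ListView2_DLL = _GUICtrlListView_GetItemText($hWndListView2, $_INDEX, 1)
						; Forced unload = remote-thread injection into a live process. It can crash
						; the target and only works for same-bitness, non-protected processes.
						_UnloadDll($_ListView1_PID, $_ListView2_DLL)
						; Re-read the module list so the user sees whether the unload actually took.
						_PEx_EnumProcessModules($_ListView1_PID)
					EndIf
				EndIf
			EndIf
	EndSwitch
	Return $GUI_RUNDEFMSG
EndFunc   ;==>WM_NOTIFY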
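; Enumerate processes by trying OpenProcess on every PID from 0 to $iMaxID.
;
; $iMaxID - highest PID to probe (default 65535).
; Returns a 2-D array: [0][0] = number of rows; for each row n >= 1
;   [n][0] process name      [n][1] PID        [n][2] image path
;   [n][3] CompanyName       [n][4] FileDescription (both from the version resource)
;
; Caveats for anyone using this as a security tool:
;  * Only processes that can be opened with PROCESS_QUERY_INFORMATION |
;    PROCESS_VM_READ show up. Protected processes and, without
;    SeDebugPrivilege, other users' processes are silently skipped - the list
;    is not a complete picture of the machine. ProcessList() or
;    _WinAPI_EnumProcesses() are the right tool for a full inventory.
;  * Changes vs. the posted version: the lost 2-D indices are restored, the
;    process handle is no longer leaked when GetModuleFileNameEx fails, the
;    loop steps by 4 outright (NT PIDs are always multiples of 4, which is what
;    the old "$i += 3" was reaching for), and \SystemRoot is mapped to the real
;    Windows directory instead of a hard-coded C:\windows.
Func _PEx_EnumProcess($iMaxID = 65535)
	Local $_PROCESS_INDEX[1][5]
	Local $i, $x, $_PHandle, $_PPath, $_PName, $_PCompanyName, $_PFileDescription
	For $i = 0 To $iMaxID Step 4
		$_PHandle = _WinAPI_OpenProcess(0x00000410, 0, $i) ; PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
		If Not $_PHandle Then ContinueLoop
		$_PPath = _WinAPI_GetModuleFileNameEx($_PHandle)
		If @error Then
			_WinAPI_CloseHandle($_PHandle) ; the posted code leaked the handle on this path
			ContinueLoop
		EndIf
		_WinAPI_CloseHandle($_PHandle)
		$_PName = _WinAPI_GetProcessName($i)
		; Some image paths come back in NT form (\SystemRoot\...), which
		; FileGetVersion cannot open; rewrite the prefix to the real Windows dir.
		$_PPath = StringReplace($_PPath, "\SystemRoot", @WindowsDir, 0, 1)
		$_PCompanyName = FileGetVersion($_PPath, 'CompanyName')
		$_PFileDescription = FileGetVersion($_PPath, 'FileDescription')
		$x = UBound($_PROCESS_INDEX)
		ReDim $_PROCESS_INDEX[$x + 1][5]
		$_PROCESS_INDEX[$x][0] = $_PName
		$_PROCESS_INDEX[$x][1] = $i
		$_PROCESS_INDEX[$x][2] = $_PPath
		$_PROCESS_INDEX[$x][3] = $_PCompanyName
		$_PROCESS_INDEX[$x][4] = $_PFileDescription
	Next
	$_PROCESS_INDEX[0][0] = UBound($_PROCESS_INDEX) - 1
	Return $_PROCESS_INDEX
EndFunc   ;==>_PEx_EnumProcess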
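; List the modules loaded in process $iPID, optionally dropping Microsoft ones.
;
; $iPID  - process ID; if it does not exist, returns "" with @error = 1.
; $iSafe - 1 (default): keep only modules whose CompanyName version string is
;          not "Microsoft Corporation"; any other value keeps every module.
;          (The posted code returned garbage for $iSafe <> 1.)
; $iFlag - LIST_MODULES_* filter passed to _WinAPI_EnumProcessModules (3 = all).
;
; Returns a 2-D array: [0][0] = count, [n][0] = module handle,
; [n][1] = module path, [n][2] = CompanyName. @error = 2 if the process could
; not be enumerated (access denied, bitness mismatch, ...).
;
; The CompanyName string is whatever the file's author put in its version
; resource; an attacker can write "Microsoft Corporation" there as easily as
; anyone else. Use this to cut noise, not to decide trust.
; Not called anywhere in this listing (the GUI uses _PEx_EnumProcessModules).
Func _PEx_EnumModules($iPID, $iSafe = 1, $iFlag = 3)
	If Not ProcessExists($iPID) Then Return SetError(1) ; not a live process
	Local $i, $n, $_CompanyName
	Local $_Modules[1][3]
	Local $_ENUM_MODULE = _WinAPI_EnumProcessModules($iPID, $iFlag)
	If @error Or Not IsArray($_ENUM_MODULE) Then Return SetError(2)
	For $i = 1 To $_ENUM_MODULE[0][0]
		; \SystemRoot\... is an NT path FileGetVersion cannot open
		$_CompanyName = FileGetVersion(StringReplace($_ENUM_MODULE[$i][1], "\SystemRoot", @WindowsDir, 0, 1), 'CompanyName')
		If $iSafe = 1 And $_CompanyName = 'Microsoft Corporation' Then ContinueLoop
		$n = UBound($_Modules)
		ReDim $_Modules[$n + 1][3]
		$_Modules[$n][0] = $_ENUM_MODULE[$i][0]
		$_Modules[$n][1] = $_ENUM_MODULE[$i][1]
		$_Modules[$n][2] = $_CompanyName
	Next
	$_Modules[0][0] = UBound($_Modules) - 1
	Return $_Modules
EndFunc   ;==>_PEx_EnumModules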
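; Force-unload module $sModule from process $iProcessID by creating a remote
; thread in that process whose start address is kernel32!FreeLibrary and whose
; argument is the module's HMODULE.
;
; $iProcessID - target PID.  $sModule - module path as listed for the process.
; Returns 1 if the module is gone afterwards, 0 if it is still present or was
; never found; @error set (and 0 returned) if the process cannot be opened or
; FreeLibrary cannot be located.
;
; Read before reusing:
;  * This is the textbook CreateRemoteThread injection primitive, run with
;    SeDebugPrivilege. Expect AV/EDR to flag the tool itself.
;  * The FreeLibrary address is looked up in THIS process and assumed to be
;    valid in the target. That only holds when both have the same bitness and
;    kernel32 sits at the same base (system DLLs share a per-boot base, so it
;    usually works between same-bitness processes). A 32-bit script against a
;    64-bit process, protected/PPL processes or processes the token cannot
;    open will fail - presumably why the author saw it work "only for some".
;  * FreeLibrary only decrements the load count: a module loaded more than
;    once, pinned, or part of the loader's own set (ntdll, kernel32, the EXE)
;    will not go away.
;  * Pulling a DLL out from under running threads can crash the target, and
;    malware can simply re-inject. A real "block loading" feature needs a
;    kernel image-load callback, not this.
;  * Changes vs. the posted version: lost 2-D indices restored, the remote
;    thread is waited on before the module list is re-read (the old code
;    re-enumerated immediately, so its result was a race), $iFlags always has
;    a value, and the process handle is closed on every exit path.
Func _UnloadDll($iProcessID, $sModule)
	Local $aModule, $hModule, $pFreeLibrary, $hThread, $hProcess, $i
	Local $hToken, $aPriv = [[$SE_DEBUG_NAME, 2]], $iFlags = 0
	; SeDebugPrivilege lets OpenProcess succeed on processes of other users (needs admin to hold it).
	$hToken = _OpenProcessToken(-1)
	_AdjustTokenPrivileges($hToken, $aPriv)
	_LsaCloseHandle($hToken)
	$hProcess = _OpenProcess($iProcessID)
	If $hProcess < 1 Then Return SetError(@error, 0, 0)
	; _GetFullPathName resolves against the current directory, so pass a real Win32 path.
	$sModule = _GetFullPathName($sModule)
	$hModule = _GetModuleHandle("Kernel32.dll")
	$pFreeLibrary = _GetProcAddress($hModule, "FreeLibrary")
	If Not $pFreeLibrary Then
		_LsaCloseHandle($hProcess)
		Return SetError(2, 0, 0)
	EndIf
	$aModule = _EnumProcessModules($hProcess)
	For $i = 1 To $aModule[0][0]
		If $aModule[$i][1] <> $sModule Then ContinueLoop ; AutoIt <> on strings is case-insensitive, fine for paths
		$hThread = _CreateRemoteThread($hProcess, 0, 0, $pFreeLibrary, $aModule[$i][0], 0)
		If Not $hThread Then ContinueLoop
		; Let FreeLibrary actually run (bounded wait) before we re-check the module list.
		DllCall("Kernel32.dll", "dword", "WaitForSingleObject", "handle", $hThread, "dword", 5000)
		_LsaCloseHandle($hThread)
		$iFlags = 1
	Next
	$aModule = _EnumProcessModules($hProcess)
	For $i = 1 To $aModule[0][0]
		If $aModule[$i][1] = $sModule Then $iFlags = 0
	Next
	Return SetError(0, _LsaCloseHandle($hProcess), $iFlags)
EndFunc   ;==>_UnloadDll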
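; Resolve $sFile to an absolute path with kernel32!GetFullPathName.
; Returns the resolved path; on failure returns $sFile unchanged with @error = 1.
; Relative and NT-style (\SystemRoot\...) inputs are resolved against the
; current directory/drive, which is almost never what the caller means, so
; feed it proper Win32 paths.
; The posted version returned the whole DllCall array (lost "[3]") and passed
; a "str" for the LPTSTR* lpFilePart out-parameter; that pointer is NULL now.
Func _GetFullPathName($sFile)
	Local $aRet = DllCall("Kernel32.dll", "dword", "GetFullPathName", _
			"str", $sFile, "dword", 4096, "str", "", "ptr", 0)
	If @error Or Not $aRet[0] Or $aRet[0] > 4096 Then Return SetError(1, 0, $sFile)
	Return $aRet[3]
EndFunc   ;==>_GetFullPathName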
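; Handle of a module already mapped in THIS process (nothing is loaded).
; Returns the HMODULE, or 0 with @error = GetLastError() if it is not loaded.
; The posted version declared the return as "long", which truncates 64-bit
; handles, and returned the raw DllCall array instead of element [0].
Func _GetModuleHandle($sModule)
	Local $aRet = DllCall("Kernel32.dll", "handle", "GetModuleHandle", "str", $sModule)
	If @error Then Return SetError(1, 0, 0)
	If Not $aRet[0] Then Return SetError(_GetLastError(), 0, 0)
	Return $aRet[0]
EndFunc   ;==>_GetModuleHandle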
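; Modules mapped in $hProcess (a handle with PROCESS_QUERY_INFORMATION |
; PROCESS_VM_READ). Returns a 2-D array: [0][0] = count,
; [n][0] = HMODULE, [n][1] = full path (from _GetModuleFileNameEx).
; On failure returns a 1x2 array with [0][0] = 0 and @error set, so callers
; that loop 1..[0][0] simply see nothing.
; EnumProcessModules fails with ERROR_PARTIAL_COPY across a 32/64-bit
; boundary - a common reason this tool "does not work" on some processes.
; Changes vs. the posted version: the HMODULE buffer is a DllStruct sized by
; the script's pointer width (the old code hard-coded 4-byte "hWnd" slots,
; wrong for x64), so HeapAlloc/HeapFree and _FreeVariable - which this
; listing never defines outside a #cs block - are no longer needed.
Func _EnumProcessModules($hProcess)
	Local $aResult[1][2] = [[0, ""]]
	Local $i, $iCount, $iHave, $tBuffer
	Local $iPtrSize = DllStructGetSize(DllStructCreate("ptr"))
	; First call with an empty buffer just asks how many bytes are needed.
	Local $aRet = DllCall("Psapi.dll", "bool", "EnumProcessModules", "handle", $hProcess, _
			"ptr", 0, "dword", 0, "dword*", 0)
	If @error Or Not $aRet[4] Then Return SetError(1, 0, $aResult)
	$iCount = Int($aRet[4] / $iPtrSize)
	$tBuffer = DllStructCreate("ptr Modules[" & $iCount & "]")
	$aRet = DllCall("Psapi.dll", "bool", "EnumProcessModules", "handle", $hProcess, _
			"ptr", DllStructGetPtr($tBuffer), "dword", DllStructGetSize($tBuffer), "dword*", 0)
	If @error Or Not $aRet[0] Then Return SetError(2, 0, $aResult)
	; The module list may have grown between the two calls; never read past the buffer.
	$iHave = Int($aRet[4] / $iPtrSize)
	If $iHave < $iCount Then $iCount = $iHave
	ReDim $aResult[$iCount + 1][2]
	For $i = 1 To $iCount
		$aResult[$i][0] = DllStructGetData($tBuffer, "Modules", $i)
		$aResult[$i][1] = _GetModuleFileNameEx($hProcess, $aResult[$i][0])
	Next
	$aResult[0][0] = $iCount
	Return $aResult
EndFunc   ;==>_EnumProcessModules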
Func _GetModuleFileNameEx($hProcess, $hModule)
Local $iResult
$iResult = DllCall("Psapi.dll", "dword", "GetModuleFileNameEx", "hWnd", $hProcess, _
"hWnd", $hModule, "str", "", "dword", 260)
Return $iResult
EndFunc ;==>_GetModuleFileNameEx
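; Address of export $sProcdure in module $hModule, in THIS process.
; Returns the pointer, or 0 with @error = 1 if the export does not exist.
; When the result is used as a remote thread start address (see
; _UnloadDll), it is only meaningful if the target process maps the same
; module at the same base - true for same-bitness processes in one boot
; session, not across a 32/64-bit boundary.
; The posted version returned the raw DllCall array (lost "[0]").
Func _GetProcAddress($hModule, $sProcdure)
	Local $aRet = DllCall("Kernel32.dll", "ptr", "GetProcAddress", "handle", $hModule, "str", $sProcdure)
	If @error Or Not $aRet[0] Then Return SetError(1, 0, 0)
	Return $aRet[0]
EndFunc   ;==>_GetProcAddress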
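; Thin wrapper over kernel32!CreateRemoteThread.
; Returns the thread handle (caller must close it) with @extended = thread
; id, or 0 with @error = GetLastError() on failure.
; This is the classic process-injection primitive: $pStartAddr is executed
; inside $hProcess with $pParam as its single argument. It needs a handle
; with PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_*
; rights and is exactly what EDR hooks look for. The author's note below
; ("only works for some processes") is consistent with the usual failure
; modes: access denied on protected or other-session processes, and a
; 32-bit script handing a 32-bit kernel32 address to a 64-bit target.
; Changes vs. the posted version: the raw DllCall array is no longer
; returned (lost "[0]"), the stack size is passed as SIZE_T rather than
; DWORD, and @error is only set when the call actually failed (the old code
; reported a stale GetLastError() on success too).
Func _CreateRemoteThread($hProcess, $pThreadSecur, $iStackSize, $pStartAddr, $pParam, $iFlags)
	Local $aRet = DllCall("Kernel32.dll", "handle", "CreateRemoteThread", "handle", $hProcess, _
			"ptr", $pThreadSecur, "ulong_ptr", $iStackSize, "ptr", $pStartAddr, _
			"ptr", $pParam, "dword", $iFlags, "dword*", 0)
	If @error Then Return SetError(1, 0, 0)
	If Not $aRet[0] Then Return SetError(_GetLastError(), 0, 0)
	Return SetError(0, $aRet[7], $aRet[0])
EndFunc ;==>_CreateRemoteThread可以卸载DLL,但是只有某些进程可以,很多进程还是不可以的!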