📄 toolhelp.c
Snapshot->ProcessListOffset = DataOffset;
ProcessListEntry = (LPPROCESSENTRY32W)OffsetToPtr(Snapshot, DataOffset);
ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)ProcThrdInfo;
do
{
ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)((ULONG_PTR)ProcessInfo + ProcOffset);
ProcessListEntry->dwSize = sizeof(PROCESSENTRY32W);
ProcessListEntry->cntUsage = 0; /* no longer used */
ProcessListEntry->th32ProcessID = (ULONG)ProcessInfo->UniqueProcessId;
ProcessListEntry->th32DefaultHeapID = 0; /* no longer used */
ProcessListEntry->th32ModuleID = 0; /* no longer used */
ProcessListEntry->cntThreads = ProcessInfo->NumberOfThreads;
ProcessListEntry->th32ParentProcessID = (ULONG)ProcessInfo->InheritedFromUniqueProcessId;
ProcessListEntry->pcPriClassBase = ProcessInfo->BasePriority;
ProcessListEntry->dwFlags = 0; /* no longer used */
if(ProcessInfo->ImageName.Buffer != NULL)
{
lstrcpynW(ProcessListEntry->szExeFile,
ProcessInfo->ImageName.Buffer,
min(ProcessInfo->ImageName.Length / sizeof(WCHAR), sizeof(ProcessListEntry->szExeFile) / sizeof(ProcessListEntry->szExeFile[0])));
}
else
{
lstrcpyW(ProcessListEntry->szExeFile, L"[System Process]");
}
ProcessListEntry++;
ProcOffset = ProcessInfo->NextEntryOffset;
} while(ProcOffset != 0);
DataOffset += nProcesses * sizeof(PROCESSENTRY32W);
}
/* initialize the thread list */
if(dwFlags & TH32CS_SNAPTHREAD)
{
ULONG ProcOffset = 0;
Snapshot->ThreadListCount = nThreads;
Snapshot->ThreadListOffset = DataOffset;
ThreadListEntry = (LPTHREADENTRY32)OffsetToPtr(Snapshot, DataOffset);
ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)ProcThrdInfo;
do
{
PSYSTEM_THREAD_INFORMATION ThreadInfo;
ULONG n;
ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)((ULONG_PTR)ProcessInfo + ProcOffset);
ThreadInfo = (PSYSTEM_THREAD_INFORMATION)(ProcessInfo + 1);
for(n = 0; n < ProcessInfo->NumberOfThreads; n++)
{
ThreadListEntry->dwSize = sizeof(THREADENTRY32);
ThreadListEntry->cntUsage = 0; /* no longer used */
ThreadListEntry->th32ThreadID = (ULONG)ThreadInfo->ClientId.UniqueThread;
ThreadListEntry->th32OwnerProcessID = (ULONG)ThreadInfo->ClientId.UniqueProcess;
ThreadListEntry->tpBasePri = ThreadInfo->BasePriority;
ThreadListEntry->tpDeltaPri = 0; /* no longer used */
ThreadListEntry->dwFlags = 0; /* no longer used */
ThreadInfo++;
ThreadListEntry++;
}
ProcOffset = ProcessInfo->NextEntryOffset;
} while(ProcOffset != 0);
}
/*
* We're done, unmap the view and return the section handle
*/
Status = NtUnmapViewOfSection(NtCurrentProcess(), (PVOID)Snapshot);
if(NT_SUCCESS(Status))
{
*SectionHandle = hSection;
}
else
{
NtClose(hSection);
}
return Status;
}
/* PUBLIC FUNCTIONS ***********************************************************/
/*
* @unimplemented
*/
BOOL
STDCALL
Heap32First(LPHEAPENTRY32 lphe, DWORD th32ProcessID, DWORD th32HeapID)
{
    /*
     * Stub: heap-block enumeration is not implemented. After the parameter
     * check the call always reports "no more entries" and never writes to
     * *lphe.
     *
     * CHECK_PARAM_SIZE is defined outside this listing; presumably it rejects
     * a NULL pointer or a wrong lphe->dwSize and returns from this function
     * itself -- confirm against the macro definition.
     */
    CHECK_PARAM_SIZE(lphe, sizeof(HEAPENTRY32));

    /* Neither identifier is consulted by the stub. */
    (void)th32ProcessID;
    (void)th32HeapID;

    SetLastError(ERROR_NO_MORE_FILES);
    return FALSE;
}
/*
* @unimplemented
*/
BOOL
STDCALL
Heap32Next(LPHEAPENTRY32 lphe)
{
    /*
     * Stub: there is no heap-block iteration state to advance, so once the
     * parameter check has passed the call fails with ERROR_NO_MORE_FILES and
     * leaves *lphe untouched.
     *
     * CHECK_PARAM_SIZE is defined outside this listing; presumably it returns
     * from this function when lphe is NULL or lphe->dwSize is wrong -- confirm.
     */
    CHECK_PARAM_SIZE(lphe, sizeof(HEAPENTRY32));

    SetLastError(ERROR_NO_MORE_FILES);
    return FALSE;
}
/*
* @implemented
*/
BOOL
STDCALL
Heap32ListFirst(HANDLE hSnapshot, LPHEAPLIST32 lphl)
{
    /*
     * Copies the first heap-list entry of a snapshot into *lphl and resets the
     * snapshot's heap-list cursor to 1.
     *
     * hSnapshot is treated as a section handle: the section is mapped into the
     * current process, read, and unmapped again before returning.
     *
     * Returns TRUE when an entry was copied. Returns FALSE with
     * ERROR_NO_MORE_FILES when the list is empty, or FALSE with the mapping
     * status translated by SetLastErrorByStatus when the section cannot be
     * mapped.
     *
     * NOTE(review): HeapListCount and HeapListOffset are read from the mapped
     * section and used as-is; nothing here compares them with the ViewSize
     * returned by the mapping call. A handle to a section that is not a
     * well-formed snapshot would make the copy read outside the view --
     * consider validating the header against ViewSize.
     */
    PTH32SNAPSHOT Snapshot = NULL;
    LARGE_INTEGER SOffset;
    ULONG ViewSize = 0;
    NTSTATUS Status;
    BOOL Ret = FALSE;

    /* Defined outside this listing; presumably returns early on a bad lphl. */
    CHECK_PARAM_SIZE(lphl, sizeof(HEAPLIST32));

    SOffset.QuadPart = 0;

    Status = NtMapViewOfSection(hSnapshot,
                                NtCurrentProcess(),
                                (PVOID*)&Snapshot,
                                0,
                                0,
                                &SOffset,
                                &ViewSize,
                                ViewShare,
                                0,
                                PAGE_READWRITE);
    if(!NT_SUCCESS(Status))
    {
        SetLastErrorByStatus(Status);
        return FALSE;
    }

    if(Snapshot->HeapListCount > 0)
    {
        LPHEAPLIST32 FirstEntry = (LPHEAPLIST32)OffsetToPtr(Snapshot, Snapshot->HeapListOffset);

        /* The cursor lives in the section itself, so it survives the unmap. */
        Snapshot->HeapListIndex = 1;
        RtlCopyMemory(lphl, FirstEntry, sizeof(HEAPLIST32));
        Ret = TRUE;
    }
    else
    {
        SetLastError(ERROR_NO_MORE_FILES);
    }

    NtUnmapViewOfSection(NtCurrentProcess(), (PVOID)Snapshot);
    return Ret;
}
/*
* @implemented
*/
BOOL
STDCALL
Heap32ListNext(HANDLE hSnapshot, LPHEAPLIST32 lphl)
{
    /*
     * Copies the heap-list entry at the snapshot's current cursor into *lphl
     * and advances the cursor by one.
     *
     * hSnapshot is treated as a section handle: the section is mapped into the
     * current process, read, and unmapped again before returning.
     *
     * Returns TRUE when an entry was copied. Returns FALSE with
     * ERROR_NO_MORE_FILES when the list is empty or the cursor has reached
     * HeapListCount, or FALSE with the mapping status translated by
     * SetLastErrorByStatus when the section cannot be mapped.
     *
     * NOTE(review): the cursor is checked against HeapListCount, but
     * HeapListCount and HeapListOffset themselves come from the mapped section
     * and are not compared with the returned ViewSize -- consider validating
     * them before indexing.
     */
    PTH32SNAPSHOT Snapshot = NULL;
    LARGE_INTEGER SOffset;
    ULONG ViewSize = 0;
    NTSTATUS Status;
    BOOL Ret = FALSE;

    /* Defined outside this listing; presumably returns early on a bad lphl. */
    CHECK_PARAM_SIZE(lphl, sizeof(HEAPLIST32));

    SOffset.QuadPart = 0;

    Status = NtMapViewOfSection(hSnapshot,
                                NtCurrentProcess(),
                                (PVOID*)&Snapshot,
                                0,
                                0,
                                &SOffset,
                                &ViewSize,
                                ViewShare,
                                0,
                                PAGE_READWRITE);
    if(!NT_SUCCESS(Status))
    {
        SetLastErrorByStatus(Status);
        return FALSE;
    }

    if(Snapshot->HeapListCount > 0 &&
       Snapshot->HeapListIndex < Snapshot->HeapListCount)
    {
        LPHEAPLIST32 List = (LPHEAPLIST32)OffsetToPtr(Snapshot, Snapshot->HeapListOffset);

        /* Post-increment: copy the entry at the cursor, then move past it. */
        RtlCopyMemory(lphl, &List[Snapshot->HeapListIndex++], sizeof(HEAPLIST32));
        Ret = TRUE;
    }
    else
    {
        SetLastError(ERROR_NO_MORE_FILES);
    }

    NtUnmapViewOfSection(NtCurrentProcess(), (PVOID)Snapshot);
    return Ret;
}
/*
* @implemented
*/
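BOOL
STDCALL
Module32First(HANDLE hSnapshot, LPMODULEENTRY32 lpme)
{
    /*
     * ANSI wrapper around Module32FirstW: fetches the first module entry as a
     * MODULEENTRY32W, copies the scalar fields to *lpme and converts the two
     * name strings to the ANSI code page.
     *
     * Returns whatever Module32FirstW returned; *lpme is only written when
     * that is TRUE.
     *
     * Module32FirstW fills the wide entry with a raw copy out of the mapped
     * snapshot section, so the strings are not guaranteed to be
     * NUL-terminated here. Both wide strings are therefore terminated before
     * conversion (WideCharToMultiByte is called with length -1 and would
     * otherwise scan past the array), and both ANSI strings are terminated
     * when a conversion fails, e.g. because the multi-byte form does not fit.
     */
    MODULEENTRY32W me;
    BOOL Ret;

    /* Defined outside this listing; presumably returns early on a bad lpme. */
    CHECK_PARAM_SIZEA(lpme, sizeof(MODULEENTRY32));

    me.dwSize = sizeof(MODULEENTRY32W);

    Ret = Module32FirstW(hSnapshot, &me);
    if(Ret)
    {
        lpme->th32ModuleID = me.th32ModuleID;
        lpme->th32ProcessID = me.th32ProcessID;
        lpme->GlblcntUsage = me.GlblcntUsage;
        lpme->ProccntUsage = me.ProccntUsage;
        lpme->modBaseAddr = me.modBaseAddr;
        lpme->modBaseSize = me.modBaseSize;
        lpme->hModule = me.hModule;

        /* Bound the -1 (NUL-terminated) source scans to the arrays. */
        me.szModule[sizeof(me.szModule) / sizeof(me.szModule[0]) - 1] = L'\0';
        me.szExePath[sizeof(me.szExePath) / sizeof(me.szExePath[0]) - 1] = L'\0';

        if(WideCharToMultiByte(CP_ACP, 0, me.szModule, -1, lpme->szModule, sizeof(lpme->szModule), 0, 0) == 0)
        {
            /* Failed conversion: keep what was written, but as a C string. */
            lpme->szModule[sizeof(lpme->szModule) - 1] = '\0';
        }
        if(WideCharToMultiByte(CP_ACP, 0, me.szExePath, -1, lpme->szExePath, sizeof(lpme->szExePath), 0, 0) == 0)
        {
            lpme->szExePath[sizeof(lpme->szExePath) - 1] = '\0';
        }
    }

    return Ret;
}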
/*
* @implemented
*/
BOOL
STDCALL
Module32FirstW(HANDLE hSnapshot, LPMODULEENTRY32W lpme)
{
    /*
     * Copies the first module entry of a snapshot into *lpme and resets the
     * snapshot's module-list cursor to 1.
     *
     * hSnapshot is treated as a section handle: the section is mapped into the
     * current process, read, and unmapped again before returning.
     *
     * Returns TRUE when an entry was copied. Returns FALSE with
     * ERROR_NO_MORE_FILES when the module list is empty, or FALSE with the
     * mapping status translated by SetLastErrorByStatus when the section
     * cannot be mapped.
     *
     * NOTE(review): ModuleListCount and ModuleListOffset are read from the
     * mapped section and used as-is; nothing here compares them with the
     * ViewSize returned by the mapping call. The entry is also copied
     * verbatim, so callers should not assume its strings are NUL-terminated.
     */
    PTH32SNAPSHOT Snapshot = NULL;
    LARGE_INTEGER SOffset;
    ULONG ViewSize = 0;
    NTSTATUS Status;
    BOOL Ret = FALSE;

    /* Defined outside this listing; presumably returns early on a bad lpme. */
    CHECK_PARAM_SIZE(lpme, sizeof(MODULEENTRY32W));

    SOffset.QuadPart = 0;

    Status = NtMapViewOfSection(hSnapshot,
                                NtCurrentProcess(),
                                (PVOID*)&Snapshot,
                                0,
                                0,
                                &SOffset,
                                &ViewSize,
                                ViewShare,
                                0,
                                PAGE_READWRITE);
    if(!NT_SUCCESS(Status))
    {
        SetLastErrorByStatus(Status);
        return FALSE;
    }

    if(Snapshot->ModuleListCount > 0)
    {
        LPMODULEENTRY32W FirstEntry = (LPMODULEENTRY32W)OffsetToPtr(Snapshot, Snapshot->ModuleListOffset);

        /* The cursor lives in the section itself, so it survives the unmap. */
        Snapshot->ModuleListIndex = 1;
        RtlCopyMemory(lpme, FirstEntry, sizeof(MODULEENTRY32W));
        Ret = TRUE;
    }
    else
    {
        SetLastError(ERROR_NO_MORE_FILES);
    }

    NtUnmapViewOfSection(NtCurrentProcess(), (PVOID)Snapshot);
    return Ret;
}
/*
* @implemented
*/
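BOOL
STDCALL
Module32Next(HANDLE hSnapshot, LPMODULEENTRY32 lpme)
{
    /*
     * ANSI wrapper around Module32NextW: fetches the next module entry as a
     * MODULEENTRY32W, copies the scalar fields to *lpme and converts the two
     * name strings to the ANSI code page.
     *
     * Returns whatever Module32NextW returned; *lpme is only written when
     * that is TRUE.
     *
     * The wide entry is produced by a raw copy out of the mapped snapshot
     * section, so its strings are not guaranteed to be NUL-terminated here.
     * Both wide strings are therefore terminated before conversion
     * (WideCharToMultiByte is called with length -1 and would otherwise scan
     * past the array), and both ANSI strings are terminated when a conversion
     * fails, e.g. because the multi-byte form does not fit.
     *
     * NOTE(review): the visible part of Module32NextW bounds-checks
     * ModuleListIndex but indexes and advances ProcessListIndex when copying
     * the entry -- confirm which cursor is intended, since this wrapper
     * inherits that iteration.
     */
    MODULEENTRY32W me;
    BOOL Ret;

    /* Defined outside this listing; presumably returns early on a bad lpme. */
    CHECK_PARAM_SIZEA(lpme, sizeof(MODULEENTRY32));

    me.dwSize = sizeof(MODULEENTRY32W);

    Ret = Module32NextW(hSnapshot, &me);
    if(Ret)
    {
        lpme->th32ModuleID = me.th32ModuleID;
        lpme->th32ProcessID = me.th32ProcessID;
        lpme->GlblcntUsage = me.GlblcntUsage;
        lpme->ProccntUsage = me.ProccntUsage;
        lpme->modBaseAddr = me.modBaseAddr;
        lpme->modBaseSize = me.modBaseSize;
        lpme->hModule = me.hModule;

        /* Bound the -1 (NUL-terminated) source scans to the arrays. */
        me.szModule[sizeof(me.szModule) / sizeof(me.szModule[0]) - 1] = L'\0';
        me.szExePath[sizeof(me.szExePath) / sizeof(me.szExePath[0]) - 1] = L'\0';

        if(WideCharToMultiByte(CP_ACP, 0, me.szModule, -1, lpme->szModule, sizeof(lpme->szModule), 0, 0) == 0)
        {
            /* Failed conversion: keep what was written, but as a C string. */
            lpme->szModule[sizeof(lpme->szModule) - 1] = '\0';
        }
        if(WideCharToMultiByte(CP_ACP, 0, me.szExePath, -1, lpme->szExePath, sizeof(lpme->szExePath), 0, 0) == 0)
        {
            lpme->szExePath[sizeof(lpme->szExePath) - 1] = '\0';
        }
    }

    return Ret;
}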
/*
* @implemented
*/
BOOL
STDCALL
Module32NextW(HANDLE hSnapshot, LPMODULEENTRY32W lpme)
{
PTH32SNAPSHOT Snapshot;
LARGE_INTEGER SOffset;
ULONG ViewSize;
NTSTATUS Status;
CHECK_PARAM_SIZE(lpme, sizeof(MODULEENTRY32W));
SOffset.QuadPart = 0;
ViewSize = 0;
Snapshot = NULL;
Status = NtMapViewOfSection(hSnapshot,
NtCurrentProcess(),
(PVOID*)&Snapshot,
0,
0,
&SOffset,
&ViewSize,
ViewShare,
0,
PAGE_READWRITE);
if(NT_SUCCESS(Status))
{
BOOL Ret;
if(Snapshot->ModuleListCount > 0 &&
Snapshot->ModuleListIndex < Snapshot->ModuleListCount)
{
LPMODULEENTRY32W Entries = (LPMODULEENTRY32W)OffsetToPtr(Snapshot, Snapshot->ModuleListOffset);
RtlCopyMemory(lpme, &Entries[Snapshot->ProcessListIndex++], sizeof(MODULEENTRY32W));
Ret = TRUE;