作为一个杀毒软件，必须扫描所有进程的每一个线程，才能分析出病毒的行为。
下面我们演示一下，基于 Visual C++ 2010 开发的 Windows 7 杀毒应用程序范例，
检测所有的进程线程信息
打开 VS2010，新建一个 CLR 工程，
插入下列代码，详情见注释。
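#pragma once

namespace yincheng01 {

    using namespace System;
    using namespace System::ComponentModel;
    using namespace System::Collections;
    using namespace System::Windows::Forms;
    using namespace System::Data;
    using namespace System::Drawing;
    using namespace System::Diagnostics;

    /// <summary>
    /// Main form of the demo: lists every process on the machine as a tree
    /// (process name -> thread ids) and shows the selected thread's details
    /// in a two-column list view.
    ///
    /// Warning: if the name of this class changes, the "Resource File Name"
    /// property of the managed resource compiler tool associated with every
    /// .resx file this class depends on must be changed as well; otherwise the
    /// designer cannot interact correctly with this form's localized resources.
    /// </summary>
    public ref class Form1 : public System::Windows::Forms::Form
    {
    public:
        Form1(void)
        {
            InitializeComponent();
        }

    protected:
        /// <summary>
        /// Clean up any resources being used.
        /// </summary>
        ~Form1()
        {
            if (components)
            {
                delete components;
            }
        }

    private: System::Windows::Forms::Button^ button1;
    private: System::Windows::Forms::TreeView^ treeView1;
    private: System::Windows::Forms::ListView^ listView1;
    private: System::Windows::Forms::ColumnHeader^ columnHeader1;
    private: System::Windows::Forms::ColumnHeader^ columnHeader2;
    private:
        /// <summary>
        /// Required designer variable.
        /// </summary>
        System::ComponentModel::Container ^components;

#pragma region Windows Form Designer generated code
        /// <summary>
        /// Required method for Designer support - do not modify
        /// the contents of this method with the code editor.
        /// </summary>
        void InitializeComponent(void)
        {
            this->button1 = (gcnew System::Windows::Forms::Button());
            this->treeView1 = (gcnew System::Windows::Forms::TreeView());
            this->listView1 = (gcnew System::Windows::Forms::ListView());
            this->columnHeader1 = (gcnew System::Windows::Forms::ColumnHeader());
            this->columnHeader2 = (gcnew System::Windows::Forms::ColumnHeader());
            this->SuspendLayout();
            //
            // button1
            //
            this->button1->Location = System::Drawing::Point(2, 2);
            this->button1->Name = L"button1";
            this->button1->Size = System::Drawing::Size(156, 23);
            this->button1->TabIndex = 0;
            this->button1->Text = L"获取系统所有进程及线程";
            this->button1->UseVisualStyleBackColor = true;
            this->button1->Click += gcnew System::EventHandler(this, &Form1::button1_Click);
            //
            // treeView1
            //
            this->treeView1->Anchor = static_cast<System::Windows::Forms::AnchorStyles>(((System::Windows::Forms::AnchorStyles::Top | System::Windows::Forms::AnchorStyles::Bottom) | System::Windows::Forms::AnchorStyles::Left));
            this->treeView1->Location = System::Drawing::Point(2, 28);
            this->treeView1->Name = L"treeView1";
            this->treeView1->Size = System::Drawing::Size(156, 365);
            this->treeView1->TabIndex = 1;
            this->treeView1->AfterSelect += gcnew System::Windows::Forms::TreeViewEventHandler(this, &Form1::treeView1_AfterSelect);
            //
            // listView1
            //
            this->listView1->Anchor = static_cast<System::Windows::Forms::AnchorStyles>((((System::Windows::Forms::AnchorStyles::Top | System::Windows::Forms::AnchorStyles::Bottom) | System::Windows::Forms::AnchorStyles::Left) | System::Windows::Forms::AnchorStyles::Right));
            this->listView1->Columns->AddRange(gcnew cli::array< System::Windows::Forms::ColumnHeader^ >(2) {this->columnHeader1, this->columnHeader2});
            this->listView1->FullRowSelect = true;
            this->listView1->GridLines = true;
            this->listView1->Location = System::Drawing::Point(163, 2);
            this->listView1->Name = L"listView1";
            this->listView1->Size = System::Drawing::Size(759, 391);
            this->listView1->TabIndex = 2;
            this->listView1->UseCompatibleStateImageBehavior = false;
            this->listView1->View = System::Windows::Forms::View::Details;
            //
            // columnHeader1
            //
            this->columnHeader1->Text = L"对象名称";
            this->columnHeader1->Width = 120;
            //
            // columnHeader2
            //
            this->columnHeader2->Text = L"对象信息";
            this->columnHeader2->Width = 300;
            //
            // Form1
            //
            this->AutoScaleDimensions = System::Drawing::SizeF(6, 12);
            this->AutoScaleMode = System::Windows::Forms::AutoScaleMode::Font;
            this->ClientSize = System::Drawing::Size(927, 396);
            this->Controls->Add(this->listView1);
            this->Controls->Add(this->treeView1);
            this->Controls->Add(this->button1);
            this->Name = L"Form1";
            this->StartPosition = System::Windows::Forms::FormStartPosition::CenterScreen;
            this->Text = L"演示在Windows7下获取指定进程线程信息-CSDN著名技术专家尹成的杰作";
            this->ResumeLayout(false);
        }
#pragma endregion

    public: TreeNode^ MyRootNode;          // root of the process tree, rebuilt on every button click
    public: Process^ MyCurrentProcess;     // process resolved by the last click on a process node

    private:
        /// <summary>
        /// Returns the Process object attached to a tree node (stored in Tag when the
        /// tree is built by button1_Click), or nullptr when the node carries none.
        /// </summary>
        static Process^ ProcessFromNode(TreeNode^ node)
        {
            if (node == nullptr)
            {
                return nullptr;
            }
            return dynamic_cast<Process^>(node->Tag);
        }

        /// <summary>
        /// Resolves the process a selected process node refers to and stores it in
        /// MyCurrentProcess (nullptr when it can no longer be found).
        /// </summary>
        /// <param name="SelectNode">The selected node under MyRootNode.</param>
        /// <param name="SelectNodeName">The node text, i.e. the process name.</param>
        void GetCurrentProcess(TreeNode^ SelectNode, String^ SelectNodeName)
        {
            // Preferred path: the Process captured when the node was created. This is
            // exact even when several processes share a name or the process list has
            // changed since the tree was built.
            Process^ tagged = ProcessFromNode(SelectNode);
            if (tagged != nullptr)
            {
                this->MyCurrentProcess = tagged;
                return;
            }

            // Fallback (nodes built without a Tag): pick the k-th process of that name,
            // where k is the position of the node among its same-named siblings.
            array<Process^>^ MyProcessNode = Process::GetProcessesByName(SelectNodeName);
            if (MyProcessNode->Length == 0)
            {
                // The process exited between enumeration and the click.
                this->MyCurrentProcess = nullptr;
                return;
            }
            int i = 1;
            TreeNode^ MyTempNode = SelectNode;
            // PrevNode is nullptr for the first child; it must be checked before its
            // Text is read, otherwise selecting the first process throws.
            while ((i < MyProcessNode->Length)
                && (MyTempNode->PrevNode != nullptr)
                && (MyTempNode->PrevNode->Text == SelectNodeName))
            {
                i++;
                MyTempNode = MyTempNode->PrevNode;
            }
            this->MyCurrentProcess = MyProcessNode[i - 1];
        }

        /// <summary>
        /// Rebuilds the tree: one node per running process, with one child per thread id.
        /// </summary>
        System::Void button1_Click(System::Object^ sender, System::EventArgs^ e)
        {
            treeView1->Nodes->Clear();
            MyRootNode = gcnew TreeNode("当前系统所有进程");

            // Snapshot of the processes on this machine.
            array<Process^>^ MyProcesses = Process::GetProcesses();
            for each (Process^ MyProcess in MyProcesses)
            {
                // Keep a handle to the node we just added instead of indexing MyRootNode->Nodes
                // with a separate counter: the old counter was not advanced on the "access
                // denied" path below, so thread ids of the next process ended up under the
                // wrong (previous) process node.
                TreeNode^ processNode = MyRootNode->Nodes->Add(MyProcess->ProcessName);
                processNode->Tag = MyProcess;

                try
                {
                    // Probe the module list as before: modules of other users' or protected
                    // processes cannot be read unless this tool runs elevated, and such
                    // processes are shown without thread children. The tool deliberately does
                    // not request extra privileges; it only shows what the current account may read.
                    ProcessModuleCollection^ MyModules = MyProcess->Modules;
                    if (MyModules == nullptr)
                    {
                        continue;
                    }

                    // One child node per thread, labelled with the thread id.
                    for each (ProcessThread^ MyThread in MyProcess->Threads)
                    {
                        TreeNode^ threadNode = processNode->Nodes->Add(MyThread->Id.ToString());
                        threadNode->Tag = MyThread->Id;
                    }
                }
                catch (Exception^ MyEx)
                {
                    // Access denied (or the process exited): leave the process node without children.
                    continue;
                }
            }

            treeView1->Nodes->Add(MyRootNode);
        }

        /// <summary>
        /// Adds one "name / value" row to the detail list view.
        /// </summary>
        void AddRow(String^ name, String^ value)
        {
            this->listView1->Items->Add(name)->SubItems->Add(value);
        }

        /// <summary>
        /// Human-readable text for a thread state, or nullptr for a value this demo does not label.
        /// </summary>
        static String^ DescribeThreadState(ThreadState state)
        {
            switch (state)
            {
            case ThreadState::Initialized: return "线程已初始化但尚未启动";
            case ThreadState::Ready:       return "线程准备在下一个可用的处理器上运行";
            case ThreadState::Running:     return "当前正在使用处理器";
            case ThreadState::Standby:     return "将要使用处理器";
            case ThreadState::Terminated:  return "已完成执行并已退出";
            case ThreadState::Transition:  return "在可以执行前等待处理器之外的资源";
            case ThreadState::Unknown:     return "状态未知";
            case ThreadState::Wait:        return "正在等待外围操作完成或等待资源释放";
            default:                       return nullptr;
            }
        }

        /// <summary>
        /// Human-readable text for a wait reason, or nullptr for a value this demo does not label.
        /// </summary>
        static String^ DescribeWaitReason(ThreadWaitReason reason)
        {
            switch (reason)
            {
            case ThreadWaitReason::EventPairHigh:    return "线程正在等待事件对高";
            case ThreadWaitReason::EventPairLow:     return "线程正在等待事件对低";
            case ThreadWaitReason::ExecutionDelay:   return "线程执行延迟";
            case ThreadWaitReason::Executive:        return "线程正在等待计划程序";
            case ThreadWaitReason::FreePage:         return "线程正在等待可用的虚拟内存页";
            case ThreadWaitReason::LpcReceive:       return "线程正在等待本地过程调用到达";
            case ThreadWaitReason::LpcReply:         return "线程正在等待对本地过程调用的回复到达";
            case ThreadWaitReason::PageIn:           return "线程正在等待虚拟内存页到达内存";
            case ThreadWaitReason::PageOut:          return "线程正在等待虚拟内存页写入磁盘";
            case ThreadWaitReason::Suspended:        return "线程执行暂停";
            case ThreadWaitReason::SystemAllocation: return "线程正在等待系统分配";
            case ThreadWaitReason::Unknown:          return "线程正在因未知原因而等待";
            case ThreadWaitReason::UserRequest:      return "线程正在等待用户请求";
            case ThreadWaitReason::VirtualMemory:    return "线程正在等待系统分配虚拟内存";
            default:                                 return nullptr;
            }
        }

        /// <summary>
        /// Fills the list view with the details of the thread whose id text is threadIdText
        /// inside process owner. Shows a message box when the thread cannot be found or read.
        /// </summary>
        void ShowThreadDetails(Process^ owner, String^ threadIdText)
        {
            this->listView1->Items->Clear();
            if (owner == nullptr)
            {
                MessageBox::Show("请首先单击进程名称后再单击进程下的线程!", "信息提示", MessageBoxButtons::OK, MessageBoxIcon::Information);
                return;
            }

            try
            {
                for each (ProcessThread^ MyThread in owner->Threads)
                {
                    if (!String::Equals(MyThread->Id.ToString(), threadIdText))
                    {
                        continue;
                    }

                    AddRow("标识符", MyThread->Id.ToString());
                    AddRow("基本优先级", MyThread->BasePriority.ToString());
                    AddRow("当前优先级", MyThread->CurrentPriority.ToString());
                    AddRow("内存地址", MyThread->StartAddress.ToString());
                    // StartTime / UserProcessorTime need a handle to the thread and throw for
                    // processes the current account may not open; handled by the catch below.
                    AddRow("启动时间", MyThread->StartTime.ToString());
                    AddRow("使用时间", MyThread->UserProcessorTime.ToString());

                    ThreadState state = MyThread->ThreadState;
                    String^ stateText = DescribeThreadState(state);
                    if (stateText != nullptr)
                    {
                        AddRow("当前状态", stateText);
                    }

                    // WaitReason is only valid while the thread is in the Wait state; reading it
                    // for any other state throws, which previously aborted the whole listing.
                    if (state == ThreadState::Wait)
                    {
                        String^ reasonText = DescribeWaitReason(MyThread->WaitReason);
                        if (reasonText != nullptr)
                        {
                            AddRow("等待原因", reasonText);
                        }
                    }
                }

                if (this->listView1->Items->Count < 1)
                {
                    MessageBox::Show("请首先单击进程名称后再单击进程下的线程!", "信息提示", MessageBoxButtons::OK, MessageBoxIcon::Information);
                }
            }
            catch (Exception^ MyEx)
            {
                // Report the real cause (typically access denied or a thread that has exited)
                // instead of the misleading "click the process first" hint.
                MessageBox::Show("读取线程信息失败: " + MyEx->Message, "信息提示", MessageBoxButtons::OK, MessageBoxIcon::Information);
            }
        }

        /// <summary>
        /// Selection handler: a process node records the current process, a thread node
        /// shows that thread's details.
        /// </summary>
        System::Void treeView1_AfterSelect(System::Object^ sender, System::Windows::Forms::TreeViewEventArgs^ e)
        {
            TreeNode^ selected = treeView1->SelectedNode;
            if (selected == nullptr || selected->Parent == nullptr)
            {
                // Root node: nothing to show.
                return;
            }

            if (selected->Parent == MyRootNode)
            {
                GetCurrentProcess(selected, selected->Text);
                return;
            }

            // Thread node: its parent is the process node. Use the parent's tagged process so
            // the user does not have to click the process name first; fall back to the last
            // resolved process for trees built without tags.
            Process^ owner = ProcessFromNode(selected->Parent);
            if (owner == nullptr)
            {
                owner = this->MyCurrentProcess;
            }
            ShowThreadDetails(owner, selected->Text);
        }
    };
}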
按下 F5 执行。