3

我有一些问题。我将尝试获取我机器上所有进程的所有模块(dll 文件)。我尝试在 CMD 中执行此命令:

tasklist /m

但这是 64 位系统的问题。如果您在 64 位机器上运行 32 位程序,它不会列出所有模块,仅

ntdll.dll, wow64.dll, wow64win.dll, wow64cpu.dll

然后我尝试使用 pywin32 (win32api) 使用 Python 脚本执行此操作。

这是代码:

import win32security,win32file,win32api,ntsecuritycon,win32con,win32process

processes = win32process.EnumProcesses()

for pid in processes:
    dll_list = []
    try:
        if pid:
            print('pid:', pid)
            ph = win32api.OpenProcess(win32con.MAXIMUM_ALLOWED, False, pid)
            dll = win32process.EnumProcessModules(ph)
            for dll_name in dll:
                dll_name_norm = win32process.GetModuleFileNameEx(ph, dll_name)
                dll_list.append(dll_name_norm)

            print("dll_list: ", dll_list)
            print("--------------")
    except:
        print("Error")
        print("--------------")

但结果是一样的。=(请帮我解决这个问题,我如何查看所有 dll 文件,由每个进程加载。

PS 它只能是标准的 Windows 工具,如命令行、任务列表(不是 ListDlls、Process Explorer 或相同的东西)或 Python 中的脚本。

十分感谢!

4

1 回答 1

4

EnumProcessModules只显示与 Python 相同的进程。相反,调用EnumProcessModulesEx.dwFilterFlag=LIST_MODULES_ALL

您当前的代码需要该win32api模块,该模块最近才添加EnumProcessModulesEx,并且不在标准库中。这是一个仅使用标准库的解决方案:

from ctypes import byref, create_unicode_buffer, sizeof, WinDLL
from ctypes.wintypes import DWORD, HMODULE, MAX_PATH

Psapi = WinDLL('Psapi.dll')
Kernel32 = WinDLL('kernel32.dll')

PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010

LIST_MODULES_ALL = 0x03

def EnumProcesses():
    buf_count = 256
    while True:
        buf = (DWORD * buf_count)()
        buf_size = sizeof(buf)
        res_size = DWORD()
        if not Psapi.EnumProcesses(byref(buf), buf_size, byref(res_size)):
            raise OSError('EnumProcesses failed')
        if res_size.value >= buf_size:
            buf_count *= 2
            continue
        count = res_size.value // (buf_size // buf_count)
        return buf[:count]

def EnumProcessModulesEx(hProcess):
    buf_count = 256
    while True:
        buf = (HMODULE * buf_count)()
        buf_size = sizeof(buf)
        needed = DWORD()
        if not Psapi.EnumProcessModulesEx(hProcess, byref(buf), buf_size,
                                          byref(needed), LIST_MODULES_ALL):
            raise OSError('EnumProcessModulesEx failed')
        if buf_size < needed.value:
            buf_count = needed.value // (buf_size // buf_count)
            continue
        count = needed.value // (buf_size // buf_count)
        return map(HMODULE, buf[:count])

def GetModuleFileNameEx(hProcess, hModule):
    buf = create_unicode_buffer(MAX_PATH)
    nSize = DWORD()
    if not Psapi.GetModuleFileNameExW(hProcess, hModule,
                                      byref(buf), byref(nSize)):
        raise OSError('GetModuleFileNameEx failed')
    return buf.value

def get_process_modules(pid):
    hProcess = Kernel32.OpenProcess(
        PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
        False, pid)
    if not hProcess:
        raise OSError('Could not open PID %s' % pid)
    try:
        return [
            GetModuleFileNameEx(hProcess, hModule)
            for hModule in EnumProcessModulesEx(hProcess)]
    finally:
        Kernel32.CloseHandle(hProcess)

for pid in EnumProcesses():
    try:
        dll_list = get_process_modules(pid)
        print('dll_list: ', dll_list)
    except OSError as ose:
        print(str(ose))
    print('-' * 14)
于 2013-07-04T20:40:26.923 回答