4

问题

我已经挂钩TerminateProcess调用以识别正在终止的进程,但是我得到了一个意外的句柄TerminateProcess,它与我尝试拦截的真实进程句柄不匹配。

我正在使用Deviare库,但我认为只要知道TerminateProcess函数的工作原理以及执行正确的句柄比较需要做什么,这个问题就可以解决。

问题:

如果我知道要识别其终止的进程的句柄,我如何从函数的hProcess参数中识别该句柄TerminateProcess

代码:

请注意我尝试比较句柄的部分:

If Process.GetProcessesByName("notepad").FirstOrDefault.Handle = hProcessValue Then ...

它永远不会是相同的句柄(我也尝试过MainWindowHandleProcess ID ID

所以,hProcess参数的值对我来说是非常未知的。

Imports Nektra.Deviare2

Public NotInheritable Class Form1

Public WithEvents SpyMgr As NktSpyMgr
Public Hook As NktHook

ReadOnly libName As String = "kernel32.dll"
ReadOnly funcName As String = "TerminateProcess"
ReadOnly hookFlags As eNktHookFlags = eNktHookFlags.flgOnlyPreCall

' Processes to attach the hook.
ReadOnly processesToAttach As IEnumerable(Of Process) =
    Process.GetProcessesByName("taskmgr")

Private Sub Test() Handles MyBase.Load

    If Me.processesToAttach.Count = 0 Then
        MsgBox("Any process found.")

    Else
        Me.SpyMgr = New NktSpyMgr()
        Me.SpyMgr.Initialize()

        Me.Hook = SpyMgr.CreateHook(String.Format("{0}!{1}", libName, funcName), hookFlags)
        Me.Hook.Hook(sync:=True)

        For Each proc As Process In processesToAttach
            Debug.WriteLine("Attaching to: " & proc.ProcessName)
            Me.Hook.Attach(procOrId:=proc.Id, sync:=True)
        Next proc

    End If

End Sub

<MTAThread>
Private Sub OnTerminateProcess_Called(ByVal hook As NktHook,
                                      ByVal proc As NktProcess,
                                      ByVal callInfo As NktHookCallInfo) Handles SpyMgr.OnFunctionCalled

    ' Function params.
    Dim hProcessParam As NktParam = DirectCast(callInfo.Params(0), NktParam)
    Dim uExitCodeParam As NktParam = DirectCast(callInfo.Params(1), NktParam)

    ' Param values.
    Dim hProcessValue As IntPtr = New IntPtr(CInt(hProcessParam.Value))
    Dim uExitCodeValue As UInteger = CUInt(uExitCodeParam.Value)

    ' Debuf info.
    Trace.WriteLine(String.Format("hProcess : '{0}'", hProcessValue))
    Trace.WriteLine(String.Format("uExitCode: '{0}'", uExitCodeValue))

    ' Handle Comparison
    If Process.GetProcessesByName("notepad").FirstOrDefault.Handle = hProcessValue Then

        ' Skip precall to avoid process termination.
        If callInfo.IsPreCall Then
            callInfo.Result.Value = 1
            callInfo.SkipCall()
        End If

    End If

End Sub

End Class

研究:

我一直在阅读TerminateProcess的 MSDN 文档。

注意它说的部分:

句柄必须具有 PROCESS_TERMINATE 访问权限

我不确定我是否错过了比较手柄的东西。

我也一直在这里阅读,但我没有明确表示:

挂钩 TerminateProcess 并从它提供的句柄中获取信息

如果有必要进行良好的句柄比较,我还设计了这个枚举:

    Public Enum ProcessAccessFlags As UInteger
       All = &H1F0FFF
       Terminate = &H1
       CreateThread = &H2
       VirtualMemoryOperation = &H8
       VirtualMemoryRead = &H10
       VirtualMemoryWrite = &H20
       DuplicateHandle = &H40
       CreateProcess = &H80
       SetQuota = &H100
       SetInformation = &H200
       QueryInformation = &H400
       QueryLimitedInformation = &H1000
       Synchronize = &H100000
   End Enum
4

1 回答 1

2

您的代码假设每个进程只有一个句柄。这个不对。每个进程有一个进程 ID。但是每次有人请求一个进程的句柄时,例如OpenProcess(..., ..., procid)他得到一个新的进程句柄(这也取决于所需的访问权限)。

所以你不能比较句柄,你应该检查模块名称或进程ID。

于 2015-04-16T12:44:51.170 回答