'mod
Option Explicit
'************************************* Process enumeration *********************************
' CreateToolhelp32Snapshot: takes a snapshot of the processes, and optionally the heaps, modules
' and threads, present in the system. Returns a snapshot handle, which the caller must release
' with CloseHandle (also on error paths).
' Parameters:
'   lFlags (dwFlags) - what to include in the snapshot:
'     TH32CS_INHERIT      - make the snapshot handle inheritable
'     TH32CS_SNAPALL      - all processes, threads, heaps and modules
'     TH32CS_SNAPHEAPLIST - the heaps of the process given in lProcessID
'     TH32CS_SNAPMODULE   - the modules of the process given in lProcessID
'     TH32CS_SNAPPROCESS  - all processes in the system
'     TH32CS_SNAPTHREAD   - all threads in the system
'   lProcessID (th32ProcessID) - the process to snapshot; 0 means the calling process.
'     Only honoured together with TH32CS_SNAPHEAPLIST or TH32CS_SNAPMODULE; otherwise it is
'     ignored and every process is included.
' NOTE(review): none of the TH32CS_* constants are declared in this module; take their values
' from tlhelp32.h rather than guessing.
Public Declare Function CreateToolhelpSnapshot Lib "kernel32" Alias "CreateToolhelp32Snapshot" (ByVal lFlags As Long, ByVal lProcessID As Long) As Long
' RtlMoveMemory: raw byte copy with no bounds checking. The caller alone guarantees that
' Destination really has Length bytes; a wrong Length, or a wrong ByVal/ByRef on an "As Any"
' argument, corrupts memory silently.
Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
' lstrcpyA: copies the NUL-terminated ANSI string at lpString2 into lpString1 and returns
' lpString1 (0 on failure). There is no length limit, so lpString1 must already be sized to
' hold lstrlen(lpString2) characters (Space$/String$ before the call); prefer lstrcpynA
' when the source length is not known in advance.
' Parameters:
'   lpString1 - destination buffer (a pre-sized VB string)
'   lpString2 - source pointer (e.g. the Long returned by inet_ntoa)
Public Declare Function lstrcpy Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As Any) As Long
' lstrlenA: length in bytes of the ANSI string at lpString, not counting the terminating NUL.
'   lpString - pointer to the string (documented by Microsoft to yield 0 for a NULL pointer)
Public Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As Any) As Long
' GetProcessHeap: handle of the calling process's default heap. Used as the "heap" argument of
' the AllocateAndGet*TableFromStack calls below; the tables they return live on it and must be
' released with HeapFree.
Public Declare Function GetProcessHeap Lib "kernel32" () As Long
' OpenProcess: opens a handle to an existing process. Returns 0 on failure (e.g. access denied).
' Parameters:
'   dwDesiredAccess - requested rights, any combination of the PROCESS_* constants:
'     PROCESS_ALL_ACCESS        - every possible right
'     PROCESS_CREATE_PROCESS    - used internally
'     PROCESS_CREATE_THREAD     - create threads in the process
'     PROCESS_DUP_HANDLE        - duplicate handles
'     PROCESS_QUERY_INFORMATION - query information
'     PROCESS_SET_INFORMATION   - set information
'     PROCESS_TERMINATE         - terminate the process
'   bInheritHandle  - whether the handle is inheritable by child processes
'   dwProcessId     - id of the process to open
' NOTE(review): request the least rights needed (per the PSAPI docs GetModuleFileNameExA needs
' PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, not PROCESS_ALL_ACCESS). Opening processes of
' other users or of the system additionally needs SeDebugPrivilege in the token (see
' RtlAdjustPrivilege / SE_DEBUG_PRIVILEGE below). The PROCESS_* constants are not declared in
' this module. Close the handle with CloseHandle.
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
' GetModuleFileNameExA (PSAPI): full path of a module loaded in another process, given a
' process handle. Returns the number of characters written, 0 on failure.
' Parameters:
'   hProcess   - handle from OpenProcess
'   hModule    - module handle; 0 (NULL) asks for the process's main executable
'   ModuleName - destination buffer. It is passed ByVal As String, so the caller MUST pre-size
'                it (e.g. Space$(260)); passing an empty string hands the API a zero-length
'                buffer to write into.
'   nSize      - size of ModuleName in characters (pass Len(ModuleName))
Public Declare Function GetModuleFileNameExA Lib "PSAPI.DLL" (ByVal hProcess As Long, ByVal hModule As Long, ByVal ModuleName As String, ByVal nSize As Long) As Long
' AllocateAndGetTcpExTableFromStack: undocumented iphlpapi export (Windows 2000/XP era) that
' returns the extended TCP table - every IPv4 TCP endpoint together with its owning process id.
' Parameters:
'   pTcpTable - receives a pointer (Long) to a MIB_TCPTABLE_EX-shaped buffer allocated by the function
'   bOrder    - True to have the rows sorted
'   heap      - heap the buffer is allocated on (GetProcessHeap); the caller owns the buffer and
'               must free it with HeapFree
'   dwFlags   - presumably HeapAlloc flags for that allocation (the original author marked this
'               "unknown"; 0 is the value normally passed - confirm)
'   dwFamily  - address family, AF_INET
' NOTE(review): this export is not part of the documented API and is not guaranteed to exist on
' later Windows versions; the supported replacement is GetExtendedTcpTable
' (TCP_TABLE_OWNER_PID_ALL). Check the return value (0 = success) before touching the pointer.
Public Declare Function AllocateAndGetTcpExTableFromStack Lib "iphlpapi.dll" _
(ByRef pTcpTable As Any, _
ByVal bOrder As Boolean, _
ByVal heap As Long, _
ByVal dwFlags As Long, _
ByVal dwFamily As Long) _
As Long
' UDP counterpart of the call above: same parameters, same ownership and same "undocumented"
' caveats; fills a MIB_UDPTABLE_EX-shaped buffer. Supported replacement: GetExtendedUdpTable.
Public Declare Function AllocateAndGetUdpExTableFromStack Lib "iphlpapi.dll" _
(ByRef pUdpTable As Any, _
ByVal bOrder As Boolean, _
ByVal heap As Long, _
ByVal dwFlags As Long, _
ByVal dwFamily As Long) _
As Long
' SetTcpEntry: changes the state of the TCP connection identified by pTcpRow's addresses and
' ports. The only state the API accepts is MIB_TCP_STATE_DELETE_TCB, which tears the connection
' down - this is how a suspicious connection is killed. Returns 0 (NO_ERROR) on success.
' NOTE(review): needs administrative rights on current Windows. The row is matched by 4-tuple
' only (no PID), so re-read the table immediately before calling; otherwise a connection that
' has since reused the same tuple can be killed by mistake.
Public Declare Function SetTcpEntry Lib "iphlpapi.dll" (pTcpRow As MIB_TCPROW) As Long
Public Declare Function ntohs Lib "wsock32.dll" (ByVal netshort As Long) As Integer ' network-order 16-bit value (e.g. MIB_TCPROW.dwLocalPort) -> host order. Declared As Integer (signed), so ports above 32767 come back negative: use (ntohs(x) And &HFFFF&) before displaying or comparing.
Public Declare Function htons Lib "wsock32.dll" (ByVal hostshort As Integer) As Long ' host-order 16-bit value -> network order (in the low 16 bits of the result)
Public Declare Function inet_ntoa Lib "wsock32.dll" (ByVal inadr As Long) As Long ' network-order IPv4 address -> pointer (char*) to a dotted-quad string in a static per-thread buffer; NOT a VB string - copy it out (see IpAddr) before the next call overwrites it
Public Declare Function inet_addr Lib "wsock32.dll" (ByVal cp As String) As Long ' dotted-quad string -> network-order IPv4 address; per the Winsock docs returns INADDR_NONE (-1) when cp is not a valid address, so check the result before using it
'************************************* Toolhelp iteration *********************************
' Process32First: copies the first process of the snapshot into uProcess. uProcess.dwSize must be
' set to Len(uProcess) before the call or it fails. Returns non-zero on success, 0 otherwise.
Public Declare Function ProcessFirst Lib "kernel32" Alias "Process32First" (ByVal hSnapShot As Long, uProcess As PROCESSENTRY32) As Long
' Process32Next: copies the next process of the snapshot into uProcess; returns 0 when there are no more.
Public Declare Function ProcessNext Lib "kernel32" Alias "Process32Next" (ByVal hSnapShot As Long, uProcess As PROCESSENTRY32) As Long
' CloseHandle: releases a kernel handle. Every handle obtained from CreateToolhelpSnapshot and
' OpenProcess must be closed here, including on error paths, or handles leak.
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
' The one dwState value SetTcpEntry accepts: delete the transmission control block (close the connection).
Public Const MIB_TCP_STATE_DELETE_TCB = 12
' Native MIB_TCPROW (iphlpapi): one IPv4 TCP connection, five Longs = 20 bytes.
' This is the row type SetTcpEntry takes.
Public Type MIB_TCPROW
dwState As Long       ' MIB_TCP_STATE_* value; set to MIB_TCP_STATE_DELETE_TCB to have SetTcpEntry close the connection
dwLocalAddr As Long   ' local IPv4 address in network byte order (per iphlpapi docs); IpAddr() renders it
dwLocalPort As Long   ' local port, network byte order in the low 16 bits - convert with ntohs
dwRemoteAddr As Long  ' remote IPv4 address in network byte order
dwRemotePort As Long  ' remote port, network byte order in the low 16 bits - convert with ntohs
End Type
' Extended TCP row as returned by AllocateAndGetTcpExTableFromStack: MIB_TCPROW plus the
' owning process id (six Longs = 24 bytes). The first five fields line up with MIB_TCPROW,
' so they can be copied into one for SetTcpEntry.
Public Type MIB_TCPROW_EX
dwState As Long       ' connection state (MIB_TCP_STATE_*)
dwLocalAddr As Long   ' local IPv4 address, network byte order
dwLocalPort As Long   ' local port, network byte order in the low 16 bits (ntohs)
dwRemoteAddr As Long  ' remote IPv4 address, network byte order
dwRemotePort As Long  ' remote port, network byte order in the low 16 bits (ntohs)
dwProcessId As Long   ' id of the process that owns the socket; 0 for system-owned endpoints - the value is a snapshot and the PID may already have been reused
End Type
' Table returned by AllocateAndGetTcpExTableFromStack: a row count followed by MIB_TCPROW_EX rows.
' NOTE(review): the native table (MIB_TCPTABLE style) stores its rows inline directly after
' dwNumEntries, whereas a dynamic array inside a VB Type is stored as a pointer to a SAFEARRAY.
' This Type therefore does not share the layout of the buffer the API returns and must not be
' overlaid on it with a single CopyMemory; read dwNumEntries from the returned pointer, ReDim
' table(), then copy each row (Len(MIB_TCPROW_EX) bytes, the first one 4 bytes into the buffer)
' individually - confirm against the caller.
Public Type MIB_TCPTABLE_EX
dwNumEntries As Long      ' number of rows in table()
table() As MIB_TCPROW_EX  ' one row per IPv4 TCP endpoint, each carrying the owning process id
End Type
' Extended UDP row as returned by AllocateAndGetUdpExTableFromStack (three Longs = 12 bytes).
' UDP has no remote endpoint or state, only the local binding and its owner.
Public Type MIB_UDPROW_EX
dwLocalAddr As Long  ' local IPv4 address, network byte order (IpAddr() renders it)
dwLocalPort As Long  ' local port, network byte order in the low 16 bits (ntohs)
dwProcessId As Long  ' id of the process that owns the socket (snapshot value; PIDs can be reused)
End Type
' Table returned by AllocateAndGetUdpExTableFromStack: a row count followed by MIB_UDPROW_EX rows.
' NOTE(review): same layout caveat as MIB_TCPTABLE_EX - the native rows are inline after
' dwNumEntries, but a dynamic array in a VB Type is a SAFEARRAY pointer, so copy the rows
' out of the returned buffer one at a time (Len(MIB_UDPROW_EX) bytes each, starting 4 bytes in)
' rather than overlaying this Type on the buffer.
Public Type MIB_UDPTABLE_EX
dwNumEntries As Long      ' number of rows in table()
table() As MIB_UDPROW_EX  ' one row per IPv4 UDP endpoint
End Type
' Native PROCESSENTRY32 (tlhelp32, ANSI variant): one process from a Toolhelp snapshot,
' filled by Process32First / Process32Next.
Public Type PROCESSENTRY32
dwSize As Long              ' structure size; MUST be set to Len(PROCESSENTRY32) before Process32First or the call fails
cntUsage As Long            ' reference count of the process (legacy field; current Windows is reported to always return 0 - unverified here)
th32ProcessID As Long       ' process id
th32DefaultHeapID As Long   ' default heap id (legacy field)
th32ModuleID As Long        ' module id (legacy field)
cntThreads As Long          ' number of threads started by the process
th32ParentProcessID As Long ' id of the process that created this one. NOTE(review): PIDs are recycled, so the "parent" may by now be an unrelated process - do not build lineage from this alone
pcPriClassBase As Long      ' base priority of threads created by this process
dwFlags As Long             ' reserved
szExeFile As String * 260   ' ANSI executable file name, NUL padded - cut at the first vbNullChar before use. NOTE(review): this is the image name as launched, fully under the control of whoever started the process; never decide trust from it alone - resolve the real path via OpenProcess + GetModuleFileNameExA
End Type
' RtlAdjustPrivilege (ntdll, undocumented): enables or disables one privilege on an access token.
' Parameters (as commonly described for this export - not documented by Microsoft, confirm):
'   Privilege     - privilege LUID, e.g. SE_DEBUG_PRIVILEGE
'   Enable        - 1 to enable, 0 to disable
'   CurrentThread - 0 = adjust the process token, 1 = adjust the calling thread's token
'   Enabled       - receives whether the privilege was already enabled before the call
' Returns an NTSTATUS (0 = success). The documented equivalent is
' OpenProcessToken + LookupPrivilegeValue + AdjustTokenPrivileges.
' NOTE(review): this only toggles a privilege the token already holds. A non-administrator
' token does not contain SeDebugPrivilege, so the call fails there - check the return value
' instead of assuming OpenProcess on other users' processes will then succeed. Enable the
' privilege only for as long as the OpenProcess calls need it and disable it afterwards.
Public Declare Function RtlAdjustPrivilege Lib "ntdll.dll" (ByVal Privilege As Long, ByVal Enable As Long, ByVal CurrentThread As Long, Enabled As Long) As Long
' LUID of SeDebugPrivilege (&H14 = 20): lets OpenProcess obtain handles to processes of other
' users and to system processes.
Public Const SE_DEBUG_PRIVILEGE = &H14
' IPv4 address family, passed as dwFamily to the AllocateAndGet*TableFromStack calls.
Public Const AF_INET = 2
' Convert a network-order IPv4 address to dotted-quad text
' IpAddr: renders a 32-bit IPv4 address given in network byte order (the form stored in
' MIB_TCPROW.dwLocalAddr / dwRemoteAddr and MIB_UDPROW_EX.dwLocalAddr) as "a.b.c.d".
'   hAddr - the address, network byte order
' Returns the dotted-quad string, or "" if inet_ntoa produced no text.
' inet_ntoa hands back a char* into a static per-thread buffer that the next call overwrites,
' so the bytes are copied into a VB string before returning.
' NOTE(review): the Winsock docs call for WSAStartup before inet_ntoa; this module never calls
' it - confirm the caller initialises Winsock.
Public Function IpAddr(ByVal hAddr As Long) As String
    Dim pText As Long   ' char* returned by inet_ntoa
    Dim cbText As Long  ' byte length of that text, excluding the NUL
    Dim sOut As String

    pText = inet_ntoa(hAddr)
    cbText = lstrlen(pText)
    If cbText > 0 Then
        ' Size the destination exactly and copy only cbText bytes, so the copy can
        ' never run past either the source text or the VB buffer.
        sOut = String$(cbText, vbNullChar)
        CopyMemory ByVal sOut, ByVal pText, cbText
        IpAddr = sOut
    End If
End Function