// GetFilePathByPid.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
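// Looks up the first running process whose image name equals exeName.
// The comparison is case-insensitive because Windows file names are; the
// original compared with wcscmp and so missed "Notepad.exe".
// On success stores the PID in *pid and returns TRUE. Returns FALSE (after
// printing why) when the snapshot cannot be taken or no such process exists.
static BOOL FindProcessIdByName(const WCHAR *exeName, DWORD *pid)
{
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        printf("CreateToolhelp32Snapshot failed @ %lX.\n", GetLastError());
        return FALSE;
    }

    PROCESSENTRY32W pe = {0};
    pe.dwSize = sizeof(pe);   // Process32First rejects the call without this
    BOOL found = FALSE;
    for (BOOL ok = Process32FirstW(hSnap, &pe); ok; ok = Process32NextW(hSnap, &pe)) {
        if (_wcsicmp(exeName, pe.szExeFile) == 0) {
            // th32ProcessID is the process itself; the original stored
            // th32ParentProcessID, which is the PID of its parent.
            *pid = pe.th32ProcessID;
            found = TRUE;
            break;
        }
    }
    CloseHandle(hSnap);   // the snapshot handle was never released before

    if (!found) {
        printf("No running process named %ls was found.\n", exeName);
    }
    return found;
}

// Resolves the full path of the main executable of process pid into path
// (capacity cch characters). Only query/read rights are requested.
// Returns FALSE, after printing the Win32 error, when the process cannot be
// opened, the query fails, or the path does not fit in the buffer.
static BOOL GetProcessImagePath(DWORD pid, WCHAR *path, DWORD cch)
{
    HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (hProc == NULL) {
        printf("OpenProcess(%lu) failed @ %lX.\n", pid, GetLastError());
        return FALSE;
    }

    // hModule == NULL selects the process's own executable image.
    DWORD len = GetModuleFileNameExW(hProc, NULL, path, cch);
    DWORD err = GetLastError();   // saved before CloseHandle can overwrite it
    CloseHandle(hProc);

    if (len == 0) {
        printf("GetModuleFileNameEx(%lu) failed @ %lX.\n", pid, err);
        return FALSE;
    }
    if (len >= cch) {
        // A return equal to the buffer size means the path was truncated.
        printf("Image path of pid %lu does not fit in %lu characters.\n", pid, cch);
        return FALSE;
    }
    return TRUE;
}

// Validates the DOS and NT headers of an image already mapped at base
// (mappedSize bytes) and prints its export and import directory entries.
// The file is treated as untrusted input: every offset is bounds-checked
// against mappedSize before it is dereferenced, so a malformed e_lfanew can
// no longer point the parser outside the mapping.
static BOOL DumpMappedHeaders(const BYTE *base, SIZE_T mappedSize)
{
    if (mappedSize < sizeof(IMAGE_DOS_HEADER)) {
        printf("File is smaller than a DOS header.\n");
        return FALSE;
    }
    const IMAGE_DOS_HEADER *pDosHeader = (const IMAGE_DOS_HEADER *)base;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        printf("Missing MZ signature.\n");
        return FALSE;
    }

    // e_lfanew is a signed LONG: reject negative values and offsets that
    // would place the NT headers past the end of the mapping.
    if (pDosHeader->e_lfanew < 0 ||
        mappedSize < sizeof(IMAGE_NT_HEADERS) ||
        (SIZE_T)pDosHeader->e_lfanew > mappedSize - sizeof(IMAGE_NT_HEADERS)) {
        printf("e_lfanew (%ld) lies outside the file.\n", pDosHeader->e_lfanew);
        return FALSE;
    }
    // Byte arithmetic on the base pointer; the original cast the pointer to
    // DWORD, which truncates it in a 64-bit build.
    const IMAGE_NT_HEADERS *pNtHeader = (const IMAGE_NT_HEADERS *)(base + pDosHeader->e_lfanew);
    if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) {
        printf("Missing PE signature.\n");
        return FALSE;
    }

    const IMAGE_OPTIONAL_HEADER *pOptHeader = &pNtHeader->OptionalHeader;
    // IMAGE_NT_HEADERS follows the bitness of this build; a file of the other
    // bitness has a different optional-header layout and must not be parsed
    // with it.
    if (pOptHeader->Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC) {
        printf("Optional header magic %04X does not match this build.\n", pOptHeader->Magic);
        return FALSE;
    }
    // The directory array may hold fewer than IMAGE_NUMBEROF_DIRECTORY_ENTRIES.
    if (pOptHeader->NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT) {
        printf("Image has no import directory entry.\n");
        return FALSE;
    }

    const IMAGE_DATA_DIRECTORY *pExpt = &pOptHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    // The original read DataDirectory->Size here, i.e. the export size, for
    // the import directory as well.
    const IMAGE_DATA_DIRECTORY *pImpt = &pOptHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];

    // ImageRvaToVa walks the section table; NULL means the RVA is covered by
    // no section (or the directory is absent, RVA 0).
    PVOID pExptBase = ImageRvaToVa((PIMAGE_NT_HEADERS)pNtHeader, (PVOID)base, pExpt->VirtualAddress, NULL);
    PVOID pImptBase = ImageRvaToVa((PIMAGE_NT_HEADERS)pNtHeader, (PVOID)base, pImpt->VirtualAddress, NULL);

    printf("Export directory: RVA %08lX size %08lX mapped at %p\n",
           pExpt->VirtualAddress, pExpt->Size, pExptBase);
    printf("Import directory: RVA %08lX size %08lX mapped at %p\n",
           pImpt->VirtualAddress, pImpt->Size, pImptBase);
    return TRUE;
}

// Maps the executable at path read-only and dumps its header directories.
// Returns FALSE on any failure. Every handle and the view are released on
// every path; the original leaked all three on the success path.
static BOOL DumpPeDirectories(const WCHAR *path)
{
    HANDLE hFile = CreateFileW(path, GENERIC_READ, FILE_SHARE_READ, NULL,
                               OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("Fail to open the pe file @ %lX.\n%ls\n", GetLastError(), path);
        return FALSE;
    }

    BOOL rc = FALSE;
    LARGE_INTEGER fileSize = {0};
    // The mapped view covers the whole file, so its size bounds the parser.
    if (!GetFileSizeEx(hFile, &fileSize)) {
        printf("GetFileSizeEx failed @ %lX.\n", GetLastError());
    } else if (fileSize.QuadPart < 0 ||
               (ULONGLONG)fileSize.QuadPart > (ULONGLONG)(SIZE_T)-1) {
        printf("File is too large to map in this process.\n");
    } else {
        HANDLE hMapFile = CreateFileMappingW(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
        if (hMapFile == NULL) {
            printf("CreateFileMapping failed @ %lX.\n", GetLastError());
        } else {
            LPVOID lpMapAddr = MapViewOfFile(hMapFile, FILE_MAP_READ, 0, 0, 0);
            if (lpMapAddr == NULL) {
                printf("MapViewOfFile failed @ %lX.\n", GetLastError());
            } else {
                rc = DumpMappedHeaders((const BYTE *)lpMapAddr, (SIZE_T)fileSize.QuadPart);
                UnmapViewOfFile(lpMapAddr);
            }
            CloseHandle(hMapFile);
        }
    }
    CloseHandle(hFile);
    return rc;
}

// Entry point: locates a running process by image name, resolves the path of
// its executable and prints the export/import directory entries of that file.
// Exit status is 0 on success and 1 on any failure (the original returned
// FALSE, i.e. 0, on failure as well, which hid errors from callers).
int main()
{
    // Process whose executable image is inspected.
    const WCHAR *szTargetExe = L"notepad.exe";

    DWORD dwPid = 0;
    if (!FindProcessIdByName(szTargetExe, &dwPid)) {
        return 1;
    }

    WCHAR szImagePath[MAX_PATH] = {0};
    if (!GetProcessImagePath(dwPid, szImagePath, MAX_PATH)) {
        return 1;
    }
    printf("pid %lu -> %ls\n", dwPid, szImagePath);

    // The original ended by dereferencing the hard-coded address 0x40000 in
    // this process as a DOS header and passing e_magic to MessageBox as a
    // string pointer; neither is a valid mapping, so that code was dropped.
    return DumpPeDirectories(szImagePath) ? 0 : 1;
}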