标题: 获取进程加载模块、pid [打印本页]
作者: rs369007 时间: 2010-3-11 19:36 标题: 获取进程加载模块、pid
这几天在编写个后门,利用远程线程注入,每次要查看指定进程的加载模块,要反复人工查找,很麻烦,便借鉴pmc工具,自己动手编写了一个获取进程模块、和pid的控制台程序,这里与联盟的同志一起分享
功能:
1, getpid [processname] [processname] ... 获取进程pid
2, getpid -l 获取进程列表
3, getpid -m processname 获取进程加载的所有模块
4, getpid -c processname dllname 判断某模块是否被进程加载
[ Last edited by rs369007 on 2010-3-11 at 19:38 ]
附件 1:getpid.rar (2010-3-11 19:37, 6.5 K,下载次数: 40)
作者: 000000000000000 时间: 2010-3-12 00:06
tasklist 有这些功能,不过不能显示路径。
作者: rs369007 时间: 2010-3-12 11:17
tasklist 有这些功能,但是你要一片一片去在屏幕上查找,很费时。
如果知道进程映像名(程序名字) 想查看其 pid 输入 :getpid share.exe 就行了
如果想查看进程share.exe 加载了哪些模块, 输入 :getpid share.exe -m
如果你在远程加载某个dll到别的进程,你想查
看是否加载成功 输入 :getpid x.exe y.dll -c
作者: 000000000000000 时间: 2010-3-12 11:42
查看 pid: tasklist /fi "imagename eq cmd.exe"
查看模块: tasklist /m /fi "imagename eq cmd.exe"
查看是否加载了某个 dll: tasklist /m test.dll /fi "imagename eq cmd.exe"
[ Last edited by 000000000000000 on 2010-3-12 at 12:12 ]
作者: Hanyeguxing 时间: 2010-3-12 14:21
可以使用
wmic process get
直接获取更多有关进程的信息,也可以对其属性(CSName,CommandLine,Description,ExecutablePath,ExecutionState,Handle,HandleCount,InstallDate,KernelModeTime,MaximumWorkingSetSize,MinimumWorkingSetSize,Name,OSName,OtherOperationCount,OtherTransferCount,PageFaults,PageFileUsage,ParentProcessId,PeakPageFileUsage,PeakVirtualSize,PeakWorkingSetSize,Priority,PrivatePageCount,ProcessId,QuotaNonPagedPoolUsage,QuotaPagedPoolUsage,QuotaPeakNonPagedPoolUsage,QuotaPeakPagedPoolUsage,ReadOperationCount,ReadTransferCount,SessionId,Status,TerminationDate,ThreadCount,UserModeTime,VirtualSize,WindowsVersion,WorkingSetSize,WriteOperationCount,WriteTransferCount)进行指定查询
例如要只查询进程qq.exe的绝对路径,可运行
wmic process get Caption,commandline | findstr /b /i "qq.exe"
[ Last edited by Hanyeguxing on 2010-3-12 at 15:32 ]作者: rs369007 时间: 2010-3-12 15:30 标题: 增加 远程注入dl、 卸载dlll
[---write by rs---]
Options:
-h to get help infomation.
-l to list all the process and it's pid.
-c to check if the specified dll just in the process.
-load to inject one dll into a process.
-free to free the specified dll from a process.
-m processname to list All the Modules in a Process.
Usage: getpid [processname] [processname] ...
getpid -l.
getpid -m processname or processname -m.
getpid -c processname dllname
getpid -load notepad.exe c:\test.dll
getpid -free notepad.exe test.dll.
Remarks:
when you specified -load , you have to use full
path for the dll. otherwise, unknown errors maybe ...
[ Last edited by rs369007 on 2010-3-12 at 15:35 ]Options:
-h to get help infomation.
-l to list all the process and it's pid.
-c to check if the specified dll just in the process.
-load to inject one dll into a process.
-free to free the specified dll from a process.
-m processname to list All the Modules in a Process.
Usage: getpid [processname] [processname] ...
getpid -l.
getpid -m processname or processname -m.
getpid -c processname dllname
getpid -load notepad.exe c:\test.dll
getpid -free notepad.exe test.dll.
Remarks:
when you specified -load , you have to use full
path for the dll. otherwise, unknown errors maybe ...
附件 1:
作者: plp626 时间: 2010-3-12 17:42
wmic 是很强,可一般它的服务默认都是手动的,用的时候不方便,若一直开着又占资源。还有,它要管理员权限,所以不能流行。。。
用vbs吧