合肥 朱宗国:Running processes:

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v4.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - E:\讯雷4\ComDlls\XunLeiBHO_002.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [RavStub] "C:\Program Files\Rising\Rav\ravstub.exe" /RUNONCE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &使用迅雷下载 - E:\讯雷4\Program\GetUrl.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - RsAutorunsDisabled - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DF189CF-D17F-49AF-9F51-D520169C2C95}: NameServer = 202.96.64.68 202.96.69.38
O23 - Service: Diskeeper - Diskeeper? Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rising Proxy Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwproxy.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\Ravmond.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

/*

DLL OCCURRENCE FINDER UTILITY
It simply searches every running process for an occurrence of <DLL_NAME>.

Very useful when detecting/removing malware. Imagine you
find a DLL which you can't delete and you need to know
which process has it loaded...

coded by Piotr Bania <bania.piotr@gmail.com>

Sample usage:

E:\projekty\finddll\Debug>finddll jar50.dll

....
[+] Searching in ping.exe (PID=0x564) for module occurency.
[+] Searching in firefox.exe (PID=0xFC4) for module occurency.

[*] --- MODULE OCCURENCY FOUND ---
[+] jar50.dll found in firefox.exe (PID=0xFC4)
[+] jar50.dll base located at: 0x023c0000
[+] jar50.dll handle in process: 0x23C0000
[+] jar50.dll size of module: 0xD000 bytes
[+] jar50.dll path: C:\Program Files\Mozilla Firefox\components\jar50.dll
[*] --- PRESS ANY KEY TO CONTINUE ---
....

*/

#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <windows.h>
#include <Tlhelp32.h>

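int find_dll(char *filename);
/* Prototype must match the definition below, which also takes the searched
 * module name; the old two-argument declaration conflicted with it. */
void display_info(char *filename,PROCESSENTRY32 pe32,MODULEENTRY32 me32);

/* Number of matching modules reported so far; incremented by display_info(),
 * printed by main() at the end of the scan. */
int c=0;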

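/*
 * Entry point. Expects exactly one argument, the module (DLL) file name to
 * look for, and hands it to find_dll(), which reports its own errors on
 * stdout. A usage error exits with EXIT_FAILURE so a calling script can tell
 * it apart from a completed scan. The global counter c is incremented by
 * display_info() for every match and is printed here at the end.
 */
int main(int argc, char *argv[]) {

    printf("[$] dll occurency finder utility \n");
    printf("[$] coded by Piotr Bania <bania.piotr@gmail.com>\n\n");
    if (argc!=2) {
        printf("[!] Usage: %s <dll_name>\n",argv[0]);
        printf("[!] For example: %s KERNEL32.DLL\n",argv[0]);
        return EXIT_FAILURE;
    }

    /* Errors are printed by find_dll() itself; the summary below is
     * printed regardless so the user always sees the match count. */
    (void)find_dll(argv[1]);

    printf("\n[+] Scaning ended, found %d occurences.\n",c);
    printf("Bye :)\n");
    getch();   /* keep the console window open until a key is pressed */

    return 0;
}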

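/*
 * Report one match: which process holds the module, where it is mapped, its
 * module handle and size, and its on-disk path; then bump the global counter
 * c. Waits for a key so the report is not scrolled away by the next process;
 * ESC (27) aborts the whole scan.
 *
 * filename  the module name that matched (as given on the command line)
 * pe32      Toolhelp entry of the owning process
 * me32      Toolhelp entry of the matching module
 *
 * Pointer-sized fields (modBaseAddr, hModule) are printed with %p and the
 * DWORD fields with %lX, so the conversions match the argument widths on
 * 64-bit builds as well; the previous %x/%X with pointer arguments only
 * worked by accident on 32-bit.
 */
void display_info(char *filename,PROCESSENTRY32 pe32,MODULEENTRY32 me32) {

    printf("\n[*] --- MODULE OCCURENCY FOUND ---\n");
    printf("[+] %s found in %s (PID=0x%lX)\n",filename,pe32.szExeFile,(unsigned long)pe32.th32ProcessID);
    printf("[+] %s base located at: %p\n",filename,(void *)me32.modBaseAddr);
    printf("[+] %s handle in process: %p\n",filename,(void *)me32.hModule);
    printf("[+] %s size of module: 0x%lX bytes\n",filename,(unsigned long)me32.modBaseSize);
    printf("[+] %s path: %s\n",filename,me32.szExePath);
    printf("[*] --- PRESS ANY KEY TO CONTINUE ---\n\n");
    c++;

    /* ESC aborts the scan. The exit status is deliberately arbitrary
     * (GetTickCount(), as in the original) -- do not rely on it from scripts. */
    if (getch()==27) exit(GetTickCount());
}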

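/*
 * Scan the module list of one process for `filename` (case-insensitive match
 * on the module's file name) and report every hit through display_info().
 *
 * Failures are per-process and non-fatal: the module snapshot cannot always
 * be taken (it commonly fails for processes the caller is not allowed to
 * open, which the original code handled differently for the first process
 * than for the rest), so the error is printed and the process is skipped
 * rather than aborting the whole scan. The module snapshot handle is closed
 * on every path.
 */
static void scan_process(char *filename, const PROCESSENTRY32 *pe32) {
    HANDLE hMSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pe32->th32ProcessID);
    MODULEENTRY32 me32;

    if (hMSnap == INVALID_HANDLE_VALUE) {
        printf("[!] Error: Cannot create modules snapshot for %s (PID=0x%lX), error=%lu\n",
               pe32->szExeFile, (unsigned long)pe32->th32ProcessID, (unsigned long)GetLastError());
        return;
    }

    printf("[+] Searching in %s (PID=0x%lX) for module occurency.\n",
           pe32->szExeFile, (unsigned long)pe32->th32ProcessID);

    /* Toolhelp rejects entries whose dwSize the caller did not set. */
    me32.dwSize = sizeof me32;
    if (Module32First(hMSnap, &me32)) {
        do {
            if (!strcmpi(filename, me32.szModule)) display_info(filename, *pe32, me32);
        } while (Module32Next(hMSnap, &me32));
    } else {
        printf("[!] Error: Module32First() failed, error=%lu\n", (unsigned long)GetLastError());
    }

    CloseHandle(hMSnap);
}

/*
 * Enumerate all running processes and scan each of them for `filename`.
 *
 * Returns TRUE when the enumeration completed (matches are reported by
 * display_info() and counted in the global c), FALSE when the process
 * snapshot could not be created or read; the error is printed and the
 * snapshot handle is released before returning. The original fell off the
 * end without a return value on the success path and leaked hSnap on the
 * error paths.
 */
int find_dll(char *filename) {
    HANDLE hSnap;
    PROCESSENTRY32 pe32;

    /* th32ProcessID is ignored for TH32CS_SNAPPROCESS; pass 0, not NULL. */
    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        printf("[!] Error: Cannot create snapshot for processes, error=%lu\n", (unsigned long)GetLastError());
        return FALSE;
    }

    printf("[+] Snapshot for processes created, handle=%p\n", (void *)hSnap);

    /* Process32First fails unless dwSize is initialised by the caller. */
    pe32.dwSize = sizeof pe32;
    if (!Process32First(hSnap, &pe32)) {
        printf("[!] Error: Process32First() failed, error=%lu\n", (unsigned long)GetLastError());
        CloseHandle(hSnap);
        return FALSE;
    }

    do {
        scan_process(filename, &pe32);
    } while (Process32Next(hSnap, &pe32));

    CloseHandle(hSnap);
    return TRUE;
}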


汗..学习中