RING3下打开进程的第三种方法

传说中的路痴

新建一个mod，把代码复制进去，窗体里直接调用FxOpenProcess(PROCESS_ALL_ACCESS, pid)
即可：OptionExplicit
'**************
'Code by Naylon
'**************
PrivateDeclareFunction GetCurrentProcessId Lib "kernel32" () AsLong
PrivateDeclareFunction ZwQueryInformationProcess Lib "NTDLL.DLL" (ByVal ProcessHandle AsLong, ByVal InformationClass AsLong, ByRef ProcessInformation As Any, ByVal ProcessInformationLength AsLong, ByRef ReturnLenght AsLong) AsLong
PrivateDeclareFunction ZwGetNextProcess Lib "NTDLL.DLL" (ByVal ProcessHandle AsLong, ByVal DesiredAccess AsLong, ByVal HandleAttributes AsLong, ByVal Flags AsLong, ByRef NewProcessHandle AsLong) AsLong
PrivateDeclareFunction CloseHandle Lib "kernel32" (ByVal Handle AsLong) AsLong

PrivateType PROCESS_BASIC_INFORMATION
    ExitStatus AsLong
    PebBaseAddress AsLong
    AffinityMask AsLong
    BasePriority AsLong
    UniqueProcessId AsLong
    InheritedFromUniqueProcessId AsLong
EndType

PublicConst STANDARD_RIGHTS_REQUIRED = &HF0000
PublicConst SYNCHRONIZE = &H100000

PublicConst PROCESS_TERMINATE = &H1
PublicConst PROCESS_CREATE_THREAD = &H2
PublicConst PROCESS_SET_SESSIONID = &H4
PublicConst PROCESS_VM_OPERATION = &H8
PublicConst PROCESS_VM_READ = &H10
PublicConst PROCESS_VM_WRITE = &H20
PublicConst PROCESS_DUP_HANDLE = &H40
PublicConst PROCESS_CREATE_PROCESS = &H80
PublicConst PROCESS_SET_QUOTA = &H100
PublicConst PROCESS_SET_INFORMATION = &H200
PublicConst PROCESS_QUERY_INFORMATION = &H400
PublicConst PROCESS_SUSPEND_RESUME = &H800
PublicConst PROCESS_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)

PublicFunction FxOpenProcess(ByVal dwDesiredAccess AsLong, ByVal dwProcessId AsLong) AsLong
    Dim pbi As PROCESS_BASIC_INFORMATION
    Dim hCurrent AsLong
    Dim hNext AsLong
    Dim Status AsLong
    Dim errStr AsString
      
    Status = ZwGetNextProcess(0, dwDesiredAccess, 0, 0, hNext)
    If Status >= 0 Then
        Do
            hCurrent = hNext
            Status = ZwQueryInformationProcess(hCurrent, 0, pbi, LenB(pbi), 0)
            If Status < 0 Then
                errStr = "获取进程信息失败"
                GoTo errors
            EndIf
            
            If pbi.UniqueProcessId = dwProcessId Then
                FxOpenProcess = hCurrent
                ExitFunction
            EndIf
            
            Status = ZwGetNextProcess(hCurrent, dwDesiredAccess, 0, 0, hNext)
            CloseHandle hCurrent
            If Status < 0 Then
                errStr = "获取下一个进程失败"
                GoTo errors
            EndIf
        LoopWhile hCurrent <> 0
         
        errStr = "打开进程失败"
        GoTo errors
    Else
        errStr = "开始获取进程失败"
        GoTo errors
    EndIf
ExitFunction

errors:
    'Debug.Print errStr
    MsgBox errStr
    FxOpenProcess = 0
EndFunction