APM / Advanced Process Manipulation

Saturday 03 Ordibehesht 1384, 03:06 AM



<span dir=ltr>

Get Command Line
The most elementary of all the features, Get Command Line simply retrieves and displays the execution command line that started the process. This can be useful to determine what parameters (if any) a program was launched with.
Main API function(s): GetCommandLine

Unload DLL\Load DLL
These two related functions allow you to unload existing modules (ie. DLLs) and load new modules into a target process. The Unload DLL feature is particularly useful if you wish to free a DLL (eg. to replace or delete it). Software programmers and researchers will find the Load DLL feature particularly interesting as they can then develop their own DLLs that can be loaded into other processes, giving your DLL the same level of control (and more) over the process as APM itself! The DLLs are loaded by the LoadLibrary API, so all 'normal' Win32 DLLs are supported.
Main API function(s): FreeLibrary, LoadLibrary

Because of the Load DLL capability, you can write plugins for virtually any application! See the \testdll\ subdirectory in your APM directory for an example.
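The flip side of the Load DLL feature is that any DLL pushed into a process by LoadLibrary appears in that process's module list, which is where an administrator would look for it. The following PowerShell audit is an added example, not part of APM or of this post: it walks every accessible process and reports modules whose file lives outside the system and program directories. It assumes an elevated shell of the same bitness as the processes being inspected (module lists cannot be read across the 32/64-bit boundary), and the trusted-root list is an assumption you should adjust to your own build.

```powershell
# Added example (not APM's code): list DLLs loaded into running processes
# from locations outside the trusted directories. Assumptions: elevated
# session, same bitness as the inspected processes, and a trusted-root list
# that matches your environment.

function Get-UntrustedProcessModule {
    [CmdletBinding()]
    param(
        # Directory prefixes considered trusted; everything else is reported.
        [string[]]$TrustedRoot = (@(
            $env:SystemRoot,
            $env:ProgramFiles,
            ${env:ProgramFiles(x86)}
        ) | Where-Object { $_ })
    )

    foreach ($proc in Get-Process) {
        try {
            # Reading .Modules opens the target process; access-denied and
            # cross-bitness reads throw Win32Exception, which we skip.
            $modules = $proc.Modules
        } catch {
            continue
        }
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $trusted = $false
            foreach ($root in $TrustedRoot) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $trusted = $true
                    break
                }
            }
            if (-not $trusted) {
                [pscustomobject]@{
                    ProcessId   = $proc.Id
                    ProcessName = $proc.ProcessName
                    Module      = $m.ModuleName
                    Path        = $path
                }
            }
        }
    }
}

# Usage: one row per foreign module, grouped by process
Get-UntrustedProcessModule | Sort-Object ProcessId | Format-Table -AutoSize
```

Legitimate per-user installs (for example under the user's profile) will also appear in the output, so treat the list as a triage starting point rather than a verdict.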

Port Mapper
This uses a brute-force port-to-process mapping technique that is technically the same as the one used by another interesting freeware utility called Inzider by Arne Vidstrom, which is to be credited as the first program known to use this relatively undocumented technique. Unfortunately, the technique itself is generally not recommended as it is relatively slow (takes approximately 1-2 seconds per process due to 'brute-force' repeated calls to a Winsock API function), and results aren't very reliable. Additionally, not all processes can be attached to, so this technique doesn't always work. Nevertheless, this feature has been included in APM as a further demonstration of what is possible when you are inside another process.
Recommendation: For a serious port-to-process mapping program that utilises three advanced port-to-process mapping techniques, please visit the Port Explorer website at http://www.diamondcs.com.au/portexplorer/

Unload Winsock
This feature invokes the Winsock WSACleanup function, attempting to gracefully cause the target process to terminate its use of ws2_32.dll. In turn this closes all connections and sockets.
Main API function(s): WSACleanup

Close All Handles
All handles used by the target process will be closed.
Main API function(s): CloseHandle

Close File Handles
All file and directory handles used by the target process will be closed. This is ideal if you need to delete or move a particular file but can't because it's in use by another process.
Main API function(s): CloseHandle

Close Mutex Handles
All mutant handles used by the target process will be closed, freeing any mutexes that were in use.
Main API function(s): CloseHandle

Use Less Memory
Empties the working set of the target process to reduce physical memory use.
Main API function(s): SetProcessWorkingSetSize

Get SeDebugPrivilege
Attempts to adjust the token privileges of the target process so as to give it SeDebugPrivilege - a special privilege that grants unique capabilities such as being able to terminate most processes, including ones that normally say 'Access Denied' (see also the TaskMan+ utility).
Main API function(s): AdjustTokenPrivileges

Exit Process
Most process viewers allow you to terminate processes. This is nearly always done via the TerminateProcess API, which forcefully terminates the target process. However, this is not always desirable, and APM provides a safer alternative - the ExitProcess function. By MSDN definition - "ExitProcess is the preferred method of ending a process. This function provides a clean process shutdown."
Main API function(s): ExitProcess

Memory Statistics
The memory statistics utility is a floating window that allows you to see memory statistics in real-time. Statistics are automatically updated every 2 seconds.</span>