Obtaining process name from process handle [modified]
-
Hello everyone, it's a really straightforward question this time: I have a process handle and I wish to detect if that handle is one to my app. I have a function where I receive a handle to a process, and if the handle is a handle to any other app but mine, I send a message to it. I've tried using GetProcessImageFileName, but unfortunately it returns garbage data...

    // GetProcessImageFileName is declared in <psapi.h>; link with psapi.lib
    char processName[255];
    // the size passed must be the real buffer size (255 here), not 256
    GetProcessImageFileName(ProcessHandle, processName, sizeof(processName));
    MessageBox(NULL, processName, "hehehaha", MB_ICONINFORMATION);

Which leads to another non-related question. You see, I'm trying to hook NtTerminateProcess and deny all requests to terminate my own process. The hook works fine, but when I call the real NtTerminateProcess from inside the hookproc the process it's called on crashes. I am completely at a loss as to why this is happening and would appreciate it if someone explained it to me. When it crashes the error is:
The instruction at "0x10002383" referenced memory at "0x0000000c". The memory could not be "read".
It's always the same two addresses for any process. Thanks a lot. :)
P.S. Please, please, PLEASE do not reply with a message asking "Why would you want to do such a thing". This is for educational purposes only, and I mean that. :laugh:
modified on Friday, March 20, 2009 1:51 AM
-
Check the return value of the function to see if it returns an error. Then call GetLastError to get the error value. It's possible that the process handle does not have the PROCESS_QUERY_INFORMATION access right.

«_Superman_» I love work. It gives me something to do between weekends.
-
-
The return value is 0 for the GetProcessImageFileName function, even though it returns garbage data.
-
Are you using a UNICODE build? If so, declare the array as TCHAR instead of char. Or you can try the GetModuleBaseName function.

«_Superman_» I love work. It gives me something to do between weekends.
-
hxhl95 wrote:
I have a process handle and I wish to detect if that handle is one to my app.

Call GetProcessId(), and then call EnumWindows() to find the matching process id.

"Old age is like a bank account. You withdraw later in life what you have deposited along the way." - Unknown
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
-
Not UNICODE. I'm going to give GetModuleBaseName a try, but according to MSDN:
To retrieve the base name of the main executable module for a remote process, use the GetProcessImageFileName or QueryFullProcessImageName function to retrieve the module name and then use the strrchr function as described in the previous paragraph. This is more efficient and more reliable than calling GetModuleBaseName with a NULL module handle.
EDIT/update: GetModuleBaseName also returns garbage...

    // processName must hold at least 1024 chars for the size passed here
    GetModuleBaseName(ProcessHandle, NULL, processName, 1024);
    MessageBox(NULL, processName, "test", MB_ICONINFORMATION);

modified on Friday, March 20, 2009 12:02 PM
-
error C2065: 'GetProcessId' : undeclared identifier, even though I've included windows.h. Does the fact that I'm using VC++ 6.0 make a difference?
-
hxhl95 wrote:
Does the fact that I'm using VC++ 6.0 make a difference?

Only if you need to define _WIN32_WINNT. Look in winbase.h for the appropriate value (if any). See here for more.

"Old age is like a bank account. You withdraw later in life what you have deposited along the way." - Unknown
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
-
-
winbase.h doesn't contain a definition of GetProcessId. I tried defining it manually with
    DWORD WINAPI GetProcessId(__in HANDLE ProcessHandle);
but then I get an unresolved external symbol error, even though I'm obviously including kernel32.lib...
-
hxhl95 wrote:
winbase.h doesn't contain a definition of GetProcessId.

You need to install the Platform SDK.

"Old age is like a bank account. You withdraw later in life what you have deposited along the way." - Unknown
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
-
-
So are you looking in C:\Program Files\Microsoft SDK\include\winbase.h instead of C:\Program Files\Microsoft Visual Studio\VC98\Include\winbase.h? If you add #include to the top of a file, right-click it and select Open, which of the two files opens?

"Old age is like a bank account. You withdraw later in life what you have deposited along the way." - Unknown
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
-
I did
    #include <C:\Program Files\Microsoft Platform SDK\Include\winbase.h>
just in case, and it's still giving me an undeclared error. When I open the file the SDK file opens, and I can see the definition of GetProcessId in the file. However the compiler just doesn't find it. :sigh:
-
I'm out of suggestions at this point. This compiles fine for me:

    #include <windows.h>
    void main( void )
    {
        GetProcessId(0);
    }

"Old age is like a bank account. You withdraw later in life what you have deposited along the way." - Unknown
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
-
You say that the error code is success and still you're getting garbage. This is highly unlikely. I believe you're not doing any error checking, so it's probably gone wrong somewhere else. GetModuleBaseName, for instance, returns the length of the string copied. What is this value?

«_Superman_» I love work. It gives me something to do between weekends.
-
Oh, I'm sorry. I thought GetModuleBaseName returns an error code instead of the length of the string copied. I assumed the 0 it returned meant success :doh: That explains the garbage data.
EDIT: I checked GetLastError; it's returning an invalid handle error. :wtf: Might this be because I'm getting the handle from NtTerminateProcess?
modified on Saturday, March 21, 2009 2:37 PM
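Putting the thread's answers together, as an added example that is not code from any poster: the GetProcessId comparison David suggests, with the return-value checking _Superman_ asks for, plus an image-name fallback for an SDK that lacks GetProcessId. The Win32 part builds only on Windows; image_base_name is the strrchr step from the MSDN text quoted above and is plain C. The function names and the sample path are mine.

```c
#include <stdio.h>
#include <string.h>

/* MSDN's "then use strrchr" step: full image path (native \Device\...
 * form included) to base name. Pure C, so it can run without Windows. */
const char *image_base_name(const char *path)
{
    const char *p = strrchr(path, '\\');
    return p ? p + 1 : path;
}

#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0501   /* GetProcessId needs XP-level headers */
#endif
#include <windows.h>
#include <psapi.h>            /* GetProcessImageFileNameA; link psapi.lib */

/* 1 = handle is this process, 0 = another process, -1 = API failure (see
 * GetLastError). The handle needs PROCESS_QUERY_INFORMATION or
 * PROCESS_QUERY_LIMITED_INFORMATION, otherwise GetProcessId returns 0. */
int handle_is_my_process(HANDLE hProcess)
{
    DWORD pid = GetProcessId(hProcess);
    return pid == 0 ? -1 : (pid == GetCurrentProcessId() ? 1 : 0);
}

/* Fallback when GetProcessId is undeclared: compare image base names.
 * A-suffixed calls take char buffers whatever UNICODE is, sizeof() is the
 * real buffer size, and a 0 return means garbage, so it is never compared.
 * Two instances of one .exe match here; prefer handle_is_my_process. */
int handle_is_my_process_by_name(HANDLE hProcess)
{
    char other[MAX_PATH], mine[MAX_PATH];
    if (GetProcessImageFileNameA(hProcess, other, sizeof(other)) == 0)
        return -1;
    if (GetModuleFileNameA(NULL, mine, sizeof(mine)) == 0)
        return -1;
    return _stricmp(image_base_name(other), image_base_name(mine)) == 0;
}
#endif
int main(void)
{   /* constructed sample in the native-device form the API returns */
    const char *sample = "\\Device\\HarddiskVolume1\\Windows\\notepad.exe";
    printf("%s -> %s\n", sample, image_base_name(sample));
#ifdef _WIN32
    printf("own handle: %d\n", handle_is_my_process(GetCurrentProcess()));
#endif
    return 0;
}
```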