Running processes and OpenProcess joys

For most Windows users, this is as simple as Ctrl+Alt+Del, or failing that, TASK.exe from the command prompt. But how do you do it programmatically (it is so a word)?


There are a few ways, but I like to use one particular library for its small size and speed: Procs.dll. The contents of the Procs header are as follows:

// PROCS.dll info: the functions the DLL exports (all __stdcall)
#include <windows.h>

// process enumeration
DWORD  __stdcall GetNumberOfProcesses(void);
BOOL   __stdcall GetProcessIDList(DWORD *dwIDArray, DWORD dwArraySize);
BOOL   __stdcall GetProcessPath(DWORD dwPID, char *szBuff, DWORD dwBuffSize);
BOOL   __stdcall GetProcessBaseSize(DWORD dwPID, DWORD *dwImageBase, DWORD *dwImageSize);

// modules loaded in a given process
DWORD  __stdcall GetNumberOfModules(DWORD dwPID);
BOOL   __stdcall GetModuleHandleList(DWORD dwPID, DWORD *dwHandleArray, DWORD dwArraySize);
BOOL   __stdcall GetModulePath(DWORD dwPID, DWORD dwModh, char *szBuff, DWORD dwBuffSize);
BOOL   __stdcall GetModuleSize(DWORD dwPID, DWORD dwModh, DWORD *dwImageSize);

// look-ups by name
DWORD  __stdcall GetProcessPathID(char *szPath);
HANDLE __stdcall GetModuleHandleEx(DWORD dwPID, char *szModule);

Short and sweet. The back-end code was written by a great cracker/hacker, yoda/FReAK2FReAK. This guy wrote LordPE, several custom debuggers, and a number of other things that put me to shame. I trust his code. So how do we invoke it? Easily:

#include <stdio.h>
#include <windows.h>
#include "procs.h"   // the Procs.dll header shown above (file name assumed)

DWORD ProcList(void);

int main(void)
{
    DWORD pid = ProcList();

    // open the process with only PROCESS_VM_READ, the least access we need to read it;
    // FALSE: no reason for child processes to inherit this handle
    HANDLE myproc = OpenProcess(PROCESS_VM_READ, FALSE, pid);
    if (myproc == NULL)
    {
        MessageBox(NULL, "Invalid Process ID", "U BROKE IT!", MB_OK);
        return 0;
    }
    /* ... read from myproc here ... */
    CloseHandle(myproc);
    return 0;
}

DWORD ProcList(void)
{
    DWORD pid = 0;
    DWORD list[512];
    DWORD psz = sizeof(list) / sizeof(list[0]);   // capacity of list, in entries
    DWORD numoprocs = GetNumberOfProcesses();
    if (numoprocs > psz)
        numoprocs = psz;                           // never walk past the end of list
    if (!GetProcessIDList(list, psz))
    {
        MessageBox(NULL, "Damnit!", "Double Damnit!", MB_OK);
        ExitProcess(0);
    }
    DWORD cnt = 0;
    for (; cnt < numoprocs; cnt++)
    {
        printf("Process ID: %lu\r\n", list[cnt]);
    }
    printf("There are %lu live processes. Enter a Process ID to attach to: \r\n", numoprocs);
    if (scanf("%lu", &pid) != 1)
        ExitProcess(0);
    return pid;
}

That just gets us the process IDs. We can one-up this with a call to GetModuleFileNameEx(), which returns a string containing where the process's image lives on the file system.


What can we do with the process ID? OpenProcess() of course! That opens up an avenue of awesome functions at our disposal. We can read process memory, and modify it if we want to. Here's a little function for sifting through a live process's memory. The 'proc' argument is the handle returned by OpenProcess():

int liveproc(HANDLE proc)
{
    DWORD_PTR baseaddr = 0x00401000;   // assumes the classic 0x00400000 image base; a relocated image lives elsewhere
    unsigned char holdme[256];         // unsigned so %02x prints 00..ff, not sign-extended values
    SIZE_T got = 0;
    int x = 0;
    printf("memory listing: \r\n");
    for (; x < (int)sizeof(holdme); x++)
    {
        // read 1 byte at a time, advancing both the remote address and the buffer slot
        if (!ReadProcessMemory(proc, (LPCVOID)(baseaddr + x), &holdme[x], 1, &got) || got != 1)
        {
            printf("\r\nReadProcessMemory failed at %p (error %lu)\r\n",
                   (void *)(baseaddr + x), GetLastError());
            return 0;
        }
        printf("%02x ", holdme[x]);
    }
    printf("\r\n");
    return x;   // number of bytes dumped
}
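The same procedure (list processes, open one, find its image, read its memory) as an added example that is not code from the original post or from Procs.dll: PowerShell calling the Win32 functions through P/Invoke, requesting only the access rights it needs, taking the real load base from the process's main module instead of assuming 0x401000, and checking what ReadProcessMemory actually returned. Assumed: Windows PowerShell 5.1 or later on Windows, and a target process the caller is permitted to open.

```powershell
# Added example (not from the original post or Procs.dll); assumes Windows PowerShell 5.1+.
# Win32 imports: OpenProcess / ReadProcessMemory / CloseHandle from kernel32.
Add-Type -Namespace Win32 -Name Proc -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
    byte[] lpBuffer, UIntPtr nSize, out UIntPtr lpNumberOfBytesRead);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$PROCESS_VM_READ                   = 0x0010
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

function Read-ImageHeader {
    param([Parameter(Mandatory)][int]$ProcessId, [int]$Count = 64)

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $path = $proc.MainModule.FileName      # what GetModuleFileNameEx would return
    $base = $proc.MainModule.BaseAddress   # actual load address, not a hard-coded 0x401000

    $h = [Win32.Proc]::OpenProcess($PROCESS_VM_READ -bor $PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw ("OpenProcess({0}) failed, Win32 error {1}" -f $ProcessId, [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    try {
        $buf  = New-Object byte[] $Count
        $read = [UIntPtr]::Zero
        # One call for the whole range; check the success flag and the byte count, not just the buffer.
        $ok = [Win32.Proc]::ReadProcessMemory($h, $base, $buf, [UIntPtr]::new([uint64]$Count), [ref]$read)
        if (-not $ok) {
            throw ("ReadProcessMemory failed, Win32 error {0}" -f [Runtime.InteropServices.Marshal]::GetLastWin32Error())
        }
        $n = [int]$read.ToUInt64()
        [PSCustomObject]@{
            Pid   = $ProcessId
            Path  = $path
            Base  = '0x{0:X}' -f $base.ToInt64()
            Read  = $n
            IsMZ  = ($n -ge 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)   # DOS 'MZ' signature at the base
            Bytes = (($buf | Select-Object -First $n | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')
        }
    } finally {
        [void][Win32.Proc]::CloseHandle($h)
    }
}

Get-Process | Sort-Object Id | Format-Table Id, ProcessName, Path -AutoSize   # the post's ProcList step
Read-ImageHeader -ProcessId $PID                                               # inspect this PowerShell process
```

Run it from a PowerShell of the same bitness as the target, otherwise MainModule throws before any Win32 call is made; protected or higher-integrity processes fail at OpenProcess with ERROR_ACCESS_DENIED (5), which is the expected result rather than a bug.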

As for writing process memory, you would use the function WriteProcessMemory.

I’ll go over WriteProcessMemory() in another blog post, specifically how to do it without crashing the application.


Any other cool functions? GetThreadContext() of course! With this little number we can read registers. A pseudo-debugger, as it were.
