{"id":118,"date":"2012-03-07T23:54:42","date_gmt":"2012-03-07T23:54:42","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=118"},"modified":"2012-06-04T19:49:26","modified_gmt":"2012-06-04T19:49:26","slug":"mimicking-task-manager","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2012\/03\/mimicking-task-manager\/","title":{"rendered":"Mimicking task manager"},"content":{"rendered":"

Have you ever wondered how to make your own task manager? That thing that pops up when you press control+shift+escape and shows all the process names, ids and files associated with them? Well now you can!<\/p>\n

 <\/p>\n

What you need is a C compiler, the dll, and the library. You can download them here: PROCS<\/a><\/p>\n

The code below creates a window, and a listbox control then proceeds to populate the contents of said listbox with a for loop going through each process.<\/p>\n

The meat and potatoes are in the ‘procs’ library which make the calls easy as pie. The definitions in procs.h are as such:
\n

\nDWORD __stdcall GetNumberOfProcesses();\nBOOL __stdcall GetProcessIDList(DWORD dwIDArray, DWORD dwArraySize);\nBOOL __stdcall GetProcessPath(DWORD dwPID, char *szBuff, DWORD dwBuffSize);\nBOOL __stdcall GetProcessBaseSize(DWORD dwPID, DWORD *dwImageBase, DWORD *dwImageSize);\nDWORD __stdcall GetNumberOfModules(DWORD dwPID);\nBOOL __stdcall GetModuleHandleList(DWORD dwPID,DWORD *dwHandleArray, DWORD dwArraySize);\nBOOL __stdcall GetModulePath(DWORD dwPID, DWORD dwModh, char *szBuff, DWORD dwBuffSize);\nBOOL __stdcall GetModuleSize(DWORD dwPID, DWORD dwModh, DWORD *dwImageSize);\nDWORD __stdcall GetProcessPathID(char szPath);\nHANDLE __stdcall GetModuleHandleEx(DWORD dwPID, char szModule);\n<\/code><\/pre><\/p>\n
Internally the library makes use of the PSAPI functions supported from the win32 lib for creating a working set from the process list. This library saves me a ton of time and was written by a rockstar of the reverse engineering community – Yoda. I found the library within his tool LordPE available here:<\/p>\n
http:\/\/www.woodmann.com\/collaborative\/tools\/index.php\/LordPE<\/p>\n
Here’s what it looks like compiled:<\/p>\n
\"\"<\/a><\/p>\n
Here’s the code:<\/p>\n
<\/code><\/pre>\n
#include <\/p>\n
#include \n
#include \u201cprocs.h\u201d<\/p>\n
#include <\/p>\n
DWORD ProcList(void);<\/p>\n
LRESULT CALLBACK WindowProcedure (HWND, UINT, WPARAM, LPARAM);<\/p>\n
char szClassName[ ] = \u201cOh god not the bees!\u201d;<\/p>\n
int WINAPI WinMain (HINSTANCE hThisInstance,<\/p>\n
HINSTANCE hPrevInstance,<\/p>\n
LPSTR lpszArgument,<\/p>\n
int nCmdShow)<\/p>\n
{<\/p>\n
HWND hwnd;<\/p>\n
MSG messages;<\/p>\n
WNDCLASSEX wincl;<\/p>\n
wincl.hInstance = hThisInstance;<\/p>\n
wincl.lpszClassName = szClassName;<\/p>\n
wincl.lpfnWndProc = WindowProcedure;<\/p>\n
wincl.style = CS_DBLCLKS;<\/p>\n
wincl.cbSize = sizeof (WNDCLASSEX);<\/p>\n
wincl.hIcon = LoadIcon (NULL, IDI_APPLICATION);<\/p>\n
wincl.hIconSm = LoadIcon (NULL, IDI_APPLICATION);<\/p>\n
wincl.hCursor = LoadCursor (NULL, IDC_ARROW);<\/p>\n
wincl.lpszMenuName = NULL;<\/p>\n
wincl.cbClsExtra = 0;<\/p>\n
wincl.cbWndExtra = 0;<\/p>\n
wincl.hbrBackground = (HBRUSH) COLOR_BACKGROUND;<\/p>\n
if (!RegisterClassEx (&wincl))<\/p>\n
return 0;<\/p>\n
hwnd = CreateWindowEx (<\/p>\n
0,<\/p>\n
szClassName,<\/p>\n
\u201cProcess Listing\u201d,<\/p>\n
WS_OVERLAPPEDWINDOW,<\/p>\n
CW_USEDEFAULT,<\/p>\n
CW_USEDEFAULT,<\/p>\n
800,<\/p>\n
600,<\/p>\n
HWND_DESKTOP,<\/p>\n
NULL,<\/p>\n
hThisInstance,<\/p>\n
NULL<\/p>\n
);<\/p>\n
HWND hListBox = CreateWindowEx(WS_EX_CLIENTEDGE, \u201cLISTBOX\u201d, NULL, WS_CHILD | WS_VISIBLE | WS_VSCROLL | WS_HSCROLL, 35, 15, 700, 500, hwnd, 666, hThisInstance, NULL);<\/p>\n
DWORD psz,pid;<\/p>\n
HANDLE process;<\/p>\n
char process_name[1024];<\/p>\n
char pidmsg1[512];<\/p>\n
char pidmsg2[512];<\/p>\n
DWORD list[1024];<\/p>\n
DWORD numoprocs = GetNumberOfProcesses();<\/p>\n
if(!GetProcessIDList(list,psz))<\/p>\n
{<\/p>\n
MessageBox(NULL,\u201dDamnit!\u201d,\u201dGetProcessIDList failed for some reason.\u201d,MB_OK);<\/p>\n
ExitProcess(0);<\/p>\n
}<\/p>\n
int cnt;<\/p>\n
for(cnt = 0;cnt\"\"<\/a><\/p>\n
 <\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Have you ever wondered how to make your own task manager? That thing that pops up when you press control+shift+escape and shows all the process names, ids and files associated with them? Well now you can!   What you need is a C compiler, the dll, and the library. You can download them here: PROCS […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,7],"tags":[],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/118"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=118"}],"version-history":[{"count":7,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/118\/revisions"}],"predecessor-version":[{"id":173,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/118\/revisions\/173"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=118"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=118"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=118"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}