{"id":81,"date":"2011-09-19T01:31:30","date_gmt":"2011-09-19T01:31:30","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=81"},"modified":"2011-09-19T01:31:43","modified_gmt":"2011-09-19T01:31:43","slug":"running-processes-and-openprocess-joys","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2011\/09\/running-processes-and-openprocess-joys\/","title":{"rendered":"Running processes and OpenProcess joys"},"content":{"rendered":"

For most windows users, this is as simple as control alt delete, or failing that, TASK.exe from the command prompt. nut how do you do it programmatically(it is so a word)?<\/p>\n

 <\/p>\n

There are a few ways, but I like to use one particular library for its small size and speed. Procs.dll. The contents ofthe procs header are as follows:<\/p>\n

\/\/ PROCS.dll info
\ntypedef struct Procs
\n{
\nDWORD\u00a0 __stdcall GetNumberOfProcesses();
\nBOOL\u00a0\u00a0 __stdcall GetProcessIDList(DWORD *dwIDArray, DWORD dwArraySize);
\nBOOL\u00a0\u00a0 __stdcall GetProcessPath(DWORD dwPID, char *szBuff, DWORD dwBuffSize);
\nBOOL\u00a0\u00a0 __stdcall GetProcessBaseSize(DWORD dwPID, DWORD *dwImageBase, DWORD *dwImageSize);<\/p>\n

DWORD\u00a0 __stdcall GetNumberOfModules(DWORD dwPID);
\nBOOL\u00a0\u00a0 __stdcall GetModuleHandleList(DWORD dwPID,DWORD *dwHandleArray, DWORD dwArraySize);
\nBOOL\u00a0\u00a0 __stdcall GetModulePath(DWORD dwPID, DWORD dwModh, char *szBuff, DWORD dwBuffSize);
\nBOOL\u00a0\u00a0 __stdcall GetModuleSize(DWORD dwPID, DWORD dwModh, DWORD *dwImageSize);<\/p>\n

DWORD\u00a0 __stdcall GetProcessPathID(char* szPath);
\nHANDLE __stdcall GetModuleHandleEx(DWORD dwPID, char* szModule);<\/p>\n

};<\/p>\n

Short and sweet. The back end code was made by great cracker hacker. yoda\/FReAK2FReAK. This guy wrote LordPE, several custom debuggers, and a number of other things that put me to shame. I trust his code. So how do we invoke? Easily:<\/p>\n

unsigned int pid;
\npid =ProcList();<\/p>\n

\/\/ open the process with VM_READ so it dont crash:
\nHANDLE myproc = OpenProcess(PROCESS_VM_READ ,TRUE,pid); \/\/ open it
\nif(myproc == NULL)
\n{
\nMessageBox(NULL,”Invalid Process ID”,”U BROKE IT!”,MB_OK);
\nreturn 0;
\n}<\/p>\n

DWORD ProcList()
\n{<\/p>\n

DWORD pid,psz;
\nDWORD list[512];
\nDWORD numoprocs = GetNumberOfProcesses();
\nif(!GetProcessIDList(list,psz))
\n{
\nMessageBox(NULL,”Damnit!”,”Double Damnit!”,MB_OK);
\nExitProcess(0);
\n}
\nint cnt = 0;
\nfor(;cnt<numoprocs;cnt++)
\n{
\nprintf(“Process ID: %d\\r\\n”,list[cnt]);<\/p>\n

}
\nprintf(“There are %d live processes. Enter a Process ID to attach to: \\r\\n”,numoprocs);
\nscanf(“%d”,&pid);
\nreturn pid;
\n}<\/p>\n

That just gets us the process ID’s. We can one up this with a call to GetModuleFileNameEx(). This function returns to us a string that contains where the process lives on the file system.<\/p>\n

 <\/p>\n

What can we do with the process ID? OpenProcess() of course! And that opens up an avenue of awesome functions at our disposal. We can read process memory. Modify it if we want to. Here’s a little function for sifting through a live processes memory. The ‘proc’ function arg is returned by each subsequent call to OpenProcess that’s what the function returns:<\/p>\n

int liveproc(HANDLE proc)
\n{
\nDWORD baseaddr = 0x0401000;
\nchar holdme[256];
\nint x =0;
\nprintf(“memory listing: \\r\\n”);
\nfor(;x<sizeof(holdme);x++)
\n{
\nReadProcessMemory(proc,&baseaddr,&holdme,1,NULL); \/\/ read 1 byte at a type
\nprintf(“%02x “, holdme[x]);
\n}<\/p>\n

As for writing process memory, you would use the function WriteProcessMemory.<\/p>\n

I’ll go over WriteProcessMemory() in another blog post, specifically how to do it without crashing the application.<\/p>\n

 <\/p>\n

Any other cool functions? GetThreadContext() of course! With this little number, we can read registers. A psuedo debugger as it were.<\/p>\n","protected":false},"excerpt":{"rendered":"

For most windows users, this is as simple as control alt delete, or failing that, TASK.exe from the command prompt. nut how do you do it programmatically(it is so a word)?   There are a few ways, but I like to use one particular library for its small size and speed. Procs.dll. The contents ofthe […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,5],"tags":[],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/81"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=81"}],"version-history":[{"count":2,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/81\/revisions"}],"predecessor-version":[{"id":83,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/81\/revisions\/83"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=81"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=81"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=81"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}