Can someone please explain to me what is the differance between:
OpenProcess and CreatProcess.
(I am trying to inject a DLL into a program and I dont know which one to use.)
OpenProcess is passed a process ID for an existing process, and returns a process handle for that process.
CreateProcess creates a brand new process, returning a handle to that new process (amongst other things).
If you want to inject into a process that is already running, then you will need OpenProcess.
In relation to injecting a .dll into another process,there are a couple of major benefits and differences between OpenProcess and CreateProcess.
The first is timing. You can inject the dll before the target process has had a chance to perform any of their own code by creating the process in a suspended state (dwCreationFlags with CREATE_SUSPENDED(0x00000004) set). Don't forget to resume the process once you are ready for it to execute.
The second is privilege. The process handle returned by CreateProcess automatically has PROCESS_ALL_ACCESS without the need to set SeDebugPrivilege first. OpenProcess does require your program to gain this privilege before it is allowed to use the PROCESS_ALL_ACCESS flag.
Some other minor things to remember:
CreateProcess cannot be called on a running process, but you can always call OpenProcess after CreateProcess if you needed to for whatever reason.
CreateProcess requires you to CloseHandle both the process and thread handles returned in PROCESS_INFORMATION, where OpenProcess only requires you to CloseHandle on it's return value (No thread handle gets opened).
If you need to change the Environment for whatever reason(unlikely), you'll have to use CreateProcess.
Further reading can be found:
CreateProcess
OpenProcess
process-security-and-access-rights
Related
I use CreateProcess to start a .exe of mine. I want to know if everything worked fine or if it encouter errors when I tried to start this .exe.
From what I can tell, I need to use GetLastError(), but I tried to simulate an error in the process path but it return the same last error code.
So I want to catch if CreateProcess is successfull or not and if the process is done. What should I do to achieve that ?
Thanks.
All the information you are looking for is spelled out in the documentation for CreateProcess:
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error information, call GetLastError.
Note that the function returns before the process has finished initialization. If a required DLL cannot be located or fails to initialize, the process is terminated. To get the termination status of a process, call GetExitCodeProcess.
If you need to wait for the target process to terminate, call WaitForSingleObject on the process handle returned in the PROCESS_INFORMATION filled out by the call to CreateProcess.
Since you control the target process, you are free to choose any scheme that allows you to determine success or failure from the process' exit code. You can call GetExitCodeProcess at any time after the process' handle transitioned to the signaled state, and before you call CloseHandle on it.
There are several approaches I can think of:
#1 - Enumeration
You can enumarate the processes and check if the PID is in the list. Check out EnumProcesses
#2 - Checking Exit Codes
You can use GetExitCodeProcess. It will return STILL_ACTIVE (259) if the process is still running
#3 - Process Handles
WaitForSingleObject uses a Process handle with the SYNCHRONIZE access right and returns 0 if the process is not running.
Note: You should not specify INFINITE for the dwMilliseconds parameter because the function would not return until the process state became signaled(process is terminated).
How can I detect the name of the application that created my application's process?
For example, if someone wanted, they could call CreateProcess and pass it the suspended flag and inject into my application.
Is there a way to block CreateProcess or to figure out what process created an instance of my application?
I've hooked loadlibrary, createthread and all the other easy stuff but CreateProcess seems like it can bypass that.
I'm doing it for fun and learning, not for real world use. I just haven't seen anything that detects CreateProcess..
Any ideas at all?
You can find the parent process ID using the tool help library:
Call CreateToolhelp32Snapshot.
Call Process32First and Process32Next to enumerate the processes.
At some point you will encounter a PROCESSENTRY32 struct for which th32ProcessID is the process ID of your process.
Read out the th32ParentProcessID member to find the process ID of your parent.
Now that you know the parent process, you can enumerate again to gain information about it.
Be prepared for the parent process to have been terminated before you reach this point.
I have a EXE1 which requires an Config file when launched.
I am using ShellExecuteEx to launch EXE1 from EXE2.
It is working fine as such but the if the config file is not preset for EXE1 then it do not get launched however ShellExecuteEx returns TRUE(1) .
I am checking the return value of ShellExecuteEx to Disable the "Launch" BUtton in EXE2 which launch the EXE1.
Since ShellExecuteEx returns TRUE(1) so Launch button is Disable which wrong functionality.
I tried this with CreateProcess as well, it also behaves in the same way.
How can I Ensure exe is launched or not.
You would have to signal from the second program into the first program in some way -- by using shared memory, mutants, or some other interprocess communication method.
ShellExecuteEx only cares about whether the executable is able to start, not whether it's able to do what you expected it to.
Alternately, use CreateProcess instead and monitor for the return code of the child process.
ShellExecuteEx returns true if it's able to launch the executable. It does not actually convey the return code from the launched application.
You can use WaitForSingleObject to wait for few milliseconds on the launched application's handle (hProcess) in SHELLEXECUTEINFO struct. If WaitForSingleObject returns WAIT_OBJECT_0 or WAIT_ABANDONED, you can 'assume' that the launched application has exited. If the launched application continues to run, then your wait would timeout. However, this is not a foolproof method. A more robust way would be to have some IPC mechanism like pipe between applications.
I am using CreateProcess function for creating the process, is there any option to get the current state of the process (running or not). Kindly guide me how can I make it possible.
Use OpenProcess function with that dwProcessId if it returns NULL Process is not running otherwise it will return handle to that process
Create process returns a handle to the process in PROCESS_INFORMATION structure, you can use this with something like GetExitCodeProcess to work out if it is still running, or you can use the wait functions to wait for it to exit.
I'm using the ShellExecuteEx function in a C++ program to launch an Uninstall.lnk file. In my program, I'd like to wait for the uninstaller to finish. My first attempt was to set the SEE_MASK_NOCLOSEPROCESS flag in the SHELLEXECUTEINFO structure and then call WaitForSingleObject on the hProcess handle available in the SHELLEXECUTEINFO structure passed to ShellExecuteEx, but that still seemed to return way too early.
My current suspicion is that this is because the process launched by ShellExecuteEx (does it launch a new shell?) creates new child processes, but doesn't wait for them. So I'm trying to create a "wait for my child process and all the children it launches" function. To do so, I'm trying to use job objects.
I created a job object using CreateJobObject, assigned the process handle returned by ShellExecuteEx to the job and then attempted to wait for the job object. Unfortunately assigning the process to the job failed, and I think this is due to insufficient access rights.
Does anybody know how to set the PROCESS_SET_QUOTA and PROCESS_TERMINATE access rights (which are required for AssignProcessToJobObject to succeed, according to the MSDN) on a process handle, or another way to wait for the process launched by ShellExecuteEx to finish?
UPDATE: I should point out that I'm also launching other applications, not just Uninstall.lnk. One of them is e.g. a ClickOnce application, which is effectively a simple XML file with the file extension .application.
Vista uses job objects for launching links. Therefor the process you try to assign to another job object might already be assigned.
See: this question
Why not to execute target file instead of openning Uninstall.lnk? You could use IShellLink to get shortcut target. Then you'll be able to execute target file via ShellExecuteEx using SEE_MASK_NOCLOSEPROCESS flag.