How can I detect the name of the application that created my application's process?
For example, if someone wanted, they could call CreateProcess and pass it the suspended flag and inject into my application.
Is there a way to block CreateProcess or to figure out what process created an instance of my application?
I've hooked loadlibrary, createthread and all the other easy stuff but CreateProcess seems like it can bypass that.
I'm doing it for fun and learning, not for real world use. I just haven't seen anything that detects CreateProcess..
Any ideas at all?
You can find the parent process ID using the tool help library:
Call CreateToolhelp32Snapshot.
Call Process32First and Process32Next to enumerate the processes.
At some point you will encounter a PROCESSENTRY32 struct for which th32ProcessID is the process ID of your process.
Read out the th32ParentProcessID member to find the process ID of your parent.
Now that you know the parent process, you can enumerate again to gain information about it.
Be prepared for the parent process to have been terminated before you reach this point.
Related
Can someone please explain to me what is the differance between:
OpenProcess and CreatProcess.
(I am trying to inject a DLL into a program and I dont know which one to use.)
OpenProcess is passed a process ID for an existing process, and returns a process handle for that process.
CreateProcess creates a brand new process, returning a handle to that new process (amongst other things).
If you want to inject into a process that is already running, then you will need OpenProcess.
In relation to injecting a .dll into another process,there are a couple of major benefits and differences between OpenProcess and CreateProcess.
The first is timing. You can inject the dll before the target process has had a chance to perform any of their own code by creating the process in a suspended state (dwCreationFlags with CREATE_SUSPENDED(0x00000004) set). Don't forget to resume the process once you are ready for it to execute.
The second is privilege. The process handle returned by CreateProcess automatically has PROCESS_ALL_ACCESS without the need to set SeDebugPrivilege first. OpenProcess does require your program to gain this privilege before it is allowed to use the PROCESS_ALL_ACCESS flag.
Some other minor things to remember:
CreateProcess cannot be called on a running process, but you can always call OpenProcess after CreateProcess if you needed to for whatever reason.
CreateProcess requires you to CloseHandle both the process and thread handles returned in PROCESS_INFORMATION, where OpenProcess only requires you to CloseHandle on it's return value (No thread handle gets opened).
If you need to change the Environment for whatever reason(unlikely), you'll have to use CreateProcess.
Further reading can be found:
CreateProcess
OpenProcess
process-security-and-access-rights
I need to get the PROCESS_INFORMATION of an external process for use in my application, I have the process handle and process ID, but I don't know how to go about getting the PROCESS_INFORMATION out of that.
I'm using C++(11), Visual Studio 2012, running on Windows. Any help would be greatly appreciated.
PROCESS_INFORMATION is filled by CreateProcess(). That ship has sailed; the process was already started.
Let's focus on what you really want to do. To find out if a process has terminated, first use OpenProcess() to obtain a handle to the process. You'll need the PID, which you already have. Then WaitForSingleObject() will tell you if it is terminated. Pass INFINITE for the 2nd argument to block until the process terminates. Pass 0 if you want to poll. Finally, use CloseHandle() to clean up.
PROCESS_INFORMMATION provides 4 pieces of information:
HANDLE hProcess
HANDLE hThread
DWORD dwProcessID
DWORD dwThreadID
You say you already have two of those values - the Process Handle and Process ID. So that just leaves the Thread Handle and Thread ID. Those belong to the first thread created for the process. You can use CreateToolhelp32Snapshot(), Thread32First(), and Thread32Next() to enumerate the running threads looking for Thread IDs that belong to a given Process ID, and then use OpenThread() to get the Thread Handle of a given Thread ID. The tricky part is identifying which Thread ID is the first thread. That information is not readily available outside of CreateProcess().
The information you need can be obtained with the CreateToolhelp32Snapshot function since it returns both the process ID and the parent process ID. An example of its use can be found here.
Is there a way to kill my app's child process and perform it's cleanup(calling deconstructors and atexit functions), similarly to exit(exit_code), but on another process?
If you are on windows, you probably start your child processes by CreateProcess, which has a PROCESS_INFORMATION as the last parameter.
CreateProcess on MSDN
Process Information on MSDN
Option 1:
This process information contains a handle to the process started in the hProcess member.
You can store this handle and use it to kill your child processes.
Insert
You probably want to send WM_CLOSE and / or WM_QUIT?
to "cleanly" end the process:
Here is a KB Article on what to do KB how to cleanly kill win32 processes
** End Insert**
Option 2:
Here is an discussion on how to properly kill a process tree: Terminate a process tree on windows
There's no simple Win32 API for that kind of thing. The OS doesn't care what language your program's source code was written in, the compiled program appears to it as just a sequence of CPU instructions plus data.
The cleanest way would be to establish some kind of a communication channel between the processes (e.g. via shared memory) and simply request process termination.
You can achieve the same by starting the child process as a debugged process and then using debug APIs to alter the child's behavior, but that's too intrusive and not very straightforward to implement.
Is it possible to, in Windows, create a sort of anonymous process? For instance, creating a process that shows up in task manager, which has a PID, etc. However, instead of starting it up with an EXE, you just give it an entry point address to a currently running process (sort of like a DLL) and it starts its own thread.
Is something like this possible? If so, how would one go about it?
EDIT: Also, preferably, the child process would die along with the parent process if the parent process returns or is terminated.
I want to make an application in C or C++ which have to monitor some specific processes. How can I make it possible in C?
You said that you have tomaonitor "some specific processes". If your application started the processes, you can extract the process handles from the PROCESS_INFORMATION structure (field hProcess) you passed to the CreateProcess function. If the process you want to track has been launched in some different way, you need the process' ID (PID), and use it as third argument of OpenProcess to obtain an handle. So you can use the WaitForSingleObject or WaitForMultipleObjects functions to wait for the process completion. Optionally you can obtain the process' exit code with the GetExitCodeProcess function.
There are other ways by which an application can start a new process (e.g. by the _system() library function), but I strongly suggest to use CreateProcess directly in your code, since you can control the child process' behaviour completely (e.g. you can select the priority, pass stdin/stdout/stderr handles, decide the startup window's characteristics...).
Suggested example:
http://msdn.microsoft.com/en-us/library/ms682512%28VS.85%29.aspx
You start a process in Windows with the CreateProcess() function. It returns a HANDLE to the process in PROCESS_INFORMATION.hProcess. That handle will be signaled when the process terminates, allowing you to keep track of its lifetime. Use WaitForSingleObject() or WaitForMultipleObjects() to do so. There's a code sample available here...
Before you write your own, have you looked at Process Monitor v2.8?
Process Monitor is an advanced
monitoring tool for Windows that shows
real-time file system, Registry and
process/thread activity. It combines the features of two legacy
Sysinternals utilities, Filemon and
Regmon, and adds an extensive list of
enhancements including rich and
non-destructive filtering,
comprehensive event properties such
session IDs and user names, reliable
process information, full thread
stacks with integrated symbol support
for each operation, simultaneous
logging to a file, and much more.
Boost.Process
sample for Win32 Platform.