I need to get the PROCESS_INFORMATION of an external process for use in my application. I have the process handle and process ID, but I don't know how to go about getting the PROCESS_INFORMATION out of that.
I'm using C++(11), Visual Studio 2012, running on Windows. Any help would be greatly appreciated.
PROCESS_INFORMATION is filled by CreateProcess(). That ship has sailed; the process was already started.
Let's focus on what you really want to do. To find out if a process has terminated, first use OpenProcess() to obtain a handle to the process. You'll need the PID, which you already have. Then WaitForSingleObject() will tell you if it is terminated. Pass INFINITE for the 2nd argument to block until the process terminates. Pass 0 if you want to poll. Finally, use CloseHandle() to clean up.
PROCESS_INFORMATION provides 4 pieces of information:
HANDLE hProcess
HANDLE hThread
DWORD dwProcessID
DWORD dwThreadID
You say you already have two of those values - the Process Handle and Process ID. So that just leaves the Thread Handle and Thread ID. Those belong to the first thread created for the process. You can use CreateToolhelp32Snapshot(), Thread32First(), and Thread32Next() to enumerate the running threads looking for Thread IDs that belong to a given Process ID, and then use OpenThread() to get the Thread Handle of a given Thread ID. The tricky part is identifying which Thread ID is the first thread. That information is not readily available outside of CreateProcess().
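The enumeration this answer describes, as an added example (not the answer's own code): Thread32First/Next filtered on th32OwnerProcessID, with each thread opened via OpenThread so GetThreadTimes can stamp it with its creation time. Treating the earliest-created thread as the process's initial thread is a heuristic assumed here, not something the answer states; ThreadEntry, threads_of and snapshot_threads are names chosen for this example.

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif
// THREADENTRY32 fields the lookup needs, plus the creation time read with
// GetThreadTimes (FILETIME folded into one 64-bit count of 100 ns units).
struct ThreadEntry { uint32_t tid; uint32_t owner_pid; uint64_t created; };

// All thread ids owned by `pid`, earliest-created first. The first element is
// the best available guess for the initial thread (the one CreateProcess would
// have returned in PROCESS_INFORMATION); that is a heuristic, since the
// original thread may have exited and creation times can tie.
std::vector<uint32_t> threads_of(std::vector<ThreadEntry> snap, uint32_t pid) {
    std::vector<uint32_t> tids;
    std::stable_sort(snap.begin(), snap.end(),
        [](const ThreadEntry& a, const ThreadEntry& b) { return a.created < b.created; });
    for (const ThreadEntry& t : snap)
        if (t.owner_pid == pid) tids.push_back(t.tid);
    return tids;
}

#ifdef _WIN32
// Enumerate every thread in the system (Thread32First/Next), keep those owned by
// `pid`, and stamp each with its creation time via OpenThread + GetThreadTimes.
// Threads that cannot be opened keep created = UINT64_MAX so they sort last.
bool snapshot_threads(uint32_t pid, std::vector<ThreadEntry>& out) {
    HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (h == INVALID_HANDLE_VALUE) return false;
    THREADENTRY32 te;
    te.dwSize = sizeof(te);
    if (Thread32First(h, &te)) do {
        if (te.th32OwnerProcessID != pid) continue;
        ThreadEntry e = {(uint32_t)te.th32ThreadID, (uint32_t)te.th32OwnerProcessID, UINT64_MAX};
        HANDLE t = OpenThread(THREAD_QUERY_LIMITED_INFORMATION, FALSE, te.th32ThreadID);
        if (t) {
            FILETIME c, x, k, u;
            if (GetThreadTimes(t, &c, &x, &k, &u))
                e.created = ((uint64_t)c.dwHighDateTime << 32) | c.dwLowDateTime;
            CloseHandle(t);
        }
        out.push_back(e);
    } while (Thread32Next(h, &te));
    CloseHandle(h);
    return true;
}
#endif
```

The Toolhelp half only compiles on Windows; the ordering logic can be checked on a constructed snapshot.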
The information you need can be obtained with the CreateToolhelp32Snapshot function since it returns both the process ID and the parent process ID. An example of its use can be found here.
I am using
HANDLE hThreadSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
to get the threads in the system, and then, by checking the corresponding PID, I gather all the threads of a particular process and open a handle to each of them.
My question is, how can I get the module path that corresponds to this thread, just like Process Hacker? Meaning, let's say this thread's start address is pointing to xxx.dll; how can I find the name of this xxx.dll?
I tried using GetModuleFileNameEx, but this doesn't work with a thread handle and basically doesn't do anything for me.
Can someone please explain to me what the difference is between:
OpenProcess and CreateProcess.
(I am trying to inject a DLL into a program and I don't know which one to use.)
OpenProcess is passed a process ID for an existing process, and returns a process handle for that process.
CreateProcess creates a brand new process, returning a handle to that new process (amongst other things).
If you want to inject into a process that is already running, then you will need OpenProcess.
In relation to injecting a .dll into another process, there are a couple of major benefits and differences between OpenProcess and CreateProcess.
The first is timing. You can inject the DLL before the target process has had a chance to perform any of its own code by creating the process in a suspended state (dwCreationFlags with CREATE_SUSPENDED (0x00000004) set). Don't forget to resume the process once you are ready for it to execute.
The second is privilege. The process handle returned by CreateProcess automatically has PROCESS_ALL_ACCESS without the need to set SeDebugPrivilege first. OpenProcess does require your program to gain this privilege before it is allowed to use the PROCESS_ALL_ACCESS flag.
Some other minor things to remember:
CreateProcess cannot be called on a running process, but you can always call OpenProcess after CreateProcess if you needed to for whatever reason.
CreateProcess requires you to CloseHandle both the process and thread handles returned in PROCESS_INFORMATION, whereas OpenProcess only requires you to CloseHandle its return value (no thread handle gets opened).
If you need to change the environment for whatever reason (unlikely), you'll have to use CreateProcess.
Further reading:
CreateProcess
OpenProcess
process-security-and-access-rights
How can I detect the name of the application that created my application's process?
For example, if someone wanted, they could call CreateProcess and pass it the suspended flag and inject into my application.
Is there a way to block CreateProcess or to figure out what process created an instance of my application?
I've hooked LoadLibrary, CreateThread and all the other easy stuff, but CreateProcess seems like it can bypass that.
I'm doing it for fun and learning, not for real-world use. I just haven't seen anything that detects CreateProcess.
Any ideas at all?
You can find the parent process ID using the tool help library:
Call CreateToolhelp32Snapshot.
Call Process32First and Process32Next to enumerate the processes.
At some point you will encounter a PROCESSENTRY32 struct for which th32ProcessID is the process ID of your process.
Read out the th32ParentProcessID member to find the process ID of your parent.
Now that you know the parent process, you can enumerate again to gain information about it.
Be prepared for the parent process to have been terminated before you reach this point.
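The lookup above, as an added example that is not the answer's code: take_snapshot copies th32ProcessID and th32ParentProcessID out of Process32First/Next, and ancestry walks the recorded parents upward, stopping when a parent is no longer listed (it exited) or a PID turns up twice (reuse), which goes beyond the single lookup the answer describes. ProcEntry, find_parent, ancestry and take_snapshot are names chosen here.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif
// The two PROCESSENTRY32 fields the lookup needs, copied out of the snapshot so
// the chain logic can also run on a constructed process list.
struct ProcEntry { uint32_t pid; uint32_t parent_pid; };
// Return the th32ParentProcessID recorded for `pid`; false if pid is not listed.
bool find_parent(const std::vector<ProcEntry>& snap, uint32_t pid, uint32_t& parent) {
    for (const ProcEntry& e : snap)
        if (e.pid == pid) { parent = e.parent_pid; return true; }
    return false;
}
// Walk parent links upward from `pid`. The last element may be a PID that is no
// longer in the snapshot (the parent exited; Windows keeps the stale id), and a
// reused PID can form a loop, so the chain is a lineage hint, not proof.
std::vector<uint32_t> ancestry(const std::vector<ProcEntry>& snap, uint32_t pid) {
    std::vector<uint32_t> chain;
    const uint32_t start = pid;
    uint32_t parent = 0;
    while (find_parent(snap, pid, parent) && parent != 0 && parent != start) {
        for (uint32_t seen : chain) if (seen == parent) return chain;  // loop from PID reuse
        chain.push_back(parent);
        pid = parent;
    }
    return chain;
}
#ifdef _WIN32
// Copy every process out of a live Toolhelp snapshot (Process32First/Next).
bool take_snapshot(std::vector<ProcEntry>& out) {
    HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (h == INVALID_HANDLE_VALUE) return false;
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(pe);
    if (Process32First(h, &pe))
        do out.push_back({(uint32_t)pe.th32ProcessID, (uint32_t)pe.th32ParentProcessID});
        while (Process32Next(h, &pe));
    CloseHandle(h);
    return true;
}
int main() {  // print the lineage of the current process, nearest parent first
    std::vector<ProcEntry> snap;
    if (!take_snapshot(snap)) return 1;
    for (uint32_t p : ancestry(snap, GetCurrentProcessId())) printf("ancestor pid %u\n", p);
    return 0;
}
#endif
```

A stale parent id can also belong to an unrelated newer process, so compare creation times before trusting it.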
I need to know how to get a handle to a newly created process in C/C++ code. I don't know much about all those Microsoft libraries, and I've just read about two ways to create a process. The first is via a ShellExecute call and the second via CreateProcess, but neither of these returns a HANDLE. I need to know the handle of the process because I want the main thread to wait for the process to finish before it continues. Best of all, I'd like it if someone helped me write a function which looks like this:
HANDLE create_process(/*parameters same as for ShellExecute*/)
{
...
}
Please help.
CreateProcess() returns a PROCESS_INFORMATION structure which contains the process handle. See here and here.
Whilst ShellExecute() does not give you the information that you need, ShellExecuteEx() returns the process handle in the SHELLEXECUTEINFO structure. See here and here.
I would suggest that you look at the MSDN documentation for the API functions that you're using as it's very useful.
CreateProcess returns the handle to the process in PROCESS_INFORMATION.
I am using the CreateProcess function to create the process. Is there any option to get the current state of the process (running or not)? Kindly guide me on how I can make this possible.
Use the OpenProcess function with that dwProcessId. If it returns NULL, the process is not running; otherwise it will return a handle to that process.
CreateProcess returns a handle to the process in the PROCESS_INFORMATION structure. You can use this with something like GetExitCodeProcess to work out if it is still running, or you can use the wait functions to wait for it to exit.