I am wondering if there is a quick and efficient way to identify a program by its process?

For instance, someone changes the name of netscape.exe and runs it to hide it from a trojan or something. Can you identify it somehow by any other means outside of FindWindow() and such?

Just curious.
Posted on 2003-12-20 09:22:46 by The Beginner
Just changing the name of the executable does not change the version information, you can just get the version string (using GetFileVersionInfo) the app name is usually embedded in it, and use that to find out if it is Netscape.
Posted on 2003-12-20 09:33:51 by donkey
Here's an example of how to get the product name using VerQueryValue, the example and explanation at MSDN is pretty vague and mostly useless. This will retrieve the Product Name from the version information that is stored in your executable. You can just get the process number and extract a different path to check i you want to verify a different executable.

GetProdName proc uses edi

LOCAL Verifictaion :DWORD
LOCAL pMem :DWORD
LOCAL pProdName :DWORD
LOCAL pVersionLen :DWORD
LOCAL Application[MAX_PATH] :BYTE

jmp @F
[color=red]; 040904B0 = US English[/color]
VersionFormat db "\StringFileInfo\040904B0\ProductName",0
@@:

[color=red]; This will get the application path, you can substitute it with another.[/color]
invoke GetCL,0,ADDR Application

invoke GetFileVersionInfoSize,ADDR Application,ADDR Verifictaion
.IF eax == 0
ret
.endif
push eax
invoke GlobalAlloc,GPTR,eax
mov pMem,eax
pop eax
invoke GetFileVersionInfo,ADDR Application,NULL,eax,pMem
invoke VerQueryValue,pMem,ADDR VersionFormat,ADDR pProdName,ADDR pVersionLen

.IF eax
[color=red]; display the product name (pProdName)[/color]
invoke MessageBox,NULL,pProdName,NULL,MB_OK
.ENDIF

invoke GlobalFree,pMem
ret
GetProdName endp
Posted on 2003-12-20 10:06:34 by donkey
You know, I never would have thought about doing it this way. Thanks a lot, donkey.

Now I will kick around the code and see what I can make it do for me.

TB

P.S.
Thanks for the code example. Even though you don't have to, you always go that extra distance to help folks out.
Posted on 2003-12-20 17:02:05 by The Beginner