Hello everybody!

I'm spying one process and want to know when it tries to kill my process. But, TerminateProcess gets the handle to the previously opened process with OpenProcess... How can I using this handle get the process ID?

Thanx in advance. :rolleyes:
Posted on 2004-03-15 20:07:18 by The CHEMI$T
invoke GetProcessId,[hProcess]
Posted on 2004-03-15 20:09:52 by donkey
Hi donkey !
The GetProcessId, GetThreadId, GetProcessIdOfThread functions not existed in Win2000, WinNT, Win9x...It only in WinXP SP1 and Win2003 Server. I afraid we can not use them.
Best regards !
Posted on 2004-03-15 21:17:46 by TQN

invoke GetProcessId,[hProcess]


Some text from MSDN:
Client: Requires Windows XP SP1.
Server: Requires Windows Server 2003.


Excuse me, I didna tell, that I need it for Windows NT 4 and Windows 2000

Thanx
Posted on 2004-03-15 21:44:00 by The CHEMI$T
Assuming that the handle you have is valid in the context of your program and not a pseudohandle from another process, you might be able to use this :

GetProcessID FRAME hProcess

LOCAL ProcessName[MAX_PATH] :B
LOCAL ModBaseName[MAX_PATH] :B
LOCAL hModHandles[256] :D
LOCAL hProcessIDs[256] :D
LOCAL cbNeeded :D
LOCAL hCheckProcess :D

invoke EnumProcessModules,[hProcess],offset hModHandles,1024,offset cbNeeded

invoke GetModuleBaseName,[hProcess],[hModHandles],offset ProcessName,MAX_PATH

; scan all processes
invoke EnumProcesses,offset hProcessIDs,1024,offset cbNeeded
xor edi,edi
L1:
lea ecx,[hProcessIDs+edi]
mov eax,[ecx]
invoke OpenProcess,PROCESS_QUERY_INFORMATION + PROCESS_VM_READ,FALSE,eax
mov [hCheckProcess],eax
or eax,eax
jz >L2
invoke GetModuleBaseName,[hCheckProcess],0,offset ModBaseName,MAX_PATH
invoke CloseHandle,[hCheckProcess]
invoke lstrcmpi,offset ModBaseName,offset ProcessName
or eax,eax
jz >L3
L2:
add edi,4
cmp edi,[cbNeeded]
jl <<L1

L3:
mov eax,[hProcessIDs+edi]
RET
ENDF
Posted on 2004-03-15 23:25:47 by donkey
Hi The CHEMI$T,

I verified the routine above and it seems to work OK. I made a small app with a window that was easy to find and did this:

invoke FindWindow,"FindPIDClass",0

invoke GetWindowThreadProcessId,eax,offset pid
invoke OpenProcess,PROCESS_ALL_ACCESS,NULL,[pid]
mov [hPrc],eax
invoke GetProcessID,eax
PrintDec(eax)
PrintDec([pid])
invoke CloseHandle,[hPrc]


In all tests the PID returned from GetProcessID matched and also matched the PID in Task Manager.
Posted on 2004-03-15 23:51:34 by donkey
Hi!

Sorry, but that procedure didna help... :( Maybe my english makes its bad work, but... I'll try to explain once more... Your procedure needs the process module handle in the system, but, as I said I need to get id by the handle to the opened process like that:



[B] ... main code ... [/B]

invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, [B]SomeId[/B]
mov hProcess, eax

[B] ... Some time later ... [/B]

invoke GetModuleId, hProcess
.if eax == ProtectedId [B]...[/B]


Can it be realized in any way? :confused:
Thanx in advance...
Posted on 2004-03-17 00:02:58 by The CHEMI$T
Did you close the process handle after the call to OpenProcess ? In that case the handle is no longer valid, it must be an open handle to a process or what you want is impossible. If the process has a window you can use FindWindow/GetWindowThreadProcessId to get a process ID. I suspect that if the above routine did not work then the handle you have is either not valid (ie it has been closed) or it is a pseudo-handle passed to a process other than your own and it cannot be used in the context of your process. If that is the case you have no choice but to use the FindWindow/GetWindowThreadProcessId method.
Posted on 2004-03-17 00:12:25 by donkey
Hi!

I've tried it again, and it didna work, but I found out, why... The process, which handle I receive opened with PROCESS_TERMINATE rights flag set only... So... How can I modify that right flag? Maybe I can modify the rights under which the process is opened?

P.S. Of cause I can handle the OpenProcess function and correct the rights flag from there, but... Can I do it any other way?

Thanx.
Posted on 2004-03-17 01:57:56 by The CHEMI$T
You cannot modify the security descriptor of another process once it has been created, at least I don't know of any way to do that and I truly hope that there is no way ;)

The target process must allow both PROCESS_QUERY_INFORMATION and PROCESS_VM_READ access or the function will fail.
Posted on 2004-03-17 02:04:09 by donkey
Hi!

I've made it!!! Since I've hooked all the API that program used I've corrected the call of a program to OpenProcess.

Thanx very much for your help!
Posted on 2004-03-17 03:04:30 by The CHEMI$T

Hi!

I've made it!!! Since I've hooked all the API that program used I've corrected the call of a program to OpenProcess.

Thanx very much for your help!


You're welcome but I suspect you were much more help to yourself than I was :)
Posted on 2004-03-17 03:08:25 by donkey