Hello!
I'm trying to figure out how I can find another process which is running in RAM?
Let's say notepad.exe is running. How can I find the adress in memory?
Are there any OS functions to do it?
What do I need to know? Just the file name or any other stuff?
Sample codes & tutorials would be appreciated.
Thx vry much for help!
atz
I'm trying to figure out how I can find another process which is running in RAM?
Let's say notepad.exe is running. How can I find the adress in memory?
Are there any OS functions to do it?
What do I need to know? Just the file name or any other stuff?
Sample codes & tutorials would be appreciated.
Thx vry much for help!
atz
i dont really understand your question.
do you just want to check if the file is running (without knowing the path of the file).
or do you want find out the process handle.
do you just want to check if the file is running (without knowing the path of the file).
or do you want find out the process handle.
It would be great to have both solutions.
Actually I want to analyse the memory content of that program. So if it involves to get the process handle, yes I want to find that one too.
atz
Actually I want to analyse the memory content of that program. So if it involves to get the process handle, yes I want to find that one too.
atz
Read about:
EnumProcesses, OpenProcess, GetModuleInformation, HeapWalk, VirtualQuery, ReadProcessMemory...
EnumProcesses, OpenProcess, GetModuleInformation, HeapWalk, VirtualQuery, ReadProcessMemory...
i have written a little proc. dont d#know if it work .
it will return the process handle. when you have it, you can
access the process memory with ReadProcessMemory & WriteProcessMemory
it will return the process handle. when you have it, you can
access the process memory with ReadProcessMemory & WriteProcessMemory
;:::FINDIND BY WINDOW NAME:::
.code
GetProcessHandleByWindowName proc window_name:DWORD
LOCAL pWinHandle :DWORD
LOCAL pID :DWORD
LOCAL pHandle :DWORD
pushad
invoke FindWindow,NULL,window_name ;returns window handle
;or find window by class
;invoke FindWindow,class_name,NULL
.if eax!=NULL
mov pWinHandle,eax
invoke GetWindowThreadProcessId,pWinHandle,addr pID ;eax is window handle
.else
popad
xor eax,eax ;failed
ret
.endif
invoke OpenProcess,PROCESS_ALL_ACCESS,NULL,pID ;get open process handle
.if eax!=NULL
mov pHandle,eax
.else
popad
xor eax,eax ;failed
ret
.endif
popad
mov eax,pHandle ;return process Handle
ret
GetProcessHandleByWindowName endpHi, to find proceses isn't that hard ... Just use 3 APIs =)
And if everything went ok, you should have your process struct filled with right values...
Note: You will get process ID but not handle, for handle use
OpenProcess as folows -->
Now you can use pHandle to Write/ReadProcessMemory, to use VirtualAllocEx and ofcourse CreateRemoteThread or what ever you wanna do with it =)
.data
pe32 PROCESSENTRY32 <0>
process db "test.exe",0
....
code
start:
....
invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, NULL
mov handle, eax
invoke Process32First, handle, ADDR pe32
invoke lstrlen, ADDR process
mov len ,eax
find_process:
mov esi, offset process
mov edi, offset pe32.szExeFile
mov ecx, len
repe cmpsb
jz found
invoke Process32Next, handle, ADDR pe32
or eax, eax
jz error
jmp find_process
found:
And if everything went ok, you should have your process struct filled with right values...
Note: You will get process ID but not handle, for handle use
OpenProcess as folows -->
invoke OpenProcess, PROCESS_ALL_ACCESS, TRUE, pe32.th32ProcessID
mov pHandle, eax
Now you can use pHandle to Write/ReadProcessMemory, to use VirtualAllocEx and ofcourse CreateRemoteThread or what ever you wanna do with it =)