// Entry point of the test worker process. Verifies that it was started with
// the expected argument vector and by the expected launcher process and
// returns one of the ERROR_* codes or WORKER_SUCCESS_CODE (declared elsewhere).
int workerMain(int argc, char* argv[]) {
  const bool argsOk = osquery::compareArguments(
      argv, argc, osquery::kExpectedWorkerArgs, osquery::kExpectedWorkerArgsCount);
  if (!argsOk) {
    return ERROR_COMPARE_ARGUMENT;
  }

  auto launcher = osquery::PlatformProcess::getLauncherProcess();
  if (!launcher) {
    return ERROR_LAUNCHER_PROCESS;
  }

#ifdef WIN32
  // On Windows the check is by image file name only: the path is stripped
  // and the remaining name is compared with kOsqueryTestModuleName.
  CHAR imageName[1024] = {0};
  DWORD imageNameLen = sizeof(imageName);
  if (!QueryFullProcessImageNameA(launcher->nativeHandle(), 0, imageName, &imageNameLen)) {
    return ERROR_QUERY_PROCESS_IMAGE;
  }
  PathStripPathA(imageName);

  const size_t nameLen = strlen(imageName);
  if (nameLen != strlen(osquery::kOsqueryTestModuleName)) {
    return ERROR_IMAGE_NAME_LENGTH;
  }
  // Lengths are equal at this point, so a full compare is equivalent to the
  // length-bounded one.
  if (strcmp(imageName, osquery::kOsqueryTestModuleName) != 0) {
    return ERROR_LAUNCHER_MISMATCH;
  }
#else
  // POSIX: the launcher must be the direct parent of this worker.
  if (launcher->nativeHandle() != getppid()) {
    return ERROR_LAUNCHER_MISMATCH;
  }
#endif
  return WORKER_SUCCESS_CODE;
}
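// Finds a running process by its full executable path using a Toolhelp
// snapshot.
//   path  - expected image path; forward slashes are normalised to
//           backslashes so callers may pass either form.
//   dwPID - receives the PID of the first matching process; left untouched
//           when nothing matched or the snapshot could not be taken.
// Returns true when a process whose image path equals `path`
// (case-insensitive) was found.
bool ProcessHelper::GetProcessID(QString path, quint32& dwPID) {

    path.replace("/", "\\");

    // Take a snapshot of all processes in the system.
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
        return false;

    PROCESSENTRY32 pe32 = {};
    pe32.dwSize = sizeof(PROCESSENTRY32);

    bool bRes = false;
    for (BOOL more = Process32First(hProcessSnap, &pe32); more;
         more = Process32Next(hProcessSnap, &pe32)) {
        // QueryFullProcessImageName only needs the limited query right.
        // Requesting PROCESS_ALL_ACCESS made OpenProcess fail for protected
        // or elevated processes, which were then silently skipped.
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pe32.th32ProcessID);
        if (!hProcess)
            continue;

        CHAR lpPath[MAX_PATH] = {0};
        DWORD charsCarried = MAX_PATH; // in: buffer size; out: characters written
        // The buffer is only meaningful when the query succeeded; previously
        // an unchecked failure compared uninitialised stack contents.
        const BOOL queried = QueryFullProcessImageNameA(hProcess, 0, lpPath, &charsCarried);
        CloseHandle(hProcess);
        if (!queried)
            continue;

        if (QString(lpPath).compare(path, Qt::CaseInsensitive) == 0) {
            dwPID = pe32.th32ProcessID;
            bRes = true;
            break;
        }
    }

    CloseHandle(hProcessSnap);          // clean the snapshot object
    return bRes;
}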
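// Queries the image path of the process owning the foreground window into the
// file-level `newPath` buffer and, when it differs from `curPath`, copies it
// over and reports it through `json.putActiveProcess`.
// Returns true when the image path could be queried, false when there is no
// foreground window or the thread/process lookup, OpenProcess or
// QueryFullProcessImageNameA failed.
// NOTE(review): `newPath`, `curPath` and `json` are globals not visible here;
// cchLen assumes newPath holds at least MAX_PATH bytes -- confirm against its
// definition.
bool stockProcessName()
{
	DWORD cchLen = MAX_PATH;
	DWORD pid = 0;

	HWND fg = GetForegroundWindow();
	if (!fg) {
		return false;
	}
	// Returns 0 when the window is gone; without this check pid was used
	// uninitialised on that path.
	if (GetWindowThreadProcessId(fg, &pid) == 0) {
		return false;
	}

	// QueryFullProcessImageName needs only the limited query right, which is
	// also granted for elevated/protected foreground processes that refuse
	// PROCESS_QUERY_INFORMATION.
	HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
	if (!hProcess) {
		return false;
	}

	const bool queried = QueryFullProcessImageNameA(hProcess, 0, newPath, &cchLen) != 0;
	CloseHandle(hProcess);
	if (!queried) {
		return false;
	}

	// Only report when the foreground process actually changed.
	if (strcmp(newPath, curPath) != 0) {
		strcpy_s(curPath, newPath);
		json.putActiveProcess(curPath, "USELESS");
	}
	return true;
}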
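/* Resolve the executable path of process `pid`.
 * Returns a malloc'ed string (caller frees) or NULL on any failure.
 * Windows: QueryFullProcessImageNameA, falling back to GetProcessImageFileNameA
 *          on pre-Vista systems (both resolved at runtime).
 * macOS:   proc_pidpath.
 * Others:  readlink on /proc/<pid>/exe (or /proc/<pid>/file on FreeBSD). */
R_API char *r_sys_pid_to_path(int pid) {
#if __WINDOWS__
	typedef BOOL (WINAPI *QueryFullProcessImageNameA_t)(HANDLE, DWORD, LPSTR, PDWORD);
	typedef DWORD (WINAPI *GetProcessImageFileNameA_t)(HANDLE, LPSTR, DWORD);
	QueryFullProcessImageNameA_t pQueryFullProcessImageNameA = NULL;
	GetProcessImageFileNameA_t pGetProcessImageFileNameA = NULL;
	HMODULE psapi = NULL;
	char *result = NULL;
	/* explicit A variant: the module name is a narrow literal regardless of UNICODE */
	HMODULE kernel32 = LoadLibraryA ("Kernel32.dll");
	if (!kernel32) {
		eprintf ("Error getting the handle to Kernel32.dll\n");
		return NULL;
	}
	pQueryFullProcessImageNameA = (QueryFullProcessImageNameA_t) GetProcAddress (kernel32, "QueryFullProcessImageNameA");
	if (!pQueryFullProcessImageNameA) {
		/* QueryFullProcessImageName does not exist before Vista, fallback to GetProcessImageFileName */
		psapi = LoadLibraryA ("Psapi.dll");
		if (!psapi) {
			eprintf ("Error getting the handle to Psapi.dll\n");
			FreeLibrary (kernel32);
			return NULL;
		}
		pGetProcessImageFileNameA = (GetProcessImageFileNameA_t) GetProcAddress (psapi, "GetProcessImageFileNameA");
		if (!pGetProcessImageFileNameA) {
			eprintf ("Error getting the address of GetProcessImageFileNameA\n");
			FreeLibrary (psapi);
			FreeLibrary (kernel32);
			return NULL;
		}
	}
	/* char, not TCHAR: both resolved functions are the narrow (A) variants,
	 * so a UNICODE build must not widen this buffer */
	char filename[MAX_PATH];
	DWORD maxlength = MAX_PATH;
	HANDLE handle = OpenProcess (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
	if (handle) {
		BOOL ok;
		if (pQueryFullProcessImageNameA) {
			ok = pQueryFullProcessImageNameA (handle, 0, filename, &maxlength) != 0;
			if (!ok) {
				eprintf ("Error calling QueryFullProcessImageNameA\n");
			}
		} else {
			ok = pGetProcessImageFileNameA (handle, filename, maxlength) != 0;
			if (!ok) {
				eprintf ("Error calling GetProcessImageFileNameA\n");
			}
		}
		CloseHandle (handle);
		if (ok) {
			result = strdup (filename);
		}
	}
	/* balance the LoadLibrary reference counts taken above */
	if (psapi) {
		FreeLibrary (psapi);
	}
	FreeLibrary (kernel32);
	return result;
#elif __APPLE__
	char pathbuf[PROC_PIDPATHINFO_MAXSIZE];
	pathbuf[0] = 0;
	/* proc_pidpath returns the number of bytes written, <= 0 on failure */
	int ret = proc_pidpath (pid, pathbuf, sizeof (pathbuf));
	if (ret <= 0) {
		return NULL;
	}
	return strdup (pathbuf);
#else
	char buf[128], pathbuf[1024];
#if __FreeBSD__
	snprintf (buf, sizeof (buf), "/proc/%d/file", pid);
#else
	snprintf (buf, sizeof (buf), "/proc/%d/exe", pid);
#endif
	/* readlink does not NUL-terminate: leave room for the terminator */
	ssize_t ret = readlink (buf, pathbuf, sizeof (pathbuf) - 1);
	if (ret < 1) {
		return NULL;
	}
	pathbuf[ret] = 0;
	return strdup (pathbuf);
#endif
}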
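// [2015/12/15 wupeng]
// if failed return 0, success return the Process ID
//
// Looks up a running process by executable name: the image path of every
// enumerated process is reduced by TrimFilePathA and compared with lpName
// case-insensitively. Returns the PID of the first match, or 0 when lpName is
// null, the debug privilege cannot be enabled, EnumProcesses fails or nothing
// matches. ISNULL/ISFALSE/ISZERO/DOLOG/TrimFilePathA/EnableDebugPrivilege are
// project macros and helpers defined elsewhere.
// NOTE(review): the `"text" + value` DOLOG arguments only make sense if DOLOG
// stringifies or discards its argument (pointer + array would not compile as
// an expression) -- confirm against the macro definition.
DWORD GetSpecificProcIDByNameEx(LPSTR lpName)
{
    if (ISNULL(lpName))
    {
        DOLOG("Process Name can't be null");
        return 0;
    }

    if (ISFALSE(EnableDebugPrivilege(TRUE)))
    {
        DOLOG("EnableDebugPrivilege Failed !");
        return 0;
    }

    DWORD allProcessIDs[2048] = { 0 };
    DWORD cbNeed = 0;

    if (ISZERO(EnumProcesses(allProcessIDs, sizeof(allProcessIDs), &cbNeed)))
    {
        DOLOG("EnumProcess Failed ! " + GetLastError());
        return 0;
    }

    // cbNeed is a byte count, not an element count: looping up to cbNeed
    // read past the end of allProcessIDs. A completely filled buffer means
    // the list may be truncated and a match missed.
    const DWORD processCount = cbNeed / sizeof(DWORD);
    if (cbNeed == sizeof(allProcessIDs))
    {
        DOLOG("EnumProcess buffer full, process list may be truncated");
    }

    CHAR szProcessName[MAX_PATH] = { 0 };
    for (DWORD i = 0; i < processCount; i++)
    {
        if (ISZERO(allProcessIDs[i]))
        {
            continue;
        }

        // QueryFullProcessImageName needs only the limited query right; the
        // VM rights requested before were unnecessary and made OpenProcess
        // fail for protected/elevated processes.
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, allProcessIDs[i]);
        if (ISNULL(hProcess))
        {
            DOLOG("OpenProcess Failed ! " + allProcessIDs[i] + " LastError:" + GetLastError());
            continue;
        }

        ZeroMemory(szProcessName, sizeof(szProcessName));
        DWORD dwNameSize = sizeof(szProcessName);
        if (ISZERO(QueryFullProcessImageNameA(hProcess, 0, szProcessName, &dwNameSize)))
        {
            // message previously named GetModuleBaseName, which is not the API called
            DOLOG("QueryFullProcessImageNameA Failed ! " + GetLastError());
            CloseHandle(hProcess);
            continue;
        }
        CloseHandle(hProcess);

        DOLOG(" >>" + szProcessName + " : " + allProcessIDs[i]);

        string strPath = szProcessName;
        TrimFilePathA(strPath);
        if (ISZERO(_stricmp(strPath.c_str(), lpName)))
        {
            DOLOG("Found the Process " + lpName);
            return allProcessIDs[i];
        }
    }

    DOLOG("can't found the specify name process Failed ! ");
    return 0;
}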