/// Entry point executed inside the spawned test worker. It confirms that the
/// worker was started with exactly the argument vector the test expects and
/// that the process which launched it is the expected osquery test module.
/// Returns WORKER_SUCCESS_CODE, or the ERROR_* code of the first failed check.
int workerMain(int argc, char* argv[]) {
  // The launcher must have handed us precisely the expected argument list.
  const bool argsMatch = osquery::compareArguments(
      argv, argc, osquery::kExpectedWorkerArgs, osquery::kExpectedWorkerArgsCount);
  if (!argsMatch) {
    return ERROR_COMPARE_ARGUMENT;
  }

  auto launcher = osquery::PlatformProcess::getLauncherProcess();
  if (!launcher) {
    return ERROR_LAUNCHER_PROCESS;
  }

#ifdef WIN32
  // On Windows the launcher is identified by its image file name rather than
  // by a parent pid.
  CHAR imagePath[1024] = {0};
  DWORD imagePathLen = sizeof(imagePath); // in: capacity, out: chars written
  if (!QueryFullProcessImageNameA(
          launcher->nativeHandle(), 0, imagePath, &imagePathLen)) {
    return ERROR_QUERY_PROCESS_IMAGE;
  }
  // Reduce the full path to its final component before comparing.
  PathStripPathA(imagePath);
  const size_t nameLen = strlen(imagePath);
  if (nameLen != strlen(osquery::kOsqueryTestModuleName)) {
    return ERROR_IMAGE_NAME_LENGTH;
  }
  if (strncmp(imagePath, osquery::kOsqueryTestModuleName, nameLen) != 0) {
    return ERROR_LAUNCHER_MISMATCH;
  }
#else
  // On POSIX the launcher handle is a pid, which must be our parent.
  if (launcher->nativeHandle() != getppid()) {
    return ERROR_LAUNCHER_MISMATCH;
  }
#endif

  return WORKER_SUCCESS_CODE;
}
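/// Finds the PID of a running process whose executable image path equals
/// `path` (case-insensitive; forward slashes are normalized to backslashes).
/// @param path  Full path of the executable to look for.
/// @param dwPID Receives the PID of the first matching process; left
///              untouched when nothing matches.
/// @return true when a matching process was found.
bool ProcessHelper::GetProcessID(QString path, quint32& dwPID) {
    path.replace("/", "\\");

    // Snapshot of every process currently in the system.
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
        return false;
    }

    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    if (!Process32First(hProcessSnap, &pe32)) {
        CloseHandle(hProcessSnap);
        return false;
    }

    bool bRes = false;
    do {
        // QueryFullProcessImageName only needs
        // PROCESS_QUERY_LIMITED_INFORMATION. Requesting PROCESS_ALL_ACCESS is
        // refused for elevated and protected processes, so those could never
        // be matched, and it hands out a far more powerful handle than needed.
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE,
                                      pe32.th32ProcessID);
        if (!hProcess) {
            continue; // jumps to the Process32Next condition
        }

        CHAR lpPath[MAX_PATH] = {0};
        DWORD charsCarried = MAX_PATH; // in: buffer size, out: chars written
        const BOOL gotPath =
            QueryFullProcessImageNameA(hProcess, 0, lpPath, &charsCarried);
        CloseHandle(hProcess);
        // A failed query leaves lpPath meaningless; skip the entry instead of
        // comparing against an unset buffer.
        if (!gotPath) {
            continue;
        }

        if (QString(lpPath).compare(path, Qt::CaseInsensitive) == 0) {
            bRes = true;
            dwPID = pe32.th32ProcessID;
            break;
        }
    } while (Process32Next(hProcessSnap, &pe32));

    CloseHandle(hProcessSnap);
    return bRes;
}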
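/// Reads the image path of the process owning the current foreground window
/// into the file-level `newPath` buffer and, when it differs from the last
/// value kept in `curPath`, records the change via `json.putActiveProcess`.
/// @return true when the foreground process image was queried successfully;
///         false when there is no foreground window, the process could not
///         be opened, or the query failed.
bool stockProcessName() {
    HWND fg = GetForegroundWindow();
    if (!fg) {
        return false;
    }

    DWORD pid = 0;
    // GetWindowThreadProcessId returns 0 (and leaves pid unwritten) when the
    // window has gone away; do not open a process from an unset pid.
    if (GetWindowThreadProcessId(fg, &pid) == 0 || pid == 0) {
        return false;
    }

    // PROCESS_QUERY_LIMITED_INFORMATION is all QueryFullProcessImageName
    // needs and, unlike PROCESS_QUERY_INFORMATION, is also granted on
    // elevated and protected processes.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (!hProcess) {
        return false;
    }

    // In: capacity of newPath; out: characters written.
    // NOTE(review): assumes newPath holds at least MAX_PATH chars — confirm
    // against its definition.
    DWORD cchLen = MAX_PATH;
    const BOOL queried = QueryFullProcessImageNameA(hProcess, 0, newPath, &cchLen);
    CloseHandle(hProcess);
    if (!queried) {
        return false;
    }

    if (strcmp(newPath, curPath) != 0) {
        strcpy_s(curPath, newPath);
        json.putActiveProcess(curPath, "USELESS");
    }
    return true;
}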
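/* Returns a newly allocated copy of the executable path of process `pid`,
 * or NULL when the process cannot be opened or its path cannot be read.
 * The caller owns the returned string and must free it. */
R_API char *r_sys_pid_to_path(int pid) {
#if __WINDOWS__
	/* QueryFullProcessImageName only exists from Vista on, so it and the
	 * pre-Vista fallback GetProcessImageFileName are resolved at run time.
	 * The fallback returns a native device path (\Device\...) rather than a
	 * drive-letter path. Both are the ANSI variants, so the buffer and the
	 * pointer types are plain char, not TCHAR. */
	typedef BOOL (WINAPI *QueryFullProcessImageNameA_fn)(HANDLE, DWORD, LPSTR, PDWORD);
	typedef DWORD (WINAPI *GetProcessImageFileNameA_fn)(HANDLE, LPSTR, DWORD);
	QueryFullProcessImageNameA_fn pQueryFullProcessImageNameA = NULL;
	GetProcessImageFileNameA_fn pGetProcessImageFileNameA = NULL;
	HMODULE psapi = NULL;
	HANDLE handle = NULL;
	char filename[MAX_PATH];
	DWORD maxlength = MAX_PATH;
	char *path = NULL;

	HMODULE kernel32 = LoadLibrary ("Kernel32.dll");
	if (!kernel32) {
		eprintf ("Error getting the handle to Kernel32.dll\n");
		return NULL;
	}
	pQueryFullProcessImageNameA = (QueryFullProcessImageNameA_fn)
		GetProcAddress (kernel32, "QueryFullProcessImageNameA");
	if (!pQueryFullProcessImageNameA) {
		psapi = LoadLibrary ("Psapi.dll");
		if (!psapi) {
			eprintf ("Error getting the handle to Psapi.dll\n");
			FreeLibrary (kernel32);
			return NULL;
		}
		pGetProcessImageFileNameA = (GetProcessImageFileNameA_fn)
			GetProcAddress (psapi, "GetProcessImageFileNameA");
		if (!pGetProcessImageFileNameA) {
			eprintf ("Error getting the address of GetProcessImageFileNameA\n");
			FreeLibrary (psapi);
			FreeLibrary (kernel32);
			return NULL;
		}
	}
	/* Both query functions need only PROCESS_QUERY_INFORMATION; the
	 * PROCESS_VM_READ right previously requested was unused and only made
	 * OpenProcess fail on more targets than necessary. */
	handle = OpenProcess (PROCESS_QUERY_INFORMATION, FALSE, pid);
	if (handle) {
		BOOL ok;
		if (pQueryFullProcessImageNameA) {
			ok = pQueryFullProcessImageNameA (handle, 0, filename, &maxlength) != 0;
			if (!ok) {
				eprintf("Error calling QueryFullProcessImageNameA\n");
			}
		} else {
			ok = pGetProcessImageFileNameA (handle, filename, maxlength) != 0;
			if (!ok) {
				eprintf("Error calling GetProcessImageFileNameA\n");
			}
		}
		if (ok) {
			path = strdup (filename);
		}
		CloseHandle (handle);
	}
	/* Release the module references taken above on every path; they were
	 * previously leaked on each call. */
	if (psapi) {
		FreeLibrary (psapi);
	}
	FreeLibrary (kernel32);
	return path;
#elif __APPLE__
	char pathbuf[PROC_PIDPATHINFO_MAXSIZE];
	pathbuf[0] = 0;
	/* proc_pidpath returns the number of bytes written, <= 0 on failure. */
	int ret = proc_pidpath (pid, pathbuf, sizeof (pathbuf));
	if (ret <= 0) {
		return NULL;
	}
	return strdup (pathbuf);
#else
	int ret;
	char buf[128], pathbuf[1024];
#if __FreeBSD__
	snprintf (buf, sizeof (buf), "/proc/%d/file", pid);
#else
	snprintf (buf, sizeof (buf), "/proc/%d/exe", pid);
#endif
	/* readlink does not NUL-terminate, hence the reserved last byte.
	 * NOTE(review): a target longer than sizeof (pathbuf)-1 is silently
	 * truncated by readlink; callers needing exactness should check
	 * ret == sizeof (pathbuf)-1. */
	ret = readlink (buf, pathbuf, sizeof (pathbuf)-1);
	if (ret < 1) {
		return NULL;
	}
	pathbuf[ret] = 0;
	return strdup (pathbuf);
#endif
}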
// [2015/12/15 wupeng] // if failed return 0, success return the Process ID DWORD GetSpecificProcIDByNameEx(LPSTR lpName) { if (ISNULL(lpName)) { DOLOG("Process Name can't be null"); return 0; } if (ISFALSE(EnableDebugPrivilege(TRUE))) { DOLOG("EnableDebugPrivilege Failed !"); return 0; } DWORD allProcessIDs[2048] = { 0 }; DWORD cbNeed = 0; if (ISZERO(EnumProcesses(allProcessIDs, sizeof(allProcessIDs), &cbNeed))) { DOLOG("EnumProcess Failed ! " + GetLastError()); return 0; } HANDLE hProcess = NULL; CHAR szProcessName[MAX_PATH] = { 0 }; for (DWORD i = 0; i < cbNeed; i++) { if (ISZERO(allProcessIDs[i])) { continue; } ZeroMemory(szProcessName, sizeof(szProcessName)); hProcess = OpenProcess( PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, allProcessIDs[i]); if (ISNOTNULL(hProcess)) { DWORD dwNameSize = sizeof(szProcessName); if (QueryFullProcessImageNameA(hProcess, 0, szProcessName, &dwNameSize)) //if (ISNOZERO(GetModuleBaseNameA(hProcess, NULL, szProcessName, // sizeof(szProcessName)))) { DOLOG(" >>" + szProcessName + " : " + allProcessIDs[i]); string strPath = szProcessName; TrimFilePathA(strPath); if (ISZERO(_stricmp(strPath.c_str(), lpName))) { DOLOG("Found the Process " + lpName); CloseHandle(hProcess); return allProcessIDs[i]; } } else { DOLOG("GetmoudleBaseName Failed ! " + GetLastError()); } CloseHandle(hProcess); } else { DOLOG("OpenProcess Failed ! " + allProcessIDs[i] + " LastError:" + GetLastError()); } } DOLOG("can't found the specify name process Failed ! "); return 0; }