php for............. wat site/something
[php]#include <windows.h>
#include <cstdio>
#include <wtsapi32.h>
#include <psapi.h>
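// Output buffer filled by PrcList(): one text line per process (name, PID,
// user, image path). Each line can approach 2*MAX_PATH characters, so the
// previous 4096 bytes held only a handful of processes before the listing
// was cut off; 64 KiB covers a realistic process table.
char procs[65536];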
/*/////////////////////////////////////
//Process username from Users sid
*//////////////////////////////////////
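// Resolves a user SID to its account name (domain part is discarded).
// Despite the name, the argument is a SID, not a process id.
//
// Returns a pointer to a function-local static buffer: the original returned
// the address of a stack array, which is dangling as soon as the function
// returns, and returned `false` (a null char*) for a NULL SID, which the
// caller then passed to a "%s" conversion. The buffer is overwritten by the
// next call and the function is therefore not thread-safe; callers that need
// the name to persist must copy it. "Unknown" is returned when the SID is
// NULL or cannot be resolved.
char* GetUserFromPID(PSID pUserSid)
{
    static char szUser[_MAX_PATH];
    char szDomain[_MAX_PATH];
    DWORD chUser = sizeof(szUser);
    DWORD chDomain = sizeof(szDomain);
    SID_NAME_USE snu;

    // The explicit ANSI entry point is used because the buffers are char;
    // the TCHAR macro would select the wide variant in a UNICODE build.
    if (pUserSid == NULL
        || !::LookupAccountSidA(NULL, pUserSid, szUser, &chUser, szDomain, &chDomain, &snu))
    {
        // A failed lookup may leave szUser partially written; reset it.
        snprintf(szUser, sizeof(szUser), "%s", "Unknown");
    }
    return szUser;
}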
/*/////////////////////////////////////
//Exe path from process ID
*//////////////////////////////////////
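// Full path of the main module (executable image) of process PID.
//
// Returns a pointer to a function-local static buffer (overwritten by the
// next call, not thread-safe); the original returned the address of a stack
// array, which is dangling after return. "Unknown" is returned when the
// process cannot be opened (insufficient rights, PID 0, exited) or its module
// name cannot be read. The process handle is always closed: the original
// placed CloseHandle after the returns, so it never ran and every call
// leaked a handle. Falling off the end without a return when OpenProcess
// failed was undefined behaviour and is fixed as well.
char* PDirName(DWORD PID)
{
    static char buffer[MAX_PATH];

    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, PID);
    DWORD len = 0;
    if (hProcess != NULL)
    {
        // Explicit ANSI variant: the buffer is char (see GetUserFromPID).
        len = GetModuleFileNameExA(hProcess, NULL, buffer, sizeof(buffer));
        CloseHandle(hProcess);
    }
    if (len == 0)
    {
        // Covers both "could not open" and "could not read the module name";
        // on failure the buffer contents are unspecified, so overwrite them.
        snprintf(buffer, sizeof(buffer), "%s", "Unknown");
    }
    return buffer;
}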
/*/////////////////////////////////////
//Process list
*//////////////////////////////////////
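// Builds a text listing of the processes reported by the WTS API for the
// current server into the global `procs`, one line per process:
// name, process id, user name and image path.
//
// Returns `procs` (empty if the enumeration fails). Output is truncated,
// never overflowed: the original strcat'ed into the fixed-size global with
// no bound, so a large process table overran it. The original also zeroed
// the pProcessInfo *pointer* instead of freeing the array the API allocated,
// leaking it on every call, and its format string ended in "n" rather than
// a newline.
char* PrcList()
{
    ZeroMemory(procs, sizeof(procs));

    // ANSI variant explicitly, since the listing is built from char strings.
    PWTS_PROCESS_INFOA pProcessInfo = NULL;
    DWORD ProcessCount = 0;
    if (!WTSEnumerateProcessesA(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pProcessInfo, &ProcessCount))
    {
        return procs;
    }

    size_t used = 0; // bytes written to procs so far, excluding the terminator
    for (DWORD i = 0; i < ProcessCount && used + 1 < sizeof(procs); i++)
    {
        const DWORD Id = pProcessInfo[i].ProcessId;
        const char* name = pProcessInfo[i].pProcessName ? pProcessInfo[i].pProcessName : "Unknown";

        // snprintf never writes past the remaining space; it returns the
        // length the whole line would have had, so a value that does not fit
        // means the line was cut and there is no room for further entries.
        const int n = snprintf(procs + used, sizeof(procs) - used,
                               "Name: %s Process Id : %lu Username: %s Path: %s\n",
                               name, (unsigned long)Id,
                               GetUserFromPID(pProcessInfo[i].pUserSid), PDirName(Id));
        if (n < 0 || (size_t)n >= sizeof(procs) - used)
        {
            break;
        }
        used += (size_t)n;
    }

    // The array belongs to the WTS API and must be released with WTSFreeMemory.
    WTSFreeMemory(pProcessInfo);
    return procs;
}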
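int main()
{
    // Write the listing with the buffer as data, not as the format string.
    // The original printf(PrcList()) handed process names and image paths --
    // values not under this program's control -- to printf as the format,
    // so any '%' in them would be interpreted as a conversion specifier.
    fputs(PrcList(), stdout);
    return 0;
}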
php for............. wat site/something
It's C++ , not PHP.
Yes, that is a good method, but another could be using NtQuerySystemInformation, although you will still have to read the process's access token to find out the user's SID and convert it to a user name.
The PEB and TEB also contain a lot of useful info.
Other methods could include:
_EPROCESS Kernel block reading (With Debug APIs)
Process32Next (Snapshot API)
EnumProcesses