Get Process name, PID, User, Path
[C++]Get Process name, PID, User, Path
[php]#include <windows.h>
#include <cstdio>
#include <wtsapi32.h>
#include <psapi.h>
char procs[4096];
/*/////////////////////////////////////
//Process username from Users sid
*//////////////////////////////////////
char* GetUserFromPID(PSID pUserSid)
{
if (pUserSid == NULL)
return false;
SID_NAME_USE snu;
char szUser[_MAX_PATH];
DWORD chUser = _MAX_PATH;
PDWORD pcchUser = &chUser;
char szDomain[_MAX_PATH];
DWORD chDomain = _MAX_PATH;
PDWORD pcchDomain = &chDomain;
strcpy(szUser, "Unknown");
if (::LookupAccountSid(NULL, pUserSid, szUser, pcchUser, szDomain, pcchDomain, &snu))
{
return(szUser);
}
else
{
return("Unknown");
}
return(szUser);
}
/*/////////////////////////////////////
//Exe path from process ID
*//////////////////////////////////////
char* PDirName(DWORD PID){
HANDLE Handle;
char buffer[MAX_PATH];
Handle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, PID);
if (Handle != 0)
{
if (GetModuleFileNameEx(Handle, 0, buffer, MAX_PATH) != 0)
{
return (buffer);
}else{
return ("Unknown");
}
CloseHandle(Handle);
}
}
/*/////////////////////////////////////
//Process list
*//////////////////////////////////////
char* PrcList()
{
ZeroMemory(&procs,sizeof(procs));
PWTS_PROCESS_INFO pProcessInfo;
DWORD ProcessCount = 0;
char szUserName[255];
DWORD Id = -1;
char buffer[4096];
if (WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pProcessInfo, &ProcessCount))
{
for (DWORD CurrentProcess = 0; CurrentProcess < ProcessCount; CurrentProcess++)
{
Id = pProcessInfo[CurrentProcess].ProcessId;
sprintf(buffer,"Name: %s Process Id : %d Username: %s Path: %sn",pProcessInfo[CurrentProcess].pProcessName,Id,GetUserFromPID(pProcessInfo[CurrentProcess].pUserSid),PDirName(Id));
strcat(procs,buffer);
}
}
ZeroMemory(&pProcessInfo,sizeof(pProcessInfo));
return (procs);
}
int main()
{
printf(PrcList());
return 0;
}[/php]
#include <cstdio>
#include <wtsapi32.h>
#include <psapi.h>
char procs[4096];
/*/////////////////////////////////////
//Process username from Users sid
*//////////////////////////////////////
char* GetUserFromPID(PSID pUserSid)
{
if (pUserSid == NULL)
return false;
SID_NAME_USE snu;
char szUser[_MAX_PATH];
DWORD chUser = _MAX_PATH;
PDWORD pcchUser = &chUser;
char szDomain[_MAX_PATH];
DWORD chDomain = _MAX_PATH;
PDWORD pcchDomain = &chDomain;
strcpy(szUser, "Unknown");
if (::LookupAccountSid(NULL, pUserSid, szUser, pcchUser, szDomain, pcchDomain, &snu))
{
return(szUser);
}
else
{
return("Unknown");
}
return(szUser);
}
/*/////////////////////////////////////
//Exe path from process ID
*//////////////////////////////////////
char* PDirName(DWORD PID){
HANDLE Handle;
char buffer[MAX_PATH];
Handle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, PID);
if (Handle != 0)
{
if (GetModuleFileNameEx(Handle, 0, buffer, MAX_PATH) != 0)
{
return (buffer);
}else{
return ("Unknown");
}
CloseHandle(Handle);
}
}
/*/////////////////////////////////////
//Process list
*//////////////////////////////////////
char* PrcList()
{
ZeroMemory(&procs,sizeof(procs));
PWTS_PROCESS_INFO pProcessInfo;
DWORD ProcessCount = 0;
char szUserName[255];
DWORD Id = -1;
char buffer[4096];
if (WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pProcessInfo, &ProcessCount))
{
for (DWORD CurrentProcess = 0; CurrentProcess < ProcessCount; CurrentProcess++)
{
Id = pProcessInfo[CurrentProcess].ProcessId;
sprintf(buffer,"Name: %s Process Id : %d Username: %s Path: %sn",pProcessInfo[CurrentProcess].pProcessName,Id,GetUserFromPID(pProcessInfo[CurrentProcess].pUserSid),PDirName(Id));
strcat(procs,buffer);
}
}
ZeroMemory(&pProcessInfo,sizeof(pProcessInfo));
return (procs);
}
int main()
{
printf(PrcList());
return 0;
}[/php]
php for............. wat site/something
It's C++ , not PHP.
Yes that is a good method but another could be using NtQuerySystemInformation, although you will still have to read the process's Access Token to find out the user's SID and convert it to the user.
The PEB and TEB also contains a lot of useful info
Other methods could include:
_EPROCESS Kernel block reading (With Debug APIs)
Process32Next (Snapshot API)
EnumProcesses
The PEB and TEB also contains a lot of useful info
Other methods could include:
_EPROCESS Kernel block reading (With Debug APIs)
Process32Next (Snapshot API)
EnumProcesses
Similar Threads
- 8Last post
- 7Last post
- 1Last post
- 2Last post
- 23Last post