AgentOrange
I am looking for some C code or maybe a bat file that will allow me to find the path to an executable if I have its PID. I am working in a Windows environment.

The only thing I can think of is to search the computer for the executable's name and then try to brute force it. This is a huge waste of resources, but I don't know of another way.

Peace out
jsell
I don't know about source code, but knlps can do this easily enough.

It lists all the processes running on a machine and shows you the path to the executable. Watch out though, because I believe some rootkits are designed specifically to hide processes from this tool. It should work for what you need in most cases.

h**p://www.xfocus.net/tools/200403/knlps%20v0.4.zip
TheWaY2Be1337
QUOTE(jsell @ Oct 20 2004, 07:11 AM)
I don't know about source code, but knlps can do this easily enough.

It lists all the processes running on a machine and shows you the path to the executable. Watch out though, because I believe some rootkits are designed specifically to hide processes from this tool. It should work for what you need in most cases.

h**p://www.xfocus.net/tools/200403/knlps%20v0.4.zip

Yes, knlps works fine.

There is another one named handle.exe:

Handle v2.10
Copyright © 1997-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

bye
temptation
Here is the source code for Delphi, maybe it helps you?!

CODE
uses
 PsAPI, TlHelp32;
// portions by Project Jedi www.delphi-jedi.org/
const
 RsSystemIdleProcess = 'System Idle Process';
 RsSystemProcess = 'System Process';

function IsWinXP: Boolean;
begin
 Result := (Win32Platform = VER_PLATFORM_WIN32_NT) and
   (Win32MajorVersion = 5) and (Win32MinorVersion = 1);
end;

// Note: true on Windows 2000 *and later* (any NT 5.x+), not only on 2000;
// every caller below uses it as "2000 or newer".
function IsWin2k: Boolean;
begin
 Result := (Win32MajorVersion >= 5) and
   (Win32Platform = VER_PLATFORM_WIN32_NT);
end;

function IsWinNT4: Boolean;
begin
 Result := Win32Platform = VER_PLATFORM_WIN32_NT;
 Result := Result and (Win32MajorVersion = 4);
end;

function IsWin3X: Boolean;
begin
 Result := Win32Platform = VER_PLATFORM_WIN32_NT;
 Result := Result and (Win32MajorVersion = 3) and
   ((Win32MinorVersion = 1) or (Win32MinorVersion = 5) or
   (Win32MinorVersion = 51));
end;

function RunningProcessesList(const List: TStrings; FullPath: Boolean): Boolean;

 // Resolve a PID to its image name via PSAPI. GetModuleFileNameEx needs
 // PROCESS_VM_READ as well as PROCESS_QUERY_INFORMATION, so this fails
 // (returns '') for processes we are not allowed to read; the callers fall
 // back to the ToolHelp szExeFile in that case.
 function ProcessFileName(PID: DWORD): string;
 var
   Handle: THandle;
 begin
   Result := '';
   Handle := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, PID);
   if Handle <> 0 then
     try
       SetLength(Result, MAX_PATH);
       if FullPath then
       begin
         if GetModuleFileNameEx(Handle, 0, PChar(Result), MAX_PATH) > 0 then
           SetLength(Result, StrLen(PChar(Result)))
         else
           Result := '';
       end
       else
       begin
         if GetModuleBaseNameA(Handle, 0, PChar(Result), MAX_PATH) > 0 then
           SetLength(Result, StrLen(PChar(Result)))
         else
           Result := '';
       end;
     finally
       CloseHandle(Handle);
     end;
 end;

 function BuildListTH: Boolean;
 var
   SnapProcHandle: THandle;
   ProcEntry: TProcessEntry32;
   NextProc: Boolean;
   FileName: string;
 begin
   SnapProcHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
   Result := (SnapProcHandle <> INVALID_HANDLE_VALUE);
   if Result then
     try
       ProcEntry.dwSize := SizeOf(ProcEntry);
       NextProc := Process32First(SnapProcHandle, ProcEntry);
       while NextProc do
       begin
         if ProcEntry.th32ProcessID = 0 then
         begin
           // PID 0 is always the "System Idle Process" but this name cannot be
           // retrieved from the system and has to be fabricated.
           FileName := RsSystemIdleProcess;
         end
         else
         begin
           if IsWin2k or IsWinXP then
           begin
             FileName := ProcessFileName(ProcEntry.th32ProcessID);
             if FileName = '' then
               FileName := ProcEntry.szExeFile;
           end
           else
           begin
             FileName := ProcEntry.szExeFile;
             if not FullPath then
               FileName := ExtractFileName(FileName);
           end;
         end;
         List.AddObject(FileName, Pointer(ProcEntry.th32ProcessID));
         NextProc := Process32Next(SnapProcHandle, ProcEntry);
       end;
     finally
       CloseHandle(SnapProcHandle);
     end;
 end;

 function BuildListPS: Boolean;
 var
   PIDs: array [0..1024] of DWORD;
   Needed: DWORD;
   I: Integer;
   FileName: string;
 begin
   Result := EnumProcesses(@PIDs, SizeOf(PIDs), Needed);
   if Result then
   begin
     for I := 0 to (Needed div SizeOf(DWORD)) - 1 do
     begin
       case PIDs[I] of
         0:
           // PID 0 is always the "System Idle Process" but this name cannot be
           // retrieved from the system and has to be fabricated.
           FileName := RsSystemIdleProcess;
         2:
           // On NT 4 PID 2 is the "System Process" but this name cannot be
           // retrieved from the system and has to be fabricated.
           if IsWinNT4 then
             FileName := RsSystemProcess
           else
             FileName := ProcessFileName(PIDs[I]);
         8:
           // On Win2K PID 8 is the "System Process" but this name cannot be
           // retrieved from the system and has to be fabricated.
           if IsWin2k or IsWinXP then
             FileName := RsSystemProcess
           else
             FileName := ProcessFileName(PIDs[I]);
       else
         FileName := ProcessFileName(PIDs[I]);
       end;
       if FileName <> '' then
         List.AddObject(FileName, Pointer(PIDs[I]));
     end;
   end;
 end;
begin
 // ToolHelp32 does not exist on NT 3.x/4.0, so use PSAPI enumeration there;
 // everywhere else take a ToolHelp snapshot.
 if IsWin3X or IsWinNT4 then
   Result := BuildListPS
 else
   Result := BuildListTH;
end;

function GetProcessNameFromWnd(Wnd: HWND): string;
var
 List: TStringList;
 PID: DWORD;
 I: Integer;
begin
 Result := '';
 if IsWindow(Wnd) then
 begin
   PID := INVALID_HANDLE_VALUE;
   GetWindowThreadProcessId(Wnd, @PID);
   List := TStringList.Create;
   try
     if RunningProcessesList(List, True) then
     begin
       I := List.IndexOfObject(Pointer(PID));
       if I > -1 then
         Result := List[I];
     end;
   finally
     List.Free;
   end;
 end;
end;


If you want I can code a DLL file, so that you can use C for the program :-D
tibbar
Yikes, all that code for such a simple thing!

It is a simple thing.

In pseudocode:


#include <windows.h>
#include <psapi.h>   /* GetProcessImageFileName lives here; link with psapi.lib */

HANDLE processHandle = OpenProcess(
    PROCESS_QUERY_INFORMATION,
    FALSE,
    dwProcessId
);

char ImageFileName[256];

/* nSize is the buffer length in characters. Passing 256+1 for a 256-byte
   array lets the API write one byte past its end; use the array size.
   Returns the length written, or 0 on failure. The result is an NT device
   path such as \Device\HarddiskVolume1\WINNT\explorer.exe, not a C:\ path. */
DWORD DidItWork = GetProcessImageFileName(
    processHandle,
    ImageFileName,
    sizeof(ImageFileName)
);

CloseHandle(processHandle);

Now that was pretty simple.
x^r
Hi, attached is a .zip with an example, source and binary included.
QUOTE
C:\Work>PidPath.exe

PidPath.exe 1.0 by x^r

PID    : PATH
180    : \SystemRoot\System32\smss.exe
204    : \??\C:\WINNT\system32\csrss.exe
200    : \??\C:\WINNT\system32\winlogon.exe
252    : C:\WINNT\system32\services.exe
264    : C:\WINNT\system32\lsass.exe
412    : C:\WINNT\system32\svchost.exe
512    : C:\WINNT\Explorer.EXE
596    : C:\WINNT\System32\svchost.exe
684    : C:\WINNT\system32\cmd.exe
364    : C:\Work\PidPath.exe

C:\Work>

BTW, you need PSAPI.DLL somewhere in your %PATH%.

Greetz x^r
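Both tibbar's GetProcessImageFileName call and the PidPath output above hand back NT-native path spellings (\Device\HarddiskVolumeN\..., \??\C:\..., \SystemRoot\...) rather than the plain C:\... path the original question asked for. The following is an added example, not code from any poster or from PidPath: a portable routine that normalises those three forms, plus a Windows-only main() that feeds it from a live PID. The sample drive table and the C:\WINNT system root it uses offline are constructed for the example; on a real host the table comes from GetLogicalDriveStrings/QueryDosDevice and the root from GetWindowsDirectory.

```c
/* Added example (not from the thread): turn the path spellings Windows
 * returns for a process image (\Device\HarddiskVolumeN\..., \??\C:\...,
 * \SystemRoot\...) into a plain C:\... path. The normaliser is portable C;
 * the live lookup via GetProcessImageFileName sits behind #ifdef _WIN32. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One DOS drive -> NT device mapping, as QueryDosDevice reports it. */
struct drive_map { const char *drive; const char *device; };

/* Case-insensitive prefix test that only matches on a component boundary, so
 * \Device\HarddiskVolume1 does not swallow \Device\HarddiskVolume10\... */
static int prefix_at_component(const char *s, const char *prefix)
{
    size_t i, n = strlen(prefix);
    for (i = 0; i < n; i++)              /* stops safely if s is shorter */
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return s[n] == '\\' || s[n] == '\0';
}

/* Rewrite `in` into `out` (capacity `cap`) as a Win32 path:
 *   \??\C:\x -> C:\x   \SystemRoot\x -> <sysroot>\x   \Device\<vol>\x -> <drive>\x
 * and C:\x passes through. sysroot carries no trailing backslash. Returns 1 on
 * success, 0 for an unmapped device, an unknown form or a short buffer; it
 * never guesses a drive letter. */
int nt_path_to_win32(const char *in, const char *sysroot,
                     const struct drive_map *map, size_t nmap,
                     char *out, size_t cap)
{
    const char *head = NULL, *tail = NULL;
    size_t i;
    if (strncmp(in, "\\??\\", 4) == 0) {
        head = ""; tail = in + 4;
    } else if (prefix_at_component(in, "\\SystemRoot")) {
        head = sysroot; tail = in + strlen("\\SystemRoot");
    } else if (prefix_at_component(in, "\\Device")) {
        for (i = 0; i < nmap && head == NULL; i++)
            if (prefix_at_component(in, map[i].device)) {
                head = map[i].drive; tail = in + strlen(map[i].device);
            }
        if (head == NULL) return 0;
    } else if (isalpha((unsigned char)in[0]) && in[1] == ':') {
        head = ""; tail = in;
    } else {
        return 0;
    }
    if (strlen(head) + strlen(tail) + 1 > cap) return 0;
    strcpy(out, head);
    strcat(out, tail);
    return 1;
}

/* Constructed sample table and system root so the normaliser runs offline;
 * on a real host main() fills the table from QueryDosDevice instead. */
static const struct drive_map sample_map[] = {
    { "C:", "\\Device\\HarddiskVolume1"  },
    { "D:", "\\Device\\HarddiskVolume10" },
};
int sample_convert(const char *in, char *out, size_t cap)
{
    return nt_path_to_win32(in, "C:\\WINNT", sample_map,
                            sizeof sample_map / sizeof sample_map[0], out, cap);
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>                       /* link with psapi.lib / -lpsapi */
/* Usage: pidpath <pid>. Prints "<pid> : <path>". */
int main(int argc, char **argv)
{
    char nt[MAX_PATH], win[MAX_PATH], sysroot[MAX_PATH];
    char letters[4 * 26 + 1], drives[26][3], devs[26][MAX_PATH];
    struct drive_map map[26];
    size_t n = 0;
    const char *p;
    DWORD pid;
    HANDLE h;
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 2; }
    pid = (DWORD)strtoul(argv[1], NULL, 10);
    /* GetProcessImageFileName needs only PROCESS_QUERY_INFORMATION (on Vista and
     * later PROCESS_QUERY_LIMITED_INFORMATION, which is granted for more
     * processes); unlike GetModuleFileNameEx it does not need PROCESS_VM_READ. */
    h = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (h == NULL) { fprintf(stderr, "OpenProcess: error %lu\n", GetLastError()); return 1; }
    if (GetProcessImageFileNameA(h, nt, sizeof nt) == 0) {   /* nSize is in chars */
        fprintf(stderr, "GetProcessImageFileName: error %lu\n", GetLastError());
        CloseHandle(h); return 1;
    }
    CloseHandle(h);
    /* Drive table: "C:\0D:\0\0" from GetLogicalDriveStrings, then
     * QueryDosDevice("C:") -> "\Device\HarddiskVolume1" for each drive. */
    if (GetLogicalDriveStringsA(sizeof letters - 1, letters) == 0) letters[0] = '\0';
    for (p = letters; *p && n < 26; p += strlen(p) + 1) {
        drives[n][0] = p[0]; drives[n][1] = ':'; drives[n][2] = '\0';
        if (QueryDosDeviceA(drives[n], devs[n], MAX_PATH) == 0) continue;
        map[n].drive = drives[n]; map[n].device = devs[n]; n++;
    }
    GetWindowsDirectoryA(sysroot, sizeof sysroot);
    if (!nt_path_to_win32(nt, sysroot, map, n, win, sizeof win)) {
        printf("%lu : %s (no drive letter for this device)\n", pid, nt);
        return 1;
    }
    printf("%lu : %s\n", pid, win);
    return 0;
}
#endif
```

Build with MinGW as `gcc pidpath.c -lpsapi` (or link psapi.lib with MSVC) and run `pidpath <pid>`. Paths on network or otherwise unmapped devices are printed unchanged with a warning rather than given a guessed drive letter, and the volume-number check matters on real hosts, where HarddiskVolume10 and above are common. Like every user-mode enumerator in this thread, the lookup only sees what the kernel reports, so a rootkit that hides a process hides its path as well.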
AgentOrange
Bad ass, this is just what I was looking for. Thanks for your help guys.

Peace out