
How to get PID from process name

Posted: Wed Mar 13, 2013 11:08 pm
by Xearinox
Hello.

How do I get a PID from a process name in kernel mode?

Maybe a simple answer, but how do I get all PIDs if the application has multiple instances, so multiple PIDs exist?

How do I get all of them?

Thanks.

Re: How to get PID from process name

Posted: Thu Mar 14, 2013 12:35 am
by reverser

Re: How to get PID from process name

Posted: Thu Mar 14, 2013 1:41 am
by r2nwcnydc
You could use ZwQueryInformationProcess with ProcessImageFileName to get the process' image name and path:
http://msdn.microsoft.com/en-us/library ... s.85).aspx

You can use ZwQuerySystemInformation with SystemProcessInformation to enumerate all processes:
http://msdn.microsoft.com/en-us/library ... s.85).aspx

Then you'll just loop over each process in the list, open the process, get its file name, and compare it to the name you want to enumerate. There will be a race condition with this approach, so you'll need to handle that if that concerns you.

Re: How to get PID from process name

Posted: Sun Mar 17, 2013 5:54 pm
by darklich
Well, as r2nwcnydc says, enumerate the running processes and compare the process name with the name you have, then return its PID...

and here is some code:
#include <windows.h>
#include <psapi.h>
#include <tchar.h>
#include <stdio.h>

/* User-mode lookup via PSAPI: returns the first PID whose main-module base
 * name equals pName (case-sensitive compare), or (DWORD)-1 if none matched. */
DWORD GetProcessIdByName(TCHAR *pName)
{
    TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");
    DWORD aProcesses[1024], cbNeeded, cProcesses;
    unsigned int i;
    int err = 0;

    if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
    {
        err = GetLastError();
        printf("Error listing running processes, code: %d\n", err);
        return (DWORD)-1;
    }

    cProcesses = cbNeeded / sizeof(DWORD);

    for (i = 0; i < cProcesses; i++)
    {
        /* PID 0 (Idle) and PID 4 (System) have no user-mode modules to query */
        if (aProcesses[i] == 0 || aProcesses[i] == 4)
            continue;

        /* Query-only rights are enough here; PROCESS_ALL_ACCESS is refused
         * for many processes and would make the lookup miss them. */
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                      FALSE, aProcesses[i]);
        if (NULL != hProcess)
        {
            HMODULE hMod;
            DWORD cbModNeeded;   /* own variable: do not shadow the outer cbNeeded */

            /* First module is the main executable. Note: fails for 64-bit
             * targets when this code runs as a 32-bit (WOW64) process. */
            if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbModNeeded))
            {
                GetModuleBaseName(hProcess, hMod, szProcessName,
                                  sizeof(szProcessName) / sizeof(TCHAR));
                if (_tcscmp(pName, szProcessName) == 0)
                {
                    CloseHandle(hProcess);
                    return aProcesses[i];
                }
            }

            CloseHandle(hProcess);
        }
    }

    /* TCHAR-aware printf so %s matches the character width of pName */
    _tprintf(TEXT(" process %s not found!\n"), pName);
    return (DWORD)-1;
}
Hope it helps :)

Re: How to get PID from process name

Posted: Mon Mar 18, 2013 2:59 am
by EP_X0FF
How to get PID from process name in kernel mode?
How does all this Tool Help and PSAPI help in kernel mode?

Re: How to get PID from process name

Posted: Fri Mar 22, 2013 2:09 am
by Brock
As mentioned already, usermode TLHELP and PSAPI libs will not help you in kernel land. Using Zw* APIs will, though (r2nwcnydc mentions this): ZwQuerySystemInformation and ZwQueryInformationProcess are all you need to do what you ask :lol:
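The kernel-side enumeration that r2nwcnydc and Brock describe, as an added example that is not code from this thread: it assumes the caller has already obtained a SystemProcessInformation buffer from ZwQuerySystemInformation, uses a locally reconstructed (assumed, 64-bit) record layout and an ASCII name instead of a UNICODE_STRING so it compiles outside a driver, and walks a constructed three-record sample in place of a real reply.

```c
#include <stdint.h>
#include <stddef.h>
/* Assumed reconstruction of the front of a 64-bit SYSTEM_PROCESS_INFORMATION
 * record (a driver includes <ntifs.h> instead); only three fields are used. */
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } UNICODE_STRING;
typedef struct {
    uint32_t NextEntryOffset, NumberOfThreads;   /* offset 0 marks the last record */
    uint64_t Counters[6];                        /* WorkingSetPrivateSize .. KernelTime */
    UNICODE_STRING ImageName;                    /* file name only, e.g. notepad.exe */
    int32_t BasePriority; void *UniqueProcessId; /* the PID, carried as a HANDLE */
} SYSTEM_PROCESS_INFORMATION;                    /* more fields and threads follow */

/* Case-insensitive match of the counted UTF-16 ImageName against an ASCII name
 * (a driver would compare two UNICODE_STRINGs with RtlEqualUnicodeString(.., TRUE)). */
static unsigned fold(unsigned c) { return c - 'A' < 26u ? c + 32 : c; }
static int image_name_equals(const UNICODE_STRING *s, const char *name)
{
    size_t n = s->Length / sizeof(uint16_t);
    if (s->Buffer == NULL) return 0;          /* Idle and System carry no name */
    for (size_t i = 0; i < n; i++)
        if (name[i] == 0 || fold(s->Buffer[i]) != fold((unsigned char)name[i])) return 0;
    return name[n] == 0;
}

/* Walks a SystemProcessInformation reply of `size` bytes (ZwQuerySystemInformation,
 * retried on STATUS_INFO_LENGTH_MISMATCH); stores up to `max` PIDs, returns all matches. */
size_t collect_pids_by_name(const void *buf, size_t size, const char *name,
                            uintptr_t *pids, size_t max)
{
    size_t found = 0, off = 0;
    while (off + sizeof(SYSTEM_PROCESS_INFORMATION) <= size) {   /* truncation guard */
        const SYSTEM_PROCESS_INFORMATION *p = (const void *)((const char *)buf + off);
        if (image_name_equals(&p->ImageName, name) && found++ < max)
            pids[found - 1] = (uintptr_t)p->UniqueProcessId;
        if (p->NextEntryOffset == 0) break;
        off += p->NextEntryOffset;
    }
    return found;
}
/* Constructed sample reply: an unnamed Idle-style record, then two notepad.exe
 * instances whose names differ only in case. Length is in bytes, without NUL. */
static uint16_t n1[] = {'n','o','t','e','p','a','d','.','e','x','e'};
static uint16_t n2[] = {'N','o','t','e','p','a','d','.','E','X','E'};
uintptr_t found_pids[8];
SYSTEM_PROCESS_INFORMATION sample[3] = {
    { .NextEntryOffset = sizeof(SYSTEM_PROCESS_INFORMATION) },
    { .NextEntryOffset = sizeof(SYSTEM_PROCESS_INFORMATION),
      .ImageName = { 22, 22, n1 }, .UniqueProcessId = (void *)(uintptr_t)1234 },
    { .ImageName = { 22, 22, n2 }, .UniqueProcessId = (void *)(uintptr_t)5678 },
};
```

Real records are variable-length (each is followed by its thread array), which is why the walk advances by NextEntryOffset rather than by sizeof; the returned count covers every instance, which answers the multiple-PID part of the question.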

Re: How to get PID from process name

Posted: Fri Mar 22, 2013 8:46 pm
by reverser
EP_X0FF wrote:
How to get PID from process name in kernel mode?
How does all this Tool Help and PSAPI help in kernel mode?
Sorry, missed that part.

Re: How to get PID from process name

Posted: Wed Dec 25, 2013 11:17 am
by FileSystem_Driver
Hi,
You can use the following function to get the handle of the process: :ugeek:
NTSTATUS NTAPI ObOpenObjectByName(
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN POBJECT_TYPE ObjectType,
    IN KPROCESSOR_MODE AccessMode,
    IN PACCESS_STATE PassedAccessState,
    IN ACCESS_MASK DesiredAccess,
    IN OUT PVOID ParseContext,
    OUT PHANDLE Handle
);

and then, entering the following code in kernel mode can easily do it :)

#include <windows.h>

/* User-mode routine (kernel32, CreateRemoteThread), despite the surrounding
 * text: it resolves the PID by running GetCurrentProcessId inside the target
 * on a new thread and reading the thread exit code. The same value is available
 * without any injection from GetProcessId(hProcess); kept as posted. */
DWORD WINAPI GetProcessIDbyProcessHandle(HANDLE hProcess)
{
    if (hProcess == NULL)    return 0xffffffff;
    /* kernel32 is mapped at the same base in every process, so the local
     * address of GetCurrentProcessId is valid inside the target too */
    PTHREAD_START_ROUTINE lpStartAddress = (PTHREAD_START_ROUTINE)
        GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "GetCurrentProcessId");
    if (lpStartAddress == NULL) return 0xffffffff;

    /* Re-open the handle with exactly the rights CreateRemoteThread needs */
    HANDLE hProcessAccAdj;
    BOOL bRes = DuplicateHandle(GetCurrentProcess(),
                                hProcess, GetCurrentProcess(), &hProcessAccAdj,
                                PROCESS_QUERY_INFORMATION|PROCESS_CREATE_THREAD|
                                PROCESS_VM_OPERATION|PROCESS_VM_WRITE,
                                FALSE, 0);
    if (!bRes || hProcessAccAdj == NULL)
    {
        UINT unError = GetLastError();   /* available for diagnostics */
        (void)unError;
        return 0xffffffff;
    }

    DWORD dwThreadID;
    HANDLE hRemoteThread = CreateRemoteThread(hProcessAccAdj, NULL,
        0, lpStartAddress, 0, 0, &dwThreadID);
    CloseHandle(hProcessAccAdj);
    if (hRemoteThread == NULL) return 0xffffffff;

    /* The thread returns the target's PID as its exit code */
    WaitForSingleObject(hRemoteThread, INFINITE);
    DWORD dwExitCode;
    if (GetExitCodeThread(hRemoteThread, &dwExitCode) == 0)    dwExitCode = 0xffffffff;
    CloseHandle(hRemoteThread);
    return dwExitCode;
}

Re: How to get PID from process name

Posted: Thu Dec 26, 2013 8:20 am
by EP_X0FF
Use [ code ] [ / code] tags and stay away from posting in a dead 9-month-old thread.
Necroposting, closed.