How to get a PID by exe name?

  • Question

  • Hello,

    I have the following code, and it shows how to kill a specific process based on its PID.

    #include <ntifs.h>

    // PsLookupProcessByProcessId is already declared by ntifs.h; the original
    // redeclared it locally without the NTKERNELAPI/NTAPI decoration.

    NTSTATUS terminate_process(HANDLE targetPid)
    {
        NTSTATUS NtRet = STATUS_SUCCESS;
        PEPROCESS PeProc = NULL;
        HANDLE ProcessHandle = NULL;

        // On success this returns a *referenced* EPROCESS; the reference must be dropped below.
        NtRet = PsLookupProcessByProcessId(targetPid, &PeProc);
        if (!NT_SUCCESS(NtRet))
        {
            return NtRet;
        }

        // The original requested the magic mask 25 (0x19 = PROCESS_TERMINATE | PROCESS_VM_OPERATION |
        // PROCESS_VM_READ); only PROCESS_TERMINATE is needed to terminate. OBJ_KERNEL_HANDLE keeps the
        // handle out of the current user process's handle table.
        NtRet = ObOpenObjectByPointer(PeProc, OBJ_KERNEL_HANDLE, NULL, PROCESS_TERMINATE,
                                      *PsProcessType, KernelMode, &ProcessHandle);
        if (NT_SUCCESS(NtRet))
        {
            NtRet = ZwTerminateProcess(ProcessHandle, STATUS_SUCCESS);
            ZwClose(ProcessHandle);      // the original leaked this handle
        }

        ObDereferenceObject(PeProc);     // release the reference taken by PsLookupProcessByProcessId
        return NtRet;
    }

    VOID DriverUnloadRoutine(PDRIVER_OBJECT pDriverObject)
    {
        UNREFERENCED_PARAMETER(pDriverObject);
        // nothing needs to be done here
    }

    NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pUniStr)
    {
        UNREFERENCED_PARAMETER(pUniStr);
        pDriverObject->DriverUnload = DriverUnloadRoutine;
        // Process IDs are HANDLE-typed in kernel mode; the original passed a bare integer to a PVOID.
        terminate_process((HANDLE)(ULONG_PTR)124240);
        return STATUS_SUCCESS;
    }

    It could be easier to get this PID using only the program name, as is normally done in a user-mode function (method).

    So, I want to know how to obtain the PID of a process (in kernel mode) using only its name.


    • Edited by FLASHCODER Monday, January 16, 2017 10:24 PM
    Monday, January 16, 2017 10:24 PM

Answers

  • First you need to understand that using the name of an executable is not going to do much for you; there are a lot of ways to spoof the name. As Brian pointed out, why are you doing this in kernel mode? There are a lot of things that are better to do in user space, and this is one of them.

    If you really want to map an executable name to a PID, you need to look at PsSetCreateProcessNotifyRoutineEx, and if need be PsSetCreateProcessNotifyRoutine and PsSetLoadImageNotifyRoutine (the first image loaded in a new process is the executable). Of course you probably should want to use PsSetLoadImageNotifyRoutine, since there is nothing that stops malware from utilizing a DLL for its dirty work.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    • Marked as answer by FLASHCODER Tuesday, January 17, 2017 11:35 PM
    Monday, January 16, 2017 11:36 PM

All replies

  • Why are you trying to do this from a driver? What larger problem are you trying to solve?

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Monday, January 16, 2017 10:29 PM
    Moderator
  • Why are you trying to do this from a driver? What larger problem are you trying to solve?

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    This feature is for an antirootkit that I'm developing.

    Monday, January 16, 2017 11:11 PM
  • First you need to understand that using the name of an executable is not going to do much for you; there are a lot of ways to spoof the name. As Brian pointed out, why are you doing this in kernel mode? There are a lot of things that are better to do in user space, and this is one of them.

    If you really want to map an executable name to a PID, you need to look at PsSetCreateProcessNotifyRoutineEx, and if need be PsSetCreateProcessNotifyRoutine and PsSetLoadImageNotifyRoutine (the first image loaded in a new process is the executable). Of course you probably should want to use PsSetLoadImageNotifyRoutine, since there is nothing that stops malware from utilizing a DLL for its dirty work.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    So, as you know, malware can be protected against killing; this way it is really necessary to use a driver (.sys) to kill a protected malware process.

    Then I'm searching for something like this (in kernel mode):

    #include <cstdio>
    #include <windows.h>
    #include <tlhelp32.h>
    #include <tchar.h>

    int main( int, char *[] )
    {
        PROCESSENTRY32 entry;
        entry.dwSize = sizeof(PROCESSENTRY32);

        // th32ProcessID is ignored for TH32CS_SNAPPROCESS; the original passed NULL for a DWORD.
        HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (snapshot == INVALID_HANDLE_VALUE)
        {
            return 1;
        }

        // do/while so the first entry is compared too; the original's if/while skipped it.
        if (Process32First(snapshot, &entry) == TRUE)
        {
            do
            {
                // szExeFile is TCHAR, so _tcsicmp works for both ANSI and UNICODE builds
                // (stricmp is non-standard and breaks under UNICODE).
                if (_tcsicmp(entry.szExeFile, _T("target.exe")) == 0)
                {
                    // Request only the rights the work below actually needs instead of PROCESS_ALL_ACCESS.
                    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, entry.th32ProcessID);
                    if (hProcess != NULL)
                    {
                        // Do stuff..

                        CloseHandle(hProcess);
                    }
                }
            } while (Process32Next(snapshot, &entry) == TRUE);
        }

        CloseHandle(snapshot);

        return 0;
    }



    • Edited by FLASHCODER Tuesday, January 17, 2017 12:06 AM
    Tuesday, January 17, 2017 12:05 AM
  • You are going to have to build your own table of executable image paths to PID, using the calls from my last post. Of course, remember that a clever piece of malware can spoof the path and other things in so many ways.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Tuesday, January 17, 2017 12:14 AM
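Don's advice in the accepted answer and in this last reply (keep your own table fed by PsSetCreateProcessNotifyRoutineEx and match on the full image path), as an added example that is not part of the thread: the callback body and the lookup in portable C, with constructed stand-ins (CreateNotifyInfo, ProcEntry, g_table) for HANDLE, PS_CREATE_NOTIFY_INFO and the UNICODE_STRING image path so the logic can be compiled and exercised outside a driver. The registration call and the /INTEGRITYCHECK link requirement are noted in comments; the function names are mine.

```c
#include <stdint.h>
#include <string.h>
#include <ctype.h>

#define MAX_TRACKED 64

/* Constructed stand-ins for the kernel types: in a driver ProcessId is a HANDLE and
 * ImageFileName a PUNICODE_STRING inside PS_CREATE_NOTIFY_INFO. */
typedef struct { const char *ImageFileName; } CreateNotifyInfo;
typedef struct { uintptr_t pid; char image_path[260]; } ProcEntry;

static ProcEntry g_table[MAX_TRACKED];  /* pid 0 = free slot; a driver guards this with a lock */

static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Same shape as a PCREATE_PROCESS_NOTIFY_ROUTINE_EX callback. A driver registers it with
 * PsSetCreateProcessNotifyRoutineEx(ProcessNotifyEx, FALSE) and must be linked with
 * /INTEGRITYCHECK. create_info is non-NULL on process create and NULL on process exit. */
void ProcessNotifyEx(uintptr_t parent_pid, uintptr_t pid, const CreateNotifyInfo *create_info)
{
    (void)parent_pid;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (create_info == NULL) {                 /* exit: forget the PID */
            if (g_table[i].pid == pid) { g_table[i].pid = 0; return; }
        } else if (g_table[i].pid == 0) {          /* create: record PID -> full image path */
            g_table[i].pid = pid;
            strncpy(g_table[i].image_path, create_info->ImageFileName, sizeof(g_table[i].image_path) - 1);
            g_table[i].image_path[sizeof(g_table[i].image_path) - 1] = '\0';
            return;
        }
    }
}

/* Resolve an image to a PID from the table. full_path != 0 compares the whole NT path
 * (the "executable image paths" Don suggests); 0 compares only the file name, which is
 * trivially spoofable. Returns the first live match or 0 if none. */
uintptr_t FindPidByImage(const char *wanted, int full_path)
{
    for (int i = 0; i < MAX_TRACKED; i++) {
        const char *p = g_table[i].image_path, *base = strrchr(p, '\\');
        if (g_table[i].pid != 0 && ieq(wanted, full_path ? p : (base ? base + 1 : p)))
            return g_table[i].pid;
    }
    return 0;
}
```

Only the first match is returned, and several live processes can share a file name or even a path, which is why the lookup alone is a weak identity check.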