//http://waleedassar.blogspot.com
//http://www.twitter.com/waleedassar

//With the "ProcessBasicInformation" class of the "ZwQueryInformationProcess" function, you
//can now query certain flags of the "_EPROCESS" structure, e.g.:
//1) Whether the process is protected or not (see audiodg.exe).
//2) Whether the process is Wow64 or native 64-bit.
//3) Whether the process is self-delete or not.
//N.B. Self-Delete means that the process can only be terminated by itself.

#include "stdafx.h"   // MSVC precompiled header: must stay the first include
#include "windows.h"
#include "stdio.h"
#include <errno.h>
#include <stdlib.h>
  14.  
  15.  
  16.  
  17.  
// Native (ntdll) prototypes, declared by hand because the public SDK headers do
// not export them. Presumably resolved from ntdll.lib at link time — the build
// settings are not visible in this file.
// ZwQueryInformationProcess(ProcessHandle, ProcessInformationClass,
//                           ProcessInformation, ProcessInformationLength,
//                           ReturnLength) -> NTSTATUS (negative on failure).
// ZwSetInformationProcess is declared but not used in this file; note that its
// third parameter is declared as unsigned long* here although the native
// prototype takes a generic PVOID buffer.
extern "C"
{
    int __stdcall ZwQueryInformationProcess(HANDLE,unsigned long,void*,unsigned long,unsigned long*);
    int __stdcall ZwSetInformationProcess(HANDLE,unsigned long,unsigned long*,unsigned long);
}
  23.  
  24.  
  25.  
  26.  
// ProcessInformationClass value passed to ZwQueryInformationProcess (class 0).
#define ProcessBasicInformation 0x0

// Bit masks tested against PROCESS_BASIC_INFORMATION_EXT::MiscFlags in main().
// NOTE(review): these line up with the Flags bitfield of the publicly documented
// PROCESS_EXTENDED_BASIC_INFORMATION (IsProtectedProcess, IsWow64Process,
// IsProcessDeleting, IsCrossSessionCreate). In that definition bit 0x4 marks a
// process that is being torn down and 0x8 is "cross-session" rather than
// "cross-section" — confirm against the SDK before relying on the names here.
#define ProcessIsProtected 0x1
#define ProcessIsWow64     0x2
#define ProcessDeleteOrSelfDelete 0x4
#define ProcessCrossSectionCreate 0x8

// Caller-sized "extended" basic-information block. main() sets Size to
// sizeof(struct) before the query so the kernel fills the trailing MiscFlags
// word in addition to the classic basic-information fields.
// NOTE(review): every field is unsigned long, i.e. 32-bit on both Win32 and
// Win64. The native PROCESS_BASIC_INFORMATION uses pointer-sized fields for the
// PEB address, affinity mask and both process ids, so this layout only matches
// a 32-bit build — confirm before reusing it in an x64 target.
struct PROCESS_BASIC_INFORMATION_EXT
{
    unsigned long Size;              // in: sizeof(*this); selects the extended form
    unsigned long ExitStatus;
    unsigned long PebAddress;
    unsigned long AffinityMask;
    unsigned long BasePriority;
    unsigned long UniqueProcessId;
    unsigned long ParentProcessId;
    unsigned long MiscFlags;         // out: ProcessIsProtected / ProcessIsWow64 / ... bits
};

// Vista+ access right, presumably defined here for SDKs whose headers predate it.
// The value matches winnt.h, so an identical redefinition is benign.
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000

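// Reads a decimal process id from stdin.
// Returns 0 on empty, non-numeric, trailing-junk or out-of-range input so the
// caller bails out the same way the original did on a zero pid. The original
// used scanf("%d") into an unsigned long, which is a format/type mismatch and
// left the parse result unchecked.
static unsigned long read_pid(void)
{
    char line[64];
    printf("Enter Process Id ");
    fflush(stdout);
    if(!fgets(line,sizeof line,stdin)) return 0;

    errno=0;
    char *end=NULL;
    unsigned long pid=strtoul(line,&end,10);
    if(end==line || errno==ERANGE) return 0;      // nothing parsed, or overflow

    // Only whitespace (including the newline fgets keeps) may follow the number.
    while(*end==' ' || *end=='\t' || *end=='\r' || *end=='\n') ++end;
    if(*end!='\0') return 0;
    return pid;
}

// Prints one "<name>: TRUE/FALSE" line for a single bit of MiscFlags.
static void print_flag(const char *name,unsigned long flags,unsigned long bit)
{
    printf("%s: %s\r\n",name,(flags&bit)?"TRUE":"FALSE");
}

// Queries ProcessBasicInformation for a user-supplied pid and prints the classic
// basic-information fields plus the extended flag bits.
// Exit status: EXIT_SUCCESS once the query succeeded, EXIT_FAILURE on bad input,
// OpenProcess failure or a failed query (the original exited with 1 on success
// and 0 on every failure path).
int main(void)
{
    unsigned long pid=read_pid();
    if(!pid) return EXIT_FAILURE;

    // Least privilege: the limited query right is all this class needs, and the
    // handle is never handed to a child process, so it need not be inheritable
    // (the original requested an inheritable handle).
    HANDLE hProcess=OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION,FALSE,pid);
    if(!hProcess)
    {
        printf("OpenProcess failed: %lu\r\n",GetLastError());
        return EXIT_FAILURE;
    }

    int rc=EXIT_FAILURE;
    PROCESS_BASIC_INFORMATION_EXT B={sizeof(B)};   // Size selects the extended form; rest zeroed
    unsigned long retLength=0;
    int ret=ZwQueryInformationProcess(hProcess,ProcessBasicInformation,&B,sizeof(B),&retLength);
    if(ret<0)   // NTSTATUS: negative values are failures
    {
        printf("Error: %x\r\n",(unsigned)ret);
    }
    else
    {
        // %lx: every field is unsigned long (the original used %x).
        printf("ExitStatus is %lx\r\n",B.ExitStatus);
        printf("PEB Address is %lx\r\n",B.PebAddress);
        printf("Process Affinity mask is %lx\r\n",B.AffinityMask);
        printf("Process Base Priority is %lx\r\n",B.BasePriority);
        printf("Process Id is %lx\r\n",B.UniqueProcessId);
        printf("Parent Process Id is %lx\r\n",B.ParentProcessId);

        // If the kernel wrote fewer bytes than sizeof(B), MiscFlags was never
        // filled and still holds the zero from the initializer; say so rather
        // than printing four misleading FALSEs.
        if(retLength<sizeof(B))
        {
            printf("Extended flags not returned (ReturnLength %lu)\r\n",retLength);
        }
        else
        {
            print_flag("Protected",B.MiscFlags,ProcessIsProtected);
            print_flag("Wow64",B.MiscFlags,ProcessIsWow64);
            print_flag("Self-Delete",B.MiscFlags,ProcessDeleteOrSelfDelete);
            print_flag("CrossSectionCreate",B.MiscFlags,ProcessCrossSectionCreate);
        }
        rc=EXIT_SUCCESS;
    }
    CloseHandle(hProcess);
    return rc;
}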