waliedassar

ProcessBasicInformation vs. New Flags

Jan 22nd, 2013
//http://waleedassar.blogspot.com
//http://www.twitter.com/waleedassar

//With the "ProcessBasicInformation" class of the "ZwQueryInformationProcess" function, you
//can now query certain flags of the "_EPROCESS" structure, e.g.
//1) Whether the process is protected or not (see audiodg.exe).
//2) Whether the process is Wow64 or native 64-bit.
//3) Whether the process is self-delete or not.
//N.B. Self-Delete means that the process can only be terminated by itself.

#include "stdafx.h"    // MSVC precompiled-header stub; drop it when building outside Visual Studio
#include "windows.h"   // HANDLE, OpenProcess, CloseHandle, ExitProcess
#include "stdio.h"     // printf, scanf
  14.  
  15.  
  16.  
  17.  
// Prototypes for two ntdll exports that the public SDK headers do not declare
// (presumably linked against ntdll.lib). The int return is an NTSTATUS-style
// code: main() treats a negative value as failure.
extern "C"
{
    int __stdcall ZwQueryInformationProcess(HANDLE,unsigned long,void*,unsigned long,unsigned long*);
    int __stdcall ZwSetInformationProcess(HANDLE,unsigned long,unsigned long*,unsigned long);   // declared but not used in this file
}
  23.  
  24.  
  25.  
  26.  
#define ProcessBasicInformation 0x0   // information class passed to ZwQueryInformationProcess

// Bits of PROCESS_BASIC_INFORMATION_EXT::MiscFlags as decoded in main().
// NOTE(review): the Windows SDK's PROCESS_EXTENDED_BASIC_INFORMATION (winternl.h)
// labels these bits IsProtectedProcess, IsWow64Process, IsProcessDeleting and
// IsCrossSessionCreate; the last two names below differ from the SDK -- verify
// the intended meaning against that header before relying on them.
#define ProcessIsProtected 0x1
#define ProcessIsWow64     0x2
#define ProcessDeleteOrSelfDelete 0x4
#define ProcessCrossSectionCreate 0x8
  33.  
// Buffer filled by ZwQueryInformationProcess(ProcessBasicInformation) when the
// caller passes exactly this size; main() initialises Size to sizeof(B) before
// the call and the kernel reports the flag bits in MiscFlags.
// NOTE(review): every member is a 32-bit unsigned long, so the layout only lines
// up with the kernel structure in a 32-bit build -- PebAddress, AffinityMask and
// the two ids are pointer-sized in the native definition; confirm before an x64 build.
struct PROCESS_BASIC_INFORMATION_EXT
{
    unsigned long Size;              // set to sizeof(*this) by the caller (see main())
    unsigned long ExitStatus;
    unsigned long PebAddress;
    unsigned long AffinityMask;
    unsigned long BasePriority;
    unsigned long UniqueProcessId;
    unsigned long ParentProcessId;
    unsigned long MiscFlags;         // tested against ProcessIsProtected / ProcessIsWow64 / ... above
};
  45.  
// Least-privilege access right used by main(): enough for this query class and,
// unlike PROCESS_QUERY_INFORMATION, presumably grantable on protected processes
// (the audiodg.exe case mentioned in the header). Defined locally for SDKs whose
// winnt.h lacks it; NOTE(review): newer SDKs already define it -- wrap in #ifndef if the build warns.
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
  47.  
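// Asks for a process id, opens the process with the least access right needed,
// queries PROCESS_BASIC_INFORMATION_EXT and prints its fields plus the four
// MiscFlags bits defined above.
// Exit status: 0 on success; 1 on bad input, failed OpenProcess or failed query
// (the original returned 1 on success and 0 on failure, which inverted the usual convention).
int main(void)
{
    unsigned long pid = 0;
    printf("Enter Process Id ");
    // %lu matches the unsigned long target; the previous %d was a format/type
    // mismatch. An unparsable or zero id ends the program before any handle is opened.
    if (scanf("%lu", &pid) != 1 || pid == 0) {
        return 1;
    }

    // bInheritHandle is FALSE: the handle is never handed to a child process, so
    // making it inheritable would only widen what a spawned process could reach.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (!hProcess) {
        printf("OpenProcess failed: %lu\r\n", GetLastError());
        return 1;
    }

    int rc = 1;
    PROCESS_BASIC_INFORMATION_EXT B = { sizeof(B) };   // Size tells the kernel which layout is wanted
    unsigned long retLength = 0;
    int ret = ZwQueryInformationProcess(hProcess, ProcessBasicInformation, &B, sizeof(B), &retLength);
    if (ret < 0) {
        printf("Error: %x\r\n", ret);
    } else {
        // %lx for unsigned long members (the previous %x mismatched the argument width).
        printf("ExitStatus is %lx\r\n", B.ExitStatus);
        printf("PEB Address is %lx\r\n", B.PebAddress);
        printf("Process Affinity mask is %lx\r\n", B.AffinityMask);
        printf("Process Base Priority is %lx\r\n", B.BasePriority);
        printf("Process Id is %lx\r\n", B.UniqueProcessId);
        printf("Parent Process Id is %lx\r\n", B.ParentProcessId);

        printf("Protected: %s\r\n",          (B.MiscFlags & ProcessIsProtected)        ? "TRUE" : "FALSE");
        printf("Wow64: %s\r\n",              (B.MiscFlags & ProcessIsWow64)            ? "TRUE" : "FALSE");
        printf("Self-Delete: %s\r\n",        (B.MiscFlags & ProcessDeleteOrSelfDelete) ? "TRUE" : "FALSE");
        printf("CrossSectionCreate: %s\r\n", (B.MiscFlags & ProcessCrossSectionCreate) ? "TRUE" : "FALSE");
        rc = 0;
    }

    // Single exit path so the handle is always released.
    CloseHandle(hProcess);
    return rc;
}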