In Windows, objects such as processes, threads and files are all abstracted as handles. Anyone familiar with Linux programming knows that in Linux everything is a file: processes, files and sockets are all identified by an int. The handle concept in Windows is similar to that int in Linux. It can be thought of as an ID-like data type, only represented differently, and every operation on an object must go through this identifier.
Windows also has HICON and HWND, most of which are UI-related. For now we only need to know that an HWND identifies a window and an HICON identifies an icon; how to operate on other processes through a window is covered later.
If we want to operate on another process, our program must first be able to obtain that process's identifier. Windows provides the OpenProcess function for this:
```c
HANDLE OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);
```
dwDesiredAccess is the access right requested on the process. In this chapter it is set to PROCESS_ALL_ACCESS.
bInheritHandle indicates whether the returned process handle can be inherited by child processes.
dwProcessId, the most important parameter, is the process ID.
As long as we can find a way to get the process ID, we can operate on the process. So how do we get the process ID?
1. Use the Task Manager
Open the Task Manager, click View in the menu bar, choose Select Columns, and tick PID. Back in the Task Manager there is now a PID column, which shows the ID of the process we need.
Now we only need to pass this value to OpenProcess to obtain the process handle:
```c
#include <windows.h>

/* Wrap OpenProcess so the other lookup functions below can share it.
   Returns NULL on failure, exactly as OpenProcess does. */
HANDLE OpenProcessById(const DWORD id)
{
    return OpenProcess(PROCESS_ALL_ACCESS, FALSE, id);
}
```
2. Through hwnd, that is, the window
Windows provides an API for finding a window handle, FindWindow. We can then pass the HWND found through FindWindow to GetWindowThreadProcessId, which gives us the ID of the process that owns the window.
```c
#include <windows.h>

HANDLE OpenProcessByWindowName(const char *name)
{
    /* Match on the window title only; the class name is left unspecified. */
    HWND hwnd = FindWindow(NULL, name);
    if (hwnd != NULL) {
        DWORD processId = 0;
        /* Returns the owning thread ID and writes the process ID through the pointer. */
        DWORD threadId = GetWindowThreadProcessId(hwnd, &processId);
        (void)threadId;                      /* not needed here */
        return OpenProcessById(processId);
    }
    return NULL;                             /* no window with that title was found */
}
```
3. Search for the process name
In Windows we can enumerate the names of all processes in the system and compare them one by one to find the matching process ID.
```c
#include <windows.h>
#include <tlhelp32.h>
#include <string.h>

HANDLE OpenProcessByProcessName(const char *name)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return NULL;                         /* nothing to close: no snapshot was created */

    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32);   /* must be set before each Process32First/Next call */
    if (!Process32First(hSnapshot, &pe32)) {
        CloseHandle(hSnapshot);
        return NULL;
    }

    HANDLE hProcess = NULL;
    do {
        /* Image names are case-insensitive on Windows, so compare with _stricmp.
           Several processes may share a name; this returns the first match. */
        if (_stricmp(pe32.szExeFile, name) == 0) {
            hProcess = OpenProcessById(pe32.th32ProcessID);
            break;
        }
        pe32.dwSize = sizeof(PROCESSENTRY32);
    } while (Process32Next(hSnapshot, &pe32));

    CloseHandle(hSnapshot);                  /* the snapshot is no longer needed once we have the PID */
    return hProcess;
}
```
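The same three lookups (by PID, by window title, by image name) as an added PowerShell example, not code from the original article: it resolves a process to its PID and then calls OpenProcess through P/Invoke, asking only for PROCESS_QUERY_LIMITED_INFORMATION so that the check works even where PROCESS_ALL_ACCESS would be denied. The function names, the `notepad.exe` sample target and the Win32.Kernel32 wrapper type are assumptions made for this example.

```powershell
# Added example: resolve a process by image name or main-window title, then
# open it with the least access needed to inspect it. Assumes Windows PowerShell 5.1+.
Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
"@

# PROCESS_QUERY_LIMITED_INFORMATION (0x1000) is enough to query basic process state;
# PROCESS_ALL_ACCESS, used in the article, is rarely needed and is denied far more often.
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

function Get-TargetPid {
    param([string]$ImageName, [string]$WindowTitle)
    if ($ImageName) {
        # Get-Process names omit ".exe", whereas Toolhelp's szExeFile includes it.
        $base = [IO.Path]::GetFileNameWithoutExtension($ImageName)
        return (Get-Process -Name $base -ErrorAction SilentlyContinue).Id
    }
    if ($WindowTitle) {
        # Equivalent of FindWindow + GetWindowThreadProcessId: match on the main window title.
        return (Get-Process | Where-Object { $_.MainWindowTitle -eq $WindowTitle }).Id
    }
}

function Test-OpenProcess {
    param([Parameter(Mandatory)][uint32]$ProcessId,
          [uint32]$Access = $PROCESS_QUERY_LIMITED_INFORMATION)
    $h   = [Win32.Kernel32]::OpenProcess($Access, $false, $ProcessId)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -eq [IntPtr]::Zero) {
        # ERROR_ACCESS_DENIED (5) is the usual result for protected or other users' processes.
        return [pscustomobject]@{ Pid = $ProcessId; Opened = $false; Win32Error = $err }
    }
    [void][Win32.Kernel32]::CloseHandle($h)   # never leak the handle
    return [pscustomobject]@{ Pid = $ProcessId; Opened = $true; Win32Error = 0 }
}

# Usage: report which notepad.exe instances the current token is allowed to open.
Get-TargetPid -ImageName 'notepad.exe' | ForEach-Object { Test-OpenProcess -ProcessId $_ }
```

Running it as a standard user against processes owned by another account shows the Win32Error 5 case, which is the same failure the C functions above signal by returning NULL.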
After we have obtained the process handle we can move on to the next step, for example code injection or extracting data from the process.