ProcessHacker | purpose tool that helps you monitor system resources | Security library
kandi X-RAY | ProcessHacker Summary
kandi X-RAY | ProcessHacker Summary
A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Project Website - Project Downloads.
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of ProcessHacker
ProcessHacker Key Features
ProcessHacker Examples and Code Snippets
Community Discussions
Trending Discussions on ProcessHacker
QUESTION
I've a strange problem. I started approx. 160 processes. Now, if the mouse pointer is on the Desktop, some actions which used to take 100ms, now take 10 seconds although the total load of the system is 13-16%. Even thrid party programs like processhacker slowing down and doesn't refresh their gui. If I move the mouse pointer over some window no matter which one (could be notepad) even the taskbar can help all goes back to normal. Processhacker is refreshing his lists and the responsivness is back to 100ms. Since Microsoft-Support won't help use - since or processes are programmed in Borland-Delphi we have no idea how to find out what's going on here. A colleague tries to reproduce the effect with this little test program:
...ANSWER
Answered 2021-Aug-16 at 06:42After we managed to add debug-symbols to some of our processes, we found the issue in the Delphi-VCL/Forms.pas. In a new trace, with debug-symbols, we saw that the Application.DoMouseIdle method spends a lot of time finding VCLWindows, get Parents of these and so on. The source of the slowdown is the "FindDragTarget" method. Our processes need no drag'n'drop functionality and they need no hint showing somewhere. So we cut this function call out of the code, which was not easy. Now everything is running fast undependend from the mouse position.
QUESTION
I was trying to read a memory from explorer.exe. With a program process hacker I found that on the address 0xfa07f8 this string is stored: \??\C:\Program Files\Process Hacker 2\ProcessHacker.exe
When I try to read the string of this address, I get only the first character of the string back. The '\' char. How can I read the whole string?
...ANSWER
Answered 2021-Jun-30 at 21:21You are reading wide characters from the process memory. MessageBoxA is for displaying "narrow" characters.
To display wide characters, use MessageBoxW.
QUESTION
ANSWER
Answered 2021-Jun-13 at 09:36There are some problems with your approach (my idea for a solution is further down):
Most of the strings listed are environment variablesAll of the programs that run on your computer have access to those. They are copied to the memory space of every program on startup so every program knows where to look for certain files. There is no point in removing them from the memory of your application, since every application running on your computer already knows them.
You can see them by running cmd.exe, typing set and then pressing return.
OpenProcess and VirtualQueryEx are for accessing another process
You could simply use VirtualQuery, since you only want to access your own process.
I guess you are trying to get access to non-committed memory pages by doing this, but memset can only access committed, writable memory pages in your own program's address space. So those two approaches don't mix.
But there is a more important point to this:
Non-committed memory does not existIf a memory page is not committed, there is no actual memory assigned to that address. That means, that there is nothing you can overwrite with zeroes. The memory containing your strings may already have been assigned to another application. Read some information about virtual memory management for details.
Most calls tofree, delete or garbage collection do not always actually decommit the page
For efficiency reasons, when your code allocates and deallocates memory, your runtime library hands you down little scraps of a larger page of memory (called "heap") that is only decommitted if every single piece in it has been freed.
You could find freed blocks of memory by walking over the heap entries, but how that works depends on your C runtime library or other runtime libraries.
The operating system might move your strings aroundIf the operating systems detects that there is a shortage of memory, it can save your strings to disk to free up memory for other applications, and reloads them when your application again becomes active. It usually does not bother to clean the disk up afterwards. You have no influence on that (unless you format your hard drive).
My ideas for a solutionBefore every call to free or delete in your code that frees
memory with sensitive information (and only those), you can call
memset(...) on that single block of memory. In C++, you can wrap that up in a class which clears its memory on destruction, as Alan Birtles pointed out in his comment.
I don't think there is a solution that you can simply pop onto an existing program that clears sensitive information after the memory has been freed.
This approach leaves only the last problem. You can only circumvent that if you never store your sensitive information unencrypted in memory. That is probably not feasible since that would mean that you do not handle it only encrypted.
What will be difficult or impossibleIf you want to clear freed memory in other processes (the separate *.exe files you cannot change you refer to in your edit), you have to understand the internal heap layout of those and use WriteProcessMemory instead of memset.
But this does not catch the case where the other program actually decommits a page, since you do not know if the operating system has already reassigned it. When this happens is completely outside of your control.
You might also try to reimplement the free and delete functions in your C runtime library so they first clear the memory and then call the original version, but this only works if they are actually used by those *.exe files and they are dynamically linked. If these conditions are met, you might still have a hard time.
QUESTION
I am trying to understand why use this casting style in ProcessHacker Code.
...ANSWER
Answered 2021-Mar-06 at 10:01This
QUESTION
I'm using the Cloud Mirror sample and I could create placeholders correctly before the Windows Update KB4592449. But after this update I can't create placeholders for the second or higher folder level in the base directory path, using the CfCreatePlaceholders function as is used in the sample, the error code 8007017c is now launched by this function. I reviewed this Spanish article where is mentioned that with the 18362.1256 and 18363.1256 Operating System compilations is avoided the security vulnerability that the apps that are executed as a SYSTEM account can print in the "FILE:" ports. And there is a suggestion that says: make sure your apps and services are executed as a specific user or service account. Currently I tried to execute my app as another account using PsExec and Process Hacker tools but I couldn't execute my app using a different account and I'm not really sure that with this my problem will be solved. If anyone could help me I will appreciate it, thanks.
...ANSWER
Answered 2020-Dec-16 at 07:13I can reproduce this issue on OS Build 19042.685.
The following is an example workaround (temporarily) you can refer to:
Change these code lines of CloudMirror:
QUESTION
i'm absolute beginner to this, i've been trying to collect handle on my system using ntquerysysteminformation and now i get the handle that i want(i know this by using processhacker) but the problem coming when i try to collect the pid from that handle in order to determine which handle that is correct to inject my dll(my function returns array of handle), i know it can be simply use getprocessid() from msdn but it returns 0x6 errorcode.
is there another graceful way to do this without using openprocess? *duplicatehandle() doesn't seems to work as well
or is there a way to simply add process_query_information access right to this handle?
...ANSWER
Answered 2020-Aug-14 at 09:05Since we are in an external process, so it makes no sense to distribute the handle provided by NtQuerySystemInformation, you need to copy the handle into our own process.
source process for testing:
QUESTION
cls
@ECHO OFF
title Heirloom SS Tool
:MENU
ECHO.
ECHO __________________________
ECHO| Select SS Option |
ECHO --------------------------
ECHO.
ECHO 1 -> Open Horion Folder
ECHO 2 -> Open Advanced Search Tool
ECHO 3 -> Open UserAssistView
ECHO 4 -> Open LastActivityView
ECHO 5 -> Open ProcessHacker
SET /P M=Type 1, 2, 3, 4 or 5 then press ENTER:
IF %M%==1 GOTO Horion
IF %M%==2 GOTO Search
IF %M%==3 GOTO UAV
IF %M%==4 GOTO LAV
IF %M%==5 GOTO PH
:Horion
explorer C:\Users\%USERNAME%\AppData\Local\Packages\Microsoft.MinecraftUWP_8wekyb3d8bbwe\RoamingState
GOTO MENU
:Search
cd Tools\Search
start everything.exe
GOTO MENU
:UAV
cd Tools\UAV
start UserAssistView.exe
GOTO MENU
:LAV
cd Tools\LAV
start LastActivityView.exe
GOTO MENU
:PH
cd Tools\ProccessHacker
start ProcessHacker.exe
GOTO MENU
EXIT
ANSWER
Answered 2020-Jul-04 at 16:33You need to escape special characters redirect > and pipe | using caret ^ as already mentioned to you by @Neko in a comment.
I would however rather use choice instead of set /p
QUESTION
begin TLDR;
I want to write a python3 script to scan through the memory of a running windows process and find strings.
end TLDR;
This is for a CTF binary. It's a typical Windows x86 PE file. The goal is simply to get a flag from the processes memory as it runs. This is easy with ProcessHacker you can search through the strings in the memory of the running application and find the flag with a regex. Now because I'm a masochistic geek I strive to script out solutions for CTFs (for everything really). Specifically I want to use python3, C# is also an option but would really like to keep all of the solution scripts in python.
Thought this would be a very simple task. You know... pip install some library written by someone that's already solved the problem and use it. Couldn't find anything that would let me do what I need for this task. Here are the libraries I tried out already.
ctypes - This was the first one I used, specifically ReadProcessMemory. Kept getting 299 errors which was because the buffer I was passing in was larger than that section of memory so I made a recursive function that would catch that exception, divide the buffer length by 2 until it got something THEN would read one byte at a time until it hit a 299 error. May have been on the right track there but I wasn't able to get the flag. I WAS able to find the flag only if I knew the exact address of the flag (which I'd get from process hacker). I may make a separate question on SO to address that, this one is really just me asking the community if something already exists before diving into this.
pymem - A nice wrapper for ctypes but had the same issues as above.
winappdbg - python2.x only. I don't want to use python 2.x.
haystack - Looks like this depends on winappdbg which depends on python 2.x.
angr - This is a possibility, Only scratched the surface with it so far. Looks complicated and it's on the to learn list but don't want to dive into something right now that's not going to solve the issue.
volatility - Looks like this is meant for working with full RAM dumps not for hooking into currently running processes and reading the memory.
My plan at the moment is to dive a bit more into angr to see if that will work, go back to pymem/ctypes and try more things. If all else fails ProcessHacker IS opensource. I'm not fluent in C so it'll take time to figure out how they're doing it. Really hoping there's some python3 library I'm missing or maybe I'm going about this the wrong way.
...ANSWER
Answered 2020-Jun-18 at 04:18Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install ProcessHacker
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page
