processhacker | purpose tool that helps you monitor system resources | Monitoring library

 by   processhacker C Version: v2.39 License: Non-SPDX

kandi X-RAY | processhacker Summary

kandi X-RAY | processhacker Summary

processhacker is a C library typically used in Performance Management, Monitoring applications. processhacker has no bugs, it has no vulnerabilities and it has medium support. However processhacker has a Non-SPDX License. You can download it from GitHub.

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Project Website - Project Downloads.
Support
    Quality
      Security
        License
          Reuse

            kandi-support Support

              processhacker has a medium active ecosystem.
              It has 5121 star(s) with 831 fork(s). There are 235 watchers for this library.
              OutlinedDot
              It had no major release in the last 12 months.
              There are 85 open issues and 698 have been closed. On average issues are closed in 38 days. There are no pull requests.
              It has a neutral sentiment in the developer community.
              The latest version of processhacker is v2.39

            kandi-Quality Quality

              processhacker has no bugs reported.

            kandi-Security Security

              processhacker has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.

            kandi-License License

              processhacker has a Non-SPDX License.
              Non-SPDX licenses can be open source with a non SPDX compliant license, or non open source licenses, and you need to review them closely before use.

            kandi-Reuse Reuse

              processhacker releases are available to install and integrate.

            Top functions reviewed by kandi - BETA

            kandi's functional review helps you automatically verify the functionalities of the libraries and avoid rework.
            Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of processhacker
            Get all kandi verified functions for this library.

            processhacker Key Features

            No Key Features are available at this moment for processhacker.

            processhacker Examples and Code Snippets

            No Code Snippets are available at this moment for processhacker.

            Community Discussions

            QUESTION

            Clear strings from process memory
            Asked 2021-Jun-13 at 09:52

            To improve the security of my application, I am trying to delete string data from the process memory, but since there is little information about this on the Internet, I could not write a working code.

            Can anyone help me?

            String Data to be cleared (from ProcessHacker).

            My pasted code:

            ...

            ANSWER

            Answered 2021-Jun-13 at 09:36

            There are some problems with your approach (my idea for a solution is further down):

            Most of the strings listed are environment variables

            All of the programs that run on your computer have access to those. They are copied to the memory space of every program on startup so every program knows where to look for certain files. There is no point in removing them from the memory of your application, since every application running on your computer already knows them.

            You can see them by running cmd.exe, typing set and then pressing return.

            OpenProcess and VirtualQueryEx are for accessing another process

            You could simply use VirtualQuery, since you only want to access your own process.

            I guess you are trying to get access to non-committed memory pages by doing this, but memset can only access committed, writable memory pages in your own program's address space. So those two approaches don't mix.

            But there is a more important point to this:

            Non-committed memory does not exist

            If a memory page is not committed, there is no actual memory assigned to that address. That means, that there is nothing you can overwrite with zeroes. The memory containing your strings may already have been assigned to another application. Read some information about virtual memory management for details.

            Most calls to free, delete or garbage collection do not always actually decommit the page

            For efficiency reasons, when your code allocates and deallocates memory, your runtime library hands you down little scraps of a larger page of memory (called "heap") that is only decommitted if every single piece in it has been freed.

            You could find freed blocks of memory by walking over the heap entries, but how that works depends on your C runtime library or other runtime libraries.

            The operating system might move your strings around

            If the operating systems detects that there is a shortage of memory, it can save your strings to disk to free up memory for other applications, and reloads them when your application again becomes active. It usually does not bother to clean the disk up afterwards. You have no influence on that (unless you format your hard drive).

            My ideas for a solution

            Before every call to free or delete in your code that frees memory with sensitive information (and only those), you can call memset(...) on that single block of memory. In C++, you can wrap that up in a class which clears its memory on destruction, as Alan Birtles pointed out in his comment.

            I don't think there is a solution that you can simply pop onto an existing program that clears sensitive information after the memory has been freed.

            This approach leaves only the last problem. You can only circumvent that if you never store your sensitive information unencrypted in memory. That is probably not feasible since that would mean that you do not handle it only encrypted.

            What will be difficult or impossible

            If you want to clear freed memory in other processes (the separate *.exe files you cannot change you refer to in your edit), you have to understand the internal heap layout of those and use WriteProcessMemory instead of memset.

            But this does not catch the case where the other program actually decommits a page, since you do not know if the operating system has already reassigned it. When this happens is completely outside of your control.

            You might also try to reimplement the free and delete functions in your C runtime library so they first clear the memory and then call the original version, but this only works if they are actually used by those *.exe files and they are dynamically linked. If these conditions are met, you might still have a hard time.

            Source https://stackoverflow.com/questions/67955877

            QUESTION

            What are the advantages of using "{}" for casting in C Language?
            Asked 2021-Mar-06 at 10:09

            I am trying to understand why use this casting style in ProcessHacker Code.

            ...

            ANSWER

            Answered 2021-Mar-06 at 10:01

            QUESTION

            Error 8007017c using CfCreatePlaceholders after Windows update KB4592449
            Asked 2020-Dec-16 at 07:13

            I'm using the Cloud Mirror sample and I could create placeholders correctly before the Windows Update KB4592449. But after this update I can't create placeholders for the second or higher folder level in the base directory path, using the CfCreatePlaceholders function as is used in the sample, the error code 8007017c is now launched by this function. I reviewed this Spanish article where is mentioned that with the 18362.1256 and 18363.1256 Operating System compilations is avoided the security vulnerability that the apps that are executed as a SYSTEM account can print in the "FILE:" ports. And there is a suggestion that says: make sure your apps and services are executed as a specific user or service account. Currently I tried to execute my app as another account using PsExec and Process Hacker tools but I couldn't execute my app using a different account and I'm not really sure that with this my problem will be solved. If anyone could help me I will appreciate it, thanks.

            ...

            ANSWER

            Answered 2020-Dec-16 at 07:13

            I can reproduce this issue on OS Build 19042.685.

            The following is an example workaround (temporarily) you can refer to:

            Change these code lines of CloudMirror:

            Source https://stackoverflow.com/questions/65307825

            QUESTION

            is there a way to add process_query_information to existing process handle?
            Asked 2020-Aug-14 at 09:05

            i'm absolute beginner to this, i've been trying to collect handle on my system using ntquerysysteminformation and now i get the handle that i want(i know this by using processhacker) but the problem coming when i try to collect the pid from that handle in order to determine which handle that is correct to inject my dll(my function returns array of handle), i know it can be simply use getprocessid() from msdn but it returns 0x6 errorcode.

            is there another graceful way to do this without using openprocess? *duplicatehandle() doesn't seems to work as well

            or is there a way to simply add process_query_information access right to this handle?

            ...

            ANSWER

            Answered 2020-Aug-14 at 09:05

            Since we are in an external process, so it makes no sense to distribute the handle provided by NtQuerySystemInformation, you need to copy the handle into our own process.

            source process for testing:

            Source https://stackoverflow.com/questions/63149347

            QUESTION

            How do I make a batch file that opens certain programs?
            Asked 2020-Jul-04 at 16:33
            cls
            @ECHO OFF
            title Heirloom SS Tool
            :MENU
            ECHO.
            ECHO __________________________
            ECHO|     Select SS Option     |
            ECHO --------------------------
            ECHO.
            ECHO 1 -> Open Horion Folder
            ECHO 2 -> Open Advanced Search Tool
            ECHO 3 -> Open UserAssistView
            ECHO 4 -> Open LastActivityView
            ECHO 5 -> Open ProcessHacker
            SET /P M=Type 1, 2, 3, 4 or 5 then press ENTER:
            IF %M%==1 GOTO Horion
            IF %M%==2 GOTO Search
            IF %M%==3 GOTO UAV
            IF %M%==4 GOTO LAV
            IF %M%==5 GOTO PH
            :Horion
            explorer C:\Users\%USERNAME%\AppData\Local\Packages\Microsoft.MinecraftUWP_8wekyb3d8bbwe\RoamingState
            GOTO MENU
            :Search
            cd Tools\Search
            start everything.exe
            GOTO MENU
            :UAV
            cd Tools\UAV
            start UserAssistView.exe
            GOTO MENU
            :LAV
            cd Tools\LAV
            start LastActivityView.exe
            GOTO MENU
            :PH
            cd Tools\ProccessHacker
            start ProcessHacker.exe
            GOTO MENU
            EXIT
            
            ...

            ANSWER

            Answered 2020-Jul-04 at 16:33

            You need to escape special characters redirect > and pipe | using caret ^ as already mentioned to you by @Neko in a comment.

            I would however rather use choice instead of set /p

            Source https://stackoverflow.com/questions/62724778

            QUESTION

            Python3 Search the virtual memory of a running windows process
            Asked 2020-Jun-18 at 04:18

            begin TLDR;

            I want to write a python3 script to scan through the memory of a running windows process and find strings.

            end TLDR;

            This is for a CTF binary. It's a typical Windows x86 PE file. The goal is simply to get a flag from the processes memory as it runs. This is easy with ProcessHacker you can search through the strings in the memory of the running application and find the flag with a regex. Now because I'm a masochistic geek I strive to script out solutions for CTFs (for everything really). Specifically I want to use python3, C# is also an option but would really like to keep all of the solution scripts in python.

            Thought this would be a very simple task. You know... pip install some library written by someone that's already solved the problem and use it. Couldn't find anything that would let me do what I need for this task. Here are the libraries I tried out already.

            • ctypes - This was the first one I used, specifically ReadProcessMemory. Kept getting 299 errors which was because the buffer I was passing in was larger than that section of memory so I made a recursive function that would catch that exception, divide the buffer length by 2 until it got something THEN would read one byte at a time until it hit a 299 error. May have been on the right track there but I wasn't able to get the flag. I WAS able to find the flag only if I knew the exact address of the flag (which I'd get from process hacker). I may make a separate question on SO to address that, this one is really just me asking the community if something already exists before diving into this.

            • pymem - A nice wrapper for ctypes but had the same issues as above.

            • winappdbg - python2.x only. I don't want to use python 2.x.

            • haystack - Looks like this depends on winappdbg which depends on python 2.x.

            • angr - This is a possibility, Only scratched the surface with it so far. Looks complicated and it's on the to learn list but don't want to dive into something right now that's not going to solve the issue.

            • volatility - Looks like this is meant for working with full RAM dumps not for hooking into currently running processes and reading the memory.

            My plan at the moment is to dive a bit more into angr to see if that will work, go back to pymem/ctypes and try more things. If all else fails ProcessHacker IS opensource. I'm not fluent in C so it'll take time to figure out how they're doing it. Really hoping there's some python3 library I'm missing or maybe I'm going about this the wrong way.

            ...

            ANSWER

            Answered 2020-Jun-18 at 04:18

            Ended up writing the script using the frida library. Also have to give soutz to rootbsd because his or her code in the fridump3 project helped greatly.

            Source https://stackoverflow.com/questions/62417063

            QUESTION

            Prevent administrator from taking ownership of an object
            Asked 2020-Apr-04 at 13:50

            As a premise I want you to know that this has nothing to do with game cheating, as I am only interested in knowing the way that Windows works. I don't even personally play video-games.

            EasyAntiCheat, that comes with Fortnite, prevents the game process to be modified and his parameters to be changed.

            For example, trying to change the priority (I am not looking for a way to change priority, as a solution has already been posted here, and here in a Wayback Machine capture) results in an access denied error.

            Modifying the process' ACL using Process Hacker or Process Explorer also produces the same error, even if the user is an administrator and holds the SeTakeOwnershipPrivilege right.

            Since:

            • PatchGuard is enabled, so old-style kernel hooking is not possible even for the EAC driver
            • Kernel exposes APIs that only allow drivers to be notified of system calls happening and not to change the the stock kernel behavior
            • EasyAntiCheat driver file-system mini-filter should not affect processes ACL. In fact, the result is the same even when the filter is unloaded using FLTMC.exe
            • A code injection within the process does not seem to be happening, at least when listing the Load Image events with Process Monitor, even though injection could be achieved by other means (I don't have enough knowledge about this)
            • The process is not Protected or Light Protected

            What is the mechanism through which Windows 10 x64 (1803) allows EAC to do what described above? Maybe to find an answer it would be enought to put more attention to the 4th method.

            Here you can find a link to a list of the Load Image events that show up from the startup of ProcessHacker.exe to its end in Sysinternals Process Monitor.

            P.S.: Excuse me for any grammar error, English is not my main language.

            ...

            ANSWER

            Answered 2020-Apr-04 at 13:50

            So I almost randomly came around this post on Reddit that I think explains it.

            The key is the ObRegisterCallbacks kernel-mode function that I didn't know about.

            It allows a driver to register for events about processes, threads and (starting with Windows 10) desktop objects.

            I was initally aware of PsSetCreateProcessNotifyRoutine, which not only allows to "passively" monitor processes creation/termination, but provides a driver a way to "actively" cancelling the creation by returning an error on the callback.

            That wasn't however what I was dealing with in my case: there was no process creation going on, just me trying to rise the priority of a process that was not Protected or Light Protected.

            The use of ObRegisterCallbacks goes like this: the protecting driver, from the registered callback, would strip the DesiredAccess of the handle request to what it wants, making the handle creation operation proceed as the process never actually asked to be able to terminate/set process priority, and thus effectively blocking it.

            A good example is provided in this GitHub repo. This link is a permalink to the point in code that accesses the DesiredAccess member of CreateHandleInformation (or DuplicateHandleInformation).

            Source https://stackoverflow.com/questions/53544656

            QUESTION

            How to get conhost.exe process id?
            Asked 2019-Apr-29 at 09:49

            After doing some research and looking at the source code of ProcessHacker, it seems the way to obtain conhost.exe's process id is to use NtQuerySystemInformation.

            I wrote the following little program for testing purposes but, it isn't working and I don't see why.

            ...

            ANSWER

            Answered 2019-Apr-29 at 09:49

            Seems that parameter ProcessConsoleHostProcess(49) is not support in 32-bit, and I can just get it work in 64-bit program. You could try to compile it with x64.

            There are also reminders in the document

            To maintain the compatibility of your application, it is better to use public functions mentioned in the description of the ProcessInformationClass parameter instead.

            Or you could also get it in another way with Tool Help Functions. Here is the related sample.

            Source https://stackoverflow.com/questions/55859561

            QUESTION

            How to detect if Windows 10 is in tablet mode
            Asked 2019-Mar-19 at 06:27

            I'm trying to find a method to detect if Windows 10 is in tablet mode or not. Please note, this is not about querying whether the user has a Tablet PC or not - that can be solved with GetSystemMetrics(SM_CONVERTIBLESLATEMODE). In my case the above function always returns 0 - whether Win10 is in tablet mode or not.

            This thread without an epilogue seems to suggest that there is no WinAPI call that could detect Tablet mode. I hope that isn't the case, since there are different WM messages posted by the OS if it's in tablet mode or not. In tablet mode WM_SHOWWINDOW isn't sent which means I need to address the launching of the application differently if Windows 10 is in tablet mode.

            I could just move the code that is currently triggered after receiving the WM_SHOWWINDOW message somewhere else (just after ShowWindow is called), but then I get a WM_DPICHANGED message with null parameters.

            ...

            ANSWER

            Answered 2019-Mar-19 at 06:27

            You can use UIViewSettings.UserInteractionMode @Raymond pointed out.

            Refer to "Tablet mode" "How can I detect whether my PC is in tablet mode?"

            Source https://stackoverflow.com/questions/55225753

            QUESTION

            P/Invoke definition for RtlCrc32 and RtlCrc64 functions?
            Asked 2019-Mar-17 at 11:27

            I would like to request a working P/Invoke definition for the undocumented RtlCrc32 and RtlCrc64 functions.

            I'm aware about existing CRC-32 algorithms in managed code, but I prefer to go the Microsoft Windows way to avoid possible human errors and/or negative performance from my side due inexperience on checksum calculation, just that.

            These are the functions declared in winnt.h header file (Windows 10 SDK):

            ...

            ANSWER

            Answered 2019-Mar-17 at 06:10

            Your definitions are fine. The functions return the CRC value rather than an error code.

            It might be easier to declare the buffer as byte[] and let the marshaler pin the array for you, avoiding a copy.

            The initial value is part of the input to a CRC algorithm. When comparing against output from another CRC algorithm you need to know what initial value was used.

            Source https://stackoverflow.com/questions/55202997

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install processhacker

            You can download it from GitHub.

            Support

            Please use the GitHub issue tracker for reporting problems or suggesting new features.
            Find more information at:

            Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items

            Find more libraries
            CLONE
          • HTTPS

            https://github.com/processhacker/processhacker.git

          • CLI

            gh repo clone processhacker/processhacker

          • sshUrl

            git@github.com:processhacker/processhacker.git

          • Stay Updated

            Subscribe to our newsletter for trending solutions and developer bootcamps

            Agree to Sign up and Terms & Conditions

            Share this Page

            share link

            Explore Related Topics

            Consider Popular Monitoring Libraries

            netdata

            by netdata

            sentry

            by getsentry

            skywalking

            by apache

            osquery

            by osquery

            cat

            by dianping

            Try Top Libraries by processhacker

            phnt

            by processhackerC

            plugins-extra

            by processhackerC