processhacker | purpose tool that helps you monitor system resources | Monitoring library
kandi X-RAY | processhacker Summary
kandi X-RAY | processhacker Summary
A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Project Website - Project Downloads.
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of processhacker
processhacker Key Features
processhacker Examples and Code Snippets
Community Discussions
Trending Discussions on processhacker
QUESTION
ANSWER
Answered 2021-Jun-13 at 09:36There are some problems with your approach (my idea for a solution is further down):
Most of the strings listed are environment variablesAll of the programs that run on your computer have access to those. They are copied to the memory space of every program on startup so every program knows where to look for certain files. There is no point in removing them from the memory of your application, since every application running on your computer already knows them.
You can see them by running cmd.exe
, typing set
and then pressing return
.
OpenProcess
and VirtualQueryEx
are for accessing another process
You could simply use VirtualQuery
, since you only want to access your own process.
I guess you are trying to get access to non-committed memory pages by doing this, but memset
can only access committed, writable memory pages in your own program's address space. So those two approaches don't mix.
But there is a more important point to this:
Non-committed memory does not existIf a memory page is not committed, there is no actual memory assigned to that address. That means, that there is nothing you can overwrite with zeroes. The memory containing your strings may already have been assigned to another application. Read some information about virtual memory management for details.
Most calls tofree
, delete
or garbage collection do not always actually decommit the page
For efficiency reasons, when your code allocates and deallocates memory, your runtime library hands you down little scraps of a larger page of memory (called "heap") that is only decommitted if every single piece in it has been freed.
You could find freed blocks of memory by walking over the heap entries, but how that works depends on your C runtime library or other runtime libraries.
The operating system might move your strings aroundIf the operating systems detects that there is a shortage of memory, it can save your strings to disk to free up memory for other applications, and reloads them when your application again becomes active. It usually does not bother to clean the disk up afterwards. You have no influence on that (unless you format your hard drive).
My ideas for a solutionBefore every call to free
or delete
in your code that frees
memory with sensitive information (and only those), you can call
memset(...)
on that single block of memory. In C++, you can wrap that up in a class which clears its memory on destruction, as Alan Birtles pointed out in his comment.
I don't think there is a solution that you can simply pop onto an existing program that clears sensitive information after the memory has been freed.
This approach leaves only the last problem. You can only circumvent that if you never store your sensitive information unencrypted in memory. That is probably not feasible since that would mean that you do not handle it only encrypted.
What will be difficult or impossibleIf you want to clear freed memory in other processes (the separate *.exe files you cannot change you refer to in your edit), you have to understand the internal heap layout of those and use WriteProcessMemory
instead of memset
.
But this does not catch the case where the other program actually decommits a page, since you do not know if the operating system has already reassigned it. When this happens is completely outside of your control.
You might also try to reimplement the free
and delete
functions in your C runtime library so they first clear the memory and then call the original version, but this only works if they are actually used by those *.exe files and they are dynamically linked. If these conditions are met, you might still have a hard time.
QUESTION
I am trying to understand why use this casting style in ProcessHacker Code.
...ANSWER
Answered 2021-Mar-06 at 10:01This
QUESTION
I'm using the Cloud Mirror sample and I could create placeholders correctly before the Windows Update KB4592449. But after this update I can't create placeholders for the second or higher folder level in the base directory path, using the CfCreatePlaceholders function as is used in the sample, the error code 8007017c is now launched by this function. I reviewed this Spanish article where is mentioned that with the 18362.1256 and 18363.1256 Operating System compilations is avoided the security vulnerability that the apps that are executed as a SYSTEM account can print in the "FILE:" ports. And there is a suggestion that says: make sure your apps and services are executed as a specific user or service account. Currently I tried to execute my app as another account using PsExec and Process Hacker tools but I couldn't execute my app using a different account and I'm not really sure that with this my problem will be solved. If anyone could help me I will appreciate it, thanks.
...ANSWER
Answered 2020-Dec-16 at 07:13I can reproduce this issue on OS Build 19042.685.
The following is an example workaround (temporarily) you can refer to:
Change these code lines of CloudMirror:
QUESTION
i'm absolute beginner to this, i've been trying to collect handle on my system using ntquerysysteminformation and now i get the handle that i want(i know this by using processhacker) but the problem coming when i try to collect the pid from that handle in order to determine which handle that is correct to inject my dll(my function returns array of handle), i know it can be simply use getprocessid() from msdn but it returns 0x6 errorcode.
is there another graceful way to do this without using openprocess? *duplicatehandle() doesn't seems to work as well
or is there a way to simply add process_query_information access right to this handle?
...ANSWER
Answered 2020-Aug-14 at 09:05Since we are in an external process, so it makes no sense to distribute the handle provided by NtQuerySystemInformation
, you need to copy the handle into our own process.
source process for testing:
QUESTION
cls
@ECHO OFF
title Heirloom SS Tool
:MENU
ECHO.
ECHO __________________________
ECHO| Select SS Option |
ECHO --------------------------
ECHO.
ECHO 1 -> Open Horion Folder
ECHO 2 -> Open Advanced Search Tool
ECHO 3 -> Open UserAssistView
ECHO 4 -> Open LastActivityView
ECHO 5 -> Open ProcessHacker
SET /P M=Type 1, 2, 3, 4 or 5 then press ENTER:
IF %M%==1 GOTO Horion
IF %M%==2 GOTO Search
IF %M%==3 GOTO UAV
IF %M%==4 GOTO LAV
IF %M%==5 GOTO PH
:Horion
explorer C:\Users\%USERNAME%\AppData\Local\Packages\Microsoft.MinecraftUWP_8wekyb3d8bbwe\RoamingState
GOTO MENU
:Search
cd Tools\Search
start everything.exe
GOTO MENU
:UAV
cd Tools\UAV
start UserAssistView.exe
GOTO MENU
:LAV
cd Tools\LAV
start LastActivityView.exe
GOTO MENU
:PH
cd Tools\ProccessHacker
start ProcessHacker.exe
GOTO MENU
EXIT
...ANSWER
Answered 2020-Jul-04 at 16:33You need to escape special characters redirect >
and pipe |
using caret ^
as already mentioned to you by @Neko in a comment.
I would however rather use choice
instead of set /p
QUESTION
begin TLDR;
I want to write a python3 script to scan through the memory of a running windows process and find strings.
end TLDR;
This is for a CTF binary. It's a typical Windows x86 PE file. The goal is simply to get a flag from the processes memory as it runs. This is easy with ProcessHacker you can search through the strings in the memory of the running application and find the flag with a regex. Now because I'm a masochistic geek I strive to script out solutions for CTFs (for everything really). Specifically I want to use python3, C# is also an option but would really like to keep all of the solution scripts in python.
Thought this would be a very simple task. You know... pip install some library written by someone that's already solved the problem and use it. Couldn't find anything that would let me do what I need for this task. Here are the libraries I tried out already.
ctypes - This was the first one I used, specifically ReadProcessMemory. Kept getting 299 errors which was because the buffer I was passing in was larger than that section of memory so I made a recursive function that would catch that exception, divide the buffer length by 2 until it got something THEN would read one byte at a time until it hit a 299 error. May have been on the right track there but I wasn't able to get the flag. I WAS able to find the flag only if I knew the exact address of the flag (which I'd get from process hacker). I may make a separate question on SO to address that, this one is really just me asking the community if something already exists before diving into this.
pymem - A nice wrapper for ctypes but had the same issues as above.
winappdbg - python2.x only. I don't want to use python 2.x.
haystack - Looks like this depends on winappdbg which depends on python 2.x.
angr - This is a possibility, Only scratched the surface with it so far. Looks complicated and it's on the to learn list but don't want to dive into something right now that's not going to solve the issue.
volatility - Looks like this is meant for working with full RAM dumps not for hooking into currently running processes and reading the memory.
My plan at the moment is to dive a bit more into angr to see if that will work, go back to pymem/ctypes and try more things. If all else fails ProcessHacker IS opensource. I'm not fluent in C so it'll take time to figure out how they're doing it. Really hoping there's some python3 library I'm missing or maybe I'm going about this the wrong way.
...ANSWER
Answered 2020-Jun-18 at 04:18QUESTION
As a premise I want you to know that this has nothing to do with game cheating, as I am only interested in knowing the way that Windows works. I don't even personally play video-games.
EasyAntiCheat, that comes with Fortnite, prevents the game process to be modified and his parameters to be changed.
For example, trying to change the priority (I am not looking for a way to change priority, as a solution has already been posted here, and here in a Wayback Machine capture) results in an access denied error.
Modifying the process' ACL using Process Hacker or Process Explorer also produces the same error, even if the user is an administrator and holds the SeTakeOwnershipPrivilege right.
Since:
- PatchGuard is enabled, so old-style kernel hooking is not possible even for the EAC driver
- Kernel exposes APIs that only allow drivers to be notified of system calls happening and not to change the the stock kernel behavior
- EasyAntiCheat driver file-system mini-filter should not affect processes ACL. In fact, the result is the same even when the filter is unloaded using FLTMC.exe
- A code injection within the process does not seem to be happening, at least when listing the Load Image events with Process Monitor, even though injection could be achieved by other means (I don't have enough knowledge about this)
- The process is not Protected or Light Protected
What is the mechanism through which Windows 10 x64 (1803) allows EAC to do what described above? Maybe to find an answer it would be enought to put more attention to the 4th method.
Here you can find a link to a list of the Load Image events that show up from the startup of ProcessHacker.exe to its end in Sysinternals Process Monitor.
P.S.: Excuse me for any grammar error, English is not my main language.
...ANSWER
Answered 2020-Apr-04 at 13:50So I almost randomly came around this post on Reddit that I think explains it.
The key is the ObRegisterCallbacks
kernel-mode function that I didn't know about.
It allows a driver to register for events about processes, threads and (starting with Windows 10) desktop objects.
I was initally aware of PsSetCreateProcessNotifyRoutine
, which not only allows to "passively" monitor processes creation/termination, but provides a driver a way to "actively" cancelling the creation by returning an error on the callback.
That wasn't however what I was dealing with in my case: there was no process creation going on, just me trying to rise the priority of a process that was not Protected or Light Protected.
The use of ObRegisterCallbacks
goes like this:
the protecting driver, from the registered callback, would strip the DesiredAccess
of the handle request to what it wants, making the handle creation operation proceed as the process never actually asked to be able to terminate/set process priority, and thus effectively blocking it.
A good example is provided in this GitHub repo. This link is a permalink to the point in code that accesses the DesiredAccess
member of CreateHandleInformation
(or DuplicateHandleInformation
).
QUESTION
After doing some research and looking at the source code of ProcessHacker, it seems the way to obtain conhost.exe's process id is to use NtQuerySystemInformation.
I wrote the following little program for testing purposes but, it isn't working and I don't see why.
...ANSWER
Answered 2019-Apr-29 at 09:49Seems that parameter ProcessConsoleHostProcess(49)
is not support in 32-bit, and I can just get it work in 64-bit program. You could try to compile it with x64.
There are also reminders in the document
To maintain the compatibility of your application, it is better to use public functions mentioned in the description of the ProcessInformationClass parameter instead.
Or you could also get it in another way with Tool Help Functions. Here is the related sample.
QUESTION
I'm trying to find a method to detect if Windows 10 is in tablet mode or not. Please note, this is not about querying whether the user has a Tablet PC or not - that can be solved with GetSystemMetrics(SM_CONVERTIBLESLATEMODE)
. In my case the above function always returns 0 - whether Win10 is in tablet mode or not.
This thread without an epilogue seems to suggest that there is no WinAPI call that could detect Tablet mode. I hope that isn't the case, since there are different WM messages posted by the OS if it's in tablet mode or not. In tablet mode WM_SHOWWINDOW isn't sent which means I need to address the launching of the application differently if Windows 10 is in tablet mode.
I could just move the code that is currently triggered after receiving the WM_SHOWWINDOW
message somewhere else (just after ShowWindow
is called), but then I get a WM_DPICHANGED
message with null parameters.
ANSWER
Answered 2019-Mar-19 at 06:27You can use UIViewSettings.UserInteractionMode @Raymond pointed out.
Refer to "Tablet mode" "How can I detect whether my PC is in tablet mode?"
QUESTION
I would like to request a working P/Invoke definition for the undocumented RtlCrc32 and RtlCrc64 functions.
I'm aware about existing CRC-32 algorithms in managed code, but I prefer to go the Microsoft Windows way to avoid possible human errors and/or negative performance from my side due inexperience on checksum calculation, just that.
These are the functions declared in winnt.h header file (Windows 10 SDK):
...ANSWER
Answered 2019-Mar-17 at 06:10Your definitions are fine. The functions return the CRC value rather than an error code.
It might be easier to declare the buffer as byte[]
and let the marshaler pin the array for you, avoiding a copy.
The initial value is part of the input to a CRC algorithm. When comparing against output from another CRC algorithm you need to know what initial value was used.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install processhacker
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page