How get pid by process name?

flash_mark · January 23, 2017, 10:45am

I have following code that promise return pid by process name, but i’m getting only trash
in DbgView for pid and name.

#include <ntddk.h>
#include “ntapi.h” => http://pastebin.com/QNR9ncha
#include <ntstrsafe.h>
#pragma comment(lib, “ntstrsafe.lib”)

CODE => http://pastebin.com/M1NegWEw

DEBUG => http://image.prntscr.com/image/d78f486fb7eb4c278d18bfcb63796a77.png

Someone have idea how solve?

thanks in advance.</ntstrsafe.h></ntddk.h>

flash_mark · January 23, 2017, 11:46am

typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER Reserved[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE ProcessId;
HANDLE InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
ULONG PrivatePageCount;
VM_COUNTERS VirtualMemoryCounters;
IO_COUNTERS IoCounters;
SYSTEM_THREAD Threads[0];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

OSR_Community_User · January 23, 2017, 12:45pm

This could be done in user mode. Link the executable against NTDLL.LIB.

Replace ExAllocatePoolWithTag/ExFreePoolWithTag with HeapAlloc/HeapFree, DbgPrint with printf and so on… Most of the required types are defined in Winternl.h.

It is easy to locate a unicode string in memory: you have two USHORTS followed by an address. The second USHORT is the first plus 2.

Visual Studio is perfect for this job. Compiling, restarting and debugging a user mode app is much easier than compiling, reloading and debugging a kernel mode driver.

Within Visual Studio, use the Memory window with the Watch window to locate the unicode string in the SYSTREM_PROCESS_INFORMATION struct variable.

Good luck.

flash_mark · January 23, 2017, 1:02pm

@D.T

i’m need get pid in kernel mode.

Exist something to do for this my code works?

Why i’m getting trash, as pid and process name respectively?

OSR_Community_User · January 23, 2017, 2:12pm

NtQuerySystemInformation has the same prototype in user and kernel moide.

Why don’t you investigate in user mode ?

It is much easier, don’t you think ?

flash_mark · January 23, 2017, 6:51pm

@D.T

I already solved this trouble.

My error was a wrong struct of PSYSTEM_PROCESS_INFORMATION,

the struct that i found was exactly equals to this struct above, in another words, this struct above is 100% correct. I had used another struct very diferent (wrong).

Thank you by help me!