2

I am trying to obtain a list of all currently running processes on a windows machine.

I am trying it with winapi calls via JNA to EnumProcesses -> OpenProcess -> GetModuleBaseNameW -> CloseHandle It fails at the OpenProcess call. GetLastError returns 5 (ERROR_ACCESS_DENIED).

This is my code:

public static final int PROCESS_QUERY_INFORMATION = 0x0400;
public static final int PROCESS_VM_READ = 0x0010;
public static final int PROCESS_VM_WRITE = 0x0020;
public static final int PROCESS_VM_OPERATION = 0x0008;


public interface Psapi extends StdCallLibrary {
    Psapi INSTANCE = (Psapi) Native.loadLibrary("Psapi", Psapi.class);

    boolean EnumProcesses(int[] ProcessIDsOut, int size, int[] BytesReturned);

    DWORD GetModuleBaseNameW(Pointer hProcess, Pointer hModule, byte[] lpBaseName, int nSize);

}

public interface Kernel32 extends StdCallLibrary {
    Kernel32 INSTANCE = (Kernel32) Native.loadLibrary("Kernel32", Kernel32.class);

    Pointer OpenProcess(int dwDesiredAccess, boolean bInheritHandle, int dwProcessId);

    boolean CloseHandle(Pointer hObject);

}

public static void main(String[] args) {
    int[] processlist = new int[1024];
    int[] dummylist = new int[1024];
    Psapi.INSTANCE.EnumProcesses(processlist, 1024, dummylist);

    for (int pid : processlist) {
        System.out.println(pid);
        Pointer ph = Kernel32.INSTANCE.OpenProcess(PROCESS_VM_READ, false, pid);

        try {
            Thread.sleep(1000);
        } catch (Exception ignore) {
        }

        System.err.println(com.sun.jna.platform.win32.Kernel32.INSTANCE.GetLastError()); // <- 5
        System.err.println(ph); // <- null
        if (ph != null) {
            byte[] filename = new byte[512];
            Psapi.INSTANCE.GetModuleBaseNameW(ph, new Pointer(0), filename, 512);

            try {
                Thread.sleep(1000);
            } catch (Exception ignore) {
            }

            System.err.println(Native.toString(filename));
            Kernel32.INSTANCE.CloseHandle(ph);
        }

    }

}
cutze
  • 93
  • 1
  • 8
  • Note that JNA includes a platform library which wraps many WinAPI calls already, so you'd have to do less. – MauganRa Mar 10 '17 at 08:20

1 Answers1

1

Calling OpenProcess with PROCESS_VM_READ means that you want to read the memory of that process. To do this, you need the SE_DEBUG_PRIVLEGE. Your application doesn't have that privilege which is why you are getting access denied.

Check the MSDN article for ReadProcessMemory. There is some community content on how to acquire that privilege.

Steve
  • 7,171
  • 2
  • 30
  • 52
  • 1
    Thank you for your answer! I found out that I can read the memory of processes that belong to the current user, this is sufficient for me. – cutze May 21 '13 at 12:26