
I am writing a program on Windows XP, trying to get the process handle of calc.exe. I can assume that the user indeed ran calc.exe, but he might have changed the file name.

Is there a way to get the calc.exe process's handle even though its name has been changed?

I have found this answer but it doesn't deal with the case when the naughty user changes the name (for example to calc_new.exe):

How can I get a process handle by its name in C++?

Is there some other property of a Win32 process I can use to find the handle?

0x90

2 Answers


You can do this with the following sequence of Win32 API calls:

  1. Use Spy++ or something similar to find the class name of the top level window you are targeting.
  2. Call FindWindow or EnumWindows to find top-level windows with that class name.
  3. Call GetWindowThreadProcessId to find the process ID of each window of interest.
  4. Call OpenProcess passing the process ID to get a process handle.
David Heffernan

If the user can change the name of calc.exe, what else can they change to avoid detection? Arbitrary bytes in the executable? If that's the case, then you're facing the same sort of problem that virus scanner vendors face.

Anyway, here's my crazy idea (untested! unworkable, really):

  1. Use CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0) to snapshot the module information for all processes.
  2. Walk through the list of processes in the snapshot.
  3. For each process, walk through the list of modules.
  4. For each module, look at MODULEENTRY32::szExePath to find the path from which the module was loaded. This assumes that the module is still in that location, hasn't been overwritten, the disk hasn't been removed, etc.
  5. You might want to compare the file size against a list of known calc.exe file sizes, but that won't help. The user may have padded the executable or compressed it (with UPX, for example) in order to avoid detection.
  6. Use WinVerifyTrust() to check the module's digital signature. If it's signed by someone other than Microsoft, unsigned, or the signature doesn't check out, then it may be a copy of calc.exe that the user has modified (and possibly re-signed) in order to avoid detection, and you must flag the process as being calc.exe.
  7. If the module's digital signature indicates that the file was signed by Microsoft and is unmodified, then use GetFileVersionInfo() and friends to get the OriginalFilename string. If the string is equal to CALC.EXE, then flag the process as being calc.exe.
bk1e
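Steps 4, 6 and 7 of the answer above, carried out over every running process, as an added example that is not part of the question or either answer. It is written in PowerShell rather than the asker's C++, uses Get-AuthenticodeSignature in place of a direct WinVerifyTrust() call, and assumes PowerShell 3.0 or later running with enough rights to read other processes' main module; the function name Find-RenamedExecutable and the defaults are the example's own.

```powershell
function Find-RenamedExecutable {
    param(
        [string]$OriginalName   = 'CALC.EXE',   # OriginalFilename string to look for (step 7)
        [string]$ExpectedSigner = 'Microsoft'   # substring expected in the signer's subject (step 6)
    )
    foreach ($p in Get-Process) {
        # Step 4: path the main image was loaded from. This throws for processes
        # we lack rights to (System, protected processes), so those are skipped.
        try { $path = $p.MainModule.FileName } catch { continue }

        # Step 6: Authenticode check, the PowerShell equivalent of WinVerifyTrust().
        $sig     = Get-AuthenticodeSignature -FilePath $path
        $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $trusted = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedSigner*")

        # Step 7: OriginalFilename from the version resource; it does not change
        # when the user renames the file on disk.
        $orig = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path).OriginalFilename

        $verdict = $null
        if ($orig -and ($orig -ieq $OriginalName)) {
            if ($trusted) { $verdict = 'genuine image (possibly renamed on disk)' }
            else          { $verdict = 'claims to be target but signature not trusted: modified copy?' }
        } elseif (-not $trusted) {
            # Step 6's fallback: an untrusted image could be a tampered copy whose
            # version resource was stripped or edited, so report it for review.
            $verdict = 'untrusted image; version info cannot be relied on'
        }
        if ($verdict) {
            [pscustomobject]@{
                Id = $p.Id; Name = $p.ProcessName; Path = $path
                OriginalFilename = $orig; Signature = $sig.Status; Signer = $signer
                Verdict = $verdict
            }
        }
    }
}

# Example use: list everything that looks like calc.exe or that cannot be trusted.
Find-RenamedExecutable | Format-Table -AutoSize
```

Windows system binaries such as calc.exe are usually catalog-signed rather than carrying an embedded signature, so on Windows XP (and on WinVerifyTrust() called with file information alone) they report as NotSigned; a catalog-aware verification (WTD_CHOICE_CATALOG) is needed before step 6 can treat them as trusted.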