Sign in to follow this  
Followers 0
Ascend4nt

ProcessGetOwner approach - issues

4 posts in this topic

#1 ·  Posted (edited)

*EDIT: The updated _ProcessGetOwner() is now a part of my Process Functions UDFs, click the link for it.

----------------------------------------------------------------------------------------

Hi all,

I've coded the below _ProcessGetOwner() function and, while it seems to work on XP, I've experienced failure on like 5% of processes in Vista+ - with seemingly random names (or none at all) being returned for some Processes.

If anyone has any idea if the below code could be tweaked somehow, or if there's another alternative (tried OpenProcessToken and GetKernelObjectSecurity, both failed) please let me know.

The _GetPrivilege_SeDebug is Manko's code from here -> Get SeDebug privilege. The rest is mine, part of a bigger Process functions module I've worked on.

Please, anyone who knows what the heck I'm doing right/wrong, let me know :(

Thanks,

Ascend4nt

Edited by Ascend4nt

Share this post


Link to post
Share on other sites



This is interesting.. it appears that Task Manger, even when set to 'Show All Processes from All Users' on Vista and Win 7 actually doesn't list a few processes - namely extra instances of 'dllhost.exe' and 'WmiPrvSE.exe'.. those are the ones bringing up blank owners.

Also, for a few processes, the Owner is coming back as 'None' when it should be the current user name. Only a few processes though!

'Audiodg.exe' is one I can't understand, as it is listed in Task Manager, but comes up blank. grr.. what am I missing

Share this post


Link to post
Share on other sites

Audiodg.exe is protected application. (There's a bit in the eprocess structure, signaling that...) It should give you some restrictions...

/Manko


Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...

Share this post


Link to post
Share on other sites

#4 ·  Posted (edited)

Dang, you are absolutely right - I forgot to check to see if I was actually getting the handle, which I'm not in the cases I listed above. No wonder! Hmm.. is there any workaround that you know of?

I added a check in my code for 'None', which simply changes it to @UserName.. that solves that part of the problem.

However.. how I would get a process handle for those 'protected processes' is the question. I suppose it's not possible if SE_DEBUG access doesn't work eh?

Oh, I've noticed WTS enumeration code works fine on non x86 O/S's for reporting on all Processes (even the hidden dllhost.exe ones).. however on x64 O/S it misses 2-4 processes. I'm not sure why this is. ProcessList reports the correct #, but WTS enumeration, run in both 32-bit and 64-bit mode still misses those processes.

*edit: Hmm, Audiodg.exe always is listed as 'LOCAL SERVICE' on the O/S's I tried it on, but I'm assuming there's the possibility of more protected processes, so checking for this one specifically probably isn't a good idea..

Some searching brought up 'D-Pin Purr' but this is a hack (and a 32-bit one at that). Okay.. enough research for one morning..

Edited by Ascend4nt

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0