Posted

How can I use NtQueryInformationProcess? The return value is the status, but how do I get the output in AutoIt? With DllStructCreate? I am trying to get the PEB base address here.

Posted
$hProcess = Run("testfile.exe") ; note: Run() returns a PID, not a process handle
$tag_PROCESS_BASIC_INFORMATION = "int ExitStatus;ptr PebBaseAddress;ptr AffinityMask;ptr BasePriority;ulong UniqueProcessId;ulong InheritedFromUniqueProcessId;"
Local $SpecialStruct = DllStructCreate($tag_PROCESS_BASIC_INFORMATION)
Local $aRet = DllCall("ntdll.dll", "int", "NtQueryInformationProcess", "handle", $hProcess, "dword", 0, "ptr", DllStructGetPtr($SpecialStruct), "dword", DllStructGetSize($SpecialStruct), "dword*", 0) ; $aRet[0] = NTSTATUS
$ProcessBasicInfo = DllStructGetData($SpecialStruct, 2) ; element 2 = PebBaseAddress
$dw = DllStructCreate("ptr")
DllCall("kernel32.dll", "int", "ReadProcessMemory", "handle", $hProcess, _ ; was $ret1[0], an undefined variable
        "ptr", DllStructGetData($SpecialStruct, 2) + 0x10, _ ; PebBaseAddress + 0x10 <-- ptr ProcessParameters (x86 offset; 0x20 on x64)
        "ptr", DllStructGetPtr($dw), "ulong_ptr", DllStructGetSize($dw), "ptr", 0)
MsgBox(1, "", $ProcessBasicInfo)

But I always get 0x0000000 in the MsgBox, and I don't really get how I can select which element to read.

Posted
1 hour ago, Danyfirex said:

Nice link, thanks. :) 

@giangnguyen, google like this https://www.google.com/search?q=NtQueryInformationProcess+site%3Awww.autoitscript.com and you're likely to find what you're looking for.


Posted

Googled it and found nothing.

@Danyfirex thanks for the link, I read it before already. I think I figured out most of the stuff, but how do you select which element from the struct to read? Using the second parameter of DllStructGetData?

Posted

; $hProcess is assigned earlier in the script (see the previous post)
$tag_PROCESS_BASIC_INFORMATION = "ptr Reserved1;" & _
        "ptr PebBaseAddress;" & _
        "ptr Reserved[2];" & _
        "ulong UniqueProcessId;" & _
        "ptr Reserved3;"
Local $SpecialStruct = DllStructCreate($tag_PROCESS_BASIC_INFORMATION)
Local $aRet = DllCall("ntdll.dll", "int", "NtQueryInformationProcess", "handle", $hProcess, "dword", 0, "ptr", DllStructGetPtr($SpecialStruct), "dword", DllStructGetSize($SpecialStruct), "dword*", 0) ; $aRet[0] = NTSTATUS
$ProcessBasicInfo = DllStructGetData($SpecialStruct, "PebBaseAddress") ; read the element by name
MsgBox(1, "", $ProcessBasicInfo)


My code atm, always getting 0x000000. I have full access to the process.

Posted

I think you're not reading my answers...


#include <ProcessConstants.au3>
#include <WinAPIProc.au3>
#include <WinAPISys.au3>

Global Const $sTag_PROCESS_BASIC_INFORMATION = "int ExitStatus;ptr PebBaseAddress;ptr AffinityMask;ptr BasePriority;ulong UniqueProcessId;ulong InheritedFromUniqueProcessId;"

Local $iPID = Run("Danyfirex.exe") ;Get process PID
ConsoleWrite("PID: " & $iPID & @CRLF)

Local $hProcess = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, 0, $iPID) ;Open process (NtQueryInformationProcess needs a handle, not a PID)
ConsoleWrite("hProcess: " & $hProcess & @CRLF)

Local $tPBI = DllStructCreate($sTag_PROCESS_BASIC_INFORMATION)
Local $aRet = DllCall('ntdll.dll', 'int', 'NtQueryInformationProcess', 'handle', $hProcess, 'dword', 0, 'ptr', DllStructGetPtr($tPBI), 'ulong', DllStructGetSize($tPBI), 'ulong*', 0) ;$aRet[0] is the NTSTATUS (0 = success)

ConsoleWrite($tPBI.UniqueProcessId & @CRLF) ;struct elements can be read by name
ConsoleWrite($tPBI.PebBaseAddress & @CRLF)

_WinAPI_CloseHandle($hProcess)

Regards

Posted (edited)

I am using DllStructGetData which I think works as well. 

Anyway thanks for your help, I found where things went wrong. I forgot that using ShellExecute returns the PID and not the handle to the process and forgot to open the process. Thanks guys

Staff please lock this, problem solved. Thanks guys.

Edited by giangnguyen
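Putting the answer and the resolution together, as an added example that is not code from the thread: open the process from the PID (Run() and ShellExecute() give a PID, not a handle), check the NTSTATUS that NtQueryInformationProcess returns instead of assuming the struct was filled, and read PebBaseAddress by name. The struct uses ulong_ptr/long members so its size matches sizeof(PROCESS_BASIC_INFORMATION) under both 32-bit and 64-bit AutoIt; notepad.exe is only a constructed target, the function names are my own, and the PEB offsets assume the target has the same bitness as the interpreter.

```autoit
#include <ProcessConstants.au3>
#include <WinAPI.au3>

; Added example, not code from the thread. Member types are pointer-sized so that
; DllStructGetSize() equals sizeof(PROCESS_BASIC_INFORMATION) on x86 and x64.
Global Const $g_sTagPBI = "int ExitStatus;ptr PebBaseAddress;ulong_ptr AffinityMask;" & _
        "long BasePriority;ulong_ptr UniqueProcessId;ulong_ptr InheritedFromUniqueProcessId"
Global Const $g_iProcessBasicInformation = 0 ; PROCESSINFOCLASS value

; Returns the PEB base address of the process with PID $iPID, or 0 with @error set
; (1 = OpenProcess failed, 2 = DllCall failed, 3 = NTSTATUS failure, status in @extended).
Func _GetPebBaseAddress($iPID)
    ; Run()/ShellExecute() return a PID; NtQueryInformationProcess needs a HANDLE.
    Local $hProcess = _WinAPI_OpenProcess($PROCESS_QUERY_INFORMATION, 0, $iPID)
    If Not $hProcess Then Return SetError(1, 0, 0)
    Local $tPBI = DllStructCreate($g_sTagPBI)
    Local $aRet = DllCall("ntdll.dll", "int", "NtQueryInformationProcess", _
            "handle", $hProcess, "dword", $g_iProcessBasicInformation, _
            "ptr", DllStructGetPtr($tPBI), "ulong", DllStructGetSize($tPBI), "ulong*", 0)
    Local $iErr = @error
    _WinAPI_CloseHandle($hProcess)
    If $iErr Then Return SetError(2, $iErr, 0)
    ; $aRet[0] is the NTSTATUS: 0 = STATUS_SUCCESS; 0xC0000004 means the struct size is wrong.
    If $aRet[0] <> 0 Then Return SetError(3, $aRet[0], 0)
    ; Elements are read by name (or by 1-based index: PebBaseAddress is element 2).
    Return DllStructGetData($tPBI, "PebBaseAddress")
EndFunc

; Reads the PEB->ProcessParameters pointer, the field the first post tried to reach.
; Its offset depends on bitness; this assumes target and interpreter share it.
Func _GetProcessParameters($iPID, $pPeb)
    Local $hProcess = _WinAPI_OpenProcess($PROCESS_VM_READ, 0, $iPID)
    If Not $hProcess Then Return SetError(1, 0, 0)
    Local $iOffset = @AutoItX64 ? 0x20 : 0x10
    Local $tPtr = DllStructCreate("ptr"), $iRead = 0
    Local $bOK = _WinAPI_ReadProcessMemory($hProcess, $pPeb + $iOffset, DllStructGetPtr($tPtr), DllStructGetSize($tPtr), $iRead)
    _WinAPI_CloseHandle($hProcess)
    If Not $bOK Or $iRead <> DllStructGetSize($tPtr) Then Return SetError(2, 0, 0)
    Return DllStructGetData($tPtr, 1)
EndFunc

Local $iPID = Run("notepad.exe") ; constructed demo target
Local $pPeb = _GetPebBaseAddress($iPID)
If @error Then
    ConsoleWrite("Query failed: error " & @error & ", status 0x" & Hex(@extended) & @CRLF)
Else
    ConsoleWrite("PEB: " & $pPeb & "  ProcessParameters: " & _GetProcessParameters($iPID, $pPeb) & @CRLF)
EndIf
ProcessClose($iPID)
```

With the 40-byte tag from the posts above, 64-bit AutoIt gets STATUS_INFO_LENGTH_MISMATCH and an untouched struct, which also reads as 0; the NTSTATUS check makes that visible instead of silent.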
