
Author Topic: get process path  (Read 1049 times)

mcland

  • New member
  • *
  • Posts: 12
get process path
« on: October 09, 2017, 12:02:31 pm »
Hi, all.

I need to get the path of a process, how can I do it?

I have this code:

program myprocess;
uses
  crt, sysutils, dos, jwatlhelp32, windows;
var
  S: HANDLE;
  PE: TProcessEntry32;
begin
  S := CreateToolHelp32Snapshot(TH32CS_SNAPALL, 0);
  if S = INVALID_HANDLE_VALUE then
  begin
    writeln('CreateToolHelp32Snapshot failed: ', GetLastError);
    halt(1);
  end;
  PE.dwSize := SizeOf(PE);   // must be set before the first Process32First call
  if Process32First(S, PE) then
    repeat
      if pos('.exe', ExtractFileName(PE.szExeFile)) <> 0 then
      begin
        writeln(ExtractFileName(PE.szExeFile));  // ExtractFileName strips any directory part
        readkey;
      end;
    until not Process32Next(S, PE);
  CloseHandle(S);
end.

This code prints the exe name, but I want the path too.

Thanks, and sorry for my bad English.

Thaddy

  • Hero Member
  • *****
  • Posts: 4521
Re: get process path
« Reply #1 on: October 09, 2017, 12:05:45 pm »
For your own process it is simply:
Code: Pascal
program program1;
begin
  writeln(paramstr(0));  // paramstr(0) contains the full path x-platform.
end.

For other processes it is way more complex:
- They may be hidden
- They may be symlinked
- They may only exist in memory, so you need the launching application.

What do you exactly want? It is more a hackers technique than useful in a normal context.
« Last Edit: October 09, 2017, 12:08:59 pm by Thaddy »
"Logically, no number of positive outcomes at the level of experimental testing can confirm a scientific theory, but a single counterexample is logically decisive."

marcov

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 5741
Re: get process path
« Reply #2 on: October 09, 2017, 12:09:00 pm »
Note that "ExtractFileName" strips the path, so maybe your way shows the path too, but you strip it before writeln()ing.

mcland

  • New member
  • *
  • Posts: 12
Re: get process path
« Reply #3 on: October 09, 2017, 12:09:32 pm »
mmm, not exactly, my program now prints:

notepad.exe
..
..
...

and i want:
notepad.exe
(and here c:\windows\system32\notepad.exe)

and so on...

mcland

  • New member
  • *
  • Posts: 12
Re: get process path
« Reply #4 on: October 09, 2017, 12:12:36 pm »
if I write:
  writeln(ExtractFileName(pe.szExeFile));
  writeln(pe.szExeFile);

the program writes the same thing twice (notepad.exe or ...program.exe)...


GetMem

  • Hero Member
  • *****
  • Posts: 2328
Re: get process path
« Reply #5 on: October 09, 2017, 01:24:04 pm »
Try something like this:
Code: Pascal
uses JwaPsApi;

function GetProcessFileName(PID: DWORD): string;
var
  Handle: THandle;
begin
  Result := '-';
  Handle := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, PID);
  if Handle <> 0 then
    try
      SetLength(Result, MAX_PATH);
      if GetModuleFileNameEx(Handle, 0, PChar(Result), MAX_PATH) > 0 then
      begin
        SetLength(Result, StrLen(PChar(Result)));  // trim to the zero terminator
        if not FileExists(Result) then
          Result := '-';
      end
      else
        Result := '-';
    finally
      CloseHandle(Handle);
    end;
end;

//....
Writeln(GetProcessFileName(pe.th32ProcessID));

To open a process you need elevated privileges, so for some processes it might not work.

mcland

  • New member
  • *
  • Posts: 12
Re: get process path
« Reply #6 on: October 09, 2017, 03:26:47 pm »
Is there no way to do it with a Windows API like Process32First?
With Task Manager you can see the full path of a process and there is no need to be administrator...

Thaddy

  • Hero Member
  • *****
  • Posts: 4521
Re: get process path
« Reply #7 on: October 09, 2017, 03:39:58 pm »
Quote
Is there no way to do it with a Windows API like Process32First?
With Task Manager you can see the full path of a process and there is no need to be administrator...
That's because they are in-memory processes: you will need to do more to see from where a process is launched.
Why do you really need it?


As usual you can find those things on http://www.delphibasics.info/ btw.
The best source available for anyone dabbling with hacker things in Object Pascal....
You will find it is full of useful snippets for the idiots, malware writers and "system protectors".

Why do you need such techniques?

It would also help if you are able to translate C code into Object Pascal and examine anything sysinternals...
« Last Edit: October 09, 2017, 03:54:25 pm by Thaddy »

mcland

  • New member
  • *
  • Posts: 12
Re: get process path
« Reply #8 on: October 09, 2017, 05:56:50 pm »
That's exactly what I want: to get the full path of the in-memory process.
The unit Aphex is perfect for me, where can I read the code?

I'm building my own antivirus for my company.

Thanks again, and sorry for my bad English.

GetMem

  • Hero Member
  • *****
  • Posts: 2328
Re: get process path
« Reply #9 on: October 09, 2017, 06:15:25 pm »
@mcland
Quote
i'm building my own antivirus for my company.
OMG this is a good one! Thaddy will help you with this project.  :D
Now seriously, listing processes won't help you detect viruses/trojans/rootkits. Malware can take many forms: it can be a driver, a DLL injected into another process, a hijacked DLL, an exe injected inside another exe (PE injection), etc. By the way, that Aphex code won't work with Vista+, since services are isolated in session 0. The only method which will work with services is a WMI query, using Win32_Process (https://msdn.microsoft.com/en-us/library/windows/desktop/aa394372(v=VS.85).aspx). AFAIK the same method is used by Process Explorer, Process Hacker etc...

mcland

  • New member
  • *
  • Posts: 12
Re: get process path
« Reply #10 on: October 09, 2017, 06:33:55 pm »
:D

Modul := CreateToolHelp32SnapShot(TH32CS_SNAPMODULE, Process32.th32ProcessID);
if Modul <> INVALID_HANDLE_VALUE then
begin
  Module32.dwSize := SizeOf(TModuleEntry32);
  if Module32First(Modul, Module32) then   // the first entry is the main executable
    writeln(Module32.szExePath)
  else
    writeln('Module32First failed: ', GetLastError);
  CloseHandle(Modul);   // the snapshot handle must be closed
end;

Module32First is the solution, I'm still trying but no success.

Thaddy

  • Hero Member
  • *****
  • Posts: 4521
Re: get process path
« Reply #11 on: October 09, 2017, 07:32:42 pm »
Quote
OMG this is a good one! Thaddy will help you with this project.  :D
Well, can't hurt too much if he can't find the sourcecode on the website I pointed him to anyway... Can it? And these techniques are all covered nowadays...  :D :D O:-)

(For noobs and scriptkiddies, I forgot those two...the sourcecode is there....)
« Last Edit: October 09, 2017, 07:36:32 pm by Thaddy »

Remy Lebeau

  • Sr. Member
  • ****
  • Posts: 333
    • Lebeau Software
Re: get process path
« Reply #12 on: October 09, 2017, 09:15:28 pm »
Quote
Try something like this:
Code: Pascal
  Handle := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, PID);
  ...
  if GetModuleFileNameEx(Handle, 0, Pchar(Result), MAX_PATH) > 0 then

To open a process you need elevated privileges, so for some processes it might not work.

You should be using GetProcessImageFileName() or QueryFullProcessImageName() instead.  Even the documentation for GetModuleFileNameEx() says so:

Quote
To retrieve the name of the main executable module for a remote process, use the GetProcessImageFileName or QueryFullProcessImageName function. This is more efficient and more reliable than calling the GetModuleFileNameEx function with a NULL module handle.

The upside is that they both work with PROCESS_QUERY_LIMITED_INFORMATION access, and do not require PROCESS_VM_READ access, so a non-elevated process can get the path+filename of an external process.
« Last Edit: October 09, 2017, 09:21:23 pm by Remy Lebeau »
Remy Lebeau
Lebeau Software - Owner, Developer
Internet Direct (Indy) open source project - Admin, Developer
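A complete program built on Remy's advice, added here as an example (it is not code from the thread or from any of its posters): it walks the same Toolhelp snapshot mcland already uses, opens each process with only PROCESS_QUERY_LIMITED_INFORMATION, and resolves the image path with QueryFullProcessImageNameW. Processes that still cannot be opened (PID 0 and 4, protected processes) are reported with their GetLastError code instead of being skipped silently, which is the failure mode GetMem's post describes. The kernel32 import and the PROCESS_QUERY_LIMITED_INFORMATION constant are declared by hand inside the program so it does not depend on which JEDI header version the compiler ships with; FPC 3.x on Windows Vista or later is assumed.

```pascal
program processpaths;
{$mode objfpc}{$H+}
{ Added example, not from the thread: Toolhelp enumeration plus
  QueryFullProcessImageNameW, which needs only PROCESS_QUERY_LIMITED_INFORMATION
  and therefore works unelevated for most processes. Assumes FPC 3.x, Vista+. }
uses
  SysUtils, Windows, JwaTlHelp32;

const
  PROCESS_QUERY_LIMITED_INFORMATION = $1000;  // redeclared locally on purpose

// Imported by hand so the example does not depend on the JEDI header version.
function QueryFullProcessImageNameW(hProcess: HANDLE; dwFlags: DWORD;
  lpExeName: PWideChar; var lpdwSize: DWORD): BOOL; stdcall;
  external 'kernel32' name 'QueryFullProcessImageNameW';

// Returns the Win32 path of the main executable of PID, or '' with Err set to
// the GetLastError code (ERROR_ACCESS_DENIED for protected processes, and for
// PID 0 and 4, which have no user-mode image to report).
function GetProcessImagePath(PID: DWORD; out Err: DWORD): UnicodeString;
var
  h: HANDLE;
  buf: array[0..MAX_PATH] of WideChar;  // MAX_PATH characters plus terminator
  len: DWORD;
begin
  Result := '';
  Err := 0;
  h := OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, PID);
  if h = 0 then
  begin
    Err := GetLastError;
    Exit;
  end;
  try
    len := Length(buf);                       // in: buffer size, out: chars written
    if QueryFullProcessImageNameW(h, 0, @buf[0], len) then
      SetString(Result, PWideChar(@buf[0]), len)
    else
      Err := GetLastError;
  finally
    CloseHandle(h);
  end;
end;

var
  snap: HANDLE;
  pe: TProcessEntry32;
  path: UnicodeString;
  err: DWORD;
begin
  snap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if snap = INVALID_HANDLE_VALUE then
    raise Exception.CreateFmt('CreateToolhelp32Snapshot failed: %d', [GetLastError]);
  try
    pe.dwSize := SizeOf(pe);                  // required before Process32First
    if Process32First(snap, pe) then
      repeat
        path := GetProcessImagePath(pe.th32ProcessID, err);
        if path <> '' then
          WriteLn(pe.th32ProcessID:6, '  ', UTF8Encode(path))
        else
          WriteLn(pe.th32ProcessID:6, '  <', pe.szExeFile, '>  error ', err);
      until not Process32Next(snap, pe);
  finally
    CloseHandle(snap);
  end;
end.
```

The second WriteLn keeps the Toolhelp szExeFile name next to the error code, so a run from a normal user account shows exactly which processes were denied and why, rather than printing a name without a path as mcland's version does. The W variant is used so that paths containing non-ANSI characters survive; UTF8Encode only converts for the console output.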

RAW

  • Hero Member
  • *****
  • Posts: 548
Re: get process path
« Reply #13 on: October 09, 2017, 09:38:49 pm »
My recommendation...
Windows 7 Pro (x64 Sp1) And Windows XP Pro (x86 Sp3) - LAZARUS 1.8.0RC4 FPC 3.0.4

mcland

  • New member
  • *
  • Posts: 12
Re: get process path
« Reply #14 on: October 10, 2017, 11:09:23 am »
Sorry, I don't know how to use this part of the Windows API.
This code only prints the process name :(


program myprocess;
uses
  crt, sysutils, dos, jwatlhelp32, windows, process, JwaWindows;
var
  S: HANDLE;
  proc: HANDLE;
  PE: TProcessEntry32;
  buffer: array[0..MAX_PATH - 1] of char;
  cpid: DWORD;   // PIDs are 32-bit; a Word would truncate PIDs above 65535
begin
  S := CreateToolHelp32Snapshot(TH32CS_SNAPALL, 0); // Create snapshot
  PE.dwSize := SizeOf(PE); // Set size before use
  if Process32First(S, PE) then
    repeat
      if pos('.exe', ExtractFileName(PE.szExeFile)) <> 0 then
      begin
        writeln('proceso: ', ExtractFileName(PE.szExeFile));
        cpid := PE.th32ProcessID;
        proc := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, cpid);
        if proc <> 0 then
        begin
          if GetModuleFileNameEx(proc, 0, PChar(buffer), MAX_PATH) > 0 then
            writeln('path: ', buffer)
          else
            writeln('GetModuleFileNameEx failed: ', GetLastError);
          CloseHandle(proc);   // without this, one handle leaks per process
        end
        else
          writeln('OpenProcess failed: ', GetLastError);
        readkey;
      end;
    until not Process32Next(S, PE);
  CloseHandle(S);
end.

thanks again
