Created
May 5, 2022 15:16
-
-
Save antonioCoco/9db236d6089b4b492746f7de31b21d9d to your computer and use it in GitHub Desktop.
Revisions
-
antonioCoco created this gist
May 5, 2022 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,72 @@ #include "Windows.h" #include "stdio.h" #include "strsafe.h" #include "winternl.h" #define STATUS_INFO_LENGTH_MISMATCH 0xC0000004 typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION { ULONG NumberOfProcessIdsInList; ULONG_PTR ProcessIdList[1]; } FILE_PROCESS_IDS_USING_FILE_INFORMATION, * PFILE_PROCESS_IDS_USING_FILE_INFORMATION; typedef NTSTATUS(NTAPI* pNtQueryInformationFile)(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass); DWORD GetPidOpeningFilePath(PWCHAR filePath); int main() { WCHAR procName1[] = L"C:\\Windows\\explorer.exe"; WCHAR procName2[] = L"C:\\Windows\\System32\\csrss.exe"; WCHAR procName3[] = L"C:\\Windows\\System32\\services.exe"; WCHAR procName4[] = L"C:\\Windows\\System32\\winlogon.exe"; WCHAR procName5[] = L"C:\\Windows\\System32\\lsass.exe"; WCHAR procName6[] = L"C:\\Windows\\System32\\spoolsv.exe"; WCHAR procName7[] = L"C:\\Windows\\System32\\taskhostw.exe"; WCHAR procName8[] = L"C:\\Windows\\System32\\dllhost.exe"; WCHAR procName9[] = L"C:\\Windows\\System32\\RuntimeBroker.exe"; WCHAR procName10[] = L"C:\\Windows\\System32\\sihost.exe"; printf("Pid for process %S = %d \n", procName1, GetPidOpeningFilePath(procName1)); printf("Pid for process %S = %d \n", procName2, GetPidOpeningFilePath(procName2)); printf("Pid for process %S = %d \n", procName3, GetPidOpeningFilePath(procName3)); printf("Pid for process %S = %d \n", procName4, GetPidOpeningFilePath(procName4)); printf("Pid for process %S = %d \n", procName5, GetPidOpeningFilePath(procName5)); printf("Pid for process %S = %d \n", procName6, GetPidOpeningFilePath(procName6)); printf("Pid for process %S = %d \n", procName7, GetPidOpeningFilePath(procName7)); printf("Pid for process %S = %d \n", procName8, GetPidOpeningFilePath(procName8)); printf("Pid for process %S = %d \n", procName9, GetPidOpeningFilePath(procName9)); printf("Pid for process %S = %d \n", procName10, GetPidOpeningFilePath(procName10)); return 0; } DWORD GetPidOpeningFilePath(PWCHAR filePath) { DWORD retPid = 0; IO_STATUS_BLOCK iosb; HANDLE hFile; PFILE_PROCESS_IDS_USING_FILE_INFORMATION pfpiufi = NULL; int FileProcessIdsUsingFileInformation = 47; ULONG pfpiufiLen = 0; PULONG_PTR processIdListPtr = NULL; NTSTATUS status = 0; pNtQueryInformationFile NtQueryInformationFile = (pNtQueryInformationFile)GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtQueryInformationFile"); hFile = CreateFile(filePath, FILE_READ_ATTRIBUTES, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL); if (hFile != INVALID_HANDLE_VALUE) { pfpiufiLen = 8192; pfpiufi = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pfpiufiLen); status = NtQueryInformationFile(hFile, &iosb, pfpiufi, pfpiufiLen, (FILE_INFORMATION_CLASS)FileProcessIdsUsingFileInformation); while (status == STATUS_INFO_LENGTH_MISMATCH) { pfpiufiLen = pfpiufiLen + 8192; pfpiufi = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pfpiufi, pfpiufiLen); status = NtQueryInformationFile(hFile, &iosb, pfpiufi, pfpiufiLen, (FILE_INFORMATION_CLASS)FileProcessIdsUsingFileInformation); } processIdListPtr = pfpiufi->ProcessIdList; // we return only the first pid, it's usually the right one if (pfpiufi->NumberOfProcessIdsInList >= 1) retPid = *processIdListPtr; HeapFree(GetProcessHeap(), 0, pfpiufi); CloseHandle(hFile); } return retPid; }