\n\nThis page has been machine-translated from the original page.
\n
While studying the behavior of code injection in Malware, I came to wonder how Malware identifies the PID to reference in the OpenProcess API.
\nThe Injection section on MalAPI.io lists the following three APIs, and one implementation example appears to be using CreateToolhelp32Snapshot.
So, this article summarizes how to enumerate process information in the system using the Win32 API’s CreateToolhelp32Snapshot.
Reference: Taking a Snapshot and Viewing Processes - Win32 apps | Microsoft Learn
\nReference: Snapshots of the System - Win32 apps | Microsoft Learn
\n\nAll content in this article is created based solely on publicly available information, published books, or results from testing in personal verification environments.
\nRelated articles:
\nThe CreateToolhelp32Snapshot function is a function that can take a snapshot of the heap, modules, and threads of a specified process.
This function retrieves information for the process with the PID specified in th32ProcessID, but if dFlags is given TH32CS_SNAPHEAPLIST, TH32CS_SNAPMODULE, TH32CS_SNAPMODULE32, or TH32CS_SNAPALL, it is ignored and returns information for all processes.
HANDLE CreateToolhelp32Snapshot(\n [in] DWORD dwFlags,\n [in] DWORD th32ProcessID\n);If this function executes successfully, it returns a handle to the obtained snapshot as the return value.
\nYou can reference information within the snapshot using helper functions like Process32First described later.
Reference: CreateToolhelp32Snapshot function (tlhelp32.h) - Win32 apps | Microsoft Learn
\nI investigated what this function actually does by enumerating the functions it calls using WinDbg.
\nKERNEL32!CreateToolhelp32Snapshot\n===>\ncall to KERNELBASE!GetCurrentProcessId (00007fff`3ae04080)\ncall to KERNEL32!ThpCreateRawSnap (00007fff`3d3fe480)\ncall to KERNEL32!BaseSetLastNTError (00007fff`3d3f30e0)\ncall to KERNEL32!BaseSetLastNTError (00007fff`3d3f30e0)\ncall to KERNEL32!ULongMult (00007fff`3d3ffd84)\ncall to KERNEL32!BaseSetLastNTError (00007fff`3d3f30e0)\ncall to KERNEL32!BaseSetLastNTError (00007fff`3d3f30e0)\ncall to KERNEL32!BaseSetLastNTError (00007fff`3d3f30e0)\ncall to KERNEL32!ULongMult (00007fff`3d3ffd84)\ncall to KERNEL32!BaseSetLastNTError (00007fff`3d3f30e0)\ncall to KERNEL32!BaseSetLastNTError (00007fff`3d3f30e0)\ncall to KERNEL32!ThpAllocateSnapshotSection (00007fff`3d3fd8c4)\ncall to KERNEL32!BaseSetLastNTError (00007fff`3d3f30e0)\ncall to KERNEL32!ThpProcessToSnap (00007fff`3d3fb274)\ncall to KERNEL32!BaseSetLastNTError (00007fff`3d3f30e0)\ncall to ntdll!NtClose (00007fff`3d66d230)\ncall to ntdll!NtUnmapViewOfSection (00007fff`3d66d590)\ncall to ntdll!NtFreeVirtualMemory (00007fff`3d66d410)\ncall to ntdll!RtlDestroyQueryDebugBuffer (00007fff`3d6a76d0)\ncall to ntdll!RtlDestroyQueryDebugBuffer (00007fff`3d6a76d0)This alone doesn’t make things very clear, but the ThpCreateRawSnap function and ThpAllocateSnapshotSection function seem to be closely related to the snapshot retrieval process.
The ThpCreateRawSnap function appears to be retrieving system information and process information, judging by the names of the functions it calls.
KERNEL32!ThpCreateRawSnap\n===>\ncall to ntdll!NtAllocateVirtualMemory (00007fff`3d66d350)\ncall to ntdll!NtQuerySystemInformation (00007fff`3d66d710)\ncall to ntdll!RtlDestroyQueryDebugBuffer (00007fff`3d6a76d0)\ncall to ntdll!RtlCreateQueryDebugBuffer (00007fff`3d6a7420)\ncall to ntdll!RtlQueryProcessDebugInformation (00007fff`3d6a78a0)\ncall to ntdll!NtFreeVirtualMemory (00007fff`3d66d410)\ncall to ntdll!RtlCreateQueryDebugBuffer (00007fff`3d6a7420)\ncall to ntdll!RtlQueryProcessDebugInformation (00007fff`3d6a78a0)\ncall to ntdll!NtFreeVirtualMemory (00007fff`3d66d410)\ncall to ntdll!RtlDestroyQueryDebugBuffer (00007fff`3d6a76d0)Reference: NtQuerySystemInformation function (winternl.h) - Win32 apps | Microsoft Learn
\nReference: NtQueryInformationProcess function (winternl.h) - Win32 apps | Microsoft Learn
\nAlso, the ThpAllocateSnapshotSection function was calling the following functions.
I wonder if this is where the area to store the handle is actually allocated?
\nKERNEL32!ThpAllocateSnapshotSection\n===>\ncall to KERNELBASE!BaseFormatObjectAttributes (00007fff`3addf5f0)\ncall to ntdll!NtCreateSection (00007fff`3d66d990)\ncall to ntdll!NtMapViewOfSection (00007fff`3d66d550)Reference: NtCreateSection 関数 (ntifs.h) - Windows drivers | Microsoft Learn
\nReference: NtCreateSection + NtMapViewOfSection Code Injection - Red Team Notes
\nReference: MalAPI.io NtMapViewOfSection
\nA function to retrieve information about the first process in the snapshot.
\nIf the function executes successfully it returns True, and if it fails it returns False. (It returns an error value when no process exists, etc.)
\nThe retrieved process information is stored in the area pointed to by the pointer address of the PROCESSENTRY32 (tlhelp32.h) structure given as the second argument.
\nBOOL Process32First(\n [in] HANDLE hSnapshot,\n [in, out] LPPROCESSENTRY32 lppe\n);The PROCESSENTRY32 (tlhelp32.h) structure contains the following information:
\ntypedef struct tagPROCESSENTRY32 {\n DWORD dwSize;\n DWORD cntUsage;\n DWORD th32ProcessID;\n ULONG_PTR th32DefaultHeapID;\n DWORD th32ModuleID;\n DWORD cntThreads;\n DWORD th32ParentProcessID;\n LONG pcPriClassBase;\n DWORD dwFlags;\n CHAR szExeFile[MAX_PATH];\n} PROCESSENTRY32;Reference: Process32First function (tlhelp32.h) - Win32 apps | Microsoft Learn
\nThe functions being called are like this:
\nKERNEL32!Process32FirstW\n===>\ncall to ntdll!NtMapViewOfSection (00007fff`3d66d550)\ncall to ntdll!NtUnmapViewOfSection (00007fff`3d66d590)\ncall to KERNEL32!memset (00007fff`3d408147)\ncall to ntdll!RtlSetLastWin32Error (00007fff`3d6207c0)\ncall to KERNEL32!BaseSetLastNTError (00007fff`3d3f30e0)Looking in the debugger, data that appears to be from PROCESSENTRY32->szExeFile was stored at the pointer address given as an argument after the call to ntdll!NtMapViewOfSection.
Retrieves information about the next process recorded in the system snapshot.
\nThis function can retrieve the PROCESSENTRY32 of the next process by providing the same snapshot handle given to the Process32FirstW function.
BOOL Process32Next(\n [in] HANDLE hSnapshot,\n [out] LPPROCESSENTRY32 lppe\n);Reference: PROCESSENTRY32 (tlhelp32.h) - Win32 apps | Microsoft Learn
\nThe snapshot handle appears to have a buffer for identifying the currently referenced process information. When the Process32First function is executed, it points to the first one, and when the Process32Next function is executed, it sequentially points to the next process one by one.
Therefore, if you execute the Process32First function in the middle of a loop executing the Process32Next function, the reference buffer returns to the first one, causing the process to loop continuously.
I created a program that enumerates process information using these APIs.
\nThis program retrieves a snapshot of all processes by specifying TH32CS_SNAPPROCESS as an argument to the CreateToolhelp32Snapshot function, and loops the helper function to sequentially output the process name, PID, and number of running threads from the PROCESSENTRY32 structure of each process from the beginning.
#include <windows.h>\n#include <tlhelp32.h>\n#include <tchar.h>\n\n#pragma comment(lib, \"advapi32.lib\")\n\nint main() {\n\n//HANDLE CreateToolhelp32Snapshot(\n//[in] DWORD dwFlags,\n//[in] DWORD th32ProcessID\n//);\n\nHANDLE hToolhelp32Snapshot = NULL;\nhToolhelp32Snapshot = CreateToolhelp32Snapshot(\nTH32CS_SNAPPROCESS,\nNULL\n);\n\nif (hToolhelp32Snapshot == INVALID_HANDLE_VALUE) {\nwprintf(L\"ERROR: Could not get a Toolhelp32Snapshot\\n\");\nwprintf(L\"Faild with %u.\\n\", GetLastError());\nreturn 1;\n}\n\n//typedef struct tagPROCESSENTRY32\n//{\n//DWORD dwSize;\n//DWORD cntUsage;\n//DWORD th32ProcessID;\n//ULONG_PTR th32DefaultHeapID;\n//DWORD th32ModuleID;\n//DWORD cntThreads;\n//DWORD th32ParentProcessID;\n//LONG pcPriClassBase;\n//DWORD dwFlags;\n//CHAR szExeFile[MAX_PATH];\n//} PROCESSENTRY32;\n\n/*BOOL Process32First(\n[in] HANDLE hSnapshot,\n[in, out] LPPROCESSENTRY32 lppe\n);*/\n\nPROCESSENTRY32 pe32;\npe32.dwSize = sizeof(PROCESSENTRY32);\n\nif (Process32First(hToolhelp32Snapshot, &pe32)) {\ndo {\nwprintf(L\"Process name is : %s\\n\", pe32.szExeFile);\nwprintf(L\"=====> PID : %d\\n\", pe32.th32ProcessID);\nwprintf(L\"=====> Threads count : %d\\n\", pe32.cntThreads);\n} while (Process32Next(hToolhelp32Snapshot, &pe32));\nwprintf(L\"Got all process entries.\\n\");\n}\nelse {\nwprintf(L\"ERROR: Could not get the first PROCESSENTRY32.\\n\");\nwprintf(L\"Faild with %u.\\n\", GetLastError());\nCloseHandle(hToolhelp32Snapshot);\nreturn 1;\n}\n\nreturn 0;\n}The execution result looked like this:
\nI’m running it from a command prompt launched with administrator privileges, but it also worked effectively at Medium Integrity.
\nIt seems that when retrieving process information on Windows, you need to first obtain a snapshot object and then pass it to the program.
\nI wonder if Task Manager uses the same implementation?
\nI’d like to attach a debugger and investigate next time.
","fields":{"slug":"/win32api-getprocesslist-en","tagSlugs":["/tag/win-32-api-en/","/tag/malware-en/","/tag/win-dbg-en/","/tag/reversing-en/","/tag/english/"]},"frontmatter":{"date":"2023-05-03","description":"I tried enumerating process information in the system using Win32 API.","tags":["Win32API (en)","Malware (en)","WinDbg (en)","Reversing (en)","English"],"title":"Enumerating Process Information in the System with Win32 API","socialImage":{"publicURL":"/static/64aef3f47d21bab71d5b71e5debe5b03/win32api-getprocesslist.png"}}}},"pageContext":{"slug":"/win32api-getprocesslist-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}