Detecting my own renamed exe?
Let's say I create an app called Calc.exe, and I have another of my apps called Detect.exe. I want Detect.exe to detect if my own Calc.exe is running, but the two problems are: (1) Is Calc.exe really my own exe, or the Windows Calculator; and (2) my own Calc.exe might be running from a location that is NOT in the Windows folder. So, I can't check by testing the path to the exe alone.
Any tips for this dilemma? Since my exe can create a mutex, can I detect that mutex and see the executable path and name that it points to?
TL;DR - How can I detect if one of my exes is running, if the user has renamed it to Calc.exe and it's not in the Windows folder?
Re: Detecting my own renamed exe?
Hi
Code:
; GetModuleFileNameEx is resolved from psapi.dll at run time.
; Handles are pointer-sized, so the handle parameters use .i rather than .l.
Prototype.i GetModuleFileNameExW(hProcess.i, hModule.i, *lpFilename, nSize.i)
Prototype.i GetModuleFileNameExA(hProcess.i, hModule.i, *lpFilename, nSize.i)

CompilerIf #PB_Compiler_Unicode
  Global GetModuleFileNameEx.GetModuleFileNameExW
CompilerElse
  Global GetModuleFileNameEx.GetModuleFileNameExA
CompilerEndIf

Lib = OpenLibrary(#PB_Any, "psapi.dll")
If Lib
  CompilerIf #PB_Compiler_Unicode
    GetModuleFileNameEx = GetFunction(Lib, "GetModuleFileNameExW")
  CompilerElse
    GetModuleFileNameEx = GetFunction(Lib, "GetModuleFileNameExA")
  CompilerEndIf
Else
  MessageRequester("Warning", "Can not load Psapi.dll", #MB_ICONWARNING)
  End
EndIf

Procedure CheckRunningExe()
  Proc32.PROCESSENTRY32
  Proc32\dwSize = SizeOf(PROCESSENTRY32)
  snap = CreateToolhelp32Snapshot_(#TH32CS_SNAPPROCESS, 0)
  If snap
    If Process32First_(snap, @Proc32)
      ; Repeat/Until so the entry returned by Process32First_ is not skipped
      Repeat
        ImageName$ = PeekS(@Proc32\szExeFile)
        FilePath$ = Space(1024)
        ; GetModuleFileNameEx only needs query and read rights, not PROCESS_ALL_ACCESS
        hProcess = OpenProcess_(#PROCESS_QUERY_INFORMATION | #PROCESS_VM_READ, 0, Proc32\th32ProcessID)
        If hProcess
          GetModuleFileNameEx(hProcess, 0, @FilePath$, Len(FilePath$))
          CloseHandle_(hProcess)
        Else
          FilePath$ = "" ; process could not be opened, so no path is available
        EndIf
        Debug ImageName$
        Debug FilePath$
        Debug " "
      Until Process32Next_(snap, @Proc32) = 0
    EndIf
    CloseHandle_(snap)
  EndIf
EndProcedure

CheckRunningExe()
Egypt my love
Re: Detecting my own renamed exe?
Hi Rashad. I think you misunderstood. I want Detect.exe (my first app) to check if Calc.exe (my second app) is actually my second app, and not the Windows Calculator. Assume that the Calc.exe file is located in the root of the C: drive instead of the Windows folder. How does my first app know if that's my other app?
- RSBasic
- Moderator
- Posts: 1218
- Joined: Thu Dec 31, 2009 11:05 pm
- Location: Gernsbach (Germany)
- Contact:
Re: Detecting my own renamed exe?
Hello Dude
Do you mean MD5/CRC32/SHA or own class name of your window to identify?
Re: Detecting my own renamed exe?
With the snippet I posted you know all the running applications and their paths
You now know all the running Calc.exe, so go to each one and check the properties of each file, and of course you know your own
They cannot all be similar
The snippet is your Detect.exe
You can also read the class name of each running application
You can double-check, or more, using size, class name and maybe a signature that you code into your Calc.exe
Code:
; GetModuleFileNameEx is resolved from psapi.dll at run time.
; Handles are pointer-sized, so the handle parameters use .i rather than .l.
Prototype.i GetModuleFileNameExW(hProcess.i, hModule.i, *lpFilename, nSize.i)
Prototype.i GetModuleFileNameExA(hProcess.i, hModule.i, *lpFilename, nSize.i)

CompilerIf #PB_Compiler_Unicode
  Global GetModuleFileNameEx.GetModuleFileNameExW
CompilerElse
  Global GetModuleFileNameEx.GetModuleFileNameExA
CompilerEndIf

Lib = OpenLibrary(#PB_Any, "psapi.dll")
If Lib
  CompilerIf #PB_Compiler_Unicode
    GetModuleFileNameEx = GetFunction(Lib, "GetModuleFileNameExW")
  CompilerElse
    GetModuleFileNameEx = GetFunction(Lib, "GetModuleFileNameExA")
  CompilerEndIf
Else
  MessageRequester("Warning", "Can not load Psapi.dll", #MB_ICONWARNING)
  End
EndIf

Procedure CheckRunningExe()
  Proc32.PROCESSENTRY32
  Proc32\dwSize = SizeOf(PROCESSENTRY32)
  snap = CreateToolhelp32Snapshot_(#TH32CS_SNAPPROCESS, 0)
  If snap
    If Process32First_(snap, @Proc32)
      ; Repeat/Until so the entry returned by Process32First_ is not skipped
      Repeat
        ImageName$ = PeekS(@Proc32\szExeFile)
        If UCase(ImageName$) = "CALC.EXE"
          FilePath$ = Space(1024)
          ; GetModuleFileNameEx only needs query and read rights, not PROCESS_ALL_ACCESS
          hProcess = OpenProcess_(#PROCESS_QUERY_INFORMATION | #PROCESS_VM_READ, 0, Proc32\th32ProcessID)
          If hProcess
            GetModuleFileNameEx(hProcess, 0, @FilePath$, Len(FilePath$))
            CloseHandle_(hProcess)
          Else
            FilePath$ = "" ; process could not be opened, so no path is available
          EndIf
          If FileSize(FilePath$) = 1234456 ; just an example value
            Debug "My own application"
            Break
          EndIf
        EndIf
      Until Process32Next_(snap, @Proc32) = 0
    EndIf
    CloseHandle_(snap)
  EndIf
EndProcedure

CheckRunningExe()
Adapt it for your needs
Last edited by RASHAD on Sat May 14, 2016 10:24 pm, edited 1 time in total.
Re: Detecting my own renamed exe?
You can set it up so the programs attempt to communicate with one another and determine if either one/both are running and have them act accordingly.
Re: Detecting my own renamed exe?
Debug ProgramFilename()
Re: Detecting my own renamed exe?
RASHAD wrote: You know now all the running Calc.exe so go to each one and check the properties of each file
I need to check if it's running; not if it exists on disk. So checking file properties can't help.
RASHAD wrote: You can read also the class name of each running application
I think this may be the answer. I'll have to create a custom class for the exe's window that I can search for. Thanks for the idea!
And thanks to everyone else who replied with ideas. I appreciate all the assistance.
- RSBasic
Re: Detecting my own renamed exe?
Or with mutex (it's faster): http://www.rsbasic.de/aktualisierung/wi ... 3%A4uft.pb (To check if it's running) (only Windows)
Re: Detecting my own renamed exe?
A mutex won't tell me its running process name though, will it? That's what I really need to know.
Re: Detecting my own renamed exe?
Dude, you misunderstood what you have in your hands
1- Run the snippet; it will give you the names of the running processes and the path, if it has one
2- Then use the name while the application is running to check whether it is your application or not
It will work even if you have many different running applications with the same name
Give it a try, will you
Re: Detecting my own renamed exe?
RASHAD wrote: Give it a try
There's no point because you're checking file size, which is not what I want. The other exe could be an older version of my own app with a different size, or the user could've used UPX on it, or it could even just be a different app with the same file size. Also, the user could launch my other exe from a USB stick and then remove the stick, leaving only the process of my other exe running in memory (with no file size to check).
So you see, it's not so simple... I need to check the other exe's process only, and not the file on disk, like I said in my first post ("I can't check by testing the path to the exe alone").
[Edit] Let me explain it like this: say I come to your house and run an exe called Calc.exe on your PC from a USB stick, but then I remove the stick. You can see Calc.exe in the Task Manager. How can you know (with a PureBasic app) if that's Microsoft's Calc, or my app?
- RSBasic
Re: Detecting my own renamed exe?
Dude wrote: A mutex won't tell me its running process name though, will it? That's what I really need to know.
My code checks the instance name regardless of file name, file size and process name. Your application has the name "Global\MyApplication1" (it's an example, you can change this name) and you can check if it's running.
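Added example, not code from the thread or from the linked file: the named-mutex check described in the post above, combined with a window lookup so that Detect.exe also learns which running process it is, whatever the exe has been renamed to. The mutex name comes from the post; the window title "MyCalc-7F3A", the constant #MY_SYNCHRONIZE and the procedure names are assumptions made for this sketch.

```purebasic
#MY_SYNCHRONIZE = $00100000                ; SYNCHRONIZE access right (value from winnt.h)
#MutexName$     = "Global\MyApplication1"  ; name taken from the post above
#MarkerTitle$   = "MyCalc-7F3A"            ; hypothetical title your own app gives its window

; Your own app: call once at startup and keep the handle until the app exits.
Procedure.i AnnounceMyApp()
  ProcedureReturn CreateMutex_(0, 0, #MutexName$)
EndProcedure

; Detect.exe: #True if some process currently holds the named mutex.
Procedure.i IsMyAppRunning()
  Protected hMutex = OpenMutex_(#MY_SYNCHRONIZE, 0, #MutexName$)
  If hMutex
    CloseHandle_(hMutex)
    ProcedureReturn #True
  EndIf
  ProcedureReturn #False
EndProcedure

; Detect.exe: current image name of the process that owns the marker window.
Procedure.s ImageNameOfMyApp()
  Protected pid.l
  Protected snap
  Protected Name$ = ""
  Protected Proc32.PROCESSENTRY32
  Protected hWnd = FindWindow_(0, #MarkerTitle$)
  If hWnd = 0 : ProcedureReturn "" : EndIf
  GetWindowThreadProcessId_(hWnd, @pid)     ; window handle -> owning process id
  snap = CreateToolhelp32Snapshot_(#TH32CS_SNAPPROCESS, 0)
  If snap <> #INVALID_HANDLE_VALUE
    Proc32\dwSize = SizeOf(PROCESSENTRY32)
    If Process32First_(snap, @Proc32)
      Repeat
        If Proc32\th32ProcessID = pid
          Name$ = PeekS(@Proc32\szExeFile)  ; e.g. "Calc.exe" after a rename
          Break
        EndIf
      Until Process32Next_(snap, @Proc32) = 0
    EndIf
    CloseHandle_(snap)
  EndIf
  ProcedureReturn Name$
EndProcedure

If IsMyAppRunning()
  Debug "My app is running as: " + ImageNameOfMyApp()
Else
  Debug "My app is not running"
EndIf
```

Neither check needs the file on disk, so it still works after the USB stick is removed. Any other process can create a mutex or a window with the same name, so this identifies a cooperating app and is not proof of what the binary is.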
Re: Detecting my own renamed exe?
Dude
I said check the file size or class name or a signature or whatever you like (adapt it for your needs)
Will UPX or any other PE compression tool change the class name, for instance?
The snippet gives you the names and the titles and the class name, if you like, for all the running applications, besides the path
What more do you need?
You asked for a tool to give you the running application, right?
Now it is your turn
If you presume the user is a good hacker then you are in trouble
Re: Detecting my own renamed exe?
You can use Sender & Receiver Tech.
1- Make your 1st application check periodically for Detect.exe
FindWindow_(0, "WM_COPYDATA Receiver")
2- If it finds Detect.exe, then it sends a message using #WM_COPYDATA saying that it is the child application
Now Detect.exe is in your hands; do not tell me you will use UPX or whatever to disguise it
Simple example:
Use a special class name to find it
# 1:
Code:
; Calc.exe: every 10 seconds, look for the Detect window and write a message into its edit control
OpenWindow(0, 100, 100, 300, 300, "Calc.exe", #PB_Window_SystemMenu)
StickyWindow(0, 1)
Text$ = "Yes I am your pal"
AddWindowTimer(0, 125, 10000)
Repeat
  Select WaitWindowEvent()
    Case #PB_Event_CloseWindow
      Quit = 1
    Case #PB_Event_Timer
      Select EventTimer()
        Case 125
          hWnd = FindWindow_(0, "Detect")
          If hWnd
            hWndEdit = FindWindowEx_(hWnd, 0, "edit", 0)
            x + 1
            Text$ = Text$ + " " + Str(x)
            SendMessage_(hWndEdit, #WM_SETTEXT, 0, @Text$)
          EndIf
      EndSelect
  EndSelect
Until Quit = 1
# 2 :
Code:
; Detect.exe: a window titled "Detect" with one edit control that receives the message
OpenWindow(0, 20, 20, 300, 300, "Detect", #PB_Window_SystemMenu | #PB_Window_ScreenCentered)
StickyWindow(0, 1)
StringGadget(1, 10, 10, 220, 20, "")
Repeat
  Select WaitWindowEvent()
    Case #PB_Event_CloseWindow
      Quit = 1
  EndSelect
Until Quit = 1