Detecting my own renamed exe?


Post by Dude »

Let's say I create an app called Calc.exe, and I have another of my apps called Detect.exe. I want Detect.exe to detect if my own Calc.exe is running, but the two problems are: (1) Is Calc.exe really my own exe, or the Windows Calculator; and (2) my own Calc.exe might be running from a location that is NOT in the Windows folder. So, I can't check by testing the path to the exe alone.

Any tips for this dilemma? Since my exe can create a mutex, can I detect that mutex and see the executable path and name that it points to?

TL;DR - How can I detect if one of my exes is running, if the user has renamed it to Calc.exe and it's not in the Windows folder?

Post by RASHAD »

Hi

Code:

; GetModuleFileNameEx is exported by psapi.dll; handles are pointer-sized, so use .i
Prototype.i GetModuleFileNameExW(hProcess.i, hModule.i, *lpFilename, nSize.l)
Prototype.i GetModuleFileNameExA(hProcess.i, hModule.i, *lpFilename, nSize.l)

CompilerIf #PB_Compiler_Unicode
  Global GetModuleFileNameEx.GetModuleFileNameExW
CompilerElse
  Global GetModuleFileNameEx.GetModuleFileNameExA
CompilerEndIf

Lib = OpenLibrary(#PB_Any, "psapi.dll")
If Lib

  CompilerIf #PB_Compiler_Unicode
    GetModuleFileNameEx = GetFunction(Lib, "GetModuleFileNameExW")
  CompilerElse
    GetModuleFileNameEx = GetFunction(Lib, "GetModuleFileNameExA")
  CompilerEndIf

Else

  MessageRequester("Warning", "Can not load Psapi.dll", #MB_ICONWARNING)
  End

EndIf

Procedure CheckRunningExe()
  Protected Proc32.PROCESSENTRY32, snap.i, hProcess.i, ImageName$, FilePath$
  Proc32\dwSize = SizeOf(PROCESSENTRY32)

  snap = CreateToolhelp32Snapshot_(#TH32CS_SNAPPROCESS, 0)
  ; CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE (-1) on failure, not 0
  If snap <> #INVALID_HANDLE_VALUE
    If Process32First_(snap, @Proc32)
      Repeat ; Repeat/Until so that the first entry is not skipped
        ImageName$ = PeekS(@Proc32\szExeFile)
        FilePath$ = ""
        ; Ask only for the rights GetModuleFileNameEx needs instead of PROCESS_ALL_ACCESS
        hProcess = OpenProcess_(#PROCESS_QUERY_INFORMATION | #PROCESS_VM_READ, 0, Proc32\th32ProcessID)
        If hProcess
          FilePath$ = Space(1024)
          If GetModuleFileNameEx(hProcess, 0, @FilePath$, Len(FilePath$)) = 0
            FilePath$ = "" ; path not available for this process
          EndIf
          CloseHandle_(hProcess)
        EndIf
        Debug ImageName$
        Debug FilePath$
        Debug " "
      Until Process32Next_(snap, @Proc32) = 0
    EndIf
    CloseHandle_(snap)
  EndIf

EndProcedure

CheckRunningExe()

Post by Dude »

Hi Rashad. I think you misunderstood. I want Detect.exe (my first app) to check if Calc.exe (my second app) is actually my second app, and not the Windows Calculator. Assume that the Calc.exe file is located in the root of the C: drive instead of the Windows folder. How does my first app know if that's my other app?

Post by RSBasic »

Hello Dude

Do you mean MD5/CRC32/SHA or own class name of your window to identify?

Post by RASHAD »

With the snippet I posted, you know all the running applications and their paths.
You now know all the running Calc.exe instances, so go to each one and check the properties of each file, and of course you know your own.
They cannot all be similar.
The snippet is your Detect.exe.
You can also read the class name of each running application.

You can double-check (or more) by size, class name and maybe a signature that you code into your Calc.exe.

Code:

; GetModuleFileNameEx is exported by psapi.dll; handles are pointer-sized, so use .i
Prototype.i GetModuleFileNameExW(hProcess.i, hModule.i, *lpFilename, nSize.l)
Prototype.i GetModuleFileNameExA(hProcess.i, hModule.i, *lpFilename, nSize.l)

CompilerIf #PB_Compiler_Unicode
  Global GetModuleFileNameEx.GetModuleFileNameExW
CompilerElse
  Global GetModuleFileNameEx.GetModuleFileNameExA
CompilerEndIf

Lib = OpenLibrary(#PB_Any, "psapi.dll")
If Lib

  CompilerIf #PB_Compiler_Unicode
    GetModuleFileNameEx = GetFunction(Lib, "GetModuleFileNameExW")
  CompilerElse
    GetModuleFileNameEx = GetFunction(Lib, "GetModuleFileNameExA")
  CompilerEndIf

Else

  MessageRequester("Warning", "Can not load Psapi.dll", #MB_ICONWARNING)
  End

EndIf

Procedure CheckRunningExe()
  Protected Proc32.PROCESSENTRY32, snap.i, hProcess.i, ImageName$, FilePath$
  Proc32\dwSize = SizeOf(PROCESSENTRY32)

  snap = CreateToolhelp32Snapshot_(#TH32CS_SNAPPROCESS, 0)
  ; CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE (-1) on failure, not 0
  If snap <> #INVALID_HANDLE_VALUE
    If Process32First_(snap, @Proc32)
      Repeat ; Repeat/Until so that the first entry is not skipped
        ImageName$ = PeekS(@Proc32\szExeFile)
        If UCase(ImageName$) = "CALC.EXE"
          FilePath$ = ""
          ; Ask only for the rights GetModuleFileNameEx needs instead of PROCESS_ALL_ACCESS
          hProcess = OpenProcess_(#PROCESS_QUERY_INFORMATION | #PROCESS_VM_READ, 0, Proc32\th32ProcessID)
          If hProcess
            FilePath$ = Space(1024)
            If GetModuleFileNameEx(hProcess, 0, @FilePath$, Len(FilePath$)) = 0
              FilePath$ = "" ; path not available for this process
            EndIf
            CloseHandle_(hProcess)
          EndIf
          If FileSize(FilePath$) = 1234456 ; just an example value
            Debug "My own application"
            Break
          EndIf
        EndIf
      Until Process32Next_(snap, @Proc32) = 0
    EndIf
    CloseHandle_(snap)
  EndIf

EndProcedure

CheckRunningExe()


Adapt it for your needs
Last edited by RASHAD on Sat May 14, 2016 10:24 pm, edited 1 time in total.

Post by juror »

You can set it up so the programs attempt to communicate with one another and determine if either one/both are running and have them act accordingly.

Post by Nico »

Debug ProgramFilename() :wink:

Post by Dude »

RASHAD wrote:You know now all the running Calc.exe so go to each one and check the properties of each file
I need to check if it's running; not if it exists on disk. So checking file properties can't help.
RASHAD wrote:You can read also the class name of each running application
I think this may be the answer. I'll have to create a custom class for the exe's window that I can search for. Thanks for the idea! :D

And thanks to everyone else who replied with ideas. I appreciate all the assistance. 8)

Post by RSBasic »

Or with mutex (it's faster): http://www.rsbasic.de/aktualisierung/wi ... 3%A4uft.pb (To check if it's running) (only Windows)

Post by Dude »

A mutex won't tell me its running process name though, will it? That's what I really need to know.

Post by RASHAD »

Dude, you misunderstood what you have in your hands.
1- Run the snippet; it will give you the names of the running processes and the path, if it has one.
2- Then use the name while the application is running to check whether it is your application or not.

It will work even if you have many different running applications with the same name.
Give it a try, will you :)

Post by Dude »

RASHAD wrote:Give it a try
There's no point because you're checking file size, which is not what I want. The other exe could be an older version of my own app with a different size, or the user could've used UPX on it, or it could even just be a different app with the same file size. Also, the user could launch my other exe from a USB stick and then remove the stick, leaving only the process of my other exe running in memory (with no file size to check).

So you see, it's not so simple... I need to check the other exe's process only, and not the file on disk, like I said in my first post ("I can't check by testing the path to the exe alone").

[Edit] Let me explain it like this: say I come to your house and run an exe called Calc.exe on your PC from a USB stick, but then I remove the stick. You can see Calc.exe in the Task Manager. How can you know (with a PureBasic app) if that's Microsoft's Calc, or my app?

Post by RSBasic »

Dude wrote:A mutex won't tell me its running process name though, will it? That's what I really need to know.
My code checks the instance name regardless of file name, file size and process name. Your application has the name "Global\MyApplication1" (it's an example, you can change this name) and you can check if it's running.

Post by RASHAD »

Dude,
I said check the file size or class name or a signature or whatever you like (adapt it for your needs).
Will UPX or any other PE compression tool change the class name, for instance?
The snippet gives you the names and the titles and the class name, if you like, for all the running applications, besides the path.
What more do you need?
You asked for a tool to give you the running application, right? :wink:
Now it is your turn.
If you presume the user is a good hacker then you are in trouble.

Post by RASHAD »

You can use the sender and receiver technique.
1- Make your first application check periodically for Detect.exe:
FindWindow_(0, "WM_COPYDATA Receiver")

2- If it finds Detect.exe, then it sends a message using #WM_COPYDATA
saying that it is the child application.

Now Detect.exe is in your hands; do not tell me you will use UPX
or whatever to disguise it :)

Simple example:
Use a special class name to find it.

# 1:

Code:

; Calc.exe side: every 10 seconds, look for the Detect window and announce itself
OpenWindow(0,100,100,300,300,"Calc.exe",#PB_Window_SystemMenu)
StickyWindow(0,1)
Text$="Yes I am your pal"
AddWindowTimer(0,125,10000) ; timer 125 fires every 10000 ms
Repeat
  Select WaitWindowEvent()
    Case #PB_Event_CloseWindow
      Quit = 1
    Case #PB_Event_Timer
      Select EventTimer()
        Case 125
          hWnd = FindWindow_(0,"Detect") ; find Detect.exe by its window title
          If hWnd
            hWndEdit = FindWindowEx_(hWnd, 0, "edit", 0) ; its StringGadget is an "edit" control
            x+1
            Text$ = Text$+"  "+Str(x)
            SendMessage_(hWndEdit,#WM_SETTEXT,0,@Text$) ; write the greeting into Detect's gadget
          EndIf
      EndSelect
  EndSelect
Until Quit = 1

# 2:

Code:

; Detect.exe side: a window titled "Detect" with one StringGadget that receives the text
OpenWindow(0,20,20,300,300,"Detect",#PB_Window_SystemMenu| #PB_Window_ScreenCentered)
StickyWindow(0,1)
StringGadget(1,10,10,220,20,"")

Repeat
  Select WaitWindowEvent()
    Case #PB_Event_CloseWindow
      Quit = 1

  EndSelect
Until Quit = 1
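
Added example, not code from any poster in this thread: it addresses Dude's question of whether a marker can lead back to the running process name, by combining RSBasic's named mutex with RASHAD's window lookup and then reading the image name from the process snapshot, which works even when the file is no longer on disk. The mutex name is the one from RSBasic's post and the window title the one from RASHAD's example # 1; the procedure names and the `#MARKER_*` constants are assumptions, as is Calc.exe creating the mutex at startup.

```purebasic
; Added example (Detect.exe side). Assumes Calc.exe holds CreateMutex_(0, 0, "Global\MyApplication1").
#MarkerMutex$ = "Global\MyApplication1" ; name from RSBasic's post
#MarkerTitle$ = "Calc.exe"              ; window title from RASHAD's example # 1
#MARKER_SYNCHRONIZE   = $00100000       ; value of the Win32 SYNCHRONIZE access right
#MARKER_ACCESS_DENIED = 5               ; Win32 ERROR_ACCESS_DENIED: the object exists but is locked down

Procedure.i MarkerMutexExists(Name$)
  Protected hMutex.i = OpenMutex_(#MARKER_SYNCHRONIZE, 0, Name$)
  If hMutex
    CloseHandle_(hMutex)
    ProcedureReturn #True
  EndIf
  ProcedureReturn Bool(GetLastError_() = #MARKER_ACCESS_DENIED)
EndProcedure

Procedure.l PidFromWindowTitle(Title$)
  Protected pid.l, hWnd.i = FindWindow_(0, Title$)
  If hWnd
    GetWindowThreadProcessId_(hWnd, @pid) ; owner process of the window
  EndIf
  ProcedureReturn pid
EndProcedure

Procedure.s ExeNameFromPid(pid.l) ; name comes from the snapshot, not from the file on disk
  Protected Proc32.PROCESSENTRY32, snap.i, Name$
  Proc32\dwSize = SizeOf(PROCESSENTRY32)
  snap = CreateToolhelp32Snapshot_(#TH32CS_SNAPPROCESS, 0)
  If snap <> #INVALID_HANDLE_VALUE
    If Process32First_(snap, @Proc32)
      Repeat
        If Proc32\th32ProcessID = pid
          Name$ = PeekS(@Proc32\szExeFile)
          Break
        EndIf
      Until Process32Next_(snap, @Proc32) = 0
    EndIf
    CloseHandle_(snap)
  EndIf
  ProcedureReturn Name$
EndProcedure

If MarkerMutexExists(#MarkerMutex$) = #False
  Debug "Marker mutex not found"
Else
  pid.l = PidFromWindowTitle(#MarkerTitle$)
  name$ = "(no window with the expected title)"
  If pid : name$ = ExeNameFromPid(pid) : EndIf
  Debug "Marker present, PID " + Str(pid) + ": " + name$
EndIf
```

Any process can create the same mutex name or window title, so the result is a hint about which process is yours, not proof of identity.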