How to open a process by name with NtOpenProcess
MSDN states that on older versions of Windows, NtOpenProcess supports opening a process by name but fails to document that actual syntax of the name string.
In Windows Server 2003, Windows XP, and Windows 2000, the caller has the option of supplying either a client ID or an object name (but not both). If the ObjectName field of the structure pointed to by ObjectAttributes contains a non-NULL pointer to an object name, ClientId must be NULL.
I've tried various versions of %d, %#x and %x, what is the correct syntax for the object name?
HANDLE handle = 0;
WCHAR b[99];
wsprintfW(b, L"Process\\%x", GetCurrentProcessId()); // What is the syntax supposed to be? "Process" is the name of the process object type but I'm not sure if it's required here.
UNICODE_STRING name;
RtlInitUnicodeString(&name, b);
OBJECT_ATTRIBUTES oa;
InitializeObjectAttributes(&oa, &name, 0, NULL, NULL);
NTSTATUS status = NtOpenProcess(&handle, SYNCHRONIZE, &oa, NULL);
_tprintf(_T("%X %p\n"), status, handle);
(I realize this question is outdated by about 20 years but I'm just curious)
With help from RbMm in the comments I was able to get it to work but since you are limited to processes named on purpose and the functions to do that are undocumented the whole feature is rather useless.
if (LOBYTE(GetVersion()) != 5) return -1;
UNICODE_STRING name;
OBJECT_ATTRIBUTES oa;
RtlInitUnicodeString(&name, L"\\BaseNamedObjects\\HelloWorld");
NTSTATUS status;
HANDLE handle = 0;
InitializeObjectAttributes(&oa, &name, 0, NULL, NULL);
status = NtCreateProcessEx(&handle, STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x0FFF, &oa, GetCurrentProcess(), 0, NULL, NULL, NULL, 0);
_tprintf(_T("create %X %p pid=%d\n"), status, handle, status ? 0 : GetProcessId(handle));
if (status) return status;
status = NtOpenProcess(&handle, SYNCHRONIZE|PROCESS_QUERY_INFORMATION|PROCESS_TERMINATE, &oa, NULL);
_tprintf(_T("open %X %p pid=%d\n"), status, handle, status ? 0 : GetProcessId(handle));
if (status) return status;
Sleep(1000*60);
TerminateProcess(handle, 0); // Kill zombie child
- WSL (Kali-linux) dose not have internet accsse
- php : The term 'php' is not recognized as the name of a cmdlet, function, script file, or operable program
- How to set icon for created .skp file by using C API?
- Unable to run Powershell commands in non-interactive mode
- PowerShell script to call git init in all subdirectories
- Running cURL on 64 bit Windows
- CGO undefined reference to `TIFFGetField'
- How do you make clang link directly to a DLL in Windows without a .lib
- Library's CMake generates DLL. Application's CMake wants LIB
- Bitmap info regularly returns series of same wrong values before returning correct pixel colors
- Append text with a newline in a Windows environment with file_put_contents()
- How to install OpenSSL from source on Windows 10/11?
- How dynamic linking reacts on a change in object
- Laravel 5 show ErrorException file_put_contents failed to open stream: No such file or directory
- Beautiful Soup ".find" not working running from windows terminal
- Create a python file using cmd in windows
- Install winget by the command line (powershell)
- OSError: cannot load library 'gobject-2.0': error 0x7e
- Certificate Rebind in IIS 10 using powershell
- Maven: mvn command not found
- C# import certificate and key (PFX) into CNG/KSP
- Some Services stop automatically if they are not in use by other services
- How to create a Run As Administrator shortcut using PowerShell
- Turbo Studio virtualization
- COM port terminal program
- Git Bash and Pageant are not using keys
- How do I link Rusqlite applications against custom SQLite builds on Windows?
- How to get the MAC address of my local network interface by win socket or remote ip
- CryptographicException: Access denied - How to give access on User store?
- Enable VT support for intel haxm on Hyper-V vm (Windows 10 Pro)?