Centauri
Getting the filename(with path) of a process

I'm developing an "Anti w32.Jeefo virus" program and need to kill the virus, which is a process started from %windir%\svchost.exe. I'm stuck with the part of getting a process's filename. I know there is Toolhelp32Snapshot, which returns the filename but only works on Win9x.
Thanks in advance!
geobul

Hi,

Toolhelp32Snapshot works on all Windows platforms except Windows NT 4. I'm afraid that there could be no separate process but a dll only loaded into the infected process. Some of the new viruses work that way.

Regards, Geo
You may be interested in Madshi's madKernel package which works on all Windows versions. Check his site:
http://www.madshi.net

Regards, Geo
You could remove its startup key, then reboot and delete it.
Or run through the open processes using ToolHelp and search for the svchost.exe process located in the C:\Windows folder.
_Katka_
Or you can use my SVCHOST assigned files list and kill it by process PID as pointed out in

https://www.experts-exchange.com/questions/21274219/Svchost-exe-process-and-appendant-DLLs.html

otherwise "tasklist /SVC" does the same thing
my code (the accepted one works for Winnt4 above)

regards,
Kate
Give this a try:

uses ..., TlHelp32, PSAPI;
 
// True on Windows 2000/XP/2003 (NT 5.x). GetModuleFileNameEx lives in PSAPI,
// which Win9x does not have, so the full-path lookup is only attempted there.
function WinXPor2Kor2K3: Boolean;
begin
  Result := False;
  if ( CheckWin32Version( 5, 0 ) ) or   // Win2K
     ( CheckWin32Version( 5, 1 ) ) or   // WinXP
     ( CheckWin32Version( 5, 2 ) ) then // Win2003
  begin
    Result := True;
  end;
end;
 
// Fills List with one entry per running process: the exe name (or the full
// image path when FullPath is True) as the string and the PID as the Object.
function RunningProcessesList(const List: TStrings; FullPath: Boolean): Boolean;
 
  function BuildListTH: Boolean;
  var
    SnapProcHandle: THandle;
    ProcEntry: TProcessEntry32;
    NextProc: Boolean;
    FileName: string;
    Handle: THandle;
  begin
    SnapProcHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    Result := (SnapProcHandle <> INVALID_HANDLE_VALUE);
    if Result then
    try
      ProcEntry.dwSize := SizeOf(ProcEntry);
      NextProc := Process32First(SnapProcHandle, ProcEntry);
      while NextProc do
      begin
        if ProcEntry.th32ProcessID = 0 then
        begin
          // PID 0 is always the "System Idle Process" but this name cannot be
          // retrieved from the system and has to be fabricated.
          FileName := 'System Idle Process';
        end
        else
        begin
          // szExeFile holds the full path on Win9x but only the bare name on NT
          FileName := ProcEntry.szExeFile;
          if not FullPath then
          begin
            FileName := ExtractFileName(FileName);
          end
          else
          begin
            // do we really need this check???
            if WinXPor2Kor2K3 then
            begin
              // Both access rights are required by GetModuleFileNameEx; the
              // open fails (Handle = 0) for processes we may not inspect.
              Handle := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,
                                    False, ProcEntry.th32ProcessID);
              if Handle <> 0 then
              try
                SetLength(FileName, MAX_PATH);
                if GetModuleFileNameEx(Handle, 0, PChar(FileName), MAX_PATH) > 0 then
                  SetLength(FileName, StrLen(PChar(FileName)))
                else
                  FileName := '';
              finally
                CloseHandle(Handle);
              end;
            end;
          end;
        end;
        List.AddObject(FileName, Pointer(ProcEntry.th32ProcessID));
        NextProc := Process32Next(SnapProcHandle, ProcEntry);
      end;
    finally
      CloseHandle(SnapProcHandle);
    end;
  end;
 
begin
  Result := BuildListTH;
end;
 
// PID is a DWORD field of TForm1 (class declaration not shown here).
procedure TForm1.Startup;
var
  Startupinfo: TStartupinfo;
  Processinfo: TProcessInformation;
begin
  FillChar(StartupInfo, SizeOf(StartupInfo), 0);
  with StartupInfo do
  begin
    cb := SizeOf(TStartupInfo);
    dwFlags := STARTF_USESHOWWINDOW;
    wShowWindow := SW_HIDE;
  end;
  // Change to your executable filename!!!
  CreateProcess('C:\Program Files\Borland\Delphi6\Projects\ESPNRadioTray.exe', nil, nil, nil,
                False, NORMAL_PRIORITY_CLASS, nil, nil, StartupInfo, ProcessInfo);
  PID := ProcessInfo.dwProcessId;
end;
 
procedure TForm1.FormShow(Sender: TObject);
begin
  PID := High(DWord);   // sentinel: no child process started yet
end;
 
procedure TForm1.Timer1Timer(Sender: TObject);
var
  ProcessList: TStringList;
  i: Integer;
  FRunning: Boolean;
begin
  if PID = High(DWord) then
    Timer1.Interval := 900000;
  ProcessList := TStringList.Create;
  try
    RunningProcessesList(ProcessList, True);
    FRunning := False;
    // Look the child up by PID (stored in Objects[]), not by name
    for i := 0 to ProcessList.Count-1 do
    begin
      if DWORD(ProcessList.Objects[i]) = PID then
      begin
        FRunning := True;
        Break;
      end;
    end;
  finally
    ProcessList.Free;
  end;
  if not FRunning then
  begin
    Startup;
  end;
end;
I don't remember where I got this but I took out the stuff for
Win9x.
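The check this thread circles around, as an added example that is not code from the question or from any answer here: a Delphi console program that snapshots the process list with ToolHelp, resolves the full image path of every svchost.exe with GetModuleFileNameEx, and reports any instance not running from %SystemRoot%\System32. It assumes an NT-based Windows (2000 or later, where PSAPI exists) and that the program has enough rights to open the processes; instances it cannot open are reported separately rather than assumed clean.

```delphi
program SvchostPathCheck;
{$APPTYPE CONSOLE}
uses
  Windows, SysUtils, TlHelp32, PSAPI;

// Full image path of a process via PSAPI, or '' if the process cannot be
// opened (access denied on system processes) or the query fails.
function ImagePathOfPid(Pid: DWORD): string;
var
  Handle: THandle;
begin
  Result := '';
  Handle := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, Pid);
  if Handle = 0 then Exit;
  try
    SetLength(Result, MAX_PATH);
    // GetModuleFileNameEx returns the length written, 0 on failure
    SetLength(Result, GetModuleFileNameEx(Handle, 0, PChar(Result), MAX_PATH));
  finally
    CloseHandle(Handle);
  end;
end;

var
  Snap: THandle;
  Entry: TProcessEntry32;
  ExeName, Expected, Path: string;
  Ok: Boolean;
begin
  // The only legitimate location of svchost.exe is %SystemRoot%\System32
  Expected := SysUtils.GetEnvironmentVariable('SystemRoot') + '\System32\svchost.exe';
  Snap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if Snap = INVALID_HANDLE_VALUE then RaiseLastOSError;
  try
    Entry.dwSize := SizeOf(Entry);
    Ok := Process32First(Snap, Entry);
    while Ok do
    begin
      ExeName := Entry.szExeFile;   // full path on Win9x, bare name on NT
      if SameText(ExtractFileName(ExeName), 'svchost.exe') then
      begin
        Path := ImagePathOfPid(Entry.th32ProcessID);
        if Path = '' then
          Writeln(Format('PID %d: svchost.exe, image path not readable', [Entry.th32ProcessID]))
        else if not SameText(Path, Expected) then
          Writeln(Format('PID %d: svchost.exe running from %s', [Entry.th32ProcessID, Path]));
      end;
      Ok := Process32Next(Snap, Entry);
    end;
  finally
    CloseHandle(Snap);
  end;
end.
```

Run it from an administrative account so that service processes can be opened; otherwise most svchost.exe instances show up as "image path not readable" and the comparison says nothing about them.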
ASKER CERTIFIED SOLUTION
Hypoviax
Thanks :-),

I hope it helped