GetProcesImageFileName returning ERROR_ACCESS_DENIED

Question

Werwerwerw 0 Newbie Poster

8 Years Ago

Hi, I have a hooked function, NtTerminateProcess. I am trying to get the full path to the process handle passed to TerminateProcess. The injected app is taskmgr and GetProcessImageFileName is returning ERROR_ACCESS_DENIED. I even tried opening another handle to the process to ensure I have the required access rights, like this: HANDLE proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, GetProcessId(ProcessHandle)); Even after that, GetProcessImageFileName still returns 5. I tried GetModuleFileNameExW and even that is returning ERROR_ACCESS_DENIED. I'm at a loss here. I'm doing this to protect my process from being closed in case you're wondeirng. I guess I could try an alternative method and set a Registry value of the process ID I want to protect and just check against that, but I would still like to know why this isn't working.

c++

1 Contributor
4 Replies
432 Views
48 Minutes Discussion Span
Latest Post 8 Years Ago Latest Post by Werwerwerw

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Werwerwerw 0 Newbie Poster · Answer 1 · 2016-05-23T20:43:56+00:00

I almost forgot lol, here's my code:

NTSTATUS WINAPI HookedNtTerminateProcess(
    _In_opt_ HANDLE   ProcessHandle,
    _In_     NTSTATUS ExitStatus)
{
    wchar_t FileName[MAX_PATH];
    GetProcessImageFileNameW(ProcessHandle, FileName, MAX_PATH);

    char output[10];
    itoa(GetLastError(), output, 10);
    MessageBoxA(0, output, 0, 0);


    return OriginalNtTerminateProcess(ProcessHandle, ExitStatus);
}

Werwerwerw 0 Newbie Poster · Answer 2 · 2016-05-23T20:51:19+00:00

Even when running taskmgr as admin, it fails and sets the last error to 5. So how does taskmgr check for File Path? I know it does because you can right click -> Open File Location.

Werwerwerw 0 Newbie Poster · Answer 3 · 2016-05-23T21:11:08+00:00

Here is the alternative method that I'm also having a problem with (converting DWORD hex to DWORD):

NTSTATUS WINAPI HookedNtTerminateProcess(
    _In_opt_ HANDLE   ProcessHandle,
    _In_     NTSTATUS ExitStatus)
{
    DWORD ProcId = 0;
    DWORD dwType = REG_DWORD;
    DWORD dwSize = sizeof(DWORD);

    HKEY k;
    RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Cryptorange", 0, KEY_QUERY_VALUE, &k);
    RegQueryValueExW(k, L"ProcId", 0, &dwType,(LPBYTE)&ProcId, &dwSize);

    //for example, I want to convert 70770 (process id in hex) to 11472
    // But I keep getting some random number
    char convert[10];
    itoa(ProcId, convert, 10); 
    ProcId = strtoul(convert, NULL, 16);
    RtlSecureZeroMemory(convert, sizeof(convert));
    itoa(ProcId, convert, 10);
    MessageBoxA(0, convert, 0, 0);

    if (GetProcessId(ProcessHandle) == ProcId)
    {
        MessageBoxA(0, "Access is denied.", "Error.", MB_ICONERROR);
        return ERROR_ACCESS_DENIED;
    }

    return OriginalNtTerminateProcess(ProcessHandle, ExitStatus);
}

Werwerwerw 0 Newbie Poster · Answer 4 · 2016-05-23T21:28:02+00:00

I fixed my alternative method by just storing the Process ID as a string so I don't have to convert DWORD hex to DWORD.