Process32First / Process32Next return the 'temp' filename for processes that are started from inside the box.
e.g. the process name will be `evb4760.tmp` instead of what is expected.
Process32Next seeing temp file name
Re: Process32Next seeing temp file name
Hi, yes, to run the child process EVB uses temporary file as a core for running process. Temp file does not contain any code or data, but it is required to correctly run child process.
Change the name of such process to real name is impossible. This is not EVB limitation, this is how Windows system works.
Change the name of such process to real name is impossible. This is not EVB limitation, this is how Windows system works.
-
learn_more
- Posts: 4
- Joined: Mon Apr 03, 2023 6:18 pm
Re: Process32Next seeing temp file name
To elaborate a bit:
I am calling Process32First / Process32Next from inside the box, so I expected this to be fixed up by the hooks placed from virtualbox.
A workaround would be to detect the process name starting with 'evb' and ending with '.tmp', and then calling Module32First, because this will return the expected name.
I am calling Process32First / Process32Next from inside the box, so I expected this to be fixed up by the hooks placed from virtualbox.
A workaround would be to detect the process name starting with 'evb' and ending with '.tmp', and then calling Module32First, because this will return the expected name.
Re: Process32Next seeing temp file name
Module32First/Module32Next are hooked and return correct data.
As for Process32First/Process32Next - agree, they return this .tmp file name, but there are specifics to make it hooked and changed. I will add it into todo list, let see if it would be possible to develop.
As for Process32First/Process32Next - agree, they return this .tmp file name, but there are specifics to make it hooked and changed. I will add it into todo list, let see if it would be possible to develop.
-
learn_more
- Posts: 4
- Joined: Mon Apr 03, 2023 6:18 pm
Re: Process32Next seeing temp file name
Thanks!Enigma wrote: ↑Wed Apr 05, 2023 12:09 pm Module32First/Module32Next are hooked and return correct data.
As for Process32First/Process32Next - agree, they return this .tmp file name, but there are specifics to make it hooked and changed. I will add it into todo list, let see if it would be possible to develop.
For reference, here is my code with the workaround:
Code: Select all
DWORD getProcessID(const char* szName)
{
std::unique_ptr<HANDLE, HANDLEDeleter> hSnap(CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0));
PROCESSENTRY32 pe = {sizeof(pe), 0};
if (hSnap.get() == INVALID_HANDLE_VALUE ||
!Process32First(hSnap.get(), &pe))
{
return 0;
}
do
{
if (pe.th32ParentProcessID == GetCurrentProcessId())
{
if (stringStartsWith(pe.szExeFile, "evb") &&
stringEndsWith(pe.szExeFile, ".tmp"))
{
// Packed executable, try to find the real one!
std::unique_ptr<HANDLE, HANDLEDeleter> hModSnap(CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pe.th32ProcessID));
MODULEENTRY32 me = {sizeof(me)};
if (hModSnap.get() != INVALID_HANDLE_VALUE)
{
// First module is always the main .exe
if (Module32First(hModSnap.get(), &me) && !stricmp(me.szModule, szName))
{
return pe.th32ProcessID;
}
}
}
}
if (!stricmp(pe.szExeFile, szName))
{
return pe.th32ProcessID;
}
} while (Process32Next(hSnap.get(), &pe));
return 0;
}
Re: Process32Next seeing temp file name
OK, thanks, but EVB really operates on a deeper level. Inside CreateToolhelp32Snapshot the system calls the function NtQuerySystemInformation that EVB hooks, so this has to be handled inside EVB to replace .tmp process file name with the virtual one. Just for your information 
-
learn_more
- Posts: 4
- Joined: Mon Apr 03, 2023 6:18 pm
Re: Process32Next seeing temp file name
Yeah, I noticed quite a bit of hooks inside ntdll