
Killing processes from a list


9 replies to this topic

#1 access2godzila

access2godzila

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:25 AM

Posted 09 May 2012 - 08:09 AM

Having learnt a little bit of programming, I thought I'd write a program that kills processes from a given list. I did it this way:
#include <windows.h>
#include <tlhelp32.h>
#include <cstdio>
using namespace std;

void killprocessbyname(char *executable_name)
{
	printf("killing %s ... ", executable_name);
	PROCESSENTRY32 procentry32 = {sizeof(PROCESSENTRY32)};
	HANDLE handle_process, handle_processes = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if(Process32First(handle_processes, &procentry32))
	{
		do
		{
			if(CompareString(LOCALE_USER_DEFAULT, NORM_IGNORECASE, procentry32.szExeFile, -1, executable_name, -1) == CSTR_EQUAL)
			{
				if((handle_process = OpenProcess(PROCESS_TERMINATE, FALSE, procentry32.th32ProcessID)) != NULL)
				{
					TerminateProcess(handle_process, 0);
					CloseHandle(handle_process);
					printf("succeeded!");
				}
			}
		}
		while(Process32Next(handle_processes, &procentry32));
		CloseHandle(handle_processes);
	}
	printf("\n");
}

int main()
{
	wchar_t *exepath = new wchar_t[MAX_PATH];
	int exepath_length = GetModuleFileNameW(NULL, exepath, MAX_PATH);
	wchar_t *currentdir = new wchar_t[MAX_PATH];
	GetCurrentDirectoryW(MAX_PATH, currentdir);
	while (exepath[exepath_length] != '\\')
	{
		exepath_length--;
	}
	exepath[exepath_length + 1] = '\0';
	SetCurrentDirectoryW(exepath);
	delete[] exepath;
	char *proc2kill = new char[MAX_PATH];
	FILE *procfile = fopen("proc", "r");
	if (procfile != NULL)
	{
		while (!feof(procfile))
		{
			fgets(proc2kill, MAX_PATH, procfile);
			killprocessbyname(proc2kill);
		}
		delete[] procfile;
	}
	SetCurrentDirectoryW(currentdir);
	delete[] currentdir;
}

And the code doesn't do anything. Can anyone tell me where I'm wrong?

Thanks in advance.

Edited by access2godzila, 09 May 2012 - 08:11 AM.




#2 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:12:25 AM

Posted 09 May 2012 - 08:54 AM

What do you mean by 'It doesn't do anything'? Do you mean it doesn't do what you expected it to do? Is it generating errors when you run it? Does it compile properly?

#3 access2godzila


Posted 09 May 2012 - 09:03 AM

It compiles but does not kill processes.

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:11:25 PM

Posted 09 May 2012 - 09:41 AM

Try stepping through the code in a debugger. Is the TerminateProcess call ever reached?

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 access2godzila


Posted 09 May 2012 - 10:25 AM

Don't know how to use a debugger, but since "succeeded" is never printed, I assume it's never reached.

#6 Billy O'Neal


Posted 09 May 2012 - 10:42 AM

What development environment are you using? If it's Visual Studio, you can just click on the bar to the right of the editor, which will set a breakpoint. That will stop execution whenever it is reached.

Alternately you can use "printf debugging", but that's more difficult. Try adding a piece of code right before the comparison that prints both what you're trying to find and what you're comparing it to. I suspect the comparison is failing for some reason.
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#7 access2godzila


Posted 09 May 2012 - 09:44 PM

EDIT: Please skip over to my next post. There isn't any problem with the comparison.

The comparison should be working fine. Have been very busy, and didn't have the time to verify the code, but killprocessbyname is working fine in another project.

Edited by access2godzila, 10 May 2012 - 11:43 AM.


#8 Billy O'Neal


Posted 09 May 2012 - 11:25 PM

Ok, so then why are you asking us for help?

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#9 access2godzila


Posted 10 May 2012 - 11:42 AM

I didn't mean it that way.

My code posted above doesn't work even now. However, if int main() is written like this, the code magically starts working:
/* ... */
#include <string>
#include <fstream>
/*... */
int main()
{
	/* ... */
	string proc2kill;
	ifstream procfile("proc");
	if (procfile.is_open())
	{
		while(!procfile.eof())
		{
			getline(procfile, proc2kill);
			char *proc2kill_charptr = new char[proc2kill.length() + 1];
			strcpy(proc2kill_charptr, proc2kill.c_str());
			killprocessbyname(proc2kill_charptr);
			delete[] proc2kill_charptr;
		}
	}
	/* ... */
}

The question is, why is the above method with <string> and <fstream> working while the method with <cstdio> isn't? I'm confused.

I hope that makes my question clear.

#10 Billy O'Neal


Posted 11 May 2012 - 12:10 PM

Your iostream use is incorrect -- basic_ios::eof only returns true if the actual end of file is encountered, not if some other error condition has occurred. You also need to check the error state *after* the attempt to read. The correct code would look like this:

ifstream procfile("proc");
while (getline(procfile, proc2kill))
{
    killprocessbyname(proc2kill.c_str());
}

(and the argument to killprocessbyname should be char const*)

Now, why specifically your cstdio code fails:

FILE *procfile = fopen("proc", "r");
if (procfile != NULL)
{
        while (!feof(procfile))
        {
                fgets(proc2kill, MAX_PATH, procfile);
                killprocessbyname(proc2kill);
        }
        delete[] procfile;

You're calling delete[] on procfile, but you never allocated memory for it. Really, I'm surprised it didn't completely explode.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
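
Added example, not code from any poster in this thread: the two <cstdio> read loops side by side on a constructed two-line list. It shows what the feof()-first loop hands on (each name still carrying the '\n' that fgets() keeps, so it cannot compare equal to a bare executable name, and the last line delivered twice) against a loop that checks the fgets() result. The function names, the tmpfile() stand-in for "proc" and the sample names are assumptions made for the illustration.

```cpp
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Pattern from the first post: feof() tested before the read, fgets() result
// ignored. Names keep their '\n' and the last line is handed on twice.
std::vector<std::string> read_names_feof_loop(FILE *f) {
    std::vector<std::string> names;
    char line[260] = "";
    while (!feof(f)) {
        fgets(line, sizeof line, f);   // failure goes unnoticed
        names.push_back(line);
    }
    return names;
}

// Checked pattern: loop on the fgets() result, strip "\r\n", skip blanks.
std::vector<std::string> read_names_checked(FILE *f) {
    std::vector<std::string> names;
    char line[260];
    while (fgets(line, sizeof line, f) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        if (line[0] != '\0')
            names.push_back(line);
    }
    return names;
}

// Constructed sample list standing in for the thread's "proc" file.
FILE *make_sample_list() {
    FILE *f = tmpfile();
    if (f != NULL) {
        fputs("notepad.exe\ncalc.exe\n", f);
        rewind(f);
    }
    return f;
}

int main() {
    FILE *f = make_sample_list();
    if (f == NULL) return 1;
    for (const std::string &n : read_names_feof_loop(f))
        printf("feof loop: [%s]\n", n.c_str());
    rewind(f);
    for (const std::string &n : read_names_checked(f))
        printf("checked:   [%s]\n", n.c_str());
    fclose(f);   // FILE* from fopen()/tmpfile() is released with fclose(), never delete[]
}
```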