How to Query process names under low integrity process?

1
votes

I'm writing a BHO and I'd like to execute an external process. If the OS is vista or greater the user may be in protected mode, making my BHO running under a low integrity process.

The external process I'm trying to execute is listed in the IE's Elvation Policy list making it running under normal integrity.

I'd like to check if the process is currently running and create it once only if it's not. Problem is that I can't query a process with a higher integrity than mine when i use : HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPID); I'm able to open only the processes that have low integrity.

Is there any other way to query process names from a low integrity process?

Thanks!

1
c++windowssecurityinternet-explorer
Hmm, what else could you do when you can call ReadProcessMemory()... - Hans Passant
I wouldn't but I need it for EnumProcessModules and GetModuleBaseName. Is there another way to get process name without the VM_READ attribute? BTW I could use a mutex or something to check if the process exists but now I'm just curious. I think there's another way - Omer
Just fyi it seems that .Net's Process.GetProcesses() will give the list even when running under low integrity. I'm not sure what it does under the hood but you could look into that. - Rory
Based on the .net code looks to me you can use NtQuerySystemInformation() from Kernel32 to retrieve it, and in my testing it appears to work from low-integrity processes too. - Rory

1 Answers

1
votes

Well, CreateToolhelp32Snapshot solved it, it maps every process no matter what it's integrity. The PROCESSENTRY32 struct has the executable file and that's all i needed.