antonioCoco · May 5, 2022 15:16
diff --git a/AltPidFinder.cpp b/AltPidFinder.cpp
 #include "Windows.h"
 #include "stdio.h"
 #include "strsafe.h"
 #include "winternl.h"

 #define STATUS_INFO_LENGTH_MISMATCH 0xC0000004

 typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION
 {
 	ULONG NumberOfProcessIdsInList;
 	ULONG_PTR ProcessIdList[1];
 } FILE_PROCESS_IDS_USING_FILE_INFORMATION, * PFILE_PROCESS_IDS_USING_FILE_INFORMATION;

 typedef NTSTATUS(NTAPI* pNtQueryInformationFile)(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass);

 DWORD GetPidOpeningFilePath(PWCHAR filePath);

 int main()
 {
 	WCHAR procName1[] = L"C:\\Windows\\explorer.exe";
 	WCHAR procName2[] = L"C:\\Windows\\System32\\csrss.exe";
 	WCHAR procName3[] = L"C:\\Windows\\System32\\services.exe";
 	WCHAR procName4[] = L"C:\\Windows\\System32\\winlogon.exe";
 	WCHAR procName5[] = L"C:\\Windows\\System32\\lsass.exe";
 	WCHAR procName6[] = L"C:\\Windows\\System32\\spoolsv.exe";
 	WCHAR procName7[] = L"C:\\Windows\\System32\\taskhostw.exe";
 	WCHAR procName8[] = L"C:\\Windows\\System32\\dllhost.exe";
 	WCHAR procName9[] = L"C:\\Windows\\System32\\RuntimeBroker.exe";
 	WCHAR procName10[] = L"C:\\Windows\\System32\\sihost.exe";
 	printf("Pid for process %S = %d \n", procName1, GetPidOpeningFilePath(procName1));
 	printf("Pid for process %S = %d \n", procName2, GetPidOpeningFilePath(procName2));
 	printf("Pid for process %S = %d \n", procName3, GetPidOpeningFilePath(procName3));
 	printf("Pid for process %S = %d \n", procName4, GetPidOpeningFilePath(procName4));
 	printf("Pid for process %S = %d \n", procName5, GetPidOpeningFilePath(procName5));
 	printf("Pid for process %S = %d \n", procName6, GetPidOpeningFilePath(procName6));
 	printf("Pid for process %S = %d \n", procName7, GetPidOpeningFilePath(procName7));
 	printf("Pid for process %S = %d \n", procName8, GetPidOpeningFilePath(procName8));
 	printf("Pid for process %S = %d \n", procName9, GetPidOpeningFilePath(procName9));
 	printf("Pid for process %S = %d \n", procName10, GetPidOpeningFilePath(procName10));
 	return 0;
 }

 DWORD GetPidOpeningFilePath(PWCHAR filePath) {
 	DWORD retPid = 0;
 	IO_STATUS_BLOCK iosb;
 	HANDLE hFile;
 	PFILE_PROCESS_IDS_USING_FILE_INFORMATION pfpiufi = NULL;
 	int FileProcessIdsUsingFileInformation = 47;
 	ULONG pfpiufiLen = 0;
 	PULONG_PTR processIdListPtr = NULL;
 	NTSTATUS status = 0;
 	pNtQueryInformationFile NtQueryInformationFile = (pNtQueryInformationFile)GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtQueryInformationFile");
 	hFile = CreateFile(filePath, FILE_READ_ATTRIBUTES, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL);
 	if (hFile != INVALID_HANDLE_VALUE)
 	{
 		pfpiufiLen = 8192;
 		pfpiufi = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pfpiufiLen);
 		status = NtQueryInformationFile(hFile, &iosb, pfpiufi, pfpiufiLen, (FILE_INFORMATION_CLASS)FileProcessIdsUsingFileInformation);
 		while (status == STATUS_INFO_LENGTH_MISMATCH) {
 			pfpiufiLen = pfpiufiLen + 8192;
 			pfpiufi = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pfpiufi, pfpiufiLen);
 			status = NtQueryInformationFile(hFile, &iosb, pfpiufi, pfpiufiLen, (FILE_INFORMATION_CLASS)FileProcessIdsUsingFileInformation);
 		}
 		processIdListPtr = pfpiufi->ProcessIdList;
 		// we return only the first pid, it's usually the right one
 		if (pfpiufi->NumberOfProcessIdsInList >= 1)
 			retPid = *processIdListPtr;
 		HeapFree(GetProcessHeap(), 0, pfpiufi);
 		CloseHandle(hFile);
 	}
 	return retPid;
 }
	#include "Windows.h"
	#include "stdio.h"
	#include "strsafe.h"
	#include "winternl.h"

	#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004

	typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION
	{
	ULONG NumberOfProcessIdsInList;
	ULONG_PTR ProcessIdList[1];
	} FILE_PROCESS_IDS_USING_FILE_INFORMATION, * PFILE_PROCESS_IDS_USING_FILE_INFORMATION;

	typedef NTSTATUS(NTAPI* pNtQueryInformationFile)(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass);

	DWORD GetPidOpeningFilePath(PWCHAR filePath);

	int main()
	{
	WCHAR procName1[] = L"C:\\Windows\\explorer.exe";
	WCHAR procName2[] = L"C:\\Windows\\System32\\csrss.exe";
	WCHAR procName3[] = L"C:\\Windows\\System32\\services.exe";
	WCHAR procName4[] = L"C:\\Windows\\System32\\winlogon.exe";
	WCHAR procName5[] = L"C:\\Windows\\System32\\lsass.exe";
	WCHAR procName6[] = L"C:\\Windows\\System32\\spoolsv.exe";
	WCHAR procName7[] = L"C:\\Windows\\System32\\taskhostw.exe";
	WCHAR procName8[] = L"C:\\Windows\\System32\\dllhost.exe";
	WCHAR procName9[] = L"C:\\Windows\\System32\\RuntimeBroker.exe";
	WCHAR procName10[] = L"C:\\Windows\\System32\\sihost.exe";
	printf("Pid for process %S = %d \n", procName1, GetPidOpeningFilePath(procName1));
	printf("Pid for process %S = %d \n", procName2, GetPidOpeningFilePath(procName2));
	printf("Pid for process %S = %d \n", procName3, GetPidOpeningFilePath(procName3));
	printf("Pid for process %S = %d \n", procName4, GetPidOpeningFilePath(procName4));
	printf("Pid for process %S = %d \n", procName5, GetPidOpeningFilePath(procName5));
	printf("Pid for process %S = %d \n", procName6, GetPidOpeningFilePath(procName6));
	printf("Pid for process %S = %d \n", procName7, GetPidOpeningFilePath(procName7));
	printf("Pid for process %S = %d \n", procName8, GetPidOpeningFilePath(procName8));
	printf("Pid for process %S = %d \n", procName9, GetPidOpeningFilePath(procName9));
	printf("Pid for process %S = %d \n", procName10, GetPidOpeningFilePath(procName10));
	return 0;
	}

	DWORD GetPidOpeningFilePath(PWCHAR filePath) {
	DWORD retPid = 0;
	IO_STATUS_BLOCK iosb;
	HANDLE hFile;
	PFILE_PROCESS_IDS_USING_FILE_INFORMATION pfpiufi = NULL;
	int FileProcessIdsUsingFileInformation = 47;
	ULONG pfpiufiLen = 0;
	PULONG_PTR processIdListPtr = NULL;
	NTSTATUS status = 0;
	pNtQueryInformationFile NtQueryInformationFile = (pNtQueryInformationFile)GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtQueryInformationFile");
	hFile = CreateFile(filePath, FILE_READ_ATTRIBUTES, FILE_SHARE_READ \| FILE_SHARE_WRITE \| FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL);
	if (hFile != INVALID_HANDLE_VALUE)
	{
	pfpiufiLen = 8192;
	pfpiufi = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pfpiufiLen);
	status = NtQueryInformationFile(hFile, &iosb, pfpiufi, pfpiufiLen, (FILE_INFORMATION_CLASS)FileProcessIdsUsingFileInformation);
	while (status == STATUS_INFO_LENGTH_MISMATCH) {
	pfpiufiLen = pfpiufiLen + 8192;
	pfpiufi = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pfpiufi, pfpiufiLen);
	status = NtQueryInformationFile(hFile, &iosb, pfpiufi, pfpiufiLen, (FILE_INFORMATION_CLASS)FileProcessIdsUsingFileInformation);
	}
	processIdListPtr = pfpiufi->ProcessIdList;
	// we return only the first pid, it's usually the right one
	if (pfpiufi->NumberOfProcessIdsInList >= 1)
	retPid = *processIdListPtr;
	HeapFree(GetProcessHeap(), 0, pfpiufi);
	CloseHandle(hFile);
	}
	return retPid;
	}