[SRC] GetPath EXE Opened

Iniciado por Miseryk, 9 Febrero 2015, 14:53 PM


Miseryk

Bueno, este es un tema que vi en foro.elhacker.net/programacion_visual_basic/abrir_ejecutable_en_un_form_iquestes_posible_abrir_chrome-t429104.0.html para obtener el path de un archivo en ejecución sin hooks; aparentemente muestra desde dónde se abrió. Ahora posteo el código y un par de ejemplos:

Código (vb):

Option Explicit

'Win32 declarations used to read memory out of another process.  VB6 builds
'32-bit code only, so handles and addresses are carried in Long; nothing here
'is 64-bit safe as written.
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
'The last parameter receives the number of bytes actually READ despite its
'name; the caller in this post passes 0& and ignores it, so a short read
'goes unnoticed.
Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Public Declare Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As Long

'Access rights for OpenProcess.  ReadProcessMemory needs only PROCESS_VM_READ;
'PROCESS_ALL_ACCESS is refused for any process the caller is not allowed to
'fully control, so requesting it fails where the narrower right would succeed.
Public Const PROCESS_ALL_ACCESS = &H1F0FFF  'Specifies all possible access flags for the process object.
Public Const PROCESS_CREATE_THREAD = &H2   'Enables using the process handle in the CreateRemoteThread function to create a thread in the process.
Public Const PROCESS_DUP_HANDLE = &H40  'Enables using the process handle as either the source or target process in the DuplicateHandle function to duplicate a handle.
Public Const PROCESS_QUERY_INFORMATION = &H400 'Enables using the process handle in the GetExitCodeProcess and GetPriorityClass functions to read information from the process object.
Public Const PROCESS_SET_INFORMATION = &H200  'Enables using the process handle in the SetPriorityClass function to set the priority class of the process.
Public Const PROCESS_TERMINATE = &H1 'Enables using the process handle in the TerminateProcess function to terminate the process.
Public Const PROCESS_VM_OPERATION = &H8 'Enables using the process handle in the VirtualProtectEx and WriteProcessMemory functions to modify the virtual memory of the process.
Public Const PROCESS_VM_READ = &H10     'Enables using the process handle in the ReadProcessMemory function to read from the virtual memory of the process.
Public Const PROCESS_VM_WRITE = &H20 'Enables using the process handle in the WriteProcessMemory function to write to the virtual memory of the process.
Public Const SYNCHRONIZE = &H100000   'Enables using the process handle in any of the wait functions to wait for the process to terminate.

'Raw memory copy (RtlMoveMemory); used by the two conversion helpers below to
'move bytes between Byte arrays and the UTF-16 buffer behind a VB string.
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (hpvDest As Any, hpvSource As Any, ByVal cbCopy As Long)

'The WideCharToMultiByte function maps a wide-character string to a new character string.
'The function is faster when both lpDefaultChar and lpUsedDefaultChar are NULL.
'Of the constants below only CP_ACP (with dwFlags = 0) is used in this module,
'by StringToByteArray; the rest are kept for reference.

'CodePage
Private Const CP_ACP = 0 'ANSI
Private Const CP_MACCP = 2 'Mac
Private Const CP_OEMCP = 1 'OEM
Private Const CP_UTF7 = 65000
Private Const CP_UTF8 = 65001

'dwFlags
Private Const WC_NO_BEST_FIT_CHARS = &H400
Private Const WC_COMPOSITECHECK = &H200
Private Const WC_DISCARDNS = &H10
Private Const WC_SEPCHARS = &H20 'Default
Private Const WC_DEFAULTCHAR = &H40

Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long, ByVal lpMultiByteStr As Long, ByVal cbMultiByte As Long, ByVal lpDefaultChar As Long, ByVal lpUsedDefaultChar As Long) As Long

Public Function ByteArrayToString(Bytes() As Byte) As String
'Converts a Byte array to a VB string, guessing the encoding from the first
'two bytes: when Bytes(1) is 0 the data is taken as UTF-16LE and copied as-is,
'otherwise it is treated as ANSI and widened with StrConv.  A one-byte array
'always takes the ANSI path.  With an array that was never allocated every
'statement fails under On Error Resume Next and the function presumably
'returns "".  Embedded nulls are kept: nothing here trims at a terminator.
Dim iUnicode As Long, i As Long, j As Long   'j is declared but never used

On Error Resume Next
i = UBound(Bytes)   'raises on an unallocated array, leaving i = 0

If (i < 1) Then
    'ANSI, just convert to unicode and return
    ByteArrayToString = StrConv(Bytes, vbUnicode)
    Exit Function
End If
i = i + 1   'element count

'Examine the first two bytes
'iUnicode receives Bytes(0) as its low byte and Bytes(1) as its high byte,
'so the comparison below holds exactly when Bytes(1) = 0, i.e. when the
'first character looks like a UTF-16 code unit with an ASCII value.  This is
'a heuristic: an ANSI buffer such as "C" followed by a null is misread as
'Unicode.
CopyMemory iUnicode, Bytes(0), 2

If iUnicode = Bytes(0) Then 'Unicode
    'Account for terminating null
    'An odd byte count would leave an unpaired byte; drop it so only whole
    'code units are copied.
    If (i Mod 2) Then i = i - 1
    'Set up a buffer to recieve the string
    ByteArrayToString = String$(i / 2, 0)   'i is even here, so i / 2 is exact
    'Copy to string
    CopyMemory ByVal StrPtr(ByteArrayToString), Bytes(0), i
Else 'ANSI
    ByteArrayToString = StrConv(Bytes, vbUnicode)
End If
End Function

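Public Function StringToByteArray(strInput As String, Optional bReturnAsUnicode As Boolean = True, Optional bAddNullTerminator As Boolean = False) As Byte()
'Converts a VB string to a Byte array.
'  bReturnAsUnicode   True  -> the string's own UTF-16LE bytes (2 per character)
'                     False -> bytes in the ANSI code page (CP_ACP)
'  bAddNullTerminator appends a terminator: two zero bytes for UTF-16,
'                     one zero byte for ANSI.
'An empty string yields a zero-length array (or just the terminator) instead
'of failing on ReDim bytBuffer(-1).
'Raises vbObjectError + 513 if WideCharToMultiByte fails; the previous
'version never checked its return value, and because it passed the character
'count (not the byte count, and without room for the null that cchWideChar
'= -1 writes) the ANSI branch failed with an insufficient buffer.
Dim bytBuffer() As Byte
Dim lLenB As Long     'byte count of the UTF-16 body
Dim lNeeded As Long   'ANSI size reported by WideCharToMultiByte, including its null
Dim lRet As Long

If Len(strInput) = 0 Then
    'StrPtr of an empty string is 0 and WideCharToMultiByte rejects a null
    'source pointer, so this case is handled without calling the API.
    If bAddNullTerminator Then
        If bReturnAsUnicode Then
            ReDim bytBuffer(1)      'two zero bytes
        Else
            ReDim bytBuffer(0)      'one zero byte
        End If
    Else
        bytBuffer = ""              'assigning "" gives a zero-length array (UBound = -1)
    End If
    StringToByteArray = bytBuffer
    Exit Function
End If

If bReturnAsUnicode Then
    lLenB = LenB(strInput)
    'A UTF-16 terminator is two bytes: a single trailing zero byte would
    'leave half a code unit at the end of the array.  ReDim zero-fills, so
    'the terminator needs no explicit write.
    If bAddNullTerminator Then
        ReDim bytBuffer(lLenB + 1)
    Else
        ReDim bytBuffer(lLenB - 1)
    End If
    CopyMemory bytBuffer(0), ByVal StrPtr(strInput), lLenB
Else
    'cchWideChar = -1 converts the terminator too, so lNeeded counts it and
    'is at least 2 for a non-empty string.  Asking the API for the size also
    'handles double-byte code pages, where Len() (characters) underestimates
    'the number of output bytes.
    lNeeded = WideCharToMultiByte(CP_ACP, 0&, ByVal StrPtr(strInput), -1, 0&, 0&, 0&, 0&)
    If lNeeded = 0 Then
        Err.Raise vbObjectError + 513, "StringToByteArray", "WideCharToMultiByte failed (" & Err.LastDllError & ")"
    End If
    ReDim bytBuffer(lNeeded - 1)
    lRet = WideCharToMultiByte(CP_ACP, 0&, ByVal StrPtr(strInput), -1, ByVal VarPtr(bytBuffer(0)), lNeeded, 0&, 0&)
    If lRet = 0 Then
        Err.Raise vbObjectError + 513, "StringToByteArray", "WideCharToMultiByte failed (" & Err.LastDllError & ")"
    End If
    If Not bAddNullTerminator Then
        'Drop the terminator that the -1 length made the API write.
        ReDim Preserve bytBuffer(lNeeded - 2)
    End If
End If

StringToByteArray = bytBuffer
End Function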


Código (vb):

Option Explicit

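Private Sub Command1_Click()
'Opens the process whose PID is in Text1, reads 256 bytes from the target's
'copy of KERNEL32.DLL + &HC6320 and shows them as text.  The offset is a
'constant taken from one specific kernel32 build, so on any other build it
'points at unrelated data.  The read relies on kernel32 being mapped at the
'same base in the target as in this process (system DLLs share one base per
'boot session); the fallback address below only held on the author's machine.
'NOTE(review): the sample outputs in the post are the directory the target
'was started from, not its image path - which kernel32 variable sits at this
'offset is not established here.
Dim handle_Process As Long      'a process handle is a 32-bit value, not a Double
Dim zBytes(256) As Byte         '257 bytes; only 256 are read, so zBytes(256) stays 0
Dim lb As Long                  'kernel32 base address in THIS process
Dim sText As String
Dim lNull As Long

'Reading memory only needs PROCESS_VM_READ.  PROCESS_ALL_ACCESS is refused
'for any process the caller may not fully control (services, elevated or
'protected processes), so the narrower mask succeeds in more cases.
handle_Process = OpenProcess(PROCESS_VM_READ, False, Val(Text1.Text))

If handle_Process <> 0 Then
    'kernel32 is already loaded in every Win32 process; LoadLibraryA just
    'returns its base (the reference count it adds is never released, which
    'does not matter for kernel32).
    lb = LoadLibraryA("KERNEL32.DLL")

    If lb = 0 Then
        'Hard-coded fallback from the author's machine; valid only there.
        lb = &H77C50000
    End If

    'kernel32.dll+C6320
    '0x77D16320 (author's build)
    If ReadProcessMemory(handle_Process, lb + &HC6320, zBytes(0), 256, 0&) <> 0 Then
        sText = ByteArrayToString(zBytes)
        'Keep only the text up to the first null: the buffer is a fixed
        '256-byte window, not a string of known length.
        lNull = InStr(sText, vbNullChar)
        If lNull > 0 Then sText = Left$(sText, lNull - 1)
        Clipboard.SetText sText
        MsgBox sText
    Else
        MsgBox "Error al ejecutar ReadProcessMemory. (" & Err.LastDllError & ")"
    End If

    Call CloseHandle(handle_Process)
Else
    MsgBox "Error al ejecutar OpenProcess. (" & Err.LastDllError & ")"
End If
End Sub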

Private Sub Form_Load()
'Pre-fill the PID box with this process's own id, so the first click of
'Command1 reads our own memory.
Dim lOwnPid As Long
lOwnPid = GetCurrentProcessId()
Text1.Text = CStr(lOwnPid)
End Sub


TaskMgr:
opera.exe 236 C:\Program Files\Opera\20.0.1387.91\opera.exe
OUTPUT: C:\Program Files\Opera\

McTray.exe 1796 C:\Program Files\McAfee\Common Framework\McTray.exe
OUTPUT: C:\Program Files\McAfee\Common Framework\

Project1.exe 2368 (éste) C:\Users\***00001**\Desktop\Program Opened from\Project1.exe
OUTPUT: C:\Users\***00001**\Desktop\Program Opened from\

TeamViewer.exe 3308 C:\Program Files\TeamViewer\Version9\TeamViewer.exe
OUTPUT: C:\Windows\system32\ (muestra este output porque se cargó como servicio y aparentemente se abre desde ese path)

cheatengine-i386.exe 4320 C:\Misery-PC\Descargas\CE 6.3\CE 6.3\cheatengine-i386.exe
OUTPUT: C:\Misery-PC\Descargas\CE 6.3\CE 6.3\

UdaterUI.exe 5216 C:\Program Files\McAfee\Common Framework\UdaterUI.exe
OUTPUT: C:\Program Files\McAfee\Common Framework\

notepad++.exe 7464 C:\Program Files\Notepad++\notepad++.exe
OUTPUT: C:\Users\***00001**\Desktop\GOTTA DO\ (abrí un txt desde ese lugar)

Si bien no muestra el path del ejecutable, muestra el path desde donde se abrió; seguramente en alguna dirección KERNEL32.DLL+offset debe estar el path original del .exe. Cualquier cosa nueva la posteo.

Saludos.