ProcessBasicInformation vs. New Flags

1. //http://waleedassar.blogspot.com
2. //http://www.twitter.com/waleedassar
3.  
4. //With the "ProcessBasicInformation" class of the "ZwQueryInformationProcess" function, you
5. //can now query certain flags of the "_EPROCESS" structure e.g.
6. //1) The state of whether the process is protected or not (see. audiodg.exe).
7. //2) The state of whether the process is Wow64 or Native64.
8. //3) The state of whether the process is self-delete or not.
9. //N.B. Self-Delete means that the process can only be terminated by self.
10.  
11. #include "stdafx.h"
12. #include "windows.h"
13. #include "stdio.h"
14.  
15.  
16.  
17.  
18. extern "C"
19. {
20.     int __stdcall ZwQueryInformationProcess(HANDLE,unsigned long,void*,unsigned long,unsigned long*);
21.     int __stdcall ZwSetInformationProcess(HANDLE,unsigned long,unsigned long*,unsigned long);
22. }
23.  
24.  
25.  
26.  
27. #define ProcessBasicInformation 0x0
28.  
29. #define ProcessIsProtected 0x1
30. #define ProcessIsWow64     0x2
31. #define ProcessDeleteOrSelfDelete 0x4
32. #define ProcessCrossSectionCreate 0x8
33.  
34. struct PROCESS_BASIC_INFORMATION_EXT
35. {
36.     unsigned long Size;
37.     unsigned long ExitStatus;
38.     unsigned long PebAddress;
39.     unsigned long AffinityMask;
40.     unsigned long BasePriority;
41.     unsigned long UniqueProcessId;
42.     unsigned long ParentProcessId;
43.     unsigned long MiscFlags;
44. };
45.  
46. #define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
47.  
48. void main()
49. {
50.     unsigned long pid=0;
51.     printf("Enter Process Id ");
52.     scanf("%d",&pid);
53.     if(!pid) ExitProcess(0);
54.  
55.     HANDLE hProcess=OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION,TRUE,pid);
56.     if(!hProcess) ExitProcess(0);
57.  
58.  
59.  
60.     PROCESS_BASIC_INFORMATION_EXT B={sizeof(B)};
61.     unsigned long retLength=0;
62.     int ret=ZwQueryInformationProcess(hProcess,ProcessBasicInformation,&B,sizeof(B),&retLength);
63.     if(ret<0) printf("Error: %x\r\n",ret);
64.     else
65.     {
66.         printf("ExitStatus is %x\r\n",B.ExitStatus);
67.         printf("PEB Address is %x\r\n",B.PebAddress);
68.         printf("Process Affinity mask is %x\r\n",B.AffinityMask);
69.         printf("Process Base Priority is %x\r\n",B.BasePriority);
70.         printf("Process Id is %x\r\n",B.UniqueProcessId);
71.         printf("Parent Process Id is %x\r\n",B.ParentProcessId);
72.         if(B.MiscFlags&ProcessIsProtected) printf("Protected: TRUE\r\n");
73.         else                               printf("Protected: FALSE\r\n");
74.  
75.         if(B.MiscFlags&ProcessIsWow64)   printf("Wow64: TRUE\r\n");
76.         else                             printf("Wow64: FALSE\r\n");
77.  
78.         if(B.MiscFlags&ProcessDeleteOrSelfDelete) printf("Self-Delete: TRUE\r\n");
79.         else                                      printf("Self-Delete: FALSE\r\n");
80.  
81.         if(B.MiscFlags&ProcessCrossSectionCreate) printf("CrossSectionCreate: TRUE\r\n");
82.         else                                      printf("CrossSectionCreate: FALSE\r\n");
83.  
84.     }
85.     CloseHandle(hProcess);
86.     ExitProcess(1);
87. }