#include "Windows.h"
#include "stdio.h"
#include "strsafe.h"
#include "winternl.h"
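/* Returned by NtQueryInformationFile when the caller's buffer is too small for
 * the requested information class. Spelled the way ntstatus.h spells it so it
 * compares as a signed NTSTATUS instead of forcing an unsigned comparison, and
 * guarded because ntstatus.h may already provide the definition. */
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif

/* Buffer layout for information class 47 (FileProcessIdsUsingFileInformation).
 * ProcessIdList[1] follows the Windows header convention for a trailing
 * variable-length array: NumberOfProcessIdsInList entries live in the same
 * buffer, so the caller must size the allocation accordingly. */
typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION
{
    ULONG NumberOfProcessIdsInList;
    ULONG_PTR ProcessIdList[1];
} FILE_PROCESS_IDS_USING_FILE_INFORMATION, *PFILE_PROCESS_IDS_USING_FILE_INFORMATION;

/* NtQueryInformationFile is resolved from ntdll at run time (see
 * GetPidOpeningFilePath) rather than linked, hence this pointer type. */
typedef NTSTATUS(NTAPI *pNtQueryInformationFile)(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass);

/* Returns the first process id reported as holding filePath open, or 0 when
 * the file cannot be opened, the query fails, or no process has it open. */
DWORD GetPidOpeningFilePath(PWCHAR filePath);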
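/* For a fixed list of well-known Windows image paths, print the first process
 * id found holding that file open (0 when none is found or the lookup fails). */
int main(void)
{
    /* Writable buffers rather than string literals because
     * GetPidOpeningFilePath takes a non-const PWCHAR. */
    WCHAR imagePaths[][MAX_PATH] = {
        L"C:\\Windows\\explorer.exe",
        L"C:\\Windows\\System32\\csrss.exe",
        L"C:\\Windows\\System32\\services.exe",
        L"C:\\Windows\\System32\\winlogon.exe",
        L"C:\\Windows\\System32\\lsass.exe",
        L"C:\\Windows\\System32\\spoolsv.exe",
        L"C:\\Windows\\System32\\taskhostw.exe",
        L"C:\\Windows\\System32\\dllhost.exe",
        L"C:\\Windows\\System32\\RuntimeBroker.exe",
        L"C:\\Windows\\System32\\sihost.exe",
    };
    size_t count = sizeof imagePaths / sizeof imagePaths[0];

    for (size_t i = 0; i < count; i++) {
        DWORD pid = GetPidOpeningFilePath(imagePaths[i]);
        /* %ls is the standard spelling of MSVC's %S for a wide string, and
         * DWORD is unsigned long, so %lu matches the argument type. */
        printf("Pid for process %ls = %lu \n", imagePaths[i], (unsigned long)pid);
    }
    return 0;
}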
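/*
 * Look up which process has filePath open by asking the I/O manager for the
 * file's process-id list (information class 47) and return the first entry.
 *
 * filePath: NUL-terminated wide path of the file to query.
 * Returns:  the first process id in the list, or 0 when ntdll's export cannot
 *           be resolved, the file cannot be opened, memory runs out, the query
 *           fails, or the list is empty.
 *
 * Only the first id is returned; the ordering of the list is not documented,
 * so callers that need every holder must read NumberOfProcessIdsInList
 * entries themselves.
 */
DWORD GetPidOpeningFilePath(PWCHAR filePath)
{
    /* Class 47 is not present in every winternl.h, so it is spelled out. */
    const FILE_INFORMATION_CLASS fileProcessIdsClass = (FILE_INFORMATION_CLASS)47;
    const ULONG growStep = 8192;
    DWORD retPid = 0;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    PFILE_PROCESS_IDS_USING_FILE_INFORMATION pfpiufi = NULL;
    ULONG pfpiufiLen = growStep;
    IO_STATUS_BLOCK iosb;
    NTSTATUS status;
    pNtQueryInformationFile NtQueryInformationFile;

    /* ntdll is mapped into every process, so GetModuleHandle suffices and
     * does not bump the module's load count the way LoadLibrary would. */
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (ntdll == NULL) {
        return 0;
    }
    NtQueryInformationFile = (pNtQueryInformationFile)GetProcAddress(ntdll, "NtQueryInformationFile");
    if (NtQueryInformationFile == NULL) {
        return 0;
    }

    /* FILE_READ_ATTRIBUTES with full sharing is enough to obtain a handle on a
     * file that other processes currently have open. CreateFileW is named
     * explicitly because filePath is always a wide string. */
    hFile = CreateFileW(filePath, FILE_READ_ATTRIBUTES, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        return 0;
    }

    pfpiufi = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pfpiufiLen);
    if (pfpiufi == NULL) {
        goto cleanup;
    }

    status = NtQueryInformationFile(hFile, &iosb, pfpiufi, pfpiufiLen, fileProcessIdsClass);
    /* Grow the buffer until the kernel stops reporting it as too small. */
    while (status == STATUS_INFO_LENGTH_MISMATCH) {
        PFILE_PROCESS_IDS_USING_FILE_INFORMATION grown;

        /* Unsigned wrap check: a ULONG length cannot exceed 4 GiB anyway. */
        if (pfpiufiLen + growStep < pfpiufiLen) {
            goto cleanup;
        }
        pfpiufiLen += growStep;
        /* Keep the old pointer so it is still freed if the reallocation fails. */
        grown = (PFILE_PROCESS_IDS_USING_FILE_INFORMATION)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pfpiufi, pfpiufiLen);
        if (grown == NULL) {
            goto cleanup;
        }
        pfpiufi = grown;
        status = NtQueryInformationFile(hFile, &iosb, pfpiufi, pfpiufiLen, fileProcessIdsClass);
    }

    /* Only trust the buffer contents after a successful query; on failure the
     * zeroed allocation would otherwise read as "no processes". */
    if (NT_SUCCESS(status) && pfpiufi->NumberOfProcessIdsInList >= 1) {
        /* We return only the first pid; it is usually the one wanted. Process
         * ids fit in 32 bits, so narrowing from ULONG_PTR is safe. */
        retPid = (DWORD)pfpiufi->ProcessIdList[0];
    }

cleanup:
    if (pfpiufi != NULL) {
        HeapFree(GetProcessHeap(), 0, pfpiufi);
    }
    CloseHandle(hFile);
    return retPid;
}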