Record the process of reverse task manager

keyword ：

Task manager , reverse ,WdcSafeOpenProcess,ResolveImagePath_Desktop,OpenProcess

Preface

Record the process of this reverse task manager , The whole process is relatively pleasant and easy .

There is no detailed analysis of the function implementation of the task manager , In this reverse , only Focus on a function point —— How does the task manager get the process id by 4 Of system Of relevant information ？ Because I've done Windows The process related programming is clear , Microsoft offers API Function except to get System Process name and pid Outside , Other information ( Such as path 、 Command line, etc ) It's impossible to get .

Text

Let's take a look at the display of the task manager ：

Where did the description information of this process come from ？ We can even right-click to open the location of the file ...

First , open IDA, Let's start with a wave of Static analysis ：

From the import table , See how the task manager gets the process handle ( Guess there is special treatment here ？)

We see OpenProcess function , Take a look at how it is called in the task manager , View the of this function Cross reference