# Process Enumeration

### Enumerating Windows Processes with the WinAPI – A Practical Guide for Malware Development

⚠️ This content is for educational and research purposes only. Unauthorized use or deployment of malware is illegal.

## 🧠 Process Enumeration in Malware

A technique used by malicious software to identify the processes running on a system.

* **Purpose:** To find a legitimate process into which the malware can inject its code, and to evaluate the system environment (installed security tools, user activity) before acting.
* **Function:** It gathers the list of running process IDs with APIs such as `EnumProcesses`, resolves each ID to an image name, and selects targets based on criteria such as the name and the access rights it can obtain on the process.
* **Risks:** Provides the reconnaissance that stealthy injection, privilege escalation, lateral movement, and data theft build on.

### 🔍 What is Process Enumeration?

Process enumeration is a technique used by malware to identify and analyze the processes running on a system. It helps the malware hide its activity inside another process or target a specific process.

### 💡 Why is it used?

It is used to determine suitable processes for malicious code injection, allowing the malware to blend in with legitimate system processes, and to assess the system environment (for example, whether a security product is running) to avoid detection.

### ⚙️ What does it do?

It queries the system for running processes, filters them by criteria such as image name and the privileges it can obtain over them, and may additionally use window-enumeration APIs (`EnumWindows`) to find processes that own a visible window. The code on this page uses `EnumProcesses` only.

### 🚨 What are the risks?

It allows malware to operate undetected inside a trusted process, and it is the first step before privilege escalation, lateral movement across networks, and theft of sensitive information.

---

### Windows API Functions Utilized

| **Function** | **Description** | **Documentation** |
| --- | --- | --- |
| `EnumProcesses` | Retrieves the process identifier for each process object in the system. | [View Docs](https://learn.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumprocesses) |
| `GetStdHandle` | Retrieves a handle to the specified standard device (input, output, or error). | [View Docs](https://learn.microsoft.com/en-us/windows/console/getstdhandle) |
| `OpenProcess` | Opens an existing local process object. | [View Docs](https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess) |
| `EnumProcessModules` | Retrieves a handle for each module in the specified process. | [View Docs](https://learn.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumprocessmodules) |
| `GetModuleBaseNameW` | Retrieves the base name of the specified module. | [View Docs](https://learn.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-getmodulebasenamew) |
| `SetConsoleTextAttribute` | Sets the attributes of characters written to the console screen buffer. | [View Docs](https://learn.microsoft.com/en-us/windows/console/setconsoletextattribute) |
| `MessageBoxW` | Displays a modal dialog box that contains a system icon, a set of buttons, and a message. | [View Docs](https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-messageboxw) |
| `CloseHandle` | Closes an open object handle. | [View Docs](https://learn.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-closehandle) |

---

### 1. **Includes**

```c
#include <windows.h>
#include <psapi.h>
#include <stdio.h>
#include <wchar.h>    // _wcsicmp, swprintf, wprintf

#pragma comment(lib, "psapi.lib")   // MSVC: link the PSAPI functions. MinGW: pass -lpsapi instead
```

Imports the Windows API (`windows.h`), the process module functions (`psapi.h`), standard I/O (`stdio.h`) and the wide-string functions (`wchar.h`). The PSAPI functions live in `psapi.lib`, so the program must be linked against it (the `#pragma` does that for MSVC; with MinGW add `-lpsapi` to the link line).

### 2. **PrintAllProcesses Function and Process List**

```c
void PrintAllProcesses() {
    DWORD processes[1024], cbNeeded;

    if (!EnumProcesses(processes, sizeof(processes), &cbNeeded))
        return;
```

Defines the function that enumerates processes. `EnumProcesses` fills the array with up to 1024 process IDs and returns the number of bytes written in `cbNeeded`. Caveat: if `cbNeeded` comes back equal to `sizeof(processes)`, the array may have been too small and the call should be repeated with a larger buffer; a fixed 1024-entry array is enough for a typical workstation but is a known limitation of this snippet.

### 3. **Process Count and Console Setup**

```c
    DWORD count = cbNeeded / sizeof(DWORD);
    HANDLE console = GetStdHandle(STD_OUTPUT_HANDLE);
    BOOL found = FALSE;
```

Converts the byte count into the number of process IDs, gets a console handle for colored output, and sets a flag to track whether `notepad.exe` has been found.

### 4. **Loop Through Processes**

```c
    for (DWORD i = 0; i < count; i++) {
        DWORD pid = processes[i];
        if (pid == 0) continue;   // System Idle Process cannot be opened

        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
        if (!hProcess) continue;  // access denied (protected or elevated process): skip it
```

Iterates over the process IDs, skips PID 0 (the System Idle Process, which cannot be opened), and opens a handle with `PROCESS_QUERY_INFORMATION | PROCESS_VM_READ`, the rights that `EnumProcessModules` and `GetModuleBaseNameW` require. `OpenProcess` fails with access denied for protected processes, for processes of another user, and for elevated processes when the enumerator itself is not elevated; those are silently skipped, so a non-elevated run lists noticeably fewer processes than Task Manager. Run the program from an elevated prompt to see more of them.

### 5. **Get Process Name**

```c
        HMODULE hMod;
        WCHAR name[MAX_PATH] = L"<unknown>";
        DWORD cbNeededModules;

        // The first module of a process is always its main executable
        if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeededModules)) {
            GetModuleBaseNameW(hProcess, hMod, name, MAX_PATH);
        }
```

Declares the variables for module handling. `EnumProcessModules` is called with room for a single handle, which yields the first module of the process; that is always the main executable, so `GetModuleBaseNameW` on it returns the process name. If the call fails the name stays `<unknown>`. Caveat: a 32-bit build of this program cannot enumerate the modules of 64-bit processes, so build for the same architecture as the processes you want to see.

### 6. **Check for Notepad.exe**

```c
        if (_wcsicmp(name, L"notepad.exe") == 0) {
            SetConsoleTextAttribute(console, 10);  // Green
            wprintf(L"[PID: %-5lu] %ls\n", pid, name);
            SetConsoleTextAttribute(console, 7);   // Default

            if (!found) {
                WCHAR msg[100];
                swprintf(msg, 100, L"Found Notepad.exe! PID: %lu", pid);
                MessageBoxW(NULL, msg, L"Process Found", MB_OK | MB_ICONINFORMATION);
                found = TRUE;
            }
        } else {
            wprintf(L"[PID: %-5lu] %ls\n", pid, name);
        }
```

Compares the process name to `notepad.exe` case-insensitively with `_wcsicmp`. If it matches, the line is printed in green (attribute 10 = intense green, 7 = the default gray), a message box is shown for the first match only, and `found` is set to `TRUE`. Otherwise the process is printed normally. `%ls` is used for the wide-character name so the format string works on both MSVC and MinGW.

### 7. **Clean Up and Not Found Case**

```c
        CloseHandle(hProcess);
    }

    if (!found) {
        SetConsoleTextAttribute(console, 12);  // Red
        wprintf(L"[-] Notepad.exe Not Found\n");
        SetConsoleTextAttribute(console, 7);   // Default
    }
}
```

Closes each process handle so handles are not leaked, and ends the loop. After the loop, if `notepad.exe` was never found, prints a red message (attribute 12 = intense red) and resets the console color.

### 8. **Main Function**

```c
int main() {
    PrintAllProcesses();
    return 0;
}
```

Entry point of the program. Calls `PrintAllProcesses` and exits with status 0.

---

### Output

If Notepad is found

![image](https://hackmd.io/_uploads/rywzWklMll.png)

![image](https://hackmd.io/_uploads/Sy_G-kgMge.png)

If Notepad is not found

![image](https://hackmd.io/_uploads/ryjQW1eMee.png)