Bueno, este es un tema que vi en foro.elhacker.net/programacion_visual_basic/abrir_ejecutable_en_un_form_iquestes_posible_abrir_chrome-t429104.0.html (http://foro.elhacker.net/programacion_visual_basic/abrir_ejecutable_en_un_form_iquestes_posible_abrir_chrome-t429104.0.html) para obtener el path de un ejecutable en ejecución sin hooks; aparentemente lo que devuelve es el directorio desde el que se abrió el proceso, no el del .exe. A continuación el código y un par de ejemplos:
Option Explicit
'Win32 API declarations shared by this module and the form (Public so the form can call them).
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
'lpBaseAddress is "ByVal ... As Any" so a Long address can be passed directly; lpBuffer is ByRef
'so the first element of a Byte array can be handed over as the destination.
'NOTE(review): the last parameter is really lpNumberOfBytesRead (ByRef, written by the API);
'the name here looks copied from WriteProcessMemory.
Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Public Declare Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As Long
'Process access rights for OpenProcess. Request only what the operation needs: reading memory
'takes PROCESS_VM_READ (plus PROCESS_QUERY_INFORMATION). A request for PROCESS_ALL_ACCESS is
'denied as soon as any single right in it is unavailable, so it fails on targets that a
'narrower request would open.
Public Const PROCESS_ALL_ACCESS = &H1F0FFF 'Specifies all possible access flags for the process object.
Public Const PROCESS_CREATE_THREAD = &H2 'Enables using the process handle in the CreateRemoteThread function to create a thread in the process.
Public Const PROCESS_DUP_HANDLE = &H40 'Enables using the process handle as either the source or target process in the DuplicateHandle function to duplicate a handle.
Public Const PROCESS_QUERY_INFORMATION = &H400 'Enables using the process handle in the GetExitCodeProcess and GetPriorityClass functions to read information from the process object.
Public Const PROCESS_SET_INFORMATION = &H200 'Enables using the process handle in the SetPriorityClass function to set the priority class of the process.
Public Const PROCESS_TERMINATE = &H1 'Enables using the process handle in the TerminateProcess function to terminate the process.
Public Const PROCESS_VM_OPERATION = &H8 'Enables using the process handle in the VirtualProtectEx and WriteProcessMemory functions to modify the virtual memory of the process.
Public Const PROCESS_VM_READ = &H10 'Enables using the process handle in the ReadProcessMemory function to read from the virtual memory of the process.
Public Const PROCESS_VM_WRITE = &H20 'Enables using the process handle in the WriteProcessMemory function to write to the virtual memory of the process.
Public Const SYNCHRONIZE = &H100000 'Enables using the process handle in any of the wait functions to wait for the process to terminate.
'RtlMoveMemory is a raw memcpy. Both pointer parameters are "ByRef As Any": pass a variable
'(or array element) to use its storage, or "ByVal <address>" to supply a raw pointer.
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (hpvDest As Any, hpvSource As Any, ByVal cbCopy As Long)
'The WideCharToMultiByte function maps a wide-character string to a new character string.
'The function is faster when both lpDefaultChar and lpUsedDefaultChar are NULL.
'CodePage
Private Const CP_ACP = 0 'ANSI
Private Const CP_MACCP = 2 'Mac
Private Const CP_OEMCP = 1 'OEM
Private Const CP_UTF7 = 65000
Private Const CP_UTF8 = 65001
'dwFlags
Private Const WC_NO_BEST_FIT_CHARS = &H400
Private Const WC_COMPOSITECHECK = &H200
Private Const WC_DISCARDNS = &H10
Private Const WC_SEPCHARS = &H20 'Default
Private Const WC_DEFAULTCHAR = &H40
'All pointer parameters are ByVal Long, so callers pass StrPtr()/VarPtr() values (or 0 for NULL).
'Passing cbMultiByte = 0 makes the function return the required buffer size without writing.
Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long, ByVal lpMultiByteStr As Long, ByVal cbMultiByte As Long, ByVal lpDefaultChar As Long, ByVal lpUsedDefaultChar As Long) As Long
'Convert a byte array into a VB String.
'Heuristic: if the first two bytes, read as a 16-bit value, equal the first byte (i.e. the
'second byte is 0) the buffer is treated as UTF-16LE and copied as-is; otherwise it is treated
'as ANSI and widened with StrConv.
'NOTE(review): a genuine ANSI buffer whose second byte happens to be 0 (a one-character string
'followed by its terminator) is misdetected as Unicode.
'NOTE(review): the result is NOT truncated at the first null character; a fixed-size buffer
'(e.g. one filled by ReadProcessMemory) comes back with all its trailing nulls, so callers
'should cut at InStr(result, vbNullChar) before displaying or copying it.
'Errors (e.g. an unallocated array) are swallowed by On Error Resume Next and yield "".
Public Function ByteArrayToString(Bytes() As Byte) As String
Dim iUnicode As Long, i As Long, j As Long 'j is unused
On Error Resume Next
'UBound of an unallocated array raises error 9; Resume Next leaves i = 0.
i = UBound(Bytes)
If (i < 1) Then
'ANSI, just convert to unicode and return
ByteArrayToString = StrConv(Bytes, vbUnicode)
Exit Function
End If
'i is now the number of bytes in the array
i = i + 1
'Examine the first two bytes
CopyMemory iUnicode, Bytes(0), 2
If iUnicode = Bytes(0) Then 'Unicode
'Account for terminating null: drop an odd trailing byte so only whole UTF-16 units are copied
If (i Mod 2) Then i = i - 1
'Set up a buffer to receive the string (i / 2 characters, zero-filled)
ByteArrayToString = String$(i / 2, 0)
'Copy to string
CopyMemory ByVal StrPtr(ByteArrayToString), Bytes(0), i
Else 'ANSI
ByteArrayToString = StrConv(Bytes, vbUnicode)
End If
End Function
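'Convert a VB String to a byte array.
'  strInput           - the string to convert; an empty string yields a zero-length array
'                       (or just the terminator when bAddNullTerminator is True).
'  bReturnAsUnicode   - True: return the raw UTF-16LE bytes of the string's own buffer;
'                       False: convert to the ANSI code page (CP_ACP) with WideCharToMultiByte.
'  bAddNullTerminator - True: append a terminating null (two zero bytes for UTF-16, one for ANSI).
'Returns the byte array. If the ANSI conversion fails, a zero-length array (or a lone
'terminator) is returned instead of a partially written buffer; Err.LastDllError has the cause.
'
'Fixes relative to the original:
'  - an empty input no longer hits ReDim bytBuffer(-1) (run-time error 9);
'  - the UTF-16 terminator is two bytes, not one;
'  - the ANSI path passed cchWideChar = -1 (which also converts the terminator) into a buffer
'    of only Len(strInput) bytes, so without bAddNullTerminator the call failed with
'    ERROR_INSUFFICIENT_BUFFER and the array came back all zeros. The exact character count
'    is now passed and the required size is queried first, which also handles DBCS code pages
'    where a character needs more than one byte.
Public Function StringToByteArray(strInput As String, Optional bReturnAsUnicode As Boolean = True, Optional bAddNullTerminator As Boolean = False) As Byte()
    Dim bytBuffer() As Byte
    Dim lLenB As Long
    Dim lChars As Long
    Dim lNeeded As Long
    Dim lRet As Long

    lChars = Len(strInput)

    If bReturnAsUnicode Then
        'Raw UTF-16LE copy of the string's own buffer.
        lLenB = LenB(strInput)
        If bAddNullTerminator Then
            'A UTF-16 terminator is two zero bytes; ReDim zero-fills them.
            ReDim bytBuffer(lLenB + 1)
        ElseIf lLenB > 0 Then
            ReDim bytBuffer(lLenB - 1)
        Else
            'Nothing to copy: assigning "" to a Byte array yields a zero-length array.
            bytBuffer = ""
        End If
        If lLenB > 0 Then CopyMemory bytBuffer(0), ByVal StrPtr(strInput), lLenB
    Else
        'ANSI (CP_ACP) conversion. First ask for the required size (cbMultiByte = 0) so the
        'buffer is right for multi-byte code pages; pass the exact character count rather
        'than -1 so a terminator is only produced when the caller asked for one.
        If lChars > 0 Then
            lNeeded = WideCharToMultiByte(CP_ACP, 0&, StrPtr(strInput), lChars, 0&, 0&, 0&, 0&)
        End If
        If lNeeded > 0 Then
            If bAddNullTerminator Then ReDim bytBuffer(lNeeded) Else ReDim bytBuffer(lNeeded - 1)
            lRet = WideCharToMultiByte(CP_ACP, 0&, StrPtr(strInput), lChars, VarPtr(bytBuffer(0)), lNeeded, 0&, 0&)
            'A zero return means the conversion failed; do not hand back a half-written buffer.
            If lRet = 0 Then lNeeded = 0
        End If
        If lNeeded = 0 Then
            If bAddNullTerminator Then ReDim bytBuffer(0) Else bytBuffer = ""
        End If
    End If

    StringToByteArray = bytBuffer
End Function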
Option Explicit
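'Read 256 bytes of the target process's memory at a fixed offset inside kernel32.dll, put the
'resulting text on the clipboard and show it. Text1 holds the target PID (Form_Load defaults it
'to our own PID).
'NOTE(review): the offset &HC6320 and the fallback base &H77C50000 belong to one particular
'kernel32.dll build, and the read only lands on the intended data if kernel32 is mapped at the
'same base in the target as in this process. On another Windows version/update the bytes read
'will be something else entirely; treat them as untrusted data, never as a path to act on.
Private Sub Command1_Click()
    'Handles are 32-bit values: keep them in a Long, not a Double.
    Dim hProcess As Long
    'One spare byte beyond the 256 read so the buffer always ends in a null.
    Dim zBytes(256) As Byte
    Dim lBase As Long
    Dim lBytesRead As Long
    Dim sText As String
    Dim lNull As Long

    'Least privilege: ReadProcessMemory needs PROCESS_VM_READ (with PROCESS_QUERY_INFORMATION);
    'PROCESS_ALL_ACCESS is not needed and is refused on targets a narrower request would open.
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0&, Val(Text1.Text))
    If hProcess = 0 Then
        MsgBox "Error al ejecutar OpenProcess. (" & Err.LastDllError & ")"
        Exit Sub
    End If

    'kernel32.dll is already loaded in every Win32 process, so LoadLibraryA just returns its
    'base (the extra reference it adds is harmless for kernel32). The constant is a guess for
    'one specific Windows build and is only used if that call somehow fails.
    lBase = LoadLibraryA("KERNEL32.DLL")
    If lBase = 0 Then lBase = &H77C50000

    'kernel32.dll+C6320 (0x77D16320 with the fallback base)
    If ReadProcessMemory(hProcess, lBase + &HC6320, zBytes(0), 256, lBytesRead) <> 0 Then
        'ByteArrayToString keeps every byte of the buffer; cut at the first null so the
        'trailing junk does not end up on the clipboard or in the message box.
        sText = ByteArrayToString(zBytes)
        lNull = InStr(sText, vbNullChar)
        If lNull > 0 Then sText = Left$(sText, lNull - 1)
        Clipboard.SetText sText
        MsgBox sText
    Else
        MsgBox "Error al ejecutar ReadProcessMemory. (" & Err.LastDllError & ")"
    End If

    'Release the handle on both the success and the failure path.
    Call CloseHandle(hProcess)
End Sub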
'Pre-fill the PID box with this process's own id, so the first click reads our own memory.
Private Sub Form_Load()
    Dim lOwnPid As Long
    lOwnPid = GetCurrentProcessId()
    Text1.Text = CStr(lOwnPid)
End Sub
TaskMgr:
opera.exe 236 C:\Program Files\Opera\20.0.1387.91\opera.exe
OUTPUT: C:\Program Files\Opera\
McTray.exe 1796 C:\Program Files\McAfee\Common Framework\McTray.exe
OUTPUT: C:\Program Files\McAfee\Common Framework\
Project1.exe 2368 (éste) C:\Users\***00001**\Desktop\Program Opened from\Project1.exe
OUTPUT: C:\Users\***00001**\Desktop\Program Opened from\
TeamViewer.exe 3308 C:\Program Files\TeamViewer\Version9\TeamViewer.exe
OUTPUT: C:\Windows\system32\ (muestra este output porque se cargó como servicio y aparentemente se abre desde ese path)
cheatengine-i386.exe 4320 C:\Misery-PC\Descargas\CE 6.3\CE 6.3\cheatengine-i386.exe
OUTPUT: C:\Misery-PC\Descargas\CE 6.3\CE 6.3\
UdaterUI.exe 5216 C:\Program Files\McAfee\Common Framework\UdaterUI.exe
OUTPUT: C:\Program Files\McAfee\Common Framework\
notepad++.exe 7464 C:\Program Files\Notepad++\notepad++.exe
OUTPUT: C:\Users\***00001**\Desktop\GOTTA DO\ (abrí un txt desde ese lugar)
Si bien no muestra el path del ejecutable, muestra el directorio desde donde se abrió el proceso (en los ejemplos parece coincidir con su directorio de trabajo: TeamViewer cargado como servicio da system32 y Notepad++ da la carpeta del .txt que abrí). Ojo: el offset KERNEL32.DLL+C6320 y la base de respaldo &H77C50000 corresponden a una build concreta de kernel32.dll; en otra versión o parche de Windows esa dirección contiene otra cosa y la lectura devuelve basura, así que lo leído hay que tratarlo como datos no confiables y no como un path sobre el que actuar. Seguramente cerca de esa dirección también esté el path original del .exe; cualquier cosa nueva la posteo.
Saludos.