Enumerate Process via Error / Exception - Delphi
Description
This process enumeration technique identifies running processes by brute-forcing Process IDs (PIDs) and attempting to open them using APIs that require a valid PID (e.g., OpenProcess). This approach intentionally avoids using standard enumeration methods such as CreateToolhelp32Snapshot or NtQuerySystemInformation, which are commonly used to list all processes.
On Windows, PIDs start from 0 (typically reserved for the System Idle Process) and can go up to the maximum value defined by the system (commonly 0xFFFFFFFF or HIGH(DWORD)).
Instead of retrieving a list of all active processes using standard system calls, this technique:
- Iterates through a range of possible PIDs, typically from 0 to the maximum.
- For each PID, it attempts to call OpenProcess (or another API that depends on a valid PID) with limited access rights.
- If OpenProcess succeeds, it implies the PID is valid and represents a running process.
Once a handle is obtained, additional information (such as the process name, image path, or memory usage) can be queried using other APIs like GetModuleBaseName or QueryFullProcessImageName.

DarkCoderSc
Jean-Pierre LESUEUR
// GetProcessName_QueryFullProcessImageName is a helper that is not shown on this page.
for var I := 0 to High(Cardinal) - 1 do begin
  try
    var AProcessName := GetProcessName_QueryFullProcessImageName(I);
    WriteLn(Format('%s (%d)', [
      ExtractFileName(AProcessName),
      I
    ]));
  except
    // Ignore: GetProcessName_QueryFullProcessImageName raises an exception on failure
  end;
end;
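Seen from the monitoring side, the loop above produces one caller issuing a dense run of OpenProcess calls against ascending PIDs, nearly all of which fail. The following is an added detection example, not code from the original page or its author, that scores this pattern over constructed API-trace records. The record layout, thresholds and function names are assumptions, and it relies on OpenProcess reporting ERROR_INVALID_PARAMETER (87) for a PID that does not exist.

```python
from collections import defaultdict

ERROR_INVALID_PARAMETER = 87  # OpenProcess error for a PID that does not exist

# Constructed sample trace: (time_s, caller_pid, api, target_pid, win32_error).
# Caller 4321 walks PIDs 0..599 in order; caller 900 behaves like a normal tool.
SAMPLE_EVENTS = [
    (10.0 + i * 0.001, 4321, "OpenProcess", pid, 0 if pid in (4, 348, 592) else 87)
    for i, pid in enumerate(range(600))
] + [
    (11.0, 900, "OpenProcess", 348, 0),
    (11.5, 900, "OpenProcess", 592, 5),   # 5 = ERROR_ACCESS_DENIED
    (12.0, 900, "OpenProcess", 7777, 87),
]

def score_burst(burst):
    """Summarise one burst of (time_s, target_pid, win32_error) calls."""
    targets = [target for _, target, _ in burst]
    invalid = sum(err == ERROR_INVALID_PARAMETER for _, _, err in burst)
    ascending = sum(b > a for a, b in zip(targets, targets[1:]))
    return {
        "calls": len(burst),
        "invalid_ratio": invalid / len(burst),
        "ascending_ratio": ascending / max(len(burst) - 1, 1),
        "first_pid": targets[0],
        "last_pid": targets[-1],
    }

def find_pid_sweeps(events, gap_s=1.0, min_calls=100, min_invalid=0.8, min_ascending=0.9):
    """Return {caller_pid: [burst stats]} for bursts that look like a PID sweep."""
    by_caller = defaultdict(list)
    for ts, caller, api, target, err in sorted(events):
        if api == "OpenProcess":
            by_caller[caller].append((ts, target, err))
    findings = defaultdict(list)
    for caller, calls in by_caller.items():
        burst = []
        for call in calls + [None]:  # trailing None flushes the last burst
            if call is not None and (not burst or call[0] - burst[-1][0] <= gap_s):
                burst.append(call)
                continue
            stats = score_burst(burst)
            if (stats["calls"] >= min_calls and stats["invalid_ratio"] >= min_invalid
                    and stats["ascending_ratio"] >= min_ascending):
                findings[caller].append(stats)
            burst = [call] if call is not None else []
    return dict(findings)
```

The thresholds are starting points to tune against the API telemetry actually available; a caller that only opens a handful of known PIDs, as caller 900 does in the sample, stays below them.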
Implemented By Technique
Created
April 14, 2025
Last Revised
April 14, 2025