Process32First

From aldeid
Jump to navigation Jump to search

Description

Used to begin enumerating processes from a previous call to CreateToolhelp32Snapshot.

Note
Malware often enumerates through processes to find a process to inject into.

Syntax

BOOL WINAPI Process32First(
  _In_     HANDLE hSnapshot,
  _Inout_  LPPROCESSENTRY32 lppe
);

Parameters

hSnapshot [in]
A handle to the snapshot returned from a previous call to the CreateToolhelp32Snapshot function.
lppe [in, out]
A pointer to a PROCESSENTRY32 structure. It contains process information such as the name of the executable file, the process identifier, and the process identifier of the parent process.

Return value

Returns TRUE if the first entry of the process list has been copied to the buffer or FALSE otherwise. The ERROR_NO_MORE_FILES error value is returned by the GetLastError function if no processes exist or the snapshot does not contain process information.

Remarks

  • The calling application must set the dwSize member of PROCESSENTRY32 to the size, in bytes, of the structure.
  • To retrieve information about other processes recorded in the same snapshot, use the Process32Next function.
Retrieved from "https://www.aldeid.com/w/index.php?title=Process32First&oldid=30555"