Let’s take for example notepad. How can I in my application be 100% sure whether notepad is running or not?
By 100% I mean, if there is another process whose name is “notepad.exe” which in fact is not a real notepad but for example an imitation, I don’t want to detect it. Only real notepads.
I’ve already thought about reading the process memory but it’s more difficult than it appears to be, because of memory displacements etc.
The standard way is by name, right? But for me it is really important, that it is not any other program since I want to interact with it what would critical fail if I found a wrong process.
Does anyone know a good way of doing this?
PS: There is no specific programming language to do it in. If possible I would prefer an indipendent solution. But if required, I specifically use .Net/C#.
The only way to be 99.9%1 sure you’re looking at the right executable is to validate the file’s digital signature. For example, you’d ensure that the notepad.exe in question was signed by “Microsoft Corporation”.
I’d do something like this:
This method avoids issues like having to know ahead of time where the file should be located (which is nearly impossible – Notepad is installed in two locations), what its hash value should be (obviously bound to change), or strange user behavior (replacing Notepad with some other text editor).
1 – of course, it’s impossible to be 100% sure. Someone really determined could self-sign an executable with the expected signer name and add the certificate to their machine’s root store, causing the signature to appear valid.