How does the debugger identify a VDF process?



Have you ever wondered how the Studio/Debugger identifies which processes show up in its process list?

The debugger simply enumerates all the processes that have a certain named shared-memory object. So, if you want to fake a VDF process from a C++ program, you can do so by creating a file mapping object named "VDF%Version%CTX%ProcessId%". For example, to fake a VDF 19 process, %Version% would be "190". %ProcessId% is the actual process identifier in 32-bit hex form (thus 8 characters long). This is just a piece of random knowledge, which may or may not serve any real purpose. Anyway, here is a C++ snippet to show you how it's done.

#include <windows.h>

// Creates the named file mapping the debugger looks for: "VDF<version>CTX<pid as 8 hex digits>".
void FakeVDF(DWORD dwVersion)
{
	TCHAR szProcessId[20];
	wsprintf(szProcessId, TEXT("VDF%uCTX%.8lX"), dwVersion, GetCurrentProcessId());
	HANDLE hMap = CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, 32, szProcessId);
	// The mapping exists only while the handle is open, so the process shows up as VDF
	// for as long as this message box is on screen.
	MessageBox(NULL, szProcessId, NULL, 0);
	CloseHandle(hMap);
}

int main()
{
	FakeVDF(190); // "190" = VDF 19
	return 0;
}
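The debugger's side of the same mechanism, as an added example that is not from the post: a Python/ctypes scan that probes each PID for the "VDF190CTX<pid>" mapping, plus a parser for the name format. The function names are mine; it assumes only the documented Win32 calls kernel32!OpenFileMappingW and psapi!EnumProcesses and therefore runs on Windows, and since any process can create that object (as the snippet above shows) a hit means a process advertises itself as VDF 19, not that it is one.

```python
import ctypes
import re

# Post's format: "VDF" + version + "CTX" + PID as 8 hex digits. No "Global\" prefix, so the
# object is session-local and this scan only sees processes in the caller's own session.
_VDF_CTX_RE = re.compile(r"^VDF(\d+)CTX([0-9A-Fa-f]{8})$")
FILE_MAP_READ = 0x0004

def vdf_context_name(version: int, pid: int) -> str:
    """Same string the C++ snippet builds with wsprintf("VDF%uCTX%.8lX")."""
    return f"VDF{version}CTX{pid:08X}"

def parse_vdf_context_name(name: str):
    """Return (version, pid) for a well-formed VDF context name, else None."""
    m = _VDF_CTX_RE.match(name)
    return None if m is None else (int(m.group(1)), int(m.group(2), 16))

def has_vdf_mapping(version: int, pid: int) -> bool:
    """True if a section object named vdf_context_name(version, pid) exists (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenFileMappingW.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p)
    k32.OpenFileMappingW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = (ctypes.c_void_p,)
    h = k32.OpenFileMappingW(FILE_MAP_READ, 0, vdf_context_name(version, pid))
    if not h:
        # 5 = ERROR_ACCESS_DENIED: the object exists but its ACL refuses us; still count it.
        return ctypes.get_last_error() == 5
    k32.CloseHandle(h)
    return True

def enum_pids():
    """All PIDs via psapi!EnumProcesses, doubling the buffer until it is not full (Windows only)."""
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    count = 1024
    while True:
        pids = (ctypes.c_uint32 * count)()
        needed = ctypes.c_uint32(0)
        if not psapi.EnumProcesses(pids, ctypes.sizeof(pids), ctypes.byref(needed)):
            raise ctypes.WinError(ctypes.get_last_error())
        if needed.value < ctypes.sizeof(pids):
            return pids[: needed.value // 4]
        count *= 2

def find_vdf_processes(version: int, pids=None):
    """The debugger's test: every PID that exposes the VDF context mapping for `version`."""
    return [pid for pid in (enum_pids() if pids is None else pids) if has_vdf_mapping(version, pid)]

if __name__ == "__main__":
    print("VDF 19 processes in this session:", find_vdf_processes(190))
```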