flat assembler
Message board for the users of flat assembler.
Thread (Windows forum): Please help me by my FASM code problem
AsmGuru62 13 Apr 2012, 16:07
Few things:
1. You use EAX for getmodules and getbasename; however, the handle is in EBX and EAX is getting killed.
2. printf is called by cinvoke, not by invoke.
It is possible a few more issues are there. Anyhow, I have fixed your code, but it always returns "ACCESS DENIED". Here is the code:
Code:
; ---------------------------------------------------------------------------
; FILE: A1.Asm
; DATE: April 13, 2012
; ---------------------------------------------------------------------------
format PE CONSOLE 4.0
entry start
stack 4000h, 4000h
include 'Win32A.Inc'
; {INSMODDEF} Module Definitions inserted immediately before this line
; ---------------------------------------------------------------------------
section '.data' data readable writeable
NumProcesses dd 0
NumModules dd 0
; ---------------------------------------------------------------------------
acc_den db '<ACCESS DENIED>',0
printv db '%s PID: %d',0Dh,0Ah,0
printerr db 'LAST ERROR: %08Xh PID: %d',0Dh,0Ah,0
strbuf rb 261
; ---------------------------------------------------------------------------
align 4
ArrModules rd 1024
ArrProcesses rd 1024
; ---------------------------------------------------------------------------
section '.code' code readable executable
; {INSMODIMPL} Module Implementations inserted immediately before this line
; ---------------------------------------------------------------------------
; PROGRAM ENTRY POINT
; ---------------------------------------------------------------------------
align 32
start:
;
; TODO: your application code goes here ...
;
mov esi,ArrProcesses
invoke enumproc,esi,1024*4,NumProcesses
test eax,eax
jz .error
;
; NumProcesses is a byte count: convert it to a number of IDs and
; bail out if it is zero, otherwise the DEC/JNZ loop below wraps around
;
mov ecx, [NumProcesses]
shr ecx, 2
jz .error
.next_process:
push ecx
;
; skip IDs = 0 (why are these returned btw?!..)
;
cmp dword [esi], 0
je .skip
;
; open process using its ID and store handle into EBX,
; because EBX is not disturbed by API calls.
;
invoke openproc,0400h,0,[esi]
mov ebx,eax
;
; skip in case can't open this process
;
test eax,eax
jz .skip
;
; get a list of HMODULEs for the process
;
invoke getmodules,ebx,ArrModules,4*1024,NumModules
test eax,eax
jz .cant_get_modules
;
; another loop needed here to enumerate all modules in
; filled vector 'ArrModules' -- for now I am just passing
; NULL as HMODULE to receive the name for a main file,
; which started this process.
;
invoke getbasename,ebx,0,strbuf,261
;
; do not forget to close it
;
invoke closeit,ebx
;
; report it to console
;
.report:
cinvoke printf,printv,strbuf,[esi]
jmp .skip
.no_access:
invoke strcopy,strbuf,acc_den
jmp .report
.cant_get_modules:
;
; read the error code first (CloseHandle would overwrite it),
; then close the handle so it is not leaked on this path either
;
invoke LastErr
push eax
invoke closeit,ebx
pop eax
cmp eax, 5
je .no_access
cinvoke printf,printerr,eax,[esi]
;
; next process ID from array
;
.skip:
add esi,4
pop ecx
dec ecx
jnz .next_process
invoke terminate,0
.error:
ret
; ---------------------------------------------------------------------------
section '.idata' import data readable writeable
library psapi,'psapi.dll',msclib,'msvcrt.dll',kernel32,'Kernel32.dll'
import psapi,enumproc,'EnumProcesses',getbasename,'GetModuleBaseNameA',\
getmodules,'EnumProcessModules'
import msclib,printf,'printf'
import kernel32,closeit,'CloseHandle',LastErr,'GetLastError',\
strcopy,'lstrcpyA',\
terminate,'ExitProcess',openproc,'OpenProcess'

Now, I will try the Tool Help.
Picnic 13 Apr 2012, 16:46
AsmGuru62 wrote:
> Anyhow, I have fixed your code, but it always returns "ACCESS DENIED".

Try this change on the flag bits.
PROCESS_QUERY_INFORMATION = 0400h
PROCESS_VM_READ = 010h
Code:
invoke openproc,0410h,0,dword[esi]
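Added example (my own code, not from anyone in this thread): it combines the two points above, opening each process with PROCESS_QUERY_INFORMATION or PROCESS_VM_READ (0410h, as Picnic suggests) and then implementing the inner loop that the first post left as a TODO, walking the HMODULE array filled by EnumProcessModules and printing the base name of every module (the first entry is always the main EXE). The file name, the MAX_ENTRIES limit and the format strings are my own choices; the constants are redefined locally so the program does not depend on what Win32A.Inc already provides. Processes that refuse the open report "<ACCESS DENIED>" instead of being silently skipped, and the handle is closed on every path.

```asm
; ---------------------------------------------------------------------------
; FILE: ListMods.Asm   (added example, not code from the thread)
; For every PID from EnumProcesses: open it with 0410h, list its modules.
; ---------------------------------------------------------------------------
format PE CONSOLE 4.0
entry start
stack 4000h, 4000h
include 'Win32A.Inc'

PROCESS_QUERY_INFORMATION = 0400h
PROCESS_VM_READ           = 0010h
OPEN_RIGHTS               = PROCESS_QUERY_INFORMATION or PROCESS_VM_READ ; 0410h
ERROR_ACCESS_DENIED       = 5
MAX_ENTRIES               = 1024        ; room for 1024 PIDs / 1024 HMODULEs

section '.data' data readable writeable
fmt_proc db 'PID %5u:',0Dh,0Ah,0
fmt_mod  db '    %s',0Dh,0Ah,0
fmt_deny db 'PID %5u: <ACCESS DENIED>',0Dh,0Ah,0
fmt_err  db 'PID %5u: <error %u>',0Dh,0Ah,0
cbNeeded dd 0
name_buf rb 261
align 4
pids     rd MAX_ENTRIES
mods     rd MAX_ENTRIES

section '.code' code readable executable
start:
        invoke  EnumProcesses, pids, MAX_ENTRIES*4, cbNeeded
        test    eax, eax
        jz      .exit
        mov     ecx, [cbNeeded]
        shr     ecx, 2                  ; bytes returned -> number of PIDs
        jz      .exit
        mov     esi, pids               ; ESI walks the PID array
.next_pid:
        push    ecx
        cmp     dword [esi], 0          ; PID 0 is the Idle pseudo-process
        je      .skip
        mov     eax, [esi]
        invoke  OpenProcess, OPEN_RIGHTS, 0, eax
        test    eax, eax
        jz      .open_failed
        mov     ebx, eax                ; EBX = process handle (callee-saved)
        invoke  EnumProcessModules, ebx, mods, MAX_ENTRIES*4, cbNeeded
        test    eax, eax
        jz      .enum_failed
        mov     edx, [esi]
        cinvoke printf, fmt_proc, edx
        mov     ecx, [cbNeeded]
        shr     ecx, 2                  ; -> number of HMODULEs actually filled
        jz      .close
        cmp     ecx, MAX_ENTRIES
        jbe     .walk
        mov     ecx, MAX_ENTRIES        ; cbNeeded may exceed the buffer: clamp
.walk:
        mov     edi, mods               ; EDI walks the HMODULE array
.next_mod:
        push    ecx
        mov     eax, [edi]
        invoke  GetModuleBaseNameA, ebx, eax, name_buf, 261
        cinvoke printf, fmt_mod, name_buf
        add     edi, 4
        pop     ecx
        dec     ecx
        jnz     .next_mod
.close:
        invoke  CloseHandle, ebx
        jmp     .skip
.enum_failed:
        invoke  GetLastError            ; read the code before CloseHandle clobbers it
        push    eax
        invoke  CloseHandle, ebx
        pop     eax
        jmp     .report
.open_failed:
        invoke  GetLastError
.report:
        mov     edx, [esi]
        cmp     eax, ERROR_ACCESS_DENIED
        jne     .report_err
        cinvoke printf, fmt_deny, edx
        jmp     .skip
.report_err:
        cinvoke printf, fmt_err, edx, eax
.skip:
        add     esi, 4
        pop     ecx
        dec     ecx
        jnz     .next_pid
.exit:
        invoke  ExitProcess, 0

section '.idata' import data readable writeable
library kernel32,'KERNEL32.DLL', psapi,'PSAPI.DLL', msvcrt,'MSVCRT.DLL'
import kernel32, OpenProcess,'OpenProcess', CloseHandle,'CloseHandle',\
                 GetLastError,'GetLastError', ExitProcess,'ExitProcess'
import psapi,    EnumProcesses,'EnumProcesses',\
                 EnumProcessModules,'EnumProcessModules',\
                 GetModuleBaseNameA,'GetModuleBaseNameA'
import msvcrt,   printf,'printf'
```

Memory operands are loaded into a register before each invoke so the argument size never depends on how the pushd macro treats a bare [esi]; EBX, ESI and EDI survive the API calls because they are callee-saved, while ECX is pushed around each call. Run it from an elevated console if you want to see the modules of processes owned by other users; everything else reports "<ACCESS DENIED>" exactly like the first post.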
AsmGuru62 13 Apr 2012, 18:35
Thanks, Picnic.
I tried the snapshot and it works (not on all processes):
Code:
; ---------------------------------------------------------------------------
; FILE: A2.Asm
; DATE: April 13, 2012
; ---------------------------------------------------------------------------
format PE CONSOLE 4.0
entry start
stack 4000h, 4000h
include 'Win32A.Inc'
; ---------------------------------------------------------------------------
virtual at 0
PROCESSENTRY32:
.dwSize dd ?
.dwUnused1 dd ?
.dwProcessID dd ?
.dwUnused2 dd ?
.dwUnused3 dd ?
.dwNumThreads dd ?
.dwParentID dd ?
.lBasePriCls dd ?
.dwUnused4 dd ?
.szExeFile rb MAX_PATH
.size = $
end virtual
; ---------------------------------------------------------------------------
section '.data' data readable writeable
fmt db '%60s PID: %5d',0Dh,0Ah,0
; ---------------------------------------------------------------------------
section '.code' code readable executable
align 32
GetFullExeDir:
; ---------------------------------------------------------------------------
; EDI = address into PROCESSENTRY32 structure
; ---------------------------------------------------------------------------
pusha
;
; get process handle to query information
;
invoke OpenProcess, 0400h, 0, [edi + PROCESSENTRY32.dwProcessID]
mov ebx, eax
test eax, eax
jz .exit
;
; put the EXE dir back into PROCESSENTRY32 structure
;
lea esi, [edi + PROCESSENTRY32.szExeFile]
invoke GetProcessImageFileName, ebx, esi, MAX_PATH
invoke CloseHandle, ebx
.exit:
popa
ret
; ---------------------------------------------------------------------------
; PROGRAM ENTRY POINT
; ---------------------------------------------------------------------------
align 32
start:
;
; include all processes into snapshot
; (returns INVALID_HANDLE_VALUE = -1 on failure, not 0)
;
invoke CreateToolhelp32Snapshot, 2, 0
cmp eax, -1
je .fail
mov ebx, eax
;
; Allocate PROCESSENTRY32 structure on stack and set EDI to it
;
sub esp, PROCESSENTRY32.size
mov edi, esp
;
; get the 1st process info
;
mov dword [edi + PROCESSENTRY32.dwSize], PROCESSENTRY32.size
invoke Process32First, ebx, edi
;
; can't be! no 1st process!!?? no way!
; who is running THIS CODE then?.. not really need that.
;
test eax, eax
jz .done
;
; report the info on console
;
.report:
;
; This function will try to get the full dir for EXE files for
; processes, but may fail due to the fact that some processes are
; not allowed to be queried by a USER MODE application, only from KERNEL MODE.
; You can comment this out and then you will get only EXE names - without path.
;
call GetFullExeDir
lea eax, [edi + PROCESSENTRY32.szExeFile]
cinvoke printf, fmt, eax, [edi + PROCESSENTRY32.dwProcessID]
;
; In a loop get all other processes
;
invoke Process32Next, ebx, edi
;
; need this one check -- otherwise, endless loop!
;
test eax, eax
jnz .report
.done:
;
; cleanup:
; - restore stack
; - close snapshot handle
; - quit back to Windows
;
add esp, PROCESSENTRY32.size
invoke CloseHandle, ebx
invoke ExitProcess, 0
.fail:
invoke ExitProcess, 1
; ---------------------------------------------------------------------------
section '.idata' import data readable writeable
library kernel32,'KERNEL32.DLL',msclib,'MSVCRT.DLL',psapi,'PSAPI.DLL'
import psapi,GetProcessImageFileName,'GetProcessImageFileNameA'
import msclib,printf,'printf'
import kernel32,CreateToolhelp32Snapshot,'CreateToolhelp32Snapshot',\
CloseHandle,'CloseHandle',\
OpenProcess,'OpenProcess',\
Process32First,'Process32First',\
Process32Next,'Process32Next',\
ExitProcess,'ExitProcess'

@badc0de: The function GetProcessImageFileName is in PSAPI.DLL, but in Win 7 it is in KERNEL32.DLL, so to make this code work in Win 7 you need to make some changes. I am not sure how to make one EXE work in both cases: Win 7 and Win XP. Probably with GetVersion and LoadLibrary/GetProcAddress. I am not doing it now, however, for simplicity.
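Added example (my own code, not AsmGuru62's) for the open question at the end of the post above, one EXE that runs on both Win XP and Win 7: instead of a static import, the function is resolved at run time. KERNEL32.DLL is probed first for K32GetProcessImageFileNameA (the name it carries there from Windows 7 on), and PSAPI.DLL is loaded as the fallback for GetProcessImageFileNameA on older systems. Probing with GetProcAddress avoids any GetVersion test. The file name, the ResolveImageName routine and the pfnImageName variable are my own; the program prints the image path of its own process, so no OpenProcess rights are involved.

```asm
; ---------------------------------------------------------------------------
; FILE: ImgName.Asm   (added example, not code from the thread)
; Resolve GetProcessImageFileNameA at run time, whichever DLL exports it.
; ---------------------------------------------------------------------------
format PE CONSOLE 4.0
entry start
stack 4000h, 4000h
include 'Win32A.Inc'

section '.data' data readable writeable
kernel32_name db 'KERNEL32.DLL',0
psapi_name    db 'PSAPI.DLL',0
k32_fn        db 'K32GetProcessImageFileNameA',0      ; Windows 7 and later
psapi_fn      db 'GetProcessImageFileNameA',0         ; Windows XP / Vista
fmt_ok        db 'image: %s',0Dh,0Ah,0
fmt_fail      db 'GetProcessImageFileName not available (error %u)',0Dh,0Ah,0
pfnImageName  dd 0              ; function pointer filled by ResolveImageName
path_buf      rb 261

section '.code' code readable executable

; ---------------------------------------------------------------------------
; ResolveImageName: stores the function address in pfnImageName.
; Returns EAX = address, or 0 if neither DLL provides the function.
; ---------------------------------------------------------------------------
ResolveImageName:
        invoke  GetModuleHandleA, kernel32_name     ; kernel32 is always loaded
        invoke  GetProcAddress, eax, k32_fn
        test    eax, eax
        jnz     .found
        invoke  LoadLibraryA, psapi_name            ; older Windows: try PSAPI
        test    eax, eax
        jz      .found                              ; EAX = 0 -> not available
        invoke  GetProcAddress, eax, psapi_fn
.found:
        mov     [pfnImageName], eax
        ret

start:
        call    ResolveImageName
        test    eax, eax
        jz      .missing
        invoke  GetCurrentProcess                   ; pseudo-handle of this process
        ;
        ; invoke always calls through [name], exactly as it does for an
        ; import-table entry, so the resolved pointer is used the same way:
        ; DWORD WINAPI GetProcessImageFileNameA(HANDLE, LPSTR, DWORD)
        ;
        invoke  pfnImageName, eax, path_buf, 261
        test    eax, eax
        jz      .missing
        cinvoke printf, fmt_ok, path_buf
        invoke  ExitProcess, 0
.missing:
        invoke  GetLastError
        cinvoke printf, fmt_fail, eax
        invoke  ExitProcess, 1

section '.idata' import data readable writeable
library kernel32,'KERNEL32.DLL', msvcrt,'MSVCRT.DLL'
import kernel32, GetModuleHandleA,'GetModuleHandleA',\
                 GetProcAddress,'GetProcAddress',\
                 LoadLibraryA,'LoadLibraryA',\
                 GetCurrentProcess,'GetCurrentProcess',\
                 GetLastError,'GetLastError',\
                 ExitProcess,'ExitProcess'
import msvcrt,   printf,'printf'
```

Because PSAPI.DLL is no longer in the import table, the loader never refuses to start the EXE on a system where the function has moved; the only version-dependent decision is made by GetProcAddress at run time. The path printed is a native device path (\Device\HarddiskVolumeN\...), which is what this API returns on every Windows version.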
badc0de 13 Apr 2012, 19:13
Thanks, AsmGuru62.
With Tool Help it works perfectly now.
Copyright © 1999-2024, Tomasz Grysztar.