flat assembler
Message board for the users of flat assembler.

Index > Windows > CreateToolhelp32Snapshot (x64)

Author
Thread Post new topic Reply to topic
semiono



Joined: 31 Aug 2007
Posts: 176
Location: section '.code' executable
semiono
Code:
include '%fasm%\win64ax.inc'
section '.code' executable
start:
        sub rsp,8*5

        invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows NT\CurrentVersion\Winlogon',\
               NULL,KEY_READ,phkResult
        invoke RegQueryValueEx,[phkResult],'shell',NULL,NULL,lpDir,lpcbData
        invoke RegCloseKey,[phkResult]
        invoke PathRemoveFileSpec,lpDir

        invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows NT\CurrentVersion\Winlogon',\
               NULL,KEY_READ,phkResult
        invoke RegQueryValueEx,[phkResult],'shell',NULL,NULL,lpFile,lpcbData
        invoke RegCloseKey,[phkResult]
        invoke PathStripPath,lpFile

        invoke CreateToolhelp32Snapshot,0fh,NULL
        mov [handle_snap],eax
        invoke Process32First,eax,pe32
@@:
        nop
        invoke Process32Next,[handle_snap],pe32
        test eax,eax
        jz @f
        invoke lstrcmpi,pe32.szExeFile,lpFile
        test eax,eax
        jnz @r
        invoke OpenProcess,1,NULL,[pe32.th32ProcessID]
        invoke TerminateProcess,eax,NULL
@@:
        invoke ShellExecute,NULL,NULL,lpFile,NULL,lpDir,SW_SHOWNORMAL
exit:
        invoke ExitProcess,NULL

section '.data' readable writable

        lpDir db MAX_PATH dup NULL
        lpFile db MAX_PATH dup NULL

        lpcbData dq MAX_PATH
        phkResult dq NULL

        handle_snap dd NULL
        handle_proc dd NULL
 
        struct PROCESSENTRY32
        dwSize dq MAX_PATH
        cntUsage dq NULL
        th32ProcessID dq NULL
        th32DefaultHeapID dq NULL
        th32ModuleID dq NULL
        cntThreads dq NULL
        th32ParentProcessID dq NULL
        pcPriClassBase dq NULL
        dwFlags dq NULL
        szExeFile dq MAX_PATH dup NULL
        ends

        pe32 PROCESSENTRY32

section '.idata' import readable

        library advapi32,'ADVAPI32.DLL',kernel32,'KERNEL32.DLL',shlwapi,'shlwapi.dll',shell32,'SHELL32.DLL',user32,'USER32.DLL'
        import shlwapi,PathStripPath,'PathStripPathA',PathRemoveFileSpec,'PathRemoveFileSpecA'
        include '%fasm%\api\advapi32.inc'
        include '%fasm%\api\kernel32.inc'
        include '%fasm%\api\shell32.inc'
        include '%fasm%\api\user32.inc'    


It's working only as x86 compilation on 32bits windows.
Where is a problem at x64 platform?

Confused

_________________
Memory=8388608
Post 16 Dec 2010, 23:39
View user's profile Send private message ICQ Number Reply with quote
ctl3d32



Joined: 30 Dec 2009
Posts: 204
Location: Brazil
ctl3d32
Handles must be 'dq' not 'dd'

API's functions return values are at rax, not eax.
Post 17 Dec 2010, 00:22
View user's profile Send private message Reply with quote
semiono



Joined: 31 Aug 2007
Posts: 176
Location: section '.code' executable
semiono
OK! Still not work...
Post 17 Dec 2010, 00:34
View user's profile Send private message ICQ Number Reply with quote
ctl3d32



Joined: 30 Dec 2009
Posts: 204
Location: Brazil
ctl3d32
Try this:

Code:
struct PROCESSENTRY32
        dwSize                  dd ?
        cntUsage                dd ?
        th32ProcessID           dd ?
        th32DefaultHeapID       dd ?
        th32ModuleID            dd ?
        cntThreads              dd ?
        th32ParentProcessID     dd ?
        pcPriClassBase          dd ?
        dwFlags                 dd ?
        szExeFile               dw MAX_PATH dup (?)
  ends
    


and insert "align 16" at the beginning of ".data"
Post 17 Dec 2010, 00:36
View user's profile Send private message Reply with quote
semiono



Joined: 31 Aug 2007
Posts: 176
Location: section '.code' executable
semiono
Nothing Confused
Post 17 Dec 2010, 01:25
View user's profile Send private message ICQ Number Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 3043
Location: vpcmipstrm
bitRAKE
The documentation is fairly clear. LONG is a DWORD, PTR is QWORD in 64-bit, and TCHAR is a BYTE/WORD depending on ASCII/Wide character usage.

It is also clear about the size of the structure needing to be set prior to use. Try using some error checking and it will pin-point where the error is.
Code:
include 'win64ax.inc'
section '.text' code readable executable
entry $
start:
        sub rsp,8

        invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows NT\CurrentVersion\Winlogon',NULL,KEY_READ,phkResult
        invoke RegQueryValueEx,[phkResult],'shell',NULL,NULL,lpDir,lpcbData
        invoke RegCloseKey,[phkResult]

        invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows NT\CurrentVersion\Winlogon',NULL,KEY_READ,phkResult
        invoke RegQueryValueEx,[phkResult],'shell',NULL,NULL,lpFile,lpcbData
        invoke RegCloseKey,[phkResult]

        invoke PathRemoveFileSpec,lpDir
        invoke PathStripPath,lpFile

        ; TH32CS_SNAPHEAPLIST|TH32CS_SNAPPROCESS|TH32CS_SNAPTHREAD|TH32CS_SNAPMODULE
        invoke CreateToolhelp32Snapshot,0Fh,NULL
        mov [handle_snap],rax

        mov [pe32.dwSize],sizeof.PROCESSENTRY32
        invoke Process32First,[handle_snap],pe32
        jmp .0
@@:
nop

        mov [pe32.dwSize],sizeof.PROCESSENTRY32
        invoke Process32Next,[handle_snap],pe32
.0:     test eax,eax
        jz @f
        invoke lstrcmpi,pe32.szExeFile,lpFile
        test eax,eax
        jnz @r


        invoke OpenProcess,1,NULL,[pe32.th32ProcessID]
        invoke TerminateProcess,eax,NULL
@@:
        invoke ShellExecute,NULL,NULL,lpFile,NULL,lpDir,SW_SHOWNORMAL
exit:
        invoke ExitProcess,NULL



section '.data' data readable writeable

        lpDir db MAX_PATH dup NULL
        lpFile db MAX_PATH dup NULL

        lpcbData dq MAX_PATH
        phkResult dq NULL

        handle_snap dq NULL
        handle_proc dd NULL
 
struct PROCESSENTRY32
  dwSize dd MAX_PATH
  cntUsage dd NULL
  th32ProcessID dd NULL
  rd 1
  th32DefaultHeapID dq NULL
  th32ModuleID dd NULL
  cntThreads dd NULL
  th32ParentProcessID dd NULL
  pcPriClassBase dd NULL
  dwFlags dd NULL
  szExeFile db MAX_PATH dup NULL
ends

        pe32 PROCESSENTRY32

section '.idata' import readable

        library advapi32,'ADVAPI32.DLL',kernel32,'KERNEL32.DLL',shlwapi,'shlwapi.dll',shell32,'SHELL32.DLL',user32,'USER32.DLL'
        import shlwapi,PathStripPath,'PathStripPathA',PathRemoveFileSpec,'PathRemoveFileSpecA'
        include 'api\advapi32.inc'
        include 'api\kernel32.inc'
        include 'api\shell32.inc'
        include 'api\user32.inc'    
Good luck!
Post 17 Dec 2010, 06:57
View user's profile Send private message Visit poster's website Reply with quote
semiono



Joined: 31 Aug 2007
Posts: 176
Location: section '.code' executable
semiono
Unbelievable! It's work! Smile
WinXP x64 SP2
Big thanks!
---

and this possible to use 32bit program the same to close 64-bit apps,
but win64ax.inc PE64 is very nice allways!
Very Happy
Post 17 Dec 2010, 15:06
View user's profile Send private message ICQ Number Reply with quote
semiono



Joined: 31 Aug 2007
Posts: 176
Location: section '.code' executable
semiono
Code:
;; mov [pe32.dwSize],sizeof.PROCESSENTRY32  ; Is it need to be moved twice?
invoke Process32Next,[handle_snap],pe32    

in structure:

... th32ProcessID dq NULL
;; rd 1
th32DefaultHeapID dq NULL

? Embarassed Smile
Post 17 Dec 2010, 16:49
View user's profile Send private message ICQ Number Reply with quote
semiono



Joined: 31 Aug 2007
Posts: 176
Location: section '.code' executable
semiono
SHFileOperationA,lpFileOp:

Code:
        struct LPSHFILEOPSTRUCT
        hwnd dq NULL
        wFunc dq NULL
        pFrom dq NULL
        pTo dq NULL
        fFlags dq NULL
        fAnyOperationsAborted dq NULL
        hNameMappings dq NULL
        lpszProgressTitle dq NULL
        ends

        lpFileOp LPSHFILEOPSTRUCT    

Worked with qwords! Smile
Post 17 Dec 2010, 22:25
View user's profile Send private message ICQ Number Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 3043
Location: vpcmipstrm
bitRAKE
It is best to follow the documentation:
Quote:
typedef struct tagPROCESSENTRY32 {
DWORD dwSize;
DWORD cntUsage;
DWORD th32ProcessID;
ULONG_PTR th32DefaultHeapID;
DWORD th32ModuleID;
DWORD cntThreads;
DWORD th32ParentProcessID;
LONG pcPriClassBase;
DWORD dwFlags;
TCHAR szExeFile[MAX_PATH];
} PROCESSENTRY32, *PPROCESSENTRY32;
All types are aligned to their own size. So, QWORD must be on Mod8 boundary -- hence the RD1. I am too ignorant to advice otherwise.
semiono wrote:
Code:
;; mov [pe32.dwSize],sizeof.PROCESSENTRY32  ; Is it need to be moved twice?
invoke Process32Next,[handle_snap],pe32    
That is most likely okay - since prior function did not error.
Post 18 Dec 2010, 01:31
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.