flat assembler
Message board for the users of flat assembler.
Index
> Windows > CreateToolhelp32Snapshot (x64) |
Author |
|
ctl3d32 17 Dec 2010, 00:22
Handles must be 'dq' not 'dd'
API's functions return values are at rax, not eax. |
|||
17 Dec 2010, 00:22 |
|
semiono 17 Dec 2010, 00:34
OK! Still not work...
|
|||
17 Dec 2010, 00:34 |
|
ctl3d32 17 Dec 2010, 00:36
Try this:
Code: struct PROCESSENTRY32 dwSize dd ? cntUsage dd ? th32ProcessID dd ? th32DefaultHeapID dd ? th32ModuleID dd ? cntThreads dd ? th32ParentProcessID dd ? pcPriClassBase dd ? dwFlags dd ? szExeFile dw MAX_PATH dup (?) ends and insert "align 16" at the beginning of ".data" |
|||
17 Dec 2010, 00:36 |
|
semiono 17 Dec 2010, 01:25
Nothing
|
|||
17 Dec 2010, 01:25 |
|
bitRAKE 17 Dec 2010, 06:57
The documentation is fairly clear. LONG is a DWORD, PTR is QWORD in 64-bit, and TCHAR is a BYTE/WORD depending on ASCII/Wide character usage.
It is also clear about the size of the structure needing to be set prior to use. Try using some error checking and it will pin-point where the error is. Code: include 'win64ax.inc' section '.text' code readable executable entry $ start: sub rsp,8 invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows NT\CurrentVersion\Winlogon',NULL,KEY_READ,phkResult invoke RegQueryValueEx,[phkResult],'shell',NULL,NULL,lpDir,lpcbData invoke RegCloseKey,[phkResult] invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows NT\CurrentVersion\Winlogon',NULL,KEY_READ,phkResult invoke RegQueryValueEx,[phkResult],'shell',NULL,NULL,lpFile,lpcbData invoke RegCloseKey,[phkResult] invoke PathRemoveFileSpec,lpDir invoke PathStripPath,lpFile ; TH32CS_SNAPHEAPLIST|TH32CS_SNAPPROCESS|TH32CS_SNAPTHREAD|TH32CS_SNAPMODULE invoke CreateToolhelp32Snapshot,0Fh,NULL mov [handle_snap],rax mov [pe32.dwSize],sizeof.PROCESSENTRY32 invoke Process32First,[handle_snap],pe32 jmp .0 @@: nop mov [pe32.dwSize],sizeof.PROCESSENTRY32 invoke Process32Next,[handle_snap],pe32 .0: test eax,eax jz @f invoke lstrcmpi,pe32.szExeFile,lpFile test eax,eax jnz @r invoke OpenProcess,1,NULL,[pe32.th32ProcessID] invoke TerminateProcess,eax,NULL @@: invoke ShellExecute,NULL,NULL,lpFile,NULL,lpDir,SW_SHOWNORMAL exit: invoke ExitProcess,NULL section '.data' data readable writeable lpDir db MAX_PATH dup NULL lpFile db MAX_PATH dup NULL lpcbData dq MAX_PATH phkResult dq NULL handle_snap dq NULL handle_proc dd NULL struct PROCESSENTRY32 dwSize dd MAX_PATH cntUsage dd NULL th32ProcessID dd NULL rd 1 th32DefaultHeapID dq NULL th32ModuleID dd NULL cntThreads dd NULL th32ParentProcessID dd NULL pcPriClassBase dd NULL dwFlags dd NULL szExeFile db MAX_PATH dup NULL ends pe32 PROCESSENTRY32 section '.idata' import readable library advapi32,'ADVAPI32.DLL',kernel32,'KERNEL32.DLL',shlwapi,'shlwapi.dll',shell32,'SHELL32.DLL',user32,'USER32.DLL' import shlwapi,PathStripPath,'PathStripPathA',PathRemoveFileSpec,'PathRemoveFileSpecA' include 'api\advapi32.inc' include 'api\kernel32.inc' include 'api\shell32.inc' include 'api\user32.inc' |
|||
17 Dec 2010, 06:57 |
|
semiono 17 Dec 2010, 15:06
Unbelievable! It's work!
WinXP x64 SP2 Big thanks! --- and this possible to use 32bit program the same to close 64-bit apps, but win64ax.inc PE64 is very nice allways! |
|||
17 Dec 2010, 15:06 |
|
semiono 17 Dec 2010, 16:49
Code: ;; mov [pe32.dwSize],sizeof.PROCESSENTRY32 ; Is it need to be moved twice? invoke Process32Next,[handle_snap],pe32 in structure: ... th32ProcessID dq NULL ;; rd 1 th32DefaultHeapID dq NULL ? |
|||
17 Dec 2010, 16:49 |
|
semiono 17 Dec 2010, 22:25
SHFileOperationA,lpFileOp:
Code: struct LPSHFILEOPSTRUCT hwnd dq NULL wFunc dq NULL pFrom dq NULL pTo dq NULL fFlags dq NULL fAnyOperationsAborted dq NULL hNameMappings dq NULL lpszProgressTitle dq NULL ends lpFileOp LPSHFILEOPSTRUCT Worked with qwords! |
|||
17 Dec 2010, 22:25 |
|
bitRAKE 18 Dec 2010, 01:31
It is best to follow the documentation:
Quote: typedef struct tagPROCESSENTRY32 { semiono wrote:
|
|||
18 Dec 2010, 01:31 |
|
< Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.