flat assembler
Message board for the users of flat assembler.

Index > Windows > Please help me by my FASM code problem

Author
Thread Post new topic Reply to topic
badc0de



Joined: 13 Apr 2012
Posts: 15
badc0de 13 Apr 2012, 13:18
Code:
format PE CONSOLE 4.0
include 'win32a.inc'
entry entry_point

section 'code.bin' code readable
        entry_point:
                invoke enumproc,pidarr,1024*4,pdl
                cmp eax,1
                jne error
                mov esi,pidarr
                edfg: add esi,4
                invoke sleep,100
                invoke openproc,0010h,0,[esi]
                mov ebx,eax
                invoke getmodules,eax,[hmod],4,[pdl]
                invoke getbasename,eax,[hmod],strbuf,260
                invoke printf,printv,strbuf,[esi]
                jmp edfg
                ret
                error: ret

section 'lib.data' import readable
        library psapi,'psapi.dll',msclib,'msvcrt.dll',kernel32,'Kernel32.dll'
        import psapi,enumproc,'EnumProcesses',getbasename,'GetModuleBaseNameA',getmodules,'EnumProcessModules'
        import msclib,printf,'printf'
        import kernel32,sleep,'Sleep',terminate,'TerminateProcess',openproc,'OpenProcess'

section '.data' data readable writeable
        hprocess dw 0,0,0
        pidarr: times 1024*4  db 0
        printv: db '%s PID: %d',0Ah,0
        pdl: db  0,0,0,0,0
        strbuf: times 261 db 0
        hmod: dw ?
    


I wish to enum all process names and process ids i realy fight with my code Embarassed please help me
Post 13 Apr 2012, 13:18
View user's profile Send private message Reply with quote
AsmGuru62



Joined: 28 Jan 2004
Posts: 1619
Location: Toronto, Canada
AsmGuru62 13 Apr 2012, 16:07
Few things:
1. You use EAX for getmodules and getbasename, however handle is in EBX and EAX is getting killed.
2. printf is called by cinvoke, not by invoke.

it is possible few more issues are there.

Anyhow, I have fixed your code, but it always returns "ACCESS DENIED".
Here is the code:
Code:
; ---------------------------------------------------------------------------
; FILE: A1.Asm
; DATE: April 13, 2012
; ---------------------------------------------------------------------------

format  PE CONSOLE 4.0
entry   start
stack   4000h, 4000h

    include 'Win32A.Inc'
    ; {INSMODDEF} Module Definitions inserted immediately before this line

; ---------------------------------------------------------------------------
section '.data' data readable writeable

NumProcesses   dd 0
NumModules     dd 0
; ---------------------------------------------------------------------------
acc_den        db '<ACCESS DENIED>',0
printv         db '%s PID: %d',0Dh,0Ah,0
printerr       db 'LAST ERROR: %08Xh PID: %d',0Dh,0Ah,0
strbuf         rb 261
; ---------------------------------------------------------------------------
align 4
ArrModules     rd 1024
ArrProcesses   rd 1024

; ---------------------------------------------------------------------------
section '.code' code readable executable

    ; {INSMODIMPL} Module Implementations inserted immediately before this line

; ---------------------------------------------------------------------------
; PROGRAM ENTRY POINT
; ---------------------------------------------------------------------------
align 32
start:
    ;
    ; TODO: your application code goes here ...
    ;
    mov       esi,ArrProcesses
    invoke    enumproc,esi,1024*4,NumProcesses
    test      eax,eax
    jz        .error

    mov       ecx, [NumProcesses]
    shr       ecx, 2

.next_process:
    push      ecx
    ;
    ; skip IDs = 0 (why are these returned btw?!..)
    ;
    cmp       dword [esi], 0
    je        .skip
    ;
    ; open process using its ID and store handle into EBX,
    ; because EBX is not disturbed by API calls.
    ;
    invoke    openproc,0400h,0,[esi]
    mov       ebx,eax
    ;
    ; skip in case can't open this process
    ;
    test      eax,eax
    jz        .skip
    ;
    ; get a list of HMODULEs for the process
    ;
    invoke    getmodules,ebx,ArrModules,4*1024,NumModules
    test      eax,eax
    jz        .cant_get_modules
    ;
    ; another loop needed here to enumerate all modules in
    ; filled vector 'ArrModules' -- for now I am just passing
    ; NULL as HMODULE to receive the name for a main file,
    ; which started this process.
    ;
    mov       ecx,strbuf
    invoke    getbasename,ebx,0,strbuf,261
    ;
    ; do not forget to close it
    ;
    invoke    closeit,ebx
    ;
    ; report it to console
    ;
.report:
    cinvoke   printf,printv,strbuf,[esi]
    jmp       .skip

.no_access:
    invoke    strcopy,strbuf,acc_den
    jmp       .report

.cant_get_modules:
    invoke    LastErr
    cmp       eax, 5
    je        .no_access

    cinvoke   printf,printerr,eax,[esi]
    ;
    ; next process ID from array
    ;
.skip:
    add       esi,4
    pop       ecx
    dec       ecx
    jnz       .next_process

    invoke    terminate,ecx

.error:
    ret

; ---------------------------------------------------------------------------
section '.idata' import data readable writeable

    library   psapi,'psapi.dll',msclib,'msvcrt.dll',kernel32,'Kernel32.dll' 
    import    psapi,enumproc,'EnumProcesses',getbasename,'GetModuleBaseNameA',\
              getmodules,'EnumProcessModules' 
    import    msclib,printf,'printf' 
    import    kernel32,closeit,'CloseHandle',LastErr,'GetLastError',\
              strcopy,'lstrcpyA',\
              terminate,'ExitProcess',openproc,'OpenProcess' 
    

Now, I will try the Tool Help.
Post 13 Apr 2012, 16:07
View user's profile Send private message Send e-mail Reply with quote
Picnic



Joined: 05 May 2007
Posts: 1389
Location: Piraeus, Greece
Picnic 13 Apr 2012, 16:46
AsmGuru62 wrote:
Anyhow, I have fixed your code, but it always returns "ACCESS DENIED".


Try this change on the flag bits.

PROCESS_QUERY_INFORMATION = 0400h
PROCESS_VM_READ = 010h

Code:
invoke openproc,0410h,0,dword[esi]
    
Post 13 Apr 2012, 16:46
View user's profile Send private message Visit poster's website Reply with quote
AsmGuru62



Joined: 28 Jan 2004
Posts: 1619
Location: Toronto, Canada
AsmGuru62 13 Apr 2012, 18:35
Thanks, Picnic.
I tried the snapshot and it works (not on all processes):
Code:
; ---------------------------------------------------------------------------
; FILE: A2.Asm
; DATE: April 13, 2012
; ---------------------------------------------------------------------------

format  PE CONSOLE 4.0
entry   start
stack   4000h, 4000h

    include 'Win32A.Inc'

; ---------------------------------------------------------------------------
virtual at 0
PROCESSENTRY32:
    .dwSize        dd  ?
    .dwUnused1     dd  ?
    .dwProcessID   dd  ?
    .dwUnused2     dd  ?
    .dwUnused3     dd  ?
    .dwNumThreads  dd  ?
    .dwParentID    dd  ?
    .lBasePriCls   dd  ?
    .dwUnused4     dd  ?
    .szExeFile     rb  MAX_PATH
    .size = $
end virtual

; ---------------------------------------------------------------------------
section '.data' data readable writeable

    fmt    db  '%60s PID: %5d',0Dh,0Ah,0

; ---------------------------------------------------------------------------
section '.code' code readable executable

align 32
GetFullExeDir:
; ---------------------------------------------------------------------------
; EDI = address into PROCESSENTRY32 structure
; ---------------------------------------------------------------------------
    pusha
    ;
    ; get process handle to query information
    ;
    invoke    OpenProcess, 0400h, 0, [edi + PROCESSENTRY32.dwProcessID]
    mov       ebx, eax

    test      eax, eax
    jz        .exit
    ;
    ; put the EXE dir back into PROCESSENTRY32 structure
    ;
    lea       esi, [edi + PROCESSENTRY32.szExeFile]
    invoke    GetProcessImageFileName, ebx, esi, MAX_PATH
    invoke    CloseHandle, ebx

.exit:
    popa
    ret

; ---------------------------------------------------------------------------
; PROGRAM ENTRY POINT
; ---------------------------------------------------------------------------
align 32
start:
    ;
    ; include all processes into snapshot
    ;
    invoke    CreateToolhelp32Snapshot, 2, 0
    mov       ebx, eax
    ;
    ; Allocate PROCESSENTRY32 structure on stack and set EDI to it
    ;
    sub       esp, PROCESSENTRY32.size
    mov       edi, esp
    ;
    ; get the 1st process info
    ;
    mov       [edi + PROCESSENTRY32.dwSize], PROCESSENTRY32.size
    invoke    Process32First, ebx, edi
    ;
    ; can't be! no 1st process!!?? no way!
    ; who is running THIS CODE then?.. not really need that.
    ;
    test      eax, eax
    jz        .done
    ;
    ; report the info on console
    ;
.report:
    ;
    ; This function will try to get the full dir for EXE files for
    ; processes, but may fail due to the fact that some processes are
    ; not allowed to be queried by a USER MODE application, only from KERNEL MODE.
    ; You can comment this out and then you will get only EXE names - without path.
    ;
    call      GetFullExeDir

    lea       eax, [edi + PROCESSENTRY32.szExeFile]
    cinvoke   printf, fmt, eax, [edi + PROCESSENTRY32.dwProcessID]
    ;
    ; In a loop get all other processes
    ;
    invoke    Process32Next, ebx, edi
    ;
    ; need this one check -- otherwise, endless loop!
    ;
    test      eax, eax
    jnz       .report

.done:
    ;
    ; cleanup:
    ; - restore stack
    ; - close snapshot handle
    ; - quit back to Windows
    ;
    add       esp, PROCESSENTRY32.size
    invoke    CloseHandle, ebx
    invoke    ExitProcess, 0

; ---------------------------------------------------------------------------
section '.idata' import data readable writeable

    library   kernel32,'KERNEL32.DLL',msclib,'MSVCRT.DLL',psapi,'PSAPI.DLL'
    import    psapi,GetProcessImageFileName,'GetProcessImageFileNameA'
    import    msclib,printf,'printf'
    import    kernel32,CreateToolhelp32Snapshot,'CreateToolhelp32Snapshot',\
              CloseHandle,'CloseHandle',\
              OpenProcess,'OpenProcess',\
              Process32First,'Process32First',\
              Process32Next,'Process32Next',\
              ExitProcess,'ExitProcess'
    

@badc0de:
The function GetProcessImageFileName is in PSAPI.DLL, but in Win 7 it is in KERNEL32.DLL, so to make this code work in Win 7 you need to do some changes. I am not sure how to make one EXE work in both cases: Win 7 and Win XP. Probably, with GetVersion and LoadLibrary/GetProcAddress. I am not doing it now, however, for simplicity.
Post 13 Apr 2012, 18:35
View user's profile Send private message Send e-mail Reply with quote
badc0de



Joined: 13 Apr 2012
Posts: 15
badc0de 13 Apr 2012, 19:13
Thanks AsmGuru62
with Tool Help works now perfectly
Post 13 Apr 2012, 19:13
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.