flat assembler
Message board for the users of flat assembler.

Index > Windows > Help-- EnumProcesses in win7.64bit

Author
Thread Post new topic Reply to topic
MinhHung



Joined: 10 Sep 2010
Posts: 51
Location: Viet Nam
MinhHung 13 May 2012, 14:19
Hello!

I'm try to get Pid of notepad.exe in my machine, but it not work??? this is my code

Code:
format PE64 GUI 5.0
entry start

include 'win64a.inc'

section '.text' code readable executable

proc strcmpi str1,str2
        push rsi rdi
        mov rsi,[str1]
        mov rdi,[str2]
        invoke MessageBox,0,esi,edi,0
        strcmp_loop:
          lodsb
          mov ah,[rdi]
          or al,32
          or ah,32
          cmp al,0
          je strcmp_loopRet
          cmp al,ah
          je strcmp_loop
          strcmpi_notE:
          pop rdi rsi
          xor rax,rax
          ret
          strcmp_loopRet:
          cmp al,ah
          jne strcmpi_notE
          pop rdi rsi
          mov rax,1
          ret
endp



proc start
    invoke EnumProcesses,Pidarr,4000,Pidcount
    mov [count],0
    process_loop:
        mov ebx,[count]
        mov eax,[Pidarr+ebx*4]
        invoke OpenProcess,2035711,0,eax
        test rax,rax
        je process_loop_cmp
        mov [hProcess],eax
        invoke GetModuleBaseName,eax,0,Pname,1000
        invoke MessageBox,0,Pname,pname,0
        stdcall strcmpi,Pname,pname
        test rax,rax
        jne process_loop_cmp
        mov ebx,[count]
        mov eax,[Pidarr+ebx*4]
        mov [pid],eax
        jmp process_loop_out
        process_loop_cmp:
        inc [count]
        mov ebx,[count]
        cmp ebx,[Pidcount]
        jl process_loop
        process_loop_out:
    ret
endp



section '.idata' import data readable writeable

  library kernel,'KERNEL32.DLL',\
          psapi,'Psapi.dll',\
          user,'user32.dll'

  import kernel,\
         OpenProcess,'OpenProcess',\
         LoadLibraryW,'LoadLibraryW'
  import user,\
         MessageBox,'MessageBoxA'
  import psapi,\
         EnumProcesses,'EnumProcesses',\
         GetModuleBaseName,'GetModuleBaseNameA'

section '.data' readable writeable executable
        pid dd 0
        count dd 0
        pname db 'notepad.exe',0
        hProcess dd 0
        Pidcount dd 0

        Pidarr  rd 4000
        Pname rb 1000
    

but it list all process if i exclude strcmpi
Code:

format PE64 GUI 5.0
entry start

include 'win64a.inc'

section '.text' code readable executable

proc start
    invoke EnumProcesses,Pidarr,4000,Pidcount
    mov [count],0
    process_loop:
        mov ebx,[count]
        mov eax,[Pidarr+ebx*4]
        invoke OpenProcess,2035711,0,eax
        test rax,rax
        je process_loop_cmp
        mov [hProcess],eax
        invoke GetModuleBaseName,eax,0,Pname,1000
        invoke MessageBox,0,Pname,pname,0
        ;stdcall strcmpi,Pname,pname
        ;test rax,rax
        ;jne process_loop_cmp
        ;mov ebx,[count]
        ;mov eax,[Pidarr+ebx*4]
        ;mov [pid],eax
        ;jmp process_loop_out
        process_loop_cmp:
        inc [count]
        mov ebx,[count]
        cmp ebx,[Pidcount]
        jl process_loop
        process_loop_out:
    ret
endp



section '.idata' import data readable writeable

  library kernel,'KERNEL32.DLL',\
          psapi,'Psapi.dll',\
          user,'user32.dll'

  import kernel,\
         OpenProcess,'OpenProcess',\
         LoadLibraryW,'LoadLibraryW'
  import user,\
         MessageBox,'MessageBoxA'
  import psapi,\
         EnumProcesses,'EnumProcesses',\
         GetModuleBaseName,'GetModuleBaseNameA'

section '.data' readable writeable executable
        pid dd 0
        count dd 0
        pname db 'notepad.exe',0
        hProcess dd 0
        Pidcount dd 0

        Pidarr  rd 4000
        Pname rb 1000
    

????
and in Mylib.dll
Code:
format PE64 GUI 4.0 DLL
entry DllEntryPoint

include 'win64a.inc'

section '.text' code readable executable


Mess db 'dll inject, im Here',0


proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
     mov rax,[fdwReason]
     cmp rax,1
     jne DllEntryPoint_ret
     ;invoke  CreateThread,0,0,ShowMessage,0,0,0
     DllEntryPoint_ret:
        mov     rax,TRUE
        ret
endp

proc ShowMessage   Pid,pname
        invoke  MessageBox,0,[pname],[pname],0
        ret
endp


section '.idata' import data readable writeable

  library kernel,'KERNEL32.DLL',\
          user,'USER32.DLL'

  import kernel,\
         GetCommandLine,'GetCommandLineA',\
         CreateThread,'CreateThread',\
         Sleep,'Sleep'

  import user,\
         MessageBox,'MessageBoxA',\
          MessageBoxTimeoutA,'MessageBoxTimeoutA'

section '.edata' export data readable

  export 'MyLib.dll',\
         ShowMessage,'ShowMessage'

section '.reloc' fixups data discardable
    

when i load it

if i add invoke CreateThread,0,0,ShowMessage,0,0,0 in mycode it OK-- why???
Image

_________________
sorry for my english
Post 13 May 2012, 14:19
View user's profile Send private message Yahoo Messenger Reply with quote
MinhHung



Joined: 10 Sep 2010
Posts: 51
Location: Viet Nam
MinhHung 15 May 2012, 12:44
??? nobody help me?

this is bug of fasm???
Post 15 May 2012, 12:44
View user's profile Send private message Yahoo Messenger Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20363
Location: In your JS exploiting you and your system
revolution 15 May 2012, 13:12
You will have to wait until someone with a 64-bit system sees this topic and does a test.
Post 15 May 2012, 13:12
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20363
Location: In your JS exploiting you and your system
revolution 15 May 2012, 13:15
Perhaps the version number needs updating?
Code:
format PE64 GUI 4.0 DLL    
Try with a higher number perhaps?
Post 15 May 2012, 13:15
View user's profile Send private message Visit poster's website Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8356
Location: Kraków, Poland
Tomasz Grysztar 15 May 2012, 13:23
It may be related to the infamous empty fixups and/or empty section problem (RIP-relative addressing does not need relocations).
Post 15 May 2012, 13:23
View user's profile Send private message Visit poster's website Reply with quote
r22



Joined: 27 Dec 2004
Posts: 805
r22 15 May 2012, 13:46
Empty data section will break it (or probably any section).

I always add
Code:
section '.bss' data readable writable
align 16
dd 0
    

To my Win7 64bit code. Seems to make Microsoft cooperate.
Post 15 May 2012, 13:46
View user's profile Send private message AIM Address Yahoo Messenger Reply with quote
MinhHung



Joined: 10 Sep 2010
Posts: 51
Location: Viet Nam
MinhHung 16 May 2012, 04:00
Yeah..
Thanks All... Very very much
Post 16 May 2012, 04:00
View user's profile Send private message Yahoo Messenger Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.