Force 27 Feb 2014, 18:59
I don't know why it does not work
Can anybody help with it?

 ; Intended to walk a Toolhelp32 process snapshot and terminate each entry
 ; whose image name equals the string at `Process`.
 ; NOTE(review): listing as posted -- `start`, `fix` and `next` are referenced
 ; below but no such labels are visible, and `pe32` is used without a visible
 ; definition; presumably lost when the page was extracted, confirm against
 ; the original post.
 format PE GUI 4.0
include '\fasm\include\win32a.inc'
entry start

; Field list with the member names of PROCESSENTRY32. No enclosing
; struct/ends and no `pe32` instance are visible here, and these lines sit
; before the first `section` directive.
dwSize                     dd ?
cntUsage                   dd ?
th32ProcessID              dd ?
th32DefaultHeapID          dd ?
th32ModuleID               dd ?
cntThreads                 dd ?
th32ParentProcessID        dd ?
pcPriClassBase             dd ?
dwFlags                    dd ?
szExeFile db MAX_PATH dup(?)

section '.data' data readable writeable

Process db "iexplore.exe",0                     ; image name compared against each entry
succ db  "Process terminated successfully !",0
hProcessSnap      dd ?                          ; snapshot handle from CreateToolhelp32Snapshot

section '.code ' code readable executable

; NOTE(review): eax is stored without a check; CreateToolhelp32Snapshot
; returns INVALID_HANDLE_VALUE (-1) on failure.
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS, 0
mov [hProcessSnap],eax
mov [pe32.dwSize],sizeof.PROCESSENTRY32         ; dwSize must be set before Process32First
invoke Process32First,[hProcessSnap],pe32       ; result (FALSE on failure) is not tested
; lstrcmp is case-sensitive and returns 0 on equality; only the image name is
; compared, so any process with that name matches.
invoke lstrcmp,pe32.szExeFile, Process
cmp eax,0
jnz next
; NOTE(review): the handle returned by OpenProcess goes straight to
; TerminateProcess without a NULL check and is never closed in this listing.
; OpenProcess can fail when the caller lacks rights over the target.
invoke OpenProcess,PROCESS_TERMINATE, 0, [pe32.th32ProcessID]
invoke TerminateProcess,eax,0
cmp eax,0                                       ; 0 = TerminateProcess failed
je next
invoke MessageBox,NULL,succ,0,0


invoke Process32Next,[hProcessSnap],pe32
cmp eax,TRUE                                    ; loops back to `fix` while entries remain
je fix
invoke CloseHandle,[hProcessSnap]

invoke ExitProcess,NULL

section '.idata' import data readable writeable
; NOTE(review): the continuation backslash is followed by no entry in the
; visible text; MessageBox is imported from USER32.DLL, so a user32 entry
; would be expected here.
library kernel32,'KERNEL32.DLL',\

include '\fasm\include\api\kernel32.inc'
include '\fasm\include\api\user32.inc'     

baldr 27 Feb 2014, 20:07

Probably because an address of the dword containing the snapshot handle won't be accepted instead of that handle itself?
revolution 27 Feb 2014, 23:05
Force, I have two suggestions:
  • Use a debugger
  • Check all return values from API calls for errors
Depending upon the user's security settings you might not be permitted to terminate another process.
Force 27 Feb 2014, 23:07
Thanks Baldr, yes, you are right.
I changed it: I used [hProcesses] and [hProcess].
It is working now.

    ; Second revision: walks a Toolhelp32 process snapshot and terminates
    ; each entry whose image name equals the string at `process`.
    ; NOTE(review): listing as posted -- the labels `main`, `fixx`, `Next` and
    ; `Quit` are referenced but not visible, and the struct has no visible
    ; `ends`; presumably lost when the page was extracted.
    format pe GUI 4.0
    entry main
    include '\fasm\include\win32a.inc'
    section '.data' data readable writeable
    ; Record filled in by Process32First / Process32Next.
    struct PROCESSENTRY32                                        
           dwSize                    dd              ?           
           cntUsage                  dd              ?           
           th32ProcessID             dd              ?           
           th32DefaultHeapID         dd              ?           
           th32ModuleID              dd              ?           
           cntThreads                dd              ?           
           th32ParentProcessID       dd              ?           
           pcPriClassBase            dd              ?           
           dwFlags                   dd              ?           
           szExeFile                 rb              MAX_PATH    
    pe32                   PROCESSENTRY32
    hProcess                dd              ?                    ; handle of the process being terminated
    hProcesses              dd              ?                    ; snapshot handle
    TH32CS_SNAPPROCESS      equ             0x00000002           
    NORM_IGNORECASE         equ             0x00000001           ; not used in this listing
    LOCALE_USER_DEFAULT     equ             0x0400               ; not used in this listing
    CSTR_EQUAL              equ             0x2                  ; not used in this listing
    PROCESS_TERMINATE       equ             0x0001               
    process                 db             'iexplore.exe',0
    ok                      db             "Process terminated successfully !",0
    section '.code' code readable executable

; NOTE(review): eax is stored without a check; CreateToolhelp32Snapshot
; returns INVALID_HANDLE_VALUE (-1) on failure.
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0

mov [hProcesses],eax
mov eax,sizeof.PROCESSENTRY32
mov [pe32.dwSize], eax
; NOTE(review): this passes [hProcess], which has not been written yet at
; this point; the snapshot handle was stored in [hProcesses] above. The
; return value is not tested either.
invoke Process32First,[hProcess],pe32


; lstrcmp is case-sensitive and returns 0 on equality; only the image name
; is compared.
invoke lstrcmp,pe32.szExeFile,process
cmp eax,0
jne Next

invoke OpenProcess,PROCESS_TERMINATE,FALSE,[pe32.th32ProcessID]
cmp eax,0                                   ; NULL = could not open (e.g. access denied)
je Next
mov [hProcess],eax

; NOTE(review): the result of TerminateProcess is ignored, so the success
; message below is shown even when termination failed.
invoke TerminateProcess,[hProcess],0
invoke CloseHandle,[hProcess]
invoke MessageBox,NULL,ok,0,0


invoke Process32Next,[hProcesses],pe32
cmp eax,FALSE                               ; FALSE = no more entries
je Quit
jmp fixx


invoke CloseHandle,[hProcesses]
invoke ExitProcess,NULL

section '.idata' import data readable writeable
; NOTE(review): the continuation backslash is followed by no entry in the
; visible text; MessageBox is imported from USER32.DLL, so a user32 entry
; would be expected here.
library kernel32,'KERNEL32.DLL',\

include '\fasm\include\api\kernel32.inc'
include '\fasm\include\api\user32.inc'    
revolution 27 Feb 2014, 23:19
Are you sure this line does what you expect?
invoke Process32First,[hProcess],pe32    
Please see my above two suggestions.
Force 27 Feb 2014, 23:32

If we look at this C code, then my code is wrong:
 #include <windows.h>
#include <tlhelp32.h>

/* Snapshot handle and target-process handle, shared as globals. */
HANDLE hProcessSnap;
HANDLE hProcess;


/* "Found" flag kept as a string; "Found" plus its NUL fills all 6 bytes. */
char Report[6];

/*
 * Terminates processes whose image name equals `Process` and reports the
 * outcome in message boxes.
 * NOTE(review): listing as posted -- no braces, no declaration of `pe32` and
 * no return statement are visible; presumably lost when the page was
 * extracted. The remarks below describe the visible statements only.
 */
BOOL KillProcess(char *Process)
         /* Neither the snapshot handle nor Process32First's result is checked. */
         hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
         pe32.dwSize = sizeof(PROCESSENTRY32);
         Process32First(hProcessSnap, &pe32);
         /* Process32Next runs before any entry is examined, so the entry
            returned by Process32First is never compared. */
         while(Process32Next(hProcessSnap, &pe32))
                /* strcmp is case-sensitive; only the image name is compared. */
                if(!strcmp(pe32.szExeFile, Process))
                   strcpy(Report, "Found");
                   /* hProcess is not checked for NULL before use and is not
                      closed anywhere in the visible code. */
                   hProcess = OpenProcess(PROCESS_TERMINATE, 0, pe32.th32ProcessID);
                   /* TerminateProcess is called twice on the same handle; the
                      second call's result decides whether success is shown. */
                   if(TerminateProcess(hProcess, 0) == 0)
                          MessageBox(NULL, "Terminating process failed !", "KillProcess", MB_OK | MB_ICONERROR);
                   if(TerminateProcess(hProcess, 0) != 0)
                          MessageBox(NULL, "Process terminated successfully !", "KillProcess", MB_OK | MB_ICONINFORMATION);
         /* Non-zero strcmp means Report was never set to "Found". */
         if(strcmp(Report, "Found"))
         MessageBox(NULL, "Process cannot be found !", "KillProcess", MB_OK | MB_ICONWARNING);
         strcpy(Report, "");

        WinMain(HINSTANCE hInstance,HINSTANCE hPrevInst,LPSTR CmdLine,int CmdShow)

interesting but it works now
revolution 27 Feb 2014, 23:47
Force wrote:
if we look at that C code then my code is wrong
That C code is awful and is a poor example to work from. But anyhow, yes, your code is wrong. Did you check the return code from the call? Use a debugger and see why.
Force 28 Feb 2014, 00:01
invoke Process32First,[hProcess],pe32     

The return value is 0!

How does it work then?

I need to use a debugger.
Force 28 Feb 2014, 00:09
it is okay now

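    ;-----------------------------------------------------------------------
    ; Walks a Toolhelp32 process snapshot and terminates every entry whose
    ; image name equals the string at `process`, showing a message box for
    ; each process that was actually terminated.
    ;
    ; Target:  32-bit Windows PE (fasm, ANSI API set via win32a.inc)
    ; Notes:   * Every API result that controls the flow is checked.
    ;          * Matching is by image name only (case-sensitive lstrcmp); the
    ;            name alone does not identify a particular executable on disk.
    ;          * OpenProcess/TerminateProcess fail when the caller has no
    ;            right to terminate the target; such entries are skipped.
    ;          * ebx carries the TerminateProcess result across CloseHandle
    ;            (stdcall callees preserve ebx).
    ;-----------------------------------------------------------------------
    format pe GUI 4.0
    entry main
    include '\fasm\include\win32a.inc'

    section '.data' data readable writeable

    ; Record filled in by Process32First / Process32Next.
    struct PROCESSENTRY32
           dwSize                    dd              ?
           cntUsage                  dd              ?
           th32ProcessID             dd              ?
           th32DefaultHeapID         dd              ?
           th32ModuleID              dd              ?
           cntThreads                dd              ?
           th32ParentProcessID       dd              ?
           pcPriClassBase            dd              ?
           dwFlags                   dd              ?
           szExeFile                 rb              MAX_PATH
    ends

    pe32                    PROCESSENTRY32
    hProcess                dd              ?       ; handle of the process being terminated
    hProcesses              dd              ?       ; snapshot handle
    TH32CS_SNAPPROCESS      equ             0x00000002
    NORM_IGNORECASE         equ             0x00000001
    LOCALE_USER_DEFAULT     equ             0x0400
    CSTR_EQUAL              equ             0x2
    PROCESS_TERMINATE       equ             0x0001
    process                 db             'iexplore.exe',0
    ok                      db             "Process terminated successfully !",0

    section '.code' code readable executable

    main:
        invoke  CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
        cmp     eax,-1                          ; INVALID_HANDLE_VALUE: no snapshot, nothing to close
        je      Finish
        mov     [hProcesses],eax

        mov     eax,sizeof.PROCESSENTRY32       ; dwSize must be set before the first call
        mov     [pe32.dwSize],eax
        invoke  Process32First,[hProcesses],pe32
        test    eax,eax                         ; FALSE: snapshot holds no usable entry
        jz      Quit

    ; Loop invariant: pe32 holds a valid entry that has not been examined yet.
    fixx:
        invoke  lstrcmp,pe32.szExeFile,process
        test    eax,eax                         ; 0 = names are equal
        jnz     Next

        invoke  OpenProcess,PROCESS_TERMINATE,FALSE,[pe32.th32ProcessID]
        test    eax,eax                         ; NULL: not permitted or already gone
        jz      Next
        mov     [hProcess],eax

        invoke  TerminateProcess,[hProcess],0
        mov     ebx,eax                         ; keep the result; CloseHandle overwrites eax
        invoke  CloseHandle,[hProcess]
        test    ebx,ebx                         ; report success only when it really succeeded
        jz      Next
        invoke  MessageBox,NULL,ok,0,0

    Next:
        invoke  Process32Next,[hProcesses],pe32
        test    eax,eax                         ; FALSE = no more entries
        jnz     fixx

    Quit:
        invoke  CloseHandle,[hProcesses]
    Finish:
        invoke  ExitProcess,NULL

    section '.idata' import data readable writeable
    ; MessageBox lives in USER32.DLL, so both libraries must be listed.
    library kernel32,'KERNEL32.DLL',\
            user32,'USER32.DLL'

    include '\fasm\include\api\kernel32.inc'
    include '\fasm\include\api\user32.inc'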
typedef 28 Feb 2014, 00:19
Process32First returns the first entry of the snapshot, so you should do it like this:


          //work with very first process

The way you're doing it, you're skipping one process.
revolution 28 Feb 2014, 01:28
Force, I highly recommend you check the return values from all of the API calls. There are many and varied reasons why a call could fail. Simply assuming each call will succeed is a path to failure. ;) It succeeded once with a single test value, but that gives no assurance about future outcomes.
