flat assembler
Message board for the users of flat assembler.

Index > Windows > Terminate Process

Force 27 Feb 2014, 18:59
I don't know why it does not work.
Can anybody help with it?

Code:
format PE GUI 4.0
include '\fasm\include\win32a.inc'
entry start


struct PROCESSENTRY32
dwSize                     dd ?
cntUsage                   dd ?
th32ProcessID              dd ?
th32DefaultHeapID          dd ?
th32ModuleID               dd ?
cntThreads                 dd ?
th32ParentProcessID        dd ?
pcPriClassBase             dd ?
dwFlags                    dd ?
szExeFile db MAX_PATH dup(?)
ends


section '.data' data readable writeable

pe32 PROCESSENTRY32
TH32CS_SNAPPROCESS = 2
Process db "iexplore.exe",0
succ db  "Process terminated successfully !",0
hProcessSnap      dd ?




section '.code ' code readable executable
start:

invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS, 0
mov [hProcessSnap],eax
mov [pe32.dwSize],sizeof.PROCESSENTRY32
invoke Process32First,[hProcessSnap],pe32
fix:
invoke lstrcmp,pe32.szExeFile, Process
cmp eax,0
jnz next
invoke OpenProcess,PROCESS_TERMINATE, 0, [pe32.th32ProcessID]
invoke TerminateProcess,eax,0
cmp eax,0
je next
invoke MessageBox,NULL,succ,0,0

next:

invoke Process32Next,[hProcessSnap],pe32
cmp eax,TRUE
je fix
invoke CloseHandle,[hProcessSnap]

invoke ExitProcess,NULL


section '.idata' import data readable writeable
library kernel32,'KERNEL32.DLL',\
        user32,'USER32.DLL'


include '\fasm\include\api\kernel32.inc'
include '\fasm\include\api\user32.inc'     


Last edited by Force on 27 Feb 2014, 20:38; edited 1 time in total
baldr 27 Feb 2014, 20:07
Force,

Probably because an address of the dword containing the snapshot handle won't be accepted instead of that handle itself?
revolution 27 Feb 2014, 23:05
Force, I have two suggestions:
  • Use a debugger
  • Check all return values from API calls for errors
Depending upon the user's security settings you might not be permitted to terminate another process.
Force 27 Feb 2014, 23:07
Thanks Baldr, yes, you are right.
I changed it: I used [hProcesses] and [hProcess].
It is working now.

Code:
    format pe GUI 4.0
    entry main
    include '\fasm\include\win32a.inc'
    section '.data' data readable writeable
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    struct PROCESSENTRY32                                        
           dwSize                    dd              ?           
           cntUsage                  dd              ?           
           th32ProcessID             dd              ?           
           th32DefaultHeapID         dd              ?           
           th32ModuleID              dd              ?           
           cntThreads                dd              ?           
           th32ParentProcessID       dd              ?           
           pcPriClassBase            dd              ?           
           dwFlags                   dd              ?           
           szExeFile                 rb              MAX_PATH    
    ends                                                         
    pe32                   PROCESSENTRY32
    hProcess                dd              ?                    
    hProcesses              dd              ?                    
    TH32CS_SNAPPROCESS      equ             0x00000002           
    NORM_IGNORECASE         equ             0x00000001           
    LOCALE_USER_DEFAULT     equ             0x0400               
    CSTR_EQUAL              equ             0x2                  
    PROCESS_TERMINATE       equ             0x0001               
    process                 db             'iexplore.exe',0
    ok                      db             "Process terminated successfully !",0
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    section '.code' code readable executable
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    main:                                                        


invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0

mov [hProcesses],eax
mov eax,sizeof.PROCESSENTRY32
mov [pe32.dwSize], eax
invoke Process32First,[hProcess],pe32


fixx:

invoke lstrcmp,pe32.szExeFile,process
cmp eax,0
jne Next

invoke OpenProcess,PROCESS_TERMINATE,FALSE,[pe32.th32ProcessID]
cmp eax,0
je Next
mov [hProcess],eax

invoke TerminateProcess,[hProcess],0
invoke CloseHandle,[hProcess]
invoke MessageBox,NULL,ok,0,0

Next:

invoke Process32Next,[hProcesses],pe32
cmp eax,FALSE
je Quit
jmp fixx

Quit:

invoke CloseHandle,[hProcesses]
invoke ExitProcess,NULL


section '.idata' import data readable writeable
library kernel32,'KERNEL32.DLL',\
        user32,'USER32.DLL'


include '\fasm\include\api\kernel32.inc'
include '\fasm\include\api\user32.inc'    
revolution 27 Feb 2014, 23:19
Are you sure this line does what you expect?
Code:
invoke Process32First,[hProcess],pe32    
Please see my above two suggestions.
Force 27 Feb 2014, 23:32
revolution


If we look at that C code, then my code is wrong:
Code:
#include <windows.h>
#include <tlhelp32.h>

HANDLE hProcessSnap;
HANDLE hProcess;

PROCESSENTRY32 pe32;

char Report[6];

BOOL KillProcess(char *Process)
{
         hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
         
         pe32.dwSize = sizeof(PROCESSENTRY32);
                 
         Process32First(hProcessSnap, &pe32);
                 
         while(Process32Next(hProcessSnap, &pe32))
         {
                if(!strcmp(pe32.szExeFile, Process))
                {
                   strcpy(Report, "Found");
                                                                   
                   hProcess = OpenProcess(PROCESS_TERMINATE, 0, pe32.th32ProcessID);
                   
                   if(TerminateProcess(hProcess, 0) == 0)
                   {
                          MessageBox(NULL, "Terminating process failed !", "KillProcess", MB_OK | MB_ICONERROR);
                   }
                   
                   if(TerminateProcess(hProcess, 0) != 0)
                   {
                          MessageBox(NULL, "Process terminated successfully !", "KillProcess", MB_OK | MB_ICONINFORMATION);
                   }
                }
         }
                 
         CloseHandle(hProcess);
         CloseHandle(hProcessSnap);
         
         if(strcmp(Report, "Found"))
         MessageBox(NULL, "Process cannot be found !", "KillProcess", MB_OK | MB_ICONWARNING);
         
         strcpy(Report, "");
}

int WINAPI
        WinMain(HINSTANCE hInstance,HINSTANCE hPrevInst,LPSTR CmdLine,int CmdShow)
{
        KillProcess("notepad.exe");
}
    


Interesting, but it works now.
revolution 27 Feb 2014, 23:47
Force wrote:
if we look at that C code then my code is wrong
That C code is awful and is a poor example to work from. But anyhow, yes, your code is wrong. Did you check the return code from the call? Use a debugger and see why.
Force 28 Feb 2014, 00:01
Code:
invoke Process32First,[hProcess],pe32     


The return value is 0.

How does it work then?

I need to use a debugger.
Force 28 Feb 2014, 00:09
It is okay now.

Code:
    format pe GUI 4.0
    entry main
    include '\fasm\include\win32a.inc'
  ; include 'dwtoa.inc'
    section '.data' data readable writeable
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    struct PROCESSENTRY32                                        
           dwSize                    dd              ?           
           cntUsage                  dd              ?           
           th32ProcessID             dd              ?           
           th32DefaultHeapID         dd              ?           
           th32ModuleID              dd              ?           
           cntThreads                dd              ?           
           th32ParentProcessID       dd              ?           
           pcPriClassBase            dd              ?           
           dwFlags                   dd              ?           
           szExeFile                 rb              MAX_PATH    
    ends                                                         
    pe32                   PROCESSENTRY32
    hProcess                dd              ?                    
    hProcesses              dd              ?                    
    TH32CS_SNAPPROCESS      equ             0x00000002           
    NORM_IGNORECASE         equ             0x00000001           
    LOCALE_USER_DEFAULT     equ             0x0400               
    CSTR_EQUAL              equ             0x2                  
    PROCESS_TERMINATE       equ             0x0001               
    process                 db             'iexplore.exe',0
    ok                      db             "Process terminated successfully !",0
    buf db 50 dup (?)
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    section '.code' code readable executable
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    main:                                                        


invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0

mov [hProcesses],eax
mov eax,sizeof.PROCESSENTRY32
mov [pe32.dwSize], eax
invoke Process32First,[hProcesses],pe32
;stdcall dwtoa,eax,buf
;invoke MessageBox,NULL,buf,0,0

fixx:

invoke lstrcmp,pe32.szExeFile,process
cmp eax,0
jne Next

invoke OpenProcess,PROCESS_TERMINATE,FALSE,[pe32.th32ProcessID]
cmp eax,0
je Next
mov [hProcess],eax

invoke TerminateProcess,[hProcess],0
invoke CloseHandle,[hProcess]
invoke MessageBox,NULL,ok,0,0

Next:

invoke Process32Next,[hProcesses],pe32
cmp eax,FALSE
je Quit
jmp fixx

Quit:

invoke CloseHandle,[hProcesses]
invoke ExitProcess,NULL


section '.idata' import data readable writeable
library kernel32,'KERNEL32.DLL',\
        user32,'USER32.DLL'


include '\fasm\include\api\kernel32.inc'
include '\fasm\include\api\user32.inc'    
typedef 28 Feb 2014, 00:19
Process32First returns the first snapshot so you should do it like this

Code:
if (Process32First(hProcessSnap, &pe32))
{
    do {
        // work with the current entry, starting with the very first process
    } while (Process32Next(hProcessSnap, &pe32));
}

With the way you're doing it, you're skipping out one process.
revolution 28 Feb 2014, 01:28
Force, I highly recommend you check the return values from all of the API calls. There are many and varied reasons why a call could fail. Simply assuming each call will succeed is a path to failure. It succeeded once with a single test value but that gives no assurance about future outcomes.
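
Added example, not code from any poster in the thread: the loop from the final listing with every API result checked, the first snapshot entry examined before Process32Next is called, and the normal end of the list told apart from a real failure. The label names, the shortened struct (the six unread dwords collapsed into one field), the stop-at-first-failure behaviour and the exit-code convention (0 on success, otherwise the GetLastError value) are assumptions of this example; PROCESS_TERMINATE, FALSE and MAX_PATH are taken from win32a.inc, as in the thread's first listing.

```asm
format PE GUI 4.0                 ; added example, not code from the thread
entry start
include '\fasm\include\win32a.inc'
TH32CS_SNAPPROCESS = 2
struct PROCESSENTRY32
  dwSize        dd ?
  cntUsage      dd ?
  th32ProcessID dd ?
  unused        rd 6              ; th32DefaultHeapID .. dwFlags, not read here
  szExeFile     rb MAX_PATH
ends
section '.data' data readable writeable
pe32   PROCESSENTRY32
target db 'iexplore.exe',0
section '.code' code readable executable
start:
  invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
  mov edi,eax                     ; snapshot handle
  cmp eax,-1                      ; INVALID_HANDLE_VALUE (not 0) means failure
  je failed
  mov [pe32.dwSize],sizeof.PROCESSENTRY32
  invoke Process32First,edi,pe32
scan:
  test eax,eax                    ; result of Process32First / Process32Next
  jz failed
  invoke lstrcmp,pe32.szExeFile,target
  test eax,eax
  jnz next
  invoke OpenProcess,PROCESS_TERMINATE,FALSE,[pe32.th32ProcessID]
  test eax,eax                    ; NULL, for example when access is denied
  jz failed
  mov esi,eax                     ; process handle
  invoke TerminateProcess,esi,0
  test eax,eax
  jz failed
  invoke CloseHandle,esi
next:
  invoke Process32Next,edi,pe32
  jmp scan
failed:                           ; reached straight after the call that failed
  invoke GetLastError
  cmp eax,18                      ; ERROR_NO_MORE_FILES: normal end of the list
  jne quit
  xor eax,eax
quit:
  invoke ExitProcess,eax          ; exiting closes the handles still open
section '.idata' import data readable writeable
library kernel32,'KERNEL32.DLL'
include '\fasm\include\api\kernel32.inc'
```

Started with `start /wait`, the program leaves its result in `%ERRORLEVEL%`: 0 when the list was walked to the end, 5 (ERROR_ACCESS_DENIED) when the security settings revolution mentions block OpenProcess.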