flat assembler
Message board for the users of flat assembler.

Windows > Process32First returns ERROR_BAD_LENGTH (only in 64bit)

jochenvnltn 30 Jan 2018, 00:10
Hello Everyone.

Today I made working x86 ASM code into 64-bit, but Process32First returns ERROR_BAD_LENGTH. There seem to be fixes for C/C++ projects, but I would like to do it in FASM. Does anyone know a workaround?

Code:
include 'win64ax.inc'
entry main

main:
        sub     rsp,8                           ; align the stack to 16 bytes

        mov     [prcs.dwSize],sizeof.PROCESSENTRY32
        invoke  CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
        mov     [hSnapshot],rax

        invoke  Process32First,[hSnapshot],prcs
        ; returns ERROR_BAD_LENGTH

        invoke  GetLastError
        invoke  FormatMessage,FORMAT_MESSAGE_FROM_SYSTEM+FORMAT_MESSAGE_ALLOCATE_BUFFER,0,eax,0,error_buffer,0,0
        invoke  MessageBox,0,[error_buffer],'error',MB_OK

.loop:
        invoke  StrStrI,prcs.szExeFile,szCalc   ; case-insensitive match on the exe name
        cmp     rax,0
        je      .next
        jmp     found

.next:
        invoke  Process32Next,[hSnapshot],prcs
        cmp     rax,0
        jne     .loop
        jmp     exit

found:  invoke  MessageBox,0,szMes,szCap,MB_OK

exit:   xor     rcx,rcx
        call    [ExitProcess]

TOKEN_QUERY_TOKEN_ADJUST_PRIVILEGES = 28h
TH32CS_SNAPPROCESS = 2

; all-dword layout of PROCESSENTRY32 (correct for 32-bit, not for 64-bit)
struct PROCESSENTRY32
    dwSize               dd 0
    cntUsage             dd 0
    th32ProcessID        dd 0
    th32DefaultHeapID    dd 0
    th32ModuleID         dd 0
    cntThreads           dd 0
    th32ParentProcessID  dd 0
    pcPriClassBase       dd 0
    dwFlags              dd 0
    szExeFile            rb MAX_PATH
ends

prcs           PROCESSENTRY32
szCalc         db 'calc.exe',0
szMes          db 'Calc.exe found !!',0
szCap          db 'Success !!',0
hSnapshot      dq 0
error_buffer   dq ?                             ; receives the buffer pointer from FormatMessage

section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\
          user32,'USER32.DLL',\
          shell32,'SHELL32.DLL'

  include 'api\kernel32.inc'
  include 'api\user32.inc'
  include 'api\shell32.inc'
alkap 30 Jan 2018, 07:23
The post referenced below suggests defining dwFlags as ULONG_PTR, which is a 64-bit unsigned long type. See if that helps.
Quote:

On x64 you need to change dwFlags in TProcessEntry32 from a DWORD to a ULONG_PTR and then Process32Next will work. It's expecting 304 bytes not 300.

https://social.msdn.microsoft.com/Forums/vstudio/en-US/d63cc18c-f54d-4e5a-964f-dda789b1f318/createtoolhelp32snapshot-on-a-64-bit-machine?forum=vcgeneral
alkap 30 Jan 2018, 08:17
Just tried running your code with dwFlags declared as dq, but to no avail.
No answer for you at the moment. Sorry.
bitRAKE 30 Jan 2018, 09:25
Would also need to pad the DWORD before the ULONG_PTR as alignment is granular to the object size (i.e. quad words on eight byte boundary).
Code:
struct PROCESSENTRY32
    dwSize               dd 0
    cntUsage             dd 0
    th32ProcessID        dd 0
        rd 1 ; padding
    th32DefaultHeapID    dq 0 ; PTR is quadword
    th32ModuleID         dd 0
    cntThreads           dd 0
    th32ParentProcessID  dd 0
    pcPriClassBase       dd 0
    dwFlags              dd 0
    szExeFile            rb MAX_PATH
ends
...based on https://msdn.microsoft.com/en-us/library/windows/desktop/ms684839(v=vs.85).aspx

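The layout difference behind alkap's quoted "304 bytes" and bitRAKE's padding, as an added example that is not part of this thread: the two structs below mirror the poster's all-dword FASM struct and the SDK's x64 layout using fixed-width C types, so it compiles without windows.h. The x86 size comes out at 296 (the quoted post's "300" is a rough figure); MAX_PATH is assumed to be 260 as on Windows, and the dwSize check is a simplified model of the API's validation, not its real implementation.

```c
/* Added example (not the thread's code): PROCESSENTRY32 layout on x86 vs x64.
 * Assumption: MAX_PATH == 260, as in the Windows SDK. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PATH 260

/* The poster's original FASM struct: every field a dword. Valid for 32-bit
 * Windows, where ULONG_PTR is 4 bytes and nothing needs padding. */
struct pe32_x86 {
    uint32_t dwSize, cntUsage, th32ProcessID;
    uint32_t th32DefaultHeapID;            /* ULONG_PTR on x86 */
    uint32_t th32ModuleID, cntThreads, th32ParentProcessID;
    int32_t  pcPriClassBase;
    uint32_t dwFlags;
    char     szExeFile[MAX_PATH];
};

/* The x64 layout: ULONG_PTR is 8 bytes and must start on an 8-byte boundary,
 * which is bitRAKE's "rd 1 ; padding" after th32ProcessID. The _Alignas
 * pins that rule so the result is the same on any host compiler. */
struct pe32_x64 {
    uint32_t th32ProcessID_hdr[3];          /* dwSize, cntUsage, th32ProcessID */
    _Alignas(8) uint64_t th32DefaultHeapID; /* ULONG_PTR on x64, offset 16 */
    uint32_t th32ModuleID, cntThreads, th32ParentProcessID;
    int32_t  pcPriClassBase;
    uint32_t dwFlags;
    char     szExeFile[MAX_PATH];
};

size_t pe32_x86_size(void)          { return sizeof(struct pe32_x86); }
size_t pe32_x64_size(void)          { return sizeof(struct pe32_x64); }
size_t pe32_x64_heapid_offset(void) { return offsetof(struct pe32_x64, th32DefaultHeapID); }

/* Simplified model of the dwSize validation: a 64-bit caller that fills in
 * the 32-bit size hands kernel32 a structure shorter than it expects, and
 * the call fails with ERROR_BAD_LENGTH instead of filling the entry. */
int dwsize_mismatch_on_x64(uint32_t dwSize) { return dwSize != sizeof(struct pe32_x64); }

int main(void) {
    printf("x86 layout: %zu bytes; x64 layout: %zu bytes, heap id at offset %zu\n",
           pe32_x86_size(), pe32_x64_size(), pe32_x64_heapid_offset());
    printf("dwSize=%zu on x64 -> %s\n", pe32_x86_size(),
           dwsize_mismatch_on_x64((uint32_t)pe32_x86_size()) ? "ERROR_BAD_LENGTH" : "ok");
    return 0;
}
```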
jochenvnltn 30 Jan 2018, 16:39
bitRAKE wrote:
Would also need to pad the DWORD before the ULONG_PTR as alignment is granular to the object size (i.e. quad words on eight byte boundary).
Thank you guys for the quick response and fix.
bitRAKE's fix with the padding in the struct finally fixed the problem. The code is working now as expected and I have learned something new. Thank you bitRAKE!!!
Copyright © 1999-2024, Tomasz Grysztar.