decard 28 Oct 2004, 20:42
If you declare the structure this way, sizeof.PROCESSENTRY32 is defined, so you can use it in your code:
Code: mov eax,sizeof.PROCESSENTRY32 ; eax = sizeof(PROCESSENTRY32), the value dwSize must hold before Process32First is called
thirteen 28 Oct 2004, 21:25
Code:
include "%fasminc%\win32ax.inc"
include "processentry32.inc"                  ; supplies struct PROCESSENTRY32 (.size, .FileName, ...)

.data
SnapHandle   dd 0                             ; Toolhelp snapshot handle
processentry PROCESSENTRY32

.code
start:
        invoke CreateToolhelp32Snapshot, 2, 0 ; 2 = TH32CS_SNAPPROCESS
        mov dword [SnapHandle], eax
        ; .size (dwSize) must hold the real structure size or Process32First fails;
        ; sizeof.PROCESSENTRY32 is only right if the include declares every field
        ; with its true width (the 256-byte FileName in the include made it 4 bytes
        ; short, see the fix later in the thread).
        mov dword [processentry.size], sizeof.PROCESSENTRY32
        invoke Process32First, dword [SnapHandle], processentry
        ; NOTE(review): eax (Process32First's BOOL result) is never checked, so on
        ; failure the MessageBox still runs and shows whatever FileName contains.
        invoke MessageBox, 0, processentry.FileName, processentry.FileName, 0
        invoke ExitProcess, 0
.end start
and nothing, no filename is showed, only a empty messagebox. It would be nice if you can give a working example, that would be very very helpful! thx anyway, thirteen
vbVeryBeginner 29 Oct 2004, 00:56
Here is the example (no comments added, because I just created it quickly),
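something like the microsoft process viewer you could enhance it by using the listview control and make it refreshes automatically when a new process is created or deleted sincerely, sulaiman chang
Code:
;-----------------------------------------------------------------------
; Process Entry 32 - lists every process of a Toolhelp snapshot
; (PID, thread count, image name) in a multi-line EDIT control.
; Target: Win32 PE GUI, fasm 'win32a.inc' macros.
;   invoke  = stdcall call (callee pops the arguments)
;   cinvoke = cdecl call (caller pops the arguments) - needed for wsprintf
; All API calls go to the ANSI entry points (see the import table).
;-----------------------------------------------------------------------
format PE GUI 4.0
entry start
include '%fasminc%\win32a.inc'

; tlhelp32.h PROCESSENTRY32 (ANSI). dwSize must be set to
; sizeof.PROCESSENTRY32 before Process32First or the call fails.
struct PROCESSENTRY32
 .dwSize              dd ?
 .cntUsage            dd ?
 .th32ProcessID       dd ?
 .th32DefaultHeapID   dd ?
 .th32ModuleID        dd ?
 .cntThreads          dd ?
 .th32ParentProcessID dd ?
 .pcPriClassBase      dd ?
 .dwFlags             dd ?
 .szExeFile           rb 260                  ; MAX_PATH, NUL-terminated
ends

TH32CS_SNAPPROCESS = 0x2

; Buffer sizing.
; wsprintf output is capped at 1024 bytes (documented limit), so a 1024-byte
; scratch buffer cannot be overrun; the previous 0x100 was smaller than the
; 259-char szExeFile + CRLF + NUL that the edit1F1 format can produce.
EDIT1_TMP_SIZE   = 0x400
EDIT1_BUF_SIZE   = 0x400
; Worst case one process line can take in edit1Buf:
; 8 hex digits + tab, 10 decimal digits + tab, 259-char path + CRLF, NUL.
EDIT1_RECORD_MAX = 8+1 + 10+1 + 259+2 + 1

section '.data' data readable writeable

ctlClsNameEdit db 'EDIT',0
insH           dd ?                           ; HINSTANCE of this module
wndH           dd ?                           ; main window handle
wndClsName     db 'PROCESSENTRY32',0
wndTitle       db 'Process Entry 32',0
wndCls         WNDCLASS
wndMsg         MSG
proSnapH       dd ?                           ; Toolhelp snapshot handle
proRet         dd TRUE                        ; unused
proEntry       PROCESSENTRY32
edit1H         dd ?                           ; handle of the EDIT child
edit1BufTmp    rb EDIT1_TMP_SIZE              ; wsprintf scratch buffer
; edit1BufStart has no terminator on purpose: the text handed to
; SetWindowText runs from the header straight into edit1Buf, which
; must therefore stay immediately after it.
edit1BufStart  db 'PID',9,' Num. Threads',9,'Full Path',13,10
edit1Buf       rb EDIT1_BUF_SIZE
edit1BufEnd:                                  ; one past the last byte of edit1Buf
edit1Offset    dd edit1Buf                    ; write cursor inside edit1Buf
edit1F1        db '%s',13,10,0
edit1F2        db '%X',9,0
edit1F3        db '%lu',9,0
font1S         LOGFONT
font1H         dd ?                           ; unused
font1FaceName  db 'MS Sans Serif',0

section '.code' code readable executable

start:
        invoke  GetModuleHandle,0
        mov     [insH],eax
        mov     [wndCls.hInstance],eax
        mov     [wndCls.style],CS_HREDRAW + CS_VREDRAW
        mov     [wndCls.lpfnWndProc],window_procedure
        mov     [wndCls.lpszClassName],wndClsName
        mov     [wndCls.hbrBackground],COLOR_BTNFACE + 1
        invoke  LoadIcon,NULL,IDI_APPLICATION
        mov     [wndCls.hIcon],eax
        invoke  LoadCursor,NULL,IDC_ARROW
        mov     [wndCls.hCursor],eax
        invoke  RegisterClass,wndCls
        invoke  CreateWindowEx,WS_EX_CLIENTEDGE,\
                wndClsName,wndTitle,\
                WS_OVERLAPPEDWINDOW + WS_VISIBLE,\
                CW_USEDEFAULT,CW_USEDEFAULT,\
                500,300,\
                NULL,NULL,[insH],NULL
        mov     [wndH],eax

window_message_loop_start:
        invoke  GetMessage,wndMsg,NULL,0,0
        or      eax,eax                       ; 0 = WM_QUIT (-1 on error is not handled)
        je      window_message_loop_end
        invoke  TranslateMessage,wndMsg
        invoke  DispatchMessage,wndMsg
        jmp     window_message_loop_start
window_message_loop_end:
        invoke  ExitProcess,0

;-----------------------------------------------------------------------
; LRESULT window_procedure(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; ebx/esi/edi are saved and restored as the Win32 ABI requires. The LRESULT
; is whatever eax holds at wmBYE, i.e. the result of the last API call of
; the handler that ran (DefWindowProc's for unhandled messages).
;-----------------------------------------------------------------------
proc window_procedure,hWnd,uMsg,wParam,lParam
        push    ebx esi edi
        cmp     [uMsg],WM_SIZE
        je      wmSIZE
        cmp     [uMsg],WM_CTLCOLOREDIT
        je      wmCTLCOLOREDIT
        cmp     [uMsg],WM_CREATE
        je      wmCREATE
        cmp     [uMsg],WM_DESTROY
        je      wmDESTROY
wmDEFAULT:
        invoke  DefWindowProc,[hWnd],[uMsg],[wParam],[lParam]
        jmp     wmBYE

wmCTLCOLOREDIT:                               ; light text on a black background for the EDIT
        invoke  SetTextColor,[wParam],0x00FFFFC0
        invoke  SetBkColor,[wParam],0x00000000
        invoke  GetStockObject,BLACK_BRUSH    ; the brush handle is the LRESULT
        jmp     wmBYE

wmSIZE:                                       ; keep the EDIT covering the whole client area
        mov     edx,[lParam]
        mov     ecx,edx
        shr     ecx,16                        ; ecx = HIWORD(lParam) = new height
        and     edx,0xFFFF                    ; edx = LOWORD(lParam) = new width
        invoke  MoveWindow,[edit1H],0,0,edx,ecx,TRUE
        jmp     wmBYE

wmCREATE:
        invoke  lstrcpy,font1S.lfFaceName,font1FaceName
        mov     [font1S.lfWidth],6
        mov     [font1S.lfHeight],6
        invoke  CreateFontIndirect,font1S
        push    eax                           ; keep the HFONT across CreateWindowEx
        invoke  CreateWindowEx,NULL,ctlClsNameEdit,NULL,\
                WS_CHILD + WS_VISIBLE + WS_VSCROLL + WS_HSCROLL + ES_MULTILINE + ES_AUTOHSCROLL + ES_AUTOVSCROLL,\
                0,0,0,0,\
                [hWnd],NULL,[insH],NULL
        mov     [edit1H],eax
        pop     eax
        invoke  SendMessage,[edit1H],WM_SETFONT,eax,FALSE

        invoke  CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
        mov     [proSnapH],eax
        mov     [proEntry.dwSize],sizeof.PROCESSENTRY32
        invoke  Process32First,[proSnapH],proEntry
        cmp     eax,FALSE
        je      wmCREATE_PROCESS_EXIT
wmCREATE_PROCESS_NEXT:
        ; Stop before a record could run past edit1BufEnd. The original appended
        ; with no bound at all, so with enough processes it wrote past edit1Buf
        ; into edit1Offset and the format strings stored after it.
        mov     eax,[edit1Offset]
        add     eax,EDIT1_RECORD_MAX
        cmp     eax,edit1BufEnd
        ja      wmCREATE_PROCESS_EXIT
        ; wsprintf is cdecl, so it must be called with cinvoke, which pops the
        ; arguments after the call. With invoke (stdcall) each call left 12 bytes
        ; on the stack, and the 'pop edi esi ebx' at wmBYE then restored wrong
        ; values into the callee-saved registers.
        invoke  RtlZeroMemory,edit1BufTmp,EDIT1_TMP_SIZE
        cinvoke wsprintf,edit1BufTmp,edit1F2,[proEntry.th32ProcessID]
        invoke  lstrcpy,[edit1Offset],edit1BufTmp
        invoke  lstrlen,edit1BufTmp
        add     [edit1Offset],eax
        cinvoke wsprintf,edit1BufTmp,edit1F3,[proEntry.cntThreads]
        invoke  lstrcpy,[edit1Offset],edit1BufTmp
        invoke  lstrlen,edit1BufTmp
        add     [edit1Offset],eax
        cinvoke wsprintf,edit1BufTmp,edit1F1,proEntry.szExeFile
        invoke  lstrcpy,[edit1Offset],edit1BufTmp
        invoke  lstrlen,edit1BufTmp
        add     [edit1Offset],eax
        invoke  Process32Next,[proSnapH],proEntry
        cmp     eax,FALSE
        je      wmCREATE_PROCESS_EXIT
        jmp     wmCREATE_PROCESS_NEXT
wmCREATE_PROCESS_EXIT:
        invoke  CloseHandle,[proSnapH]
        invoke  SetWindowText,[edit1H],edit1BufStart
        jmp     wmBYE

wmDESTROY:
        invoke  PostQuitMessage,0
wmBYE:
        pop     edi esi ebx
        return
endp

; Unused placeholder; nothing registers it as a window procedure.
proc window_child_procedure,hWnd,uMsg,wParam,lParam
        return
endp

section '.idata' import data readable

library KERNEL32, 'KERNEL32.DLL',\
        USER32, 'USER32.DLL',\
        GDI32, 'GDI32.DLL'

import  KERNEL32,\
        lstrlen, 'lstrlenA',\
        lstrcpy, 'lstrcpy',\
        GetModuleHandle, 'GetModuleHandleA',\
        CloseHandle, 'CloseHandle',\
        CreateToolhelp32Snapshot, 'CreateToolhelp32Snapshot',\
        Process32First, 'Process32First',\
        Process32Next, 'Process32Next',\
        RtlZeroMemory, 'RtlZeroMemory',\
        ExitProcess, 'ExitProcess'

import  USER32,\
        wsprintf, 'wsprintfA',\
        LoadIcon, 'LoadIconA',\
        LoadCursor, 'LoadCursorA',\
        RegisterClass, 'RegisterClassA',\
        CreateWindowEx, 'CreateWindowExA',\
        MoveWindow, 'MoveWindow',\
        SetWindowText, 'SetWindowTextA',\
        GetMessage, 'GetMessageA',\
        SendMessage, 'SendMessageA',\
        DefWindowProc, 'DefWindowProcA',\
        TranslateMessage, 'TranslateMessage',\
        DispatchMessage, 'DispatchMessageA',\
        PostQuitMessage, 'PostQuitMessage'

import  GDI32,\
        SetTextColor, 'SetTextColor',\
        SetBkColor, 'SetBkColor',\
        CreateFontIndirect, 'CreateFontIndirectA',\
        GetStockObject, 'GetStockObject'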
thirteen 29 Oct 2004, 11:20
OK, I have found the problem:
Code: .FileName rb 260d
and not
Code: .FileName rb 256d
now that works:
Code:
include "%fasminc%\win32ax.inc"
include "processentry32.inc"                  ; the PROCESSENTRY32 struct shown below

.data
SnapHandle   dd ?                             ; Toolhelp snapshot handle
processentry PROCESSENTRY32

.code
start:
        invoke CreateToolhelp32Snapshot, 2, 0 ; 2 = TH32CS_SNAPPROCESS
        mov [SnapHandle], eax
        ; .size (dwSize) must hold the real structure size or Process32First fails;
        ; with FileName at 256 bytes sizeof.PROCESSENTRY32 was 4 bytes short.
        mov [processentry.size], sizeof.PROCESSENTRY32
        invoke Process32First, [SnapHandle], processentry
FindNext:
        cmp eax, 0                            ; FALSE from Process32First/Next: no more entries (or failure)
        je Exit
        invoke MessageBox, 0, processentry.FileName, processentry.FileName, 0
        invoke Process32Next, [SnapHandle], processentry
        jmp FindNext
Exit:
        ; NOTE(review): the snapshot handle is never passed to CloseHandle; it is
        ; only reclaimed because ExitProcess ends the process right away.
        invoke ExitProcess, 0
.end start
include file:
Code:
struct PROCESSENTRY32                         ; field names differ from tlhelp32.h (.size = dwSize, .FileName = szExeFile)
.size dd ?
.usage dd ?
.processID dd ?
.defaultHeapID dd ?
.moduleID dd ?
.threads dd ?
.parentProcessID dd ?
.priClassBase dd ?
.flags dd ?
.FileName rb 260d                             ; MAX_PATH; 256 made Process32First fail
ends
thx alot, thirteen
thirteen 29 Oct 2004, 11:30
only one more thing,
thirteen 29 Oct 2004, 13:37
Now I tested it with a snapshot of modules, to get the full path of the executed files, and it doesn't work. What's wrong with this?! It drives me crazy...
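Code:
include "%fasminc%\win32ax.inc"
include "processentry32.inc"                  ; PROCESSENTRY32 / MODULEENTRY32 structs shown below

TH32CS_SNAPMODULE = 8                         ; module snapshot (the literal 8 used before)

.data
SnapHandle   dd ?                             ; Toolhelp snapshot handle
processentry PROCESSENTRY32
module       MODULEENTRY32

.code
start:
        ; A module snapshot is per-process: th32ProcessID = 0 refers to the
        ; calling process, so this lists the modules of this program only.
        ; To get every running executable's path, take a process snapshot first
        ; (the commented-out lines) and pass each th32ProcessID here instead.
        invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, 0
        mov [SnapHandle], eax
        ;mov [processentry.dwSize], sizeof.PROCESSENTRY32
        ; dwSize must hold the real MODULEENTRY32 size. The struct below lacked
        ; th32ProcessID, so sizeof.MODULEENTRY32 was 4 bytes short: Module32First
        ; rejects a too-small dwSize, and every field after th32ModuleID would be
        ; read 4 bytes off even if it did not.
        mov [module.dwSize], sizeof.MODULEENTRY32
        ;invoke Process32First, [SnapHandle], processentry
        invoke Module32First, [SnapHandle], module
FindNext:
        test eax, eax                         ; FALSE: no (more) entries or failure
        je Exit
        ;invoke MessageBox, 0, processentry.szExeFile, processentry.szExeFile, 0
        invoke MessageBox, 0, module.szExePath, module.szExePath, 0
        ;invoke Process32Next, [SnapHandle], processentry
        invoke Module32Next, [SnapHandle], module
        jmp FindNext
Exit:
        invoke CloseHandle, [SnapHandle]      ; release the snapshot before leaving
        invoke ExitProcess, 0
.end start
include:
Code:
struct PROCESSENTRY32                         ; tlhelp32.h layout, ANSI version
 .dwSize              dd ?
 .cntUsage            dd ?
 .th32ProcessID       dd ?
 .th32DefaultHeapID   dd ?
 .th32ModuleID        dd ?
 .cntThreads          dd ?
 .th32ParentProcessID dd ?
 .pcPriClassBase      dd ?
 .dwFlags             dd ?
 .szExeFile           rb 260                  ; MAX_PATH
ends
struct MODULEENTRY32                          ; tlhelp32.h layout, ANSI version
 .dwSize        dd ?
 .th32ModuleID  dd ?
 .th32ProcessID dd ?                          ; was missing: id of the owning process
 .GlblcntUsage  dd ?
 .ProccntUsage  dd ?
 .modBaseAddr   dd ?
 .modBaseSize   dd ?
 .hModule       dd ?
 .szModule      rb 256 ;MAX_MODULE_NAME32(255) + 1
 .szExePath     rb 260                        ; MAX_PATH
ends
sorry for wasting maybe time, thx anyway, thirteen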