PROJECT : Process Viewer (ProcessView.exe)
AUTHOR(S) : Pegasus, Reverse Engineering Network
LANGUAGE : assembler (MASM V8)
VERSION : 1.05 - 2004-02-13
OS : Windows 95/98/ME/2K/XP/2K3

DESCRIPTION : This project is a simple example of how to access system information via
"CreateToolhelp32Snapshot" and display it using a TreeView.
On Windows NT-based operating systems, additional information is also
displayed for modules, heaps and threads by using "SeDebugPrivilege" and
changing the TokenPrivileges.

TIPS : If you have trouble compiling this project, make sure your "windows.inc"
contains the following line: (THE NEW WINDOWS.INC DOESN'T CONTAIN IT!!)
TV_INSERTSTRUCT equ <TVINSERTSTRUCTA>

Compilable via RadASM 2.0.4.0 (ProcessView.rap) or commandline (_build.bat)

DISCLAIMER : Use at your own risk. The authors assume no responsibility for errors or
omissions. Nor is any liability assumed for damages resulting from
the use of this application.

Posted on 2004-02-13 11:32:53 by cu.Pegasus
Originally posted by cu.Pegasus


PROJECT : Process Viewer (ProcessView.exe)
/snip/
OS : Windows 95/98/ME/[b]NT[/b]/2K/XP/2K3


When I first downloaded it at home and took a quick look at the source, I suspected it is *not* NT-compatible (because you are using the ToolHelp API, which is not available on WinNT4). I couldn't check it at home, so today at my office I downloaded it again, compiled it and tried to run it - and I was right. The executable complains about Module32First not being found in kernel32.dll and terminates. So, your ProcessViewer is not for WinNT (4 and earlier).
Posted on 2004-02-16 04:28:37 by Morris
Hi,
as told by Morris, this application won't run on NT4 (and lower). In order to avoid execution on this OS, add the code parts between "Insert" and "Insert-End" to your source. The OS is checked by using the entries of the ProcessEnvironmentBlock..
... and of course don't forget the data for the MessageBox (szNT4Error & szNT4Caption) ;)



; -- NT-based OS check ;)
assume fs:nothing ; it's masm, so we need it...
mov eax,fs:[18h] ; get TEB self pointer
mov ebx,fs:[30h] ; get pointer to PEB /process data base
.if eax==7FFDE000h && ebx==7FFDF000h ; default TEB/PEB addresses of the initial thread on NT-based Windows

;----------- <<INSERT>>
; -- avoid NT4 and lower execution...
mov ebx,[ebx+0A4h] ; get the major OS version (PEB)
.if ebx < 5 ; lower than Windows 2000
invoke MessageBox,NULL,addr szNT4Error,addr szNT4Caption,MB_OK
jmp _leaveApp
.endif
;----------- <<INSERT-END>>

; -- it's NT-based, so we are able to use debug mode!
invoke GetCurrentProcess ; get THIS process handle
mov _hProcess,eax ; and store it
invoke OpenProcessToken,_hProcess,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,addr _hToken
lea eax,tkp.Privileges[0].Luid ; needed for AdjustTokenPrivileges
invoke LookupPrivilegeValue,NULL,offset szString,eax; get the value for "SeDebugPrivilege"
mov tkp.PrivilegeCount,1 ; we have one array
mov tkp.Privileges[0].Attributes,SE_PRIVILEGE_ENABLED ; enable our privilege
invoke AdjustTokenPrivileges,_hToken,FALSE,addr tkp, sizeof tkp, NULL, NULL
invoke CloseHandle,_hToken ; close the opened token
.endif ; -- of NT based check

invoke InitCommonControls ; init treeview usage
invoke DialogBoxParam,hInstance,IDD_DIALOG,NULL,offset DlgProc,NULL

;----------- <<INSERT>>
_leaveApp:
;----------- <<INSERT-END>>

invoke ExitProcess,NULL ; cleanup and kill process


I've seen the solution and source code written by Morris for Windows NT4. Very good, Morris.
Maybe you could post it too, so people could see the differences?

Regards, Pegasus
Posted on 2004-02-16 05:20:52 by cu.Pegasus
A C++ class incorporating an easy Windows cross-platform port of the ToolHelp32 functions (including NT4) is available here: How to kill a process given a name. The code is readily translatable to asm.
Posted on 2004-02-16 19:35:19 by Poimander
Originally posted by cu.Pegasus
Hi,
as told by Morris, this application won't run on NT4 (and lower). In order to avoid execution on this OS, add the code parts between "Insert" and "Insert-End" to your source. The OS is checked by using the entries of the ProcessEnvironmentBlock...

Unfortunately, the program will never get there (on WinNT4), because it will be terminated at the load-and-resolve-imports stage. Your fix is not enough to terminate the application in a graceful way :) You also have to load the ToolHelp API functions dynamically (i.e. GetModuleHandle(kernel32), GetProcAddress(Process32First) and so on).

I've seen the solution and source code written by Morris for Windows NT4. Very good, Morris.
Maybe you could post it too, so people could see the differences?


I've gotta clean it up a bit before I can post it ;)

Morris
Posted on 2004-02-17 01:01:48 by Morris
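The approach Morris describes, written out as an added example that is not part of the original thread or of Pegasus's ProcessView source: a stand-alone MASM32 program that resolves CreateToolhelp32Snapshot, Process32First and Process32Next with GetProcAddress instead of importing them, so the loader can start it even where kernel32.dll lacks them (NT 4.0 and earlier), and that enables SeDebugPrivilege the same way the snippet above does but with the check that the return value of AdjustTokenPrivileges alone does not give. Assumptions: the masm32 package include and lib paths; that its windows.inc defines PROCESSENTRY32, TH32CS_SNAPPROCESS, ERROR_NOT_ALL_ASSIGNED and TOKEN_PRIVILEGES with the Privileges[0] indexing the snippet above uses; the procedure names and message strings are the example's own. The hard-coded fs:[18h]/fs:[30h] address comparison is not needed here: with no static ToolHelp import, a null GetProcAddress result is the OS check, and on Windows 9x OpenProcessToken simply fails, so the privilege step is skipped gracefully.

```asm
; Added example in MASM32 syntax, not code from the thread (paths and names are assumptions).
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\advapi32.lib

; CreateToolhelp32Snapshot, Process32First and Process32Next all take two DWORDs, so one
; pointer-to-proto type covers the three run-time resolved entry points (no import table entry).
PFN_TH32 typedef proto :DWORD, :DWORD
PTH32    typedef ptr PFN_TH32

.data
szKernel32   db "kernel32.dll",0
szSnapName   db "CreateToolhelp32Snapshot",0
szP32First   db "Process32First",0
szP32Next    db "Process32Next",0
szDebugPriv  db "SeDebugPrivilege",0
szCaption    db "ToolHelp32 example",0
szNoToolhelp db "ToolHelp32 is not available on this OS (Windows NT 4.0 or earlier).",0
szFmt        db "SeDebugPrivilege enabled: %s",13,10,"Processes in snapshot: %lu",0
szYes        db "yes",0
szNo         db "no",0
.data?
pSnap   PTH32 ?
pFirst  PTH32 ?
pNext   PTH32 ?
hToken  HANDLE ?
tkp     TOKEN_PRIVILEGES <>
pe32    PROCESSENTRY32 <>
szBuf   db 128 dup(?)

.code
; eax = 1 only if SeDebugPrivilege is really enabled. AdjustTokenPrivileges returns TRUE even
; when the token lacks the privilege; the only sign is GetLastError() == ERROR_NOT_ALL_ASSIGNED.
EnableDebugPrivilege proc uses ebx esi
    invoke GetCurrentProcess
    invoke OpenProcessToken, eax, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, offset hToken
    .if eax == 0
        ret                                  ; eax is already 0: no token to adjust (e.g. Win9x)
    .endif
    lea eax, tkp.Privileges[0].Luid
    invoke LookupPrivilegeValue, NULL, offset szDebugPriv, eax
    mov tkp.PrivilegeCount, 1
    mov tkp.Privileges[0].Attributes, SE_PRIVILEGE_ENABLED
    invoke AdjustTokenPrivileges, hToken, FALSE, offset tkp, sizeof tkp, NULL, NULL
    mov ebx, eax                             ; BOOL result of the call itself
    invoke GetLastError
    mov esi, eax                             ; read it before CloseHandle can overwrite it
    invoke CloseHandle, hToken
    xor eax, eax
    .if ebx != 0 && esi != ERROR_NOT_ALL_ASSIGNED
        inc eax
    .endif
    ret
EnableDebugPrivilege endp

; eax = number of processes in a ToolHelp32 snapshot, or -1 if the snapshot failed.
CountProcesses proc uses ebx esi
    invoke pSnap, TH32CS_SNAPPROCESS, 0      ; indirect call through the resolved pointer
    .if eax == INVALID_HANDLE_VALUE
        ret                                  ; INVALID_HANDLE_VALUE is -1; return it as is
    .endif
    mov ebx, eax                             ; snapshot handle
    xor esi, esi                             ; process counter
    mov pe32.dwSize, sizeof PROCESSENTRY32   ; required before Process32First
    invoke pFirst, ebx, offset pe32
    .while eax != 0
        inc esi
        invoke pNext, ebx, offset pe32
    .endw
    invoke CloseHandle, ebx
    mov eax, esi
    ret
CountProcesses endp

start:
    invoke GetModuleHandle, offset szKernel32
    mov ebx, eax
    invoke GetProcAddress, ebx, offset szSnapName
    mov pSnap, eax
    invoke GetProcAddress, ebx, offset szP32First
    mov pFirst, eax
    invoke GetProcAddress, ebx, offset szP32Next
    mov pNext, eax
    .if pSnap == 0 || pFirst == 0 || pNext == 0  ; reached even on NT4: nothing was imported statically
        invoke MessageBox, NULL, offset szNoToolhelp, offset szCaption, MB_OK or MB_ICONERROR
        invoke ExitProcess, 1
    .endif
    mov esi, offset szNo
    invoke EnableDebugPrivilege
    .if eax != 0
        mov esi, offset szYes
    .endif
    invoke CountProcesses
    invoke wsprintf, offset szBuf, offset szFmt, esi, eax
    invoke MessageBox, NULL, offset szBuf, offset szCaption, MB_OK
    invoke ExitProcess, 0
end start
```

Two points worth keeping in mind when reusing this. First, AdjustTokenPrivileges reports success for the call even when the token does not hold SeDebugPrivilege (a non-administrator account, for instance); that case is signalled only through GetLastError() returning ERROR_NOT_ALL_ASSIGNED, which must be read before CloseHandle, since any later API call may overwrite the last-error value. Enabling a privilege only switches on one the token already carries; it never grants it. Second, the dynamic resolution is what makes the graceful message possible at all: as Morris notes, a static import of a missing export is rejected by the loader before the first instruction of the program runs, so no in-program version check can help.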