Hi !
I hope the following code always computes the real executable file for any Win OS:
;
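; Resolve the executable name of the process that owns hWnd via a toolhelp
; process snapshot (MASM, Win32).
; In:    hWnd       = target window
; Out:   processid  = owning process id (filled in by GetWindowThreadProcessId)
;        threadid   = owning thread id
;        hSnapshot  = snapshot handle while the loop runs; closed before leaving
;        windowfile = szExeFile of the matching entry.  NOTE(review): on the
;                     NT family this is the file name only, not a full path.
; Err:   jumps to _err (defined outside this fragment) with eax = 0, after
;        closing the snapshot handle if one was opened.
; Clobb: eax, flags, plus whatever the called APIs clobber (ecx, edx).
        invoke  GetWindowThreadProcessId,hWnd,addr processid
        test    eax,eax                 ; 0 => hWnd is not a valid window
        jz      _err
        mov     threadid,eax
        ; The th32ProcessID argument is ignored for TH32CS_SNAPPROCESS: the
        ; snapshot always lists every process, hence the matching loop below.
        invoke  CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,processid
        cmp     eax,INVALID_HANDLE_VALUE ; failure is -1, not 0
        jne     @f
        xor     eax,eax                 ; report failure the same way as below
        jmp     _err
@@:
        mov     hSnapshot,eax
        mov     PROCESSENTRY32.dwSize,sizeof PROCESSENTRY32 ; required before Process32First
        ; Pass the saved handle instead of relying on eax still holding it:
        ; the dwSize store happens to preserve eax, but the dependency is
        ; fragile (ADDR of a stack-based structure is materialised through eax).
        invoke  Process32First,hSnapshot,addr PROCESSENTRY32
@@:
        test    eax,eax                 ; FALSE => no (more) entries
        jz      _wts_nomatch
        mov     eax,processid
        cmp     PROCESSENTRY32.th32ProcessID,eax
        jz      _wts_found
        invoke  Process32Next,hSnapshot,addr PROCESSENTRY32
        jmp     @b                      ; eax = Process32Next result
_wts_found:
        ; Bounded copy: szExeFile is MAX_PATH bytes, so a plain lstrcpy is only
        ; safe when windowfile is at least that large; lstrcpyn truncates.
        ; NOTE(review): assumes windowfile is a sized buffer (db ... dup / LOCAL).
        invoke  lstrcpyn,addr windowfile,addr PROCESSENTRY32.szExeFile,sizeof windowfile
        invoke  CloseHandle,hSnapshot   ; release the snapshot
        jmp     _wts_done
_wts_nomatch:
        invoke  CloseHandle,hSnapshot   ; release the snapshot on the error path too
        xor     eax,eax                 ; eax = 0 on entry to _err, as after a failed Process32First/Next
        jmp     _err
_wts_done: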
;
... But I have only 98 and 2kSP4 :-(
Can you help me to test it on XP and 2k3 ?
It's a part of my tiny utility WinTreeSnap
(http://www.asmcommunity.net/board/showthread.php?threadid=18195),
current version attached.
Thanks
I hope the following code always computes the real executable file for any Win OS:
;
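; Resolve the executable name of the process that owns hWnd via a toolhelp
; process snapshot (MASM, Win32).
; In:    hWnd       = target window
; Out:   processid  = owning process id (filled in by GetWindowThreadProcessId)
;        threadid   = owning thread id
;        hSnapshot  = snapshot handle while the loop runs; closed before leaving
;        windowfile = szExeFile of the matching entry.  NOTE(review): on the
;                     NT family this is the file name only, not a full path.
; Err:   jumps to _err (defined outside this fragment) with eax = 0, after
;        closing the snapshot handle if one was opened.
; Clobb: eax, flags, plus whatever the called APIs clobber (ecx, edx).
        invoke  GetWindowThreadProcessId,hWnd,addr processid
        test    eax,eax                 ; 0 => hWnd is not a valid window
        jz      _err
        mov     threadid,eax
        ; The th32ProcessID argument is ignored for TH32CS_SNAPPROCESS: the
        ; snapshot always lists every process, hence the matching loop below.
        invoke  CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,processid
        cmp     eax,INVALID_HANDLE_VALUE ; failure is -1, not 0
        jne     @f
        xor     eax,eax                 ; report failure the same way as below
        jmp     _err
@@:
        mov     hSnapshot,eax
        mov     PROCESSENTRY32.dwSize,sizeof PROCESSENTRY32 ; required before Process32First
        ; Pass the saved handle instead of relying on eax still holding it:
        ; the dwSize store happens to preserve eax, but the dependency is
        ; fragile (ADDR of a stack-based structure is materialised through eax).
        invoke  Process32First,hSnapshot,addr PROCESSENTRY32
@@:
        test    eax,eax                 ; FALSE => no (more) entries
        jz      _wts_nomatch
        mov     eax,processid
        cmp     PROCESSENTRY32.th32ProcessID,eax
        jz      _wts_found
        invoke  Process32Next,hSnapshot,addr PROCESSENTRY32
        jmp     @b                      ; eax = Process32Next result
_wts_found:
        ; Bounded copy: szExeFile is MAX_PATH bytes, so a plain lstrcpy is only
        ; safe when windowfile is at least that large; lstrcpyn truncates.
        ; NOTE(review): assumes windowfile is a sized buffer (db ... dup / LOCAL).
        invoke  lstrcpyn,addr windowfile,addr PROCESSENTRY32.szExeFile,sizeof windowfile
        invoke  CloseHandle,hSnapshot   ; release the snapshot
        jmp     _wts_done
_wts_nomatch:
        invoke  CloseHandle,hSnapshot   ; release the snapshot on the error path too
        xor     eax,eax                 ; eax = 0 on entry to _err, as after a failed Process32First/Next
        jmp     _err
_wts_done: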
;
... But I have only 98 and 2kSP4 :-(
Can you help me to test it on XP and 2k3 ?
It's a part of my tiny utility WinTreeSnap
(http://www.asmcommunity.net/board/showthread.php?threadid=18195),
current version attached.
Thanks
Hi,
I have tested your app; it gives out a text file, but I came across the following... don't know if it is normal for you (Windows XP HOME SP1).
The Last error returned ERROR_ACCESS_DENIED (00000005) in ollydb.
00401205 |. 6A FC PUSH -4 ; /Index = GWL_WNDPROC
00401207 |. 53 PUSH EBX ; |hWnd
00401208 |. E8 03040000 CALL <JMP.&user32.GetWindowLongA> ; GetWindowLongA
Registers (might be unnecessary, but why not)
EAX 00000000
ECX 77D4400A user32.77D4400A
EDX 7FFE0304
EBX 00010014 UNICODE "LUSERSPROFILE=C:Documents and SettingsAll Users"
ESP 0012FFA8
EBP 0012FFB4
ESI 77D45950 user32.77D45950
EDI 00403466 ASCII "> VE "
EIP 0040120D wintrees.0040120D
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 1 FS 003B 32bit 7FFDE000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_ACCESS_DENIED (00000005)
EFL 00000286 (NO,NB,NE,A,S,PE,L,LE)
ST0 empty -UNORM 8A3A 77F57D70 77F944A8
ST1 empty +UNORM 0001 00000000 005703F8
ST2 empty +UNORM 450C 77D4C6D4 77D4C6D4
ST3 empty +UNORM 0082 00000000 00000002
ST4 empty +UNORM 3A50 00000000 00000000
ST5 empty 0.0000000000000004740e-4933
ST6 empty 0.0
ST7 empty -UNORM E000 00000000 77D4A8FE
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
Seems to be from here
; Record the window's user data and window procedures, and flag the window as
; subclassed when its instance WndProc differs from its class WndProc.
; In:    ebx = target hwnd (set outside this fragment)
; Out:   userdata, wndproc2 (class WndProc), wndproc1 (instance WndProc),
;        wproc_flag (20h = same or unavailable, ':' = subclassed);
;        execution continues at the @@ label that follows this fragment.
invoke GetWindowLong,ebx,GWL_USERDATA
mov userdata,eax
invoke GetClassLong,ebx,GCL_WNDPROC
mov wndproc2,eax ; class WndProc
; NOTE(review): for a window belonging to another process, NT-family user32
; does not hand out GWL_WNDPROC - the OllyDbg dump earlier in this thread shows
; EAX = 0 with LastErr ERROR_ACCESS_DENIED right after this call on XP, and the
; author reports an all-zero column on 2kSP4/XP. A zero here therefore means
; "not available", not "not subclassed"; Win98 returns the real address.
invoke GetWindowLong,ebx,GWL_WNDPROC
mov wndproc1,eax ; instance WndProc (0 on 2k/XP for foreign windows)
mov byte ptr wproc_flag,20h ; default: space = not subclassed (or unknown)
cmp eax,wndproc2 ; equal to the class WndProc => not subclassed
jz @f
test eax,eax ; 0 => unavailable (see note above), keep the default flag
jz @f
mov byte ptr wproc_flag,':' ; instance WndProc differs => subclassed
PS - there isn't supposed to be a window displayed, right?
Black iCE
:stupid:
I have tested your app; it gives out a text file, but I came across the following... don't know if it is normal for you (Windows XP HOME SP1).
The Last error returned ERROR_ACCESS_DENIED (00000005) in ollydb.
00401205 |. 6A FC PUSH -4 ; /Index = GWL_WNDPROC
00401207 |. 53 PUSH EBX ; |hWnd
00401208 |. E8 03040000 CALL <JMP.&user32.GetWindowLongA> ; GetWindowLongA
Registers (might be unnecessary, but why not)
EAX 00000000
ECX 77D4400A user32.77D4400A
EDX 7FFE0304
EBX 00010014 UNICODE "LUSERSPROFILE=C:Documents and SettingsAll Users"
ESP 0012FFA8
EBP 0012FFB4
ESI 77D45950 user32.77D45950
EDI 00403466 ASCII "> VE "
EIP 0040120D wintrees.0040120D
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 1 FS 003B 32bit 7FFDE000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_ACCESS_DENIED (00000005)
EFL 00000286 (NO,NB,NE,A,S,PE,L,LE)
ST0 empty -UNORM 8A3A 77F57D70 77F944A8
ST1 empty +UNORM 0001 00000000 005703F8
ST2 empty +UNORM 450C 77D4C6D4 77D4C6D4
ST3 empty +UNORM 0082 00000000 00000002
ST4 empty +UNORM 3A50 00000000 00000000
ST5 empty 0.0000000000000004740e-4933
ST6 empty 0.0
ST7 empty -UNORM E000 00000000 77D4A8FE
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
Seems to be from here
; Record the window's user data and window procedures, and flag the window as
; subclassed when its instance WndProc differs from its class WndProc.
; In:    ebx = target hwnd (set outside this fragment)
; Out:   userdata, wndproc2 (class WndProc), wndproc1 (instance WndProc),
;        wproc_flag (20h = same or unavailable, ':' = subclassed);
;        execution continues at the @@ label that follows this fragment.
invoke GetWindowLong,ebx,GWL_USERDATA
mov userdata,eax
invoke GetClassLong,ebx,GCL_WNDPROC
mov wndproc2,eax ; class WndProc
; NOTE(review): for a window belonging to another process, NT-family user32
; does not hand out GWL_WNDPROC - the OllyDbg dump earlier in this thread shows
; EAX = 0 with LastErr ERROR_ACCESS_DENIED right after this call on XP, and the
; author reports an all-zero column on 2kSP4/XP. A zero here therefore means
; "not available", not "not subclassed"; Win98 returns the real address.
invoke GetWindowLong,ebx,GWL_WNDPROC
mov wndproc1,eax ; instance WndProc (0 on 2k/XP for foreign windows)
mov byte ptr wproc_flag,20h ; default: space = not subclassed (or unknown)
cmp eax,wndproc2 ; equal to the class WndProc => not subclassed
jz @f
test eax,eax ; 0 => unavailable (see note above), keep the default flag
jz @f
mov byte ptr wproc_flag,':' ; instance WndProc differs => subclassed
PS - there isn't supposed to be a window displayed, right?
Black iCE
:stupid:
Just if you wanna look at your text file and see if it is working. Seems to be!
Hi, Black iCE
Thank you very much for the detailed report and especially for the snap;
I got important info about an OS that I don't have on my computer.
> don't know if it ts normal for you (Windows XP HOME Sp1).
> The Last error returned ERROR_ACCESS_DENIED (00000005) in ollydb.
Of course it isn't normal for me, and I'll think about this case...
But I forgot to warn that WinTreeSnap must be used
only when the window tree is stable.
Maybe some windows were created or destroyed while WTS was working?
Maybe OllyDbg also intruded into the window tree?
Or does the error above always appear on XP?
I don't have it on 2kSP4...
> Seems to be from here
> ...
> invoke GetWindowLong,ebx,GWL_WNDPROC
> mov wndproc1,eax
This is the important point.
With friendly Win98 we get two matching WndProc columns:
GetWindowLong GetClassLong
WndProc WndProc
8020e47a 8020e47a
8020e464 8020e464
8020e1e6 8020e1e6
bfc015d2 bfc015d2
004019ef 004019ef
00402a63 : 8020de60 => subclassed
00406710 00406710
00406426 00406426
bfc065a0 bfc065a0
00401460 00401460
bfc02049 bfc02049
But on 2kSP4 or XP the 'GetWindowLong WndProc' column contains only zeros...
Thank you very much for the detailed report and especially for the snap;
I got important info about an OS that I don't have on my computer.
> don't know if it ts normal for you (Windows XP HOME Sp1).
> The Last error returned ERROR_ACCESS_DENIED (00000005) in ollydb.
Of course it isn't normal for me, and I'll think about this case...
But I forgot to warn that WinTreeSnap must be used
only when the window tree is stable.
Maybe some windows were created or destroyed while WTS was working?
Maybe OllyDbg also intruded into the window tree?
Or does the error above always appear on XP?
I don't have it on 2kSP4...
> Seems to be from here
> ...
> invoke GetWindowLong,ebx,GWL_WNDPROC
> mov wndproc1,eax
This is the important point.
With friendly Win98 we get two matching WndProc columns:
GetWindowLong GetClassLong
WndProc WndProc
8020e47a 8020e47a
8020e464 8020e464
8020e1e6 8020e1e6
bfc015d2 bfc015d2
004019ef 004019ef
00402a63 : 8020de60 => subclassed
00406710 00406710
00406426 00406426
bfc065a0 bfc065a0
00401460 00401460
bfc02049 bfc02049
But on 2kSP4 or XP the 'GetWindowLong WndProc' column contains only zeros...
No problem kero, i am only happy to help as i can.
kero, I have run the app outside OllyDbg, obviously, to see if it works, and then inside it to see why it failed; in both cases I did not see any window creation, but in both cases the snap was generated.
If there is anything else you would like me to do just ask.:alright:
Kindly,
Black iCE
kero, I have run the app outside OllyDbg, obviously, to see if it works, and then inside it to see why it failed; in both cases I did not see any window creation, but in both cases the snap was generated.
If there is anything else you would like me to do just ask.:alright:
Kindly,
Black iCE
Thanx, Black iCE
The only reason I added this thread to this forum is the following.
Under Win98, if you use the following way to get the executable for the target window -
; Snapshot all processes and copy the exe name of the FIRST entry only.
; NOTE(review): the processid argument is ignored for TH32CS_SNAPPROCESS, and
; Process32First yields the first process in the snapshot, not the one that
; owns the window - which is why this variant reports e.g. USER.EXE (see the
; text below). Nothing closes hSnapshot afterwards either.
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,processid
mov hSnapshot,eax ; INVALID_HANDLE_VALUE (-1) on failure; not checked here
mov PROCESSENTRY32.dwSize,sizeof PROCESSENTRY32 ; required before Process32First
invoke Process32First,hSnapshot,addr PROCESSENTRY32 ; return value (FALSE on failure) not checked
invoke lstrcpy,addr exefile,addr PROCESSENTRY32.szExeFile ; unbounded copy; szExeFile is MAX_PATH bytes
- it often returns, for example, USER.EXE, but not the real executable
(BTW GetWindowModuleFileName isn't suitable here at all).
So - I tried GetWindowThreadProcessId and a loop that tests each entry's ProcessID instead.
---
Of course the situation "ERROR_ACCESS_DENIED... in ollydb" wasn't planned :-(
About the window of WinTreeSnap: purposely it doesn't exist. The only aim of WTS is the snap file.
I didn't want to intrude into the window tree with an "About me" window :-)
But WTS allows catching some "jittery" windows. For example - the temporary Edit
that is created every time you select the name of a file for renaming
(make a shortcut with a hotkey, say Ctrl+Shift+W, assigned to WTS).
The only reason I added this thread to this forum is the following.
Under Win98, if you use the following way to get the executable for the target window -
; Snapshot all processes and copy the exe name of the FIRST entry only.
; NOTE(review): the processid argument is ignored for TH32CS_SNAPPROCESS, and
; Process32First yields the first process in the snapshot, not the one that
; owns the window - which is why this variant reports e.g. USER.EXE (see the
; text below). Nothing closes hSnapshot afterwards either.
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,processid
mov hSnapshot,eax ; INVALID_HANDLE_VALUE (-1) on failure; not checked here
mov PROCESSENTRY32.dwSize,sizeof PROCESSENTRY32 ; required before Process32First
invoke Process32First,hSnapshot,addr PROCESSENTRY32 ; return value (FALSE on failure) not checked
invoke lstrcpy,addr exefile,addr PROCESSENTRY32.szExeFile ; unbounded copy; szExeFile is MAX_PATH bytes
- it often returns, for example, USER.EXE, but not the real executable
(BTW GetWindowModuleFileName isn't suitable here at all).
So - I tried GetWindowThreadProcessId and a loop that tests each entry's ProcessID instead.
---
Of course the situation "ERROR_ACCESS_DENIED... in ollydb" wasn't planned :-(
About the window of WinTreeSnap: purposely it doesn't exist. The only aim of WTS is the snap file.
I didn't want to intrude into the window tree with an "About me" window :-)
But WTS allows catching some "jittery" windows. For example - the temporary Edit
that is created every time you select the name of a file for renaming
(make a shortcut with a hotkey, say Ctrl+Shift+W, assigned to WTS).
Kero, I tested it on a different PC with Windows XP Pro (no SP) and I got the same result. I did use a shortcut key for the generation. Here I'll attach the file.
Kindly,
Black iCE
Kindly,
Black iCE
Thanx again, Black iCE :-)