I am getting the error message 'Access Denied' while accessing the module information of some specific processes (for example zlclient, vsmon, etc.). Below is a code snippet to give a better idea.
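; Enable SeDebugPrivilege on our own token so that Toolhelp can open other
; processes. Even with the privilege a few processes stay closed to user
; mode: the System/Idle pseudo-processes, and processes a security product
; shields from other processes (the likely zlclient/vsmon case). Those fail
; with ERROR_ACCESS_DENIED and must be skipped, not treated as fatal.
invoke GetCurrentProcess
mov hProcess, eax
invoke OpenProcessToken, hProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
.if eax                                     ; original never checked this result
    lea eax, tkp.Privileges[0].Luid
    invoke LookupPrivilegeValue, NULL, SADD("SeDebugPrivilege"), eax
    mov tkp.PrivilegeCount, 1
    mov tkp.Privileges[0].Attributes, SE_PRIVILEGE_ENABLED
    invoke AdjustTokenPrivileges, hToken, FALSE, addr tkp, sizeof tkp, NULL, NULL
    ; AdjustTokenPrivileges returns TRUE even when it assigned nothing; the
    ; real outcome is ERROR_NOT_ALL_ASSIGNED in GetLastError, meaning the
    ; account does not hold the privilege and results below will be partial.
    invoke GetLastError
    .if eax == ERROR_NOT_ALL_ASSIGNED
        ; hook: report it (log/warn); enumeration continues with partial results
    .endif
    invoke CloseHandle, hToken              ; token no longer needed
.endif

; One system-wide process snapshot, then one module snapshot per process.
invoke CreateToolhelp32Snapshot, TH32CS_SNAPALL, 0
mov hSnapShot, eax
.if eax != INVALID_HANDLE_VALUE             ; original never checked this handle
    mov process.dwSize, sizeof PROCESSENTRY32
    mov module.dwSize, sizeof module
    invoke Process32First, hSnapShot, ADDR process
    .while eax
        ; TH32CS_SNAPMODULE is per process: a fresh snapshot per PID is required.
        invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, process.th32ProcessID
        mov hSnapShot2, eax
        .if eax == INVALID_HANDLE_VALUE
            ; GetLastError distinguishes ERROR_ACCESS_DENIED (protected or
            ; system process: skip it) from ERROR_BAD_LENGTH (documented
            ; transient failure of TH32CS_SNAPMODULE: retry the call).
            invoke MessageBox, 0, ADDR process.szExeFile, 0, 0
        .else
            ; Module32First/Module32Next over hSnapShot2 belong here (not shown).
            invoke CloseHandle, hSnapShot2  ; original leaked one handle per process
        .endif
        invoke Process32Next, hSnapShot, ADDR process
    .endw
    invoke CloseHandle, hSnapShot           ; original never released it
.endif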
Please help me sort this out.
Thank you.
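; Enable SeDebugPrivilege on our own token so that Toolhelp can open other
; processes. Even with the privilege a few processes stay closed to user
; mode: the System/Idle pseudo-processes, and processes a security product
; shields from other processes (the likely zlclient/vsmon case). Those fail
; with ERROR_ACCESS_DENIED and must be skipped, not treated as fatal.
invoke GetCurrentProcess
mov hProcess, eax
invoke OpenProcessToken, hProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
.if eax                                     ; original never checked this result
    lea eax, tkp.Privileges[0].Luid
    invoke LookupPrivilegeValue, NULL, SADD("SeDebugPrivilege"), eax
    mov tkp.PrivilegeCount, 1
    mov tkp.Privileges[0].Attributes, SE_PRIVILEGE_ENABLED
    invoke AdjustTokenPrivileges, hToken, FALSE, addr tkp, sizeof tkp, NULL, NULL
    ; AdjustTokenPrivileges returns TRUE even when it assigned nothing; the
    ; real outcome is ERROR_NOT_ALL_ASSIGNED in GetLastError, meaning the
    ; account does not hold the privilege and results below will be partial.
    invoke GetLastError
    .if eax == ERROR_NOT_ALL_ASSIGNED
        ; hook: report it (log/warn); enumeration continues with partial results
    .endif
    invoke CloseHandle, hToken              ; token no longer needed
.endif

; One system-wide process snapshot, then one module snapshot per process.
invoke CreateToolhelp32Snapshot, TH32CS_SNAPALL, 0
mov hSnapShot, eax
.if eax != INVALID_HANDLE_VALUE             ; original never checked this handle
    mov process.dwSize, sizeof PROCESSENTRY32
    mov module.dwSize, sizeof module
    invoke Process32First, hSnapShot, ADDR process
    .while eax
        ; TH32CS_SNAPMODULE is per process: a fresh snapshot per PID is required.
        invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, process.th32ProcessID
        mov hSnapShot2, eax
        .if eax == INVALID_HANDLE_VALUE
            ; GetLastError distinguishes ERROR_ACCESS_DENIED (protected or
            ; system process: skip it) from ERROR_BAD_LENGTH (documented
            ; transient failure of TH32CS_SNAPMODULE: retry the call).
            invoke MessageBox, 0, ADDR process.szExeFile, 0, 0
        .else
            ; Module32First/Module32Next over hSnapShot2 belong here (not shown).
            invoke CloseHandle, hSnapShot2  ; original leaked one handle per process
        .endif
        invoke Process32Next, hSnapShot, ADDR process
    .endw
    invoke CloseHandle, hSnapShot           ; original never released it
.endif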
Please help me sort this out.
Thank you.
debzequke,
You don't have to call CreateToolhelp32Snapshot a second time, because in the first call you already specified TH32CS_SNAPALL.
The Toolhelp snapshot object whose handle you receive will give you all the information you need.
You don't have to call CreateToolhelp32Snapshot a second time, because in the first call you already specified TH32CS_SNAPALL.
The Toolhelp snapshot object whose handle you receive will give you all the information you need.
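; Single system-wide snapshot. The handle is now released, and the normal
; loop exit no longer falls through into the error handler. Note that with
; th32ProcessID = 0 the snapshot carries the module list of the current
; process only, so other processes still need their own TH32CS_SNAPMODULE
; snapshot before Module32First can be used on them.
invoke CreateToolhelp32Snapshot, TH32CS_SNAPALL, 0
mov hSnapShot, eax
cmp eax, INVALID_HANDLE_VALUE       ; explicit compare instead of xor eax,-1 / jz
je @@error
mov process.dwSize, sizeof PROCESSENTRY32
mov module.dwSize, sizeof module    ; only used once a Module32First call is added
invoke Process32First, hSnapShot, ADDR process
.while eax
    invoke MessageBox, 0, ADDR process.szExeFile, 0, 0
    invoke Process32Next, hSnapShot, ADDR process
.endw
invoke CloseHandle, hSnapShot       ; original never released the snapshot
jmp @@done                          ; original fell through into @@error here
@@error:
; invoke GetLastError
; invoke FormatMessage, FORMAT_MESSAGE_FROM_SYSTEM ...
... ;do smth
@@done: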
You don't have to call CreateToolhelp32Snapshot a second time, because in the first call you already specified TH32CS_SNAPALL.
The Toolhelp snapshot object whose handle you receive will give you all the information you need.
The Toolhelp snapshot object whose handle you receive will give you all the information you need.
Yes, that works fine to enumerate the heap or module state of the current process only, by specifying the
TH32CS_SNAPALL value and the current process. Then, for each process in the snapshot that is not the current process,
you have to call CreateToolhelp32Snapshot again, specifying that process identifier and the TH32CS_SNAPHEAPLIST or
TH32CS_SNAPMODULE value, since the TH32CS_SNAPHEAPLIST and TH32CS_SNAPMODULE values are process specific.
Yeah, I was a dumb a little that time... ;)
Anyway, for me there is no reason to use Toolhelp. It was good for 9x, which is dead for programming (reversing).
BTW, NtQuerySystemInformation is documented. Under 2k it is used by Toolhelp itself
and by PSAPI (probably that is also true for XP).
Anyway, for me there is no reason to use Toolhelp. It was good for 9x, which is dead for programming (reversing).
BTW, NtQuerySystemInformation is documented. Under 2k it is used by Toolhelp itself
and by PSAPI (probably that is also true for XP).