I would like some help adding some code to determine when bartshell.exe has been terminated and then run this.

Thanks.

; PPC_gone.asm  This version doesn't displays messages.   
;
;                Run this AFTER bartshell.exe has been terminated !!! 
;           
; Help from Tedd,sinsi,Nordwind64,AsmGuru62,Jongware,
;               
;
; Terminates PeoplePC.exe!!
; This program leaves ports open even after modem has been disconnected !!
;
; (A badly behaved program that likes to HANG around :-))
;
; Run this AFTER bartshell.exe has been terminated !!!                           
;
.586
.model flat,stdcall
option casemap:none

include  \masm32\include\windows.inc
include  \masm32\include\user32.inc
include  \masm32\include\kernel32.inc
include  \masm32\include\shlwapi.inc
include  \masm32\macros\macros.asm
include  \masm32\include\advapi32.inc

includelib  \masm32\lib\advapi32.lib
includelib  \masm32\lib\user32.lib
includelib  \masm32\lib\kernel32.lib
includelib  \masm32\lib\shlwapi.lib

; Local Prototypes

    IsWinNT        PROTO
    ReqNTPrivilege  PROTO :DWORD
   
.const

    dwMaskNT        DWORD  2

WinMain proto :DWORD,:DWORD,:DWORD,:DWORD

.data

    msg_NotNT  BYTE    "This is NOT an NT system.",0
    msg_NotPL  BYTE    "Privilege requested NOT granted.",0
    BoxName    BYTE    "ASM Win NT Shutdown",0
    Watermark  BYTE    "Andrew Kennedy 5/10/07",0

  ClassName    BYTE    "MainWinClass",0
  AppName      BYTE    "CLOSE THIS WINDOW!",0
  ProcessName  BYTE    "PeoplePC.exe",0
  started      BYTE    "KillIt",0
  successtext  BYTE    "PeoplePC.exe has been terminated!",0
  failedtext  BYTE    "Program is not currently running!",0

.data?

  hInstance  HINSTANCE ?
  CommandLine LPSTR    ?

.code

start:

    invoke LoadIcon,hInstance,200    ; icon ID


    invoke GetModuleHandle, NULL
    mov    hInstance,eax
   
    invoke GetCommandLine
    mov    CommandLine,eax
   
    invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT

    ; with ReqNTPrivilege call, we ask for the 'SeShutdownPrivilege'
    ; note string names of possible privilege are in windows.inc

    invoke  ReqNTPrivilege, SADD("SeShutdownPrivilege")
    .if eax == FALSE
      invoke  MessageBox,NULL,addr msg_NotPL,addr BoxName,MB_OK
      invoke  ExitProcess,NULL
    .endif

    invoke ExitProcess,eax
   
KillProcess proc lpszExecutable:LPSTR
    LOCAL bLoop:BOOL
    LOCAL bResult:BOOL
    LOCAL pe32:PROCESSENTRY32
    LOCAL hProcess:HANDLE
    LOCAL hProcesses:HANDLE

    mov bLoop,TRUE
    mov bResult,FALSE

    ; Returns an open handle to the specified snapshot if successful or - 1 otherwise.
    invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
    mov hProcesses,eax    ;  Did not need 2 copies of your snap shot

    mov pe32.dwSize,SIZEOF PROCESSENTRY32

    invoke Process32First,hProcesses,ADDR pe32
    .IF eax
        .WHILE bLoop
            invoke CompareString, LOCALE_USER_DEFAULT, NORM_IGNORECASE, addr pe32.szExeFile, -1, lpszExecutable, -1
            .IF eax==2 ; check if strings are equal in lexical value

                      ;  With having addr pe32.th32ProcessID you were getting an invalid PID
                invoke OpenProcess, PROCESS_TERMINATE, FALSE, pe32.th32ProcessID ; returns handle 

                .IF eax!=NULL
                    mov hProcess, eax        ; Need to save the process handle to terminate
                    invoke TerminateProcess, hProcess, 0
                    invoke CloseHandle, hProcess ; fails if eax is zero
                   
                    mov bResult,TRUE;
                   
                .endif
            .endif
          ; why go on to next process ?
          invoke Process32Next, hProcesses, ADDR pe32
            ; Retrieves information about the next process recorded in a system snapshot.

            mov bLoop,eax
        .endw
        invoke CloseHandle,hProcesses
    .endif
    mov eax,bResult
    ret

KillProcess endp

WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    LOCAL hwnd:HWND
    LOCAL tc  :DWORD ; added 4:08:27 AM Wednesday, May 23, 2007

    mov  wc.cbSize,SIZEOF WNDCLASSEX
    mov  wc.style, CS_HREDRAW or CS_VREDRAW
    mov  wc.lpfnWndProc, OFFSET WndProc
    mov  wc.cbClsExtra,NULL
    mov  wc.cbWndExtra,NULL
    push  hInstance
    pop  wc.hInstance
    mov  wc.hbrBackground,COLOR_BTNFACE+1
    mov  wc.lpszMenuName,NULL
    mov  wc.lpszClassName,OFFSET ClassName
   
    invoke LoadIcon,NULL,IDI_APPLICATION
    mov  wc.hIcon,eax
    mov  wc.hIconSm,eax
   
    invoke LoadCursor,NULL,IDC_ARROW
    mov  wc.hCursor,eax
   
 
    invoke RegisterClassEx, addr wc

    ; If I want a window off screen, do I change the CW_USEDEFAULT statements to some x and
    ; y co-ordinates off screen, and if so what would be some good values ?
    ;
                        ; getting rid of CW_USEDEFAULT with NULL creates a "hidden" window

    INVOKE CreateWindowEx,NULL,ADDR ClassName,ADDR AppName,\
          WS_OVERLAPPEDWINDOW,NULL,\ ; creates a "hidden" window
          CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,NULL,NULL,\
          hInst,NULL
    mov  hwnd,eax

    invoke ShowWindow, hwnd,SW_MINIMIZE    ;Minimal window
    invoke UpdateWindow, hwnd

    add tc,1    ; get rid of window quickly 
                ;2000 =  2 seconds

    ; ------------------------------------------------
    ; loop until Tick count catches up with added time
    ; ------------------------------------------------
    @@:
      invoke GetTickCount
        .if tc > eax
          jmp @B
        .endif
    ; -------------------
    ; Close screen
    ; -------------------
      invoke SendMessage,hwnd,WM_SYSCOMMAND,SC_CLOSE,NULL

    ;-----------------------------------
    ; Loop until PostQuitMessage is sent
    ;-----------------------------------
    StartLoop:
      invoke GetMessage,ADDR msg,NULL,0,0
      cmp eax, 0
      je ExitLoop
      invoke TranslateMessage, ADDR msg
      invoke DispatchMessage,  ADDR msg
      jmp StartLoop
    ExitLoop:
   
    mov    eax,msg.wParam
    ret

WinMain endp

WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
   
    LOCAL bResult:BOOL
    LOCAL bLoop:BOOL

    .IF uMsg==WM_DESTROY
        invoke PostQuitMessage,NULL

    .ELSEIF uMsg==WM_CREATE
        mov eax, -1        ;FALSE
       
        mov bResult,eax
        ;invoke MessageBox,0,OFFSET startedtext,OFFSET started,MB_OK
        invoke KillProcess,OFFSET ProcessName

        ;mov bResult,eax ;
       

        ;.IF bResult==FALSE
        ;    invoke MessageBox,0,OFFSET failedtext,OFFSET started,MB_OK
        ;.ELSE
        ;    invoke MessageBox,0,OFFSET successtext,OFFSET started,MB_OK
        ;.ENDIF

        ; mov bLoop,FALSE
                 
        ret
   
    .ELSE
        invoke DefWindowProc,hWnd,uMsg,wParam,lParam       
        ret
    .ENDIF
   
    xor eax,eax
    ret
WndProc endp

ReqNTPrivilege proc lpPrivilegeName:DWORD

; return TRUE (not zero) in eax if privilege is granted
; lpPrivilegeName parameter points to a string with request privilege name

    LOCAL  hProcess:DWORD
    LOCAL  hToken:DWORD
    LOCAL  phToken:DWORD
    LOCAL  RetLen:DWORD
    LOCAL  pRetLen:DWORD
    LOCAL  tkp:TOKEN_PRIVILEGES
    LOCAL  tkp_old:TOKEN_PRIVILEGES
;
    invoke  GetCurrentProcess
    mov    hProcess, eax
    lea    eax, hToken
    mov    phToken, eax
    invoke  OpenProcessToken, hProcess, \
            TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, \
            phToken 
    .if eax != FALSE
      lea    eax, tkp.Privileges[0].Luid
      invoke  LookupPrivilegeValue, NULL, \
              lpPrivilegeName, \
              eax
      lea    eax, RetLen
      mov    pRetLen, eax
      mov    tkp.PrivilegeCount, 1
      mov    tkp.Privileges[0].Attributes, SE_PRIVILEGE_ENABLED
      invoke  AdjustTokenPrivileges, hToken, \
              NULL, \
              addr tkp, \
              sizeof tkp_old, \
              addr tkp_old, \
              pRetLen
    .endif
    ret
   
ReqNTPrivilege endp

end start

Posted on 2007-05-25 21:45:55 by skywalker

I am not at all happy about your previous post.
Not because I believe that this is a serious attempt to disguise malicious intent, but because the answer you seek is right before your very eyes, and yet you are too blind to see it.
You posted this sourcecode, but you obviously did not write it, and you obviously did not even read it, and so your request for assistance is, at the very least, premature.
Posted on 2007-05-26 00:32:32 by Homer


I am not at all happy about your previous post.

Not because I believe that this is a serious attempt to disguise malicious intent, but because the answer you seek is right before your very eyes, and yet you are too blind to see it.

Blind...  Maybe you don't understand what I am looking for ?

You posted this sourcecode, but you obviously did not write it, and you obviously did not even read it, and so your request for assistance is, at the very least, premature.

I wrote quite a bit of it.

Posted on 2007-05-26 15:23:59 by skywalker
I interpreted your post (prior to your recent editing) as a request for a method of enumerating all running processes in order to determine the state of a particular process (which you would like to terminate, if it is indeed active).
One of the functions you provided (KillProcess) actually performs this task, although it's not set up to determine whether a given process is 'alive', its not much work to gut it and rewrite it as two new procs (IsProcessAlive and KillActiveProcess).
That's why I jumped up and down on your thread ;)
Posted on 2007-05-27 00:48:04 by Homer
. The termination status of the process changes from STILL_ACTIVE to the exit value of the process.

Looking at this, then if STILL_ACTIVE isn't returned, then it's OK to send Robo Killer
after the last victim?

Andy
Posted on 2007-05-27 10:00:42 by skywalker

KillProcess is returning a BOOLEAN (TRUE/FALSE) result in eax.
TRUE if the Process was Terminated, and FALSE if it was not found.
If only one instance of this process is expected, I recommend that you insert a line containing only '.break' after the one that sets the result to TRUE, which will break your WHILE loop.. if multiple instance expected, leave it alone.

KillProcess is being called from WndProc, and so the result is being returned to WndProc.. everything would be peachy, except for 2 things:
1) you've commented out the line in WndProc which stores the result, and
2) you're storing the result in a Local Variable of a Procedure (WndProc), which is only valid storage within the context of a single execution of WndProc, ie, this is a 'transient' variable, only good for storing data of a very temporary and immediately-used nature.. once WndProc returns, that data is gone forever, and certainly is not accessible from outside of WndProc.


Posted on 2007-05-28 02:54:11 by Homer
Alright. Let me look at how to declare it globally and get back with you.

Can resource files be named with a different extension and still work instead of everything in it's own directory ? whoops, forgot about the QE macros. 

Andy
Posted on 2007-05-29 05:21:49 by skywalker
I recommend you take a look at RadAsm, and especially any example of a RadAsm Project (.RAP file) to see a really nice editor in action.
You can edit multiple files simultaneously, it has nice colored syntax hilighting, and other nice features, its extremely configurable, supports plugins for bonus functionality, a joy to work with.
Posted on 2007-05-29 10:01:04 by Homer