Uses the UNDOCUMENTED ZwQuerySystemInformation API to enumerate running processes.
Macros come from the OA32 toolset.


; Counted UTF-16 string as used by the NT kernel interfaces below.
; wLength is a byte count, not a character count, and the kernel does not
; promise that Buffer is NUL terminated - callers must use wLength when
; converting (see EnumProcesses). Buffer may be NULL for an empty string.
UNICODE_STRING struct
    wLength dw ?                ; bytes of UTF-16 data in Buffer
    MaximumLength dw ?          ; bytes available in Buffer
    Buffer dd ?                 ; pointer to UTF-16 data (32-bit)
UNICODE_STRING ends

; Process/thread identifier pair embedded in SYSTEM_THREAD_INFORMATION.
; Both members are DWORDs here (32-bit layout).
CLIENT_ID struct
    UniqueProcess dd ?          ; process ID
    UniqueThread dd ?           ; thread ID
CLIENT_ID ends

; Per-thread record that follows each SYSTEM_PROCESS_INFORMATION header
; (one embedded copy is declared as ThreadInfos; see that struct).
; Times are 64-bit values; the code on this page does not read them.
SYSTEM_THREAD_INFORMATION struct
    KernelTime QWORD ?;            // time spent in kernel mode
    UserTime QWORD ?;              // time spent in user mode
    CreateTime QWORD ?;            // thread creation time
    WaitTime dd ?;              // wait time
    StartAddress dd ?;          // start address
    ClientId CLIENT_ID <>;              // thread and process IDs
    Priority dd ?;              // dynamic priority
    BasePriority dd ?;          // base priority
    ContextSwitchCount dd ?;    // number of context switches
    State dd ?;                  // current state
    WaitReason dd ?;            // wait reason
SYSTEM_THREAD_INFORMATION ends

; One entry of the buffer returned for information class 5.
; Entries are chained by NextEntryDelta (byte offset from this entry to the
; next; 0 marks the last entry), which is how EnumProcesses walks them.
; Field names here are the poster's own and differ from the names Microsoft
; later published for this structure; offsets up to dHandleCount match the
; usage in EnumProcesses (ProcessName, dUniqueProcessId).
SYSTEM_PROCESS_INFORMATION struct
    NextEntryDelta dd ?         ; bytes to the next entry, 0 = last
    dThreadCount dd ?           ; number of SYSTEM_THREAD_INFORMATION records
    dReserved01 dd ?
    dReserved02 dd ?
    dReserved03 dd ?
    dReserved04 dd ?
    dReserved05 dd ?
    dReserved06 dd ?
    ftCreateTime FILETIME <>; /* relative to 01-01-1601 */
    ftUserTime  FILETIME <>;  /* 100 nsec units */
    ftKernelTime FILETIME <>; /* 100 nsec units */
    ProcessName  UNICODE_STRING <>  ; image name; Buffer may be NULL, not guaranteed NUL terminated
    BasePriority dd ?
    dUniqueProcessId dd ?       ; PID; stored as listbox item data by EnumProcesses
    dParentProcessID dd ?
    dHandleCount dd ?
    dReserved07 dd ?
    dReserved08 dd ?
    ; NOTE(review): VmCounters is a single DWORD here; the kernel's VM counter
    ; block is larger, so the offset of ThreadInfos is unlikely to be right -
    ; confirm against the real layout before reading thread records.
    VmCounters dd ?
    dCommitCharge dd ?
    ThreadInfos SYSTEM_THREAD_INFORMATION <>    ; first of dThreadCount records (unused on this page)
SYSTEM_PROCESS_INFORMATION ends

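;-----------------------------------------------------------------------
; EnumProcesses
; Fills listbox control 1001 of the global hWnd with the image name of
; every running process (except the idle process) and stores each PID
; as the item data of its listbox entry.
; ABI:   stdcall, no arguments; reads global hWnd
; Out:   eax undefined
; Uses:  esi = cursor into the SYSTEM_PROCESS_INFORMATION chain
;        edi = ZwQuerySystemInformation entry point
; Notes: - the NTSTATUS of the query is checked; the buffer is only walked
;          on STATUS_SUCCESS, and the walk is bounded by the bytes written.
;        - the buffer is grown on STATUS_INFO_LENGTH_MISMATCH instead of
;          walking a partially filled 64 KB block.
;        - names are converted by wLength, not by scanning for a NUL the
;          kernel does not guarantee, and buf is terminated even when the
;          conversion fails (e.g. a NULL name Buffer).
;-----------------------------------------------------------------------
SystemProcessInformation    equ 5            ; SYSTEM_INFORMATION_CLASS value
INITIAL_PROCINFO_BYTES      equ 65536        ; first buffer size; grown on demand
STATUS_INFO_LENGTH_MISMATCH equ 0C0000004h   ; buffer too small; BytesUsed = required size
MAX_QUERY_RETRIES           equ 4            ; bound on the grow-and-retry loop
NAME_BUF_BYTES              equ 512          ; OEM name buffer incl. terminator

EnumProcesses proc uses esi edi
LOCAL pMem,BytesUsed,pEnd,dSize,dStatus,dTries
LOCAL buf[NAME_BUF_BYTES]:BYTE
    invoke GetModuleHandle,$OfsCStr ("ntdll")
    .if eax!=0
        invoke GetProcAddress,eax,$OfsCStr ("ZwQuerySystemInformation")
        .if eax!=0
            mov edi,eax
            mov dSize,INITIAL_PROCINFO_BYTES
            mov dTries,MAX_QUERY_RETRIES
            ;Query the process list, growing the buffer until the kernel
            ;accepts its size. On exit pMem != 0 only if the query succeeded.
            .repeat
                ;assumes $MemAlloc accepts a memory operand as the size - confirm
                mov pMem,$MemAlloc (dSize,MEM_INIT_ZERO)
                .break .if eax==0               ;allocation failed, nothing to free
                mov BytesUsed,0
                lea eax,BytesUsed
                push eax                        ;PULONG ReturnLength
                push dSize                      ;ULONG  SystemInformationLength
                push pMem                       ;PVOID  SystemInformation
                push SystemProcessInformation   ;SYSTEM_INFORMATION_CLASS
                call edi                        ;stdcall: callee pops; NTSTATUS in eax
                mov dStatus,eax                 ;MemFree may clobber eax, keep the status
                .break .if eax==0               ;STATUS_SUCCESS: BytesUsed = bytes written
                MemFree pMem
                mov pMem,0
                .break .if dStatus!=STATUS_INFO_LENGTH_MISMATCH
                ;Required size is reported in BytesUsed; if the kernel left
                ;it at 0, double the previous size instead.
                mov ecx,BytesUsed
                .if ecx==0
                    mov ecx,dSize
                    add ecx,ecx
                .endif
                mov dSize,ecx
                dec dTries
            .until dTries==0

            .if pMem!=0
                invoke SendDlgItemMessage,hWnd,1001,LB_RESETCONTENT,0,0
                ;pEnd bounds the walk: the kernel wrote BytesUsed bytes at pMem.
                mov eax,pMem
                add eax,BytesUsed
                mov pEnd,eax
                mov esi,pMem
                ;NOTE(review): the listing as posted shows the struct references
                ;below without a base register; [esi] is the cursor the code intends.
                ;Skip the first entry, the idle process, when a next entry exists.
                mov eax,[esi].SYSTEM_PROCESS_INFORMATION.NextEntryDelta
                .if eax!=0
                    add esi,eax
                .endif
                .repeat
                    ;Never read an entry header that starts past the bytes written.
                    .break .if esi>=pEnd
                    ;Convert wLength/2 UTF-16 units; do not rely on a NUL terminator.
                    ;Buffer may be NULL (e.g. the System process): the call then
                    ;returns 0 and buf becomes the empty string.
                    movzx ecx,[esi].SYSTEM_PROCESS_INFORMATION.ProcessName.wLength
                    shr ecx,1
                    lea eax,buf
                    invoke WideCharToMultiByte,CP_OEMCP,0,[esi].SYSTEM_PROCESS_INFORMATION.ProcessName.Buffer,ecx,eax,NAME_BUF_BYTES-1,NULL,NULL
                    ;eax = bytes written (0 on failure); terminate there so buf is never stale.
                    mov buf[eax],0
                    ;Add the process name to the listbox ...
                    invoke SendDlgItemMessage,hWnd,1001,LB_ADDSTRING,0,addr buf
                    ;... and associate the PID with the new item (eax = item index).
                    invoke SendDlgItemMessage,hWnd,1001,LB_SETITEMDATA,eax,[esi].SYSTEM_PROCESS_INFORMATION.dUniqueProcessId

                    mov eax,[esi].SYSTEM_PROCESS_INFORMATION.NextEntryDelta
                    .break .if eax==0           ;last entry
                    add esi,eax
                .until 0
                MemFree pMem
            .endif
        .endif
    .endif
    ret
EnumProcesses endp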

Posted on 2007-11-30 09:47:41 by Homer
Noticeably faster than toolhelp? And what about psapi?
Posted on 2007-11-30 18:16:16 by f0dder

Uses the UNDOCUMENTED ZwQuerySystemInformation api to enumerate Running Processes
Macros come from the OA32 toolset.


Well, not really undocumented, just one of those soon to be deprecated functions....

http://msdn2.microsoft.com/en-us/library/ms725506.aspx
Posted on 2007-11-30 22:13:52 by donkey


Uses the UNDOCUMENTED ZwQuerySystemInformation api to enumerate Running Processes
Macros come from the OA32 toolset.


Well, not really undocumented, just one of those soon to be deprecated functions....

http://msdn2.microsoft.com/en-us/library/ms725506.aspx

Partially documented at best - only a very few of the available zwQuerySystemInformation calls/classes are documented, and for those that are documented, only parts of the structs are filled, used (but "we don't want you to know about these") fields are named "reserved", etc.

Sure, it's partially because Microsoft wants to be able to change those calls, but I bet that's not the full story...
Posted on 2007-12-01 02:59:09 by f0dder
It's faster mainly because we're not going through ntdll.NTQuerySystemInformation, which seems to be acting as a filter to only show certain information as it translates the arrays from one form to another.

Using this api with the param "11" instead of "5", we can enumerate the Modules of the currently-enumerated Process (we do this with nested code inside the previous example).

The results are interesting as they include all the Drivers supporting a given Process.
This information is not available by NTQuerySystemInformation.
Posted on 2007-12-02 08:14:23 by Homer