I am trying to find the full path of the processes that are running on my machine. I was able to find the names of the processes using the Process32Next and Process32First functions.

But now I am having problems finding the complete path of the running processes. Here is my code:


include C:\masm32\include\windows.inc
include C:\masm32\include\kernel32.inc
include C:\masm32\include\user32.inc
includelib C:\masm32\lib\kernel32.lib
includelib C:\masm32\lib\user32.lib

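.data?

CreateToolhwnd dd ?                      ; process-list snapshot handle (TH32CS_SNAPPROCESS)
CreateToolhwnd1 dd ?                     ; per-process module snapshot handle (TH32CS_SNAPMODULE)

.data

; Caption for the MessageBox calls. The original listing referenced MsgCap
; without defining it anywhere, so the source could not assemble.
MsgCap db "Process path",0

Processentry PROCESSENTRY32 <>           ; filled by Process32First / Process32Next
Moduleentry MODULEENTRY32 <>             ; filled by Module32First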

.code
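start:

; Snapshot every running process. On failure the API returns
; INVALID_HANDLE_VALUE (-1), not NULL, so that is the value to test.
invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
.if eax == INVALID_HANDLE_VALUE
    invoke ExitProcess, 1
.endif
mov CreateToolhwnd, eax

; dwSize must be set before Process32First or the call fails.
mov ecx, SIZEOF Processentry
mov Processentry.dwSize, ecx

invoke Process32First, CreateToolhwnd, ADDR Processentry
.if eax == 0
    ; No first entry: nothing to enumerate. Release the snapshot and leave.
    invoke CloseHandle, CreateToolhwnd
    invoke ExitProcess, 1
.endif

; Kept from the original: show the bare exe name of the first entry once.
invoke MessageBox, NULL, ADDR Processentry.szExeFile, ADDR MsgCap, MB_OK

; Walk the process list. Each iteration takes a module snapshot of the
; current PID; its first entry is the executable itself and szExePath is
; the full path we are after.
.repeat

    invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, Processentry.th32ProcessID
    .if eax != INVALID_HANDLE_VALUE
        mov CreateToolhwnd1, eax

        mov ecx, SIZEOF Moduleentry
        mov Moduleentry.dwSize, ecx

        invoke Module32First, CreateToolhwnd1, ADDR Moduleentry
        .if eax != 0
            invoke MessageBox, NULL, ADDR Moduleentry.szExePath, ADDR MsgCap, MB_OK
        .endif
        ; Close the module snapshot on both outcomes; the original leaked
        ; it whenever Module32First failed.
        invoke CloseHandle, CreateToolhwnd1
    .endif
    ; A module snapshot that cannot be taken (the Idle/System pseudo-processes,
    ; processes this caller may not read, and presumably 64-bit targets from a
    ; 32-bit caller) used to abort the whole walk via `jmp aa`; that process
    ; is now simply skipped and the enumeration continues.

    ; Process32Next returns FALSE when the list is exhausted (or on error);
    ; the original never tested it, so the loop could not terminate normally.
    invoke Process32Next, CreateToolhwnd, ADDR Processentry
.until eax == 0

invoke CloseHandle, CreateToolhwnd

invoke ExitProcess, NULL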

end start


Not sure what I am missing....

Thanks for your help in advance,

C K.
Posted on 2009-05-20 04:22:01 by karthikeyanck
Use these APIs:

EnumProcesses()
OpenProcess()
EnumProcessModules()
GetModuleFileNameEx()

That's all you need. Enumerate the processes. Open each process with PROCESS_VM_READ access. Then enumerate the modules of each process with EnumProcessModules() and use GetModuleFileNameEx() to get the file name of that module. I haven't done any MASM in a long time, so I can't quickly put together an example. You will figure it out though.
Posted on 2009-05-21 04:56:50 by XCHG
Okay I wrote this now:

.586
.model flat,stdcall
option casemap:none

  include windows.inc
  include user32.inc
  include kernel32.inc
  include psapi.inc
 
 
  includelib user32.lib
  includelib kernel32.lib
  includelib psapi.lib
 


WinMain proto :DWORD,:DWORD,:DWORD,:DWORD


.data
  ClassName BYTE "MainWinClass",0        ; window class name registered in WinMain
  AppName   BYTE "Main Window",0         ; main window title

.data?
  hInstance HINSTANCE ?                  ; set at start from GetModuleHandle
  CommandLine LPSTR ?                    ; set at start from GetCommandLine
  FileAddress BYTE 1024 DUP(?)           ; receives the module path from GetModuleFileNameEx

  ProcessHandleArray DWORD 1024 DUP(?)   ; PID array filled by EnumProcesses
  CB                 DWORD ?             ; byte count written by EnumProcesses; reused for EnumProcessModules

.code


; ---------------------------------------------------------------------------


start:
; Program entry: record the command line and module handle, run WinMain,
; and exit with whatever it returns in eax.
invoke GetCommandLine
mov    CommandLine, eax

invoke GetModuleHandle, NULL
mov    hInstance, eax

invoke WinMain, hInstance, NULL, CommandLine, SW_SHOWDEFAULT
invoke ExitProcess, eax

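WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
; Registers the window class, creates and shows the main window, and pumps
; messages until WM_QUIT.
; Returns: eax = msg.wParam on a normal quit; 0 if the class could not be
;          registered or the window could not be created.
LOCAL wc:WNDCLASSEX
LOCAL msg:MSG
LOCAL hwnd:HWND

mov  wc.cbSize,SIZEOF WNDCLASSEX
mov  wc.style, CS_HREDRAW or CS_VREDRAW
mov  wc.lpfnWndProc, OFFSET WndProc
mov  wc.cbClsExtra,NULL
mov  wc.cbWndExtra,NULL
push hInst                              ; the parameter, consistent with the CreateWindowEx call below
pop  wc.hInstance
mov  wc.hbrBackground,COLOR_BTNFACE+1
mov  wc.lpszMenuName,NULL
mov  wc.lpszClassName,OFFSET ClassName

invoke LoadIcon,NULL,IDI_APPLICATION
mov  wc.hIcon,eax
mov  wc.hIconSm,eax

invoke LoadCursor,NULL,IDC_ARROW
mov  wc.hCursor,eax

invoke RegisterClassEx, addr wc
.IF eax == 0                            ; registration failed: nothing to create
    xor  eax,eax
    ret
.ENDIF

INVOKE CreateWindowEx,NULL,ADDR ClassName,ADDR AppName,\
          WS_OVERLAPPEDWINDOW,CW_USEDEFAULT,\
          CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,NULL,NULL,\
          hInst,NULL
.IF eax == NULL                         ; creation failed; the original went on to ShowWindow(NULL)
    ret
.ENDIF
mov  hwnd,eax

invoke ShowWindow, hwnd,SW_SHOWNORMAL
invoke UpdateWindow, hwnd

; GetMessage returns 0 on WM_QUIT and -1 on error. The original tested only
; for 0, so an error return would spin this loop forever.
.WHILE TRUE
    invoke GetMessage, ADDR msg,NULL,0,0
    .BREAK .IF (eax == 0) || (eax == -1)
    invoke TranslateMessage, ADDR msg
    invoke DispatchMessage, ADDR msg
.ENDW

mov    eax,msg.wParam
ret
WinMain endp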

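WndProc proc uses edi hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
; Window procedure. On WM_CREATE it enumerates every process on the machine
; and shows the full path of each one's first module (its executable) in a
; MessageBox; on WM_DESTROY it posts WM_QUIT; anything else goes to
; DefWindowProc.
;
; `uses edi`: edi is callee-saved under the Win32 stdcall ABI and this
; procedure is called back by the system, so it must survive the call; the
; original clobbered it without saving it.
;
; Register roles inside the WM_CREATE loop:
;   edi = pointer to the current PID in ProcessHandleArray
;   ecx = PIDs remaining (pushed/popped around each invoke)
LOCAL    ThisProcess:DWORD               ; handle returned by OpenProcess
LOCAL    Module:DWORD                    ; first HMODULE of the target process

.IF uMsg==WM_DESTROY
    invoke PostQuitMessage,NULL
.ELSEIF uMsg==WM_CREATE

    ; NOTE(review): the forum rendering stripped the bracketed memory
    ; operands from this loop; they are restored here from the declared
    ; globals/locals — confirm against the original post.
    INVOKE      EnumProcesses, OFFSET ProcessHandleArray, sizeof ProcessHandleArray, OFFSET CB
    TEST        EAX, EAX
    JZ          @@Done                   ; enumeration failed: CB cannot be trusted
    LEA         EDI, DWORD PTR [ProcessHandleArray]
    MOV         ECX, DWORD PTR [CB]
    SHR         ECX, 2                   ; bytes -> number of PIDs
    JZ          @@Done                   ; zero entries: DEC/JNZ below would otherwise loop 2^32 times
  @@Loop:
    PUSH        ECX
    ; Query-only access; targets this caller may not open (system/protected
    ; processes) return NULL and are skipped rather than aborting the walk.
    INVOKE      OpenProcess, PROCESS_QUERY_INFORMATION OR PROCESS_VM_READ, FALSE, DWORD PTR [EDI]
    ADD         EDI, sizeof DWORD
    TEST        EAX, EAX
    JZ          @@LoopTail
    MOV         DWORD PTR [ThisProcess], EAX
    ; Request one HMODULE only: the first entry is the process's executable.
    INVOKE      EnumProcessModules, DWORD PTR [ThisProcess], ADDR Module, SIZEOF Module, ADDR CB
    TEST        EAX, EAX
    JZ          @@CloseTarget            ; Module is uninitialised on failure (presumably incl. 64-bit targets from a 32-bit caller)
    INVOKE      GetModuleFileNameEx, DWORD PTR [ThisProcess], DWORD PTR [Module], OFFSET FileAddress, SIZEOF FileAddress
    TEST        EAX, EAX
    JZ          @@CloseTarget            ; nothing written: FileAddress would still hold the previous process's path
    INVOKE      MessageBox, 0, OFFSET FileAddress, 0, MB_ICONINFORMATION
  @@CloseTarget:
    INVOKE      CloseHandle, DWORD PTR [ThisProcess]
  @@LoopTail:
    POP         ECX
    DEC         ECX
    JNZ         @@Loop
  @@Done:

.ELSE
    invoke DefWindowProc,hWnd,uMsg,wParam,lParam
    ret
.ENDIF

xor eax,eax
ret
WndProc endp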


end start
Posted on 2009-05-21 06:18:46 by XCHG
Thanks XCHG, works perfectly fine  8)

But can't we achieve the same through the Module32Next and Module32First APIs (of course, other APIs will be included when required)? Is there any difference in performance?

Thanks,

C K
Posted on 2009-05-21 08:21:49 by karthikeyanck