When I use CreateToolhelp32Snapshot on XP/2K, it doesn't return the full path of the executable loaded in memory in Win2K/XP like it does on 9x... How can I get the full path?

tre had tried something like this, but it was a little buggy. Maybe someone can help point out the problem.

; Lookup Executable Path
; Call as: invoke FindPath, Process.th32ProcessID, ADDR Process.szExeFile, ADDR ThaPath
;   PID      - th32ProcessID from the PROCESSENTRY32 filled by Process32First/Next
;   ExeName  - szExeFile from that same PROCESSENTRY32 (file name only, no path)
;   PathAddr - buffer of at least MAX_PATH bytes that receives the full path
; Returns TRUE in eax and fills the buffer, or FALSE (and an empty buffer) if no module matched

FindPath PROC uses esi PID:DWORD, ExeName:DWORD, PathAddr:DWORD
    LOCAL hSnapshot:DWORD
    LOCAL ME:MODULEENTRY32

    ; snapshot of the modules loaded into process PID
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, PID
    cmp eax, INVALID_HANDLE_VALUE
    je NotFound                         ; no handle yet, so nothing to close
    mov hSnapshot, eax

    mov ME.dwSize, SIZEOF ME
    invoke Module32First, hSnapshot, ADDR ME

ModuleLoop:
    ; check to see if Module32(First/Next) had an error or ran out of modules
    test eax, eax
    jz CloseNotFound

    ; Compare the module file name to the process exe name
    ; (th32ModuleID is not a process ID, so it cannot be compared with PID)
    invoke lstrcmpi, ADDR ME.szModule, ExeName
    test eax, eax
    jz Found

    ; Get the next module in the list
    invoke Module32Next, hSnapshot, ADDR ME
    jmp ModuleLoop

Found:
    invoke lstrcpy, PathAddr, ADDR ME.szExePath
    invoke CloseHandle, hSnapshot
    mov eax, TRUE
    ret

CloseNotFound:
    invoke CloseHandle, hSnapshot
NotFound:
    ; leave an empty string in the caller's buffer and return FALSE
    mov esi, PathAddr
    mov byte ptr [esi], 0
    xor eax, eax
    ret
FindPath ENDP
Posted on 2002-09-27 22:05:15 by illwill
On NT, use the undocumented NtQuerySystemInformation in ntdll.dll.
Posted on 2002-09-27 22:27:16 by vhasm
Not much luck finding anything on Google for that DLL... nothing on the boards either.
Posted on 2002-09-27 22:59:29 by illwill
Don't compare me32.th32ModuleID with pe32.th32ModuleID. They have different meaning.
You should compare me32.szModule with the file name received from Process32First/Process32Next.

There is a book by Gary Nebbett, "Windows NT/2000 Native API Reference".
Posted on 2002-09-28 04:25:57 by Four-F
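As an added example (not code from this thread or from the aphex source), here is a complete MASM32 console program that puts Four-F's advice together with the Process32 side: one TH32CS_SNAPPROCESS snapshot to walk every process, then one TH32CS_SNAPMODULE snapshot per process in which me32.szModule is matched against pe32.szExeFile to pull the full path out of me32.szExePath. It assumes the standard \masm32 include and lib paths; the PrintStr and GetExePath names, the labels and the placeholder text are mine. Where the module snapshot cannot be taken (PID 0, or processes the caller cannot open, such as System and csrss on 2K/XP) it prints the placeholder instead of a path.

```masm
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data
    szTab       db 9, 0
    szCrLf      db 13, 10, 0
    szNoPath    db "<module snapshot failed>", 0      ; placeholder, my own text

.data?
    hOut        dd ?
    dwWritten   dd ?
    hProcSnap   dd ?
    pe          PROCESSENTRY32 <>
    szPath      db MAX_PATH dup(?)

.code

; Write a zero-terminated string to the console (no newline added)
PrintStr PROC lpStr:DWORD
    invoke lstrlen, lpStr
    invoke WriteFile, hOut, lpStr, eax, ADDR dwWritten, NULL
    ret
PrintStr ENDP

; Copy the full path of the module named lpExeName inside process dwPID to lpBuf.
; lpExeName is pe32.szExeFile (name only); the match is on me32.szModule,
; never on th32ModuleID. Returns TRUE in eax on success, FALSE otherwise.
GetExePath PROC dwPID:DWORD, lpExeName:DWORD, lpBuf:DWORD
    LOCAL hSnap:DWORD
    LOCAL me:MODULEENTRY32

    invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, dwPID
    cmp eax, INVALID_HANDLE_VALUE
    je NoSnap                       ; access denied or process already gone
    mov hSnap, eax

    mov me.dwSize, SIZEOF MODULEENTRY32
    invoke Module32First, hSnap, ADDR me
NextMod:
    test eax, eax
    jz NoMod                        ; end of list or error
    invoke lstrcmpi, ADDR me.szModule, lpExeName
    test eax, eax
    jz FoundMod
    invoke Module32Next, hSnap, ADDR me
    jmp NextMod

FoundMod:
    invoke lstrcpy, lpBuf, ADDR me.szExePath
    invoke CloseHandle, hSnap
    mov eax, TRUE
    ret

NoMod:
    invoke CloseHandle, hSnap
NoSnap:
    xor eax, eax
    ret
GetExePath ENDP

start:
    invoke GetStdHandle, STD_OUTPUT_HANDLE
    mov hOut, eax

    ; one snapshot of every process, then one module snapshot per process
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    cmp eax, INVALID_HANDLE_VALUE
    je Done
    mov hProcSnap, eax

    mov pe.dwSize, SIZEOF PROCESSENTRY32
    invoke Process32First, hProcSnap, ADDR pe
NextProc:
    test eax, eax
    jz CloseProcSnap
    invoke GetExePath, pe.th32ProcessID, ADDR pe.szExeFile, ADDR szPath
    test eax, eax
    jnz HavePath
    invoke lstrcpy, ADDR szPath, ADDR szNoPath
HavePath:
    ; one line per process: exe name, tab, full path (or placeholder)
    invoke PrintStr, ADDR pe.szExeFile
    invoke PrintStr, ADDR szTab
    invoke PrintStr, ADDR szPath
    invoke PrintStr, ADDR szCrLf
    invoke Process32Next, hProcSnap, ADDR pe
    jmp NextProc

CloseProcSnap:
    invoke CloseHandle, hProcSnap
Done:
    invoke ExitProcess, 0
end start
```

Build with the usual ml /c /coff and link /subsystem:console. The module loop does not depend on the exe being the first entry that Module32First returns; matching on szModule works whatever the ordering, and lstrcmpi keeps the comparison case-insensitive so that "NOTEPAD.EXE" and "notepad.exe" match.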
If you want to see the whole source, it's here: http://www.illmob.org/sources/aphex.html. Maybe that would help more. The source isn't done, and I commented out a few steps for testing.
Posted on 2002-09-28 13:47:01 by illwill
Well, got the code finished. tre figured out the problem. If you want to view a quick method of getting the full path of a file loaded into memory, you can view the source here: http://www.illmob.org/sources/aphex.html
or the whole program here: http://www.illmob.org/files/Aphexkill.zip
Posted on 2002-09-28 19:44:59 by illwill