When I use CreateToolhelp32Snapshot on XP/2k it doesn't return the full path of the executable loaded in memory on Win2k/XP like it does on 9x... how can I get the full path?

tre had tried something like this, but it was a little buggy. Maybe someone can help point out the problem:

; Lookup Executable Path (invoke FindPath, Process.th32ProcessID, addr Process.szExeFile, addr ThaPath)
; PID      = th32ProcessID from Process32First/Process32Next
; ExeName  = pointer to szExeFile from the same PROCESSENTRY32
; PathAddr = buffer of at least MAX_PATH bytes that receives the full path
; Returns TRUE on success, FALSE (and an empty string in PathAddr) otherwise
FindPath PROC PID:DWORD, ExeName:DWORD, PathAddr:DWORD
LOCAL ME:MODULEENTRY32
LOCAL hSnapshot:HANDLE

; take a module snapshot of the target process and keep the handle
; (the original dropped the return value, so hSnapshot was never set)
invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, PID
cmp eax, INVALID_HANDLE_VALUE
je SnapFailed
mov hSnapshot, eax
mov ME.dwSize, SIZEOF MODULEENTRY32
invoke Module32First, hSnapshot, ADDR ME
ModuleLoop:
; check to see if Module32(First/Next) had an error or ran out of modules
test eax, eax
jz NotFound

; th32ModuleID is not a process ID, so match the module name against the
; executable name reported by Process32First/Next instead (case-insensitive)
invoke lstrcmpi, ADDR ME.szModule, ExeName
test eax, eax
jz Found

; Get the next module in the list
invoke Module32Next, hSnapshot, ADDR ME
jmp ModuleLoop

Found:
invoke lstrcpy, PathAddr, ADDR ME.szExePath
invoke CloseHandle, hSnapshot
mov eax, TRUE
ret

NotFound:
invoke CloseHandle, hSnapshot
SnapFailed:
; return an empty string (the original loaded esi but stosb writes through edi)
mov eax, PathAddr
mov byte ptr [eax], 0
xor eax, eax
ret
FindPath ENDP
Posted on 2002-09-27 22:05:15 by illwill
On NT, use the undocumented NtQuerySystemInformation in ntdll.dll.
Posted on 2002-09-27 22:27:16 by vhasm
Not much luck finding anything on Google for that DLL... nothing on the boards either.
Posted on 2002-09-27 22:59:29 by illwill
Don't compare me32.th32ModuleID with pe32.th32ProcessID. They have different meanings.
You should compare me32.szModule with the file name received from Process32First/Process32Next.

There is a book by Gary Nebbett, "Windows NT-2000 Native API Reference".
Posted on 2002-09-28 04:25:57 by Four-F
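The approach Four-F describes, written out as a complete MASM32 program. This is an added example, not illwill's code or anything from the Aphex source: it takes a TH32CS_SNAPPROCESS snapshot, and for every process takes a TH32CS_SNAPMODULE snapshot and picks the module whose szModule matches the szExeFile from PROCESSENTRY32, which is how the full path of a process's executable is found on NT/2000/XP without touching ntdll. It assumes the standard masm32 include/lib paths, that kernel32.inc carries the Toolhelp prototypes (it does on masm32), and it adds one caveat the thread does not mention: MSDN documents that CreateToolhelp32Snapshot with TH32CS_SNAPMODULE can fail with ERROR_BAD_LENGTH while the target's module list is changing and should simply be retried. Procedure names (GetExePath, main), the retry count and the placeholder text are choices made for this example.

```masm
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
fmt     db "%5lu  %s", 13, 10, 0
noPath  db "<no module snapshot>", 0      ; System/Idle or access denied

.data?
buffer  db 512 dup(?)
hOut    dd ?
written dd ?

.code
; Copy the full path of the executable of process PID into PathAddr (MAX_PATH bytes).
; ExeName points at PROCESSENTRY32.szExeFile; the module with the same name is the
; main executable, whose szExePath is the full path. Returns TRUE on success,
; FALSE with an empty string otherwise.
GetExePath PROC PID:DWORD, ExeName:DWORD, PathAddr:DWORD
LOCAL ME:MODULEENTRY32
LOCAL hSnap:HANDLE
LOCAL tries:DWORD

    mov tries, 10                         ; retry budget for ERROR_BAD_LENGTH
Retry:
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, PID
    cmp eax, INVALID_HANDLE_VALUE
    jne GotSnap
    invoke GetLastError                   ; module list changed under us: retry
    cmp eax, ERROR_BAD_LENGTH
    jne Fail
    dec tries
    jnz Retry
    jmp Fail
GotSnap:
    mov hSnap, eax
    mov ME.dwSize, SIZEOF MODULEENTRY32
    invoke Module32First, hSnap, ADDR ME
NextMod:
    test eax, eax
    jz CloseFail                          ; error or end of list
    invoke lstrcmpi, ADDR ME.szModule, ExeName
    test eax, eax
    jz Match
    invoke Module32Next, hSnap, ADDR ME
    jmp NextMod
Match:
    invoke lstrcpy, PathAddr, ADDR ME.szExePath
    invoke CloseHandle, hSnap
    mov eax, TRUE
    ret
CloseFail:
    invoke CloseHandle, hSnap
Fail:
    mov eax, PathAddr
    mov byte ptr [eax], 0
    xor eax, eax
    ret
GetExePath ENDP

; Enumerate all processes and print "<pid>  <full path>" per line to stdout.
main PROC
LOCAL PE:PROCESSENTRY32
LOCAL hProcSnap:HANDLE
LOCAL path[MAX_PATH]:BYTE

    invoke GetStdHandle, STD_OUTPUT_HANDLE
    mov hOut, eax
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    cmp eax, INVALID_HANDLE_VALUE
    je Done
    mov hProcSnap, eax
    mov PE.dwSize, SIZEOF PROCESSENTRY32
    invoke Process32First, hProcSnap, ADDR PE
NextProc:
    test eax, eax
    jz CloseSnap
    invoke GetExePath, PE.th32ProcessID, ADDR PE.szExeFile, ADDR path
    test eax, eax
    jnz HavePath
    invoke lstrcpy, ADDR path, ADDR noPath
HavePath:
    invoke wsprintf, ADDR buffer, ADDR fmt, PE.th32ProcessID, ADDR path
    invoke WriteFile, hOut, ADDR buffer, eax, ADDR written, NULL
    invoke Process32Next, hProcSnap, ADDR PE
    jmp NextProc
CloseSnap:
    invoke CloseHandle, hProcSnap
Done:
    ret
main ENDP

start:
    invoke main
    invoke ExitProcess, 0
end start
```

Build with the usual masm32 pair (ml /c /coff, link /subsystem:console). Processes you cannot open, such as System and the Idle process, give no module snapshot and show the placeholder; that is expected, not a bug in the match.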
If you want to see the whole source, it's here: http://www.illmob.org/sources/aphex.html. Maybe that would help more. The source isn't done and I commented out a few steps for testing.
Posted on 2002-09-28 13:47:01 by illwill
Well, got the code finished; tre figured out the problem. If you want to view a quick method of getting the full path of a file loaded into memory, you can view the source here: http://www.illmob.org/sources/aphex.html
or the whole program here: http://www.illmob.org/files/Aphexkill.zip
Posted on 2002-09-28 19:44:59 by illwill