CreateToolhelp32Snapshot v1.2 Beta * Updated

[guga]

CreateToolhelp32Snapshot v 1.2 (Updated version on 09/07/2014)

v 1.2 (SnapShot_Guga3c2.zip - Works on WinNT and above)
* Added RTF (2.0) display
* Fixed support to Window NT (I hope :) )
* Fixed Module and thread listings
* Fixed process listings.
* Fixed SSE2 check - I hope :)
* Enabling report export in rtf format
v 1.2 (Xp version only to compare to the other one that also works on NT - SnapShot_Original3b2.zip)
________________________________________________________________________________________
Requirements:
RichEdit 2.0

Todo List:
Create the heap listings.
Clean up the code
Finish further testings to compare the results of the original and mine version before implement the functions as a dll and make sure the functions are working on NT
Rebuild the SSE2 check to make it be for more general use. (See CPUID how they manage it. Or at intel references..They have a C code that can be ported to Assembly)
after creating the dll, add a progressbar on the executable demo just for fun

P.S.:  The source code is embedded in the executable. To view or edit the source code you need to open the file in RosAsm.
________________________________________________________________________________________
________________________________________________________________________________________
CreateToolhelp32Snapshot v 1.1 (Updated version on 06/07/2014)

v 1.1 (SnapShot_Guga2c.zip)
* Fixed the last module thatwas not being displayed
* Implemented routines to check if the CPU contains SSE2
* Added faster memcopy and zeromemory routines to work with SSE2 (When the CPU allows it. Otherwise, it will use the default functions)
* Removed the calls to toolsnapshot win Apis from the demo to be tested on NT. Now it contains only mine versions of toolhelp
* Added the follwoing functions:
    Module32First   Module32FirstW
    Module32Next    Module32NextW
    Thread32First   Thread32Next

This is a test of the series of ToolHelp functions recreated from the original M$ Api.

So far, i suceeded to rebuild the following Apis

• CreateToolhelp32Snapshot
• Process32First
• Process32FirstW
• Process32Next
• Process32NextW

I´m pretty sure that on Process32Next there is a minor bug somewhere. I´m tracing it to compare to the results i found on the original APi to see if i can fix it.

Can someone test to see if the App works on WinnT ? (And on others windows versions too, such as win7, winvista, etc etc)

Note: This demo version was not designed to work on Win9x or below.

Btw:
SnapShot_Guga.zip = Mine version with the rebuilded Apis
SnapShot2_Original.zip = Same app using the M$ Apis



Note: This is a functional test, but the loading of modules and threads are disabled because i didn´t started to write the corresponding Apis. But...on SnapShot2_Original you can see the modules and threads just uncommenting the following lines inside "BeginProcess" TITLE.

Code: [Select]

        ; List the modules and threads associated with this process
        ;call ListProcessModules D$hEdit, D@PROCESSENTRY32.th32ProcessIDDis
        ;call ListProcessThreads D$hEdit, D@PROCESSENTRY32.th32ProcessIDDis
DON´T UNCOMMENT THEM ON MINE VERSION BECAUSE I DIDN´T BUILD THE NECESSARY APIS.
If you want to see the list of modules and threads uncoment those lines only on the original version

[adeyblue]

I ran it on NT4 SP2, this is what happened

Seems both exes import the actual Toolhelp functions. So I patched the export table of the _Guga.exe, and ran it again.
It started (exe was in taskmgr) but nothing happened, then about 4 seconds later it crashed with the bottom message. It's probably because NT4 before SP5 doesn't natively support SSE2 rather than any actual bugs (the illegal instruction is movdqu xmm1, qword ptr [esi+edx*8]).

It works on XP though

[guga]

Tks adeyblue. I saw it.

This is because i forgot to remove the call to CreateToolhelp32Snapshot. I simply commented the functions that called them, but forgot to remove from this demo.

I´ll fix that and also see the problem of SSE2 instruction. I´ll have to add a routine to check for the SSE2 instructions and if it is not found, use the regular memcpy function.

I´m fixing that small problem of the absense of loading the last module (and therefore, the current we are using). It is a small mistake on the counting of the total loaded modules.

Once i fix i´ll post here with the corected functions to properly try to  load on NT.

Many many tks for testing :):):)

[guga]

I made a small function that checks for the presence of SSE2, but i´m not sure if NT have this Api

Code: [Select]

Proc SSE2_Available_init:
    Uses ebx, esi, edi

    C_call 'kernel32.IsProcessorFeaturePresent' &PF_XMMI64_INSTRUCTIONS_AVAILABLE
    mov D$sse2_available eax
    mov D$use_sse2_mathfcns eax

EndP
Does NT have thisapi inside ?

If not, i´ll try using the cpuid technique.

Btw...Dave, your routines of using cpuid to check for the processor also works to see if it contains SSE2 ?

[dedndave]

because you are dealing with older machines...
you should first verify that the CPU supports CPUID
i'm not sure what the minimum processor is for NT, but i know Win95 would install on some older ones
but - the test is simple enough
you just test to see if you can toggle bit 21 of the EFLAGS register

Code: [Select]

    pushfd
    pop     eax
    mov     ecx,200000h
    mov     edx,eax
    xor     eax,ecx
    push    eax
    popfd
    pushfd
    pop     eax
    xor     eax,edx
    and     eax,ecx
    jz      cpuid_not_supported
once you know CPUID is supported
execute CPUID with EAX = 0 to verify function 1 (at least) is supported
CPUID leaf 00000001h, EDX, bit 26 indicates SSE2 support

Code: [Select]

    xor     eax,eax
    cpuid                             ;masm processor must be .586 or higher to assemble
    or      eax,eax
    jz      function_1_not_supported

    cmp     ah,5                      ;verify not pre-B0 step family 5
    jz      function_1_not_supported

    mov     eax,1
    cpuid
    test    edx,4000000h              ;could also use BT EDX,26 -> sets CF if set
    jnz     sse2_supported
all CPU's that support SSE2 also support CPUID leaf 1 or higher

[guga]

Tks Dave, i´ll give a try :t :t

One dumb question...In older machines that does not support cpuid...it also means that they don´t support SS/SSE2, right ?

[dedndave]

all CPU's that support SSE2 also support CPUID function 1 or higher

i added that line at the end - probably after you saw the post   :P

[dedndave]

seems to work...

Code: [Select]

;***********************************************************************************************

IsSse2 PROC

;returns TRUE if SSE2 is supported

    push    ebx
    pushfd
    pop     eax
    mov     ecx,200000h
    mov     edx,eax
    xor     eax,ecx
    push    eax
    popfd
    pushfd
    pop     eax
    xor     eax,edx
    and     eax,ecx
    jz      exit_proc

;once you know CPUID is supported
;execute CPUID with EAX = 0 to verify function 1 (at least) is supported
;CPUID leaf 00000001h, EDX, bit 26 indicates SSE2 support

    xor     eax,eax
    cpuid                             ;masm processor must be .586 or higher to assemble
    or      eax,eax
    jz      exit_proc

    cmp     ah,5                      ;verify not pre-B0 step family 5
    jnz     continue_test

    xor     eax,eax
    jmp     exit_proc

continue_test:
    mov     eax,1
    cpuid
    xchg    eax,edx
    shr     eax,26
    and     eax,1

exit_proc:
    pop     ebx
    ret

IsSse2 ENDP

;***********************************************************************************************
EDIT: couple minor improvements in flow
EDIT: also added PUSH/POP - easy to forget that CPUID alters EBX   :P

[dedndave]

here's one that's probably a bit more useful
it returns a value in EAX with individual bits set for MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, and SSE4.2

Code: [Select]

;***********************************************************************************************

GetSseLevel PROC

;EAX return bits:
;0 = MMX
;1 = SSE
;2 = SSE2
;3 = SSE3
;4 = SSSE3
;5 = SSE4.1
;6 = SSE4.2

    pushfd
    pop     eax
    mov     ecx,200000h
    mov     edx,eax
    xor     eax,ecx
    push    eax
    popfd
    pushfd
    pop     eax
    xor     eax,edx
    and     eax,ecx
    .if !ZERO?
        push    ebx
        xor     eax,eax
        dw      0A20Fh                                        ;cpuid instruction
        .if eax
            .if ah==5
                xor     eax,eax
            .else
                mov     eax,1
                dw      0A20Fh                                ;cpuid instruction
                xor     eax,eax
                bt      ecx,20                                ;SSE4.2
                rcl     eax,1                                 ;into bit 6
                bt      ecx,19                                ;SSE4.1
                rcl     eax,1                                 ;into bit 5
                bt      ecx,9                                 ;SSSE3
                rcl     eax,1                                 ;into bit 4
                bt      ecx,0                                 ;SSE3
                rcl     eax,1                                 ;into bit 3
                bt      edx,26                                ;SSE2
                rcl     eax,1                                 ;into bit 2
                bt      edx,25                                ;SSE
                rcl     eax,1                                 ;into bit 1
                bt      ecx,0                                 ;MMX
                rcl     eax,1                                 ;into bit 0
            .endif
        .endif
        pop     ebx
    .endif
    ret

GetSseLevel ENDP

[guga]

Excellent code Dave 

One question. Why you set the opcodes of cpuid, instead the instrucion itself ? Is it a problem on older versions of masm that does not assemble cpuid (as a mnemonic), or olders CPUs have different opcodes for cpuid ?

Btw: I fixed the minor bugs and now i´m rebuilding the Module32FirstW api. The next ones will be Module32Next and the Thread32First , Thread32Next series. Those will be enough to make the demo work properly to test on NT etc. Once i done them i´ll finish the rest of the whole set of toolhelp Apis and make a dll for it.

Another bug that is fixed from the original windows version is on Module32First Api, that returns ERROR_INVALID_PARAMETER instead the conversion of NTError code STATUS_INFO_LENGTH_MISMATCH.

Once i suceed to rebuild this whole toolhelp Api set, i´l try to add a couple of export functions that may be helpfull, such as a get SNAPSHOT structure to retrieve the Data directly from this structure that is loaded internally on the apis. And perhaps add more info related to the cpu, and possibly allowing dumping modules, processes, threads etc etc.

[dedndave]

no - masm assembles the instruction fine
but, you must select .586 processor
by using DW, it will assemble with any selected 32-bit processor
unfortunately, masm32rt.inc has .486 in it - it would be better if it had .586   :P

[guga]

AHn...i edited the previous comment while you were typing

If you have any ideas of functions to add to this apis i´m rebuilding, let me know.

[dedndave]

i guess i could have used PUSHCONTEXT/POPCONTEXT and .586   :P

Code: [Select]

;***********************************************************************************************

GetSseLevel PROC

;EAX return bits:
;0 = MMX
;1 = SSE
;2 = SSE2
;3 = SSE3
;4 = SSSE3
;5 = SSE4.1
;6 = SSE4.2

        PUSHCONTEXT
        .586

    pushfd
    pop     eax
    mov     ecx,200000h
    mov     edx,eax
    xor     eax,ecx
    push    eax
    popfd
    pushfd
    pop     eax
    xor     eax,edx
    and     eax,ecx
    .if !ZERO?
        push    ebx
        xor     eax,eax
        cpuid
        .if eax
            .if ah==5
                xor     eax,eax
            .else
                mov     eax,1
                cpuid
                xor     eax,eax
                bt      ecx,20                                ;SSE4.2
                rcl     eax,1                                 ;into bit 6
                bt      ecx,19                                ;SSE4.1
                rcl     eax,1                                 ;into bit 5
                bt      ecx,9                                 ;SSSE3
                rcl     eax,1                                 ;into bit 4
                bt      ecx,0                                 ;SSE3
                rcl     eax,1                                 ;into bit 3
                bt      edx,26                                ;SSE2
                rcl     eax,1                                 ;into bit 2
                bt      edx,25                                ;SSE
                rcl     eax,1                                 ;into bit 1
                bt      ecx,0                                 ;MMX
                rcl     eax,1                                 ;into bit 0
            .endif
        .endif
        pop     ebx
    .endif
    ret

        POPCONTEXT

GetSseLevel ENDP

;***********************************************************************************************

[guga]

OK, guys

I updated the file. Can someone test it on NT ?

adeyblue can you try now to see if it works ?

Many tks.

[adeyblue]

It crashes in the same way, on what looks like exactly the same instruction though it's now at 0x406f4e. My CPU supports SSE2 (Intel Pentium 2020M), I think it's something within NT that hates it, so it'd require a version check as well as a CPUID check.

Anyway, I hacked your exe to always use non-SSE path and the dialog appears. Here's the text it shows. Looks good, the PID's correspond with what taskmgr shows anyway.

For reference, IsProcessorFeaturePresent exists on NT4, but not on either NT 3 version if that matters. I've got some VMs of those but I'm currently fighting Adobe Premiere Pro so it might be a few days before I can test them.