Author Topic: CreateToolhelp32Snapshot v1.2 Beta * Updated  (Read 19368 times)

guga

  • Moderator
  • Member
  • *****
  • Posts: 1239
  • Assembly is a state of art.
    • RosAsm
Re: CreateToolhelp32Snapshot v1.0 Beta
« Reply #15 on: July 07, 2014, 01:22:46 PM »
Indeed, a windows version check would also be required then.

But....at least I'm glad to know the function is actually working on WINNT  :biggrin: :biggrin: :biggrin: :biggrin:

I'll try to finish this app and build the proper dll so everyone can use it in their own apps :greenclp:
Coding in Assembly requires a mix of:
80% of brain, passion, intuition, creativity
10% of programming skills
10% of alcoholic levels in your blood.

My Code Sites:
http://rosasm.freeforums.org
http://winasm.tripod.com

dedndave

  • Member
  • *****
  • Posts: 8827
  • Still using Abacus 2.0
    • DednDave
Re: CreateToolhelp32Snapshot v1.0 Beta
« Reply #16 on: July 07, 2014, 02:35:21 PM »
it might be better to use LoadLibrary/GetProcAddress/FreeLibrary
the reason is.....
on some versions of windows CE, the system architect may select which functions are to be supported
so - checking the version may not always get you the info you need

i use this method on a few functions
if the OS doesn't support the function, i don't call it   :biggrin:

dedndave

  • Member
  • *****
  • Posts: 8827
  • Still using Abacus 2.0
    • DednDave
Re: CreateToolhelp32Snapshot v1.0 Beta
« Reply #17 on: July 07, 2014, 02:42:14 PM »
also....
there were a few problems in the masm32 package with Process32First/Next and Module32First/Next
possibly with Thread32First/Next, Heap32First/Next, and Heap32ListFirst/Next

some of the history...

http://www.masmforum.com/board/index.php?topic=18294.0
http://www.masmforum.com/board/index.php?topic=18850.15
http://www.masmforum.com/board/index.php?topic=18900.0

guga

  • Moderator
  • Member
  • *****
  • Posts: 1239
  • Assembly is a state of art.
    • RosAsm
Re: CreateToolhelp32Snapshot v1.0 Beta
« Reply #18 on: July 07, 2014, 05:38:56 PM »
Using loadlibrary... Why ? WinCE does not have the ntdll apis ??

I'm not sure I understood this. You mean that if I build a dll containing my version of these APIs, WinCE will choose the ones existing inside kernel just because the API names are the same?

The functions I'm making are not the ones inside kernel. I rebuilt them so they also work in NT (which doesn't have those APIs) and fixed some bugs existing inside the ones from Kernel32.dll.

For example, my version of CreateToolhelp32Snapshot is this:

Code:

Proc CreateToolhelp32Snapshot::
    Arguments @dwFlags, @th32ProcessID
    Local @RawDebugInfo, @RawModule, @RawProcess, @CurProcID, @SectionHandle
    Uses esi, ecx, ebx

    If D@th32ProcessID = 0
        call 'KERNEL32.GetCurrentProcessId'
    Else
        mov eax D@th32ProcessID
    End_If
    mov D@CurProcID eax

    lea ecx D@RawDebugInfo | mov D$ecx 0
    lea ebx D@RawModule | mov D$ebx 0
    lea eax D@RawProcess | mov D$eax 0
    call ThpCreateRawSnap D@dwFlags, D@CurProcID, eax, ebx, ecx
    If eax <> &STATUS_SUCCESS
        call BaseSetLastNTError eax
        or eax &INVALID_HANDLE_VALUE | ExitP
    End_If

    lea eax D@SectionHandle | mov D$eax 0
    call ThpAllocateSnapshotSection eax, D@dwFlags, D@CurProcID, D@RawProcess, D@RawModule, D@RawDebugInfo
    If eax <> &STATUS_SUCCESS
        call BaseSetLastNTError eax
        or eax &INVALID_HANDLE_VALUE | ExitP
    End_If

    call ThpProcessToSnap D@dwFlags, D@CurProcID, D@SectionHandle, D@RawProcess, D@RawModule, D@RawDebugInfo
    If eax <> &STATUS_SUCCESS
        mov esi eax
        call 'kernel32.CloseHandle' D@SectionHandle
        call BaseSetLastNTError esi
        or eax &INVALID_HANDLE_VALUE | ExitP
    End_If

    mov eax D@SectionHandle

EndP


(...)
Code:

Proc ThpAllocateSnapshotSection:
    Arguments @SnapSection, @dwFlags, @th32ProcessID, @RawProcess, @RawModule, @RawDebugInfo
    Local @IsRawProcess, @IsModule, @IsHeapList, @RegionSize, @SnapshotBase, @SnapShotSize, @ThreadCount,
          @ProcessCount, @ModuleCount, @HeapListCount, @Status
    Uses ebx, esi, edi, ecx, edx


    mov D@ModuleCount 0
    mov D@HeapListCount 0
    mov D@ProcessCount 0
    mov D@ThreadCount 0
    mov D@IsRawProcess &FALSE
    mov D@IsModule &FALSE
    mov D@IsHeapList &FALSE
    mov D@SnapShotSize Size_Of_SNAPSHOTSTATE

    ;  calculate the required snapshot size
    .Test_If D@dwFlags &TH32CS_SNAPPROCESS__&TH32CS_SNAPTHREAD

        mov esi D@RawProcess; current position of the structure
        Do
            inc D@ProcessCount ; the total amount of the process used on the system
            mov ecx D$esi+SYSTEM_PROCESS_INFORMATION.NumberOfThreadsDis | add D@ThreadCount ecx ; how many threads we have so far ?
            ; the next entry is the current address plus the next offset
            add esi D$esi+SYSTEM_PROCESS_INFORMATION.NextEntryOffsetDis
            ; See if the next entry we have something there. If there is no next entry, end the loop
        Loop_Until D$esi+SYSTEM_PROCESS_INFORMATION.NextEntryOffsetDis = 0
        inc D@ProcessCount ; and finally, include the previous process
        mov ecx D$esi+SYSTEM_PROCESS_INFORMATION.NumberOfThreadsDis
        add D@ThreadCount ecx


        Test_If D@dwFlags &TH32CS_SNAPPROCESS
            mov esi D@ProcessCount | imul esi Size_Of_PROCESSENTRY32W | add esi Size_Of_SNAPSHOTSTATE | mov D@SnapShotSize esi
        Test_End

        Test_If D@dwFlags &TH32CS_SNAPTHREAD
            mov eax D@ThreadCount | imul eax Size_Of_THREADENTRY32 | add D@SnapShotSize eax
        Test_End
         mov D@IsRawProcess &TRUE

    .Test_End

    Test_If D@dwFlags &TH32CS_SNAPMODULE
        mov eax D@RawModule | mov eax D$eax+RTL_DEBUG_INFORMATION.ModulesDis | mov eax D$eax+RTL_PROCESS_MODULES.NumberOfModulesDis | mov D@ModuleCount eax
        imul eax Size_of_MODULEENTRY32W | add D@SnapShotSize eax
        mov D@IsModule &TRUE
    Test_End

    Test_If D@dwFlags &TH32CS_SNAPHEAPLIST
        mov eax D@RawDebugInfo | mov eax D$eax+RTL_DEBUG_INFORMATION.HeapsDis | mov eax D$eax+RTL_PROCESS_HEAPS.NumberOfHeapsDis | mov D@HeapListCount eax
        imul eax Size_Of_HEAPLIST32 | add D@SnapShotSize eax
        mov D@IsHeapList &TRUE
    Test_End

    ; Create a security object if needed
    Test_If D@dwFlags &TH32CS_INHERIT
        mov D$SECURITY_ATTRIBUTES.nLength Size_Of_SECURITY_ATTRIBUTES
        mov D$SECURITY_ATTRIBUTES.lpSecurityDescriptor 0
        mov D$SECURITY_ATTRIBUTES.bInheritHandle &TRUE
        mov eax SECURITY_ATTRIBUTES
    Test_Else
        xor eax eax
    Test_End

    ; create a pagefile section to contain the snapshot
    call BaseFormatObjectAttributes OBJECT_ATTRIBUTES, eax, &NULL
    move D$SectionSize.LowPart D@SnapShotSize
    mov D$SectionSize.HiPart 0

    call 'ntdll.NtCreateSection' D@SnapSection, &STANDARD_RIGHTS_REQUIRED__&SECTION_MAP_READ__&SECTION_MAP_WRITE__&SECTION_QUERY,
                                 eax, SectionSize, &PAGE_READWRITE, &SEC_COMMIT, &NULL
    On eax <> &STATUS_SUCCESS, ExitP
    ; that's weird. Here D@SnapSection points to what seems to be a structure. The 6th member seems to point to the stack of the function that called the dll.
    mov D$SectionOffset.LowPart 0
    mov D$SectionOffset.HiPart 0
    mov D$ViewSize 0
    mov D$ViewSize+4 0
    mov esi D@SnapSection
    lea eax D@SnapshotBase | mov D@SnapshotBase 0
    call 'ntdll.NtMapViewOfSection' D$esi, 0-1, eax, 0, 0, SectionOffset, ViewSize, &SECTION_INHERIT_VIEWSHARE, &NULL, &PAGE_READWRITE
    mov D@Status eax
    ...If eax <> &STATUS_SUCCESS
        ; free all memory if failure
        call 'kernel32.CloseHandle' D$esi

        If D@IsRawProcess = &TRUE
            mov edi D@RawProcess
            mov D@RegionSize 0
            lea eax D@RegionSize
            call 'ntdll.NtFreeVirtualMemory' 0-1, edi, eax, &MEM_RELEASE
            mov D$edi 0
        End_If
        If_Or D@IsModule = &TRUE, D@IsRawProcess = &TRUE
            mov edi D@RawModule
            call 'ntdll.RtlDestroyQueryDebugBuffer' edi
            mov D$edi 0
        End_If
        If D@IsHeapList = &TRUE
            mov edi D@RawDebugInfo
            call 'ntdll.RtlDestroyQueryDebugBuffer' edi
            mov D$edi 0
        End_If

    ...Else
        ; return resources
        mov eax D@SnapshotBase
        move D$eax+SNAPSHOTSTATE.HeapListCountDis D@HeapListCount
        move D$eax+SNAPSHOTSTATE.ProcessCountDis D@ProcessCount
        move D$eax+SNAPSHOTSTATE.ModuleCountDis D@ModuleCount
        move D$eax+SNAPSHOTSTATE.ThreadCountDis D@ThreadCount
        call 'ntdll.NtUnmapViewOfSection' 0-1, D@SnapshotBase
    ...End_If

    mov eax D@Status

EndP

Tedd

  • Member
  • ***
  • Posts: 377
  • Procrastinor Extraordinaire
Re: CreateToolhelp32Snapshot v1.0 Beta
« Reply #19 on: July 07, 2014, 09:59:17 PM »
If you could not spam the entire forum userbase with notifications about this, that would be great.
Potato2

sinsi

  • Guest
Re: CreateToolhelp32Snapshot v1.0 Beta
« Reply #20 on: July 07, 2014, 10:02:26 PM »
If you could not spam the entire forum userbase with notifications about this, that would be great.

So I was not the only one then...

jj2007

  • Member
  • *****
  • Posts: 10464
  • Assembler is fun ;-)
    • MasmBasic
Re: CreateToolhelp32Snapshot v1.0 Beta
« Reply #21 on: July 07, 2014, 10:45:43 PM »
I don't get notifications. What do they show in this case?

dedndave

  • Member
  • *****
  • Posts: 8827
  • Still using Abacus 2.0
    • DednDave
Re: CreateToolhelp32Snapshot v1.0 Beta
« Reply #22 on: July 07, 2014, 11:18:13 PM »
Jochen - we all received an e-mail announcing this thread, basically   :dazzled:

Gustavo - sorry - i misunderstood the problem

nidud

  • Member
  • *****
  • Posts: 1980
    • https://github.com/nidud/asmc
Re: CreateToolhelp32Snapshot v1.0 Beta
« Reply #23 on: July 08, 2014, 12:17:16 AM »
I checked my email account
turns out the mail server closed down four months ago   :lol:

hutch--

  • Administrator
  • Member
  • ******
  • Posts: 7460
  • Mnemonic Driven API Grinder
    • The MASM32 SDK
Re: CreateToolhelp32Snapshot v1.0 Beta
« Reply #24 on: July 08, 2014, 01:45:31 AM »
I got one as well. I have turned that option off as we don't want anyone sending notifications to all members.
hutch at movsd dot com
http://www.masm32.com    :biggrin:  :skrewy:

Gunther

  • Member
  • *****
  • Posts: 3585
  • Forgive your enemies, but never forget their names
Re: CreateToolhelp32Snapshot v1.0 Beta
« Reply #25 on: July 08, 2014, 02:24:39 AM »
So what. Gustavo made a little flaw, but he meant well. No big deal.

Gunther
Get your facts first, and then you can distort them.

guga

  • Moderator
  • Member
  • *****
  • Posts: 1239
  • Assembly is a state of art.
    • RosAsm
Re: CreateToolhelp32Snapshot v1.0 Beta
« Reply #26 on: July 08, 2014, 04:05:36 AM »
Oops...sorry about that. I checked the option thinking it would simply put a warning message on the topic saying it has a newer version when I uploaded one.

Didn't know it would send emails to everyone.

Tks steve, the option is disabled now :)

dedndave

  • Member
  • *****
  • Posts: 8827
  • Still using Abacus 2.0
    • DednDave
Re: CreateToolhelp32Snapshot v1.0 Beta
« Reply #27 on: July 09, 2014, 03:36:18 AM »
ok - i have a couple questions for Bob (adeyblue)

if your install of NT4 does not support SSE2, but your CPU does...
1) does your CPU report SSE2 with the GetSseLevel procedure i posted earlier ? (see reply #8 or 12)
i.e., the OS may disable the feature bit
2) are you able to use MMX or SSE(1) instructions ?

adeyblue

  • Member
  • **
  • Posts: 89
    • Airesoft
Re: CreateToolhelp32Snapshot v1.0 Beta
« Reply #28 on: July 09, 2014, 07:32:52 AM »
haha, my name's not Bob. That's just an old habit of what I type in VMs. My name's Adrian.

Anyway:
1) NT4 returns 0x1f in eax so everything up to SSSE3. On Win7 I get 0x7f, which is news to me because I didn't know I had SSE4.2 but apparently so.
2) MMX works, at least movq and emms do. SSE, at least xorps, doesn't (illegal instruction).

There's apparently a driver in NT4 SP5 which enables at least some SSE functionality, but my SP5 exe is on a different machine so I can't install and test it.

dedndave

  • Member
  • *****
  • Posts: 8827
  • Still using Abacus 2.0
    • DednDave
Re: CreateToolhelp32Snapshot v1.0 Beta
« Reply #29 on: July 09, 2014, 08:05:18 AM »
ok, Bob  Adrian   :biggrin:

no need for SP5 test - you told me exactly what i wanted to know
that is: if IsProcessorFeaturePresent is not exported in kernel32, we can assume there is no SSE support
probably a good assumption, at least
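
As an added example (not code posted by anyone in this thread), the probe dedndave describes in replies #16 and #29 might look like this in MASM32 syntax: ask kernel32 for IsProcessorFeaturePresent with GetProcAddress and treat a missing export as no SSE support. OsReportsFeature and the FEATURE_* equates are names made up for the example, and the MASM32 SDK include paths are assumed.

```masm
; Added example, not code from the thread. Assumes the MASM32 SDK include paths.
        .686
        .model  flat, stdcall
        option  casemap:none
        include \masm32\include\windows.inc
        include \masm32\include\kernel32.inc
        includelib \masm32\lib\kernel32.lib

FEATURE_SSE  equ 6      ; value of PF_XMMI_INSTRUCTIONS_AVAILABLE in winnt.h
FEATURE_SSE2 equ 10     ; value of PF_XMMI64_INSTRUCTIONS_AVAILABLE in winnt.h

        .const
szKernel32 db "kernel32.dll",0
szIsPFP    db "IsProcessorFeaturePresent",0

        .code
; OsReportsFeature (hypothetical helper): EAX = 1 only if kernel32 exports
; IsProcessorFeaturePresent AND the OS reports the feature as usable.
; CPUID alone is not enough: the CPU can advertise SSE while the OS has not
; enabled it, in which case SSE instructions fault as illegal.
OsReportsFeature PROC dwFeature:DWORD
        ; kernel32 is already mapped into every Win32 process, so
        ; GetModuleHandle is enough here. For a DLL that may not be loaded,
        ; use LoadLibrary and pair it with FreeLibrary.
        INVOKE  GetModuleHandle, ADDR szKernel32
        test    eax, eax
        jz      absent
        INVOKE  GetProcAddress, eax, ADDR szIsPFP
        test    eax, eax
        jz      absent                  ; export missing: assume no support
        push    dwFeature
        call    eax                     ; stdcall, the callee pops its argument
        test    eax, eax
        setnz   al                      ; normalise the BOOL to 0 or 1
        movzx   eax, al
        ret
absent: xor     eax, eax
        ret
OsReportsFeature ENDP

start:  INVOKE  OsReportsFeature, FEATURE_SSE2
        mov     ebx, eax
        INVOKE  OsReportsFeature, FEATURE_SSE
        add     eax, ebx                ; exit code: 0 = none, 1 = SSE, 2 = SSE + SSE2
        INVOKE  ExitProcess, eax
        END     start
```

The same GetProcAddress test works for any optional export: call the function only when the returned pointer is non-zero.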