GetProcAddress and Process32~ functions.

[acake]

Hello everyone,

So I understood that there isn't Process32Next, Process32First and others function to list modules and processes in kernel32.inc (if someone can explain me why I would be glad to know because I'm a bit confused).

So I basically decided to retrieve the address of Process32Next/First with GetProcAddress (yeah I'm a form of genius I know...).

Here is my code:

Code Select Expand


push 00h
push 02h
call CreateToolhelp32Snapshot
mov lpSnapshot, eax
push offset libk
call GetModuleHandle
mov kernel32, eax
push offset pnext
push kernel32
push GetProcAddress
mov Process32Next, eax
push offset pfirst
push kernel32
push GetProcAddress
mov Process32First, eax
push offset pe32
push lpSnapshot
call dword ptr Process32First
.while 01h
push offset pe32
push lpSnapshot
call dword ptr Process32Next
.if eax == 00h
invoke DPrint, pe32.th32ProcessID, 01h ; that line is useless yeah you're right
.break
.endif
invoke DPrint, pe32.th32ProcessID, 01h
.continue
.endw


And here is my variables:

Code Select Expand


.data
pe32 PROCESSENTRY32 <>

pnext db "Process32Next", 00h
pfirst db "Process32First", 00h
libk db "kernel32", 00h
.data?
Process32First dd ?
Process32Next dd ?
lpSnapshot HANDLE ?
kernel32 HANDLE ?


But the problem is that the program crash...
And when I print the address of Process32Next retrieved by GetProcAddress it is different from the one retrieved by my program that basically retrieve functions addresses inside DLLs.

The funniest I think is that when I directly call the address of the functions that I got from my external program, those functions returns 0 and GetLastError return "242".
Imagine how frustrated  I was when I discovered that the error 242 doesn't exist hahaha.

So I don't really know how to solve that problem...

(I actually have some headhaches so I might did something really stupid but at least I tried to solve the problem for at least 45minutes, so be comprehensive haha...).
Thanks.

-

I SOLVED THE PROBLEM BUT I CAN'T DELETE THE TOPIC SO...
BUT I JUST FORGOT TO SET THE FIELD dwSize IN THE PROCESSENTRY32 STRUCTURE HAHA
THANKS FOR READING BUT SORRY FOR THE USELESS TOPIC

[aw27]

So I understood that there isn't Process32Next, Process32First and others function to list modules and processes in kernel32.inc (if someone can explain me why I would be glad to know because I'm a bit confused).

Someone may have deleted them from your kernel32.inc file. 
They deleted from mine as well.   

[jj2007]

Someone may have deleted them from your kernel32.inc file. 

Yes, there are really evil people around

Btw is this supposed to be French?

La mort prouve l'immortalité car l'homme ne peut pas plus cesser d'être que le néant de peut cesser de ne pas être

Un vrai Français rit à en crever quand il voit de telles bêtises.

[sinsi]

http://masm32.com/board/index.php?topic=4526.msg48443#msg48443

[aw27]

http://masm32.com/board/index.php?topic=4526.msg48443#msg48443

Yeah, everyone needs to fix their own.

[aw27]

Un vrai Français rit à en crever quand il voit de telles bêtises.

M. Macron would be happy to know that.

[hutch--]

There has always been a technique to discover various API functions, LoadLibrary(), GetProcAddress(). Identify the system DLL with LoadLibrary and test if the function is available with GetProcAddress. Once you have it IF it is available on the particular OS version, then get its arguments AND any structures required and write the code.

You could also write a simple app that does the test for you by passing 2 string arguments on the command line.

[aw27]

There is the /DELAYLOAD linker switch too, but does not work with kernel32 functions.

[hutch--]

I did a quick toy to test for procedures in a DLL.

http://masm32.com/board/index.php?topic=8210.msg89984#new

[acake]

Btw is this supposed to be French?

La mort prouve l'immortalité car l'homme ne peut pas plus cesser d'être que le néant de peut cesser de ne pas être

Un vrai Français rit à en crever quand il voit de telles bêtises.

Oui c'est du français, une citation d'Eliphas Levi ;).
"Un vrai Français rit à en crever quand il voit de telles bêtises" comment ça "de telles bêtises" ? Serais-tu entrain de juger les écrit de l'un de mes philosophes préféré haha :( ?

Or maybe you don't speak French, I guess you do.

[acake]

And is there any way to delete my own topic on that forum ?
I actually can't now but maybe I need some reputation (that would be kinda stupid) or anything like that no ?

[hutch--]

It is blocked off due to people getting the answer they wanted then deleting the thread. Once they would delete the thread including answers that other members made, that will not happen again.

[jj2007]

Oui c'est du français, une citation d'Eliphas Levi ;).

You should at least cite him correctly: "la mort prouve l'immortalité, puisque l'être ne peut pas plus cesser d'être que le néant ne peut cesser de ne pas être"

It basically push the string "WinExec\0" into the stack at "[ebp-4]"

So you have given up the idea to use WinExec, and now you are trying your luck with the Process32* stuff?

include \masm32\MasmBasic\MasmBasic.inc         ; download
Init
  Print "ct", Tb$, "ID", Tb$, "path"
  For_ ecx=0 To GetProcessArray(?)-1
       Print Str$("\n%i\t", ecx), Str$(MbProcID(ecx)), Tb$, MbProc$(ecx)
  Next
  If_ FindProcess("Explorer.exe") Then MsgBox 0, Str$("FindProcess returned ID %i\n", [eax.PROCESSENTRY32.th32ProcessID]), "Hi", MB_OK
EndOfCode

Code Select Expand

ct      ID      path
0       1600    C:\Windows\System32\taskhost.exe
1       2132    C:\Windows\System32\dwm.exe
2       2160    C:\Windows\explorer.exe
3       3032    C:\Program Files (x86)\AutoHotkey\AutoHotkey.exe
...

[aw27]

No matter what is the theme, what is the thread and how everything begun in the end everybody will receive their portion of Masm Basic crapware. JJ2007 is in complete despair.

[aw27]

What I read was:
"la mort prouve l'immortalité, puisque l'être ne peut pas plus cesser d'être que le néant ne peut cesser de ne pas être"
May be it was from a different book edition.