Hi,all
UASM64. This is a simple application to find which DLLs have been loaded by a process. If you run it with administrator authority, it can also find some DLLs of system processes.
Enjoy yourselves!
regards
six_L
edit : +KillProcess
Very nice :thumbsup:
Can you make it kill a process in the list?
Hi six_L
Nice application. Would you share the source?
Biterider :thumbsup:
Hi six_L,
Very nice application, thanks :thumbsup:
Hi,HSE/Biterider/Vortex
Thank you for your friendly words. I am very happy that you liked it.
Notes:
1, Since M$ doesn't make the "DEBUG_BUFFER" STRUCT public, it may be wrong, but the "DEBUG_MODULE_INFORMATION" and "DEBUG_MODULE" definitions are correct.
2, The "RichEdit" control is used so the whole output can be shown.
3, It can't query or kill system processes.
GetProcessList.asm
option casemap:none
option win64:7
include \UASM64\include\windows.inc
include \UASM64\include\commctrl.inc
include \UASM64\include\tlhelp32.inc
includelib \UASM64\Lib\kernel32.lib
includelib \UASM64\Lib\user32.lib
includelib \UASM64\Lib\gdi32.lib
includelib \UASM64\Lib\advapi32.lib
; Privilege LUID plus attribute flags, declared locally instead of taken
; from the includes. Filled by LookupPrivilegeValue in AdjustToken.
xLUID_AND_ATTRIBUTES STRUCT
LowPart DWORD ?                         ; low half of the 64-bit LUID
HighPart DWORD ?                        ; high half of the LUID
attributes DWORD ?                      ; AdjustToken stores SE_PRIVILEGE_ENABLED here
xLUID_AND_ATTRIBUTES ENDS
; TOKEN_PRIVILEGES with room for exactly one privilege entry; passed to
; AdjustTokenPrivileges by AdjustToken (privilegecount is always 1 there).
xTOKEN_PRIVILEGES STRUCT
privilegecount DWORD ?                  ; number of entries that follow (1)
theluid xLUID_AND_ATTRIBUTES <?>        ; the single privilege to enable
xTOKEN_PRIVILEGES ENDS
; One loaded module as returned by RtlQueryProcessDebugInformation with
; PDI_MODULES; the author reports this layout as correct on 64-bit Windows.
; _GetProcessModules prints ImageBase, ImageSize and FullPathName and walks
; an array of these entries by sizeof DEBUG_MODULE.
DEBUG_MODULE STRUCT
Section HANDLE ? ;
MappedBase PVOID ? ;
ImageBase PVOID ? ;                     ; printed as "BaseAddress"
ImageSize ULONG ? ;                     ; printed as "Size ... bytes"
Flags ULONG ? ;
LoadOrderIndex USHORT ? ;
InitOrderIndex USHORT ? ;
LoadCount USHORT ? ;
OffsetToFileName USHORT ? ;             ; presumably the file-name offset inside FullPathName; unused here - confirm
FullPathName db 256 dup(?)              ; printed with %s, so it is assumed NUL-terminated within 256 bytes
DEBUG_MODULE ENDS
PDEBUG_MODULE typedef ptr DEBUG_MODULE
; Module list header embedded in DEBUG_BUFFER: a count followed by an inline
; array of DEBUG_MODULE entries (only the first is declared; _GetProcessModules
; advances by sizeof DEBUG_MODULE for NumberOfModules entries).
DEBUG_MODULE_INFORMATION STRUCT
NumberOfModules ULONG ? ;               ; entries in the array below
Modules DEBUG_MODULE <>                 ; first element of the array
DEBUG_MODULE_INFORMATION ENDS
PDEBUG_MODULE_INFORMATION typedef ptr DEBUG_MODULE_INFORMATION
; Buffer returned by RtlCreateQueryDebugBuffer. The layout is not published
; by Microsoft (author's note); only ModuleInformation is read by this program.
; With 8-byte member alignment (the author builds with uasm -Zp8) the
; ModuleInformation member lands at offset 0D0h, which matches the address
; printed in the thread below (ending in ...0D0h). The 'Unknown' padding is
; what makes that offset come out right on the author's 64-bit system.
DEBUG_BUFFER STRUCT
SectionHandle HANDLE ?
ViewBaseClient PVOID ?
ViewBaseTarget PVOID ?
ViewBaseDelta ULONG_PTR ?
EventPairClient HANDLE ?
EventPairTarget HANDLE ?
TargetProcessHandle HANDLE ?
TargetThreadHandle HANDLE ?
Unknown dq 14 dup(?)                    ; reverse-engineered padding, see header comment
Flags ULONG ?
OffsetFree SIZE_T ?
CommitSize SIZE_T ?
ViewSize SIZE_T ?
ModuleInformation DEBUG_MODULE_INFORMATION <>   ; the only member this program reads
BackTraceInformation dq ?
HeapInformation dq ?
LockInformation dq ?
VerifierOptions dq ?
ProcessHeap dq ?
CriticalSectionHandle dq ?
CriticalSectionOwnerThread dq ?
Reserved dq ?
DEBUG_BUFFER ENDS
PDEBUG_BUFFER typedef ptr DEBUG_BUFFER
; Prototypes for the three undocumented ntdll exports that GetNtdllFunctions
; resolves at run time (they are not in the import libraries). All three
; return an NTSTATUS in eax: negative means failure, and they do not set
; the Win32 last-error value.
; NOTE(review): on 64-bit Windows the first parameter of
; RtlQueryProcessDebugInformation is generally described as pointer-sized;
; passing a DWORD works here because invoke zero-extends into rcx - confirm.
RtlQueryProcessDebugInformation typedef PROTO ProcessId:DWORD,PDI_MODULES:DWORD,buf:PVOID
@RtlQueryProcessDebugInformation typedef ptr RtlQueryProcessDebugInformation
; (MaximumCommit, UseEventPair) - called with NULL, FALSE in _GetProcessModules
RtlCreateQueryDebugBuffer typedef PROTO :DWORD,xtype:DWORD
@RtlCreateQueryDebugBuffer typedef ptr RtlCreateQueryDebugBuffer
; releases a buffer obtained from RtlCreateQueryDebugBuffer
RtlDestroyQueryDebugBuffer typedef PROTO buf:PVOID
@RtlDestroyQueryDebugBuffer typedef ptr RtlDestroyQueryDebugBuffer
; Resource and control ids; the values must agree with the #defines in rcrc.rc.
ICO_MAIN equ 1000h                      ; application icon
DLG_MAIN equ 1000                       ; main dialog template
IDC_CLEAR equ 1004                      ; "Cls" button
IDC_GETPROC equ 1005                    ; "GetProcess" button
IDC_LIST equ 1006                       ; SysListView32 control
; popup-menu command ids (not in the .rc; the menu is built at run time)
IDM_PROCESS equ 1011
IDM_PARENTPROCESS equ 1012
IDM_KILLPROCESS equ 1013
IDC_INPUT equ 1007                      ; child id of the RichEdit created in WM_INITDIALOG
IDD_BMP1 equ 8001                       ; menu item bitmaps
IDD_BMP2 equ 8002
IDD_BMP3 equ 8003
; flag for RtlQueryProcessDebugInformation requesting the module list
PDI_MODULES equ 01
.data
dqListIndex dq 0                        ; rows currently in the list view; 0 means empty (IDC_GETPROC refuses to refresh otherwise)
debug_buf dq 0                          ; buffer from RtlCreateQueryDebugBuffer, only valid inside _GetProcessModules
.data?
hInstance dq ?                          ; module handle of this executable
hNtdll dq ?                             ; ntdll.dll base from GetModuleHandle (no reference is taken)
g_hList dq ?                            ; IDC_LIST list-view window
ListBuf dq ?                            ; 1024-byte scratch buffer from HeapAlloc, shared by AddItemInt and GetfocusItemStr
hHeap dq ?                              ; process heap
hSnapshot dq ?                          ; toolhelp snapshot, only valid inside _GetProcList
hListMenu dq ?                          ; right-click popup menu of the list view
hMain dq ?                              ; main dialog window
hRichEditDLL dq ?                       ; msftedit.dll, loaded for the RichEdit50W class
hRichEdit dq ?                          ; RichEdit50W output control (child id IDC_INPUT)
; ntdll function pointers, resolved by GetNtdllFunctions; NULL until then
pRtlQueryProcessDebugInformation @RtlQueryProcessDebugInformation ?
pRtlCreateQueryDebugBuffer @RtlCreateQueryDebugBuffer ?
pRtlDestroyQueryDebugBuffer @RtlDestroyQueryDebugBuffer ?
.code
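;-----------------------------------------------------------------------
; ErrorMessage(lpCaption)
; Shows a message box with the system text for the calling thread's
; GetLastError value; lpCaption becomes the box title.
; In:    lpCaption = ANSI caption string
; Out:   rax = result of the last API call (callers ignore it)
; Note:  call it directly after the failing API, before anything else
;        overwrites the last-error value. If FormatMessage has no text
;        for the code, a fixed fallback is shown instead of an
;        uninitialised pointer.
;-----------------------------------------------------------------------
ErrorMessage Proc lpCaption:qword
    Local dwErrCode:DWORD
    Local lpErrorMessage:QWORD

    call    GetLastError
    mov     dwErrCode, eax              ; keep it: invoke may use rax while loading stack args
    mov     lpErrorMessage, 0           ; FormatMessage leaves this untouched on failure
    invoke  FormatMessage, FORMAT_MESSAGE_ALLOCATE_BUFFER or FORMAT_MESSAGE_FROM_SYSTEM or FORMAT_MESSAGE_IGNORE_INSERTS, \
            NULL, dwErrCode, LANG_NEUTRAL, addr lpErrorMessage, 0, NULL
    .if rax == 0 || lpErrorMessage == 0
        invoke  MessageBox, 0, CStr("Unknown error"), lpCaption, MB_OK
    .else
        invoke  MessageBox, 0, lpErrorMessage, lpCaption, MB_OK
        invoke  LocalFree, lpErrorMessage   ; buffer was allocated by FormatMessage
    .endif
    ret
ErrorMessage EndP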
;-----------------------------------------------------------------------
; GetNtdllFunctions()
; Resolves the three undocumented ntdll exports into the pRtl* globals.
; Out:   rax = 0 on success, 1 if ntdll or any export was not found
;        (a message box has already been shown in that case)
; Note:  GetModuleHandle takes no reference on ntdll, so hNtdll must
;        never be passed to FreeLibrary.
;-----------------------------------------------------------------------
GetNtdllFunctions proc
    invoke  GetModuleHandle, CStr("ntdll.dll")
    test    rax, rax
    jz      @NoNtdll
    mov     hNtdll, rax

    invoke  GetProcAddress, hNtdll, CStr("RtlQueryProcessDebugInformation")
    mov     pRtlQueryProcessDebugInformation, rax
    test    rax, rax
    jz      @NoQuery

    invoke  GetProcAddress, hNtdll, CStr("RtlCreateQueryDebugBuffer")
    mov     pRtlCreateQueryDebugBuffer, rax
    test    rax, rax
    jz      @NoCreate

    invoke  GetProcAddress, hNtdll, CStr("RtlDestroyQueryDebugBuffer")
    mov     pRtlDestroyQueryDebugBuffer, rax
    test    rax, rax
    jz      @NoDestroy

    xor     eax, eax                    ; success
    ret

    ; failure paths: report, then return 1
@NoNtdll:
    invoke  MessageBox, NULL, CStr("ntdll.dll load Failed"), CStr("GetModuleHandle"), MB_OK
    jmp     @Err
@NoQuery:
    invoke  ErrorMessage, CStr("RtlQueryProcessDebugInformation")
    jmp     @Err
@NoCreate:
    invoke  ErrorMessage, CStr("RtlCreateQueryDebugBuffer")
    jmp     @Err
@NoDestroy:
    invoke  ErrorMessage, CStr("RtlDestroyQueryDebugBuffer")
@Err:
    mov     eax, 1
    ret
GetNtdllFunctions endp
;-----------------------------------------------------------------------
; AddItem(iRow, iCol, tdata)
; Writes the text tdata into cell (iRow, iCol) of g_hList. Column 0
; inserts a new row (LVM_INSERTITEM); other columns fill a sub-item of
; an existing row (LVM_SETITEM). The row is then scrolled into view.
; In:    iRow, iCol = zero-based cell; tdata = ANSI string
; Out:   rax = LVM_ENSUREVISIBLE result
;-----------------------------------------------------------------------
AddItem proc iRow:QWORD, iCol:QWORD, tdata:QWORD
    LOCAL lvi:LV_ITEM
    LOCAL uMsg:DWORD

    mov     uMsg, LVM_SETITEM
    .if iCol == 0
        mov     uMsg, LVM_INSERTITEM    ; first column creates the row
    .endif

    invoke  lstrlen, tdata
    inc     eax                         ; include the terminator
    mov     lvi.cchTextMax, eax
    mov     lvi.mask_, LVIF_TEXT
    mov     rax, iRow
    mov     lvi.iItem, eax
    mov     rax, iCol
    mov     lvi.iSubItem, eax
    mov     rax, tdata
    mov     lvi.pszText, rax

    invoke  SendMessage, g_hList, uMsg, 0, addr lvi
    invoke  SendMessage, g_hList, LVM_ENSUREVISIBLE, iRow, FALSE
    ret
AddItem endp
;-----------------------------------------------------------------------
; AddItemInt(iRow, iCol, tdword)
; Formats tdword as a signed decimal into the shared ListBuf and stores
; it in cell (iRow, iCol) via AddItem.
; Out:   rax = AddItem result
;-----------------------------------------------------------------------
AddItemInt proc iRow:QWORD, iCol:QWORD, tdword:QWORD
    mov     rax, ListBuf
    invoke  wsprintf, rax, CStr('%i'), tdword
    invoke  AddItem, iRow, iCol, ListBuf
    ret
AddItemInt endp
;-----------------------------------------------------------------------
; AddColumn(tdata, cnum, wth)
; Inserts report column cnum into g_hList with caption tdata. A non-zero
; wth also sets the column width (LVCF_WIDTH); zero keeps the default.
; Out:   rax = LVM_INSERTCOLUMN result (column index or -1)
;-----------------------------------------------------------------------
AddColumn proc tdata:QWORD, cnum:QWORD, wth:QWORD
    LOCAL col:LV_COLUMN

    mov     rax, tdata
    mov     col.pszText, rax
    invoke  lstrlen, tdata
    inc     eax
    mov     col.cchTextMax, eax

    ; build the mask in eax: text always, width only when requested
    mov     eax, LVCF_TEXT
    mov     rcx, wth
    mov     col.cx_, ecx
    .if ecx != 0
        or      eax, LVCF_WIDTH
    .endif
    mov     col.mask_, eax

    invoke  SendMessage, g_hList, LVM_INSERTCOLUMN, cnum, addr col
    ret
AddColumn endp
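;-----------------------------------------------------------------------
; GetfocusItemStr(hList, subitem)
; Copies the text of column subitem of the focused row into ListBuf.
; In:    hList = list view; subitem = column index
; Out:   rax = ListBuf, or 0 when no row has focus or the cell is empty
; Note:  cchTextMax is capped to 1024, the size HeapAlloc gives ListBuf
;        in WM_INITDIALOG; the previous 1500 let LVM_GETITEMTEXT write
;        past the buffer. Callers must test for 0 before using the pointer.
;-----------------------------------------------------------------------
GetfocusItemStr proc hList:QWORD, subitem:QWORD
    LOCAL lvi:LV_ITEM
    LOCAL iItem:DWORD

    invoke  SendMessage, hList, LVM_GETNEXTITEM, -1, LVNI_FOCUSED
    .if eax == -1
        xor     eax, eax                ; nothing focused
        ret
    .endif
    mov     iItem, eax

    mov     lvi.mask_, LVIF_TEXT
    mov     rax, subitem
    mov     lvi.iSubItem, eax
    mov     rax, ListBuf
    mov     lvi.pszText, rax
    mov     lvi.cchTextMax, 1024        ; must not exceed the ListBuf allocation
    invoke  SendMessage, hList, LVM_GETITEMTEXT, iItem, addr lvi
    .if rax == 0
        xor     eax, eax
    .else
        mov     rax, ListBuf
    .endif
    ret
GetfocusItemStr endp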
;-----------------------------------------------------------------------
; InitListView(Fontcolor, BKcolor, Recvcolor)
; Applies full-row-select/grid-lines styling and the three colours to
; g_hList, then creates the four report columns.
; In:    Fontcolor = text colour, BKcolor = background, Recvcolor = text background
; Out:   rax = result of the last AddColumn
;-----------------------------------------------------------------------
InitListView proc Fontcolor:QWORD, BKcolor:QWORD, Recvcolor:QWORD
    ; appearance
    invoke  SendMessage, g_hList, LVM_SETEXTENDEDLISTVIEWSTYLE, 0, LVS_EX_FULLROWSELECT or LVS_EX_GRIDLINES
    invoke  SendMessage, g_hList, LVM_SETTEXTCOLOR, 0, Fontcolor
    invoke  SendMessage, g_hList, LVM_SETBKCOLOR, 0, BKcolor
    invoke  SendMessage, g_hList, LVM_SETTEXTBKCOLOR, 0, Recvcolor
    ; columns: index, name, pid, parent pid
    invoke  AddColumn, CStr('Index'), 0, 45
    invoke  AddColumn, CStr('ProcessName'), 1, 300
    invoke  AddColumn, CStr('Process_id'), 2, 100
    invoke  AddColumn, CStr('ParentProcess_id'), 3, 120
    ret
InitListView endp
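;-----------------------------------------------------------------------
; AdjustToken(lpszPrivilege)
; Enables the named privilege (e.g. "SeDebugPrivilege") in the current
; process token.
; In:    lpszPrivilege = ANSI privilege name
; Out:   rax = TRUE if the privilege is now enabled, FALSE otherwise
;        (an ErrorMessage box has been shown)
; Note:  AdjustTokenPrivileges returns success even when the caller does
;        not hold the privilege and only reports ERROR_NOT_ALL_ASSIGNED
;        through GetLastError; that case is treated as failure here, so a
;        non-elevated run is reported instead of silently continuing.
;        The token handle is closed on every path.
;-----------------------------------------------------------------------
AdjustToken proc lpszPrivilege:QWORD
    LOCAL hProcessHandle:QWORD
    LOCAL hToken:QWORD
    LOCAL luidPriv:xLUID_AND_ATTRIBUTES
    LOCAL tkp:xTOKEN_PRIVILEGES

    invoke  GetCurrentProcess           ; pseudo-handle, needs no CloseHandle
    mov     hProcessHandle, rax
    invoke  OpenProcessToken, hProcessHandle, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
    .if rax == 0
        invoke  ErrorMessage, CStr("OpenProcessToken")
        mov     rax, FALSE
        ret
    .endif

    invoke  LookupPrivilegeValue, NULL, lpszPrivilege, addr luidPriv
    .if rax == 0
        invoke  ErrorMessage, CStr("LookupPrivilegeValue")
        jmp     @Fail
    .endif

    ; one entry: the looked-up LUID with SE_PRIVILEGE_ENABLED
    mov     tkp.privilegecount, 1
    mov     eax, luidPriv.LowPart
    mov     tkp.theluid.LowPart, eax
    mov     eax, luidPriv.HighPart
    mov     tkp.theluid.HighPart, eax
    mov     tkp.theluid.attributes, SE_PRIVILEGE_ENABLED

    invoke  AdjustTokenPrivileges, hToken, FALSE, addr tkp, sizeof tkp, NULL, NULL
    .if rax == 0
        invoke  ErrorMessage, CStr("AdjustTokenPrivileges")
        jmp     @Fail
    .endif
    call    GetLastError                ; success return still needs this check
    .if eax == ERROR_NOT_ALL_ASSIGNED
        invoke  ErrorMessage, CStr("AdjustTokenPrivileges")
        jmp     @Fail
    .endif

    invoke  CloseHandle, hToken
    mov     rax, TRUE
    ret

@Fail:
    invoke  CloseHandle, hToken
    mov     rax, FALSE
    ret
AdjustToken endp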
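;-----------------------------------------------------------------------
; _GetProcList() - thread procedure started by Refresh
; Clears g_hList and fills one row per process from a toolhelp snapshot:
; index (1-based), exe name, pid, parent pid. dqListIndex ends as the
; row count.
; In:    (lpParameter in rcx is ignored)
; Out:   rax = thread exit code: 0, or 1 if the snapshot could not be taken
; Note:  runs on its own thread; SendMessage to the list view is
;        synchronous, and ListBuf is shared with the UI thread.
;-----------------------------------------------------------------------
_GetProcList proc USES rbx
    LOCAL pe:PROCESSENTRY32

    invoke  SendMessage, g_hList, LVM_DELETEALLITEMS, 0, 0
    mov     dqListIndex, 0
    mov     pe.dwSize, sizeof pe        ; required before Process32First
    invoke  CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    .if rax == INVALID_HANDLE_VALUE
        invoke  ErrorMessage, CStr("CreateToolhelp32Snapshot")
        mov     rax, 1
        ret
    .endif
    mov     hSnapshot, rax

    invoke  Process32First, hSnapshot, addr pe
    .while rax
        mov     rbx, dqListIndex
        inc     rbx                     ; displayed index starts at 1
        invoke  AddItemInt, dqListIndex, 0, rbx
        invoke  AddItem, dqListIndex, 1, addr pe.szExeFile
        invoke  AddItemInt, dqListIndex, 2, pe.th32ProcessID
        invoke  AddItemInt, dqListIndex, 3, pe.th32ParentProcessID
        inc     dqListIndex
        invoke  Process32Next, hSnapshot, addr pe
    .endw

    invoke  CloseHandle, hSnapshot
    xor     eax, eax
    ret
_GetProcList endp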
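;-----------------------------------------------------------------------
; atodq(String) - parse a decimal string into a signed 64-bit value
; In:    String = NUL-terminated ANSI string, optional leading '-'
; Out:   rax = value; 0 for an empty or NULL string
; Note:  no overflow or non-digit checking: every byte up to the NUL is
;        treated as a digit, as in the original. A NULL pointer now
;        returns 0 instead of faulting (GetfocusItemStr can return 0).
; Regs:  rcx = accumulated magnitude, rdx = 0 (positive) / -1 (negative)
;-----------------------------------------------------------------------
atodq proc uses rsi rdi String:QWORD
    xor     eax, eax
    mov     rsi, String
    test    rsi, rsi
    jz      @Done                       ; NULL -> 0
    xor     ecx, ecx
    xor     edx, edx
    mov     al, [rsi]
    inc     rsi
    cmp     al, 2Dh                     ; '-'
    jne     @Next
    not     rdx                         ; remember the sign
    mov     al, [rsi]
    inc     rsi
    jmp     @Next
@Digit:
    sub     al, 30h                     ; '0'
    lea     rcx, [rcx + rcx*4]          ; rcx *= 5
    lea     rcx, [rax + rcx*2]          ; rcx = rcx*10 + digit (rax high bytes are 0)
    mov     al, [rsi]
    inc     rsi
@Next:
    test    al, al
    jnz     @Digit
    lea     rax, [rdx + rcx]            ; negative: rcx - 1
    xor     rax, rdx                    ; negative: ~(rcx - 1) = -rcx
@Done:
    ret
atodq endp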
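;-----------------------------------------------------------------------
; _GetProcessModules(pId)
; Lists the modules loaded in process pId in the IDC_INPUT RichEdit:
; "<n>), Module: <path>, BaseAddress: <64-bit hex>, Size: <bytes>".
; In:    pId = process id
; Out:   rax = RtlDestroyQueryDebugBuffer result, or 0 if no buffer was obtained
; Notes: - the Rtl* calls return an NTSTATUS in eax (upper rax undefined)
;          and do not set last-error; the previous '.if rax < 0' was an
;          unsigned compare that never took the error path, so the
;          status is now tested with a signed check and shown directly.
;        - a NULL buffer or zero module count is handled (the old
;          .repeat loop always ran at least once).
;        - ImageBase is printed with %016IX so the full 64-bit address
;          is visible; %08X truncated it.
;-----------------------------------------------------------------------
_GetProcessModules proc uses rbx rsi rdi r12 pId:DWORD
    Local szTmp[1024]:BYTE
    Local dwDllCount:DWORD

    invoke  pRtlCreateQueryDebugBuffer, NULL, FALSE
    .if rax == NULL
        invoke  MessageBox, hMain, CStr("RtlCreateQueryDebugBuffer failed"), CStr("GetProcessList"), MB_OK
        xor     eax, eax
        ret
    .endif
    mov     debug_buf, rax

    invoke  pRtlQueryProcessDebugInformation, pId, PDI_MODULES, debug_buf
    test    eax, eax                    ; NTSTATUS: sign bit set = failure
    .if SIGN?
        mov     ebx, eax                ; keep the status across the invoke
        invoke  wsprintf, addr szTmp, CStr("RtlQueryProcessDebugInformation failed, NTSTATUS=%08Xh"), rbx
        invoke  MessageBox, hMain, addr szTmp, CStr("GetProcessList"), MB_OK
    .else
        invoke  SetDlgItemText, hMain, IDC_INPUT, NULL   ; clear the output control
        mov     rbx, debug_buf
        lea     rsi, (DEBUG_BUFFER PTR [rbx]).ModuleInformation
        mov     eax, (DEBUG_MODULE_INFORMATION PTR [rsi]).NumberOfModules
        mov     dwDllCount, eax
        lea     r12, (DEBUG_MODULE_INFORMATION PTR [rsi]).Modules   ; r12 = current DEBUG_MODULE
        xor     edi, edi                ; rdi = zero-based module index
        .while edi < dwDllCount
            lea     rbx, [rdi + 1]      ; list from 1, not 0
            invoke  wsprintf, addr szTmp, CStr("%02d), Module: %s, BaseAddress: %016IXh, Size: %u bytes",13,10), \
                    rbx, addr (DEBUG_MODULE PTR [r12]).FullPathName, (DEBUG_MODULE PTR [r12]).ImageBase, \
                    (DEBUG_MODULE PTR [r12]).ImageSize
            ; append at the end of the RichEdit text and keep the caret visible
            invoke  SendDlgItemMessage, hMain, IDC_INPUT, EM_SETSEL, -1, -1
            invoke  SendDlgItemMessage, hMain, IDC_INPUT, EM_REPLACESEL, FALSE, addr szTmp
            invoke  SendDlgItemMessage, hMain, IDC_INPUT, EM_SCROLLCARET, 0, 0
            add     r12, sizeof DEBUG_MODULE
            inc     edi
        .endw
    .endif

    invoke  pRtlDestroyQueryDebugBuffer, debug_buf
    mov     debug_buf, 0                ; stale pointer must not survive
    ret
_GetProcessModules endp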
;-----------------------------------------------------------------------
; Refresh()
; Starts _GetProcList on a worker thread and drops the thread handle at
; once (fire and forget; the thread runs until _GetProcList returns).
; Out:   rax = CloseHandle result
;-----------------------------------------------------------------------
Refresh proc
    invoke  CreateThread, 0, 0, addr _GetProcList, 0, 0, 0
    mov     rcx, rax
    invoke  CloseHandle, rcx
    ret
Refresh endp
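;-----------------------------------------------------------------------
; INT_PTR _ProcDlgMain(HWND hWnd, UINT wMsg, WPARAM wParam, LPARAM lParam)
; Dialog procedure of DLG_MAIN.
;   WM_INITDIALOG  creates the RichEdit output, list-view columns and the
;                  popup menu, enables SeDebugPrivilege, resolves ntdll.
;   WM_CONTEXTMENU shows the popup menu when the list is not empty.
;   WM_COMMAND     buttons and popup-menu ids (see the equ block).
;   WM_CLOSE       frees ListBuf and the menu, then ends the dialog.
; Out:   rax = TRUE if the message was handled, else FALSE
; Notes: - HFONT/HBITMAP/HMENU are not kernel handles; the old CloseHandle
;          calls on them were invalid (they raise under a debugger) and
;          the objects must anyway outlive the controls that use them,
;          so they are simply kept for the dialog's lifetime.
;        - hNtdll comes from GetModuleHandle, which takes no reference,
;          so it is not passed to FreeLibrary.
;        - Kill-FocusedProcess runs with SeDebugPrivilege enabled: it now
;          asks for confirmation, checks OpenProcess, and closes the handle.
;        - the worker started by Refresh may still be using ListBuf when
;          WM_CLOSE frees it; pre-existing, not addressed here.
;-----------------------------------------------------------------------
_ProcDlgMain Proc USES rsi rdi hWnd:qword, wMsg:dword, wParam:qword, lParam:qword
    Local hBmp:HANDLE
    Local hFont:HANDLE
    Local hProc:HANDLE

    mov     eax, wMsg
    .if eax == WM_INITDIALOG
        mov     rax, hWnd
        mov     hMain, rax
        invoke  LoadIcon, hInstance, ICO_MAIN
        invoke  SendMessage, hWnd, WM_SETICON, ICON_BIG, rax

        ; shared text buffer; GetfocusItemStr limits reads to this size
        invoke  HeapAlloc, hHeap, HEAP_ZERO_MEMORY, 1024
        mov     ListBuf, rax

        invoke  GetDlgItem, hWnd, IDC_LIST
        mov     g_hList, rax
        invoke  InitListView, 0FF00h, 0, 0

        ; output control; the class comes from msftedit.dll loaded at startup
        invoke  CreateWindowEx, WS_EX_CLIENTEDGE, CStr("RichEdit50W"), NULL, \
                ES_LEFT or ES_MULTILINE or ES_WANTRETURN or ES_READONLY or ES_AUTOHSCROLL or ES_AUTOVSCROLL \
                or WS_VSCROLL or WS_HSCROLL or WS_VISIBLE or WS_CHILD, \
                7, 230, 597, 188, hWnd, IDC_INPUT, hInstance, NULL
        mov     hRichEdit, rax
        .if rax == NULL
            invoke  ErrorMessage, CStr("CreateWindowEx RichEdit50W")
        .endif

        invoke  CreateFont, 15, 0, 0, 0, 0, FALSE, FALSE, FALSE, \
                DEFAULT_CHARSET, OUT_DEFAULT_PRECIS, CLIP_DEFAULT_PRECIS, \
                DEFAULT_QUALITY, FIXED_PITCH, CStr("Cambria")
        mov     hFont, rax
        invoke  SendMessage, hRichEdit, WM_SETFONT, hFont, 0   ; control keeps using the HFONT

        ; popup menu; the bitmaps are referenced, not copied, so they stay alive
        invoke  CreatePopupMenu
        mov     hListMenu, rax
        invoke  AppendMenu, hListMenu, MF_STRING, IDM_PROCESS, CStr(" Get-Process-Modules")
        invoke  AppendMenu, hListMenu, MF_STRING, IDM_PARENTPROCESS, CStr(" Get-ParentProcess-Modules")
        invoke  AppendMenu, hListMenu, MF_SEPARATOR, 0, NULL
        invoke  AppendMenu, hListMenu, MF_STRING, IDM_KILLPROCESS, CStr(" Kill-FocusedProcess")
        invoke  LoadImage, hInstance, IDD_BMP1, IMAGE_BITMAP, 0, 0, LR_LOADTRANSPARENT
        mov     hBmp, rax
        invoke  SetMenuItemBitmaps, hListMenu, IDM_PROCESS, MF_BYCOMMAND, hBmp, NULL
        invoke  LoadImage, hInstance, IDD_BMP2, IMAGE_BITMAP, 0, 0, LR_LOADTRANSPARENT
        mov     hBmp, rax
        invoke  SetMenuItemBitmaps, hListMenu, IDM_PARENTPROCESS, MF_BYCOMMAND, hBmp, NULL
        invoke  LoadImage, hInstance, IDD_BMP3, IMAGE_BITMAP, 0, 0, LR_LOADTRANSPARENT
        mov     hBmp, rax
        invoke  SetMenuItemBitmaps, hListMenu, IDM_KILLPROCESS, MF_BYCOMMAND, hBmp, NULL

        ; SeDebugPrivilege is needed to query/kill other users' processes;
        ; AdjustToken reports when it is not granted (non-elevated run)
        invoke  AdjustToken, CStr("SeDebugPrivilege")
        invoke  GetNtdllFunctions       ; failure leaves pRtl* NULL, checked before use

    .elseif eax == WM_CONTEXTMENU
        invoke  SendMessage, g_hList, LVM_GETITEMCOUNT, 0, 0
        .if eax != 0
            ; screen coordinates are the signed 16-bit halves of lParam
            movsx   esi, word ptr lParam
            movsx   edi, word ptr lParam+2
            invoke  TrackPopupMenu, hListMenu, TPM_LEFTALIGN, esi, edi, NULL, hWnd, NULL
        .endif

    .elseif eax == WM_COMMAND
        mov     rax, wParam
        .if ax == IDCANCEL
            ; go through WM_CLOSE so the cleanup there runs exactly once
            invoke  SendMessage, hWnd, WM_CLOSE, 0, 0

        .elseif ax == IDC_GETPROC
            .if dqListIndex == 0
                invoke  Refresh
            .else
                invoke  MessageBox, 0, CStr('Please Clear the List'), CStr('GetProcessList'), MB_OK
            .endif

        .elseif ax == IDC_CLEAR
            mov     dqListIndex, 0
            invoke  SendMessage, g_hList, LVM_DELETEALLITEMS, 0, 0
            invoke  SetDlgItemText, hMain, IDC_INPUT, NULL

        .elseif ax == IDM_PROCESS || ax == IDM_PARENTPROCESS
            mov     esi, 2              ; column holding Process_id
            .if ax == IDM_PARENTPROCESS
                mov     esi, 3          ; column holding ParentProcess_id
            .endif
            ; all three pointers are set in order, so the last one tells whether GetNtdllFunctions succeeded
            .if pRtlDestroyQueryDebugBuffer == 0
                invoke  MessageBox, hWnd, CStr("ntdll functions not available"), CStr("GetProcessList"), MB_OK
            .else
                invoke  GetfocusItemStr, g_hList, rsi
                .if rax != 0            ; 0 = no focused row
                    invoke  atodq, rax
                    invoke  _GetProcessModules, eax
                .endif
            .endif

        .elseif ax == IDM_KILLPROCESS
            invoke  GetfocusItemStr, g_hList, 2
            .if rax != 0
                invoke  atodq, rax
                mov     rdi, rax        ; rdi = pid
                invoke  wsprintf, ListBuf, CStr("Terminate process %u ?"), rdi
                invoke  MessageBox, hWnd, ListBuf, CStr("TerminateProcess"), MB_YESNO or MB_ICONWARNING
                .if eax == IDYES
                    invoke  OpenProcess, PROCESS_TERMINATE, FALSE, edi
                    .if rax == NULL
                        invoke  ErrorMessage, CStr("OpenProcess")
                    .else
                        mov     hProc, rax
                        invoke  TerminateProcess, hProc, 1
                        .if rax != 0
                            invoke  MessageBox, NULL, CStr("Killed the Process"), CStr("TerminateProcess"), MB_OK or MB_ICONASTERISK
                            invoke  CloseHandle, hProc
                            invoke  Refresh
                        .else
                            invoke  ErrorMessage, CStr("TerminateProcess")
                            invoke  CloseHandle, hProc   ; after ErrorMessage so last-error is intact
                        .endif
                    .endif
                .endif
            .endif
        .endif

    .elseif eax == WM_CLOSE
        invoke  HeapFree, hHeap, 0, ListBuf     ; HEAP_ZERO_MEMORY is not a HeapFree flag
        invoke  DestroyMenu, hListMenu          ; menu handle, not a kernel handle
        invoke  EndDialog, hWnd, NULL

    .else
        mov     rax, FALSE
        ret
    .endif
    mov     rax, TRUE
    ret
_ProcDlgMain endp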
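;-----------------------------------------------------------------------
; WinMainCRTStartup() - process entry point (no CRT)
; Loads msftedit.dll (provides the "RichEdit50W" class the dialog
; creates), records the module handle and process heap, runs DLG_MAIN
; modally and exits.
; Exit code: 0 normally, 1 if msftedit.dll could not be loaded (without
;            it CreateWindowEx in WM_INITDIALOG would fail silently).
;-----------------------------------------------------------------------
WinMainCRTStartup Proc
    invoke  GetModuleHandle, NULL
    mov     hInstance, rax
    invoke  LoadLibrary, CStr("msftedit.dll")
    mov     hRichEditDLL, rax
    .if rax == NULL
        invoke  ErrorMessage, CStr("LoadLibrary msftedit.dll")
        invoke  ExitProcess, 1
    .endif
    invoke  GetProcessHeap
    mov     hHeap, rax
    invoke  DialogBoxParam, hInstance, DLG_MAIN, NULL, offset _ProcDlgMain, NULL
    invoke  FreeLibrary, hRichEditDLL
    invoke  ExitProcess, 0
WinMainCRTStartup Endp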
end
rcrc.rc:
#include <\UASM64\include\resource.h>
// Resource and control ids; the values must agree with the equ block in GetProcessList.asm
#define ICO_MAIN 0x1000
#define DLG_MAIN 1000
#define IDC_CLEAR 1004
#define IDC_GETPROC 1005
#define IDC_LIST 1006
#define IDC_INPUT 1007
#define IDD_BMP1 8001
#define IDD_BMP2 8002
#define IDD_BMP3 8003
ICO_MAIN ICON "Amain.ico"
// Main dialog; the RichEdit output (IDC_INPUT) is created at run time in WM_INITDIALOG, not here
DLG_MAIN DIALOG 293, 180, 350, 227
STYLE DS_MODALFRAME | DS_CENTER | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME
CAPTION "GetProcessList"
FONT 10, "Cambria"
{
// process table filled by _GetProcList
CONTROL "List1",IDC_LIST,"SysListView32", LVS_REPORT | WS_BORDER | WS_TABSTOP,5,2,339,105
PUSHBUTTON "Exit(&X)", IDCANCEL, 315,108,30, 14
// 0x50010000 = WS_CHILD | WS_VISIBLE | WS_TABSTOP
CONTROL "GetProcess",IDC_GETPROC,"Button",0x50010000,4,108,40,13
CONTROL "Cls",IDC_CLEAR,"Button",0x50010000,45,108,30,13
}
// bitmaps shown next to the popup-menu items
IDD_BMP1 BITMAP DISCARDABLE "menu1.bmp"
IDD_BMP2 BITMAP DISCARDABLE "menu2.bmp"
IDD_BMP3 BITMAP DISCARDABLE "menu3.bmp"
1 24 "manifest.xml" // manifest file
Quote from: six_L on June 23, 2023, 01:42:40 AM
Notes:
1, Since M$ doesn't make the "DEBUG_BUFFER" STRUCT public, it may be wrong, but the "DEBUG_MODULE_INFORMATION" and "DEBUG_MODULE" definitions are correct.
Regarding the _DEBUG_BUFFER structure, this may be helpful:
https://doxygen.reactos.org/d0/ddb/struct__DEBUG__BUFFER.html
https://evilcodecave.wordpress.com/tag/pdebug_buffer/
:biggrin: I have a little crazy problem.
This message works perfectly if it only sets the width, but goes nowhere if it sets the text:
mov ncol.mask_, 0;LVCF_TEXT
.IF ncol.cx_ != 0h
or ncol.mask_, LVCF_WIDTH
.ENDIF
invoke SendMessage, g_hList, LVM_INSERTCOLUMN, cnum, addr ncol
mov rax,tdata
mov ncol.pszText,rax
invoke lstrlen, tdata
inc rax
mov ncol.cchTextMax, Eax
mov ncol.mask_,LVCF_TEXT
invoke SendMessage, g_hList, LVM_INSERTCOLUMN, cnum, addr ncol
Any idea?
Thanks in advance, HSE.
Quote from: HSE on June 24, 2023, 04:19:12 AM
:biggrin: I have a little crazy problem.
This message works perfectly if it only sets the width, but goes nowhere if it sets the text:
mov ncol.mask_, 0;LVCF_TEXT
.IF ncol.cx_ != 0h
or ncol.mask_, LVCF_WIDTH
.ENDIF
invoke SendMessage, g_hList, LVM_INSERTCOLUMN, cnum, addr ncol
mov rax,tdata
mov ncol.pszText,rax
invoke lstrlen, tdata
inc rax
mov ncol.cchTextMax, Eax
mov ncol.mask_,LVCF_TEXT
invoke SendMessage, g_hList, LVM_INSERTCOLUMN, cnum, addr ncol
Any idea?
Thanks in advance, HSE.
Not really ...
However, the cchTextMax member is not necessary if you want to set the text.
Quote
cchTextMax
Type: int
Size in TCHARs of the buffer pointed to by the pszText member. If the structure is not receiving information about a column, this member is ignored.
:biggrin: There is something wrong with the LV_COLUMN structure in the includes:
mov ncol.pszText, rax
...
mov ncol.cchTextMax, Eax
Six_L's build says: mov qword ptr [rbp-10H], rax
...
mov dword ptr [rbp-8H], eax
here it says: mov qword ptr [rbp-14], rax
...
mov dword ptr [rbp-C], eax
Thanks.
Quote from: HSE on June 24, 2023, 06:16:53 AM
here it says: mov qword ptr [rbp-14], rax
...
mov dword ptr [rbp-C], eax
I'm no expert in Windows programming anymore, but a struct member of type QWORD is always ( in both Win32 and Win64 ) assumed to also be aligned on a QWORD boundary - IOW: the offset of such a member within the struct must end with either 0 or 8.
Thanks Baron!
Quote from: _japheth on June 24, 2023, 04:04:07 PM
assumed to also be aligned on a QWORD boundary
:thumbsup: Exactly that was missing in structure:
Quote
LVCOLUMNA struct
mask_ DWORD ?
fmt DWORD ?
cx_ DWORD ?
align 8
pszText LPSTR ?
cchTextMax DWORD ?
iSubItem DWORD ?
if (_WIN32_IE ge 0300h)
iImage DWORD ?
iOrder DWORD ?
endif
LVCOLUMNA ends
Still not working; perhaps other structures have the same problem in UAsm's WinInc 2.10
Hi,Greenhorn
Quote
Regarding the _DEBUG_BUFFER structure, this may be helpful:
https://doxygen.reactos.org/d0/ddb/struct__DEBUG__BUFFER.html
https://evilcodecave.wordpress.com/tag/pdebug_buffer/
Thanks for your help.
But that _DEBUG_BUFFER probably works only on a 32-bit system.
; 32-bit-era _DEBUG_BUFFER layout as posted for comparison. The author's
; test below shows its ModuleInformation offset (…048h) does not match
; the one that works on 64-bit Windows (…0D0h).
DEBUG_BUFFER_1 STRUCT
SectionHandle HANDLE ? ;
SectionBase PVOID ?
RemoteSectionBase PVOID ?
SectionBaseDelta ULONG ?
EventPairHandle HANDLE ?
Unknown2 ULONG ?
RemoteThreadHandle HANDLE ?
InfoClassMask ULONG ?
SizeOfInfo ULONG ?
AllocatedSize ULONG ?
SectionSize ULONG ?
ModuleInformation PVOID ?               ; a pointer here, an embedded struct in the 64-bit layout
BackTraceInformation PVOID ?
HeapInformation PVOID ?
LockInformation PVOID ?
Reserved PVOID ?
DEBUG_BUFFER_1 ENDS
PDEBUG_BUFFER_1 typedef ptr DEBUG_BUFFER_1
Quote
mov rbx,debug_buf
lea rsi,(DEBUG_BUFFER PTR [rbx]).ModuleInformation
lea rdi,(DEBUG_BUFFER_1 PTR [rbx]).ModuleInformation
invoke wsprintf,ADDR szTmp,CStr("STRUCT1=%016IXh, STRUCT2= %016IXh",13,10),rsi,rdi
result :
Quote
STRUCT1=000001B97AF200D0h, STRUCT2= 000001B97AF20048h
Hi,HSE
Quote
Still not working, perhaps other structures have the same problem in UAsm's WinInc 2.10
uasm64 -c -win64 -Zp8
when compiling the source.
Quote from: six_L on June 25, 2023, 01:29:02 AM
uasm64 -c -win64 -Zp8
when compiling the source.
:thumbsup:
I assumed that wouldn't work because it must be the default for win64 :biggrin:
According to the documentation from the links, the structure should be defined like this:
; _DEBUG_BUFFER as transcribed from the linked documentation (ReactOS /
; blog); the author reports in the next post that this layout still
; gives the wrong ModuleInformation offset on 64-bit Windows.
_DEBUG_BUFFER STRUCT
SectionHandle HANDLE ? ;
SectionBase PVOID ?
RemoteSectionBase PVOID ?
SectionBaseDelta ULONG ?
EventPairHandle HANDLE ?
Unknown ULONG 2 dup (?)                 ; "ULONG Unknown[2];" in the C declaration
RemoteThreadHandle HANDLE ?
InfoClassMask ULONG ?
SizeOfInfo ULONG ?
AllocatedSize ULONG ?
SectionSize ULONG ?
ModuleInformation PVOID ?
BackTraceInformation PVOID ?
HeapInformation PVOID ?
LockInformation PVOID ?
Reserved PVOID 8 dup (?)                ; "PVOID Reserved[8];"
_DEBUG_BUFFER ENDS
PDEBUG_BUFFER typedef ptr _DEBUG_BUFFER
Hi,Greenhorn
Thank you. Now I know that " ULONG Unknown[2];" --> "Unknown ULONG 2 dup (?)"
But the test result is still not right on a 64-bit system.
; The layout that works for the author on 64-bit Windows (same as in
; GetProcessList.asm); ModuleInformation is an embedded struct and,
; with -Zp8, sits at offset 0D0h as the test output below shows.
DEBUG_BUFFER STRUCT
SectionHandle HANDLE ?
ViewBaseClient PVOID ?
ViewBaseTarget PVOID ?
ViewBaseDelta ULONG_PTR ?
EventPairClient HANDLE ?
EventPairTarget HANDLE ?
TargetProcessHandle HANDLE ?
TargetThreadHandle HANDLE ?
Unknown dq 14 dup(?)                    ; padding found by experiment
Flags ULONG ?
OffsetFree SIZE_T ?
CommitSize SIZE_T ?
ViewSize SIZE_T ?
ModuleInformation DEBUG_MODULE_INFORMATION <>   ; the member the program reads
BackTraceInformation dq ?
HeapInformation dq ?
LockInformation dq ?
VerifierOptions dq ?
ProcessHeap dq ?
CriticalSectionHandle dq ?
CriticalSectionOwnerThread dq ?
Reserved dq ?
DEBUG_BUFFER ENDS
PDEBUG_BUFFER typedef ptr DEBUG_BUFFER
; Documentation layout (with the Unknown[2] fix) kept side by side for
; the comparison below; marked "error" because its ModuleInformation
; resolves to …048h instead of …0D0h.
DEBUG_BUFFER_1 STRUCT
SectionHandle HANDLE ? ;
SectionBase PVOID ?
RemoteSectionBase PVOID ?
SectionBaseDelta ULONG ?
EventPairHandle HANDLE ?
Unknown ULONG 2 dup (?)
RemoteThreadHandle HANDLE ?
InfoClassMask ULONG ?
SizeOfInfo ULONG ?
AllocatedSize ULONG ?
SectionSize ULONG ?
ModuleInformation PVOID ?
BackTraceInformation PVOID ?
HeapInformation PVOID ?
LockInformation PVOID ?
Reserved PVOID 8 dup (?)
DEBUG_BUFFER_1 ENDS
PDEBUG_BUFFER_1 typedef ptr DEBUG_BUFFER_1
...
mov rbx,debug_buf
lea rsi,(DEBUG_BUFFER PTR [rbx]).ModuleInformation ;right
lea rdi,(DEBUG_BUFFER_1 PTR [rbx]).ModuleInformation ;error
invoke wsprintf,ADDR szTmp,CStr("STRUCT1= %016IXh, STRUCT2= %016IXh",13,10),rsi,rdi
Quote
STRUCT1= 0000029A05E900D0h, STRUCT2= 0000029A05E90048h
Quote from: Greenhorn on June 23, 2023, 05:40:54 PM
Regarding the _DEBUG_BUFFER structure, this may be helpful:
https://doxygen.reactos.org/d0/ddb/struct__DEBUG__BUFFER.html
ReactOS is an operating system unrelated to Windows!!
(perhaps some ideas :biggrin: )
Quote from: HSE on June 25, 2023, 02:14:23 PM
ReactOS is an operating system unrelated to Windows!!
Yeah, it's completely unrelated :badgrin: