
found some DLL in process

Started by six_L, June 21, 2023, 02:26:02 AM


six_L

Hi,all
UASM64. This is a simple application that finds which DLLs have been loaded by a process. If you run it with administrator rights, it can also find the DLLs of some system processes.

Enjoy yourselves!

regards
six_L

edit : +KillProcess
Say you, Say me, Say the codes together for ever.

HSE

Very nice  :thumbsup:

Can you make to kill a process in the list?
Equations in Assembly: SmplMath

Biterider

Hi six_L
Nice application. Would you share the source?

Biterider  :thumbsup:

Vortex

Hi six_L,

Very nice application, thanks :thumbsup:

six_L

Hi,HSE/Biterider/Vortex
Thank your friendly words. I am very happy that you have liked it.

prompt:
1. Since M$ does not publicly document the "DEBUG_BUFFER STRUCT", my definition may contain errors, but "DEBUG_MODULE_INFORMATION" and "DEBUG_MODULE" are correct.
2. A "RichEdit" control is used so that the whole output can be shown.
3. It can't query or kill system processes.

GetProcessList.asm
option casemap:none
option win64:7

include \UASM64\include\windows.inc
include \UASM64\include\commctrl.inc
include \UASM64\include\tlhelp32.inc

includelib \UASM64\Lib\kernel32.lib
includelib \UASM64\Lib\user32.lib
includelib \UASM64\Lib\gdi32.lib
includelib \UASM64\Lib\advapi32.lib

; Local definitions used by AdjustToken to build the argument for
; AdjustTokenPrivileges. The first two DWORDs receive the LUID written by
; LookupPrivilegeValue; "attributes" carries SE_PRIVILEGE_ENABLED.
xLUID_AND_ATTRIBUTES STRUCT
LowPart DWORD      ?                    ; low half of the privilege LUID
HighPart DWORD      ?                   ; high half of the privilege LUID
attributes DWORD      ?                 ; privilege attribute flags
xLUID_AND_ATTRIBUTES ENDS

; Privilege list with room for exactly one entry (privilegecount is set to 1
; by AdjustToken).
xTOKEN_PRIVILEGES STRUCT
privilegecount DWORD      ?             ; number of entries that follow
theluid xLUID_AND_ATTRIBUTES   <?>      ; the single privilege entry
xTOKEN_PRIVILEGES ENDS

; One record per loaded module, as read by _GetProcessModules from the
; buffer filled by RtlQueryProcessDebugInformation. Only FullPathName,
; ImageBase and ImageSize are used by this program.
DEBUG_MODULE STRUCT
Section HANDLE ? ;
MappedBase PVOID ? ;
ImageBase PVOID ? ;                     ; printed as "BaseAddress"
ImageSize ULONG ? ;                     ; printed as "Size"
Flags ULONG ? ;
LoadOrderIndex USHORT ? ;
InitOrderIndex USHORT ? ;
LoadCount USHORT ? ;
OffsetToFileName USHORT ?
FullPathName db 256 dup(?)              ; fixed 256-byte path field, printed with %s
DEBUG_MODULE ENDS
PDEBUG_MODULE typedef ptr DEBUG_MODULE

; Module count followed by the first DEBUG_MODULE record; the reader walks
; further records by adding sizeof DEBUG_MODULE.
DEBUG_MODULE_INFORMATION STRUCT
NumberOfModules ULONG ? ;               ; loop bound used by _GetProcessModules
        Modules DEBUG_MODULE <>
DEBUG_MODULE_INFORMATION ENDS
PDEBUG_MODULE_INFORMATION typedef ptr DEBUG_MODULE_INFORMATION

; Header of the query buffer returned by RtlCreateQueryDebugBuffer.
; NOTE(review): the author states this layout is not publicly documented and
; may be wrong. _GetProcessModules relies on the offset of ModuleInformation
; that results from these field sizes (including the 14 "Unknown" qwords), so
; a layout change in ntdll would make it read unrelated memory - verify on
; each targeted Windows build.
DEBUG_BUFFER STRUCT
SectionHandle        HANDLE ?
        ViewBaseClient       PVOID ?
        ViewBaseTarget       PVOID ?
        ViewBaseDelta        ULONG_PTR ?
        EventPairClient      HANDLE ?
        EventPairTarget      HANDLE ?
        TargetProcessHandle  HANDLE ?
        TargetThreadHandle   HANDLE ?
       
Unknown              dq 14 dup(?)       ; filler; meaning not known to the author

        Flags      ULONG ?
        OffsetFree           SIZE_T ?
        CommitSize           SIZE_T ?
        ViewSize             SIZE_T ?
        ModuleInformation    DEBUG_MODULE_INFORMATION <>   ; embedded, not a pointer, in this definition

        BackTraceInformation dq ?
        HeapInformation      dq ?
        LockInformation      dq ?
VerifierOptions      dq ?
ProcessHeap      dq ?
CriticalSectionHandle dq ?
CriticalSectionOwnerThread dq ?
        Reserved             dq ?
DEBUG_BUFFER ENDS
PDEBUG_BUFFER typedef ptr DEBUG_BUFFER

; Prototypes for three ntdll routines that are resolved at run time with
; GetProcAddress (see GetNtdllFunctions) and called through the pointer
; variables pRtl* declared in .data?.
; NOTE(review): the parameter widths below are the author's; these routines
; are not part of the documented Win32 API, so confirm them against a
; reference header before relying on them.
RtlQueryProcessDebugInformation typedef PROTO ProcessId:DWORD,PDI_MODULES:DWORD,buf:PVOID
@RtlQueryProcessDebugInformation typedef ptr RtlQueryProcessDebugInformation

RtlCreateQueryDebugBuffer typedef PROTO :DWORD,xtype:DWORD
@RtlCreateQueryDebugBuffer typedef ptr RtlCreateQueryDebugBuffer

RtlDestroyQueryDebugBuffer typedef PROTO buf:PVOID
@RtlDestroyQueryDebugBuffer typedef ptr RtlDestroyQueryDebugBuffer

; Resource and control identifiers; the ICO_/DLG_/IDC_/IDD_ values must match
; the #defines in the resource script.
ICO_MAIN equ 1000h                      ; application icon
DLG_MAIN equ 1000                       ; main dialog template
IDC_CLEAR equ 1004                      ; "Cls" button
IDC_GETPROC equ 1005                    ; "GetProcess" button
IDC_LIST equ 1006                       ; process list view
; Command IDs of the popup menu that _ProcDlgMain builds with AppendMenu.
IDM_PROCESS equ 1011                    ; list modules of the focused process
IDM_PARENTPROCESS equ 1012              ; list modules of its parent process
IDM_KILLPROCESS equ 1013                ; terminate the focused process
IDC_INPUT equ 1007                      ; RichEdit output control (created in code)
IDD_BMP1 equ 8001                       ; menu bitmaps
IDD_BMP2 equ 8002
IDD_BMP3 equ 8003

; Flag passed as second argument to RtlQueryProcessDebugInformation.
PDI_MODULES equ 01

.data
        dqListIndex dq 0                ; next list-view row; 0 also means "list is empty" for IDC_GETPROC
debug_buf dq 0                          ; buffer returned by RtlCreateQueryDebugBuffer

.data?
hInstance dq ?                          ; module handle of this executable
hNtdll dq ?                             ; from GetModuleHandle("ntdll.dll")
g_hList dq ?                            ; list-view control (IDC_LIST)
ListBuf dq ?                            ; 1024-byte heap buffer allocated in WM_INITDIALOG;
                                        ; written by AddItemInt (worker thread) and
                                        ; GetfocusItemStr (UI thread) without locking
hHeap dq ?                              ; process heap
hSnapshot dq ?                          ; Toolhelp snapshot used by _GetProcList
hListMenu dq ?                          ; popup menu shown on WM_CONTEXTMENU
hMain dq ?                              ; main dialog window
hRichEditDLL dq ?                       ; msftedit.dll module handle
hRichEdit dq ?                          ; RichEdit output control

; Run-time resolved ntdll entry points; they stay zero if GetNtdllFunctions fails.
pRtlQueryProcessDebugInformation @RtlQueryProcessDebugInformation ?
pRtlCreateQueryDebugBuffer @RtlCreateQueryDebugBuffer ?
pRtlDestroyQueryDebugBuffer @RtlDestroyQueryDebugBuffer ?

.code

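;-----------------------------------------------------------------------
; ErrorMessage - show the system text for the calling thread's last error
; In:    lpCaption = pointer to the message-box caption string
; Out:   rax is not meaningful
; Note:  call it directly after the failing Win32 API, before any other
;        call can overwrite the last-error value.
;-----------------------------------------------------------------------
ErrorMessage Proc USES RBX lpCaption:qword
    Local lpErrorMessage:QWORD
    Local dwError:DWORD

    invoke  GetLastError
    mov     dwError, eax
    mov     lpErrorMessage, 0           ; never hand an uninitialised pointer to MessageBox/LocalFree
    lea     rbx, lpErrorMessage
    ; IGNORE_INSERTS: system messages may contain %1-style inserts and no
    ; argument array is supplied here.
    invoke  FormatMessage, FORMAT_MESSAGE_ALLOCATE_BUFFER or FORMAT_MESSAGE_FROM_SYSTEM or FORMAT_MESSAGE_IGNORE_INSERTS, NULL, dwError, LANG_NEUTRAL, rbx, 0, NULL
    .if eax != 0
        invoke  MessageBox, 0, lpErrorMessage, lpCaption, MB_OK
        invoke  LocalFree, lpErrorMessage
    .else
        ; no text available for this error code
        invoke  MessageBox, 0, CStr("Unknown error"), lpCaption, MB_OK
    .endif
    ret

ErrorMessage EndP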

;-----------------------------------------------------------------------
; GetNtdllFunctions - resolve the three Rtl*DebugBuffer entry points
; Out:   rax = 0 on success, 1 if ntdll or any export could not be found
; Sets:  hNtdll, pRtlQueryProcessDebugInformation,
;        pRtlCreateQueryDebugBuffer, pRtlDestroyQueryDebugBuffer
; Note:  each pointer variable is written even when the lookup fails, so a
;        failed lookup leaves NULL in it.
;-----------------------------------------------------------------------
GetNtdllFunctions proc

    ; ntdll base
    invoke  GetModuleHandle, CStr("ntdll.dll")
    test    rax, rax
    jnz     @HaveNtdll
    invoke  MessageBox, NULL, CStr("ntdll.dll load Failed"), CStr("GetModuleHandle"), MB_OK
    jmp     @Failed

@HaveNtdll:
    mov     hNtdll, rax

    ; RtlQueryProcessDebugInformation
    invoke  GetProcAddress, hNtdll, CStr("RtlQueryProcessDebugInformation")
    mov     pRtlQueryProcessDebugInformation, rax
    test    rax, rax
    jnz     @F
    invoke  ErrorMessage, CStr("RtlQueryProcessDebugInformation")
    jmp     @Failed
@@:
    ; RtlCreateQueryDebugBuffer
    invoke  GetProcAddress, hNtdll, CStr("RtlCreateQueryDebugBuffer")
    mov     pRtlCreateQueryDebugBuffer, rax
    test    rax, rax
    jnz     @F
    invoke  ErrorMessage, CStr("RtlCreateQueryDebugBuffer")
    jmp     @Failed
@@:
    ; RtlDestroyQueryDebugBuffer
    invoke  GetProcAddress, hNtdll, CStr("RtlDestroyQueryDebugBuffer")
    mov     pRtlDestroyQueryDebugBuffer, rax
    test    rax, rax
    jnz     @F
    invoke  ErrorMessage, CStr("RtlDestroyQueryDebugBuffer")
    jmp     @Failed
@@:
    xor     eax, eax                    ; rax = 0: all pointers resolved
    ret

@Failed:
    mov     eax, 1                      ; rax = 1: at least one lookup failed
    ret

GetNtdllFunctions endp

;-----------------------------------------------------------------------
; AddItem - put a text into one cell of the list view g_hList
; In:    iRow  = row index
;        iCol  = column index; column 0 inserts a new row, any other
;                column updates an existing row
;        tdata = pointer to the zero-terminated text
; Out:   rax = result of the final LVM_ENSUREVISIBLE message
;-----------------------------------------------------------------------
AddItem proc iRow:QWORD, iCol:QWORD, tdata:QWORD
    LOCAL newitem:LV_ITEM
    LOCAL lstmsg:DWORD

    ; text pointer and its length including the terminator
    invoke  lstrlen, tdata
    inc     eax
    mov     newitem.cchTextMax, eax
    mov     rax, tdata
    mov     newitem.pszText, rax

    ; cell coordinates; only the text member is marked valid
    mov     eax, dword ptr iCol
    mov     newitem.iSubItem, eax
    mov     eax, dword ptr iRow
    mov     newitem.iItem, eax
    mov     newitem.mask_, LVIF_TEXT

    ; first column creates the row, the others fill it
    mov     lstmsg, LVM_SETITEM
    cmp     iCol, 0
    jne     @F
    mov     lstmsg, LVM_INSERTITEM
@@:
    invoke  SendMessage, g_hList, lstmsg, 0, addr newitem
    invoke  SendMessage, g_hList, LVM_ENSUREVISIBLE, iRow, FALSE
    ret

AddItem endp

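;-----------------------------------------------------------------------
; AddItemInt - format an integer as decimal text and store it in a cell
; In:    iRow, iCol = target cell (see AddItem)
;        tdword     = value; printed with "%i"
; Out:   rax = result of AddItem
; Note:  the text is built in a stack buffer instead of the global ListBuf.
;        This procedure runs on the worker thread started by Refresh while
;        the dialog thread uses ListBuf in GetfocusItemStr, and ListBuf may
;        be NULL if its allocation failed.
;-----------------------------------------------------------------------
AddItemInt proc iRow:QWORD, iCol:QWORD, tdword:QWORD
    LOCAL szNum[32]:BYTE                ; "%i" needs at most 12 bytes

    invoke  wsprintf, addr szNum, CStr('%i'), tdword
    invoke  AddItem, iRow, iCol, addr szNum
    ret

AddItemInt endp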

;-----------------------------------------------------------------------
; AddColumn - insert a column into the list view g_hList
; In:    tdata = pointer to the zero-terminated header text
;        cnum  = column index
;        wth   = column width; 0 leaves the width unset
; Out:   rax = result of LVM_INSERTCOLUMN
; Note:  the thread below reports that LV_COLUMN.pszText lands at the wrong
;        offset unless the source is assembled with -Zp8.
;-----------------------------------------------------------------------
AddColumn proc tdata:QWORD, cnum:QWORD, wth:QWORD
    LOCAL ncol:LV_COLUMN

    ; header text and its length including the terminator
    invoke  lstrlen, tdata
    inc     eax
    mov     ncol.cchTextMax, eax
    mov     rax, tdata
    mov     ncol.pszText, rax
    mov     ncol.mask_, LVCF_TEXT

    ; width is only marked valid when it is non-zero
    mov     eax, dword ptr wth
    mov     ncol.cx_, eax
    test    eax, eax
    jz      @F
    or      ncol.mask_, LVCF_WIDTH
@@:
    invoke  SendMessage, g_hList, LVM_INSERTCOLUMN, cnum, addr ncol
    ret

AddColumn endp

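;-----------------------------------------------------------------------
; GetfocusItemStr - fetch the text of one column of the focused row
; In:    hList   = list-view window handle
;        subitem = column index
; Out:   rax = ListBuf (text copied there), or 0 if there is no buffer,
;              no focused row, or the cell is empty
; Note:  callers must test rax for 0 before parsing the text.
;-----------------------------------------------------------------------
GetfocusItemStr proc hList:QWORD, subitem:QWORD
    LOCAL lvitem:LV_ITEM
    Local item:DWORD

    cmp     ListBuf, 0                  ; allocation in WM_INITDIALOG may have failed
    je      @NoText

    invoke  SendMessage, hList, LVM_GETNEXTITEM, -1, LVNI_FOCUSED
    cmp     eax, -1                     ; -1 = no row has the focus
    je      @NoText
    mov     item, eax

    mov     lvitem.mask_, LVIF_TEXT
    mov     eax, dword ptr subitem
    mov     lvitem.iSubItem, eax
    mov     rax, ListBuf
    mov     lvitem.pszText, rax
    ; must not exceed the 1024 bytes that WM_INITDIALOG allocates for
    ; ListBuf (the original passed 1500, which allows a heap overrun)
    mov     lvitem.cchTextMax, 1024
    invoke  SendMessage, hList, LVM_GETITEMTEXT, item, addr lvitem
    test    rax, rax                    ; number of characters copied
    jz      @NoText
    mov     rax, ListBuf
    ret

@NoText:
    xor     eax, eax
    ret

GetfocusItemStr endp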

;-----------------------------------------------------------------------
; InitListView - set style, colours and the four columns of g_hList
; In:    Fontcolor = text colour
;        BKcolor   = control background colour
;        Recvcolor = text background colour
; Out:   rax = result of the last AddColumn call
;-----------------------------------------------------------------------
InitListView proc Fontcolor:QWORD, BKcolor:QWORD, Recvcolor:QWORD

    ; full-row selection with grid lines
    invoke  SendMessage, g_hList, LVM_SETEXTENDEDLISTVIEWSTYLE, 0, LVS_EX_FULLROWSELECT or LVS_EX_GRIDLINES

    ; colours
    invoke  SendMessage, g_hList, LVM_SETTEXTCOLOR, 0, Fontcolor
    invoke  SendMessage, g_hList, LVM_SETBKCOLOR, 0, BKcolor
    invoke  SendMessage, g_hList, LVM_SETTEXTBKCOLOR, 0, Recvcolor

    ; columns: header text, index, width
    invoke  AddColumn, CStr('Index'), 0, 45
    invoke  AddColumn, CStr('ProcessName'), 1, 300
    invoke  AddColumn, CStr('Process_id'), 2, 100
    invoke  AddColumn, CStr('ParentProcess_id'), 3, 120
    ret

InitListView endp

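IFNDEF ERROR_NOT_ALL_ASSIGNED
ERROR_NOT_ALL_ASSIGNED equ 1300
ENDIF

;-----------------------------------------------------------------------
; AdjustToken - enable one privilege in the current process token
; In:    lpszPrivilege = pointer to the privilege name
; Out:   rax = TRUE if the privilege is now enabled, FALSE otherwise
; Notes: AdjustTokenPrivileges reports success even when the token does
;        not hold the requested privilege; that case is only visible as
;        GetLastError() == ERROR_NOT_ALL_ASSIGNED and is returned as FALSE
;        without a message box, since it is the normal non-elevated case.
;        The privilege stays enabled for the rest of the process lifetime;
;        this procedure does not disable it again.
;-----------------------------------------------------------------------
AdjustToken proc lpszPrivilege:QWORD
    LOCAL hProcessHandle:QWORD
    LOCAL hToken:QWORD
    LOCAL dwStatus:DWORD
    LOCAL tkp:xTOKEN_PRIVILEGES

    invoke  GetCurrentProcess
    mov     hProcessHandle, rax

    invoke  OpenProcessToken, hProcessHandle, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
    .if eax == 0                        ; BOOL results are 32-bit
        invoke  ErrorMessage, CStr("OpenProcessToken")
        xor     eax, eax
        ret
    .endif

    ; the LUID is written straight into the single privilege entry
    invoke  LookupPrivilegeValue, NULL, lpszPrivilege, addr tkp.theluid
    .if eax == 0
        invoke  ErrorMessage, CStr("LookupPrivilegeValue")
        invoke  CloseHandle, hToken
        xor     eax, eax
        ret
    .endif

    mov     tkp.privilegecount, 1
    mov     tkp.theluid.attributes, SE_PRIVILEGE_ENABLED

    invoke  AdjustTokenPrivileges, hToken, FALSE, addr tkp, sizeof tkp, NULL, NULL
    .if eax == 0
        invoke  ErrorMessage, CStr("AdjustTokenPrivileges")
        invoke  CloseHandle, hToken
        xor     eax, eax
        ret
    .endif

    ; read the last error before CloseHandle can change it
    invoke  GetLastError
    mov     dwStatus, eax
    invoke  CloseHandle, hToken         ; the original leaked the token handle on success

    .if dwStatus == ERROR_NOT_ALL_ASSIGNED
        xor     eax, eax                ; privilege not held by this token
    .else
        mov     eax, TRUE
    .endif
    ret

AdjustToken endp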

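;-----------------------------------------------------------------------
; _GetProcList - fill the list view with all running processes
; Runs as the thread procedure started by Refresh.
; Out:   rax = thread exit value (result of CloseHandle, or 0 if the
;              snapshot could not be created)
; Uses:  g_hList, hSnapshot, dqListIndex
;-----------------------------------------------------------------------
_GetProcList proc USES rbx
    LOCAL uProcess:PROCESSENTRY32

    invoke  SendMessage, g_hList, LVM_DELETEALLITEMS, 0, 0
    mov     dqListIndex, 0

    invoke  CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    .if rax == INVALID_HANDLE_VALUE     ; failure is -1 here, not NULL
        invoke  ErrorMessage, CStr("CreateToolhelp32Snapshot")
        xor     eax, eax
        ret
    .endif
    mov     hSnapshot, rax

    mov     uProcess.dwSize, sizeof uProcess
    invoke  Process32First, hSnapshot, addr uProcess
    .while eax                          ; BOOL from Process32First/Process32Next
        mov     rbx, dqListIndex
        inc     rbx                     ; displayed index starts at 1
        invoke  AddItemInt, dqListIndex, 0, rbx
        invoke  AddItem, dqListIndex, 1, addr uProcess.szExeFile
        invoke  AddItemInt, dqListIndex, 2, uProcess.th32ProcessID
        invoke  AddItemInt, dqListIndex, 3, uProcess.th32ParentProcessID
        inc     dqListIndex
        ; last call in the body, so eax still holds its result at the loop test
        invoke  Process32Next, hSnapshot, addr uProcess
    .endw
    invoke  CloseHandle, hSnapshot
    ret

_GetProcList endp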

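;-----------------------------------------------------------------------
; atodq - convert a decimal string into a qword value
; In:    String = pointer to a zero-terminated string, optional leading '-'
; Out:   rax = value; 0 if String is NULL or starts with no digit
; Notes: parsing stops at the first character that is not '0'..'9'
;        (the original folded any byte into the result and dereferenced a
;        NULL pointer). Overflow is not detected; the value wraps.
; Clobb: rcx, rdx, flags
;-----------------------------------------------------------------------
atodq proc uses rsi String:QWORD

    xor     eax, eax                    ; rax = current character (upper bits stay 0)
    xor     ecx, ecx                    ; rcx = accumulated value
    xor     edx, edx                    ; rdx = 0 for positive, -1 for negative
    mov     rsi, String
    test    rsi, rsi
    jz      @Done                       ; NULL input -> 0

    mov     al, [rsi]
    inc     rsi
    cmp     al, '-'
    jne     @Check
    not     rdx                         ; remember the sign
    mov     al, [rsi]
    inc     rsi
    jmp     @Check

@Digit:
    lea     rcx, [rcx+4*rcx]            ; rcx = rcx * 5
    lea     rcx, [rax+2*rcx]            ; rcx = rcx * 10 + digit
    mov     al, [rsi]
    inc     rsi
@Check:
    sub     al, '0'
    cmp     al, 9
    jbe     @Digit                      ; unsigned: terminator and non-digits fall through

@Done:
    lea     rax, [rdx+rcx]              ; (value + mask) xor mask negates when mask = -1
    xor     rax, rdx
    ret

atodq endp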

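;-----------------------------------------------------------------------
; _GetProcessModules - list the modules of one process in the RichEdit
; In:    pId = process id
; Out:   rax is not meaningful
; Uses:  debug_buf, hMain, the pRtl* pointers set by GetNtdllFunctions
; Notes: - RtlQueryProcessDebugInformation returns an NTSTATUS in eax; it
;          has to be tested as a signed 32-bit value. The original
;          ".if rax < 0" is an unsigned compare and can never be true.
;        - The module list is located through the DEBUG_BUFFER layout,
;          which the author describes as possibly wrong; NumberOfModules
;          is taken from that buffer without an independent bound.
;-----------------------------------------------------------------------
_GetProcessModules proc uses rbx rsi rdi r12 pId:DWORD
    Local szTmp[1024]:BYTE
    Local dwDllCount:DWORD
    Local ntStatus:DWORD

    ; the pointers stay NULL when GetNtdllFunctions failed
    mov     rax, pRtlCreateQueryDebugBuffer
    test    rax, rax
    jz      @Exit
    mov     rax, pRtlQueryProcessDebugInformation
    test    rax, rax
    jz      @Exit
    mov     rax, pRtlDestroyQueryDebugBuffer
    test    rax, rax
    jz      @Exit

    invoke  pRtlCreateQueryDebugBuffer, NULL, FALSE
    mov     debug_buf, rax
    test    rax, rax
    jz      @Exit                       ; no buffer: nothing to query or destroy

    invoke  pRtlQueryProcessDebugInformation, pId, PDI_MODULES, debug_buf
    mov     ntStatus, eax
    .if sdword ptr eax < 0
        ; the last-error value is not set by this routine, so report the
        ; NTSTATUS itself instead of calling ErrorMessage
        invoke  wsprintf, addr szTmp, CStr("NTSTATUS = %08Xh"), ntStatus
        invoke  MessageBox, hMain, addr szTmp, CStr("RtlQueryProcessDebugInformation"), MB_OK or MB_ICONERROR
    .else
        invoke  SetDlgItemText, hMain, IDC_INPUT, NULL
        mov     rbx, debug_buf
        lea     rsi, (DEBUG_BUFFER PTR [rbx]).ModuleInformation
        mov     eax, (DEBUG_MODULE_INFORMATION PTR [rsi]).NumberOfModules
        mov     dwDllCount, eax
        lea     r12, (DEBUG_MODULE_INFORMATION PTR [rsi]).Modules   ; r12 = current record
        xor     edi, edi                                            ; edi = zero-based index

        ; pre-tested loop: a count of 0 must not run the body (the original
        ; .repeat/.until ran once and then kept walking past the buffer)
        .while edi < dwDllCount
            lea     ebx, [rdi+1]        ; displayed index starts at 1
            ; %016IX prints the full 64-bit base address
            invoke  wsprintf, addr szTmp, CStr("%02d), Module: %s, BaseAddress: %016IXh, Size: %u bytes",13,10),\
                    rbx, addr (DEBUG_MODULE PTR [r12]).FullPathName, (DEBUG_MODULE PTR [r12]).ImageBase,\
                    (DEBUG_MODULE PTR [r12]).ImageSize

            ; append at the end of the control and keep the caret visible
            invoke  SendDlgItemMessage, hMain, IDC_INPUT, EM_SETSEL, -1, -1
            invoke  SendDlgItemMessage, hMain, IDC_INPUT, EM_REPLACESEL, FALSE, addr szTmp
            invoke  SendDlgItemMessage, hMain, IDC_INPUT, EM_SCROLLCARET, 0, 0

            add     r12, sizeof DEBUG_MODULE
            inc     edi
        .endw
    .endif

    invoke  pRtlDestroyQueryDebugBuffer, debug_buf
    mov     debug_buf, 0                ; do not keep a pointer to the released buffer

@Exit:
    ret
_GetProcessModules endp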

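;-----------------------------------------------------------------------
; Refresh - rebuild the process list on a worker thread
; Starts _GetProcList in a new thread and releases the thread handle at
; once; the thread keeps running.
; Out:   rax is not meaningful
;-----------------------------------------------------------------------
Refresh proc
    invoke  CreateThread, NULL, 0, offset _GetProcList, NULL, 0, NULL
    .if rax != 0
        invoke  CloseHandle, rax
    .else
        ; the original passed the NULL handle on to CloseHandle
        invoke  ErrorMessage, CStr("CreateThread")
    .endif
    ret
Refresh endp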

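;-----------------------------------------------------------------------
; _ProcDlgMain - dialog procedure of the main window (DLG_MAIN)
; In:    hWnd, wMsg, wParam, lParam = standard dialog procedure arguments
; Out:   rax = TRUE if the message was handled, FALSE otherwise
; Changes against the posted version:
;   - fonts, bitmaps and menus are not kernel objects, so CloseHandle is no
;     longer called on them; the font and bitmaps also have to stay alive
;     while the control/menu uses them
;   - hNtdll comes from GetModuleHandle, which takes no reference, so it is
;     not passed to FreeLibrary
;   - HeapFree gets flags 0 (HEAP_ZERO_MEMORY is an allocation flag)
;   - results of HeapAlloc, GetNtdllFunctions, GetfocusItemStr and
;     OpenProcess are checked before they are used
;   - the process handle for TerminateProcess is opened non-inheritable
;     and closed again
;   - WM_CONTEXTMENU coordinates are sign-extended
;-----------------------------------------------------------------------
_ProcDlgMain Proc USES rsi rdi hWnd:qword,wMsg:dword,wParam:qword,lParam:qword
    Local hBmp1:HANDLE
    Local hBmp2:HANDLE
    Local hBmp3:HANDLE
    Local hFont:HANDLE

    mov     eax, wMsg
    .if eax == WM_INITDIALOG
        mov     rax, hWnd
        mov     hMain, rax

        invoke  LoadIcon, hInstance, ICO_MAIN
        invoke  SendMessage, hWnd, WM_SETICON, ICON_BIG, rax

        ; shared text buffer used for list-view cell text
        invoke  HeapAlloc, hHeap, HEAP_ZERO_MEMORY, 1024d
        mov     ListBuf, rax
        .if rax == 0
            invoke  MessageBox, hWnd, CStr("Out of memory"), CStr("HeapAlloc"), MB_OK or MB_ICONERROR
            invoke  EndDialog, hWnd, NULL
            mov     rax, TRUE
            ret
        .endif

        invoke  GetDlgItem, hWnd, IDC_LIST
        mov     g_hList, rax
        invoke  InitListView, 0FF00h, 0h, 0h

        ; read-only RichEdit that receives the module list
        invoke  CreateWindowEx, WS_EX_CLIENTEDGE, CStr("RichEdit50W"), NULL,\
                ES_LEFT + ES_MULTILINE + ES_WANTRETURN + ES_READONLY + ES_AUTOHSCROLL + ES_AUTOVSCROLL + WS_VSCROLL + WS_HSCROLL \
                + WS_VISIBLE + WS_CHILD, 7, 230, 597, 188,\
                hWnd, IDC_INPUT, hInstance, NULL
        mov     hRichEdit, rax

        ; the font must outlive the control, so it is not released here
        invoke  CreateFont, 15, 0, 0, 0, 0, FALSE, FALSE, FALSE, \
                DEFAULT_CHARSET, OUT_DEFAULT_PRECIS, CLIP_DEFAULT_PRECIS, \
                DEFAULT_QUALITY, FIXED_PITCH, CStr("Cambria")
        mov     hFont, rax
        invoke  SendMessage, hRichEdit, WM_SETFONT, rax, 0

        invoke  CreatePopupMenu
        mov     hListMenu, rax
        invoke  AppendMenu, hListMenu, MF_STRING, IDM_PROCESS, CStr(" Get-Process-Modules")
        invoke  AppendMenu, hListMenu, MF_STRING, IDM_PARENTPROCESS, CStr(" Get-ParentProcess-Modules")
        invoke  AppendMenu, hListMenu, MF_SEPARATOR, 0, NULL
        invoke  AppendMenu, hListMenu, MF_STRING, IDM_KILLPROCESS, CStr(" Kill-FocusedProcess")

        ; the menu keeps using these bitmaps, so they stay loaded
        invoke  LoadImage, hInstance, IDD_BMP1, IMAGE_BITMAP, 0, 0, LR_LOADTRANSPARENT
        mov     hBmp1, rax
        invoke  SetMenuItemBitmaps, hListMenu, IDM_PROCESS, MF_BYCOMMAND, hBmp1, NULL

        invoke  LoadImage, hInstance, IDD_BMP2, IMAGE_BITMAP, 0, 0, LR_LOADTRANSPARENT
        mov     hBmp2, rax
        invoke  SetMenuItemBitmaps, hListMenu, IDM_PARENTPROCESS, MF_BYCOMMAND, hBmp2, NULL

        invoke  LoadImage, hInstance, IDD_BMP3, IMAGE_BITMAP, 0, 0, LR_LOADTRANSPARENT
        mov     hBmp3, rax
        invoke  SetMenuItemBitmaps, hListMenu, IDM_KILLPROCESS, MF_BYCOMMAND, hBmp3, NULL

        ; result deliberately ignored: without the privilege the tool still
        ; works for processes the user may open anyway
        invoke  AdjustToken, CStr("SeDebugPrivilege")

        ; without the ntdll entry points the module commands cannot work,
        ; so they are greyed out instead of calling through a NULL pointer
        invoke  GetNtdllFunctions
        .if rax != 0
            invoke  EnableMenuItem, hListMenu, IDM_PROCESS, MF_BYCOMMAND or MF_GRAYED
            invoke  EnableMenuItem, hListMenu, IDM_PARENTPROCESS, MF_BYCOMMAND or MF_GRAYED
        .endif

    .elseif eax == WM_CONTEXTMENU
        invoke  SendMessage, g_hList, LVM_GETITEMCOUNT, 0, 0
        .if eax != 0
            ; screen coordinates are signed 16-bit values
            movsx   esi, word ptr [lParam]
            movsx   edi, word ptr [lParam+2]
            invoke  TrackPopupMenu, hListMenu, TPM_LEFTALIGN, esi, edi, NULL, hWnd, NULL
        .endif

    .elseif eax == WM_COMMAND
        mov     rax, wParam
        .if ax == IDCANCEL
            invoke  EndDialog, hWnd, NULL
        .elseif ax == IDC_GETPROC
            .if dqListIndex == 0
                invoke  Refresh
            .else
                invoke  MessageBox, 0, CStr('Please Clear the List'), CStr('GetProcessList'), MB_OK
            .endif
        .elseif ax == IDC_CLEAR
            mov     dqListIndex, 0
            invoke  SendMessage, g_hList, LVM_DELETEALLITEMS, 0h, 0h
            invoke  SetDlgItemText, hMain, IDC_INPUT, NULL
        .elseif ax == IDM_PROCESS
            invoke  GetfocusItemStr, g_hList, 2
            .if rax != 0                ; 0 = no focused row / no text
                invoke  atodq, rax
                invoke  _GetProcessModules, eax
            .endif
        .elseif ax == IDM_PARENTPROCESS
            invoke  GetfocusItemStr, g_hList, 3
            .if rax != 0
                invoke  atodq, rax
                invoke  _GetProcessModules, eax
            .endif
        .elseif ax == IDM_KILLPROCESS
            invoke  GetfocusItemStr, g_hList, 2
            .if rax != 0
                invoke  atodq, rax
                ; only the right that is needed, and not inheritable
                invoke  OpenProcess, PROCESS_TERMINATE, FALSE, eax  ; eax = process id
                .if rax == 0
                    invoke  ErrorMessage, CStr("OpenProcess")
                .else
                    mov     rsi, rax    ; rsi = process handle
                    invoke  TerminateProcess, rsi, 1
                    .if eax != 0
                        invoke  CloseHandle, rsi
                        invoke  MessageBox, NULL, CStr("Killed the Process"), CStr("TerminateProcess"), MB_OK or MB_ICONASTERISK
                        invoke  Refresh
                    .else
                        ; report first, CloseHandle may change the last error
                        invoke  ErrorMessage, CStr("TerminateProcess")
                        invoke  CloseHandle, rsi
                    .endif
                .endif
            .endif
        .endif

    .elseif eax == WM_CLOSE
        invoke  HeapFree, hHeap, 0, ListBuf
        mov     ListBuf, 0
        invoke  DestroyMenu, hListMenu
        invoke  EndDialog, hWnd, NULL

    .else
        mov     rax, FALSE
        ret
    .endif
    mov     rax, TRUE
    ret

_ProcDlgMain endp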

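IFNDEF LOAD_LIBRARY_SEARCH_SYSTEM32
LOAD_LIBRARY_SEARCH_SYSTEM32 equ 00000800h
ENDIF

;-----------------------------------------------------------------------
; WinMainCRTStartup - program entry point
; Loads the RichEdit library, runs the main dialog and exits.
; Notes: msftedit.dll is loaded from the system directory only. A bare
;        LoadLibrary("msftedit.dll") also searches the directory of the
;        executable, which matters for a tool that is meant to be run
;        elevated. LOAD_LIBRARY_SEARCH_SYSTEM32 needs a Windows version
;        that supports the LOAD_LIBRARY_SEARCH_* flags.
;-----------------------------------------------------------------------
WinMainCRTStartup Proc

    invoke  GetModuleHandle, NULL
    mov     hInstance, rax

    invoke  LoadLibraryEx, CStr("msftedit.dll"), NULL, LOAD_LIBRARY_SEARCH_SYSTEM32
    mov     hRichEditDLL, rax
    .if rax == 0
        ; without the library the "RichEdit50W" class cannot be created
        invoke  ErrorMessage, CStr("msftedit.dll")
        invoke  ExitProcess, 1
    .endif

    invoke  GetProcessHeap
    mov     hHeap, rax
    invoke  DialogBoxParam, hInstance, DLG_MAIN, NULL, offset _ProcDlgMain, NULL
    invoke  FreeLibrary, hRichEditDLL
    invoke  ExitProcess, NULL

WinMainCRTStartup  Endp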


end



rcrc.rc:
// Resource script for GetProcessList: icon, main dialog, three menu
// bitmaps and the application manifest.
#include <\UASM64\include\resource.h>

// These values must stay identical to the equates in GetProcessList.asm.
#define ICO_MAIN 0x1000
#define DLG_MAIN 1000
#define IDC_CLEAR 1004
#define IDC_GETPROC 1005
#define IDC_LIST 1006
#define IDC_INPUT 1007
#define IDD_BMP1 8001
#define IDD_BMP2 8002
#define IDD_BMP3 8003

ICO_MAIN ICON "Amain.ico"

// Main dialog. The control with the id IDC_INPUT is not part of the
// template; the assembly source creates it with CreateWindowEx.
DLG_MAIN DIALOG 293, 180, 350, 227
STYLE DS_MODALFRAME | DS_CENTER | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME
CAPTION "GetProcessList"
FONT 10, "Cambria"
{
CONTROL "List1",IDC_LIST,"SysListView32", LVS_REPORT | WS_BORDER | WS_TABSTOP,5,2,339,105
PUSHBUTTON "Exit(&X)", IDCANCEL, 315,108,30, 14
CONTROL "GetProcess",IDC_GETPROC,"Button",0x50010000,4,108,40,13
CONTROL "Cls",IDC_CLEAR,"Button",0x50010000,45,108,30,13
}
// Bitmaps for the three popup-menu commands.
IDD_BMP1 BITMAP DISCARDABLE "menu1.bmp"
IDD_BMP2 BITMAP DISCARDABLE "menu2.bmp"
IDD_BMP3 BITMAP DISCARDABLE "menu3.bmp"
1 24 "manifest.xml"    // manifest file (resource type 24, id 1); its content is not shown in this post
Say you, Say me, Say the codes together for ever.

Greenhorn

Quote from: six_L on June 23, 2023, 01:42:40 AM
prompt:
1, Since M$ doesn't make to public the "DEBUG_BUFFER STRUCT", so it maybe error, but the "DEBUG_MODULE_INFORMATION" and "DEBUG_MODULE" is correct.

Regarding _DEBUG_BUFFER structure this is maybe helpful:
https://doxygen.reactos.org/d0/ddb/struct__DEBUG__BUFFER.html
https://evilcodecave.wordpress.com/tag/pdebug_buffer/
Kole Feut un Nordenwind gift en krusen Büdel un en lütten Pint.

HSE

 :biggrin: I have a little crazy problem.

This message works perfectly if it only sets the width, but goes nowhere if it sets the text:

Code (Perfect) Select
mov ncol.mask_, 0;LVCF_TEXT
.IF ncol.cx_ != 0h
or ncol.mask_, LVCF_WIDTH
.ENDIF
invoke SendMessage, g_hList, LVM_INSERTCOLUMN, cnum, addr ncol


Code (NoWhere) Select
mov rax,tdata
mov ncol.pszText,rax
invoke lstrlen, tdata
inc rax
mov ncol.cchTextMax, Eax
mov ncol.mask_,LVCF_TEXT
invoke SendMessage, g_hList, LVM_INSERTCOLUMN, cnum, addr ncol


Any idea?

Thanks in advance, HSE.
Equations in Assembly: SmplMath

HSE

Equations in Assembly: SmplMath

Greenhorn

Quote from: HSE on June 24, 2023, 04:19:12 AM
:biggrin: I have a little crazy problem.

This message work perfectly if only is going to set width, but go nowhere if is setting text:

Code (Perfect) Select
mov ncol.mask_, 0;LVCF_TEXT
.IF ncol.cx_ != 0h
or ncol.mask_, LVCF_WIDTH
.ENDIF
invoke SendMessage, g_hList, LVM_INSERTCOLUMN, cnum, addr ncol


Code (NoWhere) Select
mov rax,tdata
mov ncol.pszText,rax
invoke lstrlen, tdata
inc rax
mov ncol.cchTextMax, Eax
mov ncol.mask_,LVCF_TEXT
invoke SendMessage, g_hList, LVM_INSERTCOLUMN, cnum, addr ncol


Any idea?

Thanks in advance, HSE.

Not really ...

However, the member cchTextMax is not necessary if you want to set the text.

QuotecchTextMax

Type: int

Size in TCHARs of the buffer pointed to by the pszText member. If the structure is not receiving information about a column, this member is ignored.
Kole Feut un Nordenwind gift en krusen Büdel un en lütten Pint.

HSE

 :biggrin: There is something wrong with LV_COLUMN structure in includes:

   mov ncol.pszText, rax
      ...
   mov ncol.cchTextMax, Eax 



Six_L say:   mov     qword ptr [rbp-10H], rax 
      ...
   mov     dword ptr [rbp-8H], eax   


here say:   mov     qword ptr [rbp-14], rax 
      ...
   mov     dword ptr [rbp-C], eax   


Thanks.
Equations in Assembly: SmplMath

_japheth

Quote from: HSE on June 24, 2023, 06:16:53 AM
here say:   mov     qword ptr [rbp-14], rax 
      ...
   mov     dword ptr [rbp-C], eax   



I'm no expert in Windows programming anymore, but a struct member of type QWORD is always ( in both Win32 and Win64 ) assumed to also be aligned on a QWORD boundary - IOW:  the offset of such a member within the struct must end with either 0 or 8.
Dummheit, gepaart mit Dreistigkeit - eine furchtbare Macht.

HSE

Thanks Baron!

Quote from: _japheth on June 24, 2023, 04:04:07 PM
assumed to also be aligned on a QWORD boundary

:thumbsup: Exactly that was missing in structure:
QuoteLVCOLUMNA   struct
mask_   DWORD   ?
fmt   DWORD   ?
cx_   DWORD   ?
align 8
pszText   LPSTR   ?
cchTextMax   DWORD   ?
iSubItem   DWORD   ?
if (_WIN32_IE ge 0300h)
iImage   DWORD   ?
iOrder   DWORD   ?
endif
LVCOLUMNA   ends

It still doesn't work; perhaps other structures have the same problem in UAsm's WinInc 2.10.
Equations in Assembly: SmplMath

six_L

Hi,Greenhorn
QuoteRegarding _DEBUG_BUFFER structure this is maybe helpful:
https://doxygen.reactos.org/d0/ddb/struct__DEBUG__BUFFER.html
https://evilcodecave.wordpress.com/tag/pdebug_buffer/

Thanks your help.

But the _DEBUG_BUFFER from those links may only work on a 32-bit system.
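; Alternative header layout taken from the linked references, declared only
; to compare the offset of ModuleInformation with the DEBUG_BUFFER used in
; GetProcessList.asm.
; The posted text lacked the "?" initialiser on five fields, which does not
; assemble; field order and types are unchanged.
; NOTE(review): the author expects this layout to fit 32-bit systems only -
; verify before using it to read a buffer on x64.
DEBUG_BUFFER_1 STRUCT
SectionHandle HANDLE  ? ;
SectionBase PVOID   ?
RemoteSectionBase PVOID   ?
SectionBaseDelta ULONG   ?
EventPairHandle HANDLE  ?
Unknown2 ULONG ?
RemoteThreadHandle HANDLE ?
InfoClassMask ULONG ?
SizeOfInfo ULONG ?
AllocatedSize ULONG ?
SectionSize ULONG ?
ModuleInformation PVOID ?               ; a pointer here, an embedded struct in DEBUG_BUFFER
BackTraceInformation PVOID ?
HeapInformation PVOID ?
LockInformation PVOID ?
Reserved PVOID ?
DEBUG_BUFFER_1 ENDS
PDEBUG_BUFFER_1 typedef ptr DEBUG_BUFFER_1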

Quotemov   rbx,debug_buf
         lea   rsi,(DEBUG_BUFFER PTR [rbx]).ModuleInformation
         lea   rdi,(DEBUG_BUFFER_1 PTR [rbx]).ModuleInformation
         invoke  wsprintf,ADDR szTmp,CStr("STRUCT1=%016IXh, STRUCT2= %016IXh",13,10),rsi,rdi
result :
QuoteSTRUCT1=000001B97AF200D0h, STRUCT2= 000001B97AF20048h

Hi,HSE

QuoteStill don't working, perhaps other structures have same problem in UAsm's WinInc 2.10
uasm64 -c -win64 -Zp8 at compiling src.
Say you, Say me, Say the codes together for ever.

HSE

Quote from: six_L on June 25, 2023, 01:29:02 AM
uasm64 -c -win64 -Zp8 at compiling src.

:thumbsup:

I assumed that don't work because must be a default for win64  :biggrin:
Equations in Assembly: SmplMath

Greenhorn

According to the documentation from the links, the structure should be defined like this:
; Layout as given by the linked documentation, according to the poster.
; NOTE(review): six_L reports earlier in this thread that this arrangement
; may only fit 32-bit systems; check the field offsets on x64 before reading
; a query buffer through it.
; The closing typedef reuses the name PDEBUG_BUFFER, which GetProcessList.asm
; already defines for its own DEBUG_BUFFER.
_DEBUG_BUFFER STRUCT
SectionHandle HANDLE  ? ;
SectionBase PVOID   ?
RemoteSectionBase PVOID   ?
SectionBaseDelta ULONG   ?
EventPairHandle HANDLE  ?
Unknown ULONG 2 dup (?)
RemoteThreadHandle HANDLE ?
InfoClassMask ULONG ?
SizeOfInfo ULONG ?
AllocatedSize ULONG ?
SectionSize ULONG ?   
ModuleInformation PVOID ?               ; pointer to the module list
BackTraceInformation PVOID ?   
HeapInformation PVOID ?   
LockInformation PVOID ?   
Reserved PVOID 8 dup (?)
_DEBUG_BUFFER ENDS
PDEBUG_BUFFER typedef ptr _DEBUG_BUFFER
Kole Feut un Nordenwind gift en krusen Büdel un en lütten Pint.