Chip 1998 July

home *** CD-ROM | disk | FTP | other *** search

/ Chip 1998 July / CHIP_CD_1998_07_PL.iso / SOFTWARE / bezpiecz / getadmin / Psapi.cpp < prev

Wrap

C/C++ Source or Header | 1997-06-30 | 13.8 KB | 538 lines

#include <windows.h> DWORD PsGetProcessIdFromModuleName(LPCTSTR szName); extern "C"{ DWORD __stdcall NtQuerySystemInformation(DWORD,DWORD,DWORD,DWORD); DWORD __stdcall NtQueryInformationProcess(DWORD,DWORD,DWORD,DWORD,DWORD); DWORD __stdcall RtlNtStatusToDosError(DWORD); } #pragma warning( disable : 4035 ) DWORD __declspec(naked) __stdcall EnumProcesses(DWORD* ProcessesId, DWORD SizeofProcessesIds/*sizeof ProcessesId*/, DWORD* done) { __asm{ ; S u b r o u t i n e ;EnumProcesses proc , pProcessesId: DWORD, ; sizeofProcessesId :DWORD, ; pDone: DWORD mov eax, fs:0 push ebp mov ebp, esp push 0FFFFFFFFh push 731B3448h push 731B2E38h push eax mov fs:0, esp sub esp, 14h ; Integer Subtraction push ebx push esi push edi mov esi, 8000h xor edi, edi ; Logical Exclusive OR mov [ebp-18h], esp loc_731B2B37: ; CODE XREF: EnumProcesses+61.j push esi push edi call dword ptr LocalAlloc ; Indirect Call Near Procedure mov [ebp-1Ch], eax cmp eax, edi ; Compare Two Operands jz loc_731B2C12 ; Jump if Zero (ZF=1) push edi push esi push eax push 5 call NtQuerySystemInformation ; Indirect Call Near Procedure cmp eax, 0C0000004h ; Compare Two Operands jnz short loc_731B2B6D ; Jump if Not Zero (ZF=0) push dword ptr [ebp-1Ch] call dword ptr LocalFree ; Indirect Call Near Procedure add esi, 8000h ; Add jmp short loc_731B2B37 ; Jump ;──────────────────────────────────────────────────────────────────────────── loc_731B2B6D: ; CODE XREF: EnumProcesses+50.j test eax, eax ; Logical Compare jge short loc_731B2B84 ; Jump if Greater or Equal (SF=OF) push eax call RtlNtStatusToDosError ; Indirect Call Near Procedure push eax call dword ptr SetLastError ; Indirect Call Near Procedure jmp loc_731B2C12 ; Jump ;──────────────────────────────────────────────────────────────────────────── loc_731B2B84: ; CODE XREF: EnumProcesses+65.j xor esi, esi ; Logical Exclusive OR mov edx, [ebp+0Ch] shr edx, 2 ; Shift Logical Right xor edi, edi ; Logical Exclusive OR mov ecx, [ebp+8] loc_731B2B91: ; CODE XREF: EnumProcesses+AB.j mov eax, [ebp-1Ch] add eax, esi ; Add cmp edi, edx ; Compare Two Operands jnb short loc_731B2BAF ; Jump if Not Below (CF=0) mov dword ptr [ebp-4], 0 mov ebx, [eax+44h] mov [ecx+edi*4], ebx inc edi ; Increment by 1 mov dword ptr [ebp-4], 0FFFFFFFFh loc_731B2BAF: ; CODE XREF: EnumProcesses+8E.j mov eax, [eax] add esi, eax ; Add test eax, eax ; Logical Compare jnz short loc_731B2B91 ; Jump if Not Zero (ZF=0) mov esi, 1 mov [ebp-4], esi lea ecx, ds:0[edi*4] ; Load Effective Address mov eax, [ebp+10h] mov [eax], ecx mov dword ptr [ebp-4], 0FFFFFFFFh push dword ptr [ebp-1Ch] call dword ptr LocalFree ; Indirect Call Near Procedure mov eax, esi jmp short loc_731B2C14 ; Jump loc_731B2C12: ; CODE XREF: EnumProcesses+3A.j ; EnumProcesses+75.j xor eax, eax ; Logical Exclusive OR loc_731B2C14: ; CODE XREF: EnumProcesses+D3.j mov ecx, [ebp-10h] pop edi mov fs:0, ecx pop esi pop ebx mov esp, ebp pop ebp retn 0Ch ; Return Near from Procedure } //;EnumProcesses endp } DWORD __declspec(naked) __stdcall EnumProcessModules(HANDLE hProcess, HMODULE* hModule /*array*/, DWORD SizeofhModule/* sizeof(hModule) */, DWORD* done) { __asm { ; S u b r o u t i n e mov eax, fs:0 push ebp mov ebp, esp push 0FFFFFFFFh push 731B3178h push 731B2E38h push eax mov fs:0, esp sub esp, 78h ; Integer Subtraction lea eax, [ebp-40h] ; Load Effective Address push ebx push esi push edi mov [ebp-18h], esp push 0 push 18h push eax push 0 push dword ptr [ebp+8] call NtQueryInformationProcess ; Indirect Call Near Procedure test eax, eax ; Logical Compare jge short loc_731B15BF ; Jump if Greater or Equal (SF=OF) push eax call RtlNtStatusToDosError ; Indirect Call Near Procedure push eax call dword ptr SetLastError ; Indirect Call Near Procedure jmp loc_731B169E ; Jump ;──────────────────────────────────────────────────────────────────────────── loc_731B15BF: ; CODE XREF: EnumProcessModules+3B.j push 0 lea eax, [ebp-28h] ; Load Effective Address push 4 push eax mov eax, [ebp-3Ch] add eax, 0Ch ; Add push eax push dword ptr [ebp+8] call dword ptr ReadProcessMemory ; Indirect Call Near Procedure test eax, eax ; Logical Compare jz loc_731B169E ; Jump if Zero (ZF=1) mov esi, [ebp-28h] push 0 add esi, 14h ; Add push 4 lea eax, [ebp-1Ch] ; Load Effective Address push eax push esi push dword ptr [ebp+8] call dword ptr ReadProcessMemory ; Indirect Call Near Procedure test eax, eax ; Logical Compare jz loc_731B169E ; Jump if Zero (ZF=1) mov eax, [ebp+10h] xor edi, edi ; Logical Exclusive OR shr eax, 2 ; Shift Logical Right cmp esi, [ebp-1Ch] ; Compare Two Operands mov [ebp-24h], eax jz short loc_731B1657 ; Jump if Zero (ZF=1) mov ebx, [ebp+0Ch] loc_731B1612: ; CODE XREF: EnumProcessModules+E6.j mov eax, [ebp-1Ch] push 0 sub eax, 8 ; Integer Subtraction push 48h lea ecx, [ebp-88h] ; Load Effective Address push ecx push eax push dword ptr [ebp+8] call dword ptr ReadProcessMemory ; Indirect Call Near Procedure test eax, eax ; Logical Compare jz short loc_731B169E ; Jump if Zero (ZF=1) cmp edi, [ebp-24h] ; Compare Two Operands jnb short loc_731B1649 ; Jump if Not Below (CF=0) mov dword ptr [ebp-4], 0 mov eax, [ebp-70h] mov [ebx], eax mov dword ptr [ebp-4], 0FFFFFFFFh loc_731B1649: ; CODE XREF: EnumProcessModules+C5.j add ebx, 4 ; Add inc edi ; Increment by 1 mov eax, [ebp-80h] mov [ebp-1Ch], eax cmp esi, eax ; Compare Two Operands jnz short loc_731B1612 ; Jump if Not Zero (ZF=0) loc_731B1657: ; CODE XREF: EnumProcessModules+9E.j mov eax, 1 mov [ebp-4], eax lea edx, ds:0[edi*4] ; Load Effective Address mov ecx, [ebp+14h] mov [ecx], edx mov dword ptr [ebp-4], 0FFFFFFFFh jmp short loc_731B16A0 ; Jump loc_731B169E: ; CODE XREF: EnumProcessModules+4B.j ; EnumProcessModules+6A.j ... xor eax, eax ; Logical Exclusive OR loc_731B16A0: ; CODE XREF: EnumProcessModules+103.j mov ecx, [ebp-10h] pop edi mov fs:0, ecx pop esi pop ebx mov esp, ebp pop ebp retn 10h ; Return Near from Procedure } //EnumProcessModules endp } __declspec(naked) sub_731B14A5() { __asm{ ; S u b r o u t i n e ;sub_731B14A5 proc near ; CODE XREF: GetModuleFileNameExW+11.p ; GetModuleBaseNameW+11.p ... push ebp mov ebp, esp sub esp, 20h ; Integer Subtraction push ebx lea eax, [ebp-20h] ; Load Effective Address push esi push edi push 0 mov esi, [ebp+8] push 18h push eax push 0 push esi call NtQueryInformationProcess ; Indirect Call Near Procedure test eax, eax ; Logical Compare jge short loc_731B14D3 ; Jump if Greater or Equal (SF=OF) push eax call RtlNtStatusToDosError ; Indirect Call Near Procedure push eax jmp loc_731B1557 ; Jump ;──────────────────────────────────────────────────────────────────────────── loc_731B14D3: ; CODE XREF: sub_731B14A5+1F.j cmp dword ptr [ebp+0Ch], 0 ; Compare Two Operands mov edi, [ebp-1Ch] jnz short loc_731B14F3 ; Jump if Not Zero (ZF=0) push 0 lea eax, [ebp+0Ch] ; Load Effective Address push 4 lea ecx, [edi+8] ; Load Effective Address push eax push ecx push esi call dword ptr ReadProcessMemory ; Indirect Call Near Procedure test eax, eax ; Logical Compare jz short loc_731B155D ; Jump if Zero (ZF=1) loc_731B14F3: ; CODE XREF: sub_731B14A5+35.j push 0 lea eax, [ebp-8] ; Load Effective Address push 4 add edi, 0Ch ; Add push eax push edi push esi call dword ptr ReadProcessMemory ; Indirect Call Near Procedure test eax, eax ; Logical Compare jz short loc_731B155D ; Jump if Zero (ZF=1) mov edi, [ebp-8] push 0 add edi, 14h ; Add push 4 lea eax, [ebp-4] ; Load Effective Address push eax push edi push esi call dword ptr ReadProcessMemory ; Indirect Call Near Procedure test eax, eax ; Logical Compare jz short loc_731B155D ; Jump if Zero (ZF=1) cmp [ebp-4], edi ; Compare Two Operands jz short loc_731B1555 ; Jump if Zero (ZF=1) mov ebx, [ebp+10h] loc_731B152C: ; CODE XREF: sub_731B14A5+AE.j mov eax, [ebp-4] push 0 sub eax, 8 ; Integer Subtraction push 48h push ebx push eax push esi call dword ptr ReadProcessMemory ; Indirect Call Near Procedure test eax, eax ; Logical Compare jz short loc_731B155D ; Jump if Zero (ZF=1) mov eax, [ebp+0Ch] cmp [ebx+18h], eax ; Compare Two Operands jz short loc_731B1568 ; Jump if Zero (ZF=1) mov eax, [ebx+8] mov [ebp-4], eax cmp eax, edi ; Compare Two Operands jnz short loc_731B152C ; Jump if Not Zero (ZF=0) loc_731B1555: ; CODE XREF: sub_731B14A5+82.j push 6 loc_731B1557: ; CODE XREF: sub_731B14A5+29.j call dword ptr SetLastError ; Indirect Call Near Procedure loc_731B155D: ; CODE XREF: sub_731B14A5+4C.j ; sub_731B14A5+63.j ... xor eax, eax ; Logical Exclusive OR loc_731B155F: ; CODE XREF: sub_731B14A5+C8.j pop edi pop esi pop ebx mov esp, ebp pop ebp retn 0Ch ; Return Near from Procedure loc_731B1568: ; CODE XREF: sub_731B14A5+A4.j mov eax, 1 jmp short loc_731B155F ; Jump ;sub_731B14A5 endp } } DWORD __declspec(naked) __stdcall GetModuleBaseNameW(HANDLE hProcess,HMODULE hMod, WCHAR* szProcessName, DWORD SizeofszProcessName/* sizeof szProcessName*/ ) { __asm { ; S u b r o u t i n e push ebp mov ebp, esp sub esp, 48h ; Integer Subtraction push esi lea eax, [ebp-48h] ; Load Effective Address push eax push dword ptr [ebp+0Ch] push dword ptr [ebp+8] call sub_731B14A5 ; Call Procedure test eax, eax ; Logical Compare jnz short loc_731B1793 ; Jump if Not Zero (ZF=0) xor eax, eax ; Logical Exclusive OR jmp short loc_731B17CB ; Jump loc_731B1793: ; CODE XREF: GetModuleBaseNameW+18.j movzx esi, word ptr [ebp-1Ah] ; Move with Zero-Extend mov eax, [ebp+14h] add eax, eax ; Add cmp esi, eax ; Compare Two Operands jbe short loc_731B17A2 ; Jump if Below or Equal (CF=1 | ZF=1) mov esi, eax loc_731B17A2: ; CODE XREF: GetModuleBaseNameW+29.j push 0 push esi push dword ptr [ebp+10h] push dword ptr [ebp-18h] push dword ptr [ebp+8] call dword ptr ReadProcessMemory ; Indirect Call Near Procedure test eax, eax ; Logical Compare jnz short loc_731B17BC ; Jump if Not Zero (ZF=0) xor eax, eax ; Logical Exclusive OR jmp short loc_731B17CB ; Jump loc_731B17BC: ; CODE XREF: GetModuleBaseNameW+41.j movzx eax, word ptr [ebp-1Ah] ; Move with Zero-Extend cmp eax, esi ; Compare Two Operands jnz short loc_731B17C7 ; Jump if Not Zero (ZF=0) sub esi, 2 ; Integer Subtraction loc_731B17C7: ; CODE XREF: GetModuleBaseNameW+4D.j mov eax, esi shr eax, 1 ; Shift Logical Right loc_731B17CB: ; CODE XREF: GetModuleBaseNameW+1C.j ; GetModuleBaseNameW+45.j pop esi mov esp, ebp pop ebp retn 10h ; Return Near from Procedure ;GetModuleBaseNameW endp } } DWORD __declspec(naked) __stdcall GetModuleBaseNameA(HANDLE hProcess,HMODULE hMod, char* szProcessName, DWORD SizeofszProcessName/* sizeof szProcessName*/ ) { __asm { push ebx push esi mov esi, [esp+18h] push edi push ebp lea eax, ds:0[esi*2] ; Load Effective Address push eax push 0 call dword ptr LocalAlloc ; Indirect Call Near Procedure mov edi, eax test edi, edi ; Logical Compare jnz short loc_731B17F4 ; Jump if Not Zero (ZF=0) xor eax, eax ; Logical Exclusive OR jmp short loc_731B1830 ; Jump ;──────────────────────────────────────────────────────────────────────────── loc_731B17F4: ; CODE XREF: GetModuleBaseNameA+1C.j push esi push edi push dword ptr [esp+20h] push dword ptr [esp+20h] call GetModuleBaseNameW ; Call Procedure mov ecx, eax cmp eax, esi ; Compare Two Operands mov ebx, eax jnb short loc_731B180E ; Jump if Not Below (CF=0) lea ecx, [ebx+1] ; Load Effective Address loc_731B180E: ; CODE XREF: GetModuleBaseNameA+37.j xor ebp, ebp ; Logical Exclusive OR push ebp push ebp push esi push dword ptr [esp+28h] push ecx push edi push ebp push ebp call dword ptr WideCharToMultiByte ; Indirect Call Near Procedure test eax, eax ; Logical Compare jnz short loc_731B1827 ; Jump if Not Zero (ZF=0) xor ebx, ebx ; Logical Exclusive OR loc_731B1827: ; CODE XREF: GetModuleBaseNameA+51.j push edi call dword ptr LocalFree ; Indirect Call Near Procedure mov eax, ebx loc_731B1830: ; CODE XREF: GetModuleBaseNameA+20.j pop ebp pop edi pop esi pop ebx retn 10h ; Return Near from Procedure ;GetModuleBaseNameA endp } } DWORD PsGetProcessIdFromModuleName(LPCTSTR szName) { DWORD ProcessesId[1024],cProcesses,done; DWORD pid; HMODULE hMod; HANDLE hProcess; char szProcessName[MAX_PATH]; unsigned i; if(!EnumProcesses(ProcessesId,sizeof(ProcessesId),&done)) { return (DWORD)-1; } cProcesses = done / sizeof(DWORD); for(i=2;i<cProcesses;i++) { strcpy(szProcessName,"unknown"); pid = ProcessesId[i]; hProcess = OpenProcess(PROCESS_QUERY_INFORMATION| PROCESS_VM_READ, FALSE,pid); if(!hProcess) continue; if(EnumProcessModules(hProcess,&hMod,sizeof(hMod),&done) ) { GetModuleBaseNameA(hProcess,hMod,szProcessName,sizeof(szProcessName)); } CloseHandle(hProcess); if(!strcmp(szProcessName,szName)) return pid; } return 0; }