News:

MASM32 SDK Description, downloads and other helpful links
MASM32.com New Forum Link
masmforum WebSite

Problems with uProcess.th32ParentProcessID

Started by Celtic, October 07, 2008, 07:37:59 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

Celtic

October 07, 2008, 07:37:59 AM
I have Problem with this testcode:

.386
.model flat,stdcall
option casemap:none

include kernel32.inc
include windows.inc
include user32.inc
includelib user32.lib
includelib kernel32.lib
include masm32.inc
includelib masm32.lib

.data?
   
   hSnapshot   dd      ?
   uProcess   PROCESSENTRY32   <>

.data


prog db "notepad.exe"
handle dd ?
pid dd ?
.code
start:

   mov   [uProcess.dwSize], sizeof uProcess
   invoke   CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
   mov   [hSnapshot], eax
   invoke   Process32First, eax, ADDR uProcess
   .while eax
   
    invoke lstrcmp, addr uProcess.szExeFile, addr prog
    .if !eax
    mov eax,[uProcess.th32ParentProcessID]
    invoke GetWindowThreadProcessId,eax,addr pid
   invoke OpenProcess,PROCESS_ALL_ACCESS,0,pid
   mov handle,eax
    invoke SendMessage,handle,WM_CLOSE,NULL,NULL
    invoke CloseHandle, [hSnapshot]
    .endif
   invoke   Process32Next, [hSnapshot], ADDR uProcess
   .endw
   invoke   CloseHandle, [hSnapshot]


    invoke ExitProcess,NULL

end start


The handle is allways 0 and i do not know anymore.

Sorry for my bad english.

n00b!

#1
October 07, 2008, 01:38:56 PM
Code Select
invoke GetWindowThreadProcessId,eax,addr pid

The first parameter has to be a window handle, not the pid of the process which created notepad.exe

Either you make it like this:

Code Select
szClass db "Notepad", 0
PID dd ?

push 0 ;Could be like "Unnamed - Notepad"
push offset szClass
call FindWindow
push offset PID
push eax
call GetWindowThreadProcessId

To get the PID of the notepad-process and then use it with OpenProcess

or you change this:
Code Select
;mov eax,[uProcess.th32ParentProcessID]
;invoke GetWindowThreadProcessId,eax,addr pid
invoke OpenProcess,PROCESS_ALL_ACCESS,0,uProcess.th32ProcessID ;<--

Celtic

#2
October 07, 2008, 03:58:36 PM
Hmmm. I have change the Code to:

.386
.model flat,stdcall
option casemap:none

include kernel32.inc
include windows.inc
include user32.inc
includelib user32.lib
includelib kernel32.lib
include masm32.inc
includelib masm32.lib

.data?
   
   hSnapshot   dd      ?
   uProcess   PROCESSENTRY32   <>

.data


prog db "notepad.exe"
handle dd ?
pid dd ?
.code
start:

   mov   [uProcess.dwSize], sizeof uProcess
   invoke   CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
   mov   [hSnapshot], eax
   invoke   Process32First, eax, ADDR uProcess
   .while eax
   
   
    .if !eax
   invoke OpenProcess,PROCESS_ALL_ACCESS,0,uProcess.th32ProcessID <= i have this change
   mov handle,eax
    invoke ShowWindow,handle,SW_HIDE <= and this
    invoke CloseHandle, [hSnapshot]
    .endif
   invoke   Process32Next, [hSnapshot], ADDR uProcess
   .endw
   invoke   CloseHandle, [hSnapshot]


    invoke ExitProcess,NULL

end start

   
but nothing happens ????

Celtic

#3
October 07, 2008, 03:59:51 PM
and when i make it with prog db "mspaint.exe",0 is it the same problem :(

ragdog

#4
October 07, 2008, 06:12:02 PM
Hi This

This get the ProcessId not the window handle

For Handle use:
;This hide the app
Findwindow,Class,Windowname
mov handle,eax
invoke ShowWindow,handle,SW_HIDE <= and this

For ProcessId :
;This kill The app


invoke lstrcmp, addr uProcess.szExeFile, addr prog
    .if !eax
    mov eax,[uProcess.th32ParentProcessID]
invoke OpenProcess,PROCESS_ALL_ACCESS,0,eax
   invoke   TerminateProcess, eax, 0


What need you,Hide a app or kill process?

Greets

Celtic

#5
October 07, 2008, 07:04:15 PM
I will hide a Process with this function:


mov   [uProcess.dwSize], sizeof uProcess
   invoke   CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
   mov   [hSnapshot], eax
   invoke   Process32First, eax, ADDR uProcess
   .while eax
   invoke lstrcmp, addr uProcess.szExeFile, addr prog
   
    .if !eax

       
   invoke ShowWindow,uProcess.th32ProcessID,SW_HIDE
   
   
    invoke CloseHandle, [hSnapshot]
    .endif
   invoke   Process32Next, [hSnapshot], ADDR uProcess
   .endw
   invoke   CloseHandle, [hSnapshot]

   
but it will not ,but I do not understand why

ragdog

#6
October 07, 2008, 07:36:28 PM
 :bdg :bdg

Hide a process with this :lol

   invoke ShowWindow,hWNd,SW_HIDE  ;<<<Hide only a dialog not a process

This say the name "ShowWindow"

U must coding a driver for hide a process

n00b!

#7
October 07, 2008, 07:44:18 PM Last Edit: October 29, 2008, 09:38:16 PM by n00b!
EDIT: ragdog was faster (took me writing this so I didn't notice)  :P

To hide a Process you'll need to code a service which runs in kernel-mode.

Could it be, that you want to hide a Window?

If so, you won't need a Process ID.
Just use FindWindow (http://msdn.microsoft.com/en-us/library/ms633499.aspx) and ShowWindow (http://msdn.microsoft.com/en-us/library/ms633548.aspx).
for example:
Code Select
invoke FindWindow, offset szClass, offset szTitle
invoke ShowWindow, eax, SW_HIDE

ragdog

#8
October 07, 2008, 08:03:01 PM
@nOOB :bg

QuoteTo hide a Process you'll need to code a service which runs in kernel-mode.

Yes i mean this!!


n00b!

#9
October 07, 2008, 08:49:15 PM
If you want the ID of a Process to terminate it or something like that or if you want to hide a window you should have been helped now.

But you won't get help if you want to have a rootkit to hide processes like trojan horses
since it's not allowed, see here
Print
Go Up Pages1
User actions