I have a problem with this test code:
.386
.model flat,stdcall
option casemap:none
include kernel32.inc
include windows.inc
include user32.inc
includelib user32.lib
includelib kernel32.lib
include masm32.inc
includelib masm32.lib
.data?
hSnapshot dd ?
uProcess PROCESSENTRY32 <>
.data
prog db "notepad.exe"
handle dd ?
pid dd ?
.code
start:
mov [uProcess.dwSize], sizeof uProcess
invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
mov [hSnapshot], eax
invoke Process32First, eax, ADDR uProcess
.while eax
invoke lstrcmp, addr uProcess.szExeFile, addr prog
.if !eax
mov eax,[uProcess.th32ParentProcessID]
invoke GetWindowThreadProcessId,eax,addr pid
invoke OpenProcess,PROCESS_ALL_ACCESS,0,pid
mov handle,eax
invoke SendMessage,handle,WM_CLOSE,NULL,NULL
invoke CloseHandle, [hSnapshot]
.endif
invoke Process32Next, [hSnapshot], ADDR uProcess
.endw
invoke CloseHandle, [hSnapshot]
invoke ExitProcess,NULL
end start
The handle is always 0 and I do not know anymore.
Sorry for my bad English.
invoke GetWindowThreadProcessId,eax,addr pid
The first parameter has to be a window handle, not the PID of the process which created notepad.exe.
Either you make it like this:
szClass db "Notepad", 0
PID dd ?
push 0 ;Could be like "Unnamed - Notepad"
push offset szClass
call FindWindow
push offset PID
push eax
call GetWindowThreadProcessId
to get the PID of the notepad process and then use it with OpenProcess,
or you change this:
;mov eax,[uProcess.th32ParentProcessID]
;invoke GetWindowThreadProcessId,eax,addr pid
invoke OpenProcess,PROCESS_ALL_ACCESS,0,uProcess.th32ProcessID ;<--
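Putting both points together, here is an added example (not code from this thread): it looks up notepad.exe in a Toolhelp snapshot using th32ProcessID, closes the snapshot only after the loop, and then calls GetWindowThreadProcessId with a real window handle from FindWindow to confirm that the snapshot PID and the window's PID agree. It assumes the masm32 SDK prologue masm32rt.inc and that Notepad's main window uses the "Notepad" class; it only reports the result in a MessageBox.

```asm
include \masm32\include\masm32rt.inc        ; assumption: masm32 SDK prologue (.model, includes, libs)
.data
szTarget db "notepad.exe", 0                 ; NUL-terminated, so lstrcmpi knows where it ends
szClass  db "Notepad", 0                     ; assumed window class of Notepad's main window
szNone   db "notepad.exe not found in the snapshot", 0
szMatch  db "notepad.exe found; the Notepad window belongs to that PID", 0
szOther  db "notepad.exe found, but no Notepad window reports that PID", 0
dwWinPid dd 0                                ; filled by GetWindowThreadProcessId
pe32     PROCESSENTRY32 <>
.code
; eax = th32ProcessID of the first snapshot entry named szTarget, or 0 if none / snapshot failed
FindPidByName proc uses ebx esi
    xor  ebx, ebx
    mov  pe32.dwSize, sizeof PROCESSENTRY32  ; must be set before Process32First
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    .if eax != INVALID_HANDLE_VALUE
        mov  esi, eax                        ; snapshot handle
        invoke Process32First, esi, addr pe32
        .while eax
            invoke lstrcmpi, addr pe32.szExeFile, addr szTarget
            .if eax == 0
                mov  ebx, pe32.th32ProcessID ; the process itself, not th32ParentProcessID
                .break                       ; keep the snapshot open until the loop ends
            .endif
            invoke Process32Next, esi, addr pe32
        .endw
        invoke CloseHandle, esi              ; closed exactly once, after enumeration
    .endif
    mov  eax, ebx
    ret
FindPidByName endp

start:
    invoke FindPidByName
    mov  ebx, eax                            ; PID from the snapshot (0 = not found)
    invoke FindWindow, addr szClass, NULL    ; GetWindowThreadProcessId needs an HWND, not a PID
    invoke GetWindowThreadProcessId, eax, addr dwWinPid
    mov  eax, offset szOther
    .if ebx == 0
        mov  eax, offset szNone
    .elseif ebx == dwWinPid
        mov  eax, offset szMatch
    .endif
    invoke MessageBox, NULL, eax, addr szTarget, MB_OK
    invoke ExitProcess, 0
end start
```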
Hmmm. I have changed the code to:
.386
.model flat,stdcall
option casemap:none
include kernel32.inc
include windows.inc
include user32.inc
includelib user32.lib
includelib kernel32.lib
include masm32.inc
includelib masm32.lib
.data?
hSnapshot dd ?
uProcess PROCESSENTRY32 <>
.data
prog db "notepad.exe"
handle dd ?
pid dd ?
.code
start:
mov [uProcess.dwSize], sizeof uProcess
invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
mov [hSnapshot], eax
invoke Process32First, eax, ADDR uProcess
.while eax
.if !eax
invoke OpenProcess,PROCESS_ALL_ACCESS,0,uProcess.th32ProcessID ;<= I have changed this
mov handle,eax
invoke ShowWindow,handle,SW_HIDE ;<= and this
invoke CloseHandle, [hSnapshot]
.endif
invoke Process32Next, [hSnapshot], ADDR uProcess
.endw
invoke CloseHandle, [hSnapshot]
invoke ExitProcess,NULL
end start
but nothing happens????
and when I make it with prog db "mspaint.exe",0 it is the same problem :(
Hi,
This gets the ProcessId, not the window handle.
For the handle use:
;This hides the app
invoke FindWindow, addr szClass, addr szWindowName
mov handle,eax
invoke ShowWindow,handle,SW_HIDE ;<= and this
For the ProcessId:
;This kills the app
invoke lstrcmp, addr uProcess.szExeFile, addr prog
.if !eax
mov eax,[uProcess.th32ProcessID] ;the matched process itself (th32ParentProcessID is its parent)
invoke OpenProcess,PROCESS_ALL_ACCESS,0,eax
mov handle,eax
invoke TerminateProcess, handle, 0
invoke CloseHandle, handle
What do you need, hide an app or kill a process?
Greets
I will hide a process with this function:
mov [uProcess.dwSize], sizeof uProcess
invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
mov [hSnapshot], eax
invoke Process32First, eax, ADDR uProcess
.while eax
invoke lstrcmp, addr uProcess.szExeFile, addr prog
.if !eax
invoke ShowWindow,uProcess.th32ProcessID,SW_HIDE
invoke CloseHandle, [hSnapshot]
.endif
invoke Process32Next, [hSnapshot], ADDR uProcess
.endw
invoke CloseHandle, [hSnapshot]
but it will not, but I do not understand why
:bdg :bdg
Hide a process with this :lol
invoke ShowWindow,hWnd,SW_HIDE ;<<< hides only a dialog, not a process
This is what the name "ShowWindow" says.
You must code a driver to hide a process.
EDIT: ragdog was faster (took me writing this so I didn't notice) :P
To hide a Process you'll need to code a service which runs in kernel-mode.
Could it be that you want to hide a window?
If so, you won't need a Process ID.
Just use FindWindow (http://msdn.microsoft.com/en-us/library/ms633499.aspx) and ShowWindow (http://msdn.microsoft.com/en-us/library/ms633548.aspx).
For example:
invoke FindWindow, offset szClass, offset szTitle
invoke ShowWindow, eax, SW_HIDE
@nOOB :bg
Quote: To hide a Process you'll need to code a service which runs in kernel-mode.
Yes, I mean this!!
If you want the ID of a Process to terminate it or something like that or if you want to hide a window you should have been helped now.
But you won't get help if you want to have a rootkit to hide processes like trojan horses,
since it's not allowed, see here (http://www.masm32.com/board/index.php?topic=3296.0).