I am getting the error message 'Access Denied' while accessing the module information of some specific processes (e.g. zlclient, vsmon, etc.). Below is a code snippet to give a better idea.
    ; enable SeDebugPrivilege in our own token
    invoke GetCurrentProcess
    mov hProcess, eax
    invoke OpenProcessToken, hProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
    lea eax, tkp.Privileges[0].Luid
    invoke LookupPrivilegeValue, NULL, SADD("SeDebugPrivilege"), eax
    mov tkp.PrivilegeCount, 1
    mov tkp.Privileges[0].Attributes, SE_PRIVILEGE_ENABLED
    invoke AdjustTokenPrivileges, hToken, FALSE, addr tkp, sizeof tkp, NULL, NULL
    ; note: a TRUE return here does not prove the privilege was enabled (see GetLastError)
    invoke CloseHandle, hToken
    ; snapshot of all processes, then walk it
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPALL, 0
    mov hSnapShot, eax
    mov process.dwSize, sizeof PROCESSENTRY32
    invoke Process32First, hSnapShot, ADDR process
    mov module.dwSize, sizeof module
    .while eax
        ; module snapshot of this one process - this is the call that fails for zlclient/vsmon
        invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, process.th32ProcessID
        mov hSnapShot2, eax
        .if eax == INVALID_HANDLE_VALUE
            invoke MessageBox, 0, ADDR process.szExeFile, 0, 0
            ; invoke GetLastError
            ; invoke FormatMessage, FORMAT_MESSAGE_FROM_SYSTEM ...
        .else
            ; Module32First / Module32Next over hSnapShot2 go here
            invoke CloseHandle, hSnapShot2      ; the per-process snapshot was never closed before
        .endif
        invoke Process32Next, hSnapShot, ADDR process
    .endw
    invoke CloseHandle, hSnapShot
Please help me sort this out.
Thank you.
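As an added example (not the poster's code, and not code from the MASM32 package beyond its include files), here is a console version of the same walk that checks whether SeDebugPrivilege was really enabled and reports a process whose modules cannot be read instead of stopping at it. It assumes the MASM32 package's include and library paths (windows.inc, kernel32.inc, advapi32.inc, masm32.inc, macros.asm); the procedure names EnablePrivilege and ListModules and the output format are this example's own.

```masm
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc
include \masm32\include\masm32.inc
include \masm32\macros\macros.asm
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\advapi32.lib
includelib \masm32\lib\masm32.lib
IFNDEF ERROR_NOT_ALL_ASSIGNED
ERROR_NOT_ALL_ASSIGNED equ 1300          ; winerror value, defined here only if the include lacks it
ENDIF
.data
szDebugPriv db "SeDebugPrivilege", 0
.data?
hSnap     dd ?
dwLastErr dd ?
pe        PROCESSENTRY32 <>
.code
; EnablePrivilege(lpName) -> eax = 1 if the privilege is now enabled, 0 if not.
; AdjustTokenPrivileges returns TRUE even when it enabled nothing, so the
; GetLastError == ERROR_NOT_ALL_ASSIGNED test is the only reliable check.
EnablePrivilege proc lpName:DWORD
    LOCAL hProc:DWORD
    LOCAL hToken:DWORD
    LOCAL tkp:TOKEN_PRIVILEGES
    invoke GetCurrentProcess
    mov hProc, eax
    invoke OpenProcessToken, hProc, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
    .if eax != 0
        lea eax, tkp.Privileges.Luid
        invoke LookupPrivilegeValue, NULL, lpName, eax
        .if eax != 0
            mov tkp.PrivilegeCount, 1
            mov tkp.Privileges.Attributes, SE_PRIVILEGE_ENABLED
            invoke AdjustTokenPrivileges, hToken, FALSE, addr tkp, sizeof TOKEN_PRIVILEGES, NULL, NULL
            .if eax != 0
                invoke GetLastError          ; read it before CloseHandle can change it
                .if eax == ERROR_NOT_ALL_ASSIGNED
                    xor eax, eax             ; privilege not held (non-administrator)
                .else
                    mov eax, 1
                .endif
            .endif
        .endif
        push eax                             ; keep the result across CloseHandle
        invoke CloseHandle, hToken
        pop eax
    .endif
    ret
EnablePrivilege endp
; ListModules(dwPid) -> eax = 0 on success, else the Win32 error code, so the
; caller can report one unreadable process and keep walking the rest.
ListModules proc dwPid:DWORD
    LOCAL hMod:DWORD
    LOCAL me:MODULEENTRY32
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, dwPid
    .if eax == INVALID_HANDLE_VALUE
        invoke GetLastError                  ; ERROR_ACCESS_DENIED (5) for a protected process
        ret
    .endif
    mov hMod, eax
    mov me.dwSize, sizeof MODULEENTRY32
    invoke Module32First, hMod, addr me
    .while eax
        print "    "
        print addr me.szExePath, 13, 10
        invoke Module32Next, hMod, addr me
    .endw
    invoke CloseHandle, hMod
    xor eax, eax
    ret
ListModules endp
start:
    invoke EnablePrivilege, addr szDebugPriv
    .if eax == 0
        print "SeDebugPrivilege not enabled, run as an administrator to see more", 13, 10
    .endif
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    mov hSnap, eax
    mov pe.dwSize, sizeof PROCESSENTRY32
    invoke Process32First, hSnap, addr pe
    .while eax
        print "PID "
        print str$(pe.th32ProcessID), " "
        print addr pe.szExeFile, 13, 10
        invoke ListModules, pe.th32ProcessID
        .if eax != 0
            mov dwLastErr, eax               ; print clobbers eax, so save the code first
            print "    modules not readable, Win32 error "
            print str$(dwLastErr), 13, 10
        .endif
        invoke Process32Next, hSnap, addr pe
    .endw
    invoke CloseHandle, hSnap
    exit
end start
```

Assemble and link it as a console subsystem program and run it from a command prompt. Two things the original snippet never checks: AdjustTokenPrivileges reports TRUE even when nothing was enabled, and GetLastError == ERROR_NOT_ALL_ASSIGNED is what a non-administrator account gets for SeDebugPrivilege; and a failed TH32CS_SNAPMODULE snapshot is returned per process with its Win32 error code, so a process that refuses the snapshot shows up as "not readable" in the listing instead of aborting the viewer. MSDN also documents that a module snapshot can fail with ERROR_BAD_LENGTH while the target is still loading, which a retry of the snapshot call covers.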
To open zlclient or vsmon with full access you must first inject csrss.exe and use its opened handles to processes.
See in Process Explorer - select the process csrss, in the lower handles pane add the columns handle+access and search for the zlclient handle :)
Now if you're injected into csrss - do not try to open new handles to ZA (access denied), use those already opened.
How to inject? VirtualAlloc, WriteProcessMemory...
How to find the handle to zapro from the injected process? A handle is a 16-bit value, just search in a loop for "PID from current handle" using the XP API GetProcessId(handle) and compare the return value with the zapro PID :)
http://img477.imageshack.us/img477/7586/shkillprocesshowitworks3ki.jpg
Terminating the newest vsmon from within csrss works ok, but the system shows the message "blah vsmon is bad and must be closed".
akane,
What I am trying to do is just obtain the list of running processes and then enumerate all modules specific to each process.
Everything is fine, but for some processes like vsmon it's not possible to enumerate the module state, since the call to
CreateToolhelp32Snapshot specifying the TH32CS_SNAPMODULE value and the process identifier ends up with the extended
error message 'Access Denied'.
I think I have adjusted the required token privilege but still have no idea what is foiling the call.
Someone with a code snippet would be greatly appreciated.
Thank you.
debzequke,
Welcome A Board !!! :U
What is the target OS for this code? ( Hint: You don't have all your bases covered yet. )
Hint: If you use 'Search', we have code already for this.
Check here too: http://win.asmcommunity.net/board/index.php
Regards, P1 :8)
Going by the fact that ZoneAlarm is a firewall, it wouldn't surprise me if they'd implemented some way of preventing other processes from looking too closely at them. It may just be a case of saying to your user that 'This process could not be enumerated' or something like that.
Quote from: zooba on January 12, 2006, 11:43:26 PM
Going by the fact that ZoneAlarm is a firewall, it wouldn't surprise me if they'd implemented some way of preventing other processes from looking too closely at them. It may just be a case of saying to your user that 'This process could not be enumerated' or something like that.
I'm trying to remain open minded about what they are trying to do.
So now that the subject has come up. What are you trying to do? I hope you have read the forum rules.
Regards, P1 :8)
Quote: What is the target OS for this code? ( Hint: You don't have all your bases covered yet. )
Hint: If you use 'Search', we have code already for this.
Ok good, I have searched the forum and also found a couple of source codes.
Wait ... oops, they too fail at the same point.
BTW, I am working on XP.
Umm, ProcDump works perfectly. I will try a little better ...
hey dude, seems to be a bit suss...
why do you need to know other processes,
and their modules?
have you read the rules?
i suggest you read and assimilate them...
Personally I think it's a case of 'wanting' to know rather than 'needing' to know. Process explorer style tools are entirely legitimate AFAIK.
The 'suss' bit is akane's suggestion. Closing down someone's firewall is definitely not permitted around here.
I will make things clear: it's not a matter of a security hazard. Actually I came over this when I was coding my own personal PE editor. Moreover, I think I need a walk-up if I find something lurking on my system. I am glad to accept if someone is going to help me personally.
Thank you.
Quote from: zooba on January 14, 2006, 10:41:20 PM
Personally I think it's a case of 'wanting' to know rather than 'needing' to know. Process explorer style tools are entirely legitimate AFAIK.
The 'suss' bit is akane's suggestion. Closing down someone's firewall is definitely not permitted around here.
But the original post mentioned 2 programs...the Zone Alarm client and its associated monitor...and only 2.
With XP, you want to EnumProcesses. I use GetVersionEx ( VER_PLATFORM_WIN32_NT ) to determine whether to go CreateToolhelp32Snapshot or EnumProcesses.
Do a Search, and you should come up with some viable code.
Regards, P1 :8)
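Following P1's pointer, an added example (not P1's code and not the MASM32 project's own) of the NT-only route: GetVersionEx to confirm VER_PLATFORM_WIN32_NT, EnumProcesses for the PID list, then, per PID, OpenProcess with only PROCESS_QUERY_INFORMATION or PROCESS_VM_READ followed by EnumProcessModules and GetModuleFileNameEx. It assumes the MASM32 package's psapi.inc and psapi.lib alongside the usual includes; IsWinNT and ListModulesPsapi are names chosen here, and the buffer sizes MAX_PIDS and MAX_MODULES are constructed values.

```masm
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\psapi.inc
include \masm32\include\masm32.inc
include \masm32\macros\macros.asm
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\psapi.lib
includelib \masm32\lib\masm32.lib
MAX_PIDS    equ 1024                     ; constructed buffer sizes for this example
MAX_MODULES equ 512
.data?
osvi    OSVERSIONINFO <>
pids    dd MAX_PIDS dup(?)
cbPids  dd ?
nPids   dd ?
hMods   dd MAX_MODULES dup(?)
cbMods  dd ?
szPath  db MAX_PATH dup(?)
dwErr   dd ?
.code
; IsWinNT() -> eax = 1 on the NT line (NT4/2000/XP), 0 on Win9x/Me, which have no PSAPI.
IsWinNT proc
    mov osvi.dwOSVersionInfoSize, sizeof OSVERSIONINFO
    invoke GetVersionEx, addr osvi       ; on failure osvi stays zeroed and the test below fails
    xor eax, eax
    .if osvi.dwPlatformId == VER_PLATFORM_WIN32_NT
        inc eax
    .endif
    ret
IsWinNT endp
; ListModulesPsapi(dwPid) -> eax = 0 on success, else the Win32 error code.
; Opens the target with only the two rights EnumProcessModules needs.
ListModulesPsapi proc uses esi dwPid:DWORD
    LOCAL hProcess:DWORD
    LOCAL n:DWORD
    invoke OpenProcess, PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, FALSE, dwPid
    .if eax == 0
        invoke GetLastError              ; ERROR_ACCESS_DENIED for a process we may not open
        ret
    .endif
    mov hProcess, eax
    invoke EnumProcessModules, hProcess, addr hMods, sizeof hMods, addr cbMods
    .if eax == 0
        invoke GetLastError
        mov dwErr, eax
        invoke CloseHandle, hProcess
        mov eax, dwErr
        ret
    .endif
    mov eax, cbMods
    shr eax, 2                           ; bytes needed -> number of HMODULEs
    .if eax > MAX_MODULES
        mov eax, MAX_MODULES             ; buffer was too small: list only what fits
    .endif
    mov n, eax
    xor esi, esi
    .while esi < n
        invoke GetModuleFileNameEx, hProcess, hMods[esi*4], addr szPath, sizeof szPath
        .if eax != 0
            print "    "
            print addr szPath, 13, 10
        .endif
        inc esi
    .endw
    invoke CloseHandle, hProcess
    xor eax, eax
    ret
ListModulesPsapi endp
start:
    invoke IsWinNT
    .if eax == 0
        print "Not an NT system, use the ToolHelp32 route instead", 13, 10
        exit
    .endif
    invoke EnumProcesses, addr pids, sizeof pids, addr cbPids
    .if eax == 0
        print "EnumProcesses failed", 13, 10
        exit
    .endif
    mov eax, cbPids
    shr eax, 2                           ; bytes returned -> number of PIDs
    mov nPids, eax
    xor esi, esi                         ; esi survives Win32 calls
    .while esi < nPids
        print "PID "
        print str$(pids[esi*4]), 13, 10
        invoke ListModulesPsapi, pids[esi*4]
        .if eax != 0
            mov dwErr, eax               ; print clobbers eax, so save the code first
            print "    modules not readable, Win32 error "
            print str$(dwErr), 13, 10
        .endif
        inc esi
    .endw
    exit
end start
```

OpenProcess is where a protected process says no, so that error is returned per PID, printed, and the walk continues. The clamp on cbMods matters: EnumProcessModules reports the size it would have needed even when the buffer was too small, so the loop must not trust that count beyond MAX_MODULES.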
Quote from: sinsi on January 16, 2006, 11:26:09 AM
Quote from: zooba on January 14, 2006, 10:41:20 PM
Personally I think it's a case of 'wanting' to know rather than 'needing' to know. Process explorer style tools are entirely legitimate AFAIK.
The 'suss' bit is akane's suggestion. Closing down someone's firewall is definitely not permitted around here.
But the original post mentioned 2 programs...the Zone Alarm client and its associated monitor...and only 2.
Quote from: debzequke on January 12, 2006, 02:18:49 AM
Am getting error message 'Access Denied' while accessing module informations of some specific process (for eg: zlclient, vsmon etc).
He is attempting to enumerate ALL processes and ALL modules (invoke CreateToolhelp32Snapshot, TH32CS_SNAPALL, 0) and was wondering why there were some processes that couldn't be enumerated. My suggestion was that the processes are protecting themselves from being looked at since they are designed to protect the system. I don't believe debzequke is attempting anything like akane has suggested, and the fact that he has provided a code snippet only increases his credibility.
I have closed this topic because after numerous questions, we still do not know what debzequke wants to do with this info. Evasive answers are sufficient to close a topic that borders on rule violation and unless the moderators team is given a very good reason why it should be reopened, it will go to the scrap heap soon.
Quote: Umm, ProcDump works perfectly. I will try a little better ...
Pro: From what I can tell he is doing a dump of PE headers from Processes running in the system. He can not open the .exe files because of access violations of being open and in use. On top of that, he should be using EnumProcesses.
Con: After that, he wants to edit them. And is avoiding questions about that part. Recent/low posting member tackling advanced topics.
Personal Message Hutch or one of the moderators.
debzequke, please fill out more of your profile.
Regards, P1 :8)
I will open the topic on the basis that the member has contacted me but I am yet to hear a good reason why the member is trying to access code of this type. We have no problem with anyone writing a PE file editor but we do with anyone who wants access to any running process to modify it on the fly while in memory. This is technically the basis of many of the modern trojan forms, in memory patching of OS files and the like.
Please understand that with the membership in this forum that you collectively have hundreds of years of experience and no-one misses what is going on with unusual questions. To allow further postings we need a clear explanation of WHAT the member wants to do, not an assurance that its not security related.
If we get an acceptable answer, the topic will remain open, if not it goes to the scrap heap.
I started out doing a simple PE editor. I thought to add a process viewer to the proggy; anyway, that's what most PE editors do. The part with the process viewer is that a few processes behaved differently, while others, including core processes like smss, svchost etc., were responding while I was just trying to populate their modules. I would not have been surprised if they had responded in such a manner when I tried to kill them, but that was not the case.
If that were the final stage I would not have troubled myself, but I came across some process viewers that are able to succeed. So I want to understand why I failed.
What you are after sounds OK but understand we have been burnt a few times with guys trying to feed us bullsh*t while fishing for technical data for illegal purposes and we will never allow this. The tool you are trying to do sounds something like the Sys Internals "Process Explorer" which is very useful if you can get it onto a machine that has been trojan damaged as it allows you to shut down rogue processes and try and fix the OS installation.
This type of stuff is fine but make sure the topic does not wander off into the area of memory patching or other methods of circumventing commercial or OS software as we will close it down for good if it does.