Hi everybody
I'm working on the structs PROCESSENTRY32, MODULEENTRY32 and THREADENTRY32 for the 64-bit platform.
In the structs PROCESSENTRY32 and MODULEENTRY32 I needed to introduce padding to make them work fine.
The struct THREADENTRY32 doesn't need padding, but I think the result that I obtain is not completely right.
I specify the struct as follows:
THREADENTRY32 STRUCT
dwSize DWORD ?
cntUsage DWORD ?
th32ThreadID DWORD ?
th32OwnerProcessID DWORD ?
tpBasePri DWORD ?
tpDeltaPri DWORD ?
dwFlags DWORD ?
THREADENTRY32 ENDS
The size of it is 1C.
1st doubt:
When I call the API Thread32First, it changes dwSize to 23F28C (hex). The help for this API says that dwSize can be changed, but never to a number higher than the one I specify before the call.
2nd doubt:
I made some tests with my program. I know that my program uses 2 threads, and the results that I got were:
- 1st Thread
dwSize 23F28C <= That is wrong
cntUsage 0 <= OK
th32ThreadID 403014 <= Maybe
th32OwnerProcessID 9D8 <= That's OK in the Test
tpBasePri 8 <= It is in the range 0..1F. Maybe it is right
tpDeltaPri 403023 <= That's wrong
dwFlags 0 <= OK
- 2nd Thread
dwSize 23F28C <= That is wrong
cntUsage 0 <= OK
th32ThreadID 403014 <= Maybe
th32OwnerProcessID 9D8 <= That's OK in the Test
tpBasePri 8 <= It is in the range 0..1F. Maybe it is right
tpDeltaPri 403023 <= That's wrong
dwFlags 0 <= OK
I got the same values for the two threads, ???
Is anyone working with the THREADENTRY32 struct?
Best Regards,
GUAN
Your definition of THREADENTRY32 is correct, maybe there's some other problem with your code.
The new dwSize value is incorrect. If the function changed it, I could imagine values of 14h or 18h (since the last two members of the structure are unused). We can help you if you post a sample which replicates this problem.
If the struct is right, then I don't know what is wrong in my code, or maybe enumerating the threads on the 64-bit platform is different than on 32 bits, but I can't find anything about it in the MSDN.
I attach my includes, my RadASM project and my masm64.ini for working with RadASM (I don't know if it is completely necessary). Sorry, the comments in the files are in Spanish.
I use the same method for listing the current processes and heaps, and that works correctly. You can see it in Procesos.inc in the Comunes folder.
The function in charge of enumerating the threads of a process is this:
;***************************************************
; func is the offset of a callback function
;
; Callback prototype: LpTE:QWORD (pointer to a THREADENTRY32 struct)
;
; If the callback returns 0, stop the enumeration
;                        1, continue with the enumeration
;***************************************************
function EnumThread,func:QWORD,ProcID:DWORD
begin_alloc
alloc_var hSnapshot:QWORD
alloc_var te32:THREADENTRY32
end_alloc
invoke CreateToolhelp32Snapshot,TH32CS_SNAPTHREAD, ProcID
@IF <<cmp rax,INVALID_HANDLE_VALUE>>, NOEQUAL?
mov hSnapshot,rax
mov te32.THREADENTRY32.dwSize, sizeof THREADENTRY32
invoke Thread32First, hSnapshot, addr te32
EnumThread_otro:
@IF <<cmp rax,0>>, NOEQUAL?
xor rax,rax
mov eax, te32.THREADENTRY32.th32OwnerProcessID
@IF <<cmp eax,ProcID>>,EQUAL?
; reserve the 32-byte shadow (home) space the x64 calling convention requires for the callee
sub rsp,8*4
;arg 1
lea rcx,te32
;calling to the callback function
mov rax,func
call rax
; release the shadow space
add rsp,8*4
; Test the return for the function
cmp rax,0
je EnumThread_FIN ; If the jump is done the enumeration is finished
@ENDIF
mov te32.THREADENTRY32.dwSize, sizeof THREADENTRY32
invoke Thread32Next, hSnapshot, addr te32
jmp EnumThread_otro
@ENDIF
EnumThread_FIN:
; END
invoke CloseHandle, hSnapshot
@ENDIF
exitf
This function is called when you press the button.
As you can see, I use the x64calling macros, but modified by me to make them work with the wsprintf function and to fix other small bugs that I found.
[attachment deleted by admin]
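Because the struct sizes are the crux of this thread, here is an added check (my own portable C, not code from the post, the attachments or the Windows SDK) that mirrors the three Toolhelp structures with fixed-width members, so the x64 sizes and the position of the padding that PROCESSENTRY32 and MODULEENTRY32 need can be verified on any host. The `_x64` struct names and the helper functions are mine; the expected values in the comments are the 64-bit Windows SDK sizes, and the 28 (1Ch) for THREADENTRY32 matches the definition posted above.

```c
#include <stddef.h>
#include <stdint.h>

/* Win32 scalar types with fixed widths so the layout is identical on any host.
   ULONG_PTR, BYTE* and HMODULE are all 8 bytes wide on 64-bit Windows. */
typedef uint32_t DWORD;
typedef int32_t  LONG;
typedef uint64_t PTR64;

typedef struct {                 /* only 4-byte members: no padding anywhere */
    DWORD dwSize, cntUsage, th32ThreadID, th32OwnerProcessID;
    LONG  tpBasePri, tpDeltaPri;
    DWORD dwFlags;
} THREADENTRY32;

typedef struct {                 /* _x64 suffix is ours, not an SDK name */
    DWORD dwSize, cntUsage, th32ProcessID;
    /* the C compiler silently inserts 4 bytes here so the next member is
       8-aligned; a MASM definition needs an explicit DWORD of padding */
    PTR64 th32DefaultHeapID;     /* ULONG_PTR */
    DWORD th32ModuleID, cntThreads, th32ParentProcessID;
    LONG  pcPriClassBase;
    DWORD dwFlags;
    char  szExeFile[260];        /* MAX_PATH */
} PROCESSENTRY32_x64;

typedef struct {                 /* _x64 suffix is ours, not an SDK name */
    DWORD dwSize, th32ModuleID, th32ProcessID, GlblcntUsage, ProccntUsage;
    PTR64 modBaseAddr;           /* BYTE*; 4 bytes of padding precede it */
    DWORD modBaseSize;
    PTR64 hModule;               /* HMODULE; 4 bytes of padding precede it */
    char  szModule[256];         /* MAX_MODULE_NAME32 + 1 */
    char  szExePath[260];        /* MAX_PATH */
} MODULEENTRY32_x64;

/* sizeof each x64 structure: the value that must be stored in dwSize. */
size_t te32_size(void) { return sizeof(THREADENTRY32); }      /* 28  = 1Ch  */
size_t pe32_size(void) { return sizeof(PROCESSENTRY32_x64); } /* 304 = 130h */
size_t me32_size(void) { return sizeof(MODULEENTRY32_x64); }  /* 568 = 238h */

/* Offsets of the members that shift once the padding is in place. */
size_t pe32_heapid_offset(void)   { return offsetof(PROCESSENTRY32_x64, th32DefaultHeapID); } /* 16 */
size_t me32_baseaddr_offset(void) { return offsetof(MODULEENTRY32_x64, modBaseAddr); }       /* 24 */
size_t me32_hmodule_offset(void)  { return offsetof(MODULEENTRY32_x64, hModule); }           /* 40 */

/* Mirrors the MSDN rule: dwSize must equal sizeof(THREADENTRY32) before
   Thread32First/Thread32Next is called, otherwise the call fails. */
int te32_dwsize_ok(DWORD dwSize) { return dwSize == sizeof(THREADENTRY32); }
```

Compare the offsets printed by `pe32_heapid_offset`, `me32_baseaddr_offset` and `me32_hmodule_offset` against the MASM definitions to see exactly where the extra DWORD of padding has to go.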
These are my includes for the project and my init file for using ml64 with RadASM.
[attachment deleted by admin]
I have found my mistake.
The code is right; the problem was in the callback function, when I printed the values of the struct using wsprintf and MessageBox.
Thanks
GUAN