CreateToolHelp32SnapShot

Started by FlySky, January 01, 2010, 01:04:17 PM

FlySky

Hey guys,

I am just playing with listing all modules loaded by a process. The problem I am having is the following: it keeps re-adding the modules in my listbox and doesn't stop.

Here is my code:

RetrieveModules FRAME
LOCAL xModule:MODULEENTRY32                                                       ;MODULEENTRY32 structure that receives each module entry

invoke GetDlgItem, [DLLDialogHandle], 420                                         ;Retrieve the handle to our listbox
mov [ListboxMod], eax                                                             ;Store the handle of the listbox
invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, [ProcessId]                   ;Take a snapshot of all modules used by the specified process
cmp eax, -1                                                                       ;INVALID_HANDLE_VALUE: the snapshot failed
je >L2
mov [hSnap], eax                                                                  ;Copy the snapshot handle to variable hSnap
mov D[xModule.dwSize], sizeof xModule                                             ;dwSize must be set before Module32First is called
invoke Module32First, [hSnap], offset xModule                                     ;Retrieve information about the first module of the process
test eax, eax                                                                     ;No first entry? Then there is nothing to list
jz >L1
GetDLL:
invoke SendMessage, [ListboxMod], LB_ADDSTRING, NULL, offset xModule.szModule     ;Write the name of the module to our listbox
invoke Module32Next, [hSnap], offset xModule
test eax, eax                                                                     ;Did we go through all modules?
jnz <GetDLL
L1:
invoke CloseHandle, [hSnap]
L2:
xor eax, eax
RET

ENDF

The function is called as soon as the dialog box opens up, so it's called when the dialog box is initialized. It can be called from here, right, as the dialog box will only be initialized just once when it is created?

FlySky

I made this topic too fast, sorry for that guys.

I fixed my mistake and below this reply you will find the new source code to it:

It seems I placed the conditional jump which determines if the dialog box is created at the wrong spot. I placed it below the instruction that calls the function to see which modules are loaded within a selected process. So it was calling the function all the time, therefore it kept re-doing the reading of loaded modules by a selected process.

Here is the source code:

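DLLProc FRAME hWndDLL, uMsg, wParam, lParam

Wm_1a:
    cmp D[uMsg], WM_INITDIALOG          ;Only fill the listbox once, when the dialog is created
    jnz >Wm_2a
    mov eax, [hWndDLL]                  ;eax is used here because ebx must be preserved in a dialog procedure
    mov [DLLDialogHandle], eax
    invoke RetrieveModules

Wm_2a:
    cmp D[uMsg], WM_COMMAND
    jnz >Wm_3a

Wm_3a:
    xor eax, eax
    ret
ENDF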

RetrieveModules FRAME
LOCAL xModule:MODULEENTRY32                                                       ;MODULEENTRY32 structure that receives each module entry

invoke GetDlgItem, [DLLDialogHandle], 420                                         ;Retrieve the handle to our listbox
mov [ListboxMod], eax                                                             ;Store the handle of the listbox
invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, [ProcessId]                   ;Take a snapshot of all modules used by the specified process
cmp eax, -1                                                                       ;INVALID_HANDLE_VALUE: the snapshot failed
je >L2
mov [hSnap], eax                                                                  ;Copy the snapshot handle to variable hSnap
mov D[xModule.dwSize], sizeof xModule                                             ;dwSize must be set before Module32First is called
invoke Module32First, [hSnap], offset xModule                                     ;Retrieve information about the first module of the process
test eax, eax                                                                     ;No first entry? Then there is nothing to list
jz >L1
GetDLL:
invoke SendMessage, [ListboxMod], LB_ADDSTRING, NULL, offset xModule.szModule     ;Write the name of the module to our listbox
invoke Module32Next, [hSnap], offset xModule
test eax, eax                                                                     ;Did we go through all modules?
jnz <GetDLL
L1:
invoke CloseHandle, [hSnap]
L2:
xor eax, eax
RET

ENDF

FlySky

Morning everyone,

I am facing a little problem I am not understanding in any way.

I will first explain the problem, then post my source code:

I am trying to enumerate all modules from a specified process. Sounds easy you might think, but I am facing a really weird issue.
But at the moment I am checking the loaded modules, not all modules are loaded; could that be a problem when trying to enumerate the modules?
No matter what I try, it keeps getting back with the return value ffffffff. I used the GetLastError API to determine the error code and it's: partial copy 0x12b / ERROR_PARTIAL_COPY.
From what I understand from the MSDN this can happen when the process trying to enumerate from is 64 bit and the calling process is 32 bit. But that's not the case. Both processes are 32 bit so I don't understand why it wouldn't enumerate the modules.

Below is the snippet of the function I am using.

Invoke CreateToolhelp32Snapshot,TH32CS_SNAPMODULE,[pinfo.dwProcessId]

GetModuleSnapshot frame pModuleName
Local hProcessSnap:D
Local me32:MODULEENTRY32

;Invoke CreateToolhelp32Snapshot,TH32CS_SNAPMODULE,[pinfo.dwProcessId] ;This snaps all modules including 64 bit ones. If the calling process is 32 bit it will fail with
;                                                                      ;partial copy 0x12b / ERROR_PARTIAL_COPY (299). We need to snap all 32 bit modules!
;invoke GetLastError
Invoke CreateToolhelp32Snapshot,10h,[pinfo.dwProcessId]                ;10h = TH32CS_SNAPMODULE32
Cmp Eax, -1                                                            ;INVALID_HANDLE_VALUE: the snapshot failed
Je >L2
Mov [hProcessSnap], Eax                                                ;Store the handle in the variable the calls below use
Mov D[me32.dwSize], SIZEOF MODULEENTRY32                               ;Copy size of module entry
Invoke Module32First, [hProcessSnap], Addr me32                        ;Load first module
Test Eax, Eax
Jnz >CheckModule
Jmp >L1                                                                ;No first module: clean up and return 0

W1:
   Invoke Module32Next, [hProcessSnap], Addr me32
   Test Eax, Eax
   Jz >L1

CheckModule:
   Invoke lstrcmpi, Offset me32.szModule, [pModuleName]
   Test Eax, Eax
   Jnz <W1
   Invoke CloseHandle, [hProcessSnap]                                  ;Release the snapshot before returning
   Mov Eax, [me32.hModule]                                             ;Copy base of module / handle of module in eax and ret
   Ret
L1:
   Invoke CloseHandle, [hProcessSnap]
L2:
   Xor Eax, Eax
   Ret
endf

donkey

Quote from: FlySky on October 15, 2011, 08:57:12 AM
GetLastError API to determine the error code and it's: partial copy 0x12b / ERROR_PARTIAL_COPY.
From what I understand from the MSDN this can happen when the process trying to enumerate from is 64 bit and the calling process is 32 bit. But that's not the case. Both processes are 32 bit so I don't understand why it wouldn't enumerate the modules.

Hi Flysky,

I am not completely sure whether any 64 bit WoW modules are opaque to the 32 bit toolhelp api but if one is it would give that error. I would suggest that you run Windows XP mode to see if the problem persists in a fully 32 bit OS.

Edgar

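Added example, not code from any poster in this thread: a 32-bit GoAsm wrapper around CreateToolhelp32Snapshot that tells the two failure cases apart. ERROR_BAD_LENGTH (24) is the one the API documentation says to retry; anything else, including the ERROR_PARTIAL_COPY (299) discussed above, is handed back to the caller unchanged. The names SnapModules and pdwError and the retry count of 8 are assumptions made for the example.

```asm
; Added example (GoAsm, 32-bit). SnapModules, pdwError and the retry
; budget are hypothetical; only the Win32 calls and constants are real.
;
; In : dwPid    = process id to snapshot
;      pdwError = pointer to a DWORD that receives the Win32 error code
; Out: eax = snapshot handle, or 0 on failure with [pdwError] filled in

SnapModules FRAME dwPid, pdwError
USES ebx
    mov ebx, 8                      ;retry budget for ERROR_BAD_LENGTH
L1:
    ;18h = TH32CS_SNAPMODULE (8) or TH32CS_SNAPMODULE32 (10h)
    invoke CreateToolhelp32Snapshot, 18h, [dwPid]
    cmp eax, -1                     ;INVALID_HANDLE_VALUE?
    jne >L3                         ;no: eax is a usable snapshot handle

    invoke GetLastError             ;read the error before any other API call
    cmp eax, 24                     ;ERROR_BAD_LENGTH: module list changed, try again
    jne >L2                         ;any other error (e.g. 299) is reported as is
    dec ebx
    jnz <L1                         ;retries left
                                    ;budget used up: fall through with eax = 24
L2:
    mov edx, [pdwError]
    mov [edx], eax                  ;hand the error code to the caller
    xor eax, eax                    ;0 = no snapshot
L3:
    ret
ENDF
```

A caller that gets 0 back can log the stored code next to the process id, and must call CloseHandle on any non-zero handle once Module32First / Module32Next are finished.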