
error accessing process modules

Started by debzequke, January 12, 2006, 02:18:49 AM


debzequke

I am getting the error message 'Access Denied' while accessing module information of some specific processes (e.g. zlclient, vsmon, etc.). Below is a code snippet to give a better idea.

; --- enable SeDebugPrivilege in our own token ---
invoke   GetCurrentProcess
mov      hProcess, eax
invoke   OpenProcessToken, hProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
lea      eax, tkp.Privileges[0].Luid
invoke   LookupPrivilegeValue, NULL, SADD("SeDebugPrivilege"), eax
mov      tkp.PrivilegeCount, 1
mov      tkp.Privileges[0].Attributes, SE_PRIVILEGE_ENABLED
invoke   AdjustTokenPrivileges, hToken, FALSE, addr tkp, sizeof tkp, NULL, NULL
; AdjustTokenPrivileges returns success even when the token does not hold the
; privilege; GetLastError == ERROR_NOT_ALL_ASSIGNED (1300) means it was NOT enabled
invoke   GetLastError
mov      dwPrivErr, eax                    ; dwPrivErr / dwSnapErr are DWORD globals
invoke   CloseHandle, hToken

; --- walk the process list (TH32CS_SNAPPROCESS would be enough here) ---
invoke   CreateToolhelp32Snapshot, TH32CS_SNAPALL, 0
mov      hSnapShot, eax

mov      process.dwSize, sizeof PROCESSENTRY32
invoke   Process32First, hSnapShot, ADDR process
mov      module.dwSize, sizeof module

.while   eax
   ; one module snapshot per process; this is the call that fails for zlclient/vsmon
   invoke   CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, process.th32ProcessID
   mov      hSnapShot2, eax
   .if      eax ==  INVALID_HANDLE_VALUE
      invoke   GetLastError                 ; 5 = ERROR_ACCESS_DENIED
      mov      dwSnapErr, eax
      invoke   MessageBox, 0, ADDR process.szExeFile, 0, 0
   .else
      ; Module32First / Module32Next over hSnapShot2 go here
      invoke   CloseHandle, hSnapShot2      ; each snapshot is a handle; it leaked before
   .endif
   invoke   Process32Next, hSnapShot, ADDR process
.endw
invoke   CloseHandle, hSnapShot

Please help me sort this out.

thank you.

akane

To open zlclient or vsmon with full access you must first inject into csrss.exe and use its already opened handles to the processes.
See in Process Explorer: select the csrss process, in the lower handles pane add the columns handle+access and search for the zlclient handle :)

Now, if you're injected into csrss, do not try to open new handles to ZA (access denied); use those already opened.

How to inject? VirtualAlloc, WriteProcessMemory...
How to find the handle to zapro from the injected process? The handle is a 16-bit value; just search in a loop for "PID from current handle" using the XP API GetProcessId(handle) and compare the return value with the zapro PID :)
http://img477.imageshack.us/img477/7586/shkillprocesshowitworks3ki.jpg

Terminating the newest vsmon from within csrss works ok, but the system shows the message "blah vsmon is bad and must be closed".

debzequke

akane,

What I am trying to do is just obtain a list of running processes and then enumerate all modules specific to each process.
Everything is fine, but for some processes like vsmon it is not possible to enumerate the module state, since the call to CreateToolhelp32Snapshot specifying the TH32CS_SNAPMODULE value and the process identifier ends up with the extended error message 'Access Denied'.

I think I have adjusted the required token privilege but still have no idea what is going wrong behind the call.

A code snippet from someone would be greatly appreciated.

Thank you.


P1

debzequke,

Welcome aboard!!!    :U

What is the target OS for this code?  ( Hint: You don't have all your bases covered yet. )

Hint:  If you use 'Search', we have code already for this.

Check here too:  http://win.asmcommunity.net/board/index.php

Regards,  P1  :8)


zooba

Going by the fact that ZoneAlarm is a firewall, it wouldn't surprise me if they'd implemented some way of preventing other processes from looking too closely at them. It may just be a case of saying to your user that 'This process could not be enumerated' or something like that.
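The following is an added example and is not code from the thread or from any of its posters. It does what debzequke describes (every process, then every module of each process) but treats a protected target the way zooba suggests: it is reported as "could not be enumerated" and the scan continues. It also checks whether SeDebugPrivilege was really enabled, since AdjustTokenPrivileges succeeds even when the token does not hold the privilege, and retries the module snapshot on ERROR_BAD_LENGTH, which Toolhelp documents for processes that are still initialising. SeDebugPrivilege bypasses the target's DACL, so if it is enabled and the snapshot still fails with ERROR_ACCESS_DENIED, something other than the DACL is protecting that process. Assumptions: the MASM32 SDK with masm32rt.inc (print, ustr$, SADD macros) on Windows XP or later; the procedure names EnableDebugPrivilege and SnapModules are mine.

```asm
; Added example: robust process/module enumeration with SeDebugPrivilege.
; Assumes the MASM32 SDK (masm32rt.inc pulls in windows.inc, kernel32 and the macros).
.386
.model flat, stdcall
option casemap:none
include \masm32\include\masm32rt.inc

.data?
hSnap       dd ?
hModSnap    dd ?
lastErr     dd ?
process     PROCESSENTRY32 <>
module      MODULEENTRY32  <>

.code

; Enable SeDebugPrivilege in the caller's token. Returns TRUE in eax only if the
; privilege was actually enabled: AdjustTokenPrivileges returns success even when
; the token does not hold the privilege, and GetLastError then says
; ERROR_NOT_ALL_ASSIGNED (typically: the caller is not an administrator).
EnableDebugPrivilege proc
    LOCAL hToken:DWORD
    LOCAL tkp:TOKEN_PRIVILEGES
    LOCAL rc:DWORD

    invoke GetCurrentProcess
    invoke OpenProcessToken, eax, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
    .if eax == 0
        xor eax, eax
        ret
    .endif
    lea eax, tkp.Privileges.Luid
    invoke LookupPrivilegeValue, NULL, SADD("SeDebugPrivilege"), eax
    mov tkp.PrivilegeCount, 1
    mov tkp.Privileges.Attributes, SE_PRIVILEGE_ENABLED
    invoke AdjustTokenPrivileges, hToken, FALSE, addr tkp, sizeof tkp, NULL, NULL
    mov rc, eax
    invoke GetLastError
    .if rc == 0 || eax == ERROR_NOT_ALL_ASSIGNED
        mov rc, FALSE
    .else
        mov rc, TRUE
    .endif
    invoke CloseHandle, hToken
    mov eax, rc
    ret
EnableDebugPrivilege endp

; Module snapshot of one process. Returns the snapshot handle, or
; INVALID_HANDLE_VALUE with the Win32 error code stored at pErr.
; ERROR_BAD_LENGTH: target still starting up, retry (documented Toolhelp behaviour).
; ERROR_ACCESS_DENIED: target is protected; the caller reports it and moves on.
SnapModules proc pid:DWORD, pErr:DWORD
    LOCAL tries:DWORD
    mov tries, 8
    .repeat
        invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, pid
        .if eax != INVALID_HANDLE_VALUE
            ret
        .endif
        invoke GetLastError
        mov edx, pErr
        mov dword ptr [edx], eax
        dec tries
    .until eax != ERROR_BAD_LENGTH || tries == 0
    mov eax, INVALID_HANDLE_VALUE
    ret
SnapModules endp

start:
    invoke EnableDebugPrivilege
    .if eax == 0
        print "SeDebugPrivilege not enabled; protected processes will be reported, not read", 13, 10
    .endif

    invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    mov hSnap, eax
    mov process.dwSize, sizeof PROCESSENTRY32
    invoke Process32First, hSnap, addr process
    .while eax
        print addr process.szExeFile, 13, 10
        invoke SnapModules, process.th32ProcessID, addr lastErr
        .if eax == INVALID_HANDLE_VALUE
            .if lastErr == ERROR_ACCESS_DENIED
                print "    modules could not be enumerated: access denied", 13, 10
            .else
                print "    modules could not be enumerated, Win32 error "
                print ustr$(lastErr), 13, 10
            .endif
        .else
            mov hModSnap, eax
            mov module.dwSize, sizeof MODULEENTRY32
            invoke Module32First, hModSnap, addr module
            .while eax
                print "    "
                print addr module.szExePath, 13, 10
                invoke Module32Next, hModSnap, addr module
            .endw
            invoke CloseHandle, hModSnap     ; every snapshot is a kernel handle
        .endif
        invoke Process32Next, hSnap, addr process
    .endw
    invoke CloseHandle, hSnap
    invoke ExitProcess, 0
end start
```

Build it as a console application with the usual MASM32 batch files and run it from an administrator account; a process that still prints "access denied" with the privilege enabled is the case discussed in this thread, and the right response in a tool like this is to show that line to the user rather than to escalate further.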

P1

Quote from: zooba on January 12, 2006, 11:43:26 PM
Going by the fact that ZoneAlarm is a firewall, it wouldn't surprise me if they'd implemented some way of preventing other processes from looking too closely at them. It may just be a case of saying to your user that 'This process could not be enumerated' or something like that.
I'm trying to remain open minded about what they are trying to do.

So now that the subject has come up.  What are you trying to do?  I hope you have read the forum rules.

Regards,  P1  :8)

debzequke

QuoteWhat is target OS for this code?  ( Hint: You don't all your bases covered yet. )
Hint:  If you use 'Search', we have code already for this.

Ok good, I have searched the forum and also found a couple of source code examples.
Wait ... oops, they too fail at the same point.


BTW, I am working on XP.


debzequke

Umm, ProcDump works perfectly.  I will try a little harder ...

sinsi

Hey dude, seems to be a bit suss...
Why do you need to know other processes,
and their modules?

Have you read the rules?

I suggest you read and assimilate them...
Light travels faster than sound, that's why some people seem bright until you hear them.

zooba

Personally I think it's a case of 'wanting' to know rather than 'needing' to know. Process explorer style tools are entirely legitimate AFAIK.

The 'suss' bit is akane's suggestion. Closing down someones firewall is definitely not permitted around here.

debzequke


I will make things clear: it's not a matter of a security hazard. Actually I came across this when I was coding my own personal PE editor. Moreover, I think I need a walkup if I find something lurking on my system. I am glad to accept it if someone is going to help me personally.

thank you.

sinsi

Quote from: zooba on January 14, 2006, 10:41:20 PM
Personally I think it's a case of 'wanting' to know rather than 'needing' to know. Process explorer style tools are entirely legitimate AFAIK.

The 'suss' bit is akane's suggestion. Closing down someones firewall is definitely not permitted around here.

but the original post mentioned 2 programs...the Zone Alarm client and its associated monitor...and only 2

P1

With XP, you want to EnumProcesses.  I use GetVersionEx ( VER_PLATFORM_WIN32_NT ) to determine whether to go CreateToolhelp32Snapshot or EnumProcesses. 

Do a Search, and you should come up with some viable code.

Regards,  P1  :8)

zooba

Quote from: sinsi on January 16, 2006, 11:26:09 AM
Quote from: zooba on January 14, 2006, 10:41:20 PM
Personally I think it's a case of 'wanting' to know rather than 'needing' to know. Process explorer style tools are entirely legitimate AFAIK.

The 'suss' bit is akane's suggestion. Closing down someones firewall is definitely not permitted around here.

but the original post mentioned 2 programs...the Zone Alarm client and its associated monitor...and only 2

Quote from: debzequke on January 12, 2006, 02:18:49 AM
Am getting error message 'Access Denied' while accessing module informations of some specific process (for eg: zlclient, vsmon etc).

He is attempting to enumerate ALL processes and ALL modules (invoke   CreateToolhelp32Snapshot, TH32CS_SNAPALL, 0) and was wondering why there were some processes that couldn't be enumerated. My suggestion was that the processes are protecting themselves from being looked at since they are designed to protect the system. I don't believe debzequke is attempting anything like akane has suggested, and the fact that he has provided a code snippet only increases his credibility.

hutch--

I have closed this topic because after numerous questions, we still do not know what debzequke wants to do with this info. Evasive answers are sufficient to close a topic that borders on rule violation and unless the moderators team is given a very good reason why it should be reopened, it will go to the scrap heap soon.