[MASM] Native Enum Processes

[MASM] Native Enum Processes

Author: steve10120

; steve10120@ic0de.org

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
include \masm32\include\masm32rt.inc
include \masm32\include\ntdll.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\ntdll.lib
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

; CLIENT_ID — process/thread identifier pair as used by the native API.
; Both members are HANDLE-sized; declared as 4 bytes, i.e. the 32-bit layout.
CLIENT_ID               STRUCT
    UniqueProcess           DWORD ?         ; process id
    UniqueThread            DWORD ?         ; thread id
CLIENT_ID               ENDS

; SYSTEM_THREADS — one per-thread record trailing a SYSTEM_PROCESS_INFORMATION
; entry. 32-bit layout (StartAddress and the CLIENT_ID members are 4 bytes).
; This program never reads these fields; the type only keeps sizes consistent.
SYSTEM_THREADS          STRUCT
    KernelTime              LARGE_INTEGER <>
    UserTime                LARGE_INTEGER <>
    CreateTime              LARGE_INTEGER <>
    WaitTime                DWORD ?
    StartAddress            DWORD ?         ; PVOID on x86
    ClientId                CLIENT_ID <>
    Priority                SDWORD ?        ; signed
    BasePriority            SDWORD ?        ; signed
    ContextSwitchCount      DWORD ?
    State                   DWORD ?
    WaitReason              DWORD ?
SYSTEM_THREADS          ENDS

; UNICODE_STRING — counted UTF-16 string as used by the native API.
; `Len` is the Win32 field `Length` (renamed because LENGTH is a MASM operator).
; Both counts are in BYTES, not characters, and Buffer is not required to be
; NUL-terminated — code that treats Buffer as a C string must honour Len.
UNICODE_STRING          STRUCT
    Len                     WORD ?          ; bytes in use
    MaximumLength           WORD ?          ; bytes allocated
    Buffer                  PWSTR ?
UNICODE_STRING          ENDS

; VM_COUNTERS — per-process memory statistics.
; Every SIZE_T is declared as a 32-bit DWORD, so this layout is valid for
; x86 (32-bit) processes only. Not read by this program.
VM_COUNTERS             STRUCT
    PeakVirtualSize             DWORD ?     ; SIZE_T
    VirtualSize                 DWORD ?     ; SIZE_T
    PageFaultCount              DWORD ?
    PeakWorkingSetSize          DWORD ?     ; SIZE_T
    WorkingSetSize              DWORD ?     ; SIZE_T
    QuotaPeakPagedPoolUsage     DWORD ?     ; SIZE_T
    QuotaPagedPoolUsage         DWORD ?     ; SIZE_T
    QuotaPeakNonPagedPoolUsage  DWORD ?     ; SIZE_T
    QuotaNonPagedPoolUsage      DWORD ?     ; SIZE_T
    PagefileUsage               DWORD ?     ; SIZE_T
    PeakPagefileUsage           DWORD ?     ; SIZE_T
VM_COUNTERS             ENDS

; SYSTEM_PROCESS_INFORMATION — one entry of the variable-length snapshot that
; NtQuerySystemInformation returns for information class 5.
; Entries are chained by NextEntryDelta, the byte offset to the next entry;
; 0 marks the last one. Only NextEntryDelta and ProcessName are read by this
; program. 32-bit layout; the Reserved* blocks stand in for members the
; listing does not name.
; NOTE(review): the IO_COUNTERS comment is kept from the original. If the
; target OS does place IO_COUNTERS after VmCounters, the Threads offset below
; is off by its size — verify before relying on Threads.
SYSTEM_PROCESS_INFORMATION  STRUCT
    NextEntryDelta              DWORD ?
    ThreadCount                 DWORD ?
    Reserved1                   DWORD 6 dup (?)
    CreateTime                  LARGE_INTEGER <>
    UserTime                    LARGE_INTEGER <>
    KernelTime                  LARGE_INTEGER <>
    ProcessName                 UNICODE_STRING <>   ; Buffer may be NULL; the enumeration loop checks
    BasePriority                SDWORD ?
    ProcessId                   DWORD ?
    InheritedFromProcessId      DWORD ?
    HandleCount                 DWORD ?
    Reserved2                   DWORD 2 dup (?)
    VmCounters                  VM_COUNTERS <>
    ;IO_COUNTERS IoCounters; // Windows 2000 only
    Threads                     SYSTEM_THREADS <>   ; first of ThreadCount records
SYSTEM_PROCESS_INFORMATION  ENDS

.data
; Output area for WideToAnsi: the ANSI copy of the current process name.
; Zero-initialised.
szBuffer        db 256 dup (0)

.data?
; Byte count of the process snapshot as reported by NtQuerySystemInformation;
; also used as the VirtualAlloc size.
dwReturnLength  dd ?

.code

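;-----------------------------------------------------------------------
; DWORD WideToAnsi(LPCWSTR szData)                      (stdcall, Win32)
; Purpose: convert the wide string at szData to the ANSI code page into
;          the global szBuffer.
; In:    szData = pointer to a NUL-terminated UTF-16 string. Note that a
;        UNICODE_STRING.Buffer is not guaranteed to be NUL-terminated;
;        this routine has no length argument, so the caller takes that risk.
; Out:   eax = bytes written to szBuffer (incl. terminator), 0 on failure.
;        szBuffer is a NUL-terminated string on return in every case.
; Clobb: eax, ecx, edx, flags (edi/esi/ebx preserved, as the caller relies on)
;-----------------------------------------------------------------------
WideToAnsi proc szData:DWORD
    ; cchWideChar = -1: source is NUL-terminated (the original passed
    ; INVALID_HANDLE_VALUE, which is the same value, for this purpose).
    ; cbMultiByte is one less than the buffer so the final byte of szBuffer
    ; is never written and stays 0: a result that exactly fills the buffer
    ; can no longer leave it unterminated for the caller's print.
    invoke WideCharToMultiByte, CP_ACP, WC_COMPOSITECHECK, szData, -1, ADDR szBuffer, SIZEOF szBuffer - 1, NULL, NULL
    test eax, eax
    jnz @F
    ; On failure (e.g. ERROR_INSUFFICIENT_BUFFER) the API may have left a
    ; partial, unterminated string behind; present an empty string instead
    ; of stale or overrunning output.
    mov byte ptr szBuffer, 0
@@:
    ret                                 ; MASM emits leave / ret 4 (stdcall)
WideToAnsi endp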

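; Information class passed to NtQuerySystemInformation for the process
; snapshot (SystemProcessInformation), and the NTSTATUS it returns when the
; caller's buffer is too small (STATUS_INFO_LENGTH_MISMATCH). Declared
; locally so the listing does not depend on an ntstatus header.
SYSINFO_PROCESS_CLASS       equ 5
NTSTATUS_LENGTH_MISMATCH    equ 0C0000004h
SNAPSHOT_SLACK              equ 4096        ; headroom added per allocation
SNAPSHOT_RETRIES            equ 4           ; bound on size/query races

;-----------------------------------------------------------------------
; Entry point. Takes a snapshot of all processes through
; NtQuerySystemInformation, prints each process image name on its own
; line, waits for a key and exits.
; Registers: edi = current SYSTEM_PROCESS_INFORMATION entry (callee-saved
;            across the stdcall APIs invoked below); esi = retry budget.
;-----------------------------------------------------------------------
start:
    ; Size probe: with a NULL buffer the call fails but reports the byte
    ; count it needs in dwReturnLength.
    invoke NtQuerySystemInformation, SYSINFO_PROCESS_CLASS, NULL, 0, ADDR dwReturnLength
    mov esi, SNAPSHOT_RETRIES

Acquire:
    ; Processes may be created between the probe and the real query, so the
    ; reported size can already be stale. Add slack, allocate, and retry on
    ; a length mismatch instead of silently printing nothing.
    add dwReturnLength, SNAPSHOT_SLACK
    invoke VirtualAlloc, NULL, dwReturnLength, MEM_COMMIT, PAGE_READWRITE
    test eax, eax
    jz EndMain                          ; allocation failed: nothing to free
    mov edi, eax
    invoke NtQuerySystemInformation, SYSINFO_PROCESS_CLASS, edi, dwReturnLength, ADDR dwReturnLength
    test eax, eax
    jz ProcessLoop                      ; STATUS_SUCCESS
    cmp eax, NTSTATUS_LENGTH_MISMATCH
    jne FreeMem                         ; any other NTSTATUS: give up
    ; Buffer too small; dwReturnLength now holds the updated requirement.
    ; Release this block and try again within the budget.
    invoke VirtualFree, edi, 0, MEM_RELEASE
    dec esi
    jnz Acquire
    jmp EndMain

    ASSUME edi:PTR SYSTEM_PROCESS_INFORMATION
ProcessLoop:
    ; Entries without an image name carry a NULL Buffer; skip them.
    mov eax, [edi].ProcessName.Buffer
    test eax, eax
    jz NextItem
    invoke WideToAnsi, eax
    print OFFSET szBuffer, 13, 10

NextItem:
    ; NextEntryDelta is the byte offset to the following entry; 0 ends the list.
    cmp [edi].NextEntryDelta, 0
    je FreeMem
    add edi, [edi].NextEntryDelta
    jmp ProcessLoop
    ASSUME edi:NOTHING

FreeMem:
    invoke VirtualFree, edi, 0, MEM_RELEASE
EndMain:
    inkey
    ; Terminate explicitly rather than returning from the entry point, so the
    ; process ends even if other threads are still running.
    invoke ExitProcess, 0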

end start

Sursa: ic0de.org
