Jump to content

The Code which is not working only in windows xp

oguzhankrcby
 Share

Recommended Posts

oguzhankrcby Apprentice

oguzhankrcby 2

Posted
Posted
Hi to all !
 
I have made a code which can enumerate module names associated threads.
But there is a problem in windows xp. When i enumarate modules dll names return NULL.
 
IN WINDOWS XP LIKE THAT :
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
IN WINDOWS 8 , WINDOWS 7 , WIN 8.1
Karacabay-Scan : Dlls : D:TEMIZ METIN2 - HS CALISMAgiris.exe
Karacabay-Scan : Dlls : D:TEMIZ METIN2 - HS CALISMAgiris.exe
Karacabay-Scan : Dlls : C:WindowsSYSTEM32ntdll.dll
Karacabay-Scan : Dlls : C:WindowsSYSTEM32ntdll.dll
Karacabay-Scan : Dlls : C:WindowsSYSTEM32ntdll.dll
Karacabay-Scan : Dlls : C:WindowsSYSTEM32ntdll.dll
Karacabay-Scan : Dlls : C:WindowsSYSTEM32ntdll.dll
Karacabay-Scan : Dlls : C:WindowsSYSTEM32ntdll.dll
Karacabay-Scan : Dlls : C:Windowssystem32mswsock.dll
 
And here is my source :
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define ThreadQuerySetWin32StartAddress 9
typedef NTSTATUS (WINAPI *NTQUERYINFOMATIONTHREAD)(HANDLE, LONG, PVOID, ULONG, PULONG);
 
BOOL MatchAddressToModule(__in DWORD dwProcId, __out_bcount(MAX_PATH) LPTSTR lpstrModule, __in DWORD dwThreadStartAddr, __out_opt PDWORD pModuleStartAddr) // by Echo
{
    BOOL bRet = FALSE;
HANDLE hSnapshot;
MODULEENTRY32 moduleEntry32;
 
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPALL, dwProcId);
 
moduleEntry32.dwSize = sizeof(MODULEENTRY32);
moduleEntry32.th32ModuleID = 1;
 
if(Module32First(hSnapshot, &moduleEntry32)){
   if(dwThreadStartAddr >= (DWORD)moduleEntry32.modBaseAddr && dwThreadStartAddr <= ((DWORD)moduleEntry32.modBaseAddr + moduleEntry32.modBaseSize)){
           
wcscpy(lpstrModule, moduleEntry32.szExePath);
    //convert from wide char to narrow char array
   
 
   }else{
            while(Module32Next(hSnapshot, &moduleEntry32)){
                if(dwThreadStartAddr >= (DWORD)moduleEntry32.modBaseAddr && dwThreadStartAddr <= ((DWORD)moduleEntry32.modBaseAddr + moduleEntry32.modBaseSize)){
                   wcscpy(lpstrModule, moduleEntry32.szExePath);
 
 
                    break;
                }
            }
   }
    }
 
    if(pModuleStartAddr) *pModuleStartAddr = (DWORD)moduleEntry32.modBaseAddr;
CloseHandle(hSnapshot);
 
return bRet;
}
 
DWORD WINAPI GetThreadStartAddress(__in HANDLE hThread) // by Echo
{
    NTSTATUS ntStatus;
    DWORD dwThreadStartAddr = 0;
    HANDLE hPeusdoCurrentProcess, hNewThreadHandle;
    NTQUERYINFOMATIONTHREAD NtQueryInformationThread;
 
    if((NtQueryInformationThread = (NTQUERYINFOMATIONTHREAD)GetProcAddress(GetModuleHandle(_T("ntdll.dll")), ("NtQueryInformationThread")))){
        hPeusdoCurrentProcess = GetCurrentProcess();
        if(DuplicateHandle(hPeusdoCurrentProcess, hThread, hPeusdoCurrentProcess, &hNewThreadHandle, THREAD_QUERY_INFORMATION, FALSE, 0)){
            ntStatus = NtQueryInformationThread(hNewThreadHandle, ThreadQuerySetWin32StartAddress, &dwThreadStartAddr, sizeof(DWORD), NULL);
            CloseHandle(hNewThreadHandle);
            if(ntStatus != STATUS_SUCCESS){
return 0;
}
        }
 
    }
 
    return dwThreadStartAddr;
}
 
int threadmodules()
{
 HANDLE hSnapshot, hThread;
    THREADENTRY32 threadEntry32;
    DWORD dwModuleBaseAddr, dwThreadStartAddr;
    TCHAR lpstrModuleName[MAX_PATH] = {0};
CHAR moduleget[MAX_PATH] = {0};
    if((hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, GetCurrentProcessId())) == INVALID_HANDLE_VALUE) return 0;
 
    threadEntry32.dwSize = sizeof(THREADENTRY32);
    threadEntry32.cntUsage = 0;
 
    if(Thread32First(hSnapshot, &threadEntry32)){
        if(threadEntry32.th32OwnerProcessID == GetCurrentProcessId()){
hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, threadEntry32.th32ThreadID);
dwThreadStartAddr = GetThreadStartAddress(hThread);
MatchAddressToModule(GetCurrentProcessId(), lpstrModuleName, dwThreadStartAddr, &dwModuleBaseAddr);
std::wstring aaa  (lpstrModuleName);
std::string mystr (aaa.begin() , aaa.end());
 
fstream textfile;
textfile.open ("mgm.log", ios::out | ios::app);
textfile<< "Karacabay-Scan : " <<"Dlls : "<< mystr.c_str()<< endl;
 
CloseHandle(hThread);
}
while(Thread32Next(hSnapshot, &threadEntry32)){
if(threadEntry32.th32OwnerProcessID == GetCurrentProcessId()){
hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, threadEntry32.th32ThreadID);
dwThreadStartAddr = GetThreadStartAddress(hThread);
MatchAddressToModule(GetCurrentProcessId(), lpstrModuleName, dwThreadStartAddr, &dwModuleBaseAddr);
std::wstring aaa  (lpstrModuleName);
std::string mystr (aaa.begin() , aaa.end());
 
fstream textfile;
textfile.open ("mgm.log", ios::out | ios::app);
textfile<< "Karacabay-Scan : " <<"Dlls : "<< mystr.c_str()<< endl;
 
CloseHandle(hThread);
}
        }
    }
 
CloseHandle(hSnapshot);
return 0;
}
 
Link to comment
Share on other sites
  • Replies 6
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

cBaraN
cBaraN

@Shogun @Denis I think they can help.

oguzhankrcby
oguzhankrcby

Thank you very much bro

metin2team
metin2team

but Shogun is not a C++ developer xD   good luck.

Denis Mentor

Denis 1462

Posted
Posted

This should work:

int GetDLLS()
{
	DWORD dwPID = GetCurrentProcessId;
	HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
	MODULEENTRY32 me32;
	hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
	if(hModuleSnap == INVALID_HANDLE_VALUE)
	{
		
	}
	me32.dwSize = sizeof(MODULEENTRY32);
	if(!Module32First(hModuleSnap, &me32))
	{
		CloseHandle(hModuleSnap);
	}
	int tuplemain_index = 0;
	do{tuplemain_index++;}while(Module32Next(hModuleSnap, &me32));
	PyObject *DllTupleMain = PyTuple_New(tuplemain_index);
	PyObject *DllTupleChild;

	Module32First(hModuleSnap, &me32);
	tuplemain_index = 0;
	fstream log;
	log.open("log.txt",ios::out|ios::app);	
	do
	{
		log << "DLL: " << me32.szModule << endl;
		tuplemain_index++;
	}while(Module32Next(hModuleSnap, &me32));
	log << "DLL Count " << tuplemain_index << endl;
	CloseHandle(hModuleSnap);
}
Link to comment
Share on other sites
oguzhankrcby Apprentice

oguzhankrcby 2

Posted
  • Author
Posted

 

This should work:

int GetDLLS()
{
	DWORD dwPID = GetCurrentProcessId;
	HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
	MODULEENTRY32 me32;
	hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
	if(hModuleSnap == INVALID_HANDLE_VALUE)
	{
		
	}
	me32.dwSize = sizeof(MODULEENTRY32);
	if(!Module32First(hModuleSnap, &me32))
	{
		CloseHandle(hModuleSnap);
	}
	int tuplemain_index = 0;
	do{tuplemain_index++;}while(Module32Next(hModuleSnap, &me32));
	PyObject *DllTupleMain = PyTuple_New(tuplemain_index);
	PyObject *DllTupleChild;

	Module32First(hModuleSnap, &me32);
	tuplemain_index = 0;
	fstream log;
	log.open("log.txt",ios::out|ios::app);	
	do
	{
		log << "DLL: " << me32.szModule << endl;
		tuplemain_index++;
	}while(Module32Next(hModuleSnap, &me32));
	log << "DLL Count " << tuplemain_index << endl;
	CloseHandle(hModuleSnap);
}

 

but i need module names which are associated threads not only module name :(

Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share
Go to topic listing

Announcements



×
×
  • Create New...

Important Information

Terms of Use / Privacy Policy / Guidelines / We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.