oguzhankrcby 2 Posted August 6, 2014 Share Posted August 6, 2014 Hi to all ! I have made a code which can enumerate module names associated threads. But there is a problem in windows xp. When i enumarate modules dll names return NULL. IN WINDOWS XP LIKE THAT : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : IN WINDOWS 8 , WINDOWS 7 , WIN 8.1 Karacabay-Scan : Dlls : D:TEMIZ METIN2 - HS CALISMAgiris.exe Karacabay-Scan : Dlls : D:TEMIZ METIN2 - HS CALISMAgiris.exe Karacabay-Scan : Dlls : C:WindowsSYSTEM32ntdll.dll Karacabay-Scan : Dlls : C:WindowsSYSTEM32ntdll.dll Karacabay-Scan : Dlls : C:WindowsSYSTEM32ntdll.dll Karacabay-Scan : Dlls : C:WindowsSYSTEM32ntdll.dll Karacabay-Scan : Dlls : C:WindowsSYSTEM32ntdll.dll Karacabay-Scan : Dlls : C:WindowsSYSTEM32ntdll.dll Karacabay-Scan : Dlls : C:Windowssystem32mswsock.dll And here is my source : #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) #define ThreadQuerySetWin32StartAddress 9 typedef NTSTATUS (WINAPI *NTQUERYINFOMATIONTHREAD)(HANDLE, LONG, PVOID, ULONG, PULONG); BOOL MatchAddressToModule(__in DWORD dwProcId, __out_bcount(MAX_PATH) LPTSTR lpstrModule, __in DWORD dwThreadStartAddr, __out_opt PDWORD pModuleStartAddr) // by Echo { BOOL bRet = FALSE; HANDLE hSnapshot; MODULEENTRY32 moduleEntry32; hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPALL, dwProcId); moduleEntry32.dwSize = sizeof(MODULEENTRY32); moduleEntry32.th32ModuleID = 1; if(Module32First(hSnapshot, &moduleEntry32)){ if(dwThreadStartAddr >= (DWORD)moduleEntry32.modBaseAddr && dwThreadStartAddr <= ((DWORD)moduleEntry32.modBaseAddr + moduleEntry32.modBaseSize)){ wcscpy(lpstrModule, moduleEntry32.szExePath); //convert from wide char to narrow char array }else{ while(Module32Next(hSnapshot, &moduleEntry32)){ if(dwThreadStartAddr >= (DWORD)moduleEntry32.modBaseAddr && dwThreadStartAddr <= ((DWORD)moduleEntry32.modBaseAddr + moduleEntry32.modBaseSize)){ wcscpy(lpstrModule, moduleEntry32.szExePath); break; } } } } if(pModuleStartAddr) *pModuleStartAddr = (DWORD)moduleEntry32.modBaseAddr; CloseHandle(hSnapshot); return bRet; } DWORD WINAPI GetThreadStartAddress(__in HANDLE hThread) // by Echo { NTSTATUS ntStatus; DWORD dwThreadStartAddr = 0; HANDLE hPeusdoCurrentProcess, hNewThreadHandle; NTQUERYINFOMATIONTHREAD NtQueryInformationThread; if((NtQueryInformationThread = (NTQUERYINFOMATIONTHREAD)GetProcAddress(GetModuleHandle(_T("ntdll.dll")), ("NtQueryInformationThread")))){ hPeusdoCurrentProcess = GetCurrentProcess(); if(DuplicateHandle(hPeusdoCurrentProcess, hThread, hPeusdoCurrentProcess, &hNewThreadHandle, THREAD_QUERY_INFORMATION, FALSE, 0)){ ntStatus = NtQueryInformationThread(hNewThreadHandle, ThreadQuerySetWin32StartAddress, &dwThreadStartAddr, sizeof(DWORD), NULL); CloseHandle(hNewThreadHandle); if(ntStatus != STATUS_SUCCESS){ return 0; } } } return dwThreadStartAddr; } int threadmodules() { HANDLE hSnapshot, hThread; THREADENTRY32 threadEntry32; DWORD dwModuleBaseAddr, dwThreadStartAddr; TCHAR lpstrModuleName[MAX_PATH] = {0}; CHAR moduleget[MAX_PATH] = {0}; if((hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, GetCurrentProcessId())) == INVALID_HANDLE_VALUE) return 0; threadEntry32.dwSize = sizeof(THREADENTRY32); threadEntry32.cntUsage = 0; if(Thread32First(hSnapshot, &threadEntry32)){ if(threadEntry32.th32OwnerProcessID == GetCurrentProcessId()){ hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, threadEntry32.th32ThreadID); dwThreadStartAddr = GetThreadStartAddress(hThread); MatchAddressToModule(GetCurrentProcessId(), lpstrModuleName, dwThreadStartAddr, &dwModuleBaseAddr); std::wstring aaa (lpstrModuleName); std::string mystr (aaa.begin() , aaa.end()); fstream textfile; textfile.open ("mgm.log", ios::out | ios::app); textfile<< "Karacabay-Scan : " <<"Dlls : "<< mystr.c_str()<< endl; CloseHandle(hThread); } while(Thread32Next(hSnapshot, &threadEntry32)){ if(threadEntry32.th32OwnerProcessID == GetCurrentProcessId()){ hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, threadEntry32.th32ThreadID); dwThreadStartAddr = GetThreadStartAddress(hThread); MatchAddressToModule(GetCurrentProcessId(), lpstrModuleName, dwThreadStartAddr, &dwModuleBaseAddr); std::wstring aaa (lpstrModuleName); std::string mystr (aaa.begin() , aaa.end()); fstream textfile; textfile.open ("mgm.log", ios::out | ios::app); textfile<< "Karacabay-Scan : " <<"Dlls : "<< mystr.c_str()<< endl; CloseHandle(hThread); } } } CloseHandle(hSnapshot); return 0; } Link to comment Share on other sites More sharing options...
cBaraN 109 Posted August 6, 2014 Share Posted August 6, 2014 @Shogun @Denis I think they can help. 1 Link to comment Share on other sites More sharing options...
oguzhankrcby 2 Posted August 6, 2014 Author Share Posted August 6, 2014 @Shogun @Denis I think they can help. Thank you very much bro 1 Link to comment Share on other sites More sharing options...
metin2team 766 Posted August 6, 2014 Share Posted August 6, 2014 @Shogun but Shogun is not a C++ developer xD good luck. 1 Link to comment Share on other sites More sharing options...
cBaraN 109 Posted August 6, 2014 Share Posted August 6, 2014 @Shogun but Shogun is not a C++ developer xD good luck. I think that can help :D Link to comment Share on other sites More sharing options...
Denis 1476 Posted August 6, 2014 Share Posted August 6, 2014 This should work: int GetDLLS() { DWORD dwPID = GetCurrentProcessId; HANDLE hModuleSnap = INVALID_HANDLE_VALUE; MODULEENTRY32 me32; hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID); if(hModuleSnap == INVALID_HANDLE_VALUE) { } me32.dwSize = sizeof(MODULEENTRY32); if(!Module32First(hModuleSnap, &me32)) { CloseHandle(hModuleSnap); } int tuplemain_index = 0; do{tuplemain_index++;}while(Module32Next(hModuleSnap, &me32)); PyObject *DllTupleMain = PyTuple_New(tuplemain_index); PyObject *DllTupleChild; Module32First(hModuleSnap, &me32); tuplemain_index = 0; fstream log; log.open("log.txt",ios::out|ios::app); do { log << "DLL: " << me32.szModule << endl; tuplemain_index++; }while(Module32Next(hModuleSnap, &me32)); log << "DLL Count " << tuplemain_index << endl; CloseHandle(hModuleSnap); } Link to comment Share on other sites More sharing options...
oguzhankrcby 2 Posted August 6, 2014 Author Share Posted August 6, 2014 This should work: int GetDLLS() { DWORD dwPID = GetCurrentProcessId; HANDLE hModuleSnap = INVALID_HANDLE_VALUE; MODULEENTRY32 me32; hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID); if(hModuleSnap == INVALID_HANDLE_VALUE) { } me32.dwSize = sizeof(MODULEENTRY32); if(!Module32First(hModuleSnap, &me32)) { CloseHandle(hModuleSnap); } int tuplemain_index = 0; do{tuplemain_index++;}while(Module32Next(hModuleSnap, &me32)); PyObject *DllTupleMain = PyTuple_New(tuplemain_index); PyObject *DllTupleChild; Module32First(hModuleSnap, &me32); tuplemain_index = 0; fstream log; log.open("log.txt",ios::out|ios::app); do { log << "DLL: " << me32.szModule << endl; tuplemain_index++; }while(Module32Next(hModuleSnap, &me32)); log << "DLL Count " << tuplemain_index << endl; CloseHandle(hModuleSnap); } but i need module names which are associated threads not only module name Link to comment Share on other sites More sharing options...
Recommended Posts
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now