Jump to content

Recommended Posts

Process + Thread + DLL Functions UDFs

Posted Image Posted Image

Fully tested on O/S's from Windows 2000 -> Windows 7, in both 32-bit and 64-bit modes.

*Note: the dropdown box in the GUI has issues in Windows 2000 - workaround - type 1st letter of process.

Also, RemoteThreads may not start if Terminal Services is not installed on Win2000.

This is a compilation of all my Process, Thread, and DLL functions (and now Driver functions) into a number of UDF modules. Most every and anything useful can be done with these functions. The best part is the GUI interfaces (ProcessFunctionsTest, ThreadFunctionsTest) which let you experiment with what functions do without even touching a line of code. And whats that? Oh yes - it creates Threads. Even 'Wow64' threads, which requires a new way of thinking =)

Bundled with the core Process, Thread, and DLL UDF's are numerous support functions, examples, and even a DLL Injection module. A comparison program 'ProcessListPropertiesTest' is also included for comparison against PsaltyDS's _ProcessListProperties UDF).

The GUI's pictured above are the best way to explore the possible uses of the Process + Thread functions included, but the functionality extends beyond those default function calls. For example, there are more filters for the 'List' functions, plus other functionality that is not exposed in the GUI examples. There's also the DLL Functions which aren't even touched on (but are made use of nonetheless).

*For another example use of the Process Functions UDF see the ProcessGetWinPEImportExports UDF.

Below is a list of all the functions available (check the function headers for more info):

ProcessFunctions UDF's

_ProcessFunctions.au3

; General Functions:
;   _ProcessOpen()          ; Open a handle to a Process(). Also returns ProcessID# in @extended
;   _ProcessCloseHandle()   ; Close the handle of a Process opened with _ProcessOpen()
;   _ProcessGetPID()        ; Given a Process handle, returns the Process ID#. Not necessary for properly written code.
;   _ProcessGetExitCode()   ; Get exit code for a Process that has terminated
;   _ProcessIsWow64()       ; Returns True if Process being accessed is running in 32-bit mode on an x64 O/S
;   _ProcessGetPriorityX()  ; Gets the Process Priority Class. 'X' tacked on due to name conflict with _ProcessGetPriority()
;   _ProcessSetPriorityX()  ; Sets the Process's Priority Class. 'X' tacked on to keep consistent with above function.
;   _ProcessGetAffinityMask() ; Gets the Affinity Mask for the given Process. Also returns the current System Affinity mask
;   _ProcessSetAffinityMask() ; Sets the Affinity Mask for the given Process.
;   _ProcessGetTimes()      ; Returns Process Creation, Exit, Kernel/User-mode Times [<_WinTimeFunctions.au3> is helpful here)
;   _ProcessGetSessionID()  ; Returns Session ID # for a given ProcessID #. May be restrictions based on Privilege level.
;   _ProcessGetOwner()      ; Returns the Owner/'User Name' for a given Process.
;   _ProcessGetHandleCount(); Returns the # of open handles for a given Process
;   _ProcessGetIOCounters() ; Returns information on I/O Counters (read/write operation counts and bytes) for given Process
;   _ProcessGetGUIResources(); Returns the # of GDI or 'USER' Objects for a given Process
;   _ProcessGetFilename() ; Returns the process name based on Process handle (Win2000 and XP/2003+ dual support)
;   _ProcessGetFilenameByPID() ; Returns the process name based on Process ID#
;   _ProcessGetPathname() ; Returns the full Pathname for a given Process handle (chooses 1 of 3 different API calls).
;                    ; NOTE: Due to issues with 'device name' returns on XP & 2003 versions, this may call 2 internal funcs
;   _ProcessWaitForInputIdle()  ; Waits for a Process with a GUI to become ready to receive input on startup.
;
; Memory Functions:
;   _ProcessGetMemInfo()            ; Returns information on Memory usage of the Process
;   _ProcessEmptyWorkingSet()       ; Flushes non-essential memory of a Process to the Pagefile
;   _ProcessMemoryRead()            ; Read from a Process's memory
;   _ProcessMemoryReadSimple()  ; Read simple datatype from a Process's memory
;   _ProcessMemoryWrite()           ; Write to a Process's memory
;   _ProcessMemoryWriteSimple() ; Write simple datatype to a Process's memory
;   _ProcessMemoryAlloc()           ; Allocates memory for a given Process (mostly same as _MemVirtualAllocEx)
;   _ProcessMemoryFree()            ; Frees memory allocated with _ProcessMemoryAlloc() (mostly same as _MemVirtualFreeEx)
;   _ProcessMemoryVirtualQuery()    ; Retrieves various info on the Process's memory where a given address is located
;   _ProcessMemoryVirtualProtect()  ; Alters the protection type of a Process's memory
;
; Termination Function:
;   _ProcessTerminate()     ; Terminates the given Process (with optional exit code)
;
; Extra Wrapper Functions:
;   _ProcessIs32Bit()       ; Returns True if Process is 32-bit (makes _ProcessIsWow64() use more simpler)
;   _ProcessIs64Bit()       ; Returns True if Process is 64-bit (makes _ProcessIsWow64() use more simpler)

_ProcessListFunctions.au3

; List/Enumeration Functions (all but 2 functions here utilize CreateToolHelp32Snapshot):
;   _ProcessListEx()        ; Get a List of Processes with extended info (like ProcessList but with Parent PID, etc)
;   _ProcessListWTS()       ; Get a List of Processes like ProcessList, with extra info: Session ID and Owner/'User Name' info
;   _ProcessListHeaps()     ; Get a List of Heap information for a Process (with optional Heap-walking)
;   _ProcessListThreads()   ; Get a List of Threads for *all* processes, or filtered for a select Process
;   _ProcessListModules()   ; Get a List of Module for a Process (with Filtering options)
;                           ; NOTE: Getting 32-bit Modules in addition to 64-bit modules may cause the main EXE to be listed twice
;                           ; (at the start of the 32-bit Modules list). This generally only happens when probing 32-bit Processes.
;   _ProcessWinList()       ; Get a List of Window handles belonging to a Process, with filter options
;   _ProcessesWinList()   ; List of Window handles belonging to Processes [i]plural[/i]
;
; Extra Wrapper Functions:
;   _ProcessGetChildren()   ; Returns child process(es) info for given process (utilizes _ProcessListEx())
;   _ProcessGetParent()     ; Returns parent process information for given process (utilizes _ProcessListEx())
;   _ProcessGetModuleBaseAddress()  ; Returns the Base address for the Module in the given process (utilizes _ProcessListModules())
;                                   ; NOTE that the process name itself is also a module, so its address can also be looked up
;   _ProcessGetModuleByAddress()    ; Returns module info for the module that contains the given address.

_ProcessUndocumented.au3

; Main Functions:
;   _ProcessUDGetStrings()      ; Retrieves Command Line, Current Directory, Invokation method, Environment, etc strings.
;   _ProcessUDGetPID()          ; Retrieves the Process ID for a given Process handle. Unnecessary for properly written code.
;   _ProcessUDGetParentPID()    ; Retrieves the Parent Process ID for a given Process - fastest method!
;   _ProcessUDGetSessionID()    ; Retrieves the Session ID for a given Process (uses Process *Handles* vs the standard API call)
;   _ProcessUDGetHandleCount()  ; Retrieves count of open handles for a Process
;
; Memory Functions:
;   _ProcessUDGetMemInfo()  ; Returns information on Memory usage of the Process
;                           ; (Virtual Size elements are what distinguish this call from _ProcessGetMemInfo())
;   _ProcessUDGetHeaps()    ; Returns an array of Process heaps (base pointers)
;
; Misc. Functions:
;   _ProcessUDGetSubSystemInfo()    ; Returns the Image SubSystem type for the Process.
;                                   ; Typical returns: 1 (Native System Process), 2 (GUI), 3 (CUI)
;
; Suspend/Resume Functions:
;   _ProcessUDSuspend()     ; Suspends the given Process (or increments Suspend count)
;   _ProcessUDResume()      ; Resumes the given Process (or decrements the Suspend count)

_ProcessUndocumentedList.au3

; Main Function(s):
;   _ProcessUDListEverything()  ; Gets basically anything and everything for every running Process and it's threads
;                               ; Big advantage of this is no special privileges or administrative mode required,
;                               ; and works from 32->64 bit Processes.
;                               ; (inspired by Manko's _WinAPI_ThreadsnProcesses module)
;   _ProcessUDListModules()     ; Get a List of Module for a Process (with Filtering options), using 'undocumented' functions.
;                               ; NOTE: 32-bit code can not get modules for 64-bit Processes, and 64-bit code can not
;                               ;   get 32-bit modules for 32-bit Processes (it will only return 64-bit Wow64 module info)
;
; Wrapper Functions:
;   _ProcessUDIsSuspended()         ; Uses _ProcessUDListEverything() in determining if a specific Process is Suspended
;   _ProcessUDGetModuleBaseAddress(); Returns the Base address for the Module in the given Process (utilizes _ProcessUDListModules())
;                                   ; NOTE that the process name itself is also a module, so its address can also be looked up
;   _ProcessUDGetModuleByAddress()  ; Returns module info for the module that contains the given address.

_ProcessCreateRemoteThread.au3

; Functions:
;   _ProcessCreateRemoteThread()    ; create a Thread in another Process

_ProcessCreateRemoteThreadStub.au3

; Functions:
;   _ProcessGenerateThreadStub()    ; Creates the binary code for a Thread Stub, but doesn't inject it
;   _ProcessCreateRemoteThreadStub(); Creates a remote Thread Stub, injects it, and returns a pointer to it
;                                   ; NOTE that this *MUST* be destroyed AFTER the Thread has terminated, and
;                                   ; *BEFORE* program Exit. It will not free itself on its own.
;   _ProcessDestroyRemoteThreadStub()   ; Destroys the Remote Stub created by _ProcessCreateRemoteThreadStub()
;                                       ; As above, note that this MUST be done AFTER Thread termination

_ProcessDLLProcFunctions.au3

; Functions:
;   _ProcessGetProcAddresses()  ; Returns pointers to base DLL & functions in an external Process
;   _ProcessGetProcAddress()    ; Returns a single pointer to a function in an external Process (@extended=Base DLL)

_ProcessUDGetPEB.au3

; Functions:
;   _ProcessUDGetPEB()  ; Returns the full PEB structure for a Process (fully defined in the UDF)

Thread Functions UDF's

_ThreadFunctions.au3

; Functions:
;   _ThreadOpen()           ; Opens a handle to a Thread.
;   _ThreadGetCurrentID()   ; Gets the current Thread ID #
;   _ThreadCreate()         ; Creates a Thread for the current process and returns a handle to it (@extended = Thread ID#)
;   _ThreadGetThreadID()    ; Returns Thread ID given a Thread handle. Vista/2008+ req'd. Not necessary for properly written code.
;   _ThreadGetProcessID()   ; Returns Process ID given a Thread handle. Vista/2008+ req'd.
;   _ThreadGetPriority()    ; Gets the Thread priority
;   _ThreadSetPriority()    ; Sets the Thread priority.
;   _ThreadGetAffinityMask() ; Wrapper for _ThreadSetAffinityMask() that quickly sets a thread's affinity to a value (default = 1)
;                           ; and back to its original affinity state again.
;                           ; NOTE that the better/safer method would be to pass _ProcessGetAffinityMask() as 2nd param
;                           ; and even BETTER - use the 'Undocumented' function _ThreadUDGetAffinityMask()
;   _ThreadSetAffinityMask() ; Sets the Affinity Mask for the given Thread. Returns previous Affinity Mask in @extended
;   _ThreadGetTimes()       ; Returns Thread Creation, Exit, Kernel/User-mode Times [<_WinTimeFunctions.au3> is helpful here)
;   _ThreadWaitForExit()    ; Waits for a Thread to exit, with optional Timeout
;   _ThreadStillActive()    ; Checks to see if a Thread is still active (running)
;   _ThreadGetExitCode()    ; Gets the exit code of a Thread that has terminated.
;                           ; NOTE: 0x103 may mean 'still active' if not a possible exit code.
;                           ; Use _ThreadWaitForExit or _ThreadStillActive to make sure
;   _ThreadSuspend()        ; Suspends a given Thread, or increases the 'suspend count'
;   _ThreadWow64Suspend()   ; "" "", but for 32-bit threads running on a 64-bit O/S (Vista/2008+ only)
;                           ; NOTE: in testing, works same as _ThreadSuspend() for both 32-bit and 64-bit processes!
;   _ThreadResume()         ; Resumes a given Thread, or decreases the 'suspend count' if >1
;   _ThreadTerminate()      ; Terminates a Thread. *** NOT RECOMMENDED ***
;                           ; Use only as a last resort, or if certain that terminating the Thread won't have repercussions.
;   _ThreadCloseHandle()    ; Closes a Thread handle (and invalidates it)
;   _ThreadGetWinThreadID() ; Returns the Thread ID # that Created the given Window (also returns Process ID# in @extended)

_ThreadListFunctions.au3

; Wrapper Functions:
;   _ThreadList()       ; just a simple wrapper for _ProcessListThreads()
;   _ThreadExists()     ; uses _ProcessListThreads() to determine if a Thread # exists

_ThreadUndocumented.au3

; Main Functions:
;   _ThreadUDGetThreadID()      ; Retrieves the Thread ID for a given Thread handle. Unneccessary for properly written code.
;   _ThreadUDGetProcessID()     ; Retrieves the Process ID for a given Thread.
;   _ThreadUDGetAffinityMask()  ; Retrieves the Affinity Mask for a given Thread.
;   _ThreadUDGetStartAddress()  ; Retrieves the Start Address of the given Thread
;
; Wrapper Functions:
;   _ThreadUDIsWow64()          ; Determines if the Thread is running in Wow64 (needs Process functions to Query this)
;
; Extra Wrapper Functions:
;   _ThreadUDIs32Bit()      ; Returns True if Thread is 32-bit (makes _ThreadUDIsWow64() use more simpler)
;   _ThreadUDIs64Bit()      ; Returns True if Thread is 64-bit (makes _ThreadUDIsWow64() use more simpler)

_ThreadUndocumentedList.au3

; Main (Wrapper) Functions:
;   _ThreadUDIsSuspended()      ; Returns True/False if a given Thread ID is Suspended.
;                               ; NOTE: It is recommended to call this function with a Process ID as well
;                               ;   Additionally: This function will increase the size of stripped Obfuscated code
;                               ; due to additional functions it includes as options to getting the Process ID #

_ThreadUDGetTEB.au3

; Functions:
;   _ThreadUDGetTEB()   ; Returns the full TEB/TIB structure for a Thread (fully defined in UDF)

_ThreadContext.au3

; Functions:
;   _ThreadGetContext()         ; Returns a Context structure for the given Thread
;   _ThreadGetWow64Context()    ; '' same - but for 32-bit Processes on a 64-bit O/S
;   _ThreadSetContext()         ; Changes the Context for a Thread based on the given structure
;   _ThreadSetWow64Context()    ; '' same - but for 32-bit Processes on a 64-bit O/S

DLL Functions UDF's

_DLLFunctions.au3

; Already-Loaded DLL/Main .EXE Functions:
;   _DLL_GetLoadedLibraryHandle()   ; Gets the handle for an already-loaded DLL (or base .EXE)
;   _DLL_GetModuleFilename()        ; Gets the full pathname for the given DLL handle
;   _DLL_ForcePermanentLoad()       ; Forces the given DLL to be permanently loaded (handle, address, or string allowed)
;                                   ; XP/2003+ O/S required
;   _DLL_GetHandleFromAddress()     ; Gets the base DLL or main .EXE module handle from a given address
;                                   ; XP/2003+ O/S required (there is an alternative in _ProcessListFunctions.au3 though)
;
; Main DLL Load/Get-Address Functions:
;   _DLL_LoadLibrary()      ; Loads a DLL (or increments DLL-load count), returns a handle to it
;   _DLL_FreeLibrary()      ; Frees/Releases the DLL (and memory) as loaded by _DLL_LoadLibrary()
;                           ; (or decrements DLL-load count)
;   _DLL_GetProcAddress()   ; Returns a pointer to the procedure address of a function within the given DLL
;
; Wrapper Functions:
;   _DLL_GetBaseAndProcAddresses()  ; Gets the Base DLL address and the address of any # of passed functions
;                                   ; (Loading/Freeing [if needed] of DLL is handled within.)
;   _DLL_GetBaseAndProcAddress()    ; Gets the Base DLL address and a single function address
;                                   ; (uses _DLL_GetBaseAndProcAddresses)

_DLLInjection.au3

; Functions:
;   _DLLInject()    ; Injects a DLL into the given Process
;   _DLLUnInject()  ; UnInjects (or decrements ref. count) of a DLL in given Process

DriverList.au3 UDF:

; _DriverList() ; Returns a list of Drivers that were loaded by the O/S

This is now a very comprehensive suite. Most everything a programmer or user would find useful is included. If by chance you can think of *any* other (useful) functions to add to this project, however, let me know.

For those that need to measure a Process's CPU Usage, please see my PDH Performance Counters UDF, another comprehensive UDF suite.

Special note: For most all _Process* functions that require a 'QUERY' info handle, use the constant $PROCESS_QUERY_LIMITED_INFO, which is set based on O/S. There's only one exception to this that I can think of: _ProcessMemoryVirtualQuery() which requires full Query access no matter what O/S (0x400). Thread* functions can make use of 2 constants which are set based on O/S - $THREAD_QUERY_LIMITED_INFO and $THREAD_SET_LIMITED_INFO. Experiment with the GUI's on Vista+ O/S's to see what's the minimum req's.

Download the Source and/or GUI Exe's from my site

Optional addition: Special NomadMemory UDF designed to work with ProcessFunctions:

NomadMemoryPF.au3

Ascend4nt's AutoIT Code License agreement:

While I provide this source code freely, if you do use the code in your projects, all I ask is that:

  • If you provide source, keep the header as I have put it, OR, if you expand it, then at least acknowledge me as the original author, and any other authors I credit
  • If the program is released, acknowledge me in your credits (it doesn't have to state which functions came from me, though again if the source is provided - see #1)
  • The source on it's own (as opposed to part of a project) can not be posted unless a link to the page(s) where the code were retrieved from is provided and a message stating that the latest updates will be available on the page(s) linked to.
  • Pieces of the code can however be discussed on the threads where Ascend4nt has posted the code without worrying about further linking.
UPDATES:

6/8/2011:

New:

  • _ProcessUDGetPEB.au3, _ThreadUDGetTEB.au3 -> both return fully filled out Structures for PEB or TEB
  • _ThreadContext.au3 - yes, I decided to add it in. There's some usefulness from a debug/inspection standpoint
  • _DriverList.au3 - Returns information about drivers loaded by the O/S (which don't show up in process lists!)
Added:
  • _ProcessesWinList() - multiple processes with the same name? This will get all the windows (_ProcessListFunctions UDF)
  • Functions for new modules: _ProcessUDGetPEB, _ThreadUDGetTEB, _ThreadGetContext, _ThreadGetWow64Context,

    _ThreadSetContext, _ThreadSetWow64Context, _DriverList

  • New examples: ProcessMemoryReducer.au3, DriverList.au3, DLLInjectionExample (stripped out of the _DLLInjection UDF)
  • Support modules for the GUI's
Changed:
  • Most 'List' functions now allow an 'everything that does NOT match criteria' flag [+8] (excludes matches)
  • Misc. tweaks in certain UDF's: slimmed code, pointers to Process memory can be numerical/string,
  • 'Test' GUI's - 'System' process is now allowed (though good luck getting much information on it). Also, new functions added, some minor fixes & tweaks.
Fixed:
  • _ProcessWinList() - 'Alt-Tab'-only windows was returning some 'non-Alt-tab' windows
  • _RemoteMsgBox() - Proper cleanup if error
9-3-2010:

Brand New:

  • _DLLFunctions.au3 - DLL/.EXE functions - Load/Free DLL, Get Base Address/Handle, Get Proc Addresses, etc
  • Complete Threads UDF's suite!!; Misc. other UDF's + a GUI and examples!
Added:
  • _ProcessWaitForInputIdle() - waits for a Process with a GUI to initialize and become ready for input.
  • _ProcessGetModuleBaseAddress() - added new parameter allowing the function to return a Wow64 module address if >1 match
  • _ProcessGetModuleByAddress() - allows one to see what module a given address belongs to
  • _ProcessUDIsSuspended() - utilizes _ProcessUDListEverything()
  • _ProcessUDListModules() - alternative to _ProcessListModules(), using undocumented functions
  • _ProcessUDGetModuleBaseAddress() - uses the above, same functionality as _ProcessGetModuleBaseAddress()
  • _ProcessUDGetModuleByAddress() - uses the above, same functionality as _ProcessGetModuleByAddress()
  • _ProcessUDGetSubSystemInfo() - determine if Process is a Native System Process, a CUI, or GUI
  • Internal function: __PFEnforcePID() - shortens/simplifies code a bit
  • _ProcessCreateRemoteThread.au3 with important new function:

    _ProcessCreateRemoteThread() - example included

  • _ProcessDLLProcFunctions.au3 - gets external Process's API Proc Addresses (and DLL Base address)
  • Precompiled&Optimized 32&64-bit Executables included.
Changed:
  • ProcessFunctionsTest updated:

    - all functions now included with full examples, PID# appended to 'Self',

    'Safety' MsgBoxes, Compiled version limited bit-mode switching (*x64.exe), and misc. small changes

    Added optimum compile mode - use this to decrease size & squeeze more performance out of the program

    - Integration with ThreadFunctionsTest GUI, reliance on some Thread functions.

  • _ProcessMemoryFree() - now takes a pointer as a reference, and if MEM_RELEASE (and successful), invalidates the pointer
Fixed:
  • TestProcessFunctions: Get SEDEBUG Privilege function) was returning True even when it failed to work
  • _ProcessUDGetStrings -> Unicode string lengths are in bytes (mistakenly assumed it was in chars) - fixed
7-3-2010:

Added:

  • _ProcessTerminate (_ProcessFunctions UDF)
  • _ProcessUDSuspend (_ProcessUndocumented UDF)*
  • _ProcessUDResume (_ProcessUndocumented UDF)*
*Win2000 w/o Service Packs does not support Process Suspend/Resume

Changed:

  • TestProcessFunctions UDF updated to use new functions
  • _ProcessListThreads array size/redimming adjusted for better performance
6-12-2010:

Added:

  • _ProcessUDGetHeaps() ; a faster way to get basic heap handle/counts
  • Example: TestProcessListProperties (for comparison with PsaltyDS's _ProcessListProperties)
  • <_ProcessUndocumentedList.au3> module, currently with only one (very important) function: _ProcessUDListEverything(). It's all in it's name, haha. This is where you can get all kinds of info about Processes on your PC without having Admin privileges or worrying about bit-modes. Inspired by Manko's _WinAPI_ThreadsnProcesses()
Changed:
  • _ProcessListThreads: Now allows the filter to be a Thread ID if 2nd param is True:

    _ProcessListThreads($vFilterID=-1,$bThreadFilter=False)

  • GUI: Added function definitions, rewording of a few things,

    _ProcessListThreads() now cycles twice - once for ALL processes, then again for selected Process

Fixed:
  • Not all returns were consistent in @error situations in <_ProcessFunctions.au3>.
6-9-2010:

Added:

  • _ProcessMemoryAlloc (same functionality as _MemVirtualAllocEx(), but using the _Process* standard call/return structure)
  • _ProcessMemoryFree (same functionality as _MemVirtualFreeEx(), '' '')
  • _ProcessMemoryVirtualQuery() - find out information regarding Process memory
  • _ProcessMemoryVirtualProtect() - alter protection type of Process memory
  • GUI: Extra functions added, extra examples.
Changed:
  • _ProcessReadMemory renamed to _ProcessMemoryRead, for consistency's sake
  • _ProcessWriteMemory renamed to _ProcessMemoryWrite, '' ''
Fixed:
  • GUI: Error in logic for certain access requirements
6-5-2010: GUI changes:
  • Made dropdown list read-only, forced auto-sort of processes (by name).
  • Changed List type of outputs to popup in listviews (using _ArrayDisplay).
  • Fixed issue if module is compiled.
  • Minor output changes.
  • Fixed access requirements missing for selected function on Windows 2000 O/S

Edited by Ascend4nt
Link to post
Share on other sites
  • Replies 43
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

Process + Thread + DLL Functions UDFs Fully tested on O/S's from Windows 2000 -> Windows 7, in both 32-bit and 64-bit modes. *Note: the dropdown box in the GUI has issues in Windows 2000 - workar

What the heck - for people using NomadMemory still, I've attached a special version of NomadMemory to the 1st post. Its untested but should work the way the old one did. (see the UDF for documentatio

Change that to 'OutputDebugStringA' (or 'OutputDebugStringW' with a 'wstr' parameter). Otherwise it causes a system error (check with _WinAPI_GetLastErrorMessage()). But yah, that's got nothing to d

Link to post
Share on other sites

Funkalicious bunch of goodies! :mellow:

/Manko

Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...
Link to post
Share on other sites

Thanks everyone, hope it helps some :mellow: Any suggestions for improvements/additions are welcome.

Actually I have one thing I was thinking about the GUI interface - I should just put all those 'List' functions into _ArrayDisplay()'s, like I had originally. The only issue I thought was that it might bug people to have to constantly close those.. but now I'm just sitting there looking at the output (which sure takes it's sweet old time), and have to say it's just plain ugly and hard to read. Yeah, I think I'll have to change that behavior..

I could also allow users to input parameters for the functions, but that's just such a pain.. though I guess if enough people want it, I could come up with something..

Link to post
Share on other sites

Okay, since the GUI issues were bugging me, I decided to make small modifications to it:

Updates:

6-5-2010: GUI changes:

  • Made dropdown list read-only, forced auto-sort of processes (by name).
  • Changed List type of outputs to popup in listviews (using _ArrayDisplay).
  • Fixed issue if module is compiled.
  • Minor output changes.
  • Fixed access requirements missing for selected function on Windows 2000 O/S
*edit: added fix in GUI for Windows 2000 O/S's (last item). Sorry about that. Edited by Ascend4nt
Link to post
Share on other sites

Newly Updated:

6-9-2010:

Added:

  • _ProcessMemoryAlloc (same functionality as _MemVirtualAllocEx(), but using the _Process* standard call/return structure)
  • _ProcessMemoryFree (same functionality as _MemVirtualFreeEx(), '' '')
  • _ProcessMemoryVirtualQuery() - find out information regarding Process memory
  • _ProcessMemoryVirtualProtect() - alter protection type of Process memory
  • GUI: Extra functions added, extra examples.
Changed:

  • _ProcessReadMemory renamed to _ProcessMemoryRead, for consistency's sake
  • _ProcessWriteMemory renamed to _ProcessMemoryWrite, '' ''
Fixed:

  • GUI: Error in logic for certain access requirements
Link to post
Share on other sites

Updated. Awesome new _ProcessUDListEverything() function included (inspired by Manko's UDF) - see below for full changelog:

6-12-2010:

Added:

  • _ProcessUDGetHeaps() ; a faster way to get basic heap handle/counts
  • Example: TestProcessListProperties (for comparison with PsaltyDS's _ProcessListProperties)
  • <_ProcessUndocumentedList.au3> module, currently with only one (very important) function: _ProcessUDListEverything(). It's all in it's name, haha. This is where you can get all kinds of info about Processes on your PC without having Admin privileges or worrying about bit-modes. Inspired by Manko's _WinAPI_ThreadsnProcesses()
Changed:

  • _ProcessListThreads: Now allows the filter to be a Thread ID if 2nd param is True:

    _ProcessListThreads($vFilterID=-1,$bThreadFilter=False)

  • GUI: Added function definitions, rewording of a few things,

    _ProcessListThreads() now cycles twice - once for ALL processes, then again for selected Process

Fixed:

  • Not all returns were consistent in @error situations in <_ProcessFunctions.au3>.
Edited by Ascend4nt
Link to post
Share on other sites

thanks for the compliment. There's two places memory usage for a Process is available, one gives more info than the other - both can retrieve the basic 'Working Set Size' you need. Just look at a comparison of TestProcessListProperties and PsaltyDS's _ProcessListProperties (note that both need elevated privileges to return info for everything). There are a few differences in what is available, which is why I wrote the function (to show the differences). One of the shortcomings of the functions I've written is that you cannot get the command line from a 64-bit process when run in 32-bit mode (you can get this via WMI though).

Also, i covered CPU usage in the first post. Here:

Right now the only thing I can say that is truly lacking is a measure of CPU Usage - but that kind of functionality requires repeated calculations on System + Process times. My suggestion is, if you need this - either use WMI functions (unreliable in my experience), or my PDH Performance Counters UDF.

Edited by Ascend4nt
Link to post
Share on other sites
  • 2 weeks later...

After tossing this around for a while, I decided I might as well fill out the Process functions UDF with Suspend, Resume, and Termination functions.

UPDATES:

7-3-2010:

Added:

  • _ProcessTerminate (_ProcessFunctions UDF)
  • _ProcessUDSuspend (_ProcessUndocumented UDF)*
  • _ProcessUDResume (_ProcessUndocumented UDF)*
*Win2000 w/o Service Packs does not support Process Suspend/Resume

Changed:

  • TestProcessFunctions UDF updated to use new functions
  • _ProcessListThreads array size/redimming adjusted for better performance
Link to post
Share on other sites

haha, thx KaFu. Don't know how you knew I updated the UDF before I posted about it.. ESP? :blink:

Link to post
Share on other sites
  • 4 weeks later...

Very nice UDF - small question.

I am using this to query for existence of a process opened by the user - it will be running on a terminal server. In my testing, it is returning "Domain Users" as the user instead of the actual user name. I assume I am missing something stupid. Here is just the snippet that matters that will return that. Additional info, yes my computer is added to the domain.

Run("cmd.exe")
$procOp = _ProcessOpen("cmd.exe", 0x20000, False)
$infoOwn = _ProcessGetOwner($procOp)
MsgBox (0, "", $infoOown)

In addition, if I get it to return the correct value, I assume I will need to query for multiple instances of a process name, load them into an array, and check each of them, right?

Thanks in advance for any help.

Link to post
Share on other sites

z0iid, thats pretty interesting. The SID stuff is still a bit confusing to me, so I'm not entirely sure what's going on, or what I should be looking for. Try using a 'debug' version of _ProcessGetOwner(), like below*, and let me know what displays in the Console Output box in ScITe (You can PM me or 'censor' it if you need to keep certain things private):

*edit: code removed, if z0iid still wants help, PM me

Edited by Ascend4nt
Link to post
Share on other sites
  • 1 month later...

Well, this has been long in coming. But the wait was well worth it, I assure you ;).

I've now tackled just about everything I want to with Processes, Threads (new), and DLL (new) functions. I've bundled special Binary code threads that work under 32-bit and 64-bit mode, as well as one for 'Wow64 mode' (injecting into a 32-bit Process from a 64-bit Process). So this is a fairly big and bold program (as far as I'm concerned :) )

The GUI's now have more features, and although the *GUI* code is messy to look at - it is very well tested. I've even put compiler directives to shrink the code down if you would like to recompile these programs (executables ARE included however - both 32 and 64-bit).

- It's not just a function playground, this here is a process manipulation suite! boo. yah -

Okay, having said all that nonsense, here's the update list:

9-3-2010:

Brand New:

  • _DLLFunctions.au3 - DLL/.EXE functions - Load/Free DLL, Get Base Address/Handle, Get Proc Addresses, etc
  • Complete Threads UDF's suite!!; Misc. other UDF's + a GUI and examples!
Added:

  • _ProcessWaitForInputIdle() - waits for a Process with a GUI to initialize and become ready for input.
  • _ProcessGetModuleBaseAddress() - added new parameter allowing the function to return a Wow64 module address if >1 match
  • _ProcessGetModuleByAddress() - allows one to see what module a given address belongs to
  • _ProcessUDIsSuspended() - utilizes _ProcessUDListEverything()
  • _ProcessUDListModules() - alternative to _ProcessListModules(), using undocumented functions
  • _ProcessUDGetModuleBaseAddress() - uses the above, same functionality as _ProcessGetModuleBaseAddress()
  • _ProcessUDGetModuleByAddress() - uses the above, same functionality as _ProcessGetModuleByAddress()
  • _ProcessUDGetSubSystemInfo() - determine if Process is a Native System Process, a CUI, or GUI
  • Internal function: __PFEnforcePID() - shortens/simplifies code a bit
  • _ProcessCreateRemoteThread.au3 with important new function:

    _ProcessCreateRemoteThread() - example included

  • _ProcessDLLProcFunctions.au3 - gets external Process's API Proc Addresses (and DLL Base address)
  • Precompiled&Optimized 32&64-bit Executables included.
Changed:

  • ProcessFunctionsTest updated:

    - all functions now included with full examples, PID# appended to 'Self',

    'Safety' MsgBoxes, Compiled version limited bit-mode switching (*x64.exe), and misc. small changes

    Added optimum compile mode - use this to decrease size & squeeze more performance out of the program

    - Integration with ThreadFunctionsTest GUI, reliance on some Thread functions.

  • _ProcessMemoryFree() - now takes a pointer as a reference, and if MEM_RELEASE (and successful), invalidates the pointer
Fixed:

  • TestProcessFunctions: Get SEDEBUG Privilege function) was returning True even when it failed to work
  • _ProcessUDGetStrings -> Unicode string lengths are in bytes (mistakenly assumed it was in chars) - fixed
Link to post
Share on other sites

The functionality is there, you just need to know how to use it. The GUI's give you pretty much everything you need to use this code right. The function headers are more detailed of course..

Reading/writing to a pointer is no different than reading or writing any other piece of data. However, you must make sure you have the ability to read or write to the given address (_ProcessMemoryVirtualQuery) before using the next pointer for subsequent passes of reading/writing.

You won't see me posting an example of it, because I won't be posting anything related to game cheating/hacking.

However, you reminded me - its not a bad idea to give an optional 'datatype' parameter for Read/Write functions, to make reading simple elements (like pointers) alot easier. The problem with that is certain datatypes are architecture-specific and people can easily pass the wrong # of bytes to the function (4 vs. 8 bytes for 32 and 64-bit pointers, for example). Simple enough to resolve though in the main code (one global variable can be set ala '$PTR_SIZE')... but I digress.

I've done some pointer dereferencing myself using my code, but that was in the interest of seeing where code pointers get parked after a 'Suspend'. (Suspend usually parks a thread on a 'C3' (return code), which then leads one to check the Stack for the return address, and if there's another return pointed to by that address, and so forth). Maybe a bit above people's heads, but fun stuff to do. (unfortunately I haven't included the required Context functions to do that stuff in this release.. maybe in the future if I can think of a legiit. use people might have for it)

Link to post
Share on other sites

Alright, no problem. Another question: What about Reading/Writing to registers? That would be quite useful for many people. I would do it myself but I'm afraid I don't know much about how to do it in ANY language.

Edit:: I found how, but I'm not sure how to go about converting it to AutoIt. I would love to help create this if at all possible.

http://msdn.microsoft.com/en-us/library/ms679362%28VS.85%29.aspx

#include <windows.h> 
#include <process.h> 
#include <stdio.h> 
#include <assert.h> 
 
void mythreadfunc(void *data) 
{ 
... 
 
_exitthread(); 
} 
 
void changeThreadState() 
{ 
HANDLE thread = (HANDLE)_beginthread( mythreadfunc, 0, NULL ); 
CONTEXT context; 
BOOL success; 
 
SuspendThread(thread); 
 
// get context 
context.ContextFlags = (CONTEXT_FULL); 
success = GetThreadContext(thread, &context); 
assert(success); 
printf( "eax=%08X, ebx=%08X, ecx=%08X\n", 
context.Eax, context.Ebx, context.Ecx ); 
 
// change context (dangerous, can crash program) 
context.Eax = 0x1234BBBB; 
context.Ecx = 0x2468ABCD; 
success = SetThreadContext(thread, &context); 
assert(success); 
 
ResumeThread(thread); 
 
// the resumed thread should see different values of eax, and ecx 
}
Edited by darkjohn20
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By DevMode
      welcome
      I need help dealing with a C++ DLL
      Specify that I need help with how to use this function
      struct libusb_device; typedef struct libusb_context libusb_context; ssize_t LIBUSB_CALL libusb_get_device_list(libusb_context *ctx,libusb_device ***list); My problem is how to deal with "libusb_device ***list"
      my code 
      $libusb_device = DllStructCreate("PTR") Func libusb_init() $Var = DllCall($libusb0, "ptr", "libusb_init",'ptr',$_libusb_device_handle_Ptr) If @error Then Return False Return $Var[1] EndFunc Func libusb_get_device_list() MsgBox(0,VarGetType($_libusb_device_handle_Ptr),$_libusb_device_handle_Ptr) $Var = DllCall($libusb0, "int", "libusb_get_device_list","ptr",$_libusb_device_handle_Ptr,"ptr*",POINTER(POINTER($libusb_device))) $Error = @error If $Error Then Return False MsgBox(0,VarGetType($Var),$Error&@CRLF&$Var) _ArrayDisplay($Var) Return $Var[1] EndFunc  
      Thank you
      iLibUSB.dll iLibUSB_32.dll libusb.h
    • By bobflumox
      Hi all,
      My programming knowledge is very basic.
      I have an old script that creates shares and assign permissions. It normally registers SetAcl.ocx if necessary and creates an object to assign permissions.
      The command that registers SetAcl was apparently working fine under Windows 7 but is not working under Windows 10.
      RunWait("regsvr32.exe path\to\setacl.ocx /s", "", @SW_HIDE) As I'm logged in as admin, I changed this command to :
      RunAsWait(@UserName, "", "", 0, "regsvr32.exe path\to\setacl.ocx /s", "", @SW_HIDE) It seems to terminate correctly but the script still doesn't work as expected.
      To check that, I've created that small script :
      Local $objSetAcl = ObjCreate("SETACL.SetACLCtrl.1") If IsObj($objSetAcl) Then ConsoleWrite("Object successfully created." & @CRLF) Else ConsoleWrite("Object not created. Registering SetAcl.ocx" & @CRLF) Local $result = RunAsWait(@UserName, "", "", 0, "regsvr32.exe path\to\setacl.ocx /s", "", @SW_HIDE); Use of my admin username to elevate CMD ConsoleWrite("Return code : " & $result & @CRLF) ConsoleWrite("Creating object" & @CRLF) $objSetAcl = ObjCreate("SETACL.SetACLCtrl.1") If IsObj($objSetAcl) Then ConsoleWrite("Object successfully created." & @CRLF) Else ConsoleWrite("Object creation failed." & @CRLF) EndIf EndIf It tries to register SetAcl.ocx, return code 0 seems to be fine but still can't use SetAcl.
      But if I go to CMD as admin, run the regsvr32 command and restart my script, it can create the object without issue.
      I know my poor knowledge makes me miss something. Anyone can help me figure this out ?
    • By jguinch
      Hello.
      I did create these few functions several months ago. I post here, if it can interest someone.
      These functions based on WMI queries allow you to manage printers : add / delete printer, driver, port, or obtain configuration, set default printer ... I let you discover it with the code.

       
      Here is the list of the available functions :
      _Printmgr_AddLocalPort
      _Printmgr_AddLPRPort
      _PrintMgr_AddPrinter
      _PrintMgr_AddPrinterDriver
      _PrintMgr_AddTCPIPPrinterPort
      _PrintMgr_AddWindowsPrinterConnection
      _PrintMgr_CancelAllJobs
      _Printmgr_EnumPorts
      _PrintMgr_EnumPrinter
      _PrintMgr_EnumPrinterConfiguration
      _PrintMgr_EnumPrinterDriver
      _PrintMgr_EnumPrinterProperties
      _PrintMgr_EnumTCPIPPrinterPort
      _Printmgr_Pause
      _Printmgr_PortExists
      _Printmgr_PrinterExists
      _Printmgr_PrinterSetComment
      _Printmgr_PrinterSetDriver
      _Printmgr_PrinterSetPort
      _Printmgr_PrinterShare
      _Printmgr_PrintTestPage
      _PrintMgr_RemoveLocalPort
      _PrintMgr_RemoveLPRPort
      _PrintMgr_RemovePrinter
      _PrintMgr_RemovePrinterDriver
      _PrintMgr_RemoveTCPIPPrinterPort
      _PrintMgr_RenamePrinter
      _Printmgr_Resume
      _PrintMgr_SetDefaultPrinter
       
      And some examples :
      #include <Array.au3> #include "PrintMgr.au3" _Example() Func _Example() ; Remove a printer called "My old Lexmark printer" : _PrintMgr_RemovePrinter("My old Lexmark printer") ; Remove the driver called "Lexmark T640" : _PrintMgr_RemovePrinterDriver("Lexmark T640") ; Remove the TCP/IP printer port called "TCP/IP" _PrintMgr_RemoveTCPIPPrinterPort("MyOLDPrinterPort") ; Add a driver, called "Samsung ML-451x 501x Series", and driver inf file is ".\Samsung5010\sse2m.inf" _PrintMgr_AddPrinterDriver("Samsung ML-451x 501x Series", "Windows NT x86", @ScriptDir & "\Samsung5010", @ScriptDir & "\Samsung5010\sse2m.inf") ; Add a TCP/IP printer port, called "MyTCPIPPrinterPort", with IPAddress = 192.168.1.10 and Port = 9100 _PrintMgr_AddTCPIPPrinterPort("MyTCPIPPrinterPort", "192.168.1.10", 9100) ; Add a printer, give it the name "My Printer", use the driver called "Samsung ML-451x 501x Series" and the port called "MyTCPIPPrinterPort" _PrintMgr_AddPrinter("My Printer", "Samsung ML-451x 501x Series", "MyTCPIPPrinterPort") ; Set the printer called "My Printer" as default printer _PrintMgr_SetDefaultPrinter("My Printer") ; Connect to the shared printer "\\192.168.1.1\HPDeskjetColor") _PrintMgr_AddWindowsPrinterConnection("\\192.168.1.1\HPDeskjetColor") ; List all installed printers Local $aPrinterList = _PrintMgr_EnumPrinter() _ArrayDisplay($aPrinterList) ; List all printers configuration Local $aPrinterConfig = _PrintMgr_EnumPrinterConfiguration() _ArrayDisplay($aPrinterConfig) ; List all installed printer drivers Local $aDriverList = _PrintMgr_EnumPrinterDriver() _ArrayDisplay($aDriverList) ; Retrieve the printer configuration for the printer called "Lexmark T640" $aPrinterConfig = _PrintMgr_EnumPrinterConfiguration("Lexmark T640") _ArrayDisplay($aPrinterConfig) ; Add a local printer port (for a file output) _PrintMgr_AddLocalPort("c:\temp\output.pcl") ; Remove the local port _PrintMgr_RemoveLocalPort("c:\temp\output.pcl") EndFunc ;==>_Example Download link :
      PrintMgr.au3
      PrintMgr_Example.au3
    • By Gowrisankar
      Dear members of the forum,
      I'm working on a project in which I have to use Image recognition technique. 
      Due to client restrictions, I couldn't use AutoIt for this project. 
      Is there a way to use this DLL "ImageSearchDLL.dll" (which is used to do image recognition steps in AutoIt) in VB.Net to achieve the same result? 
      I have used this DLL few years before and got good results. If there is a latest version of this DLL and if you can share it, that will be helpful too.
      Any guidance is deeply appreciated.
    • By DesireDenied
      Hey guys,
      I having some hard times getting false-positive, probably because I am trying to execute my AutoUpdater.
      Here is my code:
       
      Global $iUpdateTimer = 0 While 1 checkUpdates(10) WEnd Func checkUpdates($iDelay = 10) $iDelay = $iDelay * 1000 * 60 If TimerDiff($iUpdateTimer) > $iDelay Then ConsoleWrite('checking for updates...' & @CRLF) $iUpdateTimer = TimerInit() If FileExists('AutoUpdater.exe') Then ShellExecuteWait('AutoUpdater.exe') ; this is the line which cause my problem EndIf EndFunc And AutoUpdater code:
      #include <MsgBoxConstants.au3> #include <FileConstants.au3> Global $sExecName = 'test.exe' Global $sUpdatePath = @UserProfileDir &'\desktop\AnyAppName\update\'& $sExecName Global $sUserPath = @UserProfileDir &'\desktop\AnyAppName\'& $sExecName Global $sCopyright = 'someUniqueStringHere' If Not FileExists($sUpdatePath) Then Exit 0 If FileGetVersion($sUpdatePath, $FV_LEGALCOPYRIGHT) <> $sCopyright Then Exit 0 ; checking if we really want to update and execute the file If FileGetVersion($sUpdatePath) > FileGetVersion($sUserPath) Then $iResponse = MsgBox(BitOR($MB_YESNO, $MB_ICONQUESTION),'AnyAppName', 'There is an update available, would you like to update?') If $iResponse == $IDYES Then If ProcessExists($sExecName) Then ProcessClose($sExecName) Sleep(500) EndIf FileCopy($sUpdatePath, $sUserPath, $FC_OVERWRITE) Sleep(3000) ShellExecute($sUserPath) Exit 1 EndIf EndIf Exit 0 I am not trying to ask, why is my code is getting recognized as false-positive, because this is quite obvious, but is there any other way to get things done without running external process?
       

×
×
  • Create New...