

#include  
 
// Forward declaration; the definition is at the bottom of this file.
DWORD PsGetProcessIdFromModuleName(LPCTSTR szName); 
 
// Native (ntdll) entry points used by the psapi re-implementations below.
// They are declared with plain DWORD parameters and return values: the
// callers push pointers and sizes through these DWORD slots, which (like the
// x86 inline asm further down) makes this file 32-bit only. The return value
// is an NTSTATUS -- callers treat a set sign bit as failure and translate it
// with RtlNtStatusToDosError() before SetLastError().
extern "C"{ 
 
DWORD __stdcall NtQuerySystemInformation(DWORD,DWORD,DWORD,DWORD); 
DWORD __stdcall NtQueryInformationProcess(DWORD,DWORD,DWORD,DWORD,DWORD); 
DWORD __stdcall RtlNtStatusToDosError(DWORD); 
} 
// C4035 ("no return value"): expected for the __declspec(naked) functions
// below, whose inline asm returns in EAX.
#pragma warning( disable : 4035 ) 
 
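/*
 * EnumProcesses: fill ProcessesId[] with the ids of all running processes.
 *
 * Replaces the hand-written x86 asm that was lifted from a disassembly of
 * psapi.dll. That asm installed an SEH frame whose handler and scope table
 * were the *absolute* addresses 0x731B2E38 / 0x731B3448 taken from the
 * original DLL's image. Inside this module those addresses are meaningless,
 * so any exception raised in the frame (the very case it existed for: a bad
 * ProcessesId/done pointer) would transfer control to an arbitrary address.
 * It also leaked the LocalAlloc'd snapshot buffer whenever
 * NtQuerySystemInformation failed with a status other than
 * STATUS_INFO_LENGTH_MISMATCH. Both are fixed here: the output pointers are
 * validated up front instead of being written under a bogus handler, and
 * every path frees the buffer.
 *
 * Parameters (same __stdcall interface as the Win32 psapi export):
 *   ProcessesId        - caller's DWORD array receiving process ids
 *   SizeofProcessesIds - size of that array in BYTES
 *   done               - receives the number of BYTES stored
 * Returns non-zero on success, 0 on failure with GetLastError() set.
 * x86-only, like the rest of this file (pointers travel through the DWORD
 * parameters of the Nt* declarations above).
 */
DWORD __stdcall 
			EnumProcesses(DWORD* ProcessesId, 
						DWORD SizeofProcessesIds/*sizeof ProcessesId*/, 
						DWORD* done) 
{ 
	/* Values the original asm hard-coded. The two offsets are the x86
	   SYSTEM_PROCESS_INFORMATION fields it read: next-entry offset at +0,
	   process id at +44h. */
	enum {
		SYSTEM_PROCESS_INFORMATION_CLASS = 5,
		BUFFER_STEP    = 0x8000,   /* initial buffer size and growth step */
		OFS_NEXT_ENTRY = 0x00,
		OFS_PROCESS_ID = 0x44
	};
	const DWORD NTSTATUS_INFO_LENGTH_MISMATCH = 0xC0000004; /* STATUS_INFO_LENGTH_MISMATCH */

	DWORD bufSize = BUFFER_STEP;
	BYTE* buf;
	DWORD status;
	DWORD maxIds;
	DWORD count = 0;
	DWORD offset = 0;

	if (ProcessesId == NULL || done == NULL) {
		SetLastError(ERROR_INVALID_PARAMETER);
		return 0;
	}

	/* Grow the buffer until the whole process snapshot fits. */
	for (;;) {
		buf = (BYTE*)LocalAlloc(LMEM_FIXED, bufSize);
		if (buf == NULL) {
			return 0;   /* LocalAlloc has set the last error */
		}
		status = NtQuerySystemInformation(SYSTEM_PROCESS_INFORMATION_CLASS,
						  (DWORD)buf, bufSize, 0);
		if (status != NTSTATUS_INFO_LENGTH_MISMATCH) {
			break;
		}
		LocalFree(buf);
		bufSize += BUFFER_STEP;
	}

	if ((LONG)status < 0) {   /* NTSTATUS failure: sign bit set */
		SetLastError(RtlNtStatusToDosError(status));
		LocalFree(buf);       /* the asm version leaked it here */
		return 0;
	}

	/* Walk the chained entries; ids are stored only while there is room,
	   so *done reflects exactly what was written. */
	maxIds = SizeofProcessesIds / sizeof(DWORD);
	for (;;) {
		const BYTE* entry = buf + offset;
		DWORD next;
		if (count < maxIds) {
			ProcessesId[count++] = *(const DWORD*)(entry + OFS_PROCESS_ID);
		}
		next = *(const DWORD*)(entry + OFS_NEXT_ENTRY);
		if (next == 0) {
			break;      /* last entry */
		}
		offset += next;
	}

	*done = count * sizeof(DWORD);
	LocalFree(buf);
	return 1;
}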
 
 
 
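/*
 * EnumProcessModules: fill hModule[] with the base addresses of the modules
 * loaded in hProcess.
 *
 * Replaces hand-written x86 asm lifted from a psapi.dll disassembly. That asm
 * installed an SEH frame whose handler and scope table were the absolute
 * addresses 0x731B2E38 / 0x731B3178 from the original DLL image; inside this
 * module those addresses are meaningless, so an exception in the frame (a bad
 * hModule/done pointer, exactly what the frame was guarding) would transfer
 * control to an arbitrary address. The C version drops that frame and
 * validates the output pointers up front instead.
 *
 * The walk is the one the asm performed, with its raw offsets kept as named
 * constants: 18h bytes of process information -> dword at +4 (PEB address)
 * -> dword at PEB+0Ch (loader data) -> list head at +14h -> each entry read
 * as 48h bytes starting 8 bytes before its link, base address at +18h, next
 * link at +8. Which loader structures these offsets belong to is not
 * established by this file; they are x86- and OS-version-specific.
 *
 * Parameters (same __stdcall interface as the Win32 psapi export):
 *   hProcess      - target process handle
 *   hModule       - caller's HMODULE array
 *   SizeofhModule - size of that array in BYTES
 *   done          - receives the number of BYTES needed for ALL modules
 *                   (may exceed SizeofhModule; only the first entries that
 *                   fit are stored)
 * Returns non-zero on success, 0 on failure with GetLastError() set.
 */
DWORD __stdcall 
			EnumProcessModules(HANDLE hProcess, 
							 HMODULE* hModule /*array*/, 
							 DWORD SizeofhModule/* sizeof(hModule) */, 
							 DWORD* done) 
{ 
	/* Values the original asm hard-coded (x86 layout). */
	enum {
		PROCESS_BASIC_INFORMATION_CLASS = 0,
		PBI_SIZE        = 0x18,  /* bytes requested from NtQueryInformationProcess */
		PBI_OFS_PEB     = 0x04,  /* dword: PEB address of the target */
		PEB_OFS_LDR     = 0x0C,  /* dword: loader data pointer */
		LDR_OFS_LIST    = 0x14,  /* list head that is walked below */
		LINK_TO_ENTRY   = 0x08,  /* entry record starts 8 bytes before its link */
		ENTRY_SIZE      = 0x48,
		ENTRY_OFS_FLINK = 0x08,
		ENTRY_OFS_BASE  = 0x18
	};

	BYTE pbi[PBI_SIZE];
	BYTE entry[ENTRY_SIZE];
	DWORD status, peb, ldr, head, link, maxMods;
	DWORD count = 0;

	if (hModule == NULL || done == NULL) {
		SetLastError(ERROR_INVALID_PARAMETER);
		return 0;
	}

	status = NtQueryInformationProcess((DWORD)hProcess, PROCESS_BASIC_INFORMATION_CLASS,
					   (DWORD)pbi, PBI_SIZE, 0);
	if ((LONG)status < 0) {   /* NTSTATUS failure: sign bit set */
		SetLastError(RtlNtStatusToDosError(status));
		return 0;
	}
	peb = *(DWORD*)(pbi + PBI_OFS_PEB);

	/* ReadProcessMemory sets the last error itself on failure. */
	if (!ReadProcessMemory(hProcess, (LPCVOID)(peb + PEB_OFS_LDR), &ldr, sizeof ldr, NULL)) {
		return 0;
	}
	head = ldr + LDR_OFS_LIST;
	if (!ReadProcessMemory(hProcess, (LPCVOID)head, &link, sizeof link, NULL)) {
		return 0;
	}

	/* Every module is counted so *done reports the full size needed; only
	   the first SizeofhModule/sizeof(HMODULE) bases are stored. */
	maxMods = SizeofhModule / sizeof(HMODULE);
	while (link != head) {
		if (!ReadProcessMemory(hProcess, (LPCVOID)(link - LINK_TO_ENTRY), entry, ENTRY_SIZE, NULL)) {
			return 0;
		}
		if (count < maxMods) {
			hModule[count] = *(HMODULE*)(entry + ENTRY_OFS_BASE);
		}
		count++;
		link = *(DWORD*)(entry + ENTRY_OFS_FLINK);
	}

	*done = count * sizeof(HMODULE);
	return 1;
}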
 
 
/*
 * sub_731B14A5 (helper lifted from a psapi.dll disassembly): locate the
 * loader entry of module hMod inside process hProcess and copy its 48h-byte
 * record into the caller's buffer.
 *
 * Stack arguments, in the order the callers in this file push them:
 *   [ebp+8]   hProcess - handle used for NtQueryInformationProcess and
 *                        ReadProcessMemory
 *   [ebp+0Ch] hMod     - module base to look for; 0 means "use the dword read
 *                        from PEB+8 of the target" (presumably its image base
 *                        -- confirm against the PEB layout)
 *   [ebp+10h] out      - caller buffer that receives 48h bytes of the
 *                        matching entry
 * Returns 1 in EAX when an entry whose dword at +18h equals hMod was found,
 * otherwise 0 with the last error set: RtlNtStatusToDosError() of the
 * NTSTATUS when NtQueryInformationProcess fails, 6 when the list is
 * exhausted without a match, or whatever ReadProcessMemory left behind.
 *
 * NOTE(review): the declaration has no return type and no calling
 * convention, but the body cleans its own arguments (`retn 0Ch`) and returns
 * in EAX, i.e. it behaves as `DWORD __stdcall sub_731B14A5(HANDLE, HMODULE,
 * void *)`. This only works because every caller in this file invokes it
 * from inline asm with three pushes and no caller-side cleanup; calling it
 * from C with the default convention would corrupt the stack.
 */
__declspec(naked) sub_731B14A5() 
{ 
__asm{ 
;		S u b r	o u t i	n e 
 
;sub_731B14A5	proc near		; CODE XREF: GetModuleFileNameExW+11.p 
					; GetModuleBaseNameW+11.p ... 
		push	ebp 
		mov	ebp, esp 
		sub	esp, 20h	; Integer Subtraction 
		push	ebx 
		lea	eax, [ebp-20h]	; Load Effective Address 
		push	esi 
		push	edi 
		; NtQueryInformationProcess(hProcess, 0, &local20h, 18h, NULL)
		push	0 
		mov	esi, [ebp+8] 
		push	18h 
		push	eax 
		push	0 
		push	esi 
		call	NtQueryInformationProcess ; Indirect	Call Near Procedure 
		test	eax, eax	; Logical Compare 
		jge	short loc_731B14D3 ; Jump if Greater or	Equal (SF=OF) 
		; NTSTATUS failure: SetLastError(RtlNtStatusToDosError(status)); return 0
		push	eax 
		call	RtlNtStatusToDosError ; Indirect Call Near Procedure 
		push	eax 
		jmp	loc_731B1557	; Jump 
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 
 
loc_731B14D3:				; CODE XREF: sub_731B14A5+1F.j 
		; edi = dword at local20h+4 (PEB address of the target)
		cmp	dword ptr [ebp+0Ch], 0 ; Compare Two Operands 
		mov	edi, [ebp-1Ch] 
		jnz	short loc_731B14F3 ; Jump if Not Zero (ZF=0) 
		; hMod == 0: replace it with the dword at PEB+8 of the target
		push	0 
		lea	eax, [ebp+0Ch]	; Load Effective Address 
		push	4 
		lea	ecx, [edi+8]	; Load Effective Address 
		push	eax 
		push	ecx 
		push	esi 
		call	dword ptr ReadProcessMemory ; Indirect	Call Near Procedure 
		test	eax, eax	; Logical Compare 
		jz	short loc_731B155D ; Jump if Zero (ZF=1) 
 
loc_731B14F3:				; CODE XREF: sub_731B14A5+35.j 
		; read dword at PEB+0Ch (loader data pointer) into [ebp-8]
		push	0 
		lea	eax, [ebp-8]	; Load Effective Address 
		push	4 
		add	edi, 0Ch	; Add 
		push	eax 
		push	edi 
		push	esi 
		call	dword ptr ReadProcessMemory ; Indirect	Call Near Procedure 
		test	eax, eax	; Logical Compare 
		jz	short loc_731B155D ; Jump if Zero (ZF=1) 
		; edi = list head (loader data + 14h); [ebp-4] = its first link
		mov	edi, [ebp-8] 
		push	0 
		add	edi, 14h	; Add 
		push	4 
		lea	eax, [ebp-4]	; Load Effective Address 
		push	eax 
		push	edi 
		push	esi 
		call	dword ptr ReadProcessMemory ; Indirect	Call Near Procedure 
		test	eax, eax	; Logical Compare 
		jz	short loc_731B155D ; Jump if Zero (ZF=1) 
		; empty list (link == head) -> not found
		cmp	[ebp-4], edi	; Compare Two Operands 
		jz	short loc_731B1555 ; Jump if Zero (ZF=1) 
		mov	ebx, [ebp+10h] 
 
loc_731B152C:				; CODE XREF: sub_731B14A5+AE.j 
		; copy 48h bytes starting 8 bytes before the link into the caller buffer
		mov	eax, [ebp-4] 
		push	0 
		sub	eax, 8		; Integer Subtraction 
		push	48h 
		push	ebx 
		push	eax 
		push	esi 
		call	dword ptr ReadProcessMemory ; Indirect	Call Near Procedure 
		test	eax, eax	; Logical Compare 
		jz	short loc_731B155D ; Jump if Zero (ZF=1) 
		; match when the dword at entry+18h equals hMod
		mov	eax, [ebp+0Ch] 
		cmp	[ebx+18h], eax	; Compare Two Operands 
		jz	short loc_731B1568 ; Jump if Zero (ZF=1) 
		; next link is the dword at entry+8; stop when back at the head
		mov	eax, [ebx+8] 
		mov	[ebp-4], eax 
		cmp	eax, edi	; Compare Two Operands 
		jnz	short loc_731B152C ; Jump if Not Zero (ZF=0) 
 
loc_731B1555:				; CODE XREF: sub_731B14A5+82.j 
		; list exhausted: SetLastError(6)
		push	6 
 
loc_731B1557:				; CODE XREF: sub_731B14A5+29.j 
		call	dword ptr SetLastError	; Indirect Call	Near Procedure 
 
loc_731B155D:				; CODE XREF: sub_731B14A5+4C.j 
					; sub_731B14A5+63.j ... 
		xor	eax, eax	; Logical Exclusive OR 
 
loc_731B155F:				; CODE XREF: sub_731B14A5+C8.j 
		pop	edi 
		pop	esi 
		pop	ebx 
		mov	esp, ebp 
		pop	ebp 
		retn	0Ch		; Return Near from Procedure 
loc_731B1568:				; CODE XREF: sub_731B14A5+A4.j 
		; found
		mov	eax, 1 
		jmp	short loc_731B155F ; Jump 
;sub_731B14A5	endp 
  
 } 
 
} 
 
 
 
/*
 * GetModuleBaseNameW: copy the base name of module hMod in hProcess into
 * szProcessName and return the number of WCHARs copied, or 0 on failure with
 * the last error set by whichever call failed. SizeofszProcessName is a count
 * of WCHARs (the `add eax, eax` below doubles it into bytes).
 *
 * Flow of the inline asm:
 *   1. sub_731B14A5(hProcess, hMod, local 48h-byte buffer) fetches the loader
 *      entry; failure -> return 0.
 *   2. The word at entry+2Eh is taken as the byte length of the name and the
 *      dword at entry+30h as its address in the target; the length is
 *      clamped to SizeofszProcessName*2 bytes.
 *      NOTE(review): together with the `sub esi, 2` in step 4 this looks like
 *      a UNICODE_STRING whose MaximumLength includes the terminating NUL
 *      (BaseDllName of the loader entry) -- confirm against the target OS
 *      layout before relying on it.
 *   3. ReadProcessMemory copies that many bytes straight into szProcessName;
 *      failure -> return 0.
 *   4. If nothing was clamped, 2 bytes are dropped from the count before it
 *      is halved into a WCHAR count. When the name was clamped, the full
 *      SizeofszProcessName is returned and no terminator has been written.
 */
DWORD __declspec(naked) __stdcall GetModuleBaseNameW(HANDLE hProcess,HMODULE hMod, 
							WCHAR* szProcessName, 
							DWORD SizeofszProcessName/* sizeof szProcessName*/ ) 
{ 
	__asm 
	{ 
;		S u b r	o u t i	n e 
 
		push	ebp 
		mov	ebp, esp 
		sub	esp, 48h	; Integer Subtraction 
		push	esi 
		; sub_731B14A5(hProcess, hMod, &local48h) - callee cleans the 3 args
		lea	eax, [ebp-48h]	; Load Effective Address 
		push	eax 
		push	dword ptr [ebp+0Ch] 
		push	dword ptr [ebp+8] 
		call	sub_731B14A5	; Call Procedure 
		test	eax, eax	; Logical Compare 
		jnz	short loc_731B1793 ; Jump if Not Zero (ZF=0) 
		xor	eax, eax	; Logical Exclusive OR 
		jmp	short loc_731B17CB ; Jump 
 
loc_731B1793:				; CODE XREF: GetModuleBaseNameW+18.j 
		; esi = min(word at entry+2Eh, SizeofszProcessName*2) bytes
		movzx	esi, word ptr [ebp-1Ah]	; Move with Zero-Extend 
		mov	eax, [ebp+14h] 
		add	eax, eax	; Add 
		cmp	esi, eax	; Compare Two Operands 
		jbe	short loc_731B17A2 ; Jump if Below or Equal (CF=1 | ZF=1) 
		mov	esi, eax 
 
loc_731B17A2:				; CODE XREF: GetModuleBaseNameW+29.j 
		; ReadProcessMemory(hProcess, dword at entry+30h, szProcessName, esi, NULL)
		push	0 
		push	esi 
		push	dword ptr [ebp+10h] 
		push	dword ptr [ebp-18h] 
		push	dword ptr [ebp+8] 
		call	dword ptr ReadProcessMemory ; Indirect	Call Near Procedure 
		test	eax, eax	; Logical Compare 
		jnz	short loc_731B17BC ; Jump if Not Zero (ZF=0) 
		xor	eax, eax	; Logical Exclusive OR 
		jmp	short loc_731B17CB ; Jump 
 
loc_731B17BC:				; CODE XREF: GetModuleBaseNameW+41.j 
		; not clamped: drop 2 bytes from the count before converting to WCHARs
		movzx	eax, word ptr [ebp-1Ah]	; Move with Zero-Extend 
		cmp	eax, esi	; Compare Two Operands 
		jnz	short loc_731B17C7 ; Jump if Not Zero (ZF=0) 
		sub	esi, 2		; Integer Subtraction 
 
loc_731B17C7:				; CODE XREF: GetModuleBaseNameW+4D.j 
		mov	eax, esi 
		shr	eax, 1		; Shift	Logical	Right 
 
loc_731B17CB:				; CODE XREF: GetModuleBaseNameW+1C.j 
					; GetModuleBaseNameW+45.j 
		pop	esi 
		mov	esp, ebp 
		pop	ebp 
		retn	10h		; Return Near from Procedure 
;GetModuleBaseNameW endp 
	} 
} 
 
 
/*
 * GetModuleBaseNameA: ANSI wrapper over GetModuleBaseNameW. Allocates a
 * temporary buffer of SizeofszProcessName*2 bytes, calls the W version into
 * it, converts the result with WideCharToMultiByte(0, 0, ...) into
 * szProcessName (SizeofszProcessName bytes) and returns the W version's
 * character count, or 0 when the allocation or the conversion fails. The
 * terminator is included in the conversion only when the W call returned
 * fewer characters than SizeofszProcessName.
 *
 * Stack layout (naked, no frame pointer): after the four register pushes the
 * arguments sit at [esp+14h] hProcess, [esp+18h] hMod, [esp+1Ch]
 * szProcessName, [esp+20h] SizeofszProcessName; the `[esp+...]` operands
 * below shift with every further push.
 *
 * NOTE(review): `esi*2` is computed in 32 bits with no overflow check, so a
 * SizeofszProcessName of 80000000h or more allocates a much smaller buffer
 * than the W call is told it has. Any caller that passes a size it does not
 * control itself should bound it first.
 */
DWORD __declspec(naked) __stdcall GetModuleBaseNameA(HANDLE hProcess,HMODULE hMod, 
							char* szProcessName, 
							DWORD SizeofszProcessName/* sizeof szProcessName*/ ) 
{ 
 
	__asm 
	{ 
		push	ebx 
		push	esi 
		mov	esi, [esp+18h] 
		push	edi 
		push	ebp 
		; edi = LocalAlloc(0, SizeofszProcessName * 2)
		lea	eax, ds:0[esi*2] ; Load	Effective Address 
		push	eax 
		push	0 
		call	dword ptr LocalAlloc	; Indirect Call	Near Procedure 
		mov	edi, eax 
		test	edi, edi	; Logical Compare 
		jnz	short loc_731B17F4 ; Jump if Not Zero (ZF=0) 
		xor	eax, eax	; Logical Exclusive OR 
		jmp	short loc_731B1830 ; Jump 
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 
 
loc_731B17F4:				; CODE XREF: GetModuleBaseNameA+1C.j 
		; ebx = GetModuleBaseNameW(hProcess, hMod, edi, SizeofszProcessName)
		push	esi 
		push	edi 
		push	dword ptr [esp+20h] 
		push	dword ptr [esp+20h] 
		call	GetModuleBaseNameW ; Call Procedure 
		mov	ecx, eax 
		cmp	eax, esi	; Compare Two Operands 
		mov	ebx, eax 
		jnb	short loc_731B180E ; Jump if Not Below (CF=0) 
		; room left: convert count+1 WCHARs so the terminator comes along
		lea	ecx, [ebx+1]	; Load Effective Address 
 
loc_731B180E:				; CODE XREF: GetModuleBaseNameA+37.j 
		; WideCharToMultiByte(0, 0, edi, ecx, szProcessName, SizeofszProcessName, NULL, NULL)
		xor	ebp, ebp	; Logical Exclusive OR 
		push	ebp 
		push	ebp 
		push	esi 
		push	dword ptr [esp+28h] 
		push	ecx 
		push	edi 
		push	ebp 
		push	ebp 
		call	dword ptr WideCharToMultiByte ; Indirect Call Near Procedure 
		test	eax, eax	; Logical Compare 
		jnz	short loc_731B1827 ; Jump if Not Zero (ZF=0) 
		; conversion failed: report 0
		xor	ebx, ebx	; Logical Exclusive OR 
 
loc_731B1827:				; CODE XREF: GetModuleBaseNameA+51.j 
		push	edi 
		call	dword ptr LocalFree	; Indirect Call	Near Procedure 
		mov	eax, ebx 
 
loc_731B1830:				; CODE XREF: GetModuleBaseNameA+20.j 
		pop	ebp 
		pop	edi 
		pop	esi 
		pop	ebx 
		retn	10h		; Return Near from Procedure 
;GetModuleBaseNameA endp 
	} 
} 
 
 
 
 
DWORD PsGetProcessIdFromModuleName(LPCTSTR szName) 
{ 
	DWORD ProcessesId[1024],cProcesses,done; 
	DWORD pid; 
	HMODULE hMod; 
	HANDLE hProcess; 
	char szProcessName[MAX_PATH]; 
	unsigned i; 
 
 
	if(!EnumProcesses(ProcessesId,sizeof(ProcessesId),&done)) 
	{ 
		return (DWORD)-1; 
	} 
 
	cProcesses = done / sizeof(DWORD); 
 
	for(i=2;i