XProfan

- Seite 4 -

Sebastian
König

Nächster Versuch

: Mit einer Größe von 24 Byte (= sizeof(PROCESS_BASIC_INFORMATION)) klappt es mit ProcessBasicInformation - ist das besser?

Windows XP, XProfan/Profan² 4.5 bis 11
Profan2Cpp-Homepage: [...]

Alte Profan²-Seite: [...]

100 Punkte!

Sebastian
König

Ok - hatte ich fast befürchtet... So wie ich das sehe bleibt da zur weiteren Suche nur PebBaseAddress übrig. In Reserved1 und Reserved2 stehen scheinbar für alle Prozesse die gleichen Werte und die ID kennt man ja sowieso

. Reserved3 ist scheinbar die ID des Eltern-Prozesses, auch ganz nett... (Die Beschreibung der Struktur habe ich glücklicherweise im Platform SDK gefunden.)

PebBaseAddress zeigt auf eine PEB-Struktur. Eine Beschreibung dafür habe ich in winternl.h gefunden - ganz schön viele Elemente und so gut wie alle als Reserved gekennzeichnet :--/

Windows XP, XProfan/Profan² 4.5 bis 11
Profan2Cpp-Homepage: [...]

Alte Profan²-Seite: [...]

Nochmals 100 Punkte für PEB!

Sebastian
König

Ich schreibe einfach nochmal den aktuellen Stand meiner Bemühungen: Ich suche im Moment in dem Array Reserved3[59] nach Werten, die mich weiter bringen.

Fast alle Einträge sind 0, lediglich Reserved3[14] und Reserved3[26] sehen interessant aus. Von Reserved3[14] kann ich nicht lesen - offenbar ist das ein direkter Wert, vielleicht ein Handle. (Das Öffnen mit ZwQueryDirectoryObject() klappt allerdings nicht, habe ich als erstes versucht.)

Was unter Reserved3[26] steht, sieht dagegen schon interessanter aus - zum Beispiel (die ersten 5 LongInts):

1024 | 2147348820 | 64 | 2147248548 | 0 | ...

Den ersten und dritten halte ich auf Grund der speziellen Werte für irgendwelche Flags, der zweite und vierte sind wahrscheinlich Zeiger auf weitere Daten.

Ein bischen ist das ganze schon wie ein Herumtasten im Dunkeln ohne genau zu wissen, was man sucht...

Windows XP, XProfan/Profan² 4.5 bis 11
Profan2Cpp-Homepage: [...]

Alte Profan²-Seite: [...]

Kompilieren Markieren Separieren

Frank
Abbing

Der Stand meiner Arbeit von heute morgen. Zur Anzeige wird die Listview.dll benötigt.
Der Code ist Enh-Code des XPIA, damit es alle testen können.

Ich weiss, das war nicht die Aufgabenstellung. Aber für Try&Error auf fremdem Terrain fehlt mir echt die Lust...

DECLARE XPIA_#,XPIA$,EXPIA&,TEXT$,NUMBER&,SNAPSHOT&,LVDLL&,LISTVIEW&,X&,Y&,CLV1#,CLV2#,CLVALL#,LVITEM#
DIM XPIA_#,6656
CLEAR XPIA_#
LONG XPIA_#,0=9460301,3,4,65535,184,0,64,0,0,0,0,0,0,0,0,184,247078670,-855002112,1275181089,1750344141,1881174889,1919381362,1663069537,1869508193,1700929652,1853190688,544106784,542330692,1701080941,168627502,36,0,1542594224
LONG XPIA_#,132=144474100,144474100,144474100,143548168,144474102,143614074,144474090,1751345490,144474100,0,0,0,0,17744,131404,1160510844,0,0,554565856,201654539,5632,512,0,4236,4096,12288,268435456,4096,512,4,0,4,0,16384,512
LONG XPIA_#,272=0,2,1048576,4096,1048576,4096,0,16,9568,105,9172,100,0,0,0,0,0,0,12288,140,0,0,0,0,0,0,0,0,0,0,0,0,4096,60,0,0,0,0,0,0,1297301837,12851,5577,4096,5632,512,0,0,0,-536870880,1818587694,25455,166,12288,512,6144,0
LONG XPIA_#,500=0,0,1107296320,9510,9496,9484,0,9332,9374,9422,9406,9346,9388,0,9532,0,9448,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,-1192457387,1,836297,1407717226,-16777214,93259893,268439612,-1895008769,1064965,276168464
LONG XPIA_#,692=272893327,1979650048,1208323860,-15728624,93263989,268439628,-1893960193,1069061,544603920,273941903,1979650048,1476759332,-15728624,93268085,268439644,-1892911617,1073157,813039376,274990479,1979650048,1745194804
LONG XPIA_#,776=-15728624,93272181,268439660,-1891863041,1077253,1081474832,276039055,1438846976,-997987189,-62535684,0,-40984,-1010200321,-2081649835,1170734276,508,-11868160,7012351,2112360298,-1560281087,268439676,325846471
LONG XPIA_#,864=19402752,1818755072,1343225875,94184,20965632,905904128,268440436,275251306,-402653180,338,1083555,67135504,-731381760,1779433495,-974630912,184549377,-972458560,1561605,904593424,1561704,20375568,2023948288,1745879056
LONG XPIA_#,956=268440464,75752,2013604096,-15728624,1079309,-736785136,51380247,1079317,-2000670192,-2009727230,-401604592,226,-2140667798,-15728624,1063989,23128080,-731381760,-15728613,1274933,15394832,905904128,268439612
LONG XPIA_#,1044=80360,-2069673984,-1928331248,1823765,-2076836080,1779433488,905925120,268439612,73704,466905088,905908224,268440448,45032,-736785152,-15728613,1082421,1375824400,272381439,-169340928,1744830464,268442580,327169535
LONG XPIA_#,1132=-2048389120,-16777216,1082421,1744988688,268440464,272381439,-840429568,-1929379840,1561621,-2076836080,1779433488,905925123,268439612,46056,325871616,905908224,268439676,12776,264275200,-83579,2083913727,-401604592
LONG XPIA_#,1220=6,-1026965453,637468676,268439568,270542335,637472768,268439572,270804479,637472768,268439580,270018047,637472768,268439604,1408011093,1166759766,209554184,125157387,805816166,2034035456,755484166,-1186473737
LONG XPIA_#,1304=429496730,334231435,-503850869,344834699,735183762,818118874,-2092490872,-394854152,-352319546,109727498,126363530,994453128,1609724663,-1026991266,637468680,268439560,268707327,637472768,268439552,271328767
LONG XPIA_#,1384=-859041792,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
LONG XPIA_#,1784=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
LONG XPIA_#,2200=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
LONG XPIA_#,2616=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
LONG XPIA_#,3032=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
LONG XPIA_#,3448=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
LONG XPIA_#,3864=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
LONG XPIA_#,4280=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
LONG XPIA_#,4696=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
LONG XPIA_#,5112=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
LONG XPIA_#,5528=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9288,0,0,9434,4112,9324,0,0,9462,4148,9272,0,0,9518,4096,9316,0,0,9556,4140,0,0,0,0,0,9510,9496,9484,0,9332,9374,9422,9406,9346,9388,0,9532,0,9448,0,1816330266,1214608239,1818521185
LONG XPIA_#,5760=4784229,1634038339,1867801972,1701342319,842231916,1885433427,1953458291,30474240,1852141647,1668248144,7566181,1917845982,1936024431,1177695091,1953722985,31457280,1668248144,863204197,2019905074,46071924,1920234348
LONG XPIA_#,5844=1097753964,1701511168,1818586738,1680749107,27756,1699152177,1937331060,1869377347,1937047666,842232421,1819042862,1684471808,775041897,7105636,1699151918,1852394612,29541,1699938394,1702119796,2019906669,4522100
LONG XPIA_#,5928=1702119763,1766588525,1769370739,1680766821,27756,1699151884,1685015924,1181052021,1315269737,1164275041,16760,1885434736,1818504809,108,0,1160510844,0,9628,1,2,2,9608,9616,9624,4412,4391,9653,9664,65536,1952794463
LONG XPIA_#,6048=1668248144,1232302949,1936680558,1752065375,1819042862,1952794368,1668248144,7566181,1147496532,1935766625,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4096,140,816656548,817836214,819015880,820195546,821375212,822554878,823734544
LONG XPIA_#,6180=827863330,828846430,831074680,832909715,834089389,835137980,835924429,836973017,838152687,839201279,840643088,841429537,842674736,843788864,844771921,845820516,847000181,848114306,849097363,850145958,852505279
LONG XPIA_#,6264=853291734,854078178,854864622,861549396,862335840,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
LONG XPIA_#,6600=0,0,0,0,0,0,0,0,0,0,0,0,0,0
XPIA$=$TEMPDIR+"/_GetProcessInfos_enh.dll"
FILEMODE 1
ASSIGN #1,XPIA$
OPENRW #1
BLOCKWRITE #1,XPIA_#,0,6656
CLOSERW #1
DISPOSE XPIA_#
DIM CLV1#,256
DIM CLV2#,64
DIM CLVALL#,1400
DIM LVITEM#,292
DEF CREATELISTVIEW(6) !"LISTVIEW","CreateListview"
DEF SHOWLISTVIEW(5) !"LISTVIEW","ShowListview"
DEF ICOLUMN(4) !"LISTVIEW","IColumn"
DEF SITEM(3) !"LISTVIEW","SItem"
DEF INITMESSAGES(1) !"LISTVIEW","InitMessages"
DEF ASORTLISTVIEW(3) !"LISTVIEW","ASortListview"
DEF READFILEQUICK(4) !"LISTVIEW","ReadFileQuick"
DEF CSVTOLISTVIEW(4) !"LISTVIEW","CsvToListview"
DEF SWAPLINES(3) !"LISTVIEW","SwapLines"
DEF GETSELECTED(2) !"LISTVIEW","GetSelected"
DEF GETSELECTEDDBCLK(2) !"LISTVIEW","GetSelectedDbClk"
DEF GETTABOFFSETS(2) !"LISTVIEW","GetTabOffsets"
DEF GETLINES(1) !"LISTVIEW","GetLines"
DEF GETCOLUMNS(1) !"LISTVIEW","GetColumns"
DEF GETNEEDEDMEMORY(2) !"LISTVIEW","GetNeededMemory"
DEF GETALLSELECTED(2) !"LISTVIEW","GetAllSelected"
DEF GETNULLOFFSET(1) !"LISTVIEW","GetNullOffset"
DEF LISTVIEWTOCSV(4) !"LISTVIEW","ListviewToCsv"
DEF WRITEFILEQUICK(4) !"LISTVIEW","WriteFileQuick"
DEF CREATEIMAGELIST(2) !"LISTVIEW","CreateImageList"
DEF SETIMAGELIST(2) !"LISTVIEW","SetImageList"
DEF SETICON(3) !"LISTVIEW","SetIcon"
DEF SETICONSFROMMEM(4) !"LISTVIEW","SetIconsFromMem"
DEF SETICONSWITH(4) !"LISTVIEW","SetIconsWith"
DEF GETSELECTEDLINE(1) !"LISTVIEW","GetSelectedLine"
DEF SETINDEX(1) !"LISTVIEW","SetIndex"
DEF REGISTER(1) !"LISTVIEW","Register"
DEF GETLINETEXT(3) !"LISTVIEW","GetLineText"
DEF GETCOLUMNWIDTH(2) !"LISTVIEW","GetColumnWidth"
DEF CLOSEMESSAGES(1) !"LISTVIEW","CloseMessages"
DEF SETCOLUMNSFROMMEM(3) !"LISTVIEW","SetColumnsFromMem"
DEF CRYPTMEM(4) !"LISTVIEW","CryptMem"
DEF DBFTOCSV(5) !"LISTVIEW","DbfToCsv"
DEF SELECTLINE(3) !"LISTVIEW","SelectLine"
DEF SEARCHTEXT(7) !"LISTVIEW","SearchText"
DEF LISTVIEWTODBF(4) !"LISTVIEW","ListviewToDbf"
DEF COPYCOLUMNTO(4) !"LISTVIEW","CopyColumnTo"
DEF GETINDEX(0) !"LISTVIEW","GetIndex"
DEF EXCHANGESEPARATOR(5) !"LISTVIEW","ExchangeSeparator"
DEF COPYLINETO(4) !"LISTVIEW","CopyLineTo"
DEF GETCHECKED(3) !"LISTVIEW","GetChecked"
DEF SETCHECKBOXSTATE(3) !"LISTVIEW","SetCheckboxState"
DEF GETCHECKBOXSTATE(2) !"LISTVIEW","GetCheckboxState"
DEF ENABLEEDITS(2) !"LISTVIEW","EnableEdits"
DEF SORTMANUAL(3) !"LISTVIEW","SortManual"
DEF FILELISTTOCSV(6) !"LISTVIEW","FilelistToCsv"
DEF SETITEMTEXT(4) !"LISTVIEW","SetItemText"
DEF GETITEMTEXT(4) !"LISTVIEW","GetItemText"
DEF EXAMINECOLUMN(2) !"LISTVIEW","ExamineColumn"
DEF SETCOLUMNSORT(3) !"LISTVIEW","SetColumnSort"
DEF GETCOLUMNUPDATE(2) !"LISTVIEW","GetColumnUpdate"
DEF SETCOLUMNUPDATE(2) !"LISTVIEW","SetColumnUpdate"
DEF RAISECOLUMNS(4) !"LISTVIEW","RaiseColumns"
DEF MIXRGBS(2) !"LISTVIEW","MixRGBs"
DEF SETBACKIMAGE(3) !"LISTVIEW","SetBackImage"
DEF PRINTLISTVIEW(13) !"LISTVIEW","PrintListview"
DEF AREICONSPRESENT(1) !"LISTVIEW","AreIconsPresent"
DEF ARECHECKBOXESPRESENT(1) !"LISTVIEW","AreCheckboxesPresent"
DEF ERASELISTVIEW(1) !"LISTVIEW","EraseListview"
DEF GETCONTROLPARAS(1) !"LISTVIEW","GetControlParas"
DEF GETOWNCONTROLPARAS(4) !"LISTVIEW","GetOwnControlParas"
DEF SETSTYLE(1) !"LISTVIEW","SetStyle"
DEF GETREALCOLUMNINDEX(2) !"LISTVIEW","GetRealColumnIndex"
DEF CHECKIFMARKED(1) !"LISTVIEW","CheckIfMarked"
DEF SELECTCOLUMNEDITS(2) !"LISTVIEW","SelectColumnEdits"
DEF GETVAR(1) !"LISTVIEW","GetVar"
DEF SETICONMODE(1) !"LISTVIEW","SetIconMode"
DEF MARKIFCHECKED(1) !"LISTVIEW","MarkIfChecked"
DEF SETFILELISTFILTER(1) !"LISTVIEW","SetFilelistFilter"
DEF SETFILELISTNOFILTER(1) !"LISTVIEW","SetFilelistNoFilter"
DEF ADDITEMVALUES(4) !"LISTVIEW","AddItemValues"
DEF RAISELINE(4) !"LISTVIEW","RaiseLine"
DEF GETCOLUMNNAME(3) !"LISTVIEW","GetColumnName"
DEF SETCOLUMNNAME(3) !"LISTVIEW","SetColumnName"
DEF SETICONCOLUMN(1) !"LISTVIEW","SetIconColumn"
DEF GETICON(3) !"LISTVIEW","GetIcon"
DEF SETVAR(2) !"LISTVIEW","SetVar"
DEF PRINTCOLUMNS(1) !"LISTVIEW","PrintColumns"
DEF GETITEMTEXTSASINTEGER(3) !"LISTVIEW","GetItemTextsAsInteger"
DEF GETITEMTEXTSASFLOAT(3) !"LISTVIEW","GetItemTextsAsFloat"
DEF GETEDGEINTEGERS(4) !"LISTVIEW","GetEdgeIntegers"
DEF GETEDGEFLOATS(4) !"LISTVIEW","GetEdgeFloats"
DEF GETFLOAT(3) !"LISTVIEW","GetFloat"
DEF DELETEDOUBLEITEMS(2) !"LISTVIEW","DeleteDoubleItems"
DEF SETCOLUMNALIGNMENT(3) !"LISTVIEW","SetColumnAlignment"
DEF GETALLCHECKBOXSTATES(2) !"LISTVIEW","GetAllCheckboxStates"
DEF SETALLCHECKBOXSTATES(2) !"LISTVIEW","SetAllCheckboxStates"
DEF GETDLLVERSION(0) !"LISTVIEW","GetDllVersion"
DEF SETLINENUMBERS(3) !"LISTVIEW","SetLineNumbers"
DEF ENABLEDRAGDROP(2) !"LISTVIEW","EnableDragDrop"
DEF DELETESPACELINES(2) !"LISTVIEW","DeleteSpaceLines"
DEF GETDRAGDROPPARAS(1) !"LISTVIEW","GetDragDropParas"
DEF CONVERTDATAS(3) !"LISTVIEW","ConvertDatas"
DEF FORBIDSCROLLMESSAGE(1) !"LISTVIEW","ForbidScrollMessage"
DEF EXCHANGEBYTES(4) !"LISTVIEW","ExchangeBytes"
DEF SETPRINTATTRIBUTES(5) !"LISTVIEW","SetPrintAttributes"
DEF SETLINEHEIGHT(2) !"LISTVIEW","SetLineHeight"
DEF ASORTLISTVIEWEX(4) !"LISTVIEW","ASortListviewEx"
DEF GETLASTKEY(2) !"LISTVIEW","GetLastKey"
DEF SETCOLUMNSWIDTHLIMITS(2) !"LISTVIEW","SetColumnsWidthLimits"

PROC INSERTCOLUMN

    PARAMETERS CLV1&,CLV1$,CLV2&,CLV3&
    STRING CLV1#,0=CLV1$
    ICOLUMN(CLV1&,CLV1#,CLV2&,CLV3&)

ENDPROC

PROC AUTOSORTLISTVIEW

    CLEAR CLV2#
    LONG CLV2#,0=@&(2)
    LONG CLV2#,4=@&(3)
    LONG CLV2#,8=@&(4)
    LONG CLV2#,12=@&(5)
    LONG CLV2#,16=@&(6)
    LONG CLV2#,20=@&(7)
    LONG CLV2#,24=@&(8)
    LONG CLV2#,28=@&(9)
    LONG CLV2#,32=@&(10)
    LONG CLV2#,36=@&(11)
    LONG CLV2#,40=@&(12)
    LONG CLV2#,44=@&(13)
    LONG CLV2#,48=@&(14)
    LONG CLV2#,52=@&(15)
    ASORTLISTVIEW(@&(1),CLV2#,INT(SUB(%PCOUNT,1)))

ENDPROC

PROC SETITEM

    CLEAR CLV2#
    CLEAR CLVALL#
    STRING CLVALL#,0=@$(2)
    LONG CLV2#,0=CLVALL#
    STRING CLVALL#,100=@$(3)
    LONG CLV2#,4=CLVALL#+100
    STRING CLVALL#,200=@$(4)
    LONG CLV2#,8=CLVALL#+200
    STRING CLVALL#,300=@$(5)
    LONG CLV2#,12=CLVALL#+300
    STRING CLVALL#,400=@$(6)
    LONG CLV2#,16=CLVALL#+400
    STRING CLVALL#,500=@$(7)
    LONG CLV2#,20=CLVALL#+500
    STRING CLVALL#,600=@$(8)
    LONG CLV2#,24=CLVALL#+600
    STRING CLVALL#,700=@$(9)
    LONG CLV2#,28=CLVALL#+700
    STRING CLVALL#,800=@$(10)
    LONG CLV2#,32=CLVALL#+800
    STRING CLVALL#,900=@$(11)
    LONG CLV2#,36=CLVALL#+900
    STRING CLVALL#,1000=@$(12)
    LONG CLV2#,40=CLVALL#+1000
    STRING CLVALL#,1100=@$(13)
    LONG CLV2#,44=CLVALL#+1100
    STRING CLVALL#,1200=@$(14)
    LONG CLV2#,48=CLVALL#+1200
    STRING CLVALL#,1300=@$(15)
    LONG CLV2#,52=CLVALL#+1300
    SITEM(@&(1),CLV2#,SUB(%PCOUNT,2))

ENDPROC

DEF @CREATENEWIMAGELIST(5) !"comctl32.dll","ImageList_Create"
DEF @GETSYSTEMMETRICS(1) !"user32.dll","GetSystemMetrics"
DEF @DESTROYIMAGELIST(1) !"comctl32.dll","ImageList_Destroy"
DEF @LOADICON(2) !"user32.dll","LoadIconA"
DEF @ADDICONTOIMAGELIST(2) !"comctl32.dll","ImageList_AddIcon"
DEF DESTROYICON(1) ! "USER32.DLL","DestroyIcon"
DEF @GETSELECTEDCOUNT(1) @SENDMESSAGE (@&(1),4146,0,0)
DEF @DELETECOLUMN(2) @SENDMESSAGE (@&(1),$101C,@%(2),0)
DEF @DELETEITEM(2) @SENDMESSAGE (@&(1),$1008,@%(2),0)
DEF @DELETEALLITEMS(1) @SENDMESSAGE (@&(1),4105,0,0)
DEF @GETITEMSTATE(3) @SENDMESSAGE (@&(1),4140,@%(2),@%(3))
DEF @SETCOLUMNWIDTH(3) @SENDMESSAGE (@&(1),4126,@%(2),@%(3))
DEF @GETLVTXTCOLOR(1) @SENDMESSAGE (@&(1),$1023,0,0)
DEF @GETLVTXTBKCOLOR(1) @SENDMESSAGE (@&(1),$1025,0,0)
DEF @GETLVBKCOLOR(1) @SENDMESSAGE (@&(1),$1000,0,0)
DEF @UPDATE(1) @SENDMESSAGE (@&(1),4138,-1,0)

PROC ADDPROGRAMICON

    PARAMETERS NAME$,LHANDLE&,IL&
    DECLARE HICON&
    CLEAR LVITEM#
    STRING LVITEM#,0=NAME$
    HICON&=LOADICON(LHANDLE&,LVITEM#)
    ADDICONTOIMAGELIST(IL&,HICON&)
    DESTROYICON(HICON&)
    RETURN

ENDPROC

DEF GETSYSCOLOR(1) !"USER32","GetSysColor"
LVDLL&=USEDLL("Listview.dll")
WINDOWSTYLE 26+512
WINDOW 0,0-800,600
CLS GETSYSCOLOR(15)
USEFONT "MS Sans Serif",13,0,0,0,0
SETDIALOGFONT 1
X&=MIXRGBS(GETSYSCOLOR(15),$00FFFFFF)
X&=MIXRGBS(X&,$00FFFFFF)
LISTVIEW&=CREATELISTVIEW(%HWND,%HINSTANCE,0,X&,-1,$20)
INSERTCOLUMN LISTVIEW&,"Prozess-ID",80,0
INSERTCOLUMN LISTVIEW&,"Anzahl Threads",100,0
INSERTCOLUMN LISTVIEW&,"Prozess Datei", 140,0
INSERTCOLUMN LISTVIEW&,"Start-Verzeichniss", 280,0
SHOWLISTVIEW(LISTVIEW&,0,0,790,570)
INITMESSAGES(%HWND)
AUTOSORTLISTVIEW LISTVIEW&,2,2,1,1
EXTERNAL(XPIA$,"TheDatas")
EXTERNAL(XPIA$,"GetProcess",LISTVIEW&)

WHILE 1

    WAITINPUT

    IF %KEY=2

        BREAK

    ENDIF

ENDWHILE

DISPOSE CLV1#
DISPOSE CLV2#
DISPOSE CLVALL#
DISPOSE LVITEM#
END

Hier der originale Code:
Kompilieren Markieren Separieren

 {$cleq}
Declare text$,number&,snapshot&,lvdll&,listview&,x&,y&
 $I Listview_Funktionen.inc
Def GetSysColor(1) !"USER32","GetSysColor"
lvdll&=usedll("Listview.dll")
WindowStyle 26+512
Window 0,0-800,600
Cls GetSysColor(15)
UseFont "MS Sans Serif",13,0,0,0,0
SetDialogFont 1
x&=MixRGBs(GetSysColor(15),$00FFFFFF)
x&=MixRGBs(x&,$00FFFFFF)
listview&=CreateListView(%hwnd,%hinstance,0,x&,-1,$20)
InsertColumn listview&,"Prozess-ID",80,0    Spalten bilden
InsertColumn listview&,"Anzahl Threads",100,0
InsertColumn listview&,"Prozess Datei", 140,0
InsertColumn listview&,"Start-Verzeichniss", 280,0
ShowListView(listview&,0,0,790,570)
InitMessages(%hwnd)
AutoSortListview listview&,2,2,1,1

AsmStart TheDatas()

    .data
    ;---------------------------------------------------------------------------]
    x               DD      0
    snap            DD      0
    leer            DD      0
    lines           DD      0
    aprocess        DD      0
    .data?
    WinProcess      PROCESSENTRY32  <>
    Datafind        WIN32_FIND_DATA <>
    hSnapshot       DD              ?
    Buffer          DB              255 DUP(?)
    Process         DB              255 DUP(?)
    DName           DB              1024 DUP(?)
    nurso           DB              1024 DUP(?)
    nurso2          DB              1024 DUP(?)
    .code
    nop

AsmEnd

AsmStart GetProcess(listview&)

    invoke  CreateToolhelp32Snapshot, TH32CS_SNAPALL , 0
    mov     snap, eax
    mov     [WinProcess.dwSize], sizeof PROCESSENTRY32
    invoke  Process32First, eax, offset WinProcess
    jmp     _GetRunningApps
    _Loop:
    invoke OpenProcess,PROCESS_QUERY_INFORMATION+PROCESS_VM_READ,0,[WinProcess.th32ProcessID]
    mov    aprocess,eax
    invoke GetModuleFileNameEx, eax, 0, addr DName, 1024

    .if eax==0

        mov DName,0

    .else

        invoke lstrlen,addr DName
        mov x,eax
        invoke lstrlen,offset WinProcess.szExeFile
        sub x,eax
        dec x
        lea edx,DName
        add edx,x
        xor al,al
        mov [edx],al

    .endif

    invoke CloseHandle, aprocess
    Scall SItem,para1,offset leer,0
    invoke dwtoa,WinProcess.th32ProcessID,addr nurso
    Scall GetLines,para1
    dec eax
    mov lines,eax
    lea edx,nurso
    Scall SetItemText,para1,edx,0,lines
    invoke dwtoa,WinProcess.cntThreads,addr nurso
    lea edx,nurso
    Scall SetItemText,para1,edx,1,lines
    invoke dwtoa,WinProcess.cntThreads,addr nurso
    Scall SetItemText,para1,offset WinProcess.szExeFile,2,lines
    lea edx,DName
    Scall SetItemText,para1,edx,3,lines
    invoke  Process32Next, snap, offset WinProcess
    _GetRunningApps:
    test    eax, eax
    jnz     _Loop
    invoke  CloseHandle, snap
    xor     eax, eax

AsmEnd

While 1

    WaitInput
    Case %key=2:BREAK

EndWhile

 $I Listview_Dispose.inc
End

Listview.dll

83 kB

Hochgeladen:

10.10.2006

Ladeanzahl:

Herunterladen

ss.jpg

82 kB

Hochgeladen:

10.10.2006

Ladeanzahl:

Herunterladen

[quote:294ed74e8a=Sebastian König]Ich schreibe einfach nochmal den aktuellen Stand meiner Bemühungen: Ich suche im Moment in dem Array Reserved3[59] nach Werten, die mich weiter bringen.[/quote:294ed74e8a]
Du bist an der falschen Stelle. Was im PEB steht, verrät Microsoft selbst nicht. Suche nach anderen Quellen, dann wirds einfacher...

@Frank: Ein unbekanntes Terrain ist nur solange unbekannt, bis man die richtige Dokumentation dazu gefunden hat - und die habe ich. Wenn nahe genug an der Lösung gekratzt wird, werde ich allen, die sich hier beteiligt haben (und daran Interesse haben), diese Infos zukommen lassen.

Noch ein Hinweis:
Die Lösung liegt innerhalb der ersten 15 Members des PEB.

Sebastian
König

[quote:f7ea51f57e]1. Nochmals 100 Punkte für PEB!

2. Du bist an der falschen Stelle. Was im PEB steht, verrät Microsoft selbst nicht. Suche nach anderen Quellen, dann wirds einfacher...[/quote:f7ea51f57e]
Beide Aussagen zusammen verwirren mich jetzt ein wenig...

So sieht PEB lauf Platform-SDK aus:

typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[229];
PVOID Reserved3[59];
ULONG SessionId;
} PEB, *PPEB;

Die einzigen nicht-reserved Elemente sind also BeingDebugged und SessionId. Ersteres hilft nicht weiter (denke ich) und SessionId war bei allen Prozessen, mit denen ich es probiert habe, immer 0. Abgesehen davon bräuchte man zum Ermitteln der SessionId auch nich unbedingt ZwQueryInformationProcess, da es ja ProcessIdToSessionId gibt...

Windows XP, XProfan/Profan² 4.5 bis 11
Profan2Cpp-Homepage: [...]

Alte Profan²-Seite: [...]

Wie gesagt, MS verrät da nicht alles. Der PEB hat über 50 Members.

Sebastian
König

[quote:29b2851165]Wie gesagt, MS verrät da nicht alles. Der PEB hat über 50 Members. [/quote:29b2851165]Meinst Du damit jetzt die ganzen Elemente in dem dem Reserved3-Array oder noch weitere nach SessionId?

Ich dachte eigentlich, man könnte das ganze jetzt lösen, ohne Google zu bemühen...

Windows XP, XProfan/Profan² 4.5 bis 11
Profan2Cpp-Homepage: [...]

Alte Profan²-Seite: [...]

Hast Recht, in meiner Version sind die Arrays aufgeschlüsselt. Das was du suchst, dürfte also innerhalb des Arrays Reserved2 liegen. Ohne eine bessere Dokumentation kommst du da nicht weiter - und die kommt nicht von Microsoft.

Suche mal im Internet nach PEB ReadImageFileExecOptions.