*** Great work on the SDK ToniPB ***
Structures from: https://github.com/ToniPB/PureBasic_Win ... /ntdll.pbi
The following script works on 32-bit processes but not (yet) on 64-bit ones; maybe someone here already has a fix?
I believe it has to do with the PROCESS_BASIC_INFORMATION structure, and possibly the offsets:
Debugging the GetPBI(hProcess) procedure, you can see that pbi\PebBaseAddress is 0 for 64-bit processes.
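; kernel32!IsWow64Process(hProcess, *Wow64Process) -> BOOL. It is resolved at
; runtime with GetFunction() (see GetProcessList) because very old kernel32
; builds do not export it. The second argument is the address of a BOOL the
; API writes into, so the parameter must be pointer-sized: the original
; byte-typed parameter (Wow64Process.b) appears to truncate the address that
; the call site passes as @Wow64Process.
Prototype.l protoIsWow64Process(hProcess.i, *Wow64Process)
Global IsWow64Process.protoIsWow64Process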
; Windows UNICODE_STRING. Length and MaximumLength are byte counts (not
; character counts) and are unsigned 16-bit values in Windows; PureBasic's .w
; is a signed word, so mask with & $FFFF before using either as a size
; (values >= 32768 otherwise read as negative). Buffer is a pointer, hence .i.
Structure UNICODE_STRING
Length.w ; bytes used by the string (no terminator)
MaximumLength.w ; bytes available in Buffer
Buffer.i ; address of the UTF-16 text (remote address when read from another process)
EndStructure
; Per-drive current directory entry; only used here as the element type of
; RTL_USER_PROCESS_PARAMETERS\DLCurrentDirectory, so its size must stay exact.
Structure RTL_DRIVE_LETTER_CURDIR
Flags.w
Length.w
TimeStamp.l
DosPath.UNICODE_STRING
EndStructure
; Process parameter block pointed to by PEB\ProcessParameters. This file only
; consumes \CommandLine (GetCMD); every field before it exists to keep that
; offset correct for the bitness this file is compiled for (.i fields are
; 4 bytes in a 32-bit build, 8 in a 64-bit one). NOTE(review): the layout
; assumes PureBasic's default field alignment matches the C struct -- confirm
; with OffsetOf(RTL_USER_PROCESS_PARAMETERS\CommandLine) when changing it.
Structure RTL_USER_PROCESS_PARAMETERS
MaximumLength.l
Length.l
Flags.l
DebugFlags.l
ConsoleHandle.i
ConsoleFlags.i
StdInputHandle.i
StdOutputHandle.i
StdErrorHandle.i
CurrentDirectoryPath.UNICODE_STRING
CurrentDirectoryHandle.i
DllPath.UNICODE_STRING
ImagePathName.UNICODE_STRING
CommandLine.UNICODE_STRING ; the field GetCMD() reads; its Buffer is a remote address
Environment.i
StartingPositionLeft.l
StartingPositionTop.l
Width.l
Height.l
CharWidth.l
CharHeight.l
ConsoleTextAttributes.l
WindowFlags.l
ShowWindowFlags.l
WindowTitle.UNICODE_STRING
DesktopName.UNICODE_STRING
ShellInfo.UNICODE_STRING
RuntimeData.UNICODE_STRING
DLCurrentDirectory.RTL_DRIVE_LETTER_CURDIR[$20] ; fixed array of $20 (32) entries; makes SizeOf(rtl) fairly large
EndStructure
; Process Environment Block as laid out for the bitness this file is compiled
; for. This looks like an early (NT4/2000-era) PEB layout; the only field this
; file uses is \ProcessParameters (GetPEB), so the later fields merely need to
; keep SizeOf(PEB) within readable memory. TODO(review): confirm the fields
; after ProcessParameters against a current PEB before relying on any of them.
; PEB_LDR_DATA, PEBLOCKROUTINE and PEB_FREE_BLOCK are not defined in this
; listing; presumably they come from the ntdll.pbi referenced above.
Structure PEB
InheritedAddressSpace.b
ReadImageFileExecOptions.b
BeingDebugged.b
Spare.b
Mutant.i
ImageBaseAddress.i
*LoaderData.PEB_LDR_DATA
*ProcessParameters.RTL_USER_PROCESS_PARAMETERS ; remote address returned by GetPEB() and passed to GetCMD()
SubSystemData.i
ProcessHeap.i
FastPebLock.i
*FastPebLockRoutine.PEBLOCKROUTINE
*FastPebUnlockRoutine.PEBLOCKROUTINE
EnvironmentUpdateCount.l
KernelCallbackTable.i
EventLogSection.i
EventLog.i
*FreeList.PEB_FREE_BLOCK
TlsExpansionCounter.l
TlsBitmap.i
TlsBitmapBits.l[$2]
ReadOnlySharedMemoryBase.i
ReadOnlySharedMemoryHeap.i
ReadOnlyStaticServerData.i
AnsiCodePageData.i
OemCodePageData.i
UnicodeCaseTableData.i
NumberOfProcessors.l
NtGlobalFlag.l
Spare2.b[$4]
CriticalSectionTimeout.LARGE_INTEGER
HeapSegmentReserve.l
HeapSegmentCommit.l
HeapDeCommitTotalFreeThreshold.l
HeapDeCommitFreeBlockThreshold.l
NumberOfHeaps.l
MaximumNumberOfHeaps.l
ProcessHeaps.i
GdiSharedHandleTable.i
ProcessStarterHelper.i
GdiDCAttributeList.i
LoaderLock.i
OSMajorVersion.l
OSMinorVersion.l
OSBuildNumber.l
OSPlatformId.l
ImageSubsystem.l
ImageSubSystemMajorVersion.l
ImageSubSystemMinorVersion.l
GdiHandleBuffer.l[$22]
PostProcessInitRoutine.l
TlsExpansionBitmap.l
TlsExpansionBitmapBits.b[$80]
SessionId.l
EndStructure
; Output buffer for NtQueryInformationProcess_(ProcessBasicInformation), see
; GetPBI(). Every field is pointer-sized (.i), so the structure matches the
; native layout of the bitness this file is compiled for only. From a 32-bit
; build on 64-bit Windows the query on a native 64-bit target cannot report
; that target's 64-bit PEB address in this 32-bit structure, which is
; consistent with the 0 the post describes for PebBaseAddress.
Structure PROCESS_BASIC_INFORMATION
ExitStatus.i
*PebBaseAddress.PEB ; remote address; 0 when unavailable
AffinityMask.i
BasePriority.i
UniqueProcessId.i
InheritedFromUniqueProcessId.i
EndStructure
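Procedure ShowError()
  ; Prints the calling thread's last Win32 error (code plus the system message
  ; text) to the debug output. Does nothing when GetLastError_() is 0.
  Protected dwMessageId = GetLastError_()
  Protected *lpBuffer
  Protected nChars
  If dwMessageId
    *lpBuffer = AllocateMemory(1024)
    If *lpBuffer
      ; FormatMessage_() takes the buffer size in characters, not bytes: passing
      ; MemorySize() directly lets a Unicode build write past the buffer.
      nChars = MemorySize(*lpBuffer) / SizeOf(Character)
      FormatMessage_(#FORMAT_MESSAGE_FROM_SYSTEM | #FORMAT_MESSAGE_IGNORE_INSERTS, #Null, dwMessageId, #Null, *lpBuffer, nChars, #Null)
      ; AllocateMemory() returns cleared memory, so an unknown error code
      ; simply prints an empty message instead of garbage.
      Debug "-- Error: " + Str(dwMessageId) + " - " + PeekS(*lpBuffer)
      FreeMemory(*lpBuffer)
    EndIf
  EndIf
EndProcedure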
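Procedure.b AdjustProcessPrivilege()
  ; Enables SeDebugPrivilege on the current process token so OpenProcess_() can
  ; reach processes owned by other accounts. Returns #True only when the
  ; privilege was actually enabled; #False when the token cannot be opened,
  ; the account does not hold the privilege (e.g. non-elevated user), or the
  ; adjustment failed.
  Protected Result.b = #False
  Protected TokenHandle
  Protected lpLuid.LUID
  Protected NewState.TOKEN_PRIVILEGES
  Protected PreviousState.TOKEN_PRIVILEGES
  Protected ReturnLength.l
  If OpenProcessToken_(GetCurrentProcess_(), #TOKEN_ADJUST_PRIVILEGES | #TOKEN_QUERY, @TokenHandle)
    If LookupPrivilegeValue_(#Null, #SE_DEBUG_NAME, @lpLuid)
      NewState\PrivilegeCount = 1
      NewState\Privileges[0]\Luid\LowPart = lpLuid\LowPart
      NewState\Privileges[0]\Luid\HighPart = lpLuid\HighPart
      NewState\Privileges[0]\Attributes = #SE_PRIVILEGE_ENABLED
      ; AdjustTokenPrivileges_() returns success even when it could not enable
      ; every requested privilege (it then sets ERROR_NOT_ALL_ASSIGNED), so the
      ; return value alone does not prove the privilege is on.
      If AdjustTokenPrivileges_(TokenHandle, #False, @NewState, SizeOf(TOKEN_PRIVILEGES), @PreviousState, @ReturnLength)
        If GetLastError_() = 0
          Result = #True
        EndIf
      EndIf
    EndIf
    CloseHandle_(TokenHandle)
  EndIf
  ProcedureReturn Result
EndProcedure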
Procedure GetPBI(hProcess)
  ; Returns the remote PEB base address of hProcess, or 0 when the query fails
  ; or reports no PEB. NtQueryInformationProcess_() returns an NTSTATUS, so
  ; 0 means success. The address is for a PEB of the same bitness as this
  ; build; the post observes 0 here for 64-bit targets from a 32-bit build.
  ; Constants are file-wide in PureBasic; it is declared here only to sit
  ; next to its single use.
  #ProcessBasicInformation = 0
  Protected pbi.PROCESS_BASIC_INFORMATION
  Protected ReturnLength.l
  Protected status = NtQueryInformationProcess_(hProcess, #ProcessBasicInformation, @pbi, SizeOf(pbi), @ReturnLength)
  If status = 0
    ProcedureReturn pbi\PebBaseAddress
  EndIf
  ProcedureReturn #Null
EndProcedure
Procedure GetPEB(hProcess, PebBaseAddress, OffSet)
  ; Copies the remote PEB located at PebBaseAddress + OffSet into a local PEB
  ; and returns the remote address of its RTL_USER_PROCESS_PARAMETERS block.
  ; Returns 0 when the read fails or the pointer is null; GetLastError_() then
  ; describes the failed ReadProcessMemory_() call. OffSet is 0 at every call
  ; site in this file.
  Protected peb.PEB
  Protected readOk = ReadProcessMemory_(hProcess, PebBaseAddress + OffSet, @peb, SizeOf(PEB), #Null)
  If readOk = 0
    ProcedureReturn #Null
  EndIf
  ProcedureReturn peb\ProcessParameters
EndProcedure
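Procedure.s GetCMD(hProcess, ProcessParameters, OffSet)
  ; Reads the target's RTL_USER_PROCESS_PARAMETERS block and returns its
  ; CommandLine as a string. Returns "" on any failure; GetLastError_() then
  ; describes the call that failed (ShowError() relies on that).
  ;   hProcess          - handle opened with at least PROCESS_VM_READ
  ;   ProcessParameters - remote address of the block (as returned by GetPEB())
  ;   OffSet            - extra byte offset added to ProcessParameters (0 in this file)
  Protected Result.s = ""
  Protected rtl.RTL_USER_PROCESS_PARAMETERS
  Protected *CmdLine
  Protected bufBytes, strChars, headBytes
  ; Only the fields up to and including CommandLine are needed. Reading just
  ; that prefix avoids failing the whole call when the tail of the block (the
  ; 32-entry DLCurrentDirectory array) is not readable.
  headBytes = OffsetOf(RTL_USER_PROCESS_PARAMETERS\Environment)
  If ReadProcessMemory_(hProcess, ProcessParameters + OffSet, @rtl, headBytes, #Null)
    If rtl\CommandLine\Buffer
      ; UNICODE_STRING lengths are unsigned 16-bit byte counts, but the .w
      ; fields are signed: mask them so values >= 32768 do not go negative
      ; (a negative size would make AllocateMemory() fail).
      bufBytes = rtl\CommandLine\MaximumLength & $FFFF
      strChars = (rtl\CommandLine\Length & $FFFF) / 2
      If bufBytes > 0
        ; Two extra bytes guarantee a zero terminator even when the remote
        ; buffer is completely filled (AllocateMemory() returns cleared memory).
        *CmdLine = AllocateMemory(bufBytes + 2)
        If *CmdLine
          If ReadProcessMemory_(hProcess, rtl\CommandLine\Buffer, *CmdLine, bufBytes, #Null)
            ; PeekS() wants a character count; Length is in bytes, so halve it
            ; (the original passed MaximumLength, a byte count, as characters).
            Result = PeekS(*CmdLine, strChars, #PB_Unicode)
          EndIf
          FreeMemory(*CmdLine)
        EndIf
      EndIf
    EndIf
  EndIf
  ProcedureReturn Result
EndProcedure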
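Procedure GetProcessList()
  ; Walks a Toolhelp snapshot of all processes and prints each one's command
  ; line to the debug output, or the Win32 error that stopped the lookup.
  ;
  ; Limitation: this code only reads a PEB of the same bitness as the build.
  ; When a 32-bit build runs on a 64-bit OS (we are WOW64 ourselves), a target
  ; that is NOT WOW64 is a native 64-bit process; NtQueryInformationProcess_()
  ; cannot hand back its 64-bit PEB address through the 32-bit
  ; PROCESS_BASIC_INFORMATION (GetPBI returns 0), so such targets are reported
  ; and skipped instead of producing a misleading ReadProcessMemory error.
  ; Reading them would presumably need the NtWow64* variants of the query/read
  ; calls together with 64-bit versions of the structures -- not done here.
  Protected hSnapshot, hProcess, kernel32
  Protected dwProcessId, OffSet = 0
  Protected Wow64Process = #False, selfWow64 = #False
  Protected PebBaseAddress, ProcessParameters
  Protected CommandLine.s
  Protected ProcEntry.PROCESSENTRY32

  ; Enabling SeDebugPrivilege is a per-process setting; once is enough
  ; (the original re-ran it for every snapshot entry).
  AdjustProcessPrivilege()

  ; IsWow64Process is resolved dynamically because very old kernel32 builds
  ; do not export it; the library is opened once instead of per entry.
  kernel32 = OpenLibrary(#PB_Any, "kernel32.dll")
  If IsLibrary(kernel32)
    IsWow64Process = GetFunction(kernel32, "IsWow64Process")
  EndIf
  If IsWow64Process
    ; Are we ourselves a 32-bit process on a 64-bit OS?
    IsWow64Process(GetCurrentProcess_(), @selfWow64)
  EndIf

  hSnapshot = CreateToolhelp32Snapshot_(#TH32CS_SNAPPROCESS, #Null)
  If hSnapshot
    ProcEntry\dwSize = SizeOf(PROCESSENTRY32)
    If Process32First_(hSnapshot, @ProcEntry)
      ; Repeat/Until also visits the entry returned by Process32First_(),
      ; which the original First-then-While pattern silently skipped.
      Repeat
        dwProcessId = ProcEntry\th32ProcessID
        hProcess = OpenProcess_(#PROCESS_QUERY_INFORMATION | #PROCESS_VM_READ, #False, dwProcessId)
        If hProcess
          Wow64Process = #False
          If IsWow64Process
            IsWow64Process(hProcess, @Wow64Process)
          EndIf
          If SizeOf(Integer) = 4 And selfWow64 And Not Wow64Process
            Debug "-- PID " + Str(dwProcessId) + ": native 64-bit process, its PEB cannot be read from a 32-bit build"
          Else
            ; OffSet stays 0: the structures above already describe the layout
            ; for the bitness we are compiled for.
            PebBaseAddress = GetPBI(hProcess)
            ProcessParameters = GetPEB(hProcess, PebBaseAddress, OffSet)
            CommandLine = GetCMD(hProcess, ProcessParameters, OffSet)
            If CommandLine
              Debug CommandLine
            Else
              ShowError()
            EndIf
          EndIf
          CloseHandle_(hProcess)
        EndIf
      Until Process32Next_(hSnapshot, @ProcEntry) = 0
    EndIf
    CloseHandle_(hSnapshot)
  EndIf

  If IsLibrary(kernel32)
    CloseLibrary(kernel32)
  EndIf
EndProcedure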
; Entry point: enumerate all processes and print each command line to the debug output.
GetProcessList()