The Code which isn't working onyl windows xp

08/06/2014 19:35 oguzhane#1
Hi to all !

I have made a code which can enumerate module names associated threads.
But there is a problem in windows xp. When i enumarate modules dll names return NULL.

IN WINDOWS XP LIKE THAT :
Code:
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls : 
Karacabay-Scan : Dlls :
IN WINDOWS 8 , WINDOWS 7 , WIN 8.1
Code:
Karacabay-Scan : Dlls : D:\TEMIZ METIN2 - HS CALISMA\giris.exe
Karacabay-Scan : Dlls : D:\TEMIZ METIN2 - HS CALISMA\giris.exe
Karacabay-Scan : Dlls : C:\Windows\SYSTEM32\ntdll.dll
Karacabay-Scan : Dlls : C:\Windows\SYSTEM32\ntdll.dll
Karacabay-Scan : Dlls : C:\Windows\SYSTEM32\ntdll.dll
Karacabay-Scan : Dlls : C:\Windows\SYSTEM32\ntdll.dll
Karacabay-Scan : Dlls : C:\Windows\SYSTEM32\ntdll.dll
Karacabay-Scan : Dlls : C:\Windows\SYSTEM32\ntdll.dll
Karacabay-Scan : Dlls : C:\Windows\system32\mswsock.dll
And here is my source :
Code:
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define ThreadQuerySetWin32StartAddress 9
typedef NTSTATUS (WINAPI *NTQUERYINFOMATIONTHREAD)(HANDLE, LONG, PVOID, ULONG, PULONG);

BOOL MatchAddressToModule(__in DWORD dwProcId, __out_bcount(MAX_PATH) LPTSTR lpstrModule, __in DWORD dwThreadStartAddr, __out_opt PDWORD pModuleStartAddr) // by Echo
{
    BOOL bRet = FALSE;
	HANDLE hSnapshot;
	MODULEENTRY32 moduleEntry32;

	hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPALL, dwProcId);

	moduleEntry32.dwSize = sizeof(MODULEENTRY32);
	moduleEntry32.th32ModuleID = 1;

	if(Module32First(hSnapshot, &moduleEntry32)){
	    if(dwThreadStartAddr >= (DWORD)moduleEntry32.modBaseAddr && dwThreadStartAddr <= ((DWORD)moduleEntry32.modBaseAddr + moduleEntry32.modBaseSize)){
           
			 wcscpy(lpstrModule, moduleEntry32.szExePath);
    //convert from wide char to narrow char array
   
			
	    }else{
            while(Module32Next(hSnapshot, &moduleEntry32)){
                if(dwThreadStartAddr >= (DWORD)moduleEntry32.modBaseAddr && dwThreadStartAddr <= ((DWORD)moduleEntry32.modBaseAddr + moduleEntry32.modBaseSize)){
                   wcscpy(lpstrModule, moduleEntry32.szExePath);
					

                    break;
                }
            }
	    }
    }

    if(pModuleStartAddr) *pModuleStartAddr = (DWORD)moduleEntry32.modBaseAddr;
	CloseHandle(hSnapshot);

	return bRet;
}

DWORD WINAPI GetThreadStartAddress(__in HANDLE hThread) // by Echo
{
    NTSTATUS ntStatus;
    DWORD dwThreadStartAddr = 0;
    HANDLE hPeusdoCurrentProcess, hNewThreadHandle;
    NTQUERYINFOMATIONTHREAD NtQueryInformationThread;

    if((NtQueryInformationThread = (NTQUERYINFOMATIONTHREAD)GetProcAddress(GetModuleHandle(_T("ntdll.dll")), ("NtQueryInformationThread")))){
        hPeusdoCurrentProcess = GetCurrentProcess();
        if(DuplicateHandle(hPeusdoCurrentProcess, hThread, hPeusdoCurrentProcess, &hNewThreadHandle, THREAD_QUERY_INFORMATION, FALSE, 0)){
            ntStatus = NtQueryInformationThread(hNewThreadHandle, ThreadQuerySetWin32StartAddress, &dwThreadStartAddr, sizeof(DWORD), NULL);
            CloseHandle(hNewThreadHandle);
            if(ntStatus != STATUS_SUCCESS){
				return 0;
			}
        }

    }

    return dwThreadStartAddr;
}

int threadmodules()
{
 HANDLE hSnapshot, hThread;
    THREADENTRY32 threadEntry32;
    DWORD dwModuleBaseAddr, dwThreadStartAddr;
    TCHAR lpstrModuleName[MAX_PATH] = {0};
	CHAR moduleget[MAX_PATH] = {0};
    if((hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, GetCurrentProcessId())) == INVALID_HANDLE_VALUE) return 0;

    threadEntry32.dwSize = sizeof(THREADENTRY32);
    threadEntry32.cntUsage = 0;

    if(Thread32First(hSnapshot, &threadEntry32)){
        if(threadEntry32.th32OwnerProcessID == GetCurrentProcessId()){
			hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, threadEntry32.th32ThreadID);
			dwThreadStartAddr = GetThreadStartAddress(hThread);
			MatchAddressToModule(GetCurrentProcessId(), lpstrModuleName, dwThreadStartAddr, &dwModuleBaseAddr);
				std::wstring aaa  (lpstrModuleName);
				std::string mystr (aaa.begin() , aaa.end());

				fstream textfile;
					textfile.open ("mgm.log", ios::out | ios::app);
					textfile<< "Karacabay-Scan : " <<"Dlls : "<< mystr.c_str()<< endl;

				CloseHandle(hThread);
		}
		while(Thread32Next(hSnapshot, &threadEntry32)){
			if(threadEntry32.th32OwnerProcessID == GetCurrentProcessId()){
				hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, threadEntry32.th32ThreadID);
				dwThreadStartAddr = GetThreadStartAddress(hThread);
				MatchAddressToModule(GetCurrentProcessId(), lpstrModuleName, dwThreadStartAddr, &dwModuleBaseAddr);
				std::wstring aaa  (lpstrModuleName);
				std::string mystr (aaa.begin() , aaa.end());

				fstream textfile;
					textfile.open ("mgm.log", ios::out | ios::app);
					textfile<< "Karacabay-Scan : " <<"Dlls : "<< mystr.c_str()<< endl;

				CloseHandle(hThread);
			}
        }
    }

	CloseHandle(hSnapshot);
	return 0;
}
08/06/2014 19:51 th0rex#2
That's not your code. [Only registered and activated users can see links. Click Here To Register...]. Learn the language and make your own version and then maybe ask a real question not something like "Why does it not work please fix so i can c&p some more". You just made it write to a file instead of the console.
08/06/2014 19:57 oguzhane#3
Quote:
Originally Posted by omitma View Post
That's not your code. [Only registered and activated users can see links. Click Here To Register...]. Learn the language and make your own version and then maybe ask a real question not something like "Why does it not work please fix so i can c&p some more". You just made it write to a file instead of the console.
if you don't want to help just fuck off :) i want help only not discussions about my subject.