I have written code that enumerates the module names associated with threads.
But there is a problem on Windows XP: when I enumerate the modules, the DLL names return NULL.
On Windows XP it looks like this:
Code:
Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls : Karacabay-Scan : Dlls :
Code:
Karacabay-Scan : Dlls : D:\TEMIZ METIN2 - HS CALISMA\giris.exe Karacabay-Scan : Dlls : D:\TEMIZ METIN2 - HS CALISMA\giris.exe Karacabay-Scan : Dlls : C:\Windows\SYSTEM32\ntdll.dll Karacabay-Scan : Dlls : C:\Windows\SYSTEM32\ntdll.dll Karacabay-Scan : Dlls : C:\Windows\SYSTEM32\ntdll.dll Karacabay-Scan : Dlls : C:\Windows\SYSTEM32\ntdll.dll Karacabay-Scan : Dlls : C:\Windows\SYSTEM32\ntdll.dll Karacabay-Scan : Dlls : C:\Windows\SYSTEM32\ntdll.dll Karacabay-Scan : Dlls : C:\Windows\system32\mswsock.dll
Code:
// NTSTATUS value that NtQueryInformationThread returns on success.
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
// THREADINFOCLASS value for the thread's Win32 start address. This is an
// undocumented ntdll information class; the query expects a pointer-sized
// (PVOID) buffer, so a DWORD buffer only matches the length in a 32-bit build.
#define ThreadQuerySetWin32StartAddress 9
// Signature of ntdll!NtQueryInformationThread, resolved at run time with
// GetProcAddress (see GetThreadStartAddress) rather than linked statically.
typedef NTSTATUS (WINAPI *NTQUERYINFOMATIONTHREAD)(HANDLE, LONG, PVOID, ULONG, PULONG);
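// Finds the module of process dwProcId whose image range
// [modBaseAddr, modBaseAddr + modBaseSize) contains dwThreadStartAddr.
//
// lpstrModule       receives the module's full path (MAX_PATH TCHARs) when a
//                   module matches, and is set to an empty string otherwise,
//                   so a caller that reuses the buffer never sees a stale name
//                   from an earlier call.
// pModuleStartAddr  optional; receives the matching module's base address and
//                   is left untouched when nothing matches.
// Returns TRUE when a module was matched, FALSE otherwise (including when the
// module snapshot could not be taken). The original always returned FALSE.
//
// Addresses are DWORD here, so this only covers a 32-bit address space.
// The buffer annotation is an element count (TCHARs), not a byte count.
BOOL MatchAddressToModule(__in DWORD dwProcId, __out_ecount(MAX_PATH) LPTSTR lpstrModule, __in DWORD dwThreadStartAddr, __out_opt PDWORD pModuleStartAddr) // by Echo
{
    BOOL bRet = FALSE;
    lpstrModule[0] = 0;

    // TH32CS_SNAPMODULE is all module enumeration needs; TH32CS_SNAPALL also
    // walked the process heaps, which is slower and can fail on its own.
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcId);
    if (hSnapshot == INVALID_HANDLE_VALUE) return FALSE;

    MODULEENTRY32 moduleEntry32;
    moduleEntry32.dwSize = sizeof(MODULEENTRY32);
    if (Module32First(hSnapshot, &moduleEntry32)) {
        do {
            const DWORD dwBase = (DWORD)moduleEntry32.modBaseAddr;
            // Half-open range check written as a subtraction so that a module
            // near the top of the address space cannot overflow base + size;
            // an address equal to base + size is one past the image, not inside it.
            if (dwThreadStartAddr >= dwBase && dwThreadStartAddr - dwBase < moduleEntry32.modBaseSize) {
                // szExePath is itself MAX_PATH TCHARs, so the copy is bounded.
                _tcscpy(lpstrModule, moduleEntry32.szExePath);
                if (pModuleStartAddr) *pModuleStartAddr = dwBase;
                bRet = TRUE;
                break;
            }
        } while (Module32Next(hSnapshot, &moduleEntry32));
    }

    CloseHandle(hSnapshot);
    return bRet;
}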
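// Returns the Win32 start address of hThread, or 0 when it cannot be determined
// (ntdll not mapped, export not found, handle duplication refused, query failed).
//
// hThread needs at least THREAD_QUERY_INFORMATION; the handle is duplicated with
// exactly that right so the query never depends on a broader access mask.
// The result is truncated to DWORD, so it is only meaningful in a 32-bit build.
DWORD WINAPI GetThreadStartAddress(__in HANDLE hThread) // by Echo
{
    HMODULE hNtdll = GetModuleHandle(_T("ntdll.dll"));
    if (!hNtdll) return 0;  // the original passed a NULL module straight to GetProcAddress

    NTQUERYINFOMATIONTHREAD NtQueryInformationThread =
        (NTQUERYINFOMATIONTHREAD)GetProcAddress(hNtdll, "NtQueryInformationThread");
    if (!NtQueryInformationThread) return 0;

    HANDLE hProcess = GetCurrentProcess();
    HANDLE hQueryThread = NULL;
    if (!DuplicateHandle(hProcess, hThread, hProcess, &hQueryThread, THREAD_QUERY_INFORMATION, FALSE, 0)) return 0;

    // The information class yields a pointer-sized value; sizing the buffer as
    // PVOID (instead of DWORD) keeps the length right in both 32- and 64-bit builds.
    PVOID pStartAddr = NULL;
    NTSTATUS ntStatus = NtQueryInformationThread(hQueryThread, ThreadQuerySetWin32StartAddress, &pStartAddr, sizeof(pStartAddr), NULL);
    CloseHandle(hQueryThread);
    if (ntStatus != STATUS_SUCCESS) return 0;

    return (DWORD)(ULONG_PTR)pStartAddr;
}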
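// Appends one line per thread of the current process to "mgm.log", naming the
// module that owns the thread's start address:
//     Karacabay-Scan : Dlls : <module path>
// A thread whose start address cannot be resolved logs an empty path.
// Always returns 0 (the original contract), including when the thread snapshot fails.
int threadmodules()
{
    const DWORD dwPid = GetCurrentProcessId();
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, dwPid);
    if (hSnapshot == INVALID_HANDLE_VALUE) return 0;

    // Open the log once for the whole scan instead of once per thread.
    std::ofstream textfile("mgm.log", std::ios::out | std::ios::app);

    THREADENTRY32 threadEntry32;
    threadEntry32.dwSize = sizeof(THREADENTRY32);
    if (Thread32First(hSnapshot, &threadEntry32)) {
        do {
            // The thread snapshot is system-wide; keep only this process's threads.
            if (threadEntry32.th32OwnerProcessID != dwPid) continue;

            // THREAD_QUERY_INFORMATION is all GetThreadStartAddress needs (it
            // duplicates the handle with exactly that right). THREAD_ALL_ACCESS as
            // defined by newer SDKs carries access bits that older Windows versions
            // reject, which makes OpenThread fail there; the original never checked
            // its return value, so every name would come back empty — plausibly what
            // the XP log shows. Confirm with GetLastError() on the failing system.
            HANDLE hThread = OpenThread(THREAD_QUERY_INFORMATION, FALSE, threadEntry32.th32ThreadID);
            DWORD dwThreadStartAddr = 0;
            if (hThread) {
                dwThreadStartAddr = GetThreadStartAddress(hThread);
                CloseHandle(hThread);
            }

            // Fresh buffer per thread so a miss never reports the previous thread's module.
            TCHAR lpstrModuleName[MAX_PATH] = {0};
            MatchAddressToModule(dwPid, lpstrModuleName, dwThreadStartAddr, NULL);

            // Element-wise narrowing of the TCHAR path, as before: characters
            // outside the single-byte range are truncated in the log.
            std::wstring widePath(lpstrModuleName);
            std::string narrowPath(widePath.begin(), widePath.end());
            textfile << "Karacabay-Scan : " << "Dlls : " << narrowPath << std::endl;
        } while (Thread32Next(hSnapshot, &threadEntry32));
    }

    CloseHandle(hSnapshot);
    return 0;
}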






Learn the language and make your own version, and then maybe ask a real question — not something like "Why does it not work, please fix it so I can copy-and-paste some more". You just made it write to a file instead of the console.
