Re: Do we need a device driver to enumerate processes?
From: tani (no email)
Date: 12/15/04
Date: Wed, 15 Dec 2004 15:55:51 -0000
I am trying to figure out why someone actually used assembly
to do it. It was back in 1998 for NT4. Was there an issue back
then regarding enumerating processes? Here is an extract of
the source for NT4:
Psapi.cpp
----------
// psapi.dll EnumProcesses (NT4 build) as disassembled, pasted into a naked
// __stdcall function so the original instruction stream is reproduced verbatim.
// C contract as shown here: BOOL EnumProcesses(DWORD *ProcessesId, DWORD SizeofProcessesIds, DWORD *done)
//   eax = 1 on success, 0 on failure (last error set only on the NtQuery failure path).
// NOTE(review): 731B3448h and 731B2E38h below are absolute addresses inside the
// original psapi.dll image (this frame's SEH scope table and exception handler).
// They are only meaningful at that image's load address; rebuilt into another
// module they register a handler pointing at arbitrary memory.
DWORD __declspec(naked) __stdcall
EnumProcesses(DWORD* ProcessesId,
DWORD SizeofProcessesIds/*sizeof ProcessesId*/,
DWORD* done)
{
__asm{
; S u b r o u t i n e
;EnumProcesses proc , pProcessesId: DWORD,
; sizeofProcessesId :DWORD,
; pDone: DWORD
; --- frame-based SEH prologue (classic MSVC layout) ---
mov eax, fs:0 ; eax = current exception registration record
push ebp
mov ebp, esp
push 0FFFFFFFFh ; [ebp-4]   = trylevel (-1: not inside any __try)
push 731B3448h ; [ebp-8]   = scope table address (absolute, image-specific)
push 731B2E38h ; [ebp-0Ch] = handler address (absolute, image-specific)
push eax ; [ebp-10h] = link to the previous registration
mov fs:0, esp ; install this frame's SEH registration
sub esp, 14h ; locals; [ebp-1Ch] holds the NtQuery buffer pointer
push ebx
push esi
push edi
mov esi, 8000h ; esi = buffer size to request, starts at 32 KiB
xor edi, edi ; edi = 0 (reused as NULL and as LocalAlloc flags)
mov [ebp-18h], esp ; esp saved for the exception handler
loc_731B2B37: ; retry: allocate a buffer of esi bytes
push esi ; uBytes
push edi ; uFlags = 0
call dword ptr LocalAlloc ; indirect call through the import thunk
mov [ebp-1Ch], eax ; buffer = LocalAlloc(0, esi)
cmp eax, edi ; allocation returned NULL?
jz loc_731B2C12 ; yes: return 0 (no SetLastError here)
push edi ; ReturnLength = NULL
push esi ; SystemInformationLength = esi
push eax ; SystemInformation = buffer
push 5 ; SystemProcessInformation
call NtQuerySystemInformation ; eax = NTSTATUS
cmp eax, 0C0000004h ; STATUS_INFO_LENGTH_MISMATCH?
jnz short loc_731B2B6D ;
push dword ptr [ebp-1Ch]
call dword ptr LocalFree ; free the too-small buffer ...
add esi, 8000h ; ... grow the request by 32 KiB ...
jmp short loc_731B2B37 ; ... and retry
loc_731B2B6D: ;
test eax, eax ; NT_SUCCESS (status >= 0)?
jge short loc_731B2B84 ; yes: walk the returned list
push eax
call RtlNtStatusToDosError ; translate NTSTATUS -> Win32 error code
push eax
call dword ptr SetLastError ;
jmp loc_731B2C12 ; return 0; note the buffer is NOT freed on this path (leak)
loc_731B2B84: ;
xor esi, esi ; esi = byte offset of the current entry in the buffer
mov edx, [ebp+0Ch] ; edx = SizeofProcessesIds
shr edx, 2 ; edx = capacity of the caller's array in DWORDs
xor edi, edi ; edi = number of ids written so far
mov ecx, [ebp+8] ; ecx = ProcessesId (caller's output array)
loc_731B2B91: ; for each entry in the returned list
mov eax, [ebp-1Ch]
add eax, esi ; eax = &entry
cmp edi, edx ; unsigned: is the caller's array full?
jnb short loc_731B2BAF ; yes: keep walking but do not write or count
mov dword ptr [ebp-4], 0 ; __try (trylevel 0) guarding the write into the caller's array
mov ebx, [eax+44h] ; presumably entry->UniqueProcessId — TODO confirm against the NT4 structure layout
mov [ecx+edi*4], ebx ; ProcessesId[edi] = id
inc edi ;
mov dword ptr [ebp-4], 0FFFFFFFFh ; end __try
loc_731B2BAF: ;
mov eax, [eax] ; eax = first DWORD of the entry, used as the offset to the next entry
add esi, eax ; advance to the next entry
test eax, eax ; a zero offset terminates the list
jnz short loc_731B2B91 ;
mov esi, 1 ; esi = return value (TRUE)
mov [ebp-4], esi ; __try (trylevel 1) guarding the write to *done
lea ecx, ds:0[edi*4] ; ecx = bytes written = ids written * 4
mov eax, [ebp+10h]
mov [eax], ecx ; *done = bytes written
mov dword ptr [ebp-4], 0FFFFFFFFh ; end __try
push dword ptr [ebp-1Ch]
call dword ptr LocalFree ; release the NtQuery buffer
mov eax, esi ; return 1
jmp short loc_731B2C14 ;
loc_731B2C12: ;
; failure path
xor eax, eax ; return 0
loc_731B2C14:
mov ecx, [ebp-10h] ; previous registration record
pop edi
mov fs:0, ecx ; unlink this frame's SEH registration
pop esi
pop ebx
mov esp, ebp
pop ebp
retn 0Ch ; __stdcall: callee pops the three DWORD arguments
}
//;EnumProcesses endp
}