Re: Do we need a device driver to enumerate processes?

From: Don Burn (burn_at_stopspam.acm.org)
Date: 12/15/04


Date: Wed, 15 Dec 2004 11:19:43 -0500

Someone thought they were being clever. Rewrite it in C using the sample in the
link, and try not to hire the idiot again.

-- 
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
<tani >> wrote in message news:%23MrAe6r4EHA.1452@TK2MSFTNGP11.phx.gbl...
> I am trying to figure out why someone actually used assembly
> to do it. It was back in 1998 for NT4. Was there an issue back
> then with enumerating processes? Here is an extract of
> the source for NT4:
>
> Psapi.cpp
> ----------
>
> DWORD __declspec(naked) __stdcall
>    EnumProcesses(DWORD* ProcessesId,
>       DWORD SizeofProcessesIds/*sizeof ProcessesId*/,
>       DWORD* done)
> {
>  __asm{
> ; EnumProcesses -- fills the caller's DWORD array from a system process query.
> ;   [ebp+8]   ProcessesId         output array
> ;   [ebp+0Ch] SizeofProcessesIds  size of that array in bytes
> ;   [ebp+10h] done                receives the number of bytes written
> ; Returns eax = 1 on success, 0 on failure; stdcall, callee pops 0Ch bytes.
> ; The function is declared naked, so frame setup, register saves and the
> ; final 'retn 0Ch' are all supplied by this block.
> ; Locals: [ebp-4] = SEH state index (presumably the MSVC try level),
> ;   [ebp-10h] = previous fs:0 value, [ebp-18h] = saved esp,
> ;   [ebp-1Ch] = LocalAlloc'd query buffer.
> ; NOTE(review): the loc_731B.... labels and the two pushed 731B.... constants
> ; are absolute addresses, so this looks like a disassembly listing pasted
> ; into a naked function rather than hand-written code -- confirm.
>
>                 mov     eax,  fs:0 ; eax = current head of the fs:0 chain (x86 SEH registration list)
>   push ebp
>   mov ebp, esp ; conventional frame: args at [ebp+8..], locals below ebp
>   push 0FFFFFFFFh ; [ebp-4] = -1, i.e. "not inside a guarded region"
>   push 731B3448h ; [ebp-8]: fixed address, presumably the original module's scope table
>   push 731B2E38h ; [ebp-0Ch]: fixed address, presumably the original module's exception handler
> ; NOTE(review): both constants are hard-coded. In any binary other than the one
> ; this was disassembled from they are not guaranteed to point at a valid
> ; handler or table, yet the record is linked into fs:0 below, so an exception
> ; raised inside this function would be dispatched through them. A C rewrite
> ; with a compiler-generated __try/__except removes the problem.
>   push eax ; [ebp-10h] = previous registration record
>                 mov      fs:0, esp ; link the new record at the head of the chain
>   sub esp, 14h ; reserve locals ([ebp-14h]..[ebp-24h])
>   push ebx
>   push esi
>   push edi
>   mov esi, 8000h ; esi = query buffer size, starts at 8000h bytes
>   xor edi, edi ; edi = 0, reused as NULL / zero argument below
>   mov [ebp-18h], esp ; save esp (presumably for the SEH handler to restore on unwind)
>
> loc_731B2B37:    ; allocate-and-query loop; esi = buffer size for this attempt
>   push esi
>   push edi
>   call dword ptr LocalAlloc ; LocalAlloc(uFlags = 0, uBytes = esi)
>   mov [ebp-1Ch], eax ; remember the buffer for the later LocalFree
>   cmp eax, edi ; edi is still 0: NULL check
>   jz loc_731B2C12 ; allocation failed -> return 0 (no SetLastError call on this path)
>   push edi
>   push esi
>   push eax
>   push 5 ; information class 5 (SystemProcessInformation)
>   call NtQuerySystemInformation ; (class 5, buffer, length = esi, ReturnLength = NULL)
>   cmp eax, 0C0000004h ; STATUS_INFO_LENGTH_MISMATCH: buffer too small
>   jnz short loc_731B2B6D ; any other status is handled below
>   push dword ptr [ebp-1Ch]
>   call dword ptr LocalFree ; drop the too-small buffer
>   add esi, 8000h ; grow by 8000h and retry; NOTE(review): no upper bound, the loop only ends when LocalAlloc fails
>   jmp short loc_731B2B37 ;
>
> loc_731B2B6D:    ; status is something other than length-mismatch
>   test eax, eax ;
>   jge short loc_731B2B84 ; non-negative NTSTATUS -> treat as success
>   push eax
>   call RtlNtStatusToDosError ; map the NTSTATUS to a Win32 error code
>   push eax
>   call dword ptr SetLastError ;
>   jmp loc_731B2C12 ; NOTE(review): the buffer at [ebp-1Ch] is not freed on this path (leak)
>
> loc_731B2B84:    ; query succeeded: walk the returned entries
>   xor esi, esi ; esi = byte offset of the current entry in the buffer
>   mov edx, [ebp+0Ch]
>   shr edx, 2  ; edx = SizeofProcessesIds / 4 = capacity of the output array in DWORDs
>   xor edi, edi ; edi = number of DWORDs stored so far
>   mov ecx, [ebp+8] ; ecx = ProcessesId (output array)
>
> loc_731B2B91:    ; per-entry loop
>   mov eax, [ebp-1Ch]
>   add eax, esi ; eax = address of the current entry
>   cmp edi, edx ;
>   jnb short loc_731B2BAF ; output array full (unsigned compare): skip the store but keep walking
>   mov dword ptr [ebp-4], 0 ; state 0: presumably a __try region guarding the write to the caller's array
>   mov ebx, [eax+44h] ; dword at entry offset 44h, presumably the process ID in the NT4 layout; hard-coded, verify per OS version
>   mov [ecx+edi*4], ebx ; ProcessesId[edi] = that value
>   inc edi  ;
>   mov dword ptr [ebp-4], 0FFFFFFFFh ; leave the guarded region
>
> loc_731B2BAF:    ; advance to the next entry
>   mov eax, [eax] ; first dword of the entry = offset to the next one (0 on the last entry)
>   add esi, eax ; NOTE(review): the offset is trusted as returned; it is not checked against the buffer size
>   test eax, eax ;
>   jnz short loc_731B2B91 ; loop until an entry reports offset 0
>   mov esi, 1 ; esi = 1, becomes the return value
>   mov [ebp-4], esi ; state 1: presumably a second __try region, around the write to *done
>   lea ecx, ds:0[edi*4] ; ecx = edi * 4 = bytes written to ProcessesId
>   mov eax, [ebp+10h]
>   mov [eax], ecx ; *done = bytes written; a too-small array is truncated silently and still reports success
>   mov dword ptr [ebp-4], 0FFFFFFFFh ; leave the guarded region
>   push dword ptr [ebp-1Ch]
>   call dword ptr LocalFree ; release the query buffer
>   mov eax, esi ; return 1
>   jmp short loc_731B2C14 ;
>
> loc_731B2C12:    ; failure exit
>      ;
>   xor eax, eax ; return 0
>
> loc_731B2C14: ; common epilogue
>   mov ecx, [ebp-10h] ; previous registration record saved in the prologue
>   pop edi
>                 mov      fs:0, ecx ; unlink this function's record from the fs:0 chain
>   pop esi
>   pop ebx
>   mov esp, ebp
>   pop ebp
>   retn 0Ch ; stdcall: pop the three DWORD arguments
>  }
> //;EnumProcesses endp
> }
>

