markyrocks, posted January 14, 2020 (edited)

The tool takes a "snapshot" of your system. Then you scroll through the pages of information like a book. It's broken down into sections: heaps, modules, threads and processes. The only limitation is it only has the same rights as the user, so if you're running as a base level user you're not going to get as much info as a person running as admin. Also you can only obtain information about the modules loaded into the memory of the calling process. This is pretty standard across all calls for module information.

As you can clearly see from the example, a user needs to call _CreateToolHelp32Snapshot_OnInit() at the beginning of their code. It builds all the structs and sets the size of the struct to the first value of the structure. Then call xxxx32First() to initialize the group; every subsequent call is made to xxxx32Next(). The displays are exactly that, displays to demonstrate it's working. How you harvest and use the information is up to you. The sample is just a sample; the main functions that make it work live in the 32Snapshot.au3 that is attached.

Last but not least, what makes this useful vs the built-in calls for ProcessList(), _WinAPI_EnumModule() etc. is that this returns more information. Instead of just the name and PID of a process it returns information about the base address, parent processes, how many threads, all types of stuff.

UPDATE v1.0: There were issues I just found with the modules part of the script. Should be fixed now.

Update: It's all fixed up, seems to be operating correctly, let me know otherwise. If you are using any of the 32W functions let me know how they're working. I couldn't test those. But every edit that was made to their counterpart was made to the 32W.

UPDATE: Edit edit, there was a logic issue in the newly posted sample script. $bool[0][0] will never be false if it's an array. It needs to be $bool[0][1]<>0. It's fixed in the latest sample as of the time I press this button.

UPDATE!!! I wasn't able to get information on the processes and I was wondering if autoit.exe was set to run as admin even though the script was set to require admin.... The fact that autoit.exe was not set to run as admin meant I wasn't getting all the info. New file uploaded. Should be perfect this time.

This is my wrapper on the Toolhelp32Snapshot functions available in kernel32.dll. I'm super stoked on it. Probably the best thing I've ever written. Looking for some testers. I'd also like to note that if you're not getting the expected results it is possible that it's a bug in the script; it is also possible that you have virus protection running, or are not running SciTE as admin, or some other privileges issue. That's about as far as I can go on that subject.

https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/

```autoit
;~ ======================================================================================
;~ Title                                          Description            Author: $MarkyRocks!!
;~ ======================================================================================
;~ CreateToolhelp32Snapshot($Flags,$ProcessID)    Takes a snapshot of the specified processes, as well as the heaps, modules, and threads used by these processes.
;~ ======================================================================================
;~ Heap32First($hSnapShot)                        Retrieves information about the first block of a heap that has been allocated by a process.
;~ ======================================================================================
;~ Heap32Next($hSnapShot)                         Retrieves information about the next block of a heap that has been allocated by a process.
;~ ======================================================================================
;~ Module32First($hSnapShot)                      Retrieves information about the first module associated with a process.
;~ ======================================================================================
;~ Module32FirstW($hSnapShot)                     Retrieves information about the first module associated with a process.
;~ ======================================================================================
;~ Module32Next($hSnapShot)                       Retrieves information about the next module associated with a process or thread.
;~ ======================================================================================
;~ Module32NextW($hSnapShot)                      Retrieves information about the next module associated with a process or thread.
;~ ======================================================================================
;~ Process32First($hSnapShot)                     Retrieves information about the first process encountered in a system snapshot.
;~ ======================================================================================
;~ Process32FirstW($hSnapShot)                    Retrieves information about the first process encountered in a system snapshot.
;~ ======================================================================================
;~ Process32Next($hSnapShot)                      Retrieves information about the next process recorded in a system snapshot.
;~ ======================================================================================
;~ Process32NextW($hSnapShot)                     Retrieves information about the next process recorded in a system snapshot.
;~ ======================================================================================
;~ Thread32First($hSnapShot)                      Retrieves information about the first thread of any process encountered in a system snapshot.
;~ ======================================================================================
;~ Thread32Next($hSnapShot)                       Retrieves information about the next thread of any process encountered in the system memory snapshot.
;~ ======================================================================================
;~ Toolhelp32ReadProcessMemory($th32ProcessID,$lpBaseAddress,$lpBuffer,$cbRead,$lpNumberOfBytesRead)
;~                                                Copies memory allocated to another process into an application-supplied buffer.
;~ ======================================================================================
;~ CreateToolHelp32Snapshot_OnInit()              Builds the structs, gets things ready. !!!!!!!!!! Must be run at the start of your code
;~ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
;~ CreateToolHelp32Snapshot_OnExit()              Releases memory resources. SHOULD be automatic but it can't hurt to run it anyways
;~ ======================================================================================
;~ CreateToolhelp32Snapshot($flags,$iPID)         Takes a snapshot of the specified processes, as well as the heaps, modules, and threads used by these processes.
;~                                                Returns a handle to the snapshot of the system or Exit on fail.      Markyrocks
;~ ======================================================================================
```

```autoit
#RequireAdmin                 ; without admin rights you get far less information (see the notes above)
#include <Array.au3>
#include "32Snapshot.au3"     ; the attached wrapper

_CreateToolHelp32Snapshot_OnInit()   ; must run before anything else: builds the structs and sets their size
Global $hSnapShot = _CreateToolHelp32Snapshot($TH32CS_SNAPALL, @AutoItPID)
_SnapShotModule32()
_SnapshotModule32W()
_SnapshotHeap32()
_SnapshotProcess32()
_SnapshotThread32()
_CreateToolHelp32Snapshot_OnExit()   ; release the structs

; Every group works the same way: xxxx32First() starts the walk, then xxxx32Next()
; is called until it stops returning an array. The [0][1] <> 0 test skips empty pages.
Func _SnapShotModule32()
    Local $bool = _Module32First($hSnapShot), $bool2
    If IsArray($bool) Then
        _ArrayDisplay($bool, "ModFirst")
        Do
            $bool2 = _Module32Next($hSnapShot)
            If IsArray($bool2) And $bool2[0][1] <> 0 Then _ArrayDisplay($bool2, "ModNext")
        Until Not IsArray($bool2)
    EndIf
EndFunc

Func _SnapshotModule32W()
    Local $bool = _Module32FirstW($hSnapShot), $bool2
    If IsArray($bool) Then
        Do
            $bool2 = _Module32NextW($hSnapShot)
            If IsArray($bool2) And $bool2[0][1] <> 0 Then _ArrayDisplay($bool2, "ModNextW")
        Until Not IsArray($bool2)
    EndIf
EndFunc

Func _SnapshotHeap32()
    Local $bool = _Heap32First($hSnapShot), $bool2
    If IsArray($bool) Then
        _ArrayDisplay($bool, "HeapFirst")
        Do
            $bool2 = _Heap32Next($hSnapShot)
            If IsArray($bool2) And $bool2[0][1] <> 0 Then _ArrayDisplay($bool2, "HeapNext")
        Until Not IsArray($bool2)
    EndIf
EndFunc

Func _SnapshotProcess32()
    Local $bool = _Process32First($hSnapShot), $bool2
    If IsArray($bool) Then
        _ArrayDisplay($bool, "ProcFirst")
        Do
            $bool2 = _Process32Next($hSnapShot)
            If IsArray($bool2) And $bool2[0][1] <> 0 Then _ArrayDisplay($bool2, "ProcNext")
        Until Not IsArray($bool2)
    EndIf
EndFunc

; Defined but not called above; call it to walk the W (Unicode) process functions.
Func _SnapshotProcess32W()
    Local $bool = _Process32FirstW($hSnapShot), $bool2
    If IsArray($bool) Then
        _ArrayDisplay($bool, "ProcFirstW")
        Do
            $bool2 = _Process32NextW($hSnapShot)
            If IsArray($bool2) And $bool2[0][1] <> 0 Then _ArrayDisplay($bool2, "ProcNextW")
        Until Not IsArray($bool2)
    EndIf
EndFunc

Func _SnapshotThread32()
    Local $bool = _Thread32First($hSnapShot), $bool2
    If IsArray($bool) Then
        _ArrayDisplay($bool, "ThreadFirst")
        Do
            $bool2 = _Thread32Next($hSnapShot)
            If IsArray($bool2) And $bool2[0][1] <> 0 Then _ArrayDisplay($bool2, "ThreadNext")
        Until Not IsArray($bool2)
    EndIf
EndFunc
```

Just a sample of how it works. The include is attached for download: 32Snapshot.au3

Edited January 17, 2020 by markyrocks (UPDATE v1.0)
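An added example (mine, not the author's 32Snapshot.au3 and not code from this thread) that does by hand what the wrapper's _Process32* functions do: it asks kernel32.dll for a process snapshot, sets dwSize on a PROCESSENTRY32W struct, walks it with Process32FirstW/Process32NextW, treats only ERROR_NO_MORE_FILES as a clean end of the list, and resolves each parent PID to an image name, which ProcessList() cannot give you. The function names _ProcessSnapshot, _Tool32Call and _AddParentNames are my own.

```autoit
#include <Array.au3>
#include <WinAPI.au3>
; Added example, not part of 32Snapshot.au3: walk the process list of a Toolhelp32
; snapshot with direct DllCalls into kernel32.dll and resolve each process's parent,
; which the built-in ProcessList() cannot do.
Global Const $TH32CS_SNAPPROCESS = 0x00000002
Global Const $ERROR_NO_MORE_FILES = 18

; PROCESSENTRY32W as documented for tlhelp32.h. DllStructCreate uses natural
; alignment by default, so the same tag is correct on 32- and 64-bit AutoIt.
Global Const $tagPROCESSENTRY32W = "dword dwSize;dword cntUsage;dword th32ProcessID;" & _
        "ulong_ptr th32DefaultHeapID;dword th32ModuleID;dword cntThreads;" & _
        "dword th32ParentProcessID;long pcPriClassBase;dword dwFlags;wchar szExeFile[260]"

; Calls Process32FirstW or Process32NextW; True while an entry was written to $tEntry.
Func _Tool32Call($sFunc, $hSnap, ByRef $tEntry)
    Local $aRet = DllCall("kernel32.dll", "bool", $sFunc, "handle", $hSnap, "struct*", $tEntry)
    If @error Then Return False
    Return $aRet[0] <> 0
EndFunc

; Returns [n+1][4] rows of [PID, parent PID, thread count, exe name], count in [0][0].
; @error 1: snapshot failed; @error 2: the walk ended with a Win32 error (in @extended).
Func _ProcessSnapshot()
    Local $aRet = DllCall("kernel32.dll", "handle", "CreateToolhelp32Snapshot", _
            "dword", $TH32CS_SNAPPROCESS, "dword", 0)
    If @error Or $aRet[0] = Ptr(-1) Then Return SetError(1, 0, 0) ; INVALID_HANDLE_VALUE
    Local $hSnap = $aRet[0]
    Local $tEntry = DllStructCreate($tagPROCESSENTRY32W)
    ; dwSize must be filled in before the first call or the API rejects the struct.
    DllStructSetData($tEntry, "dwSize", DllStructGetSize($tEntry))
    Local $aOut[64][4], $iCount = 0
    Local $bMore = _Tool32Call("Process32FirstW", $hSnap, $tEntry)
    While $bMore
        If $iCount + 1 >= UBound($aOut) Then ReDim $aOut[UBound($aOut) * 2][4]
        $iCount += 1
        $aOut[$iCount][0] = DllStructGetData($tEntry, "th32ProcessID")
        $aOut[$iCount][1] = DllStructGetData($tEntry, "th32ParentProcessID")
        $aOut[$iCount][2] = DllStructGetData($tEntry, "cntThreads")
        $aOut[$iCount][3] = DllStructGetData($tEntry, "szExeFile")
        $bMore = _Tool32Call("Process32NextW", $hSnap, $tEntry)
    WEnd
    ; FALSE from Process32NextW is the normal end of the list only when the last
    ; error is ERROR_NO_MORE_FILES; anything else means the walk broke off early.
    Local $iErr = _WinAPI_GetLastError()
    _WinAPI_CloseHandle($hSnap)
    If $iErr <> $ERROR_NO_MORE_FILES Then Return SetError(2, $iErr, 0)
    ReDim $aOut[$iCount + 1][4]
    $aOut[0][0] = $iCount
    Return $aOut
EndFunc

; Adds a fifth column with the parent's exe name, or "<exited>" when the parent PID
; is no longer in the snapshot. PIDs get reused, so a match is evidence, not proof.
Func _AddParentNames(ByRef $aProcs)
    ReDim $aProcs[UBound($aProcs)][5]
    For $i = 1 To $aProcs[0][0]
        $aProcs[$i][4] = "<exited>"
        For $j = 1 To $aProcs[0][0]
            If $aProcs[$j][0] = $aProcs[$i][1] Then
                $aProcs[$i][4] = $aProcs[$j][3]
                ExitLoop
            EndIf
        Next
    Next
EndFunc

Local $aProcs = _ProcessSnapshot()
If @error Then
    MsgBox(16, "Snapshot failed", "@error=" & @error & ", Win32 error=" & @extended)
    Exit 1
EndIf
_AddParentNames($aProcs)
_ArrayDisplay($aProcs, "PID | PPID | Threads | Exe | Parent exe")
```

The process list itself needs no admin rights; running elevated only matters for the heap and module groups, which is the limitation the post above describes.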
markyrocks (author), posted January 14, 2020 (edited)

I've found some mistakes in the header and in the description of a few functions. The header in this post is the most up to date. Any function that has "list" in it is ##INTERNAL##!! Also the description of either _CreateToolHelp32Snapshot_OnInit() or _OnExit() may say something to the effect of being automatic. That is currently not the case. Making it automatic was giving me weird issues at the time that may or may not have been related to #AutoItRegisterOnStart and/or OnAutoItExitRegister().

Edit: I'm having editing issues.....

Edited January 15, 2020 by markyrocks
argumentum, posted January 14, 2020

I changed the example to speed it up:

```autoit
#include <Array.au3>
#include "32Snapshot.au3"

_CreateToolHelp32Snapshot_OnInit()
$hSnapShot = _CreateToolHelp32Snapshot($TH32CS_SNAPALL, '')   ; '' ends up as PID 0
$bool = _Heap32First($hSnapShot)
If IsArray($bool) Then
    _ArrayDisplay($bool)
    Do
        $bool2 = _Heap32Next($hSnapShot)
        If IsArray($bool2) Then
            If Int($bool2[1][1]) Then _ArrayDisplay($bool2)
        EndIf
    Until Not IsArray($bool2)
EndIf
$bool = _Module32First($hSnapShot)
If IsArray($bool) Then
    _ArrayDisplay($bool)
    Do
        $bool2 = _Module32Next($hSnapShot)
        If IsArray($bool2) Then
            If Int($bool2[1][1]) Then _ArrayDisplay($bool2)
        EndIf
    Until Not IsArray($bool2)
EndIf
$bool = _Module32FirstW($hSnapShot)
If IsArray($bool) Then
    _ArrayDisplay($bool)
    Do
        $bool2 = _Module32NextW($hSnapShot)
        If IsArray($bool2) Then
            If Int($bool2[1][1]) Then _ArrayDisplay($bool2)
        EndIf
    Until Not IsArray($bool2)
EndIf
$bool = _Process32First($hSnapShot)
If IsArray($bool) Then
    _ArrayDisplay($bool)
    Do
        $bool2 = _Process32Next($hSnapShot)
        If IsArray($bool2) Then
            If Int($bool2[1][1]) Then _ArrayDisplay($bool2)
        EndIf
    Until Not IsArray($bool2)
EndIf
$bool = _Process32FirstW($hSnapShot)
If IsArray($bool) Then
    _ArrayDisplay($bool)
    Do
        $bool2 = _Process32NextW($hSnapShot)
        If IsArray($bool2) Then
            If Int($bool2[1][1]) Then _ArrayDisplay($bool2)
        EndIf
    Until Not IsArray($bool2)
EndIf
$bool = _Thread32First($hSnapShot)
If IsArray($bool) Then
    _ArrayDisplay($bool)
    Do
        $bool2 = _Thread32Next($hSnapShot)
        If IsArray($bool2) Then
            If Int($bool2[1][1]) Then _ArrayDisplay($bool2)
        EndIf
    Until Not IsArray($bool2)
EndIf
MsgBox(0, '', 'done')
_CreateToolHelp32Snapshot_OnExit()
```

and it just gets lost I guess. PROCESS_ID = 0 forever ☹️
markyrocks (author), posted January 14, 2020 (edited)

> 1 hour ago, argumentum said: I changed the example to speed it up: [the script quoted in full from the post above] and it just gets lost I guess. PROCESS_ID = 0 forever ☹️

That's what I meant by the infinite loop. I'm wondering if that data just keeps cycling if it's able to get it all. I think some of the other, well, I'm fairly certain other groups of data are either incomplete or it's just not able to grab them at the second it wants it.

For whatever reason I had Module32Next() fail, but if I force it to continue I was still able to pull some information from it. It may have something to do with the data types in the struct tags. Those structs are finicky and it seems like int, char, ptr are the most reliable. Might simplify the tag to see if I can get more. Byte seems to be most reliable but casting an int into a byte and trying to pull it back out as a BinaryToString seems to break things. (Not in this, just structs in general.)

Edit: Ya, the example I wrote isn't the greatest, I will admit. It was just kinda quick and dirty. It was like 3am and I was just trying to get to some testing. I had a couple issues to iron out, just wanted to get it to the point where it was working and actually returning data. I've been working all day so I really haven't been able to play with it.

EDIT::!! I'd also like to point out, in regards to some values that are either returning 0 or nothing at all, that some of the structs have values in the description that say as much. I just wasn't able to get down to the nitty gritty and let that fact be known in the script. I did cut some off if they were at the end of the struct.

Edited January 14, 2020 by markyrocks
markyrocks (author), posted January 15, 2020

Ok, I figured I would post an update. I went through everything with a fine tooth comb. The _Thread32 funcs had a math problem in there that was causing the data to not make sense. I was having issues with the struct sizes not being correct to hold the data, I had issues with all kinds of stuff. All fixed up. There's error handling in there now. When it gets to the end of a group of pages a msg displays saying that it's at the end and the loop exits. I even added in some extra checks to the sample code. The only other thing I can add is I was getting an error message about the functionsW, but I assume that's because I'm running on 32-bit AutoIt and I believe they're 64-bit functions. I updated the sample code and the new, much better working .au3 has been uploaded. But in conclusion IT WORKS!!!!!!!!!!!!!!!!!!!!!!!!!!!!
seadoggie01, posted January 16, 2020

I'm confused. What is this? There's only updates in the original post... maybe post an explanation at the beginning and add the updates (in chronological order) after. After reading a bit closer (I'm just a little ADD), I see that it's a wrapper for Toolhelp32Snapshot functions, but I've literally never heard of this. A super brief explanation would still be nice.
markyrocks (author), posted January 16, 2020 (edited)

> 1 hour ago, seadoggie01 said: I'm confused. What is this? There's only updates in the original post... maybe post an explanation at the beginning and add the updates (in chronological order) after. After reading a bit closer (I'm just a little ADD), I see that it's a wrapper for Toolhelp32Snapshot functions, but I've literally never heard of this. A super brief explanation would still be nice.

Lol. I figured it better that I put the updates at the top for people who have been following along this whole time, so that they're easier to see. The description is in the header where all the functions are listed. That, and there's a link that takes you to the official description.

The tool takes a "snapshot" of your system. Then you scroll through the pages of information like a book. It's broken down into sections: heaps, modules, threads and processes. The only limitation is it only has the same rights as the user, so if you're running as a base level user you're not going to get as much info as a person running as admin. Also you can only obtain information about the modules loaded into the memory of the calling process. This is pretty standard across all calls for module information.

As you can clearly see from the example, a user needs to call _CreateToolHelp32Snapshot_OnInit() at the beginning of their code. It builds all the structs and sets the size of the struct to the first value of the structure. Then call xxxx32First() to initialize the group; every subsequent call is made to xxxx32Next(). The displays are exactly that, displays to demonstrate it's working. How you harvest and use the information is up to you. I honestly haven't even used it for any constructive purpose, just to get it working right, but it is working right. Also, like I said about enabling admin to get the full benefits: enable admin on SciTE and the autoit.exe inside that AutoIt root directory.

The reason I decided to build this is because it seems like a popular tool amongst C++ guys and I was kinda jealous when I realized this didn't exist in AutoIt. I've been playing around with structs a lot lately and it seemed doable. Here we are 4 days later and it's done. Even though this wasn't a unique formula I used to get here, the end result is something that wasn't possible before. The fact that I could do something to benefit the whole community was a big motivator. Also I learned a lot along the way. Soon I'll be thinking in 1s and 0s.

Edit: also I forgot to add that you can change the flag on CreateToolhelp32Snapshot($flag,$ipid) and have it only return certain information, or by only calling functions for specific groups. The sample may seem kinda strange because I broke it up into functions; it was kinda a mess before. Eventually I'll migrate them into the main file. It's been an evolution. The sample is not the main UDF. It's just a sample.

Edited January 16, 2020 by markyrocks
argumentum, posted January 17, 2020

```autoit
Global Const $TH32CS_INHERIT      = 0x80000000
Global Const $TH32CS_SNAPHEAPLIST = 0x00000001
Global Const $TH32CS_SNAPMODULE   = 0x00000008
Global Const $TH32CS_SNAPMODULE32 = 0x00000010
Global Const $TH32CS_SNAPPROCESS  = 0x00000002
Global Const $TH32CS_SNAPTHREAD   = 0x00000004
Global Const $TH32CS_SNAPALL      = BitOR($TH32CS_SNAPHEAPLIST, $TH32CS_SNAPMODULE, $TH32CS_SNAPPROCESS, $TH32CS_SNAPTHREAD)
```

nicer looking
markyrocks (author), posted January 17, 2020

> 2 hours ago, argumentum said:
> Global Const $TH32CS_INHERIT = 0x80000000
> Global Const $TH32CS_SNAPHEAPLIST = 0x00000001
> Global Const $TH32CS_SNAPMODULE = 0x00000008
> Global Const $TH32CS_SNAPMODULE32 = 0x00000010
> Global Const $TH32CS_SNAPPROCESS = 0x00000002
> Global Const $TH32CS_SNAPTHREAD = 0x00000004
> Global Const $TH32CS_SNAPALL = BitOR($TH32CS_SNAPHEAPLIST, $TH32CS_SNAPMODULE, $TH32CS_SNAPPROCESS, $TH32CS_SNAPTHREAD)
> nicer looking

To each their own. I actually am fond of the way it is. A newb sees that BitOR() with all that hex and it really blows their mind. I think it adds an air of credibility. Lol. A few years ago I'd see something like that and be completely astonished. I will say I've been looking at some of the code you post... you're a beast. Clearly your mind operates more like a computer than a human. I say that with the utmost respect and as a compliment.