StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POListing Windows Processes and Modules
text
Body
copied!<p>So I've been messing around with Windows API lately, and I've encountered an issue that I need a little assistance with. Actually, to be precise, there are two issues.</p> <p>I will first show the code and then explain the difficulties that I am experiencing:</p> <pre><code>#pragma once #pragma comment(lib, "Psapi.lib") #include <stdlib.h> #include <stdio.h> #include <Windows.h> #include <TlHelp32.h> #include <Psapi.h> void ProcessError(DWORD error); int main() { FILE* file = fopen("C:\\Users\\Administrator\\Desktop\\processes.txt", "w"); DWORD count, i, modulesCount; WCHAR buffer[128] = {0}; HMODULE modules[128] = {0}; HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); PROCESSENTRY32 pEntry; pEntry.dwSize = sizeof(PROCESSENTRY32); count = 0; if(snapshot != INVALID_HANDLE_VALUE) { if(!Process32First(snapshot, &pEntry)) { ProcessError(GetLastError()); CloseHandle(snapshot); ExitProcess(EXIT_FAILURE); } do { HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pEntry.th32ProcessID); GetModuleFileNameEx(hProc, NULL, (LPWSTR)memset(buffer, 0, 128), 128); fwprintf(file, L"-------------------------------------------------------\n"); fwprintf(file, L"%s\t pid: %d\n", pEntry.szExeFile, pEntry.th32ProcessID); fwprintf(file, L"%s\n", buffer); if(hProc != INVALID_HANDLE_VALUE) { if(EnumProcessModules(hProc, (HMODULE*)memset(modules, 0, 128), 128, &modulesCount)) { modulesCount = modulesCount <= 128 ? modulesCount : 128; for(i = 0; i < modulesCount; ++i) { GetModuleFileName(modules[i], (LPWSTR)memset(buffer, 0, 128), 128); if(wcslen(buffer) > 0) { fwprintf(file, L"\t\t0x%X Module: %s\n", modules[i], buffer); } } } else { ProcessError(GetLastError()); } CloseHandle(hProc); } else { ProcessError(GetLastError()); } count++; } while(Process32Next(snapshot, &pEntry)); fwprintf(file, L"Process count: %d\n", count); } else { ProcessError(GetLastError()); CloseHandle(snapshot); ExitProcess(EXIT_FAILURE); } fclose(file); CloseHandle(snapshot); ExitProcess(EXIT_SUCCESS); } void ProcessError(DWORD error) { printf("Error in thread 0x%X, code: 0x%X\n", GetThreadId(GetCurrentThread()), error); } </code></pre> <p>So, the first issue has to do with the following:</p> <pre><code>if(EnumProcessModules(hProc, (HMODULE*)memset(modules, 0, 128), 128, &modulesCount)) </code></pre> <p>Sometimes I get an INVALID_HANDLE error, and I don't really know why. The Process handle is not invalid, nor is any other parameter passed to the function. If somebody could explain to me or at least point me in some direction (which is more preferred solution, since I am more interested to learn :D) it would do me good.</p> <p>Second is that for some reason, when I enumerate process' modules and GetModuleFileName() it also includes the location of the current process. </p> <p>I would get the following when I write to the file:</p> <blockquote> <pre><code>TuneUpUtilitiesApp32.exe pid: 2744 D:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe 0x76F60000 Module: C:\Windows\SYSTEM32\ntdll.dll 0x75FE0000 Module: C:\Windows\system32\kernel32.dll 0x75370000 Module: C:\Windows\system32\KERNELBASE.dll 0x761A0000 Module: C:\Windows\system32\USER32.dll 0x770D0000 Module: C:\Windows\system32\GDI32.dll 0x77130000 Module: C:\Windows\system32\LPK.dll 0x76EC0000 Module: C:\Windows\system32\USP10.dll 0x75F20000 Module: C:\Windows\system32\msvcrt.dll 0x755D0000 Module: C:\Windows\system32\ADVAPI32.dll 0x75590000 Module: C:\Windows\SYSTEM32\sechost.dll 0x757D0000 Module: C:\Windows\system32\RPCRT4.dll 0x77120000 Module: C:\Windows\system32\PSAPI.DLL 0x755B0000 Module: C:\Windows\system32\IMM32.DLL 0x75670000 Module: C:\Windows\system32\MSCTF.dll 0x10000000 Module: C:\Windows\system32\guard32.dll 0x750D0000 Module: C:\Windows\system32\VERSION.dll 0x750C0000 Module: C:\Windows\system32\fltlib.dll 0x0 Module: C:\Users\Administrator\documents\visual studio 2010\Projects\FunWithWindowsAPI\Release\FunWithWindowsAPI.exe 0x0 Module: C:\Users\Administrator\documents\visual studio 2010\Projects\FunWithWindowsAPI\Release\FunWithWindowsAPI.exe 0x0 Module: C:\Users\Administrator\documents\visual studio 2010\Projects\FunWithWindowsAPI\Release\FunWithWindowsAPI.exe 0x0 Module: C:\Users\Administrator\documents\visual studio 2010\Projects\FunWithWindowsAPI\Release\FunWithWindowsAPI.exe 0x0 Module: C:\Users\Administrator\documents\visual studio 2010\Projects\FunWithWindowsAPI\Release\FunWithWindowsAPI.exe 0x0 Module: C:\Users\Administrator\documents\visual studio 2010\Projects\FunWithWindowsAPI\Release\FunWithWindowsAPI.exe </code></pre> </blockquote> <p>It literally does that for every process that I can extract modules from. Any help would be much appreciated!</p>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload