---( toolhelp functions by mort[MATRiX] )----------------------------------- This article is for educational purpose only and I AM NOT responsibille for anything nor my english, nor myself,...anyway, enjoy it... .xxx ---------------------------------------------------------------------------- Well, this article wont be the teoretical one (i luv my english:). I think using toolhelp is easy so i will describe the APIs belonging to it without some fuckin' teoretical stuff (lame, lame, lame :)). So, if we have acces to Toolhelp functions (not in win NT4), u can get the stuff of proceses, modules, threads and heaps running right now in system. Nice,...now, a little theory:))). There's 'something' called snapshot in system. MSDN says: "A snapshot is a read-only copy of the current state of one or more of the following lists that reside in system memory: proceses, threads, modules and heaps." And thats true :))). So if u get handle of snapshot u want, u can see eg. right running processes in system and get their full paths. Nice,...all for theory XXXX). | | '--------------------------------------------------------------------------' To get snapshot handle use CreateToolhelp32Snapshot API: .--------------------------<<---------------------------' '---. |push process ID ;NULL for current process | |push flags ' |call CreateToolhelp32Snapshot '----------------------------- returns : handle of current snapshot -1 if fail -> use GetLastError to check it flags - TH32CS_SNAPHEAPLIST = 1 ;heap list in the snapshot will b incl. . TH32CS_SNAPPROCESS = 2 ;proces list in the snapshot will b incl.| TH32CS_SNAPTHREAD = 4 ;thread list in the snapshot will b incl.| TH32CS_SNAPMODULE = 8 ;module list in the snapshot will b incl.| TH32CS_SNAPALL = 1 | 2 | 4 | 8 ;aaaaaaall will b incl. | . TH32CS_INHERIT = 080000000h ;snapshot can be inherit ' | |Now, we have handle of snapshot we wanted (after our work it could be . |closed by CloseHandle API. | '---------------------------. | push snapshot handle <-' | call CloseHandle | '-------->.<--------------------------------------------------------------' | | ----------'---------------------------------- Imagine, we have process snapshot handle,... .-------------------------------------------------------------------------. |Going trought proccesses (and every snapshot stuff) is similar to going| 'trought files via FindFirstFile and FindNextFile. | | push PROCESSENTRY32 struc pointer | push snapshot HNDL | | call Process32First | ' .---------------------' |returns : TRUE - if succeds PROCESSENTRY32 contain data | |PROCESSENTRY32 struc | _size dd ? ;size of struc - must be set b4 calling | _usage dd ? ;process referencess - it lives until zero . | _processID dd ? ;PID | | _defaultHeapID dd ? ;ID of default process heap | | _moduleID dd ? ;MID :)) | | _threads dd ? ;executed threads number of process | | _parentProcessID dd ? ;PID of process which created the our one | | _priClassBase dd ? ;base priority of threads | | _flags dd ? ;reserved | | _exeFile db 255 dup(?) ;the best for end - full path of process! | |PROCESSENTRY32 ends | '--> | to get next process use: | | push PROCESSENTRY32 struc pointer | push snapshot HNDL | call Process32Next | .-------------<<--- | |returns : TRUE - if succeds PROCESSENTRY32 contains data | '-- | .There's one more API for process stuff via Toolhelp. It's: | | | |push read bytes to buffer ;ignored if NULL | |push read bytes from process | |push pointer to buffer | |push address to read from process | |push PID ;PID of process to read from | |call Toolhelp32ReadProcessMemory | | | |returns : TRUE if succeds | | | |address to read from process - this value is checked by system b4 read. | | So, if u have no access to read from, the func will fail... | | . | '----------------------------------->|<-----------------------------------' | | -------------------------------------'------<<<- Imagine, we have module snapshot handle,... .-------------------------------------------------------------------------. |This snapshot includes list of modules uses by each running process. | .-------------------------------< | |push MODULEENTRY32 struc pointer | push snapshot HNDL | call Module32First | .------------------------------<- | |push MODULEENTRY32 struc pointer | push snapshot HNDL ' call Module32Next .-----------------------------<-- |MODULEENTRY32 struc | _size dd ? ;size of struc - must be set b4 calling | _moduleID dd ? ;MID - in the context of owning process . | _processID dd ? ;PID of examined process | | _glblcntUsage dd ? ;global references on the module | | _proccntUsage dd ? ;process references on the module | | _modBaseAddr dd ? ;base module address in process context | | _modBaseSize dd ? ;size(B) of module | | _hModule dd ? ;module handle in process context | | _module db 255 + 1 dup(?) ;module name | | _exePath db 255 dup(?) ;module path | |MODULEENTRY32 ends . | | |--.----| | '------------------------------------------------>|<---|------------------' | '--< --------------------------------------------------' Imagine, we have heap snapshot handle,... .-------------------------------------------------------------------------. |Via this snapshot we are able to check heap of each running process. | |First we have to get the heap ID in process. This is done by: | | | |push HEAPLIST32 | |push snapshot HNDL | | |call Heap32ListFirst | | | ->----------' | |push HEAPLIST32 | |push snapshot HNDL | | |call Heap32ListNext | | | ->---------------' ' | |HEAPLIST32 struc | _size dd ? ;ouuuuuuuuuuuuuuuuuuuuuuuuuuch,..well, it's size,.. | _processID dd ? ;PID of owning process | _teapID dd ? ;heap identifier | _flags dd ? ;defined to HF32_DEFAULT = 1 |HEAPLIST32 ends | . |Well, by this APIs we get heapID which we need in next API: | | | |push heapID ;heap identifier returned from xListx APIs | |push PID ;PID of owning process | |push HEAPENTRY32 | |call Heap32First | '--------------<- | push HEAPENTRY32 | |call Heap32Next | '-------------<- | HEAPENTRY32 struc | _size dd ? ;need 2 b def. to structure size,...:<>) | _handle dd ? ;handle to block of heap | _address dd ? ;block starting linear address | . _blockSize dd ? ;size(B) of heap block | | _flags dd ? ;see below | | _lockCount dd ? ;count of locking by Global(Local)Lock APIs | | _resvd dd ? ;reserved | | _processID dd ? ;PID of process to examine | | _heapID dd ? ;heap ID in process context | 'HEAPENTRY32 ends | .------<<<- | |_flags - LF32_FIXED = 1 ;mem block has a fixed location | | LF32_FREE = 2 ;mem block is free | | LF32_MOVEABLE = 4 ;mem block can be moved | | | '---------------->..<-------------------------------------..--------------' .-----------------''--------------------------------------''-----. |Imagine, we have thread snapshot handle,... .-------------------' | .-------..-' |push THREADENTRY32 struc pointer | || |push snapshot HNDL .-----. .-----' || |call Thread32First | | | || '------. .--------' | | || |and| | | || .------' '--------------' '-----------. || |push THREADENTRY32 struc pointer | || |push snapshot HNDL | || |call Thread32Next | || | | || |returns same like the process ones,... | || | | || |THREADENTRY32 struc '-''----------------------. | _size dd ? ;size of struc - must be set b4 calling | | _usage dd ? ;thread referencess - it lives until zero | | _threadID dd ? ;identifier of the thread | | _ownerProcessID dd ? ;PID of process that owns thread | | _basePri dd ? ;initial priority level | | _deltaPri dd ? ;signed delta from base priority of thread| | _flags dd ? ;reserved | |THREADENTRY32 ends .. | '----------------------------->||<--------------------------------' || .closing || -------------------------------||------------------------------------------ Well, this is everything i found for Toolhelp. Well, for virii could be use mostly funcs which returns path and names of executed files. First time i saw this tex was in Cargo virus by LordJulus. It scans for executed procs. and save their names. Next time it scans, it compares the obtained names with the saved ones. If one left -> process shut down and we can infect it. This is one way, anyway there're more, there, somewhere out,...:) Thats all,...plz, feel free to contact me with any comments. mort[MATRiX] greet(s): LordJulus - I got the point from your article(s) and virii(s),... . |\ | |.--. -|-. | || |.--|| | | \ m o r|t . .-'-----'\._''--'-. '--[MATRiX]-------' [mort@matrixvx.org] \\\\\\\\\\\\\\\\\\