Module32First and Module32Next not working under Windows 7

[Guest tehgame]

Hello!

I tried to list modules of foreign processes with and without admin rights under Windows 7 Pro 64bit by using APIs Module32First, Module32Next and CreateToolhelp32Snapshot. It only works on my own process and like 10% of other the ones like Firefox. For the rest the Module32* APIs return FALSE.

Is this associated with the Windows 7 "protected processes" security model where even administrator can't use a debugger on every process?

While it makes injection to even notepad.exe impossible, is there a way around this besides not using Windows 7? I could not find a new tutorial on DLL-Injection in Windows 7.

[Aguila]

CreateToolhelp32Snapshot + Process32Next -> works fine on win 7 64bit

injecting 32bit dll in 32bit process -> works fine win7 64bit

injecting 32bit dll in 64bit process -> fail

CreateToolhelp32Snapshot + Module32First + 32bit process wants to read 64bit process -> probably fail

[Guest tehgame]

I found this after studying the MSDN a bit more precisely in consequence to your suggestion.

HANDLE WINAPI CreateToolhelp32Snapshot(

__in DWORD dwFlags,

__in DWORD th32ProcessID

);

...

If the specified process is a 64-bit process and the caller is a 32-bit process, this function fails and the last error code is ERROR_PARTIAL_COPY (299).

Source: http://msdn.microsoft.com/en-us/library/ms682489%28VS.85%29.aspx

Edited May 7, 2010 by tehgame

[z0hr]

To list 64-bit processes, the caller'd need to be a 64-bit process itself.

If so, you'll also need the flags to be TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32 to list either 64-bit and 32-bit modules inside of a 64-bit process.

There shouldn't be problems when listing 23-bit processes..

[mikky]

hi

i have a problem like the one described above.

i make my programs in masm. i make them on my pc on which i have installed windows xp 32 bit.

when i access the module32first/module32next on my pc, everything works great.

but when i access them on another pc that have windows7 on 32 bit, they don't work.

could the problem be that the program i want to find it's dll module base is on 64 bit? (if so is it possible for a 64bit program to run on 32 bit os?)

thanks.

next is the routine that retrieves the module base of a dll:

GetModuleBaseAddress proc iProcID:DWORD, DLLName:DWORD

LOCAL hSnap:DWORD

LOCAL xModule:MODULEENTRY32

invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, iProcID

mov hSnap,eax

mov xModule.dwSize, sizeof xModule

invoke Module32First, hSnap, addr xModule

test eax, eax

jnz getdll

mov eax, 0

ret

getdll:

invoke Module32Next, hSnap, addr xModule

test eax, eax

jnz checkdll

mov eax, 0

ret

checkdll:

invoke lstrcmpi, DLLName, addr xModule.szModule

test eax, eax

jnz getdll

mov eax, xModule.modBaseAddr

ret

GetModuleBaseAddress endp

how can i make that code work on windows7??

thank you

[atom0s]

hi

i have a problem like the one described above.

i make my programs in masm. i make them on my pc on which i have installed windows xp 32 bit.

when i access the module32first/module32next on my pc, everything works great.

but when i access them on another pc that have windows7 on 32 bit, they don't work.

could the problem be that the program i want to find it's dll module base is on 64 bit? (if so is it possible for a 64bit program to run on 32 bit os?)

thanks.

next is the routine that retrieves the module base of a dll:

<code snipped>

how can i make that code work on windows7??

thank you

You must compile the application as a 64bit application in order for it to be able to obtain information about the 64bit processes using that API. And no, you cannot run 64bit applications on a 32bit machine, it wont run. Also you need to close the handle that you opened with CreateToolhelp32Snapshot in your code.