tlhelp32.h File Reference

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Classes
struct	tagHEAPLIST32
struct	tagHEAPENTRY32
struct	tagPROCESSENTRY32W
struct	tagPROCESSENTRY32
struct	tagTHREADENTRY32
struct	tagMODULEENTRY32W
struct	tagMODULEENTRY32

Macros
#define	HF32_DEFAULT   1
#define	HF32_SHARED   2
#define	LF32_FIXED   0x1
#define	LF32_FREE   0x2
#define	LF32_MOVEABLE   0x4
#define	MAX_MODULE_NAME32   255
#define	TH32CS_SNAPHEAPLIST   0x1
#define	TH32CS_SNAPPROCESS   0x2
#define	TH32CS_SNAPTHREAD   0x4
#define	TH32CS_SNAPMODULE   0x8
#define	TH32CS_SNAPALL   (TH32CS_SNAPHEAPLIST|TH32CS_SNAPPROCESS|TH32CS_SNAPTHREAD|TH32CS_SNAPMODULE)
#define	TH32CS_INHERIT   0x80000000

Typedefs
typedef struct tagHEAPLIST32	HEAPLIST32
typedef struct tagHEAPLIST32 *	PHEAPLIST32
typedef struct tagHEAPLIST32 *	LPHEAPLIST32
typedef struct tagHEAPENTRY32	HEAPENTRY32
typedef struct tagHEAPENTRY32 *	PHEAPENTRY32
typedef struct tagHEAPENTRY32 *	LPHEAPENTRY32
typedef struct tagPROCESSENTRY32W	PROCESSENTRY32W
typedef struct tagPROCESSENTRY32W *	PPROCESSENTRY32W
typedef struct tagPROCESSENTRY32W *	LPPROCESSENTRY32W
typedef struct tagPROCESSENTRY32	PROCESSENTRY32
typedef struct tagPROCESSENTRY32 *	PPROCESSENTRY32
typedef struct tagPROCESSENTRY32 *	LPPROCESSENTRY32
typedef struct tagTHREADENTRY32	THREADENTRY32
typedef struct tagTHREADENTRY32 *	PTHREADENTRY32
typedef struct tagTHREADENTRY32 *	LPTHREADENTRY32
typedef struct tagMODULEENTRY32W	MODULEENTRY32W
typedef struct tagMODULEENTRY32W *	PMODULEENTRY32W
typedef struct tagMODULEENTRY32W *	LPMODULEENTRY32W
typedef struct tagMODULEENTRY32	MODULEENTRY32
typedef struct tagMODULEENTRY32 *	PMODULEENTRY32
typedef struct tagMODULEENTRY32 *	LPMODULEENTRY32

Functions
BOOL WINAPI	Heap32First (LPHEAPENTRY32, DWORD, DWORD)
BOOL WINAPI	Heap32ListFirst (HANDLE, LPHEAPLIST32)
BOOL WINAPI	Heap32ListNext (HANDLE, LPHEAPLIST32)
BOOL WINAPI	Heap32Next (LPHEAPENTRY32)
BOOL WINAPI	Module32First (HANDLE, LPMODULEENTRY32)
BOOL WINAPI	Module32FirstW (HANDLE, LPMODULEENTRY32W)
BOOL WINAPI	Module32Next (HANDLE, LPMODULEENTRY32)
BOOL WINAPI	Module32NextW (HANDLE, LPMODULEENTRY32W)
BOOL WINAPI	Process32First (HANDLE, LPPROCESSENTRY32)
BOOL WINAPI	Process32FirstW (HANDLE, LPPROCESSENTRY32W)
BOOL WINAPI	Process32Next (HANDLE, LPPROCESSENTRY32)
BOOL WINAPI	Process32NextW (HANDLE, LPPROCESSENTRY32W)
BOOL WINAPI	Thread32First (HANDLE, LPTHREADENTRY32)
BOOL WINAPI	Thread32Next (HANDLE, LPTHREADENTRY32)
BOOL WINAPI	Toolhelp32ReadProcessMemory (DWORD, LPCVOID, LPVOID, SIZE_T, SIZE_T *)
HANDLE WINAPI	CreateToolhelp32Snapshot (DWORD, DWORD)

Macro Definition Documentation

HF32_DEFAULT

#define HF32_DEFAULT   1

Definition at line 19 of file tlhelp32.h.

HF32_SHARED

#define HF32_SHARED   2

Definition at line 20 of file tlhelp32.h.

LF32_FIXED

#define LF32_FIXED   0x1

Definition at line 21 of file tlhelp32.h.

LF32_FREE

#define LF32_FREE   0x2

Definition at line 22 of file tlhelp32.h.

LF32_MOVEABLE

#define LF32_MOVEABLE   0x4

Definition at line 23 of file tlhelp32.h.

MAX_MODULE_NAME32

#define MAX_MODULE_NAME32   255

Definition at line 24 of file tlhelp32.h.

TH32CS_INHERIT

#define TH32CS_INHERIT   0x80000000

Definition at line 30 of file tlhelp32.h.

TH32CS_SNAPALL

#define TH32CS_SNAPALL   (TH32CS_SNAPHEAPLIST|TH32CS_SNAPPROCESS|TH32CS_SNAPTHREAD|TH32CS_SNAPMODULE)

Definition at line 29 of file tlhelp32.h.

TH32CS_SNAPHEAPLIST

#define TH32CS_SNAPHEAPLIST   0x1

Definition at line 25 of file tlhelp32.h.

TH32CS_SNAPMODULE

#define TH32CS_SNAPMODULE   0x8

Definition at line 28 of file tlhelp32.h.

TH32CS_SNAPPROCESS

#define TH32CS_SNAPPROCESS   0x2

Definition at line 26 of file tlhelp32.h.

TH32CS_SNAPTHREAD

#define TH32CS_SNAPTHREAD   0x4

Definition at line 27 of file tlhelp32.h.

Typedef Documentation

HEAPENTRY32

typedef struct tagHEAPENTRY32 HEAPENTRY32

HEAPLIST32

typedef struct tagHEAPLIST32 HEAPLIST32

LPHEAPENTRY32

typedef struct tagHEAPENTRY32* LPHEAPENTRY32

LPHEAPLIST32

typedef struct tagHEAPLIST32* LPHEAPLIST32

LPMODULEENTRY32

static LPMODULEENTRY32

Definition at line 36 of file toolhelp.c.

LPMODULEENTRY32W

typedef struct tagMODULEENTRY32W* LPMODULEENTRY32W

LPPROCESSENTRY32

static LPPROCESSENTRY32

Definition at line 38 of file toolhelp.c.

LPPROCESSENTRY32W

typedef struct tagPROCESSENTRY32W* LPPROCESSENTRY32W

LPTHREADENTRY32

static LPTHREADENTRY32

Definition at line 40 of file toolhelp.c.

MODULEENTRY32

typedef struct tagMODULEENTRY32 MODULEENTRY32

MODULEENTRY32W

typedef struct tagMODULEENTRY32W MODULEENTRY32W

PHEAPENTRY32

typedef struct tagHEAPENTRY32* PHEAPENTRY32

PHEAPLIST32

typedef struct tagHEAPLIST32* PHEAPLIST32

PMODULEENTRY32

typedef struct tagMODULEENTRY32* PMODULEENTRY32

PMODULEENTRY32W

typedef struct tagMODULEENTRY32W* PMODULEENTRY32W

PPROCESSENTRY32

typedef struct tagPROCESSENTRY32* PPROCESSENTRY32

PPROCESSENTRY32W

typedef struct tagPROCESSENTRY32W* PPROCESSENTRY32W

PROCESSENTRY32

typedef struct tagPROCESSENTRY32 PROCESSENTRY32

PROCESSENTRY32W

typedef struct tagPROCESSENTRY32W PROCESSENTRY32W

PTHREADENTRY32

typedef struct tagTHREADENTRY32* PTHREADENTRY32

THREADENTRY32

typedef struct tagTHREADENTRY32 THREADENTRY32

Function Documentation

CreateToolhelp32Snapshot()

HANDLE WINAPI CreateToolhelp32Snapshot	(	DWORD	,
		DWORD
	)

Definition at line 1255 of file toolhelp.c.

{
  PRTL_DEBUG_INFORMATION HeapDebug, ModuleDebug;
  PVOID ProcThrdInfo;
  SIZE_T ProcThrdInfoSize;
  NTSTATUS Status;
  HANDLE hSnapShotSection = NULL;

  if(th32ProcessID == 0)
  {
    th32ProcessID = GetCurrentProcessId();
  }

  /*
   * Get all information required for the snapshot
   */
  Status = TH32CreateSnapshot(dwFlags,
                              th32ProcessID,
                              &HeapDebug,
                              &ModuleDebug,
                              &ProcThrdInfo,
                              &ProcThrdInfoSize);
  if(!NT_SUCCESS(Status))
  {
    BaseSetLastNTError(Status);
    return NULL;
  }

  /*
   * Create a section handle and initialize the collected information
   */
  Status = TH32CreateSnapshotSectionInitialize(dwFlags,
                                               th32ProcessID,
                                               HeapDebug,
                                               ModuleDebug,
                                               ProcThrdInfo,
                                               &hSnapShotSection);

  /*
   * Free the temporarily allocated memory which is no longer needed
   */
  TH32FreeAllocatedResources(HeapDebug,
                             ModuleDebug,
                             ProcThrdInfo,
                             ProcThrdInfoSize);

  if(!NT_SUCCESS(Status))
  {
    BaseSetLastNTError(Status);
    return NULL;
  }

  return hSnapShotSection;
}

Referenced by _DoDLLInjection(), fill_process(), GetProcessID(), IntGetImageBase(), IsBlockFromHeap(), PrintBugreport(), and ShutdownProcessTree().

Heap32First()

BOOL WINAPI Heap32First	(	LPHEAPENTRY32	,
		DWORD	,
		DWORD
	)

Definition at line 489 of file toolhelp.c.

{
  PRTL_DEBUG_INFORMATION DebugInfo;
  PRTL_HEAP_INFORMATION Heap;
  PRTLP_HEAP_ENTRY Block, LastBlock;
  ULONG i;
  NTSTATUS Status;

  CHECK_PARAM_SIZE(lphe, sizeof(HEAPENTRY32));

  DebugInfo = RtlCreateQueryDebugBuffer(0,
                                        FALSE);
  if (DebugInfo == NULL)
  {
    SetLastError(ERROR_NOT_ENOUGH_MEMORY);
    return FALSE;
  }

  Status = RtlQueryProcessDebugInformation(th32ProcessID,
                                           RTL_DEBUG_QUERY_HEAPS | RTL_DEBUG_QUERY_HEAP_BLOCKS,
                                           DebugInfo);

  if (NT_SUCCESS(Status))
  {
    Status = STATUS_NO_MORE_FILES;

    for (i = 0;
         i != DebugInfo->Heaps->NumberOfHeaps;
         i++)
    {
      Heap = &DebugInfo->Heaps->Heaps[i];

      if ((ULONG_PTR)Heap->BaseAddress == th32HeapID)
      {
        lphe->hHandle = (HANDLE)Heap->BaseAddress;
        lphe->dwAddress = 0;
        lphe->dwBlockSize = 0;
        lphe->dwFlags = 0;
        lphe->dwLockCount = 0;
        lphe->dwResvd = 0;
        lphe->th32ProcessID = th32ProcessID;
        lphe->th32HeapID = (ULONG_PTR)Heap->BaseAddress;

        Block = (PRTLP_HEAP_ENTRY)Heap->Entries;
        LastBlock = Block + Heap->NumberOfEntries;

        while (Block != LastBlock && (Block->Flags & PROCESS_HEAP_UNCOMMITTED_RANGE))
        {
          lphe->dwResvd++;
          lphe->dwAddress = (ULONG_PTR)((ULONG_PTR)Block->Address + Heap->EntryOverhead);
          Block++;
        }

        if (Block != LastBlock && lphe->dwResvd != 0)
        {
          lphe->dwBlockSize =  Block->Size;

          if (Block->Flags & 0x2F1) /* FIXME */
            lphe->dwFlags = LF32_FIXED;
          else if (Block->Flags & 0x20) /* FIXME */
            lphe->dwFlags = LF32_MOVEABLE;
          else if (Block->Flags & 0x100) /* FIXME */
            lphe->dwFlags = LF32_FREE;

          Status = STATUS_SUCCESS;
        }

        break;
      }
    }
  }

  RtlDestroyQueryDebugBuffer(DebugInfo);

  if (!NT_SUCCESS(Status))
  {
    BaseSetLastNTError(Status);
    return FALSE;
  }

  return TRUE;
}

Referenced by IsBlockFromHeap().

Heap32ListFirst()

BOOL WINAPI Heap32ListFirst	(	HANDLE	,
		LPHEAPLIST32
	)

Definition at line 669 of file toolhelp.c.

{
  PTH32SNAPSHOT Snapshot;
  LARGE_INTEGER SOffset;
  SIZE_T ViewSize;
  NTSTATUS Status;

  CHECK_PARAM_SIZE(lphl, sizeof(HEAPLIST32));

  SOffset.QuadPart = 0;
  ViewSize = 0;
  Snapshot = NULL;

  Status = NtMapViewOfSection(hSnapshot,
                              NtCurrentProcess(),
                              (PVOID*)&Snapshot,
                              0,
                              0,
                              &SOffset,
                              &ViewSize,
                              ViewShare,
                              0,
                              PAGE_READWRITE);
  if(NT_SUCCESS(Status))
  {
    BOOL Ret;

    if(Snapshot->HeapListCount > 0)
    {
      LPHEAPLIST32 Entries = (LPHEAPLIST32)OffsetToPtr(Snapshot, Snapshot->HeapListOffset);
      Snapshot->HeapListIndex = 1;
      RtlCopyMemory(lphl, &Entries[0], sizeof(HEAPLIST32));
      Ret = TRUE;
    }
    else
    {
      SetLastError(ERROR_NO_MORE_FILES);
      Ret = FALSE;
    }

    NtUnmapViewOfSection(NtCurrentProcess(), (PVOID)Snapshot);
    return Ret;
  }

  BaseSetLastNTError(Status);
  return FALSE;
}

Heap32ListNext()

BOOL WINAPI Heap32ListNext	(	HANDLE	,
		LPHEAPLIST32
	)

Definition at line 723 of file toolhelp.c.

{
  PTH32SNAPSHOT Snapshot;
  LARGE_INTEGER SOffset;
  SIZE_T ViewSize;
  NTSTATUS Status;

  CHECK_PARAM_SIZE(lphl, sizeof(HEAPLIST32));

  SOffset.QuadPart = 0;
  ViewSize = 0;
  Snapshot = NULL;

  Status = NtMapViewOfSection(hSnapshot,
                              NtCurrentProcess(),
                              (PVOID*)&Snapshot,
                              0,
                              0,
                              &SOffset,
                              &ViewSize,
                              ViewShare,
                              0,
                              PAGE_READWRITE);
  if(NT_SUCCESS(Status))
  {
    BOOL Ret;

    if(Snapshot->HeapListCount > 0 &&
       Snapshot->HeapListIndex < Snapshot->HeapListCount)
    {
      LPHEAPLIST32 Entries = (LPHEAPLIST32)OffsetToPtr(Snapshot, Snapshot->HeapListOffset);
      RtlCopyMemory(lphl, &Entries[Snapshot->HeapListIndex++], sizeof(HEAPLIST32));
      Ret = TRUE;
    }
    else
    {
      SetLastError(ERROR_NO_MORE_FILES);
      Ret = FALSE;
    }

    NtUnmapViewOfSection(NtCurrentProcess(), (PVOID)Snapshot);
    return Ret;
  }

  BaseSetLastNTError(Status);
  return FALSE;
}

Heap32Next()

BOOL WINAPI Heap32Next

(

LPHEAPENTRY32

)

Definition at line 578 of file toolhelp.c.

{
  PRTL_DEBUG_INFORMATION DebugInfo;
  PRTL_HEAP_INFORMATION Heap;
  PRTLP_HEAP_ENTRY Block, LastBlock;
  BOOLEAN FoundUncommitted = FALSE;
  ULONG i;
  NTSTATUS Status;

  CHECK_PARAM_SIZE(lphe, sizeof(HEAPENTRY32));

  DebugInfo = RtlCreateQueryDebugBuffer(0,
                                        FALSE);
  if (DebugInfo == NULL)
  {
    SetLastError(ERROR_NOT_ENOUGH_MEMORY);
    return FALSE;
  }

  Status = RtlQueryProcessDebugInformation(lphe->th32ProcessID,
                                           RTL_DEBUG_QUERY_HEAPS | RTL_DEBUG_QUERY_HEAP_BLOCKS,
                                           DebugInfo);

  if (NT_SUCCESS(Status))
  {
    Status = STATUS_NO_MORE_FILES;

    for (i = 0;
         i != DebugInfo->Heaps->NumberOfHeaps;
         i++)
    {
      Heap = &DebugInfo->Heaps->Heaps[i];

      if ((ULONG_PTR)Heap->BaseAddress == lphe->th32HeapID)
      {
        if (++lphe->dwResvd < Heap->NumberOfEntries)
        {
          lphe->dwFlags = 0;

          Block = (PRTLP_HEAP_ENTRY)Heap->Entries + lphe->dwResvd;
          LastBlock = (PRTLP_HEAP_ENTRY)Heap->Entries + Heap->NumberOfEntries;

          while (Block < LastBlock && (Block->Flags & PROCESS_HEAP_UNCOMMITTED_RANGE))
          {
            lphe->dwResvd++;
            lphe->dwAddress = (ULONG_PTR)((ULONG_PTR)Block->Address + Heap->EntryOverhead);
            FoundUncommitted = TRUE;
            Block++;
          }

          if (Block < LastBlock)
          {
            if (!FoundUncommitted)
              lphe->dwAddress += lphe->dwBlockSize;

            lphe->dwBlockSize =  Block->Size;

            if (Block->Flags & 0x2F1) /* FIXME */
              lphe->dwFlags = LF32_FIXED;
            else if (Block->Flags & 0x20) /* FIXME */
              lphe->dwFlags = LF32_MOVEABLE;
            else if (Block->Flags & 0x100) /* FIXME */
              lphe->dwFlags = LF32_FREE;

            Status = STATUS_SUCCESS;
          }
        }

        break;
      }
    }
  }

  RtlDestroyQueryDebugBuffer(DebugInfo);

  if (!NT_SUCCESS(Status))
  {
    BaseSetLastNTError(Status);
    return FALSE;
  }

  return TRUE;

}

Referenced by IsBlockFromHeap().

Module32First()

BOOL WINAPI Module32First	(	HANDLE	,
		LPMODULEENTRY32
	)

Definition at line 777 of file toolhelp.c.

{
  MODULEENTRY32W me;
  BOOL Ret;

  CHECK_PARAM_SIZEA(lpme, sizeof(MODULEENTRY32));

  me.dwSize = sizeof(MODULEENTRY32W);

  Ret = Module32FirstW(hSnapshot, &me);
  if(Ret)
  {
    lpme->th32ModuleID = me.th32ModuleID;
    lpme->th32ProcessID = me.th32ProcessID;
    lpme->GlblcntUsage = me.GlblcntUsage;
    lpme->ProccntUsage = me.ProccntUsage;
    lpme->modBaseAddr = me.modBaseAddr;
    lpme->modBaseSize = me.modBaseSize;
    lpme->hModule = me.hModule;

    WideCharToMultiByte(CP_ACP, 0, me.szModule, -1, lpme->szModule, sizeof(lpme->szModule), 0, 0);
    WideCharToMultiByte(CP_ACP, 0, me.szExePath, -1, lpme->szExePath, sizeof(lpme->szExePath), 0, 0);
  }

  return Ret;
}

Referenced by IntGetImageBase().

Module32FirstW()

BOOL WINAPI Module32FirstW	(	HANDLE	,
		LPMODULEENTRY32W
	)

Definition at line 810 of file toolhelp.c.

{
  PTH32SNAPSHOT Snapshot;
  LARGE_INTEGER SOffset;
  SIZE_T ViewSize;
  NTSTATUS Status;

  CHECK_PARAM_SIZE(lpme, sizeof(MODULEENTRY32W));

  SOffset.QuadPart = 0;
  ViewSize = 0;
  Snapshot = NULL;

  Status = NtMapViewOfSection(hSnapshot,
                              NtCurrentProcess(),
                              (PVOID*)&Snapshot,
                              0,
                              0,
                              &SOffset,
                              &ViewSize,
                              ViewShare,
                              0,
                              PAGE_READWRITE);
  if(NT_SUCCESS(Status))
  {
    BOOL Ret;

    if(Snapshot->ModuleListCount > 0)
    {
      LPMODULEENTRY32W Entries = (LPMODULEENTRY32W)OffsetToPtr(Snapshot, Snapshot->ModuleListOffset);
      Snapshot->ModuleListIndex = 1;
      RtlCopyMemory(lpme, &Entries[0], sizeof(MODULEENTRY32W));
      Ret = TRUE;
    }
    else
    {
      SetLastError(ERROR_NO_MORE_FILES);
      Ret = FALSE;
    }

    NtUnmapViewOfSection(NtCurrentProcess(), (PVOID)Snapshot);
    return Ret;
  }

  BaseSetLastNTError(Status);
  return FALSE;
}

Referenced by Module32First().

Module32Next()

BOOL WINAPI Module32Next	(	HANDLE	,
		LPMODULEENTRY32
	)

Definition at line 864 of file toolhelp.c.

{
  MODULEENTRY32W me;
  BOOL Ret;

  CHECK_PARAM_SIZEA(lpme, sizeof(MODULEENTRY32));

  me.dwSize = sizeof(MODULEENTRY32W);

  Ret = Module32NextW(hSnapshot, &me);
  if(Ret)
  {
    lpme->th32ModuleID = me.th32ModuleID;
    lpme->th32ProcessID = me.th32ProcessID;
    lpme->GlblcntUsage = me.GlblcntUsage;
    lpme->ProccntUsage = me.ProccntUsage;
    lpme->modBaseAddr = me.modBaseAddr;
    lpme->modBaseSize = me.modBaseSize;
    lpme->hModule = me.hModule;

    WideCharToMultiByte(CP_ACP, 0, me.szModule, -1, lpme->szModule, sizeof(lpme->szModule), 0, 0);
    WideCharToMultiByte(CP_ACP, 0, me.szExePath, -1, lpme->szExePath, sizeof(lpme->szExePath), 0, 0);
  }

  return Ret;
}

Referenced by IntGetImageBase().

Module32NextW()

BOOL WINAPI Module32NextW	(	HANDLE	,
		LPMODULEENTRY32W
	)

Definition at line 897 of file toolhelp.c.

{
  PTH32SNAPSHOT Snapshot;
  LARGE_INTEGER SOffset;
  SIZE_T ViewSize;
  NTSTATUS Status;

  CHECK_PARAM_SIZE(lpme, sizeof(MODULEENTRY32W));

  SOffset.QuadPart = 0;
  ViewSize = 0;
  Snapshot = NULL;

  Status = NtMapViewOfSection(hSnapshot,
                              NtCurrentProcess(),
                              (PVOID*)&Snapshot,
                              0,
                              0,
                              &SOffset,
                              &ViewSize,
                              ViewShare,
                              0,
                              PAGE_READWRITE);
  if(NT_SUCCESS(Status))
  {
    BOOL Ret;

    if((Snapshot->ModuleListCount > 0) &&
       (Snapshot->ModuleListIndex < Snapshot->ModuleListCount))
    {
      LPMODULEENTRY32W Entries = (LPMODULEENTRY32W)OffsetToPtr(Snapshot, Snapshot->ModuleListOffset);
      RtlCopyMemory(lpme, &Entries[Snapshot->ModuleListIndex++], sizeof(MODULEENTRY32W));
      Ret = TRUE;
    }
    else
    {
      SetLastError(ERROR_NO_MORE_FILES);
      Ret = FALSE;
    }

    NtUnmapViewOfSection(NtCurrentProcess(), (PVOID)Snapshot);
    return Ret;
  }

  BaseSetLastNTError(Status);
  return FALSE;
}

Referenced by Module32Next().

Process32First()

BOOL WINAPI Process32First	(	HANDLE	,
		LPPROCESSENTRY32
	)

Definition at line 951 of file toolhelp.c.

{
  PROCESSENTRY32W pe;
  BOOL Ret;

  CHECK_PARAM_SIZEA(lppe, sizeof(PROCESSENTRY32));

  pe.dwSize = sizeof(PROCESSENTRY32W);

  Ret = Process32FirstW(hSnapshot, &pe);
  if(Ret)
  {
    lppe->cntUsage = pe.cntUsage;
    lppe->th32ProcessID = pe.th32ProcessID;
    lppe->th32DefaultHeapID = pe.th32DefaultHeapID;
    lppe->th32ModuleID = pe.th32ModuleID;
    lppe->cntThreads = pe.cntThreads;
    lppe->th32ParentProcessID = pe.th32ParentProcessID;
    lppe->pcPriClassBase = pe.pcPriClassBase;
    lppe->dwFlags = pe.dwFlags;

    WideCharToMultiByte(CP_ACP, 0, pe.szExeFile, -1, lppe->szExeFile, sizeof(lppe->szExeFile), 0, 0);
  }

  return Ret;
}

Referenced by PrintBugreport().

Process32FirstW()

BOOL WINAPI Process32FirstW	(	HANDLE	,
		LPPROCESSENTRY32W
	)

Definition at line 984 of file toolhelp.c.

{
  PTH32SNAPSHOT Snapshot;
  LARGE_INTEGER SOffset;
  SIZE_T ViewSize;
  NTSTATUS Status;

  CHECK_PARAM_SIZE(lppe, sizeof(PROCESSENTRY32W));

  SOffset.QuadPart = 0;
  ViewSize = 0;
  Snapshot = NULL;

  Status = NtMapViewOfSection(hSnapshot,
                              NtCurrentProcess(),
                              (PVOID*)&Snapshot,
                              0,
                              0,
                              &SOffset,
                              &ViewSize,
                              ViewShare,
                              0,
                              PAGE_READWRITE);
  if(NT_SUCCESS(Status))
  {
    BOOL Ret;

    if(Snapshot->ProcessListCount > 0)
    {
      LPPROCESSENTRY32W Entries = (LPPROCESSENTRY32W)OffsetToPtr(Snapshot, Snapshot->ProcessListOffset);

      Snapshot->ProcessListIndex = 1;
      RtlCopyMemory(lppe, &Entries[0], sizeof(PROCESSENTRY32W));
      Ret = TRUE;
    }
    else
    {

      SetLastError(ERROR_NO_MORE_FILES);
      Ret = FALSE;
    }

    NtUnmapViewOfSection(NtCurrentProcess(), (PVOID)Snapshot);
    return Ret;
  }

  BaseSetLastNTError(Status);
  return FALSE;
}

Referenced by _DoDLLInjection(), fill_process(), GetProcessID(), Process32First(), and ShutdownProcessTreeHelper().

Process32Next()

BOOL WINAPI Process32Next	(	HANDLE	,
		LPPROCESSENTRY32
	)

Definition at line 1040 of file toolhelp.c.

{
  PROCESSENTRY32W pe;
  BOOL Ret;

  CHECK_PARAM_SIZEA(lppe, sizeof(PROCESSENTRY32));

  pe.dwSize = sizeof(PROCESSENTRY32W);

  Ret = Process32NextW(hSnapshot, &pe);
  if(Ret)
  {
    lppe->cntUsage = pe.cntUsage;
    lppe->th32ProcessID = pe.th32ProcessID;
    lppe->th32DefaultHeapID = pe.th32DefaultHeapID;
    lppe->th32ModuleID = pe.th32ModuleID;
    lppe->cntThreads = pe.cntThreads;
    lppe->th32ParentProcessID = pe.th32ParentProcessID;
    lppe->pcPriClassBase = pe.pcPriClassBase;
    lppe->dwFlags = pe.dwFlags;

    WideCharToMultiByte(CP_ACP, 0, pe.szExeFile, -1, lppe->szExeFile, sizeof(lppe->szExeFile), 0, 0);
  }

  return Ret;
}

Referenced by PrintBugreport().

Process32NextW()

BOOL WINAPI Process32NextW	(	HANDLE	,
		LPPROCESSENTRY32W
	)

Definition at line 1073 of file toolhelp.c.

{
  PTH32SNAPSHOT Snapshot;
  LARGE_INTEGER SOffset;
  SIZE_T ViewSize;
  NTSTATUS Status;

  CHECK_PARAM_SIZE(lppe, sizeof(PROCESSENTRY32W));

  SOffset.QuadPart = 0;
  ViewSize = 0;
  Snapshot = NULL;

  Status = NtMapViewOfSection(hSnapshot,
                              NtCurrentProcess(),
                              (PVOID*)&Snapshot,
                              0,
                              0,
                              &SOffset,
                              &ViewSize,
                              ViewShare,
                              0,
                              PAGE_READWRITE);
  if(NT_SUCCESS(Status))
  {
    BOOL Ret;

    if(Snapshot->ProcessListCount > 0 &&
       Snapshot->ProcessListIndex < Snapshot->ProcessListCount)
    {
      LPPROCESSENTRY32W Entries = (LPPROCESSENTRY32W)OffsetToPtr(Snapshot, Snapshot->ProcessListOffset);
      RtlCopyMemory(lppe, &Entries[Snapshot->ProcessListIndex++], sizeof(PROCESSENTRY32W));
      Ret = TRUE;
    }
    else
    {
      SetLastError(ERROR_NO_MORE_FILES);
      Ret = FALSE;
    }

    NtUnmapViewOfSection(NtCurrentProcess(), (PVOID)Snapshot);
    return Ret;
  }

  BaseSetLastNTError(Status);
  return FALSE;
}

Referenced by _DoDLLInjection(), fill_process(), GetProcessID(), Process32Next(), and ShutdownProcessTreeHelper().

Thread32First()

BOOL WINAPI Thread32First	(	HANDLE	,
		LPTHREADENTRY32
	)

Definition at line 1127 of file toolhelp.c.

{
  PTH32SNAPSHOT Snapshot;
  LARGE_INTEGER SOffset;
  SIZE_T ViewSize;
  NTSTATUS Status;

  CHECK_PARAM_SIZE(lpte, sizeof(THREADENTRY32));

  SOffset.QuadPart = 0;
  ViewSize = 0;
  Snapshot = NULL;

  Status = NtMapViewOfSection(hSnapshot,
                              NtCurrentProcess(),
                              (PVOID*)&Snapshot,
                              0,
                              0,
                              &SOffset,
                              &ViewSize,
                              ViewShare,
                              0,
                              PAGE_READWRITE);
  if(NT_SUCCESS(Status))
  {
    BOOL Ret;

    if(Snapshot->ThreadListCount > 0)
    {
      LPTHREADENTRY32 Entries = (LPTHREADENTRY32)OffsetToPtr(Snapshot, Snapshot->ThreadListOffset);
      Snapshot->ThreadListIndex = 1;
      RtlCopyMemory(lpte, &Entries[0], sizeof(THREADENTRY32));
      Ret = TRUE;
    }
    else
    {
      SetLastError(ERROR_NO_MORE_FILES);
      Ret = FALSE;
    }

    NtUnmapViewOfSection(NtCurrentProcess(), (PVOID)Snapshot);
    return Ret;
  }

  BaseSetLastNTError(Status);
  return FALSE;
}

Thread32Next()

BOOL WINAPI Thread32Next	(	HANDLE	,
		LPTHREADENTRY32
	)

Definition at line 1181 of file toolhelp.c.

{
  PTH32SNAPSHOT Snapshot;
  LARGE_INTEGER SOffset;
  SIZE_T ViewSize;
  NTSTATUS Status;

  CHECK_PARAM_SIZE(lpte, sizeof(THREADENTRY32));

  SOffset.QuadPart = 0;
  ViewSize = 0;
  Snapshot = NULL;

  Status = NtMapViewOfSection(hSnapshot,
                              NtCurrentProcess(),
                              (PVOID*)&Snapshot,
                              0,
                              0,
                              &SOffset,
                              &ViewSize,
                              ViewShare,
                              0,
                              PAGE_READWRITE);
  if(NT_SUCCESS(Status))
  {
    BOOL Ret;

    if(Snapshot->ThreadListCount > 0 &&
       Snapshot->ThreadListIndex < Snapshot->ThreadListCount)
    {
      LPTHREADENTRY32 Entries = (LPTHREADENTRY32)OffsetToPtr(Snapshot, Snapshot->ThreadListOffset);
      RtlCopyMemory(lpte, &Entries[Snapshot->ThreadListIndex++], sizeof(THREADENTRY32));
      Ret = TRUE;
    }
    else
    {
      SetLastError(ERROR_NO_MORE_FILES);
      Ret = FALSE;
    }

    NtUnmapViewOfSection(NtCurrentProcess(), (PVOID)Snapshot);
    return Ret;
  }

  BaseSetLastNTError(Status);
  return FALSE;
}

Toolhelp32ReadProcessMemory()

BOOL WINAPI Toolhelp32ReadProcessMemory	(	DWORD	,
		LPCVOID	,
		LPVOID	,
		SIZE_T	,
		SIZE_T *
	)

Definition at line 1235 of file toolhelp.c.

{
  HANDLE hProcess = OpenProcess(PROCESS_VM_READ, FALSE, th32ProcessID);
  if(hProcess != NULL)
  {
    BOOL Ret = ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, cbRead, lpNumberOfBytesRead);
    CloseHandle(hProcess);
    return Ret;
  }

  return FALSE;
}