Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
4.1k views
in Technique[技术] by (71.8m points)

c++ - CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, PID) returns INVALID_HANDLE_VALUE

The code:

#include <iostream>
#include <Windows.h>
#include <TlHelp32.h>
using namespace std;

DWORD GetPID(const char* ProcessName) {...}

MODULEENTRY32 GetModule(const char* moduleName, unsigned long long ProcessID) {
    MODULEENTRY32 modEntry = { 0 };
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, ProcessID);

    cout << "Started looking for module " << moduleName << " with PID " << ProcessID << "..." << endl;

    if (hSnapshot == NULL || hSnapshot == INVALID_HANDLE_VALUE) {
        cout << GetLastError() << endl;
        cout << "Taking snapshot failed. 4" << endl << "Last error:" << GetLastError() << endl;
    }
    else {
        cout << "Modules snapshot had been took successfully!" << endl;
        cout << "Starting modulelist scan..." << endl;

        MODULEENTRY32 curr = { 0 };

        curr.dwSize = sizeof(MODULEENTRY32);
        if (Module32First(hSnapshot, &curr)) {
            do {
                if (!strcmp(curr.szModule, moduleName)) {
                    cout << "Found " << curr.szModule << " at " << curr.th32ModuleID << " (PID: " << curr.th32ProcessID << ")" << endl;
                    modEntry = curr;
                    break;
                }
                cout << "Found " << curr.szModule << " at " << curr.th32ModuleID << " (PID: " << curr.th32ProcessID << ")" << endl;
            } while (Module32Next(hSnapshot, &curr));
        }
        CloseHandle(hSnapshot);
    }
    return modEntry;
}
int main() {
     unsigned long long pid = GetPID("Process.exe");
     MODULEENTRY32 module = GetModule("process.exe", pid);
}

I always get INVALID_HANDLE_VALUE, no matter what the PID is. HANDLE ProcessesSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL) is called in GetPID and works perfectly. But if we set ProcessID = 0, the output is:

Started looking for module Process.exe with PID 0...
Modules snapshot had been took successfully!
Starting modulelist scan...
Found MCBEBot.exe at 1 (PID: 13180)
Found ntdll.dll at 1 (PID: 13180)
Found KERNEL32.DLL at 1 (PID: 13180)
Found KERNELBASE.dll at 1 (PID: 13180)
Found ucrtbase.dll at 1 (PID: 13180)
Found MSVCP140.dll at 1 (PID: 13180)
Found VCRUNTIME140.dll at 1 (PID: 13180)
Found VCRUNTIME140_1.dll at 1 (PID: 13180)
Found sechost.dll at 1 (PID: 13180)
Found RPCRT4.dll at 1 (PID: 13180)

What is wrong? How do I get a real module snapshot by PID? Why am I getting INVALID_HANDLE_VALUE? I tried to switch between x86 and x64, but it did not help.

The GetPID() function returns the right PID.

I will appreciate any help!


Fight the dragon too long and you become the dragon yourself; gaze into the abyss too long and the abyss gazes back…

1 Answer

0 votes
by (71.8m points)

I rebuilt the code, and this helped!

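MODULEENTRY32 GetModule(const char* ModuleName, unsigned long long ProcessID) {
    HANDLE ModuleSnapshot = INVALID_HANDLE_VALUE;
    MODULEENTRY32 ModuleEntry = { 0 };  // zeroed, so a failed lookup returns an empty entry

    ModuleSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, static_cast<DWORD>(ProcessID));
    if (ModuleSnapshot == INVALID_HANDLE_VALUE) {
        cout << "Failed while snapshotting modules. 4" << endl;
        system("pause");  // moved before the return; it was unreachable after it
        return ModuleEntry;
    }
    // dwSize must be set before the first Module32First call
    ModuleEntry.dwSize = sizeof(MODULEENTRY32);
    cout << "Scanning for modules on PID " << ProcessID << "..." << endl;

    if (!Module32First(ModuleSnapshot, &ModuleEntry)) {
        // Empty or unreadable module list: return a zeroed entry
        CloseHandle(ModuleSnapshot);
        ModuleEntry = { 0 };
        return ModuleEntry;
    }
    while (true) {
        cout << "Found module: \"" << ModuleEntry.szModule << "\" at " << ModuleEntry.th32ModuleID << " (PID: " << ModuleEntry.th32ProcessID << ")" << endl;
        if (!strcmp(ModuleEntry.szModule, ModuleName) && ModuleEntry.th32ModuleID == 1) {break;}
        if (!Module32Next(ModuleSnapshot, &ModuleEntry)) {
            // End of the list without a match: stop instead of looping forever
            ModuleEntry = { 0 };
            break;
        }
    }

    CloseHandle(ModuleSnapshot);
    return ModuleEntry;
}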

P. S. while (true) {...} construction is rather dangerous, do not use that!
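An added example, not part of the original question or answer: a module-snapshot wrapper that captures the error code right at the failing call, retries only on ERROR_BAD_LENGTH (the one code the CreateToolhelp32Snapshot documentation says to retry), and names the documented 32-bit-caller/64-bit-target failure (ERROR_PARTIAL_COPY). The names SnapshotModules, Explain, WinSnap and SnapFn are hypothetical, and the snapshot call is injected so the logic can be exercised without a live target process.

```cpp
// Added example, not the poster's code. SnapshotModules, Explain, WinSnap are hypothetical names.
#include <stdint.h>
#include <functional>
#include <string>
#ifdef _WIN32
#include <Windows.h>
#include <TlHelp32.h>
#else  // constructed stand-ins so the retry logic also builds off Windows
typedef void* HANDLE;
typedef uint32_t DWORD;
#define INVALID_HANDLE_VALUE ((HANDLE)(intptr_t)-1)
const DWORD ERROR_ACCESS_DENIED = 5, ERROR_BAD_LENGTH = 24, ERROR_PARTIAL_COPY = 299;
#endif

struct SnapResult { HANDLE handle; DWORD error; int attempts; };
// The snapshot call is injected: it returns the handle and stores the error code.
using SnapFn = std::function<HANDLE(DWORD pid, DWORD* err)>;

SnapResult SnapshotModules(DWORD pid, const SnapFn& snap, int maxTries = 10) {
    SnapResult r{INVALID_HANDLE_VALUE, 0, 0};
    while (r.attempts < maxTries) {
        ++r.attempts;
        r.handle = snap(pid, &r.error);
        if (r.handle != INVALID_HANDLE_VALUE) { r.error = 0; break; }
        if (r.error != ERROR_BAD_LENGTH) break;  // the only code documented as retryable
    }
    return r;
}

std::string Explain(DWORD err) {
    switch (err) {
    case 0:                   return "ok";
    case ERROR_BAD_LENGTH:    return "module list kept changing; retries exhausted";
    case ERROR_PARTIAL_COPY:  return "32-bit caller, 64-bit target: build the tool as x64";
    case ERROR_ACCESS_DENIED: return "access denied opening the target process";
    default:                  return "unexpected error " + std::to_string(err);
    }
}

#ifdef _WIN32
HANDLE WinSnap(DWORD pid, DWORD* err) {  // pid 0 means the calling process
    HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid);
    *err = (h == INVALID_HANDLE_VALUE) ? GetLastError() : 0;  // read before any other call
    return h;
}
#endif
```

On Windows, call `SnapshotModules(pid, WinSnap)` and print `Explain(result.error)` when the handle is INVALID_HANDLE_VALUE; close a valid handle with CloseHandle once the module walk is done.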

