Microsoft changed the WIN32_FIND_DATA declaration and added 3 new properties - winapi

The current Microsoft documentation shows the following declaration for the WIN32_FIND_DATA structure:
/* ANSI variant of the FindFirstFile/FindNextFile record, as shown on the current docs page. */
typedef struct _WIN32_FIND_DATAA {
DWORD dwFileAttributes;          /* FILE_ATTRIBUTE_* bits */
FILETIME ftCreationTime;
FILETIME ftLastAccessTime;
FILETIME ftLastWriteTime;
DWORD nFileSizeHigh;             /* file size, high 32 bits */
DWORD nFileSizeLow;              /* file size, low 32 bits */
DWORD dwReserved0;
DWORD dwReserved1;
CHAR cFileName[MAX_PATH];        /* NUL-terminated name (ANSI) */
CHAR cAlternateFileName[14];     /* 8.3 short name, may be empty */
/* NOTE(review): documented, but in the Windows SDK header (minwinbase.h) these
 * three members are, as far as I can tell, only compiled under #ifdef _MAC, so a
 * normal Windows build of the structure ends at cAlternateFileName. Do not bake
 * them into a hand-written FFI layout or a sizeof() sent to the API. */
DWORD dwFileType;
DWORD dwCreatorType;
WORD wFinderFlags;
} WIN32_FIND_DATAA, *PWIN32_FIND_DATAA, *LPWIN32_FIND_DATAA;
My personal knowledge of the declaration is:
/* TCHAR form of the record: TCHAR is CHAR or WCHAR depending on whether UNICODE
 * is defined, so this is the A or the W structure, not a third layout. */
typedef struct _WIN32_FIND_DATA {
DWORD dwFileAttributes;          /* FILE_ATTRIBUTE_* bits */
FILETIME ftCreationTime;
FILETIME ftLastAccessTime;
FILETIME ftLastWriteTime;
DWORD nFileSizeHigh;             /* file size, high 32 bits */
DWORD nFileSizeLow;              /* file size, low 32 bits */
DWORD dwReserved0;
DWORD dwReserved1;
TCHAR cFileName[MAX_PATH];       /* NUL-terminated name */
TCHAR cAlternateFileName[14];    /* 8.3 short name, may be empty */
} WIN32_FIND_DATA, *PWIN32_FIND_DATA, *LPWIN32_FIND_DATA;
Microsoft added these 3 new properties:
DWORD dwFileType;
DWORD dwCreatorType;
WORD wFinderFlags;
The current Microsoft documentation does not describe these three fields at all. (For what it is worth, in the Windows SDK's minwinbase.h these members appear only inside an `#ifdef _MAC` block — a leftover from the old Macintosh-hosted SDK — so on a normal Windows build the structure still ends at cAlternateFileName.)
Does anyone have more information about the new properties?
Some other questions:
Which declaration should a developer use now, the old one or the new one?
What about backward compatibility with older Windows versions?


get processor architecture in MQL

I call GetNativeSystemInfo from the Windows API, but when I declare the structure the way Microsoft does I cannot read the parameter correctly.
At first I used this structure:
// First attempt. Two problems are visible from the declaration alone:
// 1. `union DUMMYUNIONNAME { ... };` declares a nested *type*, not a member of
//    _SYSTEM_INFO, so wProcessorArchitecture is not reachable through the
//    struct at all — which matches the error described below.
// 2. Every field is `int` (4 bytes), whereas in the Win32 SYSTEM_INFO the
//    wProcessorArchitecture/wReserved/wProcessorLevel/wProcessorRevision members
//    are 16-bit WORDs and the two address limits and the mask are pointer-sized
//    (8 bytes in a 64-bit terminal), so the offsets would not line up anyway.
struct _SYSTEM_INFO {
union DUMMYUNIONNAME {            // type declaration only — no member instance
int dwOemId;
struct DUMMYSTRUCTNAME {
int wProcessorArchitecture;       // WORD (2 bytes) in Win32
int wReserved;                    // WORD (2 bytes) in Win32
};
};
int dwPageSize;
int lpMinimumApplicationAddress;  // pointer-sized in Win32
int lpMaximumApplicationAddress;  // pointer-sized in Win32
int dwActiveProcessorMask;        // DWORD_PTR in Win32
int dwNumberOfProcessors;
int dwProcessorType;
int dwAllocationGranularity;
int wProcessorLevel;              // WORD (2 bytes) in Win32
int wProcessorRevision;           // WORD (2 bytes) in Win32
};
but I cannot access the wProcessorArchitecture member.
I also tried editing the structure like this:
// Second attempt. In Win32, dwOemId is a union over the two WORDs
// wProcessorArchitecture and wReserved; declaring it as its own 4-byte member
// pushes every later field down by four bytes, so the member named
// wProcessorArchitecture actually lands on Win32's dwPageSize — presumably the
// 4096 reported below.
struct _SYSTEM_INFO
{
int dwOemId;                     // overlays the next two WORDs in Win32, not a separate slot
uint wProcessorArchitecture;     // reads Win32's dwPageSize at this offset
ulong wReserved;                 // 8 bytes where Win32 has a 2-byte WORD
int dwPageSize;
ulong lpMinimumApplicationAddress;
ulong lpMaximumApplicationAddress;
ulong dwActiveProcessorMask;
int dwNumberOfProcessors;
int dwProcessorType;
int dwAllocationGranularity;
ulong wProcessorLevel;           // WORD (2 bytes) in Win32
ulong wProcessorRevision;        // WORD (2 bytes) in Win32
};
Now, when I read wProcessorArchitecture it returns 4096, but MSDN says the possible values are:
9
5
12
6
0
Can anyone help me?
This is my entire MQL5 code:
// Full listing of the second attempt. The widths still do not follow the Win32
// SYSTEM_INFO layout: dwOemId is a union over the two WORDs
// wProcessorArchitecture/wReserved (so it must not be a separate member), the
// address limits and the mask are pointer-sized, and wProcessorLevel /
// wProcessorRevision are WORDs. With dwOemId as its own 4-byte member the
// field named wProcessorArchitecture sits on Win32's dwPageSize — presumably
// the 4096 reported above.
struct _SYSTEM_INFO
{
uint dwOemId;                    // overlays the next two WORDs in Win32, not a separate slot
uint wProcessorArchitecture;     // reads Win32's dwPageSize at this offset
ulong wReserved;                 // 8 bytes where Win32 has a 2-byte WORD
uint dwPageSize;
ulong lpMinimumApplicationAddress;
ulong lpMaximumApplicationAddress;
ulong dwActiveProcessorMask;
uint dwNumberOfProcessors;
uint dwProcessorType;
uint dwAllocationGranularity;
ulong wProcessorLevel;           // WORD (2 bytes) in Win32
ulong wProcessorRevision;        // WORD (2 bytes) in Win32
};
#import "kernel32.dll"
void GetNativeSystemInfo(_SYSTEM_INFO &lpSystemInfo);   // the DLL fills the struct through the reference
#import
// NOTE(review): declared int but returns nothing; MQL5 expects INIT_SUCCEEDED here.
int OnInit()
{
_SYSTEM_INFO hos;
GetNativeSystemInfo(hos);
Alert(hos.wProcessorArchitecture);
}
Try the following. The two leading fields are 16-bit WORDs that together overlay dwOemId, so dwOemId must not be declared as a separate member: doing so shifts every later field by four bytes, which is why your struct read the page size (4096) where the architecture should be.
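// SYSTEM_INFO laid out for the 64-bit terminal. Field widths follow the Win32
// declaration: the first two members are 16-bit WORDs (together they overlay
// the DWORD dwOemId, which is why dwOemId is not a separate member), the two
// address limits and the processor mask are pointer-sized (8 bytes here), the
// remaining members are DWORDs except the two trailing WORDs.
// NOTE(review): in a 32-bit terminal the three ulong members would be uint.
struct _SYSTEM_INFO
{
   ushort wProcessorArchitecture;     // 9 = AMD64, 5 = ARM, 12 = ARM64, 6 = IA64, 0 = x86
   ushort wReserved;
   uint   dwPageSize;                 // 4096 on x86/x64 — presumably what the misaligned struct was reading
   ulong  lpMinimumApplicationAddress;
   ulong  lpMaximumApplicationAddress;
   ulong  dwActiveProcessorMask;
   uint   dwNumberOfProcessors;
   uint   dwProcessorType;
   uint   dwAllocationGranularity;
   ushort wProcessorLevel;
   ushort wProcessorRevision;
};
#import "kernel32.dll"
void GetNativeSystemInfo(_SYSTEM_INFO &lpSystemInfo);   // fills the whole struct through the reference
#import
int OnInit()
{
   _SYSTEM_INFO hos;
   GetNativeSystemInfo(hos);
   Alert(hos.wProcessorArchitecture);
   return(INIT_SUCCEEDED);            // OnInit must report a result; it previously fell off the end
}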

Windows Cmd Hook not working

I am trying to hook CreateProcess inside cmd.exe.
I manage to inject the DLL into the cmd process, but right after the injection I receive the DLL's process-detach message and the CreateProcess hook never fires.
I am using EasyHook.
My code:
#include <windows.h>
#include <Shlwapi.h>
#include <tchar.h>
#include <stdio.h>
#include <strsafe.h>
#include <easyhook.h>
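/* Replacement for kernel32!CreateProcessW installed by LhInstallHook in DllMain.
 * The parameter types are the explicit W variants: the hook must match
 * CreateProcessW's signature exactly, and the TCHAR types used before only do so
 * in a UNICODE build. Logs, then forwards every argument to the real function
 * and returns its result unchanged. */
BOOL WINAPI myCreateProcess(
_In_opt_    LPCWSTR               lpApplicationName,
_Inout_opt_ LPWSTR                lpCommandLine,
_In_opt_    LPSECURITY_ATTRIBUTES lpProcessAttributes,
_In_opt_    LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_        BOOL                  bInheritHandles,
_In_        DWORD                 dwCreationFlags,
_In_opt_    LPVOID                lpEnvironment,
_In_opt_    LPCWSTR               lpCurrentDirectory,
_In_        LPSTARTUPINFOW        lpStartupInfo,
_Out_       LPPROCESS_INFORMATION lpProcessInformation
){
OutputDebugStringW(L"\n !!!!!! In CreateProcess HOOK\n !!!!!!!!");
/* The previous version passed lpCommandLine in the lpCurrentDirectory slot, so
 * every hooked launch was given its command line as working directory. */
return CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes,
                      lpThreadAttributes, bInheritHandles, dwCreationFlags,
                      lpEnvironment, lpCurrentDirectory, lpStartupInfo,
                      lpProcessInformation);
}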
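/* EasyHook-based installer for the CreateProcessW hook.
 * Installs the hook on DLL_PROCESS_ATTACH, logs the other notifications, and
 * always returns TRUE at the end. The previous version fell off the end of the
 * function with no return value, so the loader saw an arbitrary attach result;
 * a FALSE there unloads the DLL at once, which would explain "process Detach"
 * arriving right after "Injection Succeed". It also referenced an undefined
 * DataBuffer in three unused locals, which are dropped here. */
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
(void)hModule;
(void)lpReserved;

switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
HOOK_TRACE_INFO hHook = { NULL }; /* keep track of our hook */
ULONG ACLEntries[1] = { 0 };
HMODULE kernel32 = GetModuleHandleW(L"kernel32");
FARPROC target = kernel32 ? GetProcAddress(kernel32, "CreateProcessW") : NULL;
NTSTATUS result;

if (target == NULL)
{
OutputDebugStringW(L"!!!!!!!!!!!FAIL!!!!!!!! CreateProcessW not found");
return FALSE;
}
/* NOTE(review): this runs under the loader lock; EasyHook's own guidance is to
 * install hooks from a thread of your own rather than from DllMain. Unchanged. */
result = LhInstallHook((void *)target, myCreateProcess, NULL, &hHook);
/* NTSTATUS failure codes have the sign bit set, so FAILED() is a valid test. */
if (FAILED(result))
{
OutputDebugStringW(L"!!!!!!!!!!!FAIL!!!!!!!!");
/* Previously `return 1` (TRUE) kept a DLL resident whose only job had failed;
 * FALSE lets the loader unload it. */
return FALSE;
}
/* In EasyHook an ACL entry of 0 stands for the calling thread. NOTE(review): an
 * *inclusive* ACL of {0} therefore limits the hook to this loader thread, which
 * exits as soon as LoadLibrary returns; LhSetExclusiveACL(ACLEntries, 1, &hHook)
 * would hook every other thread instead. Left as the author wrote it. */
LhSetInclusiveACL(ACLEntries, 1, &hHook);
OutputDebugStringW(L"!!!!!!!!!!!!Injection Succeed!!!!!!!!!!!!");
break;
}
case DLL_THREAD_ATTACH:
OutputDebugStringW(L"!!!!!!!!!!!!dll thread attach!!!!!!!!!!!!");
break;
case DLL_THREAD_DETACH:
OutputDebugStringW(L"!!!!!!!!!!!!dll thread Detach!!!!!!!!!!!!");
break;
case DLL_PROCESS_DETACH:
OutputDebugStringW(L"!!!!!!!!!!!!dll process Detach!!!!!!!!!!!!");
break;
}
return TRUE;
}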
I receive the "Injection Succeed" message and, right after it, the "dll process Detach" message.
Any ideas?
Try changing `LhSetInclusiveACL(ACLEntries, 1, &hHook);` to `LhSetExclusiveACL(ACLEntries, 1, &hHook);`. In EasyHook a thread ID of 0 in the ACL stands for the calling thread, so an inclusive ACL of {0} hooks only the injected loader thread — which exits as soon as LoadLibrary returns — while the exclusive form hooks every thread except that one.
Also note that your DllMain has no `return TRUE;` after the switch, so the loader gets an undefined attach result; if it happens to read as FALSE the DLL is unloaded immediately, which would produce exactly the detach message you see.

Unformat value after using WinApi (Automation) function VarFormat (oleaut32.dll)?

Is it possible to unformat value which was formatted with VarFormat function (oleaut32.dll)?
Function description:
/* Formats pvarIn into text using a VB-style format string and returns it in
 * *pbstrOut. The BSTR is allocated by the callee; the caller frees it with
 * SysFreeString. NOTE(review): formatting is lossy (rounding, digit grouping,
 * locale-specific symbols), and as far as I know oleaut32 exports no inverse
 * "VarUnformat" — parsing the text back goes through VarXxxFromStr /
 * VariantChangeType and only works when the format kept enough information. */
HRESULT VarFormat(
_In_ LPVARIANT pvarIn,          /* value to format */
_In_opt_ LPOLESTR pstrFormat,   /* format string, e.g. "#,##0.00"; NULL/empty presumably means the default conversion */
_In_ int iFirstDay,             /* first day of week for date formats */
_In_ int iFirstWeek,            /* first week of year for date formats */
_In_ ULONG dwFlags,             /* VAR_* flags */
_Out_ BSTR *pbstrOut            /* receives the formatted text; caller owns it */
);

Can you define nested structs/unions in Ruby Fiddle?

I'm using Fiddle to make some Win32 system calls. However, I can't find any documentation on how to define a signature for a struct that contains nested structs or unions.
Is this possible at all? Are there any examples anywhere? All I find are references to declaring flat structs with basic types.
Example struct:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa366798(v=vs.85).aspx
/* One entry returned by HeapWalk (see the linked MSDN page for the field
 * semantics). The trailing member is an anonymous union: Block and Region
 * occupy the same bytes, and wFlags says which one is meaningful. For an FFI
 * layout that cannot express unions, declare the union as the larger of the
 * two alternatives (or a raw byte array of that size, padded to the pointer
 * alignment) and decode it by hand according to wFlags. */
typedef struct _PROCESS_HEAP_ENTRY {
PVOID lpData;              /* start of the block or region described */
DWORD cbData;              /* size of the data in bytes */
BYTE cbOverhead;           /* allocator bookkeeping bytes in front of the data */
BYTE iRegionIndex;         /* which heap region the entry belongs to */
WORD wFlags;               /* PROCESS_HEAP_* bits; selects Block vs. Region below */
union {
struct {
HANDLE hMem;               /* handle of a moveable block */
DWORD dwReserved[3];
} Block;                   /* valid when wFlags marks a block entry */
struct {
DWORD dwCommittedSize;
DWORD dwUnCommittedSize;
LPVOID lpFirstBlock;
LPVOID lpLastBlock;
} Region;                  /* valid when wFlags marks a region entry */
};
} PROCESS_HEAP_ENTRY, *LPPROCESS_HEAP_ENTRY;

How to detect if SendMessage() API is called

I have a first program (written against the Win32 API) that makes heavy use of SendMessage(); it is finished and works.
I want to write a second program that can detect when the first one calls SendMessage() and, if possible, capture its arguments (HWND, WPARAM, LPARAM, ...).
Does anyone know a solution for this?
The DLLStudy.dll:
EDIT: ok, this is what I have so far.
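#include <windows.h>
#include <string.h>

/* Number of bytes patched at the start of MessageBoxW: a 5-byte "JMP rel32"
 * followed by one 0xC3 (RET) byte that the original author included. The same
 * SIZE bytes are saved, written and restored everywhere below. */
#define SIZE 6

typedef int (WINAPI *pMessageBoxW)(HWND, LPCWSTR, LPCWSTR, UINT);

int WINAPI MyMessageBoxW(HWND, LPCWSTR, LPCWSTR, UINT);
void BeginRedirect(LPVOID);
static BOOL WriteCode(const BYTE *bytes);

pMessageBoxW pOrigMBAddress = NULL;   /* real user32!MessageBoxW, resolved in DllMain */
BYTE oldBytes[SIZE] = {0};            /* original prologue bytes, kept for unhooking */
BYTE JMP[SIZE] = {0};                 /* the patch: E9 <rel32> C3 */
static BOOL hooked = FALSE;           /* TRUE only after the patch was really written */

/* Copy SIZE bytes over the start of MessageBoxW.
 * The page is made writable only for the copy and its previous protection is
 * put back afterwards, so the code page does not stay RWX. Returns FALSE and
 * writes nothing if VirtualProtect fails. The previous version passed NULL as
 * VirtualProtect's lpflOldProtect out-parameter, which makes the call itself
 * fail (and, as a side effect, left the page RWX after the first patch). */
static BOOL WriteCode(const BYTE *bytes)
{
DWORD previous = 0;
if (!VirtualProtect((LPVOID)pOrigMBAddress, SIZE, PAGE_EXECUTE_READWRITE, &previous))
return FALSE;
memcpy((void *)pOrigMBAddress, bytes, SIZE);
/* Documented contract for self-modified code (a no-op on x86, required elsewhere). */
FlushInstructionCache(GetCurrentProcess(), (LPCVOID)pOrigMBAddress, SIZE);
VirtualProtect((LPVOID)pOrigMBAddress, SIZE, previous, &previous);
return TRUE;
}

/* Resolves MessageBoxW on attach and installs the inline hook; restores the
 * original bytes on detach. Always returns TRUE. */
INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
{
(void)hDLL;
(void)Reserved;
switch(Reason)
{
case DLL_PROCESS_ATTACH:
/* NOTE(review): calling user32 (MessageBoxA) from DllMain runs under the loader
 * lock and is documented as unsafe; kept only as the author's "did it load" probe. */
MessageBoxA(NULL, "Test", "OK", MB_OK);
/* GetModuleHandleW explicitly: the wide literal only compiled with the TCHAR
 * GetModuleHandle in a UNICODE build. */
pOrigMBAddress = (pMessageBoxW)
GetProcAddress(GetModuleHandleW(L"user32.dll"), "MessageBoxW");
if(pOrigMBAddress != NULL)
BeginRedirect(MyMessageBoxW);
break;
case DLL_PROCESS_DETACH:
/* Restore only if we actually patched; the previous version memcpy'd
 * unconditionally, including through a NULL pOrigMBAddress when
 * GetProcAddress had failed. */
if (hooked && WriteCode(oldBytes))
hooked = FALSE;
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}

/* Install the inline hook: "E9 rel32" at the start of MessageBoxW jumping to
 * newFunction. Saves the displaced bytes first so they can be restored. */
void BeginRedirect(LPVOID newFunction)
{
BYTE tempJMP[SIZE] = {0xE9, 0x90, 0x90, 0x90, 0x90, 0xC3};
/* rel32 is relative to the end of the 5-byte JMP. Computed at pointer width
 * rather than through DWORD casts so nothing is truncated on x64; the hook is
 * refused if the target lies outside the +/-2 GiB reach of JMP rel32. */
LONG_PTR rel = (LONG_PTR)((ULONG_PTR)newFunction - ((ULONG_PTR)pOrigMBAddress + 5));
LONG rel32;
if (rel > 0x7FFFFFFFLL || rel < -0x7FFFFFFFLL - 1)
return;
rel32 = (LONG)rel;
memcpy(JMP, tempJMP, SIZE);
memcpy(&JMP[1], &rel32, sizeof rel32);
memcpy(oldBytes, (const void *)pOrigMBAddress, SIZE);
hooked = WriteCode(JMP);
}

/* Hook body: unpatch, forward to the real MessageBoxW, repatch.
 * NOTE(review): the unpatch/call/repatch window is not thread-safe — another
 * thread calling MessageBoxW meanwhile bypasses the hook, and a thread entering
 * the function while the bytes are being swapped can fault. A trampoline that
 * preserves the displaced prologue would remove the window; not changed here. */
int WINAPI MyMessageBoxW(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uiType)
{
int retValue;
DWORD lastError;
/* With the patch still in place, calling MessageBoxW would only re-enter this
 * hook, so a failed restore must bail out rather than recurse. */
if (!WriteCode(oldBytes))
return 0;
retValue = MessageBoxW(hWnd, lpText, lpCaption, uiType);
lastError = GetLastError();   /* keep the callee's error code across the repatch */
hooked = WriteCode(JMP);
SetLastError(lastError);
return retValue;
}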
The Injector.cpp
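#include <windows.h>
#include <iostream>
using namespace std;

char const Path[]="DLLStudy.dll";

/* Loads the DLL whose absolute path is `fullPath` (pathBytes = length + NUL)
 * into process `pid` by writing the path into the target and running
 * LoadLibraryA on a remote thread. Returns true when LoadLibraryA reported
 * success (non-zero HMODULE in the thread exit code — only the low 32 bits,
 * enough for a zero/non-zero test). Handles and the remote buffer are released
 * on every path; the previous version checked nothing and leaked the thread
 * handle. */
static bool InjectDll(DWORD pid, const char *fullPath, SIZE_T pathBytes)
{
bool ok = false;

/* Least privilege: only the rights allocate/write/create-thread need, not
 * PROCESS_ALL_ACCESS. */
HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                              PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                              FALSE, pid);
if (hProcess == NULL) {
cerr << "OpenProcess failed: " << GetLastError() << endl;
return false;
}

/* The buffer only ever holds a string, so it need not be executable (the
 * previous version asked for PAGE_EXECUTE_READWRITE). */
LPVOID remoteBuf = VirtualAllocEx(hProcess, NULL, pathBytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (remoteBuf == NULL) {
cerr << "VirtualAllocEx failed: " << GetLastError() << endl;
} else {
SIZE_T written = 0;
/* kernel32 is mapped at the same base in every process of one boot session,
 * so the local address of LoadLibraryA is valid in the target — assuming the
 * target has the same bitness as this injector. */
HMODULE k32 = GetModuleHandleA("kernel32.dll");
FARPROC loadLibrary = k32 ? GetProcAddress(k32, "LoadLibraryA") : NULL;

if (loadLibrary == NULL) {
cerr << "LoadLibraryA not found" << endl;
} else if (!WriteProcessMemory(hProcess, remoteBuf, fullPath, pathBytes, &written) || written != pathBytes) {
cerr << "WriteProcessMemory failed: " << GetLastError() << endl;
} else {
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
                                    (LPTHREAD_START_ROUTINE)loadLibrary,
                                    remoteBuf, 0, NULL);
if (hThread == NULL) {
cerr << "CreateRemoteThread failed: " << GetLastError() << endl;
} else {
DWORD exitCode = 0;
WaitForSingleObject(hThread, INFINITE);
if (GetExitCodeThread(hThread, &exitCode) && exitCode != 0)
ok = true;
else
cerr << "LoadLibraryA failed inside the target" << endl;
CloseHandle(hThread);
}
}
/* MEM_RELEASE with size 0 frees the whole allocation; the previous
 * MEM_DECOMMIT left the reservation behind. */
VirtualFreeEx(hProcess, remoteBuf, 0, MEM_RELEASE);
}

CloseHandle(hProcess);
return ok;
}

/* Finds a Notepad window, resolves the DLL path and injects it. Exit code 0 on
 * success, 1 on any failure. */
int main(int argc, char *argv[])
{
(void)argc;
(void)argv;

/* Match by window class. The previous FindWindow(0, "Notepad") matched by
 * *title*, which only works when the document happens to be called "Notepad". */
HWND hWnd = FindWindowA("Notepad", NULL);
if (hWnd == NULL) {
cerr << "No Notepad window found" << endl;
return 1;
}

DWORD pid = 0;
if (GetWindowThreadProcessId(hWnd, &pid) == 0 || pid == 0) {
cerr << "GetWindowThreadProcessId failed: " << GetLastError() << endl;
return 1;
}

/* LoadLibraryA resolves a bare file name through the *target's* DLL search
 * order (its own directory, the system directories, PATH), not the injector's.
 * A relative "DLLStudy.dll" may therefore load some other DLL of that name — or
 * an attacker-planted one — so send an absolute path. */
char fullPath[MAX_PATH];
DWORD len = GetFullPathNameA(Path, MAX_PATH, fullPath, NULL);
if (len == 0 || len >= MAX_PATH) {
cerr << "GetFullPathNameA failed: " << GetLastError() << endl;
return 1;
}

return InjectDll(pid, fullPath, (SIZE_T)len + 1) ? 0 : 1;
}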
EDIT 2: Well, I've managed to make it work. So how do I get the data from SendMessage() when it is called?
You need to use CreateRemoteThread to inject a DLL into the first application. In the DLL's DllMain you write code that redirects the call to SendMessage to your own SendMessageX (exactly what the listing above does for MessageBoxW — the same patch applies to user32!SendMessageW); that function can then notify your other application that SendMessage is being called, and then pass the original call on to the real function.
