I found that on Vista+ systems to connect to the new LPC ports aka ALPC you have to use new functions set:
NtAlpcAcceptConnectPort NtAlpcCancelMessage NtAlpcConnectPort NtAlpcCreatePort NtAlpcCreatePortSection NtAlpcCreateResourceReserve NtAlpcCreateSectionView NtAlpcCreateSecurityContext NtAlpcDeletePortSection etc....
I was doing an intensive search but did not found any code examples from which i can learn how to use these functions.
So if someone have code examples or have application that is using them so i can reverse it please share.
Related
I am trying to monitor Windows API calls. I have read about it and found there is no easier way to monitor API calls system wide than by using kernel drivers. I was wondering if there is any other method to do this system wide? Also if anyone knows of some tutorial on how to monitor API calls using kernel drivers?
I have looked at Microsoft detours and other hooking options but they don't provide for system wide hooking. Also there are other methods which only work for user32.dll
Kernel drivers, who have access to all processes and system calls, are one method for monitoring Windows API calls system-wide. However, there are alternative methods, such as the following:
ETW (Event Tracing for Windows) - ETW is a high-performance event tracing framework for monitoring various system events, including API calls.
Performance Monitoring Counters can track various system performance metrics, such as API call counts and performance.
Inline Hooking - Another technique for monitoring API calls is inline hooking, which involves overwriting the first few instructions of an API function to redirect execution to a custom handler.
The Windows Driver Kit (WDK) documentation, which provides a comprehensive guide on writing and deploying kernel drivers in Windows, contains a tutorial on monitoring API calls using kernel drivers.
It is important to note that monitoring API calls can have security implications because it requires access to system-level data and functions. It is advised to use these techniques with caution and to put proper security measures in place.
Here are some resources that you can use to learn more about Windows API call monitoring:
Event Tracing for Windows (ETW) - https://docs.microsoft.com/en-us/windows/win32/etw/
Windows Driver Kit (WDK) - https://docs.microsoft.com/en-us/windows-hardware/drivers/
Windows System Programming, 4th Edition by Johnson M. Hart - This book provides a comprehensive guide to Windows system programming, including a chapter on kernel-mode programming, which covers the basics of kernel drivers.
Inline Hooking - https://www.codeproject.com/Articles/2082/API-hooking-revealed
Windows API Hooking Techniques - https://www.codeproject.com/Articles/2050/Windows-API-Hooking-Techniques
These resources should provide a good starting point for learning about Windows API call monitoring.
Concerning the use of ETW for monitoring API calls, it is possible that some API calls are not emitted by the system by default and must be enabled manually. If you can't find the API calls you want in the ETW trace, try configuring the trace to include the provider that exposes the events for the desired API calls. To get an output from a crypto provider in ETW, enable it and start a trace session to collect the events emitted by the provider.
here are some online references for getting started with ETW and crypto providers:
Windows Driver Kit (WDK) - ETW:
https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/etw/
MSDN - CryptoAPI:
https://docs.microsoft.com/en-us/windows/win32/seccrypto/cryptoapi
MSDN - How to Trace Cryptographic Operations with Event Tracing for Windows (ETW):
https://docs.microsoft.com/en-us/windows/win32/etw/how-to-trace-cryptographic-operations-with-etw
Code Project - Using Event Tracing for Windows (ETW) to Debug Applications:
https://www.codeproject.com/Articles/1000189/Using-Event-Tracing-for-Windows-ETW-to-Debug-App
I am programming an activation code for my application, I need to provide the key file with information about the licensed computer, I need to retrieve information about some devices like processor ID and DiskDrive Serial number, and the BIOS Serial as well ,, and so on with some devices, but these are the major ones.
I need to combine the method with another application programmed by another language so I cannot use WMI, but I can use winapi.
is there a way to fetch the physical data using winapi?if so, then how?
If you are able to call Windows API functions, then you can use WMI. After all, the WMI interface is part of the Windows API.
Take a look at the Win32_BIOS class and the PROCESSOR_POWER_INFORMATION structure.
Accessing motherboard information without WMI seems not to be doable with current means. Here you can find a similar question:
Access Motherboard information without using WMI
I'm developing an app for filtering network connections from clients to my server (deny or allow to connect to my server).
I'm researching and found some resources like Windows Firewall API.
But I don't know if it's necessary for me or not.
What's the best API or solution to resolve it?
Thank so much.
regards,
Why don't you use an already-developed and proven app in the first place? If you really want to develop a filtering layer then what you need is a Filter driver and more specifically NDIS filter . A sample solution can be found here. But unless you are absolutely sure what you are doing and what you want to achieve I'd strongly suggest that you stick to an off-the-shelf solution - any firewall will be decent, or even a linux machine in front of your server with appropriate iptables rules.
Since you are working in a windows operating system. You would have to make use of Windows Filtering Platform as seen in the documentation on https://msdn.microsoft.com/en-us/library/aa366510.aspx
Drivers like TDS,LSP, and NDIS are all deprecated.
The programming language is C++. In my experience, it was a desktop application with the GUI in WxWidget and writing the filtering network connections hooks into the user mode.
There are two Filtering Layer Identifiers (Run-time Filtering Layer Identifiers and Management Filtering Layer Identifiers ), i made used of the earlier being that its more effective.
Should you need more assistance let me know.
I want to develop one driver so i have create one service and one .sys file for driver to be display now i do not know how to attach that two file or how to register my driver to windows.
so just tell me the step which i should follow.
Thanks and hoping for positive response.
You can load driver by using StartService API. And you can also use ZwLoadDriver. It's a native API. You can find more information about them in MSDN.
Depends on the driver you write. If it's a device driver it's automatically loaded once the system needs it for the previously defined device classes.
For drivers which don't need devices you need a special driver service. See this CodeProject example - section "Dynamically Loading and Unloading the Driver"
Basically the most straightforward is using the following apis (in that order). I think it should be pretty straight forward.
http://msdn.microsoft.com/en-us/library/ms684323%28v=VS.85%29.aspx
http://msdn.microsoft.com/en-us/library/ms682450%28v=VS.85%29.aspx
http://msdn.microsoft.com/en-us/library/ms686321%28v=VS.85%29.aspx
http://msdn.microsoft.com/en-us/library/ms682028%28v=VS.85%29.aspx
Right now, my application is using the c-ares asynchronous DNS resolver library on Windows below cURL, and I have users complaining that it behaves differently from other windows apps. One particular user said that "other applications are using the Microsoft DNS client" and experiences no problems.
cURL itself has an asynchronous DNS implementation that uses getaddrinfo() in a thread. My guess is that would be equivalent behavior to using the "DNS Client" and its host of functions (e.g. DnsQuery?)
So, dear Lazyweb, I ask if there is a tangible difference between the behavior of getaddrinfo() vs. using the actual Dns* APIs from the Win32 API.
Looking at the sources it seems ares actually implements the dns protocol for querying host names (and doesn't directly call getaddrinfo) - I'd expect that to miss out on things like WINS lookups, and god knows what other kind of stuff windows can do to look up names.
The easiest way to do DNS queries on Windows is to use DNSQuery (and derivated functions, utf8, wbytes, ansi). Unless you need asynchronous resolution, in this case I would recommend to keep using c-ares or other similar API.
I'm not sure about WINS or other windows specific resolution (not part of DNS specs) not being covered by c-ares. It would help if you can give us some examples, maybe we can get them implemented in c-ares as well.