I've been looking over the following VB code:
http://www.codeproject.com/KB/vb/toggleNetworkConn.aspx
If you look under "The Methods", you'll see that he does a test to see whether or not the shell item verb is either "En&able" or "Disa&ble" - it looks pretty obvious that these are the same text strings that are listed in the right-click context menu in Network Connections. The obvious problem with this approach (as pointed out by someone in the comments on CodeProject as well) is that this is English-specific; depending on what language the OS is running, it's going to use different words. The programmers response was to potentially use the index of the verb, but this is arguably worse than the original solution, since you would then be performing some arbitrary operation if it wasn't the correct command (and I don't believe it's guaranteed to be in a particular order in the verb list).
So my question, is it possible to get from the system (via some call or the registry) the OS-language specific text for Enable and Disable? I've searched the registry for both strings without any success, but I thought someone with more multi-language experience might have the answer. Also, I'm not using VB (I'll be using C++) so don't worry about doing it in any particular language - API calls or pseudo code is fine. I also need the solution to work on both XP and Vista (and hopefully Windows 7 as well). Thanks!
It looks like the text for the verbs might be handled via Registry String Redirection. You'll need to identify the CLSID for the connections component. I poked around but didn't find any verbs registered for the network connections CLSIDs I came across though...
The closest thing I've found is part of IShellFolder, specifically GetCommandString() which returns a universal string describing an action - in this case it literally returns "enable" or "disable". The problem with this particular API is while it works, it doesn't actually return anything on XP - apparently while it's available on older OSs, it's really only useful on Vista or greater.
Related
I'm building a Haskell command-line application in Windows 10, and am trying to debug an issue around the Windows 260-character file path limitation by tracing system calls and seeing which ones fail.
I've used procmon (https://learn.microsoft.com/en-us/sysinternals/downloads/procmon) for this, which seems quite nice, but although it displays many related log entries, I was surprised to find that it doesn't display an entry for the particular CreateFileW call that actually exceeds 260 chars and crashes my application.
I briefly tried Win32 API Monitor (https://www.apimonitor.com) but couldn't make heads or tails of it; it seems better suited to attaching to already-running GUI applications than command-line applications that need to be launched in a particular directory, etc.
Is there a better alternative to these, or a better approach?
#RemyLebeau's comment was the one I needed:
"I was surprised to find that it doesn't display an entry for the
particular CreateFileW call that actually exceeds 260 chars and
crashes my application"
Because there is nothing for it to log. The call likely gets rejected at the higher level API layer, when the input data is first
validated, long before it reaches the file system layer. Procmon logs
lower level activity, not higher level APIs. Tools like API Monitor
are what you are looking for. If you are having trouble with it, ask a
new question about that.
My eventual solution to the problem that inspired this was to upgrade from base-4.11 to base-4.12 which handles windows paths > 260 chars better.
I don't think I'd even need the registry switch anymore.
Is it possible to get a file's UID (owner) on Windows? I tried to use FileInfo.Sys(), but it only works on Linux. I'm really stumped on this one and can't figure out how to get the UID.
The first problem is that file systems native to Windows which supports file/directory ownership do not have the concept of "owner UID" simply because Windows users have no UIDs either.
The security of the Windows NT line or kernels is implemented using the so-called "access control lists" (ACLs), and security principals (such as users) are identified using the so-called "security identifiers" (SIDs). A SID is a variable-length multi-field data structure usually passed around as a byte array.
Another complication is that a file on an ACL-enabled Windows file system might have no owner at all (and no ACL attached to it as well); this is rare but possible.
So... If the part of explanation stating "there's no such thing as the entry owner's UID on Windows filesystem" is OK for you, this is all there is to it.
If not, and you actually wanted to ask "how do I get security information for an entry on a Windows filesystem?", the question gets more complicated.
AFAIK the stock standard library shipped with Go does not have the necessary wrappers around the relevant bits of the Win32 API. So to implement this, you'll need to either wrap them yourself (it's not that hard, after all) or try to find a helper package.
I have an application, which displays me some data. I need to attach to this app's process, find the data I need in memory (one single number, actually), and save it somewhere. This application doesn't seem to use standard windows controls, so things aren't going to be as simple as reading controls data using AutoIt or something similar.
Currently I'm a self-learner database guy and have quite shallow knowledge about windows apps debugging. Not even sure if I asked my question correctly enough.
So, can you give me some starter guidelines about, say, what should I read first, and general directions I should work on?
Thanks.
To read memory of other application you need to open the process with respect of OpenProcess with at least PROCESS_VM_READ access rights and then use ReadProcessMemory to read any memory address from the process. If you are an administrator or have debug privilege you will be able to open any process with maximal access rights, you need only to enable SeDebugPrivilege before (see for example http://support.microsoft.com/kb/131065).
If you don't know a much about the memory of the destination process you can just enumerate the memory blocks with respect of VirtualQueryEx (see How does one use VirtualAllocEx do make room for a code cave? as an example where I examine the program code. The program data you can examine in the same way).
The most practical problem which I see is that you ask your question in too general way. If you explain more what kind of the data you are looking for I could probably suggest you a better way. For example if you could see the data somewhere you could examine the corresponding windows and controls with respect of Spy++ (a part of Visual Studio Tools). The most important are the class of windows (or controls) and the messages which will be send at the moment when the most interesting window are displayed. You can also use Process Monitor to trace all file and registry access at the time when the windows with the interesting information will be displayed. At least at the beginning you should examine the memory of the process with ReadProcessMemory at the moment when the data which you are looking for are displayed on the window.
If you will have no success in your investigations I'd recommend you to insert in your question more information.
My primary advice is: try to find any other method of integration than this. Even if you succeed, you'll be hostage to any kinds of changes in the target process, and possibly in the Windows O/S. What you are describing is behaviour most virus scanners should flag and hinder: if not now, then in the future.
That said, you can take a look at DLL injection. However, it sounds as if you're going to have to debug the heck out of the target process at the disassembly level: otherwise, how are you going to know what memory address to read?
I used to know the windows debugging API but it's long lost memory. How about using ollydbg:
http://www.ollydbg.de/
And controlling that with both ollydbg script and autoit?
Sounds interesting... but very difficult. Since you say this is a 'one-off', what about something like this instead?
Take a screenshot of this application.
Run the screenshot through an OCR program
If you are able to read the text you are looking for in a predictable way, you're halfway there!
So now if you can read a OCR'd screenshot of your application, it is a simple matter of writing a program that does the following:
Scripts the steps to get the data on the screen
Creates a screenshot of the data in question
Runs it through an OCR program like Microsoft Office Document Imaging
Extracts the relevant text and does 'whatever' with it.
I have done something like this before with pretty good results, but I would say it is a fragile solution. If the application changes, it stops working. If the OCR can't read the text, it stops working. If the OCR reads the wrong text, it might do worse things than stop working...
As the other posters have said, reaching into memory and pulling out data is a pretty advanced topic... kudos to you if you can figure out a way to do that!
I know this may not be a popular answer, due to the nature of what this software is used for, but programs like CheatEngine and ArtMoney allow you to search through all the memory reserved by a process for a given value, then refine the results till you find the address of the value you're looking for.
I learned this initially while trying to learn how to better protect my games after coming across a trainer for one of them, but have found the technique occasionally useful when debugging.
Here is an example of the technique described above in use: https://www.youtube.com/watch?v=Nv04gYx2jMw&t=265
I must intercept execution in very big application in many places.
What programs I can use to do this? What techniques exists for this problems?
Manually reverse engineering and adding hooks is maybe not optimal solution for this problem, because application is very big and some part of application can be updated in some time, i think with some tools or good practices for this problem i can do this faster, anyone know how to do?
Anybody help me?
seeing as the tools part has been covered, here is something for the techniques.
Depending what it is you need to hook and whether or not there is protection invloved, there are a few methods:
Relative call/jmp patching in the virtualized binary: this is the simplest, but also a lot of work if you can't automatically find all references to a function, this probably won't work in this cause due to your criteria.
IAT/EAT hooking: this is use for imports(IAT) and exports(EAT), great if your targeting a known importted/exported set of API functions. a good example of this can be found here or here
Hot-Patching: Windows XP SP2 introduced something called "hot-patching" (used for realtime system function updates), where all its (the WinAPI) functions start with a 'mov edi,edi', allowing a relative jump to be patched into the free space created above every hot-patchable function(one can do it too). this is generally used for programs that checksum there IAT's or have other funny forms of protection, more info can be found here and here
Code-Caving: capturing execution flow by placing redirections in arbitrary code space. see here, here or here
VFT/COM Redirection: basically overwriting entries in a objects virtual function table, useful for OOP/COM based applications. see this
There are a lot of 3rd party libraries, most famous would probably be MS Detours, one can also look at APIHijack or a mini-hook engine.
Ofcourse nothing can substitute for the initial poking you'll need to do with a debugger like ollydbg, but knowing the method your gonna use can drastically short them amount time time spent poking around
Some details on what exactly you need to do (e.g. how do you determine where to break) would be nice. Depending on your situation, something like Pin might work.
I suggest using Deviare API Hook. It's the easiest way you can do what you need. It has some COM objects that you can use to hook an application from a different process. In your process you get full parameter information and you can use it in any programming language (I'm using C# and it works like a charm).
If you need to intercept registry API I suggest using Deviare to debug what you need to intercept but then you will have to make your own hooks, otherwise, you'll find performance issues.
You can do API Hooking if you are interested in intercepting method calls.
Or use some disassembler like softice or ollydbg or win32dasm.
OK, the Windows dev platform I have is a Windows XP box and a copy of Visual C++ 6.0. I'm trying to create or modify security descriptors for a service. My initial thought from other answers (and some reading) was that I should use ConvertStringSecurityDescriptorToSecurityDescriptor to setup my security descriptor.
Except...my install of VC++ 6.0 lacks the headers for this function (sddl.h according to MSDN).
Can anyone point me to other APIs for creating/modifying Security Descriptors? I'd be happy if I could walk through an existing one (I can QueryServiceObjectSecurity) and just eliminate certain users, but I can't figure out how to do that just looking at MSDN.
Alternately, if someone could point me in the direction of how to call this function without proper headers, that would be fine.
Obvious answer rebuttal: I can (and will) make an attempt to get IT to install a newer version of VC++ on my system, but the last time I asked IT about anything significant it took 7 weeks for them to respond. Since I'd like to get this done in the next week or two, I think IT is not going to fix this question for me in a timely manner.
In theory, you don't need a newer compiler, just an updated SDK. In reality, VC++ 6 is old enough that it may have trouble parsing the headers for a current SDK though.
As an alternative to that, you could declare pointers to the correct types of functions in your code, then use LoadLibrary and GetProcAddress to get the addresses of the correct functions, then call the functions via those pointers.
As an aside, however, I'd point out that I doubt what you've envisioned will work. I've never tried to do exactly what you're trying, so it's always possible I'm wrong, but every time I've done anything manipulating security descriptors, DACLs, SACLs, or anything similar in Windows, the code's ended up considerably longer and more complex than it initially seemed like it should. Even something extremely trivial generally requires at least a couple hundred lines of code...
You could check out the DCOMPerm sample, it has handles the DACL/ACE and other structures you are going to run into - thats where i started when i created a set of classes to handle this for our COM installations - and as #jerry coffin said it ended up being a lot of code.
You'll have to download the SDK to get the sample.