HANDLE - File Handles and Directory Handles Structures - c

Language: C
OS: Windows
My application is framed with NT-level APIs and has to manipulate file and directory handles.
On a ZwOpenFile or ZwCreateFile, I get a HANDLE as a result. Usually the values for the HANDLE are like 0x00000024, 0x28, 0x2c, etc.
When I cast it as an LPBYTE to view the contents, Visual Studio shows "Expression could not be evaluated". I understood from that that the HANDLE returned from the create/open file APIs is not a pointer to a memory location. However, Windows uses the value and performs file operations.
NtQueryDirectoryObject supplies me the information about handles. However, how Windows has implemented this functionality is unknown.
Can anyone throw light on it?

That's a so-called "opaque value", which means "it's completely up to Windows how it is done inside." For example, it could be an index in some global table that is not accessible directly to your program - Windows just knows how to get there and you shouldn't even think of doing it.

Handles are stored in a table accessible only from kernel code. If you are interested in how the Windows kernel works, you may find Mark Russinovich's blog or driver development interesting.

The last book I know of that was a good reference for this kind of stuff was Inside Windows 2000 by Mark E. Russinovich and David A. Solomon. While clearly out of date, a lot of that book is still relevant. Google for "Inside Windows 7" for links to videos of talks by Russinovich and some other books that I can't vouch for, but seem on topic.

HANDLE is actually a pointer to a struct that contains various fields; often they point to some kernel object. HANDLEs are generally used when programming in C to have a notion of object-oriented programming.
When debugging with WinDbg you have an extension called !handle that can display various information about a given handle.
The book Windows Internals (by Mark Russinovich) goes into great detail about this and many other Windows mechanisms.
Perhaps you will find this discussion useful: What is a Windows Handle?
Also check out this blog post by Mark: http://blogs.technet.com/b/markrussinovich/archive/2009/09/29/3283844.aspx. It contains a lot of information which could help you answer your question.
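To make the "opaque value" and "table accessible only from kernel code" answers concrete, here is a small user-mode model of a per-process handle table, written as an added illustration for this thread; it is not Windows code and not the kernel's real data structures. The handle value is a small multiple of 4 that indexes a table the caller cannot reach, and every use goes back through that table and is checked against the access mask granted at open time (the names open_object, reference_by_handle and the access bits are hypothetical):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simulation only, not kernel code; the access bits are made up (cf. FILE_READ_DATA). */
#define ACCESS_READ  0x1u
#define ACCESS_WRITE 0x2u
#define TABLE_SIZE   16

typedef uintptr_t HANDLE;                                      /* opaque value, not an address */
typedef struct { const char *name; } Object;                   /* the kernel object */
typedef struct { Object *obj; uint32_t granted; } HandleEntry; /* one table slot */

static Object objects[] = { {"C:\\data\\secret.txt"}, {"C:\\temp\\log.txt"} };
static HandleEntry handle_table[TABLE_SIZE];   /* kernel-only memory in the real OS */

/* "Open": claim the first free slot, remember the granted access mask and return
 * (slot+1)*4, so 0 is never valid and the low two bits stay clear (as on Windows). */
HANDLE open_object(size_t obj_index, uint32_t desired_access) {
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        if (handle_table[i].obj == NULL) {
            handle_table[i].obj = &objects[obj_index];
            handle_table[i].granted = desired_access;
            return (HANDLE)((i + 1) * 4);
        }
    }
    return 0;   /* table full */
}
/* What ObReferenceObjectByHandle does conceptually: validate the value, look up the
 * slot, and refuse when a right that was not granted at open time is requested. */
Object *reference_by_handle(HANDLE h, uint32_t needed_access) {
    if (h == 0 || (h & 3) != 0 || h / 4 > TABLE_SIZE) return NULL;
    HandleEntry *e = &handle_table[h / 4 - 1];
    if (e->obj == NULL || (e->granted & needed_access) != needed_access) return NULL;
    return e->obj;
}

int close_handle(HANDLE h) {
    if (reference_by_handle(h, 0) == NULL) return 0;   /* invalid or already closed */
    handle_table[h / 4 - 1].obj = NULL; handle_table[h / 4 - 1].granted = 0;
    return 1;
}

int main(void) {
    HANDLE h = open_object(0, ACCESS_READ);
    printf("handle 0x%lx; write through it: %s\n", (unsigned long)h,
           reference_by_handle(h, ACCESS_WRITE) ? "allowed" : "refused");
    return close_handle(h) ? 0 : 1;
}
```

Casting the returned value to a pointer and dereferencing it would read garbage (or fault) exactly as the debugger shows, because the value is only meaningful as an index into a table the caller does not own.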

Related

PICK/BASIC, FlashBASIC, and C Interoperability

I stumbled across some interesting documentation regarding PICK programming:
http://www.d3ref.com/?token=flash.basic
It says FlashBASIC is a compiled, instead of interpreted, version of PICK programs that are interoperable with PICK. This is great. I am curious about how it describes Object code:
converts Pick/BASIC source code into a list of binary instructions
called object code.
Is this object code interoperable with other languages? Or is it limited to the PICK & Universe operating environment? In other words could a C program call a FlashBASIC program?
This is helpful in defining the C version, but cannot find any clear definition of the FlashBasic version:
What's an object file in C?
You're asking a few different questions which I'll try to answer.
Here is an article I wrote that might help your understanding of FlashBASIC. In short, where traditional MV BASIC is compiled and then run by assembler, the Flash compiler is C and generates an object module that sits below the standard BASIC object in frame space. At runtime that code is then interpreted by a C runtime. For our purposes here, there is no C interface, this is just an internal mechanism for getting code to run faster.
Note from the above that this is not related to the "What's an object file in C?" topic, because object modules in D3 are stored in D3 frames, completely unrelated to common OS-level object modules.
Now about C calling Pick - in your case D3: You can use the CP library - the docs are in the same area as the link you cited. Rather than binding with the database itself, you can also use your code in a client/server mode with the MVSP library if you're using Managed C (.NET). Or you can use any common web service client mechanism in C and set up D3 as a web service server with a number of technologies including MVST, mv.NET, Java, or C/C++.
I know that response is rather vague but you're asking a question which has been discussed at-length in forums over a period of years. If you ask a more specific question you'll get a specific answer. Feel free to refine your query in a comment and we can focus the answer.
Also note that you tagged this question as "u2". If you are really using the U2 variant of MV/Pick (Universe or Unidata) then the reference to the D3 docs was misleading and none of the above applies, as they do this differently in U2 and there is no FlashBASIC there. I know, you're confused. Let's work it out...
Yep, Flash BASIC just translates to C, is compiled, and resulting object files are dynamically loaded and linked, then run from the Pick OS. The feature of C programs running and interacting with BASIC was certainly possible, but we did not implement that feature.

Windows - Driver development: Get global declared device objects from .sys file

I have already been googling and looking around in here.
I found no similar question/answer regarding this topic.
I also think this is not possible. But I could be wrong.
History:
Out of simple interest I just started to study a good old-fashioned book by G. Hoglund. It is called Rootkits: Subverting the Windows Kernel.
I just wanted to learn more about windows internals, but most important for me was, that I would like to get started somewhere to develop drivers and also learn about the history of driver development.
Status:
I decided and already started to write a nice UI tool with the Win32 API to load, register and unload my "out of the tutorial" legacy NT drivers for WXP on my virtual machine.
Now I also thought about the possibility, not only to select a driver and load it to see its debug outputs, but also to issue some commands, to invoke the major functions.
And I saw: you can define more than one device inside the source file(s). (This is surely not widely used, but it is possible.)
Question:
I would like to know, whether anybody ever made an attempt to read any of the DeviceObjects declared globally inside the .sys file and if this person succeeded.
THX in advance.

Hooking in C and windows

I'm looking for a quick guide to basic dll hooking in windows with C, but all the guides I can find are either not C, or not windows.
(The DLL is not part of windows, but a third party program)
I understand the principle, but I don't know how to go about it.
I have pre-existing source code in C++ that shows what I need to hook into, but I don't have any libraries for C, or know how to hook from scratch.
The detours license terms are quite restrictive.
If you merely want to hook certain functions of a DLL it is often cheaper to use a DLL-placement attack on the application whose DLL you want to hook. In order to do this, provide a DLL with the same set of exports and forward those that you don't care about and intercept the rest. Whether that's C or C++ doesn't really matter. This is often technically feasible even with a large number of exports but has its limitations with exported data and if you don't know or can't discern the calling convention used.
If you must use hooking there are numerous ways including to write a launcher and rewrite the prepopulated (by the loader) IAT to point to your code while the main thread of the launched application is still suspended (see the respective CreateProcess flag). Otherwise you are likely going to need at least a little assembly knowledge to get the jumps correct. There are plenty of liberally licensed disassembler engines out there that will allow you to calculate the proper offsets for patching (because you don't want to patch the middle of a multi-byte opcode, for example).
You may want to edit your question again to include what you wrote in the comments (keyword: "DLL hooking").
loading DLLs by LoadLibrary()
This is well-known bad practice.
You might want to look up "witch" or "hctiw", the infamous malware dev. There's a reason he's so infamous - he loaded DLLs with LoadLibrary(). Try to refrain from bad practice like that.

How can I use data discovered via a memory scanner in an external program?

So, some background: I'm using a memory scanner called Cheat Engine to get real-time values for game stats (e.g. HP, mana, EXP) in a non-open-source video game that I'm trying to make a bot for.
For my bot to effectively use this information, I need to get it from cheat engine (or any memory scanner with similar functionality) to my bot code in a timely manner.
Now, one obvious way to do that would be to save all of the information to a file and then load the file in my bot code, but since this data needs updating about every half second or so, that isn't a real solution.
What I really need is either a terribly convenient memory scanner that allows you to use the information you uncover as a set of variables in some programming language (preferably Java, C, or MATLAB), or a way to access the memory addresses found in one of the above languages.
This latter option should hopefully be doable, as cheat engine gives the memory address, controlling process ID, and data type.
This question doesn't have an easy answer. As far as I can tell you are very new to this area, so what you really need is a proper introduction to the subject, and for that I recommend reading Exploiting Online Games: Cheating Massively Distributed Systems.
It's an awesome book and it shows in a detailed manner how game hacks work, and it dedicates an entire chapter on how to build bots.
If you want to write an application to read/write data to those memory addresses you need to investigate functions like ReadProcessMemory() and WriteProcessMemory(). Whatever language you choose to implement your bot needs to provide access to the Windows API. This is needed because you have to manipulate another process' memory space.
There are lots of tutorials out there that show how to do this using C and C++, since they are the preferred languages to do this kind of stuff. Another option is to use a macro tool if you want something simple to play the game for you.
Modern computer games implement their own anti-cheat mechanisms to make it a little more difficult for people like you (and me). And since this book presents attack and defense techniques I recommend it to anyone interested in how to exploit computer games. The book is fully loaded with code examples.
I'm sorry for not providing more information but I was criticized once in the past for helping people with your curiosity and I would also never do a better job than the authors of the book explaining how to do this stuff.
Try using the Lua interface to get what you need.
Here's an example (I have not tried it, but I'm assuming it works....)
http://forum.cheatengine.org/viewtopic.php?t=530047
You can probably use COM with a script in Lua (with LuaCOM) on one side and Matlab or C on the other
You would need to use a debugging library to do that. You would set a watchpoint on your variable's location, and when it triggers, you would get its value.
scanmem does that for Linux.
Unfortunately, many closed-source games go to great lengths to avoid the use of debuggers, so this won't probably work on your game.
Have you tried Visual VM?
http://visualvm.java.net/download.html
Cheat Engine is open source, so what you do is look in the source code of Cheat Engine, and look how the memory dump thing works.
However, it is highly non-trivial to monitor a live process that you are not controlling, so unless you are a black hat code wizard, level 11, I suspect that it won't work.
Even if you say you want to look at a few integers that you can guess looking at a memory dump, it is a lot harder to find that area programmatically, consistently, while possibly re-tracking every so often as the data may be copied or moved when the state of the program changes.
Also read this encouraging citation from Cheat Engine's FAQ:
Q:Will Cheat Engine work on online games?
A:Most of the time, no
But anyway, try it - it sounds fun and I am sure you will learn something, and there is always a chance that you'll make it work :-)

Documentation for CMX ColdFire USB-Lite stack

This is my first embedded project, so bear with my ignorance. I've been asked to implement Remote NDIS over USB, using the ColdFire USB-Lite stack by CMX. I've been searching for a long time now, and can't find any clear documentation for this stack.
It comes with some woefully documented sample code and the only useful resource I've been able to find online is this Application Note (PDF) by Eric Gregori.
What I really want is an explanation of all the functions in the API. I can work out how to use them. Does this exist? Can someone point me to it?
EDIT: Never mind.
After tracing the execution across 14 half-documented source files (from the example program) and scrutinizing a bunch of undocumented variables and buffers, and doing a diff between corresponding files in different projects, I think I finally get it. So I guess stackoverflow.com taught me patience... or something.
The link you referred to doesn't work for me, but the name of the file made me look at the Freescale pages, and if that's not the document you intended to link to, it might be the documentation you need.