class CheckClass {
public:
VOID Bypass() {
DWORD START = (DWORD)GetModuleHandle(NULL);
DWORD OFFSET = START + 0x1000;
MEMORY_BASIC_INFORMATION MemoryInformation;
CCLOCATION = Utility.FindPatternInMemory((unsigned
char*)OFFSET, MemoryInformation.RegionSize + OFFSET, (unsigned
char*)"\xCC\xCC\xCC\xCC", "xxxx");
AddVectoredExceptionHandler(1, CallHandle);
}
};
Basically, MEMORY_BASIC_INFORMATION MemoryInformation, throws an error unintialized local Variable 'MemoryInformation'
How could I fix that? Thanks in advance.
Related
So trying to hook a OpenVR method "ITrackedDeviceServerDriver::GetPose" but i'm getting access violations when my custom hooked method returns out (I think something is wrong with calling convention but idk enough about what x64 asm expects).
All other methods I hook in "ITrackedDeviceServerDriver" work fine. Only "GetPose" fails.
Class thats being hooked looks like:
class ITrackedDeviceServerDriver
{
public:
virtual EVRInitError Activate( uint32_t unObjectId ) = 0;
virtual void Deactivate() = 0;
virtual void EnterStandby() = 0;
virtual void *GetComponent( const char *pchComponentNameAndVersion ) = 0;
virtual void DebugRequest( const char *pchRequest, char *pchResponseBuffer, uint32_t unResponseBufferSize ) = 0;
virtual DriverPose_t GetPose() = 0;
};
Object thats larger than ptr & gets returned from method that crashes
struct DriverPose_t
{
double poseTimeOffset;
vr::HmdQuaternion_t qWorldFromDriverRotation;
double vecWorldFromDriverTranslation[ 3 ];
vr::HmdQuaternion_t qDriverFromHeadRotation;
double vecDriverFromHeadTranslation[ 3 ];
double vecPosition[ 3 ];
double vecVelocity[ 3 ];
double vecAcceleration[ 3 ];
vr::HmdQuaternion_t qRotation;
double vecAngularVelocity[ 3 ];
double vecAngularAcceleration[ 3 ];
ETrackingResult result;
bool poseIsValid;
bool willDriftInYaw;
bool shouldApplyHeadModel;
bool deviceIsConnected;
};
Example of how I'm hooking the virtual methods:
typedef DriverPose_t(__thiscall* GetPose_Org)(ITrackedDeviceServerDriver* thisptr);
GetPose_Org GetPose_Ptr = nullptr;
DriverPose_t __fastcall GetPose_Hook(ITrackedDeviceServerDriver* thisptr)
{
DriverPose_t result = GetPose_Ptr(thisptr);// works
//result.deviceIsConnected = true;
return result;// after return I get access violation crash
}
void TestHook(ITrackedDeviceServerDriver *pDriver)
{
MEMORY_BASIC_INFORMATION mbi;
ZeroMemory(&mbi, sizeof(MEMORY_BASIC_INFORMATION));
void** vTable = *(void***)(pDriver);
VirtualQuery((LPCVOID)vTable, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &mbi.Protect);// unlock
Activate_Ptr = (Activate_Org)vTable[0];
vTable[0] = &Activate_Hook;// Hook!
Deactivate_Ptr = (Deactivate_Org)vTable[1];
vTable[1] = &Deactivate_Hook;// Hook!
EnterStandby_Ptr = (EnterStandby_Org)vTable[2];
vTable[2] = &EnterStandby_Hook;// Hook!
GetPose_Ptr = (GetPose_Org)vTable[5];
vTable[5] = &GetPose_Hook;// Hook!
VirtualProtect(mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &mbi.Protect);// lock
}
So why is "GetPose" the only method that fails after it returns out?
How can I fix the calling convention on "GetPose" to work with registers correctly?
as already noted in comments
__thiscall and __fastcall are not the same calling convention
even for x64. for x86 this is obvious - __thiscall - pass first parameter (this) via Ecx register, and next parameters via stack (i skip now float/double parameters case). __fastcall - 1-first via Ecx, 2-second via Edx, and next via stack
in case x64 (again let assume that no float/double parameters) - first 4 parameters via Rcx, Rdx, R8, R9 and next in stack. so look like x64 have single and common calling convention (no difference between __stdcall, __fastcall, __cdecl, __thiscall)
but exist question about implicit parameters. say in case __thiscall - the first parameter - this is implicit parameter, always passed as first parameter via Ecx/Rcx
and now case when function try "return" object. really on any platform function can return something only via cpu registers. it finite count, and only several of it can be used for return value store.
say on x86(x64) - for return value can be used: AL, AX, EAX, RAX, DAX:EAX, RDX:RAX
so function can return only something that have size - 1, 2, 4, 8 (and 16 for x64)
if function try "return" object with another size - this is impossible do direct, compiler need transform your code. for example if you write function:
DriverPose_t GetPose(ITrackedDeviceServerDriver* thisptr)
{
DriverPose_t pos = ...;
return pos;
}
and call
DriverPose_t pos = GetPose(thisptr);
compiler (of course this already implementation details, different compilers can do this in different ways !) can transform this to
void GetPose(DriverPose_t *ppos, ITrackedDeviceServerDriver* thisptr)
{
DriverPose_t pos = ...;
*ppos = pos;
}
and call to
DriverPose_t pos;
GetPose(&pos, thisptr);
so here pointer to object passed to function as first ,hidden/implicit, parameter. but in case member function, still exist another hidden/implicit, parameter - this, which always passed as first, as result hidden/implicit, parameter for return value moved to second place !
struct ITrackedDeviceServerDriver
{
DriverPose_t GetPose()
{
DriverPose_t pos = ...;
return pos;
}
};
and call
ITrackedDeviceServerDriver obj;
DriverPose_t pos = obj.GetPose();
can be transformed to
struct ITrackedDeviceServerDriver
{
void GetPose(DriverPose_t *ppos)
{
DriverPose_t pos = ...;
*ppos = pos;
}
};
and call to
ITrackedDeviceServerDriver obj;
DriverPose_t pos;
obj.GetPose(&pos);
so real signature of function, if "uncover" this parameter is
void ITrackedDeviceServerDriver::GetPose(ITrackedDeviceServerDriver* this, DriverPose_t *ppos)
{
DriverPose_t pos = ...;
*ppos = pos;
}
and call
ITrackedDeviceServerDriver obj;
DriverPose_t pos;
GetPose(&obj, &pos);
so compare
void ITrackedDeviceServerDriver::GetPose(ITrackedDeviceServerDriver* this, DriverPose_t *ppos);
and
void GetPose(DriverPose_t *ppos, ITrackedDeviceServerDriver* thisptr);
you implement
DriverPose_t GetPose_Hook(ITrackedDeviceServerDriver* thisptr);
which will be transformed by compiler to
void GetPose_Hook(DriverPose_t* ,ITrackedDeviceServerDriver* thisptr);
but really you need implement next hook:
void GetPose_Hook(ITrackedDeviceServerDriver* thisptr, DriverPose_t* );
you confuse first and second parameters. however i think not need change object vtable at all, instead need return proxy object to client. possible and very generic implementation for COM interface hooks, but it too long for post here. for your case can be done next example of hook:
struct DriverPose_t
{
int x, y, z;
};
struct __declspec(novtable) IDemoInterface
{
virtual DriverPose_t GetPose() = 0;
virtual ULONG GetComponent( const char * pchComponentNameAndVersion ) = 0;
virtual void Delete() = 0;
};
class DemoObject : public IDemoInterface
{
ULONG v;
DriverPose_t pos;
virtual DriverPose_t GetPose()
{
DbgPrint("%s<%p>\n", __FUNCTION__, this);
return pos;
}
virtual ULONG GetComponent( const char * pchComponentNameAndVersion )
{
DbgPrint("%s<%p>(%s)\n", __FUNCTION__, this, pchComponentNameAndVersion);
return v;
}
virtual void Delete()
{
delete this;
}
public:
DemoObject(ULONG v, int x, int y, int z) : v(v)
{
pos.x = x, pos.y = y, pos.z = z;
DbgPrint("%s<%p>\n", __FUNCTION__, this);
}
virtual ~DemoObject()
{
DbgPrint("%s<%p>\n", __FUNCTION__, this);
}
};
class Hook_DemoInterface : public IDemoInterface
{
IDemoInterface* pItf;
virtual DriverPose_t GetPose()
{
DriverPose_t pos = pItf->GetPose();
DbgPrint("%s<%p>=<%d, %d, %d>\n", __FUNCTION__, this, pos.x, pos.y, pos.z);
return pos;
}
virtual ULONG GetComponent( const char * pchComponentNameAndVersion )
{
ULONG v = pItf->GetComponent(pchComponentNameAndVersion);
DbgPrint("%s<%p>(%s)=%u\n", __FUNCTION__, this, pchComponentNameAndVersion);
return v;
}
virtual void Delete()
{
delete this;
}
public:
Hook_DemoInterface(IDemoInterface* pItf) : pItf(pItf)
{
DbgPrint("%s<%p>\n", __FUNCTION__, this);
}
~Hook_DemoInterface()
{
pItf->Delete();
DbgPrint("%s<%p>\n", __FUNCTION__, this);
}
};
BOOL CreateDemoIface(IDemoInterface** ppItf)
{
if (DemoObject* pObj = new DemoObject (1, -1, 2, 3))
{
*ppItf = pObj;
return TRUE;
}
return FALSE;
}
BOOL Hook_CreateDemoIface(IDemoInterface** ppItf)
{
IDemoInterface* pItf;
if (CreateDemoIface(&pItf))
{
if (Hook_DemoInterface* pObj = new Hook_DemoInterface(pItf))
{
*ppItf = pObj;
return TRUE;
}
*ppItf = pItf;
return TRUE;
}
return FALSE;
}
void UseIface(IDemoInterface* pItf)
{
ULONG v = pItf->GetComponent("some string");
DriverPose_t pos = pItf->GetPose();
DbgPrint("v=%u, pos<%d, %d, %d>\n", v, pos.x, pos.y, pos.z);
}
void test()
{
IDemoInterface* pItf;
if (CreateDemoIface(&pItf))
{
UseIface(pItf);
pItf->Delete();
}
if (Hook_CreateDemoIface(&pItf))
{
UseIface(pItf);
pItf->Delete();
}
}
instead hook object vtable - hook (if possible) object creation CreateDemoIface - replace it to self Hook_CreateDemoIface which return proxy object.
debug output
DemoObject::DemoObject<0000012C31E08F70>
DemoObject::GetComponent<0000012C31E08F70>(some string)
DemoObject::GetPose<0000012C31E08F70>
v=1, pos<-1, 2, 3>
DemoObject::~DemoObject<0000012C31E08F70>
DemoObject::DemoObject<0000012C31E08F70>
Hook_DemoInterface::Hook_DemoInterface<0000012C31DFAA10>
DemoObject::GetComponent<0000012C31E08F70>(some string)
Hook_DemoInterface::GetComponent<0000012C31DFAA10>(some string)=1
DemoObject::GetPose<0000012C31E08F70>
Hook_DemoInterface::GetPose<0000012C31DFAA10>=<-1, 2, 3>
v=1, pos<-1, 2, 3>
DemoObject::~DemoObject<0000012C31E08F70>
Hook_DemoInterface::~Hook_DemoInterface<0000012C31DFAA10>
My goal is to understand stack unwinding in 64-bit PE32+ executable format in Windows, or how the following API can calculate addresses of a function prologue, body, epilogue, etc.:
CONTEXT context = {0};
RtlCaptureContext(&context);
DWORD64 ImgBase = 0;
RUNTIME_FUNCTION* pRTFn = RtlLookupFunctionEntry(context.Rip, &ImgBase, NULL);
_tprintf(L"Prologue=0x%p\n", (void*)(ImgBase + pRTFn->BeginAddress));
I know that the information on the offsets of all non-leaf functions used by the linker is included in the PE32+ header in the exceptions directory. So I tried to write my own function to parse it. I got to this point where I got stumped:
//INFO -- must be compiled as x64 only!
void GetFunctionTable(BYTE* lpBaseAddress, size_t szImageSz)
{
if(lpBaseAddress)
{
if(szImageSz > sizeof(IMAGE_DOS_HEADER))
{
IMAGE_DOS_HEADER* pDOSHeader = (IMAGE_DOS_HEADER*)lpBaseAddress;
if(pDOSHeader->e_magic == IMAGE_DOS_SIGNATURE)
{
IMAGE_NT_HEADERS* pNtHeader = (IMAGE_NT_HEADERS*)((BYTE*)pDOSHeader + pDOSHeader->e_lfanew);
PIMAGE_DATA_DIRECTORY pDataDirectories = NULL;
if(pNtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
{
//64-bit image only
IMAGE_NT_HEADERS64* pHdr64 = (IMAGE_NT_HEADERS64*)pNtHeader;
IMAGE_OPTIONAL_HEADER64* pIOH64 = &pHdr64->OptionalHeader;
pDataDirectories = pIOH64->DataDirectory;
IMAGE_DATA_DIRECTORY* pExceptDir = &pDataDirectories[IMAGE_DIRECTORY_ENTRY_EXCEPTION];
if(pExceptDir->VirtualAddress &&
pExceptDir->Size)
{
IMAGE_RUNTIME_FUNCTION_ENTRY* pRFs = (IMAGE_RUNTIME_FUNCTION_ENTRY*)
GetPtrFromRVA64(pExceptDir->VirtualAddress, pNtHeader, lpBaseAddress);
//'pRFs' = should point to an array of RUNTIME_FUNCTION structs
// but in my case it points to an empty region of memory with all zeros.
}
}
}
}
}
}
with the following helper functions:
PIMAGE_SECTION_HEADER GetEnclosingSectionHeader64(DWORD_PTR rva, PIMAGE_NT_HEADERS64 pNTHeader)
{
PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(pNTHeader);
unsigned int i;
for ( i=0; i < pNTHeader->FileHeader.NumberOfSections; i++, section++ )
{
if ( (rva >= section->VirtualAddress) &&
(rva < (section->VirtualAddress + section->Misc.VirtualSize)))
return section;
}
return 0;
}
LPVOID GetPtrFromRVA64(DWORD rva, const void* pNTHeader, const void* imageBase)
{
PIMAGE_SECTION_HEADER pSectionHdr;
INT_PTR delta;
pSectionHdr = GetEnclosingSectionHeader64( rva, (PIMAGE_NT_HEADERS64)pNTHeader );
if ( !pSectionHdr )
return 0;
delta = (INT_PTR)(pSectionHdr->VirtualAddress - pSectionHdr->PointerToRawData);
return (PVOID) ( (BYTE*)imageBase + rva - delta );
}
So I'm testing it on the self executable:
HMODULE hMod = ::GetModuleHandle(NULL);
MODULEINFO mi = {0};
if(::GetModuleInformation(::GetCurrentProcess(), hMod, &mi, sizeof(mi)))
{
GetFunctionTable((BYTE*)hMod, mi.SizeOfImage);
}
But the problem is that inside my GetFunctionTable when I try to look up the function table mapped in memory in the IMAGE_DIRECTORY_ENTRY_EXCEPTION directory, I'm getting a pointer (i.e. IMAGE_RUNTIME_FUNCTION_ENTRY*) to an empty region of memory. I must be not translating the rva address correctly.
So anyone who knows how PE32+ header is mapped in memory, can please show what am I doing wrong there?
I need to port an old project to the latest visual studio but it has some very awful code in it that I don't know how to resolve.
if have this function:
void CBuffer::AddData( LPBYTE lpData, u_long uDataSize, u_long &uRemnant )
{
int cb;
LPBYTE ptr = GetWritableBuffer( (int *)&cb );
cb = ( cb < uRemnant? cb: uRemnant );
ASSERT( ptr + cb <= m_lpBufMax );
memcpy( (void*)ptr, &lpData[uDataSize - uRemnant], cb );
m_pTail = ptr + cb;
uRemnant -= cb;
}
which prompts
buffer.cpp(90): warning C4458: declaration of 'cb' hides class member
here int cb overwrite u_long cb defined by the class CBuffer.
Is there a way to tell which cb should be used after this?
LPBYTE ptr = GetWritableBuffer( (int *)&cb );
Local variables always shadow class member variables or global variables. So, in this method, always the local variable int cb is used.
I'd like to ask, how could I locate a specific (exported) function inside a DLL. For example I'd like to locate ReadProcessMemory inside Kernel32. I wouldn't like to rely on Import table, I'd like to locate different APIs based on their addresses what I get with a custom function.
I tried to make a small research on VA, RVA & File offsets, but I didn't succeed. Here's an example which I tried, but it isn't working (returns 0 in all cases):
DWORD Rva2Offset(DWORD dwRva, UINT_PTR uiBaseAddress)
{
WORD wIndex = 0;
PIMAGE_SECTION_HEADER pSectionHeader = NULL;
PIMAGE_NT_HEADERS pNtHeaders = NULL;
pNtHeaders = (PIMAGE_NT_HEADERS) (uiBaseAddress + ((PIMAGE_DOS_HEADER) uiBaseAddress)->e_lfanew);
pSectionHeader = (PIMAGE_SECTION_HEADER) ((UINT_PTR) (&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader);
if (dwRva < pSectionHeader[0].PointerToRawData)
return dwRva;
for (wIndex = 0; wIndex < pNtHeaders->FileHeader.NumberOfSections; wIndex++)
{
if (dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData))
return (dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData);
}
return 0;
}
Could you help me how could I accomplish this simple task?
Thank you.
P.s.: I'm not sticking to the function above, both if you can point out what's the problem, or give a better source would be awesome.
This gives you the relative virtual address
uintptr_t baseAddr = (uintptr_t)GetModuleHandle("nameOfExe.exe");
uintptr_t relativeAddr = functionAddress - baseAddr;
This converts relative virtual address to File offset:
DWORD RVAToFileOffset(IMAGE_NT_HEADERS32* pNtHdr, DWORD dwRVA)
{
int i;
WORD wSections;
PIMAGE_SECTION_HEADER pSectionHdr;
pSectionHdr = IMAGE_FIRST_SECTION(pNtHdr);
wSections = pNtHdr->FileHeader.NumberOfSections;
for (i = 0; i < wSections; i++)
{
if (pSectionHdr->VirtualAddress <= dwRVA)
if ((pSectionHdr->VirtualAddress + pSectionHdr->Misc.VirtualSize) > dwRVA)
{
dwRVA -= pSectionHdr->VirtualAddress;
dwRVA += pSectionHdr->PointerToRawData;
return (dwRVA);
}
pSectionHdr++;
}
return (-1);
}
I am writing a code for thread handling in C++. One instance of a Thread has a pointer to PCB structure and in the constructor of the Thread I just call myPCB = new PCB(name, stackSize, timeSlice, this). It was all working just fine until I tried to make an array of pointers to Thread.
When I just make a pointer to thread and initialized it with new Thread(name, stackSize, timeSlice) the name in PCB of that Thread is appointed correctly.
But when I try it with an array of pointers all the PCBs have the same value for name variable.
I have checked and they are all diffrent PCBs (their IDs are diffrent). Their names get properly initialized in the constructor, but somewhere between the end of the constructor of the Nth and the end of the (N+1)th all names get the same value, that of N+1.
PCB constructor:
PCB::PCB(TName namee, StackSize stackSizee, Time timeSlicee,Thread *threadd){
status = begging;
id = genID++;
if(namee) name = namee;
else name = "Thread"+id;
createStack(stackSizee);
thread = threadd;
timeSlice = timeSlicee;
System::numberOfThreads++;
System::allPCBQueue.add(this);
waitingMe = new Queue();
waitingFor = 0;
semaphore = 0;
sleepTime = -1;
}
void PCB::createStack(StackSize stackSize){
intOff;
if(stackSize > maxStack) stack = new char[maxStack];
else stack = new char[stackSize];
newSS = FP_SEG(stack + stackSize);
newSP = FP_OFF(stack + stackSize);
asm{
mov oldSS, ss
mov oldSP, sp
mov ss, newSS
mov sp, newSP
push ax; push bx; push cx; push dx; push es; push ds; push si; push di; push bp
mov newSP, sp
mov newSS, ss
mov sp, oldSP
mov ss, oldSS
}
stackPointer = MK_FP(newSS, newSP);
intOn;
}
I figure its something with createStack() but I don't know what. All help is appreciated.
*Note: I currently don't have constant access to the internet so please don't get angry if I don't reply fastly. I will try to check on this question as much as I can.
EDITED:
PCB class definition:
class PCB
{
static ID genID;
char *stack;
void *stackPointer;
Thread *thread;
TName name;
ID id;
Time timeSlice, sleepTime;
Status status;
Queue *waitingMe;
PCB* waitingFor;
KernelSem* semaphore;
friend class Thread;
// static unsigned newSS, newSP, oldSS, oldSP;
public:
static StackSize maxStack;
PCB(TName name, StackSize stackSize, Time timeSlice,Thread *thread);
~PCB(void);
void runThread();
ID getID(){
return id;
}
TName getName(){
return name;
}
void setStatus(Status status){
this->status = status;
}
Status getStatus(){
return status;
}
int getEnding(){
if(status == ending) return 1;
return 0;
}
int getBegging(){
if(status == begging) return 1;
return 0;
}
void createStack(StackSize stackSize);
void* getStackPointer(){
return stackPointer;
}
void setStack(void *newStackPointer){
stackPointer = newStackPointer;
}
Time getTimeSlice(){return timeSlice;}
Time getSleepTime(){return sleepTime;}
void decrementSleepTime(){sleepTime--;}
void setSemaphore(KernelSem* kersem){this->semaphore = kersem;}
void resetSemphore(){this->semaphore = 0;}
Thread* getThread(){return thread;}
};
Code where this happens:
Producer **pro = new Producer*[N];
for (i=0; i<N; i++){
producerName[8]='0'+i;
pro[i] = new Producer(buff, producerName ,'0'+i, TIME_SLICE);
pro[i]->start();
}
It's the part of a test file that I got with this assignment. It mustn't be changed. But it is regular.
I have put
allPCBQueue->listAll()
after
pro[i] = new Producer(buff, producerName ,'0'+i, TIME_SLICE);
and I always get that all of the names are same. allPCBQueue is a simple list of PCBs
if(namee) name = namee;
else name = "Thread"+id; <<< Doesn't do what you think it does.
"Thread" is a char *, adding a number to it will give you the pointer + offset.
You don't want to SWITCH to your new stack until AFTER you have created it. Instead of using push to store, just use something like this:
stackPointer = MK_FP(newSS, newSP);
unsigned *sp = reinterpret_cast<unsigned *>(stackPointer);
*--sp = 0; // AX
*--sp = 0; // BX
*--sp = 0; // CX
*--sp = 0; // DX
*--sp = default_ds; // You'll have to dig this out with some inline assembler
*--sp = default_es; // You'll have to dig this out with some inline assembler
*--sp = 0; // SI
*--sp = 0; // DI
*--sp = 0; // BP
stackPointer = reinterpret_cast<void *>(sp);
[Of course, it would be easier to just make stackpointer a pointer to int in the first place].
Since the thread is starting from scratch, values of AX, BX, etc, doesn't matter. ES/DS may matter depending on what memory model you are using. Not pushing onto the stack also means you don't have to disable interrupts for this part - always a bonus.
Unfortunately, your code isn't showing what you are doing with "array of PCB's", so I can't say what' wrong there. And I'm sure someone says this should be a comment, not an answer, since it doesn't actually answer your question - but formatting code in comments is nearly hopeless...
Edit:
I'm guessing that "producername" is a local variable in your code that creates the threads. This won't work, but I think it's a bit difficult to dictate that the caller must ensure that the name stays forever, so I think what you should do is:
if(namee)
{
size_t len = strlen(namee);
char *name_buf = new char[len+1];
strcpy(name_buf, namee);
name = name_buf;
}
else
{
// Make up some random name here.
}
The code was
name = namee
or
this->name = namee
I just made it
strcpy(name, namee)
and it works now.