I'm a beginner with C++. In my code, I am trying to get a list of the updates installed on the machine.
In my machine 1, I'm using Windows 7, and the code work perfectly. But in machine 2, using Windows 7 too, I get the error.
I don't understand enough to know what actually needs fixing, or how to fix it.
My program stops working with the below code, and displays this error:
unhandled exception system.NullReferenceException object reference not set to an instance
try
{
HRESULT hr;
hr = CoInitialize(NULL);
IUpdateSession* iUpdate;
IUpdateSearcher* searcher;
ISearchResult* results;
BSTR criteria = SysAllocString(L"IsInstalled=0 or IsHidden=1 or IsPresent=1");
hr = CoCreateInstance(CLSID_UpdateSession, NULL, CLSCTX_INPROC_SERVER, IID_IUpdateSession, (LPVOID*)&iUpdate);
hr = iUpdate->CreateUpdateSearcher(&searcher);
//wcout << L"Searching for updates ..." << endl;
hr = searcher->Search(criteria, &results);
SysFreeString(criteria);
switch (hr)
{
case S_OK:
//wcout << L"List of applicable items on the machine:" << endl;
break;
case WU_E_LEGACYSERVER:
wcout << L"No server selection enabled" << endl;
case WU_E_INVALID_CRITERIA:
wcout << L"Invalid search criteria" << endl;
}
IUpdateCollection *updateList;
IUpdate *updateItem;
LONG updateSize = 0;
LONG totalKB = 0;
results->get_Updates(&updateList);
updateList->get_Count(&updateSize);
if (updateSize == 0)
{
//wcout << L"No updates found" << endl;
}
for (LONG i = 0; i < updateSize; i++)
{
IStringCollection *KBCollection;
BSTR updateName;
LONG KBCount;
updateList->get_Item(i, &updateItem);
updateItem->get_Title(&updateName);
USES_CONVERSION;
//outputFile << W2A(CString(updateName)) << " --- ";
updateItem->get_KBArticleIDs(&KBCollection);
KBCollection->get_Count(&KBCount);
for (int i = 0; i<KBCount; i++)
{
BSTR KBValue;
totalKB += 1;
KBCollection->get_Item(i, &KBValue);
USES_CONVERSION;
//std::string strk = streamkb.str();
file << "{" << endl;
std::stringstream ss;
ss << W2A(CString("KB")) << W2A(CString(KBValue));
std::string s = ss.str();
list2.push_back(s);
file << "\"Correctif" << totalKB << "\": \"" << W2A(CString("KB")) << W2A(CString(KBValue)) << "\"" << endl;
file << "}," << endl;
}
}
::CoUninitialize();
}
catch (const std::exception & ex)
{
}
Related
Trying to write code to change the registry keys with c++ after endless amount of time I reached this point but this code still does not edit the registry even when running as admin
to change the registry 4 functions are needed according to this question which I used and every single one of them returns a zero which means that the function completed without errors but still no values are changed in the registry gui
the SecurityHealth strartup service is running on my machine and has the path %windir%\system32\SecurityHealthSystray.exe and type REG_EXPAND_SZ
I even tried creating a new entry similar to the SecurityHealth and still nothing is changed
I am compiling as admin and running as admin
HKEY open_reg()
{
int result;
LPCSTR lpSubKey = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
HKEY hKey;
result = RegOpenKeyExA(HKEY_LOCAL_MACHINE, lpSubKey, 0, KEY_QUERY_VALUE|KEY_WRITE|KEY_READ|KEY_SET_VALUE, &hKey);
if ( result != 0)
{
cout << " Failed to open registry. - [ "<< result<< "]" <<endl;
}
else
{
cout << "Found registry key. - [" << result<<"]" << endl;
}
return hKey;
}
HKEY find_reg_value(HKEY handle)
{
LPCSTR lpValueName = "SecurityHealth";
DWORD BufferSize = TOTALBYTES;
DWORD cbData;
int dwRet;
PPERF_DATA_BLOCK PerfData = (PPERF_DATA_BLOCK) malloc( BufferSize );
cbData = BufferSize;
cout << "\nRetrieving the data..." << endl;
dwRet = RegQueryValueExA( handle,
lpValueName,
NULL,
NULL,
(LPBYTE) PerfData,
&cbData );
if ( dwRet == 0 )
{
cout << "Successfully quered [" << dwRet << "]"<<endl;
}
else
{
cout << "Failed to query Error code : [" << dwRet << "]"<<endl;
}
return handle;
}
void set_reg_value(HKEY handle)
{
int result;
LPCSTR lpValueName = "SecurityHealth";
std::string file = "C:\\Windows\\System32\\cmd.exe";
const char * sth = file.c_str();
unsigned char m_Test[file.size()];
strcpy((char*)m_Test, sth);
DWORD DATA_SIZE = file.size()+1;
result = RegSetValueExA(handle,lpValueName,0,REG_EXPAND_SZ,m_Test,DATA_SIZE);
if ( result == 0 )
{
cout << "Successfully changed value [" << result << "]"<<endl;
}
else
{
cout << "Failed to change value Error code : [" << result << "]"<<endl;
}
RegCloseKey (handle);
}
int main()
{
cout << "testing windows registry " << endl;
HKEY reg_handle = open_reg();
HKEY handler = find_reg_value(reg_handle);
set_reg_value(handler);
system("PAUSE");
return 0;
}
the compiled exe output in the terminal
testing windows registry
Found registry key. - [0]
Retrieving the data...
Successfully quered [0]
Successfully changed value [0]
Press any key to continue . . .
Compiled with g++ regutil.cpp
I suspect you are compiling as a 32-bit program but looking at a 64-bit registry. Switch to compiling as 64-bit instead. (There is a 32-bit registry instead, which can be found buried within the 64-bit hives but you likely want to change the actual 64-bit version).
every single one of them returns a zero which means that the function completed without errors but still no values are changed in the registry GUI
The only way that can happen is if either:
You are not updating the GUI after making the changes.
you are modifying a different area of the Registry then you are viewing, ie if you are modifying the 32bit Registry but viewing the 64bit Registry, or vice versa. Read up about the Registry Redirector, Registry Keys Affected by WOW64 and Accessing an Alternate Registry View on MSDN for more details about working with the 32bit and 64bit Registry views.
That being said, there are a number of other mistakes in your code.
Try something more like this instead:
HKEY open_reg()
{
HKEY hKey = NULL;
int result = RegOpenKeyExA( HKEY_LOCAL_MACHINE,
"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
0,
KEY_QUERY_VALUE | KEY_SET_VALUE /* | KEY_WOW64_(32|64)KEY if needed */,
&hKey );
if ( result != 0 )
{
cout << " Failed to open Registry, Error " << result << endl;
return NULL;
}
else
{
cout << "Opened Registry key" << endl;
return hKey;
}
}
void query_reg_value(HKEY handle)
{
DWORD cbBuffer = TOTALBYTES;
std::vector<char> buffer(cbBuffer);
cout << "\nRetrieving the data..." << endl;
int result = RegQueryValueExA( handle,
"SecurityHealth",
NULL,
NULL,
reinterpret_cast<LPBYTE>(buffer.data()),
&cbBuffer );
if ( result == 0 )
{
cout << "Successfully quered: ";
while (cbBuffer != 0 && buffer[cbBuffer-1] == '\0') --cbBuffer; // ignore null terminator(s)
cout.write(buffer.data(), cbBuffer);
cout << endl;
}
else
{
cout << "Failed to query, Error " << result << endl;
}
}
void set_reg_value(HKEY handle)
{
std::string file = "C:\\Windows\\System32\\cmd.exe";
int result = RegSetValueExA( handle,
"SecurityHealth",
0,
REG_EXPAND_SZ,
reinterpret_cast<LPCBYTE>(file.c_str()),
file.size()+1);
if ( result == 0 )
{
cout << "Successfully changed value" << endl;
}
else
{
cout << "Failed to change value, Error " << result << endl;
}
}
int main()
{
cout << "testing Windows Registry" << endl;
HKEY hKey = open_reg();
if (hKey) {
query_reg_value(hKey);
set_reg_value(hKey);
RegCloseKey(hKey);
}
system("PAUSE");
return 0;
}
However, it should be noted that only admin users have write access to HKLM keys by default, most users have read-only access. As such, it is not a good idea to open a key under HKLM for both reading and writing at the time same, unless you know what you are doing. You should open a key for reading only, read from it, and close it. Same for writing. For instance:
HKEY open_reg(bool isWriting)
{
HKEY hKey = NULL;
int result = RegOpenKeyExA( HKEY_LOCAL_MACHINE,
"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
0,
(isWriting ? KEY_SET_VALUE : KEY_QUERY_VALUE) /* | KEY_WOW64_(32|64)KEY if needed */,
&hKey );
if ( result != 0 )
{
cout << " Failed to open Registry, Error " << result << endl;
return NULL;
}
else
{
cout << "Opened registry key" << endl;
return hKey;
}
}
void query_reg_value()
{
HKEY hKey = open_reg(false);
if (!hKey) return;
DWORD cbBuffer = TOTALBYTES;
std::vector<char> buffer(cbBuffer);
cout << "\nRetrieving the data..." << endl;
int result = RegQueryValueExA( hKey,
"SecurityHealth",
NULL,
NULL,
reinterpret_cast<LPBYTE>(buffer.data()),
&cbBuffer );
if ( result == 0 )
{
cout << "Successfully quered: ";
while (cbBuffer != 0 && buffer[cbBuffer-1] == '\0') --cbData; // ignore null terminator(s)
cout.write(buffer.data(), cbBuffer);
cout << endl;
}
else
{
cout << "Failed to query, Error " << result << endl;
}
RegCloseKey(hKey);
}
void set_reg_value()
{
HKEY hKey = open_reg(true);
if (!hKey) return;
std::string file = "C:\\Windows\\System32\\cmd.exe";
int result = RegSetValueExA( hKey,
"SecurityHealth",
0,
REG_EXPAND_SZ,
reinterpret_cast<LPCBYTE>(file.c_str()),
file.size()+1);
if ( result == 0 )
{
cout << "Successfully changed value" << endl;
}
else
{
cout << "Failed to change value, Error " << result << endl;
}
RegCloseKey(hKey);
}
int main()
{
cout << "testing Windows Registry" << endl;
query_reg_value();
set_reg_value();
system("PAUSE");
return 0;
}
The task of getting the PID of the process that I'm starting, CreateProcess() ProcessInformation.dwProcessId does a great job of this, but in my case, the process that I start opens the child processes and then closes, and I need to get all the PIDs that creates the process I am opening.
I found this code, it receives the child PIDs but they do not match the final Firefox window, what am I doing wrong
Source:
CreateProcess returns handle different than launched Chrome.exe
Update 1
After Drake Wu - MSFT comment, I used the following code
int test(const wchar_t* programPath) {
HANDLE Job = CreateJobObject(nullptr, nullptr);
if (!Job) {
std::cout << "CreateJobObject, error " << GetLastError() << std::endl;
return 0;
}
HANDLE IOPort = CreateIoCompletionPort(INVALID_HANDLE_VALUE, nullptr, 0, 1);
if (!IOPort) {
std::cout << "CreateIoCompletionPort, error " << GetLastError() << std::endl;
return 0;
}
JOBOBJECT_ASSOCIATE_COMPLETION_PORT Port;
Port.CompletionKey = Job;
Port.CompletionPort = IOPort;
if (!SetInformationJobObject(Job,
JobObjectAssociateCompletionPortInformation,
&Port, sizeof(Port))) {
std::cout << "SetInformation, error " << GetLastError() << std::endl;
return 0;
}
PROCESS_INFORMATION ProcessInformation;
STARTUPINFOW StartupInfo = { sizeof(StartupInfo) };
LPWSTR szCmdline = const_cast<LPWSTR>(programPath);
if (!CreateProcessW(
programPath,
nullptr,
nullptr,
nullptr,
FALSE,
CREATE_SUSPENDED,
nullptr,
nullptr,
&StartupInfo,
&ProcessInformation))
{
std::cout << "CreateProcess, error " << GetLastError() << std::endl;
return 0;
}
std::cout << "PID: " << ProcessInformation.dwProcessId << std::endl;
if (!AssignProcessToJobObject(Job, ProcessInformation.hProcess)) {
std::cout << "Assign, error " << GetLastError() << std::endl;
return 0;
}
ResumeThread(ProcessInformation.hThread);
CloseHandle(ProcessInformation.hThread);
CloseHandle(ProcessInformation.hProcess);
DWORD CompletionCode;
ULONG_PTR CompletionKey;
LPOVERLAPPED Overlapped;
while (GetQueuedCompletionStatus(IOPort, &CompletionCode, &CompletionKey, &Overlapped, INFINITE))
{
switch (CompletionCode)
{
case JOB_OBJECT_MSG_NEW_PROCESS:
std::cout << "New PID: " << (int)Overlapped << std::endl;
break;
case JOB_OBJECT_MSG_EXIT_PROCESS:
std::cout << "Exit PID: " << (int)Overlapped << std::endl;
break;
case JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO:
std::cout << "JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO" << std::endl;
break;
default:
break;
}
if (CompletionCode == JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO)
break;
}
std::cout << "All done" << std::endl;
}
and I got the following results:
standart Firefox
test(L"C:\\Program Files\\Mozilla Firefox\\firefox.exe");
portable edition Firefox
test(L"D:\\FirefoxPortable\\FirefoxPortable.exe");
As before, PIDs are incorrectly returned. In the case of the portable version, the process hangs on the while loop, in the case of the standard version of firefox, GetQueuedCompletionStatus() returns JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO. Why am I getting the wrong result?
Update 2
I ran Visual Studio as an administrator and, but on standard startup everything displays correctly
I tested that the process of Firefox is not new and exit in order(the pid obtained by CreateProcess will exit), and your code will not receive the new Firefox process if there is any new process created later.
You could use swtich-case statement, the following sample work for me:
int openProgram(const wchar_t* programPath) {
HANDLE Job = CreateJobObject(nullptr, nullptr);
if (!Job) {
std::cout << "CreateJobObject, error " << GetLastError() << std::endl;
return 0;
}
HANDLE IOPort = CreateIoCompletionPort(INVALID_HANDLE_VALUE, nullptr, 0, 1);
if (!IOPort) {
std::cout << "CreateIoCompletionPort, error " << GetLastError() << std::endl;
return 0;
}
JOBOBJECT_ASSOCIATE_COMPLETION_PORT Port;
Port.CompletionKey = Job;
Port.CompletionPort = IOPort;
if (!SetInformationJobObject(Job,
JobObjectAssociateCompletionPortInformation,
&Port, sizeof(Port))) {
std::cout << "SetInformation, error " << GetLastError() << std::endl;
return 0;
}
PROCESS_INFORMATION ProcessInformation;
STARTUPINFO StartupInfo = { sizeof(StartupInfo) };
LPTSTR szCmdline = _tcsdup(programPath);
if (!CreateProcessW(
nullptr,
szCmdline,
nullptr,
nullptr,
FALSE,
CREATE_SUSPENDED,
nullptr,
nullptr,
&StartupInfo,
&ProcessInformation))
{
std::cout << "CreateProcess, error " << GetLastError() << std::endl;
return 0;
}
std::cout << "PID: " << ProcessInformation.dwProcessId << std::endl;
if (!AssignProcessToJobObject(Job, ProcessInformation.hProcess)) {
std::cout << "Assign, error " << GetLastError() << std::endl;
return 0;
}
ResumeThread(ProcessInformation.hThread);
CloseHandle(ProcessInformation.hThread);
CloseHandle(ProcessInformation.hProcess);
DWORD CompletionCode;
ULONG_PTR CompletionKey;
LPOVERLAPPED Overlapped;
while (GetQueuedCompletionStatus(IOPort, &CompletionCode, &CompletionKey, &Overlapped, INFINITE))
{
switch (CompletionCode)
{
case JOB_OBJECT_MSG_NEW_PROCESS:
std::cout << "New PID: " << (int)Overlapped << std::endl;
break;
case JOB_OBJECT_MSG_EXIT_PROCESS:
std::cout << "Exit PID: " << (int)Overlapped << std::endl;
break;
case JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO:
std::cout << "JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO" << std::endl;
break;
default:
break;
}
if (CompletionCode == JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO)
break;
}
std::cout << "All done" << std::endl;
}
Result:
I'm setting a program to create a COM connection from an ocx file.
I'm using visual studio 2019 with debug x86. It correctly generate the .tlh and .tli files.
My failed tests:
Use visualtudio 2017 and 2019
Use CoCreateInstance:
IMachine* machine = NULL;
// this gives the same error:
HRESULT hr2 = CoCreateInstance(CLSID_Machine, NULL, CLSCTX_INPROC_SERVER,
IID_IMachine,
reinterpret_cast<LPVOID*>(&machine));
Replace CLSID_Machine by the _uuidof(IMachine)
Replace CLSID_Machine by the LPCWSTR clsidString
This is a part of my code:
#import "lib.ocx" no_namespace , named_guids
HRESULT hr1 = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);
try {
if (SUCCEEDED(hr1))
{
IMachinePtr machineCUPtr;
HRESULT hr2 = machineCUPtr.CreateInstance(CLSID_Machine, NULL,
CLSCTX_INPROC_SERVER); //Failure
if (FAILED(hr2))
{
std::cout << "Fail:" << hr2 << std::endl;
}
else {
std::cout << "Success: " << hr2 << std::endl;
}
}
else {
std::cout << "Fail CoInit: " << std::endl;
}
}
catch (_com_error& e)
{
std::cout << "COM ERROR catched " << std::endl;
std::cout << "Code = %08lx\n" << e.Error() << std::endl;
std::cout << "Meaning = %s\n" << e.ErrorMessage() << std::endl;
std::cout << "Source = %s\n" << (LPCSTR)e.Source() << std::endl;
std::cout << "Description = %s\n" << (LPCSTR)e.Description() << std::endl;
}
CoUninitialize();
}
I still have this error:
Exception raised to 0x00B20768 in myApp.exe : 0xC000000005 : Access
violation during execution at location 0x00B20768.
Edit:
'''
#include <iostream>
#import "libcom.ocx"
using namespace LIBCOM;
int main()
{
CoInitialize(NULL);
IMachinePtr machineCUPtr(__uuidof(Machine)); //Same error
machineCUPtr->MyMethod(parameters of the method);
CoUninitialize();
return 0;
}
''''
I need to receive screenshots from MS Mirror driver, but unexpectedly I noticed, that CreateDC() function returns NULL and GetLastError gives me Error#1801 ("The printer name is invalid")
extern "C" __declspec(dllexport) HDC InitDC() {
DWORD dwAttach = 0;
DEVMODE devmode;
// Make sure we have a display on this thread.
BOOL change = EnumDisplaySettings(NULL,
ENUM_CURRENT_SETTINGS,
&devmode);
LPCWSTR driverName = L"Microsoft Mirror Driver";
devmode.dmFields = DM_BITSPERPEL |
DM_PELSWIDTH |
DM_PELSHEIGHT |
DM_POSITION ;
devmode.dmSize = sizeof(DEVMODE);
devmode.dmDriverExtra = 0;
if (change)
{
// query all display devices in the system until we hit a primary
// display device. Using it get the width and height of the primary
// so we can use that for the mirror driver. Also enumerate the
// display devices installed on this machine untill we hit
// our favourate mirrored driver, then extract the device name string
// of the format '\\.\DISPLAY#'
DISPLAY_DEVICE dispDevice;
FillMemory(&dispDevice, sizeof(DISPLAY_DEVICE), 0);
dispDevice.cb = sizeof(DISPLAY_DEVICE);
LPCWSTR deviceName = NULL;
devmode.dmDeviceName[0] = '\0';
INT devNum = 0;
BOOL result;
DWORD cxPrimary = 0xFFFFFFFF;
DWORD cyPrimary = 0xFFFFFFFF;
// First enumerate for Primary display device:
while ((result = EnumDisplayDevices(NULL,
devNum,
&dispDevice,
0)) == TRUE)
{
wcout << "DriverName: " << dispDevice.DeviceString << endl;
wcout << "DevName: " << dispDevice.DeviceName << endl;
if (dispDevice.StateFlags & DISPLAY_DEVICE_PRIMARY_DEVICE)
{
// Primary device. Find out its dmPelsWidht and dmPelsHeight.
EnumDisplaySettings(dispDevice.DeviceName,
ENUM_CURRENT_SETTINGS,
&devmode);
cxPrimary = devmode.dmPelsWidth;
cyPrimary = devmode.dmPelsHeight;
wcout << "Selected Primary DevName (width, height): " << dispDevice.DeviceName << " (" << cxPrimary << "," << cyPrimary << ")" << endl << endl;
break;
}
devNum++;
}
// error check
if (!result)
{
wcout << "No " << driverName << " found " << endl;
exit(0);
}
if (cxPrimary == 0xffffffff || cyPrimary == 0xffffffff)
{
wcout << "cxPrimary or cyPrimary not valid" << endl;
exit(0);
}
// Enumerate again for the mirror driver:
devNum = 0;
while ((result = EnumDisplayDevices(NULL,
devNum,
&dispDevice,
0)) == TRUE)
{
LPCWSTR devString = dispDevice.DeviceString;
wcout << " devString: "<< devString << endl;
if (wcscmp(devString, driverName ) == 0) {
wcout << " Driver selected: "<< driverName << endl;
break;
}
devNum++;
}
// error check
if (!result)
{
wcout << "No " << driverName << " found " << endl;
exit(0);
}
wcout << "DevNum " << devNum << endl <<
"DeviceName: " << dispDevice.DeviceName << endl <<
"DeviceString: " << dispDevice.DeviceString << endl <<
"DeviceID: " << dispDevice.DeviceID << endl <<
"DeviceKey: " << dispDevice.DeviceKey << endl;
CHAR *deviceNum = new CHAR[MAX_PATH];
LPSTR deviceSub;
// Simply extract 'DEVICE#' from registry key. This will depend
// on how many mirrored devices your driver has and which ones
// you intend to use.
_wcsupr(&dispDevice.DeviceKey[0]);
deviceSub = (LPSTR)(wcsstr(&dispDevice.DeviceKey[0],
L"\\DEVICE"));
if (!deviceSub) {
printf("deviceSub - yes \n");
deviceNum[0] = (CHAR)(((string)("DEVICE0")).c_str());
}
else {
printf("!deviceSub \n");
deviceNum[0] = (CHAR)(((string)("DEVICE1")).c_str());
}
// Reset the devmode for mirror driver use:
FillMemory(&devmode, sizeof(DEVMODE), 0);
devmode.dmSize = sizeof(DEVMODE);
devmode.dmDriverExtra = 0;
devmode.dmFields = DM_BITSPERPEL |
DM_PELSWIDTH |
DM_PELSHEIGHT |
DM_POSITION;
//wcscpy( devmode.dmDeviceName, sizeof(devmode.dmDeviceName, L"mirror" );
deviceName = dispDevice.DeviceName;
StringCbCopy(devmode.dmDeviceName, sizeof(devmode.dmDeviceName), dispDevice.DeviceName);
wcout << "dmDeviceName: " << devmode.dmDeviceName << endl;
wcout << "deviceName: " << deviceName << endl;
wcout << "driverName: " << driverName << endl;
/* !!! THE PROBLEM IS HERE !!!*/
HDC hdc = CreateDC(driverName, deviceName, NULL, &devmode );
if ( hdc == NULL ) {
wcout << "CreateDC error: " << GetLastError() << endl;
return NULL;
}
return hdc;
}
return NULL;
}
Thanks for an assistance!
UPD1:
deviceName = "\\.\DISPLAYV1"
driverName = "Microsoft Mirror Driver"
devmode.dmDeviceName = "\\.\DISPLAYV1"
I'm trying to read the contents of a DLL from memory for some academic research. Specifically, the NTDSA.DLL library for the purpose of mutating specific instructions to simulate programming errors to force the system to fail. The failure will then be recorded to train machine learning algorithms to predict future failures (this is an attempt to generalize previously published research seen here).
I'm getting what I believe to be the base address in virtual memory of the lsass.exe process (which loads the target DLL) through the process outlined here. I'm then calling ReadProcessMemory with an allocated buffer and the handle to lsass obtained by calling OpenProcess with 'PROCESS_ALL_ACCESS' set. The ReadProcessMemory returns with error code 299 80% of the time (partial read) with zero bytes read. My assumption is that the area I'm trying to access is in use when the call is made. Fortunately, it will occasionally return the number of bytes I'm requesting. Unfortunately, the data returned does not match what is on disk when compared to the static DLL in the System32 directory.
So the question is, is ReadProcessMemory doing something funny with the address that I give it, or is my virtual address wrong? Is there another way to figure out where that DLL gets loaded into memory? Any thoughts? Any help or suggestions would be greatly appreciated.
Adding Code:
// FaultInjection.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
#include <psapi.h>
#include <string>
#include <iostream>
#include <fstream>
#include <stdio.h>
#include <io.h>
#include <tchar.h>
using namespace std;
int _tmain(int argc, _TCHAR* argv[]) {
// Declarations
int pid = 0;
__int64* start_addr;
DWORD size_of_ntdsa;
DWORD aProcesses[1024], cbNeeded, cProcesses;
TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");
HMODULE hmods[1024];
unsigned int i;
// Get All pids
if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded)){
cout << "Failed to get all PIDs: " << GetLastError() << endl;
return -1;
}
// Find pid for lsass.exe
cProcesses = cbNeeded / sizeof(DWORD);
for (i = 0; i < cProcesses; i++) {
if (aProcesses[i] != 0) {
HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcesses[i]);
if (hProc != NULL) {
HMODULE hMod;
DWORD cbNeededMod;
if (EnumProcessModules(hProc, &hMod, sizeof(hMod), &cbNeededMod)) {
GetModuleBaseName(hProc, hMod, szProcessName, sizeof(szProcessName) / sizeof(TCHAR));
}
if (wstring(szProcessName).find(L"lsass.exe") != string::npos) {
pid = aProcesses[i];
}
CloseHandle(hProc);
}
}
}
cout << "lsass pid: " << pid << endl;
HANDLE h_lsass = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (!h_lsass) {
cout << "Failed to open process (are you root?): " << GetLastError() << endl;
return -1;
}
// Get Process Image File Name
char filename[MAX_PATH];
if (GetProcessImageFileName(h_lsass, (LPTSTR)&filename, MAX_PATH) == 0) {
cout << "Failed to get image file name: " << GetLastError() << endl;
CloseHandle(h_lsass);
return -1;
}
// Enumerate modules within process
if (EnumProcessModules(h_lsass, hmods, sizeof(hmods), &cbNeeded)) {
for (i = 0; i < (cbNeeded / sizeof(HMODULE)); i++) {
TCHAR szModName[MAX_PATH];
if (GetModuleFileNameEx(h_lsass, hmods[i], szModName, sizeof(szModName) / sizeof(TCHAR))) {
if (wstring(szModName).find(L"NTDSA.dll") != string::npos) {
_tprintf(TEXT("%s\n"), szModName);
MODULEINFO lModInfo = { 0 };
if (GetModuleInformation(h_lsass, hmods[i], &lModInfo, sizeof(lModInfo))){
cout << "\t Base Addr: " << lModInfo.lpBaseOfDll << endl;
cout << "\t Entry Point: " << lModInfo.EntryPoint << endl;
cout << "\t Size of image: " << lModInfo.SizeOfImage << endl;
start_addr = (__int64*)lModInfo.lpBaseOfDll;
size_of_ntdsa = lModInfo.SizeOfImage;
}
else {
cout << "Failed to Print enumerated list of modules: " << GetLastError() << endl;
}
}
} else {
cout << "Failed to Print enumerated list of modules: " << GetLastError() << endl;
}
}
}
else {
cout << "Failed to enum the modules: " << GetLastError() << endl;
}
// Ready to continue?
string cont = "";
cout << "Continue? [Y|n]: ";
getline(cin, cont);
if (cont.find("n") != string::npos || cont.find("N") != string::npos) {
CloseHandle(h_lsass);
return 0;
}
void* buf = malloc(size_of_ntdsa);
if (!buf) {
cout << "Failed to allocate space for memory contents: " << GetLastError() << endl;
CloseHandle(h_lsass);
return -1;
}
SIZE_T num_bytes_read = 0;
int count = 0;
if (ReadProcessMemory(h_lsass, &start_addr, buf, size_of_ntdsa, &num_bytes_read) != 0) {
cout << "Read success. Got " << num_bytes_read << " bytes: " << endl;
} else {
int error_code = GetLastError();
if (error_code == 299) {
cout << "Partial read. Got " << num_bytes_read << " bytes: " << endl;
} else {
cout << "Failed to read memory: " << GetLastError() << endl;
CloseHandle(h_lsass);
free(buf);
return -1;
}
}
if (num_bytes_read > 0) {
FILE *fp;
fopen_s(&fp, "C:\\ntdsa_new.dll", "w");
SIZE_T bytes_written = 0;
while (bytes_written < num_bytes_read) {
bytes_written += fwrite(buf, 1, num_bytes_read, fp);
}
fclose(fp);
cout << "Wrote " << bytes_written << " bytes." << endl;
}
CloseHandle(h_lsass);
free(buf);
return 0;
}
Code works as described minus my amateur mistake of sending the address of the variable I was using to store the address of the location in virtual memory of the target application. In above code, changed:
if (ReadProcessMemory(h_lsass, &start_addr, buf, size_of_ntdsa, &num_bytes_read) != 0) {
to
if (ReadProcessMemory(h_lsass, start_addr, buf, size_of_ntdsa, &num_bytes_read) != 0) {
Works like a charm. Thank you ssbssa for pointing out mistake, sorry for wasting anyone's time.