im new to c++ and im trying to byte pattern scann a remote process, but somehow it doesnt work for me.
the program just crashes when it executes the pattern finding function.
this is the scanning function im using:
bool VerifyAddress(HANDLE hProcess, DWORD dwAddress, PBYTE bMask, char *szMask)
{
PBYTE *pTemp = { 0 };
for (int i = 0; *szMask; ++szMask, ++bMask, ++i)
{
if (!ReadProcessMemory(hProcess, reinterpret_cast<LPCVOID>(dwAddress + i), &pTemp, 2048, 0))
return false;
if (*szMask == 'x' && reinterpret_cast<char*>(pTemp) != reinterpret_cast<char*>(*bMask))
return false;
}
return true;
}
DWORD ExternalFindPattern(HANDLE hProcess, PBYTE bMask, char *szMask)
{
for (DWORD dwCurrentAddress = 0x401000; dwCurrentAddress < 0x7FFFFFF; dwCurrentAddress++)
if (VerifyAddress(hProcess, dwCurrentAddress, bMask, szMask))
return dwCurrentAddress;
return -1;
}
and these are my parameters:
hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processID);
char* Pattern = "\x65\x6E\x64\x6D\x69\x73\x73\x69\x6F\x6E\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x0B\x00\x00\x00\x65\x6E\x64\x4D\x69\x73\x73\x69\x6F\x6E";
char* Mask = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
DWORD signAdress = ExternalFindPattern(hProc, (PBYTE)Pattern, Mask);
im sorry if this is a obvious nooby question, but im stuck for hours now and i just cant get it to work
Related
I am working on a encryption algo with c++ using WINAPI. My encryption works flawless and my decryption too untill the last chunk to be decrypted with final = TRUE. I got the NTE_BAD_DATA error.
PS : I manualy check the buffer and the decryption works fine untill the last CryptDecrypt.
If someone have an idea, kindly help me :)
Here is my code :
PVOID test(PVOID buffer, DWORD* length, PCHAR key_str2,bool isdecrypt) {
CHAR default_key[] = "3igcZhRdWq96m3GUmTAiv9";
CHAR* key_str = default_key;
size_t len = lstrlenA(key_str);
DWORD dwStatus = 0;
BOOL bResult = FALSE;
wchar_t info[] = L"Microsoft Enhanced RSA and AES Cryptographic Provider";
HCRYPTPROV hProv;
if (!CryptAcquireContextW(&hProv, NULL, info, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
dwStatus = GetLastError();
CryptReleaseContext(hProv, 0);
return 0;
}
HCRYPTHASH hHash;
if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
dwStatus = GetLastError();
CryptReleaseContext(hProv, 0);
return 0;
}
if (!CryptHashData(hHash, (BYTE*)key_str, len, 0)) {
DWORD err = GetLastError();
return 0;
}
HCRYPTKEY hKey;
if (!CryptDeriveKey(hProv, CALG_AES_128, hHash, 0, &hKey)) {
dwStatus = GetLastError();
CryptReleaseContext(hProv, 0);
return 0;
}
const size_t chunk_size = CHUNK_SIZE;
BYTE chunk[chunk_size] = { 0 };
DWORD out_len = 0;
BOOL isFinal = FALSE;
DWORD readTotalSize = 0;
DWORD inputSize = *length;
PVOID newBuff = VirtualAlloc(0, inputSize, MEM_COMMIT, PAGE_READWRITE);
while (true)
{
if (readTotalSize + chunk_size >= inputSize)
{
isFinal = TRUE;
memcpy(chunk, PVOID((DWORD)buffer + readTotalSize), inputSize - readTotalSize);
out_len = inputSize - readTotalSize;
}
else {
memcpy(chunk, PVOID((DWORD)buffer + readTotalSize), chunk_size);
out_len = chunk_size;
}
if (isdecrypt) {
if (!CryptDecrypt(hKey, NULL, isFinal, 0, chunk, &out_len)) {
int a = GetLastError();
break;
}
}
else {
if (!CryptEncrypt(hKey, NULL, isFinal, 0, chunk, &out_len, chunk_size)) {
break;
}
}
if (readTotalSize + chunk_size >= inputSize) {
memcpy(PVOID((DWORD)newBuff + readTotalSize), chunk, inputSize - readTotalSize);
readTotalSize += inputSize - readTotalSize;
}
else {
memcpy(PVOID((DWORD)newBuff + readTotalSize), chunk, chunk_size);
readTotalSize += chunk_size;
}
if (isFinal)
break;
memset(chunk, 0, chunk_size);
}
CryptReleaseContext(hProv, 0);
CryptDestroyKey(hKey);
CryptDestroyHash(hHash);
return newBuff;
}
You are not storing off the encryption the final block correctly.
The amount of data you pass into the encryption is in out_len, and the amount of data that is encrypted is put back into out_len. For a block cypher that doesn't matter for whole blocks, but your last block which is less than a whole block being passed into encryption probably creates a whole block of encrypted data.
This means that your encrypted data is probably a little larger than your plain text in the final block, but you make no effort to handle this so on when you decrypt you have an issue as you've dropped some of the encrypted data on the floor.
Use the value put into out_len by the encryption function to store off your data (as you overwrite your data stream you'll need to make sure there's space though)
Similar to C++ Windows - How to get process path from its PID but the reverse: How can I get a pid from a given path?
I am trying to write an update tool, and I want to see if the exe is in use. Then if it is in use, I want to wait for the process to exit. Therefore, I want to get the process PID belonging to the file.
Here is a quick and simple way to do what you are looking for. By using the QueryFullProcessImageName, you can do a quick check.
Things that can cause the following code not to work as desired:
If you do not have permissions to view a process, you will not be
able to see the information.
If the process is 64bit and you are running your application as 32 bit, you will see the process ID, but you can not open a process handle to it.
Example:
BOOL GetProcessName(LPTSTR szFilename, DWORD dwSize, DWORD dwProcID)
{
BOOLEAN retVal = FALSE;
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwProcID);
DWORD dwPathSize = dwSize;
if (hProcess == 0)
return retVal; // You should check for error code, if you are concerned about this
retVal = QueryFullProcessImageName(hProcess, 0, szFilename, &dwPathSize);
CloseHandle(hProcess);
return retVal;
}
BOOL IsProcessInUse(LPCTSTR process_name)
{
DWORD* pProcs = NULL;
DWORD dwSize = 0;
DWORD dwRealSize = 0;
TCHAR szCompareName[MAX_PATH + 1];
int nCount = 0;
int nResult = 0;
dwSize = 1024;
pProcs = new DWORD[dwSize];
EnumProcesses(pProcs, dwSize*sizeof(DWORD), &dwRealSize);
dwSize = dwRealSize / sizeof(DWORD);
for (DWORD nCount = 0; nCount < dwSize; nCount++)
{
ZeroMemory(szCompareName, MAX_PATH + 1 * (sizeof(TCHAR)));
if (GetProcessName(szCompareName, MAX_PATH, pProcs[nCount]))
{
if (_tcscmp(process_name, szCompareName) == 0)
{
delete[] pProcs;
return true;
}
}
}
delete[] pProcs;
return FALSE;
}
You would then use something simple like the following to test it:
if (IsProcessInUse(your_file))
AfxMessageBox(_T("The process is still running"));
else
AfxMessageBox(_T("The process has been closed"));
The above answers your indirect question. To answer your literal question, you would change the IsProcessInUse as follows:
DWORD GetNamedProcessID(LPCTSTR process_name)
{
DWORD* pProcs = NULL;
DWORD retVal = 0;
DWORD dwSize = 0;
DWORD dwRealSize = 0;
TCHAR szCompareName[MAX_PATH + 1];
int nCount = 0;
int nResult = 0;
dwSize = 1024;
pProcs = new DWORD[dwSize];
EnumProcesses(pProcs, dwSize*sizeof(DWORD), &dwRealSize);
dwSize = dwRealSize / sizeof(DWORD);
for (DWORD nCount = 0; nCount < dwSize; nCount++)
{
ZeroMemory(szCompareName, MAX_PATH + 1 * (sizeof(TCHAR)));
if (GetProcessName(szCompareName, MAX_PATH, pProcs[nCount]))
{
if (_tcscmp(process_name, szCompareName) == 0)
{
retVal = pProcs[nCount];
delete[] pProcs;
return retVal;
}
}
}
delete[] pProcs;
return 0;
}
One last important thing to note is the fact that this will only return a single instance (or PID) for a file, and this does not look for Modules that are used by process (so any DLL in use by process will not be identified, however, from the link you provided, you can see ways of utilizing that to get that level of functionality.
I'm currently working on a simple encryption/decryption system in C++ using the Windows API.
I believe I've been successful at getting CryptEncrypt() to work (AES_128) for encrypting a file.
But when I Use CryptDecrypt() to decrypt the file, the first 16 bytes are corrupted and then after 4000 bytes (which is the size of the chunks I'm pulling from ReadFile() and encrypting) is another chunk of corrupted bytes and so on. If I try to decrypt a file with a total length less than 4000 bytes, the decryption works perfectly.
I'm very confused about why this is happening. There are no errors at all.
Here is a snippet of my code (I have CryptEncrypt() and CryptDecrypt() right after each other to save me exporting the key and to make the testing faster):
DWORD bytesRead;
DWORD bytesWritten;
DWORD pointer = 0;
unsigned int blockSize = 4000;
void *fileBuffer = new unsigned char[4106];
bool EOF = false;
do
{
SetFilePointer(hFileOrginal,pointer,0,0);
ReadFile(hFileOrginal,fileBuffer,blockSize,&bytesRead,NULL);
if(bytesRead<blockSize)
{
EOF=true;
}
CryptEncrypt(aesKey,NULL,EOF,0,(BYTE *)fileBuffer,&bytesRead,(blockSize+16));
CryptDecrypt(aesKey,NULL,EOF,0,(BYTE *)fileBuffer,&bytesRead);
WriteFile(hTempFile,fileBuffer,bytesRead,&bytesWritten,NULL);
pointer +=bytesRead;
}
while(!EOF);
delete[] fileBuffer;
I would really appreciate any suggestions about whats going wrong.
EDIT: On a 4704 bytes file I got the following using breakpoints.
First ReadFile bytesread 4000
First CryptEncrypt bytesRead 4000
First CryptDecrypt bytesRead 4000
Second ReadFile bytesread 704
Second CryptEncrypt bytesread 720
Second CryptDecrupt bytesread 704
Everything seems good with that yet I still get a problem.
I'm using the enhanced crypto api (With verifycontext) with a generated a single AES key with the CRYPT_EXPORTABLE property
You are not doing any error handling at all. All of the API functions you are calling have return values and error codes, none of which you are checking.
You are also not managing bytesRead correctly. CryptEncrypt() modifies the variable you pass to it, which then affects your call to CreateDecrypt(), which also modifies it, and that then affects subsequent calls to SetFilePointer(), which you should not be calling in your loop to begin with. You are not validating that you have as many bytes as you are expecting, or that bytesRead ends up back at the original value that ReadFile() returned, so you may end up skipping bytes in the source file.
Try something more like this instead:
bool ReadFromFile(HANDLE hFile, void *Buffer, DWORD BufSize, DWORD *BytesRead)
{
if (BytesRead)
*BytesRead = 0;
LPBYTE pBuffer = (LPBYTE) Buffer;
DWORD dwRead;
while (BufSize > 0)
{
if (!ReadFile(hFile, pBuffer, BufSize, &dwRead, NULL))
return false;
if (dwRead == 0)
break;
pBuffer += dwRead;
BufSize -= dwRead;
if (BytesRead)
*BytesRead += dwRead;
}
return true;
}
bool WriteToFile(HANDLE hFile, void *Buffer, DWORD BufSize)
{
LPBYTE pBuffer = (LPBYTE) Buffer;
DWORD dwWritten;
while (BufSize > 0)
{
if (!WriteFile(hFile, pBuffer, BufSize, &dwWritten, NULL))
return false;
pBuffer += dwWritten;
BufSize -= dwWritten;
}
return true;
}
DWORD bytesRead;
const UINT blockSize = 4000;
LPBYTE fileBuffer = new BYTE[blockSize+16];
bool EOF;
if (SetFilePointer(hFileOrginal, 0, NULL, FILE_BEGIN) != 0)
{
errorCode = GetLastError();
...
}
else
{
do
{
if (!ReadFromFile(hFileOrginal, fileBuffer, blockSize, &bytesRead))
{
errorCode = GetLastError();
...
break;
}
EOF = (bytesRead < blockSize);
bytesEncrypted = bytesRead;
if (!CryptEncrypt(aesKey, NULL, EOF, 0, fileBuffer, &bytesEncrypted, blockSize+16))
{
errorCode = GetLastError();
...
break;
}
bytesDecrypted = bytesEncrypted;
if (!CryptDecrypt(aesKey, NULL, EOF, 0, fileBuffer, &bytesDecrypted))
{
errorCode = GetLastError();
...
break;
}
if (!WriteToFile(hTempFile, fileBuffer, bytesDecrypted))
{
errorCode = GetLastError();
...
break;
}
if (bytesDecrypted != bytesRead)
{
...
break;
}
}
while (!EOF);
}
delete[] fileBuffer;
I have the following in my CPP code which adds the current program into startup. I'm trying to modify the code to add a different program to startup, say I want to add a key so that "C:\mytime.exe" runs on startup. Could you please help me modify the code?
TCHAR szPath[MAX_PATH];
DWORD pathLen = 0;
pathLen = GetModuleFileName(NULL, szPath, MAX_PATH);
if (pathLen == 0)
{
return -1;
}
HKEY newValue;
if (RegOpenKey(HKEY_CURRENT_USER,
TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
&newValue) != ERROR_SUCCESS)
{
return -1;
}
DWORD pathLenInBytes = pathLen * sizeof(*szPath);
if (RegSetValueEx(newValue,
TEXT("My Program"),
0,
REG_SZ,
(LPBYTE)szPath,
pathLenInBytes) != ERROR_SUCCESS)
{
RegCloseKey(newValue);
return -1;
}
RegCloseKey(newValue);
return TRUE;
Simply replace this chunk of code:
pathLen = GetModuleFileName(NULL, szPath, MAX_PATH);
if (pathLen == 0)
{
return -1;
}
With this:
/* of course, use your own executable - make sure to not overflow the buffer! */
_tcscpy(szPath, _T("C:\\stackoverflow.exe"));
pathLen = _tcslen(szPath);
I am running into memory errors when I try to run my C++ program in Visual Studio 2012. I am thinking that this code is the cause (since when I remove it, it runs fine):
void GetMachineHash(CString &strHashHex) {
CMD5 cMD5;
BYTE *szHash = (BYTE*)malloc(48);
LPBYTE szMachineNameHash, szNetworkAddressHash, szVolumeIdHash;
TCHAR szMachineId[100];
DWORD nMachineIdLen = 100;
TCHAR szNetworkAddress[13];
IP_ADAPTER_INFO *pAdapterInfo, *pAdapter = NULL;
DWORD dwRetVal = 0;
ULONG ulOutBufLen = sizeof(IP_ADAPTER_INFO);
TCHAR szVolumeId[20];
TCHAR szVolumeName[MAX_PATH];
TCHAR szFileSystemName[MAX_PATH];
DWORD dwSerialNumber = 0;
DWORD dwMaxComponentLen = 0;
DWORD dwFileSystemFlags = 0;
ZeroMemory(szHash, 48);
ZeroMemory(szMachineId, 100);
ZeroMemory(szVolumeId, 20);
ZeroMemory(szVolumeName, MAX_PATH);
ZeroMemory(szFileSystemName, MAX_PATH);
ZeroMemory(szNetworkAddress, 13);
GetComputerName(szMachineId, &nMachineIdLen);
cMD5.Calculate(szMachineId);
szMachineNameHash = cMD5.Hash();
pAdapterInfo = (IP_ADAPTER_INFO *) malloc(sizeof(IP_ADAPTER_INFO));
if (pAdapterInfo == NULL) {
TRACE(_T("Error allocating memory needed to call GetAdaptersinfo()"));
szNetworkAddressHash = NULL;
}
// Make an initial call to GetAdaptersInfo to get the necessary size into the ulOutBufLen variable
if (GetAdaptersInfo(pAdapterInfo, &ulOutBufLen) == ERROR_BUFFER_OVERFLOW) {
free(pAdapterInfo);
pAdapterInfo = (IP_ADAPTER_INFO *)malloc(ulOutBufLen);
if (pAdapterInfo == NULL) {
TRACE(_T("Error allocating memory needed to call GetAdaptersinfo()"));
szNetworkAddressHash = NULL;
}
}
if ((dwRetVal = GetAdaptersInfo(pAdapterInfo, &ulOutBufLen)) == NO_ERROR) {
pAdapter = pAdapterInfo;
while (pAdapter) {
if (pAdapter->Type != MIB_IF_TYPE_LOOPBACK) {
_stprintf_s(szNetworkAddress, 13, _T("%.2X%.2X%.2X%.2X%.2X%.2X"),
pAdapter->Address[0],
pAdapter->Address[1],
pAdapter->Address[2],
pAdapter->Address[3],
pAdapter->Address[4],
pAdapter->Address[5]
);
break;
}
pAdapter = pAdapter->Next;
}
} else {
TRACE(_T("GetAdaptersInfo() call failed"));
szNetworkAddressHash = NULL;
}
cMD5.Calculate(szNetworkAddress);
szNetworkAddressHash = cMD5.Hash();
if (GetVolumeInformation(
NULL,
szVolumeName,
sizeof(szVolumeName),
&dwSerialNumber,
&dwMaxComponentLen,
&dwFileSystemFlags,
szFileSystemName,
sizeof(szFileSystemName))) {
_stprintf_s(szVolumeId, 20, _T("%lu"), dwSerialNumber);
}
cMD5.Calculate(szVolumeId);
szVolumeIdHash = cMD5.Hash();
// Calculate hash from hashes
memcpy(szHash, szMachineNameHash, 16);
memcpy(szHash+16, szNetworkAddressHash, 16);
memcpy(szHash+32, szVolumeIdHash, 16);
cMD5.Calculate(szHash, 48);
strHashHex.Preallocate(33);
strHashHex = cMD5.HexHash();
free(szHash);
free(pAdapterInfo);
return;
}
And then if I leave the function and just remove this code:
strHashHex.Preallocate(33);
strHashHex = cMD5.HexHash();
Then it will work fine as well. So I am wondering if that is the code that's causing the memory problems, and if it is, how can I fix it?
Here's the CMD5 class (which utilizes the Windows API to generate a MD5 sum):
class CMD5
{
public:
CMD5() {
if(CryptAcquireContext(&m_hCryptProv, NULL, MS_ENHANCED_PROV, PROV_RSA_FULL, CRYPT_NEWKEYSET) == 0){
if(GetLastError() == NTE_EXISTS){
CryptAcquireContext(&m_hCryptProv, NULL, MS_ENHANCED_PROV, PROV_RSA_FULL, 0);
}
}
}
~CMD5() {
if(m_hCryptProv)
CryptReleaseContext(m_hCryptProv, 0);
m_hCryptProv = NULL;
free(m_szHash);
}
bool Calculate(LPCTSTR szText) {
DWORD dwLen = sizeof(TCHAR) * _tcslen(szText);
DWORD dwHashLen;
DWORD dwHashLenSize = sizeof(DWORD);
if (CryptCreateHash(m_hCryptProv, CALG_MD5, 0, 0, &m_hHash)) {
if (CryptHashData(m_hHash, (const BYTE*)szText, dwLen, 0)) {
if (CryptGetHashParam(m_hHash, HP_HASHSIZE, (BYTE *)&dwHashLen, &dwHashLenSize, 0)) {
if(m_szHash = (BYTE*)malloc(dwHashLen)) {
if (CryptGetHashParam(m_hHash, HP_HASHVAL, (BYTE*)m_szHash, &dwHashLen, 0)) {
CryptDestroyHash(m_hHash);
}
}
}
}
}
return false;
}
bool Calculate(const LPBYTE szText, DWORD dwLen) {
DWORD dwHashLen;
DWORD dwHashLenSize = sizeof(DWORD);
if (CryptCreateHash(m_hCryptProv, CALG_MD5, 0, 0, &m_hHash)) {
if (CryptHashData(m_hHash, (const BYTE*)szText, dwLen, 0)) {
if (CryptGetHashParam(m_hHash, HP_HASHSIZE, (BYTE *)&dwHashLen, &dwHashLenSize, 0)) {
if(m_szHash = (BYTE*)malloc(dwHashLen)) {
if (CryptGetHashParam(m_hHash, HP_HASHVAL, (BYTE*)m_szHash, &dwHashLen, 0)) {
CryptDestroyHash(m_hHash);
}
}
}
}
}
return false;
}
LPBYTE Hash() const {
LPBYTE szHash = new BYTE[16];
ZeroMemory(szHash, 16);
memcpy(szHash, m_szHash, 16);
return szHash;
}
LPTSTR HexHash() const {
LPTSTR szBuf = new TCHAR[33];
ZeroMemory(szBuf, 33);
for (int i=0; i<16; i++)
_stprintf_s(szBuf+i*2, 33, _T("%02X"), m_szHash[i]);
szBuf[32]=0;
return szBuf;
}
private:
BYTE *m_szHash;
DWORD m_hHash;
HCRYPTPROV m_hCryptProv;
};
Also, the error I get from VS2012 is Critical error detected c0000374 and the call stack ends with a call to HeapAlloc() from _heap_alloc. Not sure if it matters but this code is being called in a DLL.
It looks like I was able to solve the memory allocation problems by changing the CMD5::HexHash() function to
void HexHash(CString &strHash) {
for (int i=0; i<16; i++)
strHash += StringFormat(_T("%02X"), m_szHash[i]);
return;
}
and call it via cMD5.HexHash(strHashHex);