I would need help with a problem. I have 2 processes running, one the Watchdog and the other a simple test process. I need process 2 to call code from the Watchdog, the reason I do this is to reduce the size of process 2. For example process 2 must call a function called "IsSafe" from the watchdog. The IsSafe function relies on other code belonging to Watchdog process and it will not be viable to rewrite this code for process 2. I have thought of ideas, please could you advise on which is the best solution and or give advice.
Idea One
Use Named pipes to communicate between processes and pass parameters and return values around.
Idea Two
Use Share Memory to share parameters and return values
Idea Three
Use windows messages, I honestly think this will not work
Idea Four
Somehow create a executable portion of shared memory and execute this code with a far jmp.
Please could you advise.
RPC was invented long ago. Then COM on top of that. In my opinion best forget your idea, but if you must, use COM.
By the way, to communicate between processes on the same Windows machine without COM, use mailslots.
Seems you forgot about them in you list.
Cheers & hth.,
Although putting the code in the process which needs to call it is good advice in general, in the particular case of a watchdog (also debugger and any other form of error handler) using separate processes is correct. You don't want the watchdog to fail due to an error in the main code, so it needs to be a separate process.
A named pipe would be ideal in this scenario, the TransactNamedPipe function is designed just for this.
A DLL is the standard implementation of idea 4. It's loaded in both address spaces, but shared in physical RAM. You don't need special tricks; it works everywhere and Windows will deal with any security issues for you.
It's also portable to most other Operating Systems, although they're generally called something else, e.g. .so on Linux.
All you really need is some IPC. For a lightweight and easy solution, simply define an application specific message with WM_APP and have a mapping from the wParam/lParam for parameters. If you find you need more than 8 bytes, you could use WM_COPYDATA instead.
Related
I want know what are the possible solutions to bypass a dll injection made by a rootkit everytime that any process is executed (where is used a global hook on WH_CALLWNDPROC message to detect this)?
Based in my case and also in this answer, i already know (and tested) of two alternatives that works 100% to bypass this, are they::
1. UnhookWindowsHookEx
2. Execute my process via other process, with flag DEBUG_ONLY_THIS_PROCESS using CreateProcess, to receive notifications of DLL loading, when this is detected i take the EntryPoint of dll and write something to that, then the dll is unloaded.
3. Other possible solution could be TLS callback like was said on answer linked above, but i don't know how implement (in code) to this purpose of anti dll injection. Someone know and could give a code example?
Thank you in advance by any suggestion/or others alternatives to bypass this way of dll injection.
EDITION:
I think that the 3rd possible solution enumerated above seems deserve
a attention. Then I'm searching by a answer with a code example about this: "A process can host a TLS callback, and then it will receive notifications of thread creation. That can intercept thread creation such as what is produced by CreateRemoteThread. If the thread start address is LoadLibrary(), then you have a good indication that someone is about to force-load a DLL." And then block the dll injection.
I think it's unnecessary to keep finding different alternatives, instead, use the alternatives you have already found, such as UnhookWindowsHookEx. If you want, just try out the TLS callback anyway.
In C you can create multi process application using fork() and you can then communicate using a FIFO pipe. I have learned that C++ only supports multi threaded applications and if you want a multi-process application you have to rely on fork().
But in C++ type checking is crucial so I can't just pipe objects through a pipe without any risks. You could cast to void* and ask sizeof and the send everything through a pipe to typecast it back to the original object.
So why does this feel so wrong? Is multi-process architecture not used in C++ or are there libraries or better ways of doing things. I have googled a little and the only thing you find is multithreaded C++ or multi-process C.
The reason for wanting more processes is that I want my application to be as robust as possible. If my web service crashes I want my main process to restart it. There is no way of doing this multithreaded since you never know if 1 thread hasn't corrupted memory in another thread so if you get an error in one thread you have to restart out of safety.
I assume by multiprocess programs you mean concurrently running two separate instances of a program with some shared data between them. Communicating between processes can be tricky. I have always gotten by with the pipe-typecasting method you described, or by using a local socket system to send data back and forth, however there do exist libraries for higher-level communication between processes, see boost.interprocess I would give that a look, and see if it can fit your needs.
As far as I understand your question right your main problem is passing data from one process to another via some kind of serial connection.
If this is the case and you are just passing flat data structures up and down the line there should be no problem using the method you already described. Just shot the whole bunch of bits down the line and cast to the corresponding type on the other end of the line. As far as you're only communicating with processes running on the same machine with executables generated by the same compiler and with same compiler switches there won't be any problem with byte-order, member alignment or whatever.
If on the other hand your data is more complex containing some kind of references to other objects lists of dynamic length or the like then you'll soon get into big trouble using the simple cast to void* and pump the data bit by bit strategy. So you'll definately need a more sophisticated approach at "serialization" and "deserialization" of your objects.
These ("serialization" and "deserialization") are the two terms you might want to investigate further on to find the approach that best fits your problem.
As you'll soon find out these are problems to which "solutions" are invented over and over again with such a zoo of standards like XDR used by sun RPC and ASN.1 to name just a few that it is hard to tell which one will best fit to your use case.
If you're going with C++ you might want to take a look at the solution the boost has to offer (see: http://www.boost.org/doc/libs/1_39_0/libs/serialization/doc/index.html)
Yet again - if it's just flat data structures you're passing back and forth don't bother with any overhead of that kind and just shoot the data down the line bit by bit.
I have a very simple interface which needs to communicate between processes. It's currently implemented in a very simple manner (all single proc):
bool GetFoo(struct Foo *outFoo);
bool GetBar(struct Bar *getBar);
Such as:
Foo foo;
if (!GetFoo(&foo))
{
ReportError();
}
GetFoo fills out the "Foo" data structure with pure data (that is, no pointers - it's purely blitable data).
I need to convert this in-process function call to be between two processes on the same machine (in this case it's always the same machine). Is there a commonly followed idiom for cross-process calls in C++ on Windows? Is there some kind of intra-process communication supported by Windows? Should I be using shared memory instead?
One note: I don't want to take a dependency on anything other than the Windows APIs if at all possible.
You have many choices, but in my personal experience the most popular/easy to use ones are: sockets & pipes.
See here for all IPC options available for Windows.
I'm not sure what the most common is -- to truly answer that we'd have to have some kind of polling. That said, the most flexible way would probably be to expose the methods via DCOM.
A common method would be RPC, it can be implemented in various ways for instance as Billy mentioned using COM` (or DCOM if the processes are residing on different machines).
Although you may want to think about not doing direct RPC calls and instead have a named pipe between your processes which is used for the communication.
There are a number of ways to communicate between processes on the same computer in Windows. Which one works best depends on the relationship between the two processes. Is one process expected to start the other? In that case an out-of-process COM server would probably work best, since you can restart the other process if it is not already running.
If performance is critical, then shared memory will give you the most control the speed of passing the data between your processes.
One thing to think about is the failure semantics of running multiple processes. What does the calling process do if the callee is not there?
I need to call a function (an LLVM JIT to be specific) from a C++ application. This call might fail or even signal abort() or exit(). How can I avoid or at least reduce effects on my host application? Someone suggested using fork(), however I need a solution for both windows and posix. Even if I would use fork() ... would it be possible for the two processes to communicate (pass some pointers around)?
You basically have to isolate the call that might fail spectacularly, so yes, you probably have to create a separate process for it. I'd actually be tempted to create a small executable just containing this particular call and the necessary supporting functionality and call that from your main executable. This gets you around the lack of fork() on Windows and allows you to use the same mechanisms to communicate.
You can't pass pointers around between processes as they're not sharing the same address space. What I would do is have the spawned process reading data from stdin and write to stdout with the controlling process piping data into the child's stdin and reading from the child's stdout. Basically the way a Unix (command line) filter works. Another alternative if you're passing around a lot of data would be to write/read to/from a file on disk (better, a RAM disk) and communicate that way, but unless you're talking a lot of data, that's overkill.
As Eugen pointed out in the comments, you can also use shared memory if you want to pass pointers around or another inter-process communication mechanism depending on how much data you need to pass around. That said, choose the simplest possible method as nested executables like these aren't that easy to debug in the first place.
Is there any way I can have a thread branch off into its own independent process? I know there's the CreateProcess function but as far as I can tell, you can only run external applications with it. Is what I'm asking for at all possible?
It is possible.
You could call CreateProcess with a dummy application and with the CREATE_SUSPENDED flag so it doesn't run immediately. Then you can use VirtualAllocEx to allocate memory space in the created process and WriteProcessMemory to write code and data into it. And then unsuspend the process to run it.
You can also use CreateRemoteThread to create a process running within the context of another existing process.
So what you want to do is possible, but it's really not a simple thing to do in a windows environment so you'd have to have a really good reason to want to do it.
That's not possible under Windows. On Posix platforms the desired effect could be achieved by fork()ing.