I need to get the protocol version of an application, and I don't know too much about the inner workings of detouring. I usually use a detour class written by a friend of mine (Not windows detour, as this works on win/linux) but im wondering if anyone can give me some insight on how to retrieve the value of a global pointer? I found a function which uses it, but the class I use only allows for you to rewrite functions, not access individual lines. Here is what the assembly looks like from IDA...
I need to get the value of "gpszVersionString_ptr"
http://www.ampaste.net/m57f13aba
Edit
Sorry, it lost formatting so i had to ampaste it.
if it's already a compiled binary. How about extracting the string using string pattern match?
For example you can read in the file char by char and search for the pattern:
Protocol version %i\nExe version %s
(%s)
Related
Is there a way to rename a win32 function like GetVolumeInformationW() using #define ?
For example:
#define abc(LPCWSTR a, LPWSTR b, ...) GetVolumeInformationW(Some argumments..)
Why do that? I want to hide the function name on debbuger programms like IDA, is there some way to did that?
Language: C++
There is no point in using #define for this, as this will have no effect on the contents of the binary executable. Using preprocessor macros will only affect what you as a programmer will see, but it won't affect what the compiler or linker will see. See this link for information on how the C++ preprocessor works and its relationship with the compiler/linker.
If you do not want the function to appear in the Import Table of your executable, then you can instead load the function dynamically using GetProcAddress. That way, a disassembler will probably be unable to determine which function the address is pointing to, when the function is being called. However, the disassembler will be able to see that you are using GetProcAddress for something, it just won't know what. Using the function GetProcAddress may make someone trying to crack your software suspicious, because that is a common thing to do if you are trying to hide something.
If you do not want the string GetVolumeInformationW to appear in cleartext in your executable file, then you can somehow encrypt or obfuscate it, for example store it in reverse and then reverse it back before passing it to GetProcAddress. This was just a very simple example of how it could be done. Using XOR (which is the ^ operator in C++) on every character with a certain key to encrypt, and then do the same thing again to decrypt, would probably be a better solution, as this would make the the encrypted text not be easily identifiable as text.
Is there a way to rename a win32 function like GetVolumeInformationW() using #define ?
No, macros do not serve that purpose. You could define a macro such that Win32 function names do not appear literally in your source code, other than in the macro definitions, but that does not rename the functions, nor even prevent the function names from appearing in your compiled object files, libraries, or executables.
It can't, because the Win32 API's function names are established by the platform headers and (especially) libraries. You're not rebuilding the platform libraries, only linking the existing ones to your own code, so your code has no alternative but to use the API's function names to call API functions.
Why do that? I want to hide the function name on debbuger programms like IDA, is there some way to did that?
Obfuscation is not a very effective defense technique. It is far more likely to make trouble for you, in the ordinary development of your software, than to present a major hurdle to a skilled adversary. You can obfuscate the names of your own functions if you nevertheless wish to do so, but no, you cannot change the names of platform API functions.
You'll be calling a function out of a shared DLL. Defines are strictly preprocessor.
What you want to do is create a hash function to hash the string "GetVolumeInformationW". As well as the name of the module thats in. For example "Kernel32.dll"
Get the PEB using the FS or GS register. Then go to the PEB_LDR_DATA list. Run each list entry and hash the DLL name against your Kernel32 hashed string. If the hashes match, you grab the base of the library in that same structure.
After this you will then trace the export table. And do the same thing you did above, where you compare each export name to the hashed "GetVolumeInformationW" string. When it's found, you will then call the address it's at using a function pointer.
This is the sole way to do it. Bonus points if the encrypted strings are stored on the stack. So when coding it do
char[] szKernel32 = 'K', 'e', 'r', 'n'.........;
Also, do not use GetProcAddress. It defeats the point of hiding, since anyone experienced with IDA will instantly search for GetProcAddress.
I am writing a program that will pre-fill out an email to be send with data. However, I want to display the email to the user before actually sending it. The display method included in the MailItem class for C++ requires a VARIANT variable. I'm relatively new to C++, so I've never dealt with a VARIANT variable before. From my research, I found this which explains what a Variant is.
When I declare a variant and use that for the parameter, I just get the error "Bad variable type." The code I used is below. I knew that wouldn't work, but I honestly don't know what to populate the variant with in order to get it to work. The site for the MailItem class says that the variant variable shouldn't be required, but my code won't compile without it. That site appears to be for Visual Basic, which doesn't help me working in C++.
VARIANT modal;
olMailItem.Display(modal);
Do any of you have any experience with this and can point me in the right direction? I appreciate it.
Just guessing, declare your variable to pass as something like this:
_variant_t modal(VARIANT_TRUE);// probably looking for a VARIANT_BOOL
Nice guess! I’ve tested the answer in the reaction above and it is indeed correct! “_variant_t modal(VARIANT_TRUE);”
You can use this in combination with the working example I’ve used about: automate Outlook by using C++ in Visual Studio. https://support.microsoft.com/en-us/kb/2575036
…
_variant_t modal(VARIANT_TRUE);
yourCMailItem.Display(modal); // The e-mail appears
…
I am aware that in Pro*C is possible to pass to a procedure either a host variable or a String literal:
dbms_pipe.purge(:pipe_name);
dbms_pipe.purge('pipe_name');
Is it possible to pass a method return to a Pro*C procedure? The following call don't work:
dbms_pipe.purge(pipe_name.c_str());
Late answer, but still:
First of all, Pro*C is quite dumb. It becomes even more dumb when switching from C to C++-Mode.
Your second example does not challenge Pro*C at all, because the string constant is just part of your sql-statement.
Your first example is just what it can do. You cannot access members of structs (But you can read in whole structs), call functions or whatever. The only way to deal with this is first to copy the result of the function call into a host-variable and then pass that to Pro*C. To find the Manual, try google search for "oracle pro*c developer guide". If you read it carefully, you will understand what you can do and what not...
I have a list of functions in a text file that I'd like to expose to LLVM for its execution engine at run time, I'm wondering if its possible to find pointers to the functions at runtime rather than hard code in all the GlobalMappings by hand as I'd probably like to add in more later. For example:
// File: InternalFunctions.txt
PushScreen
PopScreen
TopScreen
// File: ExposeEngine.cpp
// Somehow figure out the address of the function specified in a string
void* addy = magicAddress("PushScreen");
jit->addGlobalMapping(llvmfunction, addy);
If this is possible I love to know how to do it, as I am trying to write my game engine by jit-ing c++. I was able to create some results earlier, but I had to hard-code in the mappings. I noticed that Gtk uses something along the lines of what I'm asking. When you use glade and provide a signal handler, the program you build in c will automatically find the function in your executable referenced by the string provided in the glade file. If getting results requires me to look into this Gtk thing I'd be more than happy to, but I don't know what feature or part of the api deals with that - I've already tried to look it up. I'd love to hear suggestions or advice.
Yes, you can do this. Look at the man pages for dlopen() and dlsym(): these functions are standard on *nix systems and let you look up symbols (functions or variables) by name. There is one significant issue, which is that C++ function names are usually "mangled" to encode type information. A typical way around this is to define a set of wrapper functions in an extern "C" {} block: these will be non-member, C-style functions which can then call into your C++ code. Their names will not be mangled, making them easy to look up using dlsym().
This is a pretty standard way that some plugin architectures work. Or at least used to work, before everyone started using interpreted languages!
I have some code which is relatively big, but there is one part of it which uses something called CString (http://msdn.microsoft.com/en-us/library/aa300688%28v=vs.60%29.aspx) . Right now I am using the mingw compiler on eclipse and it doesnt seem to recognize it which makes sense. But I need to use the other part of the code. I know I can replace the CString with a const char * but there are several function like append which the code uses which are not defined. I was wondering whats the best way to port this code? Also there are other stdafx.h dependencies also like _T(). Whats the best approach I should take now?
There is a CString replacement over on CodeProject. I just googled for "CString alternative". I haven't looked at it but it should be easier to use that instead of std::string.