Visual Studio C++: inline assembly to C++

[flashcoder]

@TWell,

you code is failing on 32 bit version :(. See below:



My GetgSharedInfo() function is like this:

Code Select Expand


SHAREDINFO* GetgSharedInfo(){

SHAREDINFO* gSharedInfo=NULL;
HMODULE   huser32=NULL;

huser32=LoadLibrary(L"user32.dll");
if (huser32 == NULL)
{
printf("LoadLibrary faild\n");
return 0;
}

gSharedInfo = (SHAREDINFO*)GetProcAddress(huser32, "gSharedInfo");
if( gSharedInfo != NULL )
{
return gSharedInfo;
}

return NULL;
}


[TWell]

I don't have a Windows 7 32-bit, so i can't test it.
Under Windows x64 or WindowsXP it won't work.

[flashcoder]

I don't have a Windows 7 32-bit, so i can't test it.
Under Windows x64 or WindowsXP it won't work.

This was tested in a Windows 7 32-bit (phisycal computer and also in a Virtual Machine VmWare).

[TWell]

Thanks for the info.

[flashcoder]

@TWell,

Some times, *pHandle is empty, generating this error of Access Violation.

How solve?

[TWell]

As that cHandleEntries was wrong, try this instead

Code Select Expand

ULONG cHandleEntries = pSharedInfo->psi->cHandleEntries;another way

Code Select Expand

ULONG cHandleEntries = *(ULONG*)(*((BYTE**)pSharedInfo)+8);in test program

Code Select Expand

#ifdef _WIN64
if (*(ULONG*)(((BYTE*)gSharedInfo)+16) == 24) { // win64 Win 7 ->
EnumHandles(gSharedInfo);
}
#else
if (*(ULONG*)(((BYTE*)gSharedInfo)+8) == 18) { // win32 Win 7 ->
EnumHandles(gSharedInfo);
} else if (*(ULONG*)(((BYTE*)gSharedInfo)+16) == 24) { // win32 WOW64 Win 7 ->
EnumHandles3264(gSharedInfo);
}
#endif


[flashcoder]

@TWell,

I still have received Access Violation when tested in Windows 7 32 bit after last changes, but now in other place on code see:



Here is complete code:

Code Select Expand


// ConsoleApplication1.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

int printf(const char * restrictformat, ...);

#define TYPE_HOOK 5

typedef struct _HANDLEENTRY64 {
ULONGLONG pHead;
ULONGLONG pOwner;
BYTE bType;
BYTE bFlags;
WORD wUniq;
} HANDLEENTRY64, *PHANDLEENTRY64;

typedef struct _SHAREDINFO64 {
ULONGLONG psi;
ULONGLONG aheList;
ULONG HeEntrySize;
ULONGLONG pDispInfo;
ULONG_PTR ulSharedDelta;
ULONG_PTR awmControl;
ULONG_PTR DefWindowMsgs;
ULONG_PTR DefWindowSpecMsgs;
} SHAREDINFO64, *PSHAREDINFO64;

typedef struct _HOOK_
{
ULONGLONG Handle;
ULONG LockObj;
ULONGLONG ThreadInfo;
ULONGLONG Desktop1;
ULONGLONG Self;
ULONGLONG NextHook;
LONG HookType;
ULONGLONG FunctionAddress;
ULONG Flags;
ULONG ModuleHandle;
PVOID Hooked;
PVOID Desktop2;
} HOOK_, *PHOOK, **PPHOOK;

void EnumHandles3264(SHAREDINFO64 *pSharedInfo64)
{
struct _TEB* pTeb = NtCurrentTeb();
ULONGLONG offset = *(ULONGLONG*)(((BYTE*)pTeb) - 0x2000 + 0x800 + 0x28); // pTeb->Win32ClientInfo.ulClientDelta
ULONG cHandleEntries = *((ULONG *)((ULONG)pSharedInfo64->psi + 8));
HANDLEENTRY64 *Handle = (HANDLEENTRY64*)pSharedInfo64->aheList;
for (ULONG i = 0; i < cHandleEntries; ++i)
{
HANDLEENTRY64* pHandle = Handle++;
if (pHandle->bType != TYPE_HOOK) continue;
HOOK_* HookInfo = (HOOK_*)((UINT_PTR)pHandle->pHead - offset);
if (HookInfo)
{
printf("Found hook at %p", HookInfo);
printf(" Handle: %08llX %2d %d\n", HookInfo->Handle, HookInfo->HookType, HookInfo->Flags);
}
}
}

//|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

typedef struct _HOOK
{
HANDLE Handle;
ULONG LockObj;
PVOID ThreadInfo;
PVOID Desktop1;
PVOID Self;
PVOID NextHook;
LONG HookType;
PVOID FunctionAddress;
ULONG Flags;
ULONG ModuleHandle;
PVOID Hooked;
PVOID Desktop2;
ULONG bitField;
} HOOK, *PHHOOK, **PPHHOOK;

typedef struct _HANDLEENTRY {
PVOID pHead;
PVOID pOwner;
BYTE bType;
BYTE bFlags;
WORD wUniq;
} HANDLEENTRY, *PHANDLEENTRY;

typedef struct _SERVERINFO {
WORD   wRIPFlags;
WORD   wSRVIFlags;
WORD   wRIPPID;
WORD   wRIPError;
ULONG  cHandleEntries;
// incomplete
} SERVERINFO, *PSERVERINFO;

typedef struct _SHAREDINFO {
PSERVERINFO psi;
PHANDLEENTRY aheList;
ULONG HeEntrySize;
ULONG_PTR pDispInfo;
ULONG_PTR ulSharedDelta;
ULONG_PTR awmControl;
ULONG_PTR DefWindowMsgs;
ULONG_PTR DefWindowSpecMsgs;
} SHAREDINFO, *PSHAREDINFO;

void EnumHandles(SHAREDINFO *pSharedInfo)
{
struct _TEB* pTeb = NtCurrentTeb();
#ifdef _WIN64
ULONGLONG offset = *(ULONGLONG*)(((BYTE*)pTeb) + 0x800 + 0x28); // pTeb->Win32ClientInfo.ulClientDelta
#else
ULONG offset = *(ULONG*)(((BYTE*)pTeb) + 0x6CC + 0x1C); // pTeb->Win32ClientInfo.ulClientDelta
#endif
ULONG cHandleEntries = pSharedInfo->psi->cHandleEntries;
HANDLEENTRY *Handle = (HANDLEENTRY*)pSharedInfo->aheList;
for (ULONG i = 0; i < cHandleEntries; ++i)
{
HANDLEENTRY* pHandle = Handle++;
if (pHandle->bType != TYPE_HOOK) continue;
HOOK* HookInfo = (HOOK*)((UINT_PTR)pHandle->pHead - offset);
if (HookInfo)
{
printf("Found hook at %p", HookInfo);
printf(" Handle: %08llX %2d %d\n", HookInfo->Handle, HookInfo->HookType, HookInfo->Flags);
}
}
}

PVOID GetgSharedInfo() {

PVOID gSharedInfo = NULL;
HMODULE   huser32 = NULL;

huser32 = LoadLibrary(L"user32.dll");
if (huser32 == NULL)
{
printf("LoadLibrary faild\n");
return gSharedInfo;
}

gSharedInfo = GetProcAddress(huser32, "gSharedInfo");
if (gSharedInfo != NULL)
{
return gSharedInfo;
}

return gSharedInfo;
}

int main()
{
#ifdef _WIN64
if (*(ULONG*)(((BYTE*)gSharedInfo) + 16) == 24) { // win64 Win 7 ->
EnumHandles(((SHAREDINFO*)GetgSharedInfo()));
}
#else
//if (*(ULONG*)(((BYTE*)GetgSharedInfo()) + 8) == 18) { // win32 Win 7 ->
EnumHandles(((SHAREDINFO*)GetgSharedInfo()));
//}
//else if (*(ULONG*)(((BYTE*)GetgSharedInfo()) + 16) == 24) { // win32 WOW64 Win 7 ->
//EnumHandles3264((SHAREDINFO64*)GetgSharedInfo());
//}
#endif
system("pause");

    return 0;
}




[TWell]

Please, give us output of this program from Windows 7 32-bit.

Code Select Expand

#define WIN32_LEAN_AND_MEAN
#include <windows.h>

int printf(const char * restrict format, ...);

typedef struct _SERVERINFO {
#ifdef _WIN64
DWORD64 dwSRVIFlags;
#else
    DWORD dwSRVIFlags;
#endif
ULONG  cHandleEntries;
// incomplete
} SERVERINFO, *PSERVERINFO;

typedef struct _SHAREDINFO {
// PVOID psi;
PSERVERINFO psi;
PVOID aheList;
ULONG HeEntrySize;
// incomplete
} SHAREDINFO, *PSHAREDINFO;

int main(void)
{
SHAREDINFO *pSharedInfo = (SHAREDINFO *)GetProcAddress(LoadLibraryA("user32"), "gSharedInfo");
printf("\nSharedInfo %ph\n", pSharedInfo);
printf("SharedInfo->psi->cHandleEntries %u\n", pSharedInfo->psi->cHandleEntries);
printf("SharedInfo->aheList %ph\n", pSharedInfo->aheList);
printf("SharedInfo->HeEntrySize %Xh\n", pSharedInfo->HeEntrySize);
// more test
ULONG ul;
#ifndef _WIN64
if (*(ULONG*)(((BYTE*)pSharedInfo)+8) == 18) {
ul = *(ULONG*)(((BYTE*)pSharedInfo->psi)+4); // OK
printf("cHandleEntries %u\n", ul);
ul = *(ULONG*)(*((BYTE**)pSharedInfo)+4); // another way
printf("cHandleEntries %u\n", ul);
printf("aheList %ph\n", *(ULONG*)(((BYTE*)pSharedInfo)+4));
} else
#endif
if (*(ULONG*)(((BYTE*)pSharedInfo)+16) == 24) { // win64 / win32 WOW64 Win 7 ->
ul = *(ULONG*)(((BYTE*)pSharedInfo->psi)+8); // OK
printf("cHandleEntries %u\n", ul);
ul = *(ULONG*)(*((BYTE**)pSharedInfo)+8); // another way
printf("cHandleEntries %u\n", ul);
printf("aheList %ph\n", *(ULONG*)(((BYTE*)pSharedInfo)+8));
}
return 0;
}EDIT: fix 32-bit test

[jj2007]

Win7-64:

Code Select Expand

SharedInfo 76bb04e0h
SharedInfo->psi->cHandleEntries 2389
gSharedInfo->aheList 00000000h
SharedInfo->HeEntrySize 4E0000h
cHandleEntries 2389
cHandleEntries 2389

[flashcoder]

Windows 7 32-bit



Windows 7 64-bit

[flashcoder]

@TWeel,

i already solved this trouble  ;).

HANDLEENTRY
SERVERINFO
SHAREDINFO

are wrongs for Windows 7 32-bit.

These structs of link below that are correct, see  WIN32K.SYS OBJECT HANDLE ADDRESSES on following link:

http://www.securitynewspaper.com/2017/02/22/revisiting-windows-security-hardening-kernel-address-protection/