News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

CreateProcessWithTokenW function, it seems to work in UNICODE mode

Started by Fraile, December 31, 2019, 10:41:43 PM

Previous topic - Next topic

Fraile

Hi Ramon, I encounter the following problem: the CreateProcessWithTokenW function, it seems to work in UNICODE mode. so I modified easy Code, and selected: check / uncheck the Build project as Unicode (Windows NT or later)

And in the code I added:

IFDEF APP_UNICODE

  Mov Eax, SizeOf MSi
Mov MSi.cb, Eax

Invoke CreateProcessWithTokenW, hToken, 0, TextAddrW ("D: \ MFTRead.exe"), 0, 0, 0, 0, Addr MSi, Addr Pinf

ENDIF

But it gives me a system error. I attached project under easy code.

This on vb.net 2010 works fine.


The application has to be run in administrator mode.

Am I doing something wrong with the easycode?

Thank you very much, regards.


rsala

Hi AsmAlmeria12,

Sorry for the inconveniences and thanks for attaching a sample project.

Please give me some time to see the problem and fix it.

Regards,

Ramon
EC coder

rsala

Hi,

There is no bug in Easy Code, the problem is that your project is a Masm project and Masm projects use the MASM32 SDK. The 'CreateProcessWithTokenW' function is not defined in any of the include/library files of the MASM32 SDK (it should be in the 'advapi32' files).

So the solution is "manually" calling the 'CreateProcessWithTokenW' function in the following way:

   ;============ The next line has to be commented ============
   ;Invoke CreateProcessWithTokenW, hToken, 0, TextAddrW("D:\MFTRead.exe"), 0, 0, 0, 0, Addr MSi, Addr Pinf

   Push Edi
   Push Esi
   ;Open the 'advapi32.dll' library
   Invoke LoadLibrary, TextStr("advapi32.dll")
   .If Eax
      ;Save the library handle in Edi
      Mov Edi, Eax

      ;Get the 'CreateProcessWithTokenW' function entry point
      Invoke GetProcAddress, Edi, TextStr("CreateProcessWithTokenW")
      .If Eax
         ;Save the function entry point in Esi
         Mov Esi, Eax

         ;Put the arguments into the stack
         Lea Eax, Pinf
         Push Eax
         Lea Eax, MSi
         Push Eax
         Push 0
         Push 0
         Push 0
         Push 0
         Push TextAddrW("D:\MFTRead.exe")
         Push 0
         Push hToken

         ;Call to 'CreateProcessWithTokenW' function
         Call Esi
      .EndIf
      ;Free the 'advapi32.dll' library
      Invoke FreeLibrary, Edi
   .EndIf
   Pop Esi
   Pop Edi

But take into account that the 'CreateProcessWithTokenW' function is included in Windows Vista (or Windows Server 2003) and later, so for any previous Windows system the 'GetProcAddress' call will return 0 because the 'CreateProcessWithTokenW' function will not be found, that is, this application will not work for any Windows version previous to Windows Vista (or Windows Server 2003).

Attached is your project (modified for working fine).

Regards and happy New Year!
EC coder

Fraile

Hi Ramon, happy new year. Thanks for your explanation. The case is that, if in easy code, I have the option marked: the Build project as Unicode (Windows NT or later).
It does not execute the function: Invoke GetProcAddress, Edi, TextStr ("CreateProcessWithTokenW"). If I uncheck, the option, if it enters, but the same error as before occurs.

The executable that produces easy code, I run in administrator mode, which is how it should work.

This project has really chopped me. Can you think of anything?

Thank you

Fraile

Hi Ramon, I have already achieved it! Investigating a little more. Attached modifications, in case someone can reuse the code. Thank you.

                     Invoke RtlZeroMemory, Addr MSi, SizeOf MSi
                     Invoke RtlZeroMemory, Addr Pinf, SizeOf Pinf

                       Mov Eax, SizeOf MSi
                     Mov MSi.cb, Eax

                     ;============ The next line has to be commented ============
                     ;Invoke CreateProcessWithTokenW, hToken, 0, TextAddrW("D:\MFTRead.exe"), 0, 0, 0, 0, Addr MSi, Addr Pinf

                     Push Edi
                     Push Esi
                     ;Open the 'advapi32.dll' library
                     Invoke LoadLibrary, TextStr("advapi32.dll")
                     .If Eax
                        ;Save the library handle in Edi
                        Mov Edi, Eax
                  
                        ;Get the 'CreateProcessWithTokenW' function entry point
                        Invoke GetProcAddress, Edi, TextStr("CreateProcessWithTokenW")
                        .If Eax
                           ;Save the function entry point in Esi
                           Mov Esi, Eax
                  
                           ;Put the arguments into the stack
                           Lea Eax, Pinf
                           Push Eax
                           Lea Eax, MSi
                           Push Eax
                           Push 0
                           Push 0
                           Push 0
                           Push TextAddrW("D:\MFTRead.exe")
                           Push 0
                           Push LOGON_WITH_PROFILE
                           Push hToken
                  
                           ;Call to 'CreateProcessWithTokenW' function
                           Call Esi

                           Invoke PasarADecimal, Eax

                        .EndIf
                        ;Free the 'advapi32.dll' library
                        Invoke FreeLibrary, Edi
                     .EndIf
                     Pop Esi
                     Pop Edi

rsala

Hi,

Happy New Year!

You should be aware of something. When you check the Build project as Unicode (Windows NT or later) option, the TextStr macro returns a Unicode string and the problem is that the GetProcAddress function only works with ANSI strings (it does not accept Unicode strings), so if the Build project as Unicode (Windows NT or later) option is checked, you should use the TextStrA macro when calling GetProcAddress:

Invoke GetProcAddress, Edi, TextStrA("CreateProcessWithTokenW")

That works perfectly well.

Regards,

Ramon

EC coder