HookTools
x86 support
hi, thank you for this nice project, do you have plans to port to x86 and wow?
I have tried some things:
/* Get the pointer to the CLIENTINFO struct. &TEB.Win32ClientInfo */
#ifdef _M_IX86
    d->pvWin32ClientInfo = (void *)((char *)d->pvTeb + 0x6cc);  /* 32-bit TEB */
#else
    d->pvWin32ClientInfo = (void *)((char *)d->pvTeb + 0x800);  /* 64-bit TEB */
#endif

/* offsetof( struct CLIENTINFO, pDeskInfo ) */
if( ( G->prog->dwOSMajorVersion == 5 ) && ( G->prog->dwOSMinorVersion == 0 ) ) // win2k
    offsetof_pDeskInfo = 20;
else // XP+
#ifdef _M_IX86
    offsetof_pDeskInfo = 24;
#else
    offsetof_pDeskInfo = 32;
#endif
but it is crashing, any idea how to solve the issue?
wow64 support would be a good idea too
Hi,
Which OS are you using? so i'll start with that one. did you run it within debugger? should tell you where it's crashing usually.
@tigros I think it is crashing because I compiled as x86 and my OS is windows 7 x64, so it is running as WOW64, TEB is empty at 0x6cc and 0x800 offsets, I am going to debug it better and post results
i've just found out compiling as x86 isn't straight forward at all, did you make a bunch of changes to compile it?
started off with 1>snapshot.c(587): error C2440: 'function': cannot convert from 'int (__stdcall *)(const void *const ,const void *const )' to 'int (__cdecl *)(const void *,const void *)'
type errors, so fixed those, but now a bunch of unresolved external linker errors. just wondering if you went through all that?
thanks.
@tigros I am using Visual Studio 2015, it compiled just fine, this problem might be related to calling convention: right click .sln -> Configuration Properties -> C/C++ -> Advanced -> change Calling Convention to cdecl
ok that was v3, v2 doesn't get linker errors but still had to add a few __cdecl.
@tigros v3 = hooktools for PH3 right? where I can download PH3?
it's a branch https://github.com/tigros/HookTools/tree/for_PH_v3
also git clone https://github.com/processhacker2/processhacker2.git would get you PH v3.
well it looks hopeless i have questions of my own like here https://social.msdn.microsoft.com/Forums/en-US/2b807d1b-fb7a-4863-807e-2e62277a8d10/changes-to-win32clientinfo?forum=windowsgeneraldevelopmentissues
if the OS was 32 bit should be straight forward.
good luck but might need a miracle :)
@tigros v15063.138 is windows 10 right? We can inspect changed undocumented structures using windbg, I am going to try to port it to x86
@tigros do you think we can solve it using symbol loading?
this code shows how to get not exported apis: https://bitbucket.org/NtQuery/pdb-getprocaddress/src/eebe9737d6de34261f6bec5b7b57ae973978c9e2/PDBReader/Source.cpp?at=master
yes if you can find another way of getting DeskInfo and ulClientDelta.
what about IntGetCurrentThreadDesktopWindow function in https://github.com/mirror/reactos/blob/master/reactos/win32ss/user/ntuser/desktop.c i wonder?
@tigros that was a great idea, but I think PsGetCurrentThreadWin32Thread is a kernel mode api isn't it?
we can use windbg to debug any process and get the offsets pvWin32ClientInfo of windows 10 redstone 2, the problem is, I don't have it installed
or we can try to download symbols from the program itself(using SymFromName())
I am going to try to code it, you are welcome to help 👍
ya i tried something like that couple weeks ago could get TEB struct but not pvWin32ClientInfo.
@tigros it is safe to call gethooks(); multiple times?
I am testing some things, calling gethooks() multiple times leaks memory?
How do I call it, traverse the list and release memory?
@tigros I am still trying to port it to x86, crash is solved, but something is still wrong, glbcurrent->desktop_hooks must be filled wrong, some field of some structure, still trying to find the error
there's free_snapshot_store in snapshot.c.
so you found deskinfo/clientdelta work around?
just saw there's no memory profiler in VS2015 under windows 7, needs at least 8.1, but do use vmware.
@tigros not yet, I'm downloading windows 10 redstone 2 for x86. the code I pasted is working good, we need to change numberOfHandles as well
@tigros I installed win10 redstone 2 v15063.250 and Win32ClientInfo is still at offset 0x800, but it looks like it is empty, very weird
maybe they fixed it? will check it out later. thanks.
i installed 15063.250 but still seeing same problem. what happens for you on this line? https://github.com/tigros/HookTools/blob/master/desktop.c#L296
here d->pDeskInfo->pvDesktopLimit is 0x0760 way off from d->pDeskInfo->pvDesktopBase = 0x9c889ef500000004
yep, it looks like microsoft cleared the table, not available anymore from usermode :(
@tigros it looks like win10 redstone 1 has different offsets too
just tried 15063.332 yesterday n still broke but non insider preview 10586.916 still works. might as well forget insider preview as far as this goes.
I installed 15063.332 x64 and it looks possible. There's no client delta because it seems they just give the mapped heap address now. To get the client delta would involve going in the HEAP and finding the actual kernel address (i.e. base address) and then: actual kernel base address - mapped base address (I'm assuming) = client delta
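Added example (not HookTools code, not from anyone in this thread): portable C that models the two points raised above, the client delta as "kernel base address - mapped base address", and the sanity check on pvDesktopBase/pvDesktopLimit that the 0x9c889ef500000004 vs 0x0760 values would fail. A kernel pointer read out of the shared desktop section is only rebased if it falls inside [pvDesktopBase, pvDesktopLimit) and leaves room for the object being read. The struct layout, the "HOOK" magic, the kernel base value and the in-process buffer standing in for the user-mode mapping are all constructed for the demo; the field names follow the thread.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the kernel-side DESKTOPINFO header fields named in the thread. */
typedef struct DEMO_DESKTOPINFO {
    uint64_t pvDesktopBase;   /* kernel-side base of the desktop heap */
    uint64_t pvDesktopLimit;  /* kernel-side end of the desktop heap (exclusive) */
} DEMO_DESKTOPINFO;

/* Constructed object living inside the heap; only the magic matters here. */
typedef struct DEMO_HOOK {
    uint32_t magic;
    uint32_t flags;
} DEMO_HOOK;

#define DEMO_HOOK_MAGIC 0x4B4F4F48u  /* "HOOK" (constructed) */
#define DEMO_MAX_HEAP   (UINT64_C(1) << 30)  /* anything larger is treated as garbage */

/* Client delta as described in the thread: kernel address - user-mapped address.
 * Unsigned wrap is intended; rebasing subtracts it again modulo 2^64. */
uint64_t compute_client_delta(uint64_t kernel_base, uint64_t mapped_base) {
    return kernel_base - mapped_base;
}

/* Refuse to trust a DESKTOPINFO whose base/limit are zero, inverted or absurdly far apart.
 * The limit 0x0760 against base 0x9c889ef500000004 seen in the thread fails the second test. */
int desktopinfo_is_sane(const DEMO_DESKTOPINFO *d) {
    if (d->pvDesktopBase == 0 || d->pvDesktopLimit == 0) return 0;
    if (d->pvDesktopLimit <= d->pvDesktopBase) return 0;
    if (d->pvDesktopLimit - d->pvDesktopBase > DEMO_MAX_HEAP) return 0;
    return 1;
}

/* Translate a kernel pointer into the user-mode mapping, or return NULL if it does not
 * point at least `need` bytes inside [pvDesktopBase, pvDesktopLimit). */
const void *rebase_kernel_ptr(const DEMO_DESKTOPINFO *d, uint64_t client_delta,
                              uint64_t kernel_ptr, size_t need) {
    if (!desktopinfo_is_sane(d)) return NULL;
    if (kernel_ptr < d->pvDesktopBase || kernel_ptr >= d->pvDesktopLimit) return NULL;
    if (d->pvDesktopLimit - kernel_ptr < (uint64_t)need) return NULL;
    return (const void *)(uintptr_t)(kernel_ptr - client_delta);
}

/* 256-byte buffer standing in for the user-mode view of the desktop heap (constructed). */
static uint64_t g_mapped_heap[32];

/* Happy path: place a hook object in the "mapped heap", hand out its kernel address,
 * rebase it and read the magic back. Returns 1 on success. */
int demo_rebase_ok(void) {
    const uint64_t kernel_base = UINT64_C(0xFFFFF90140000000);  /* constructed */
    unsigned char *mapped = (unsigned char *)g_mapped_heap;
    uint64_t delta = compute_client_delta(kernel_base, (uint64_t)(uintptr_t)mapped);
    DEMO_DESKTOPINFO di = { kernel_base, kernel_base + sizeof g_mapped_heap };

    DEMO_HOOK *h = (DEMO_HOOK *)(mapped + 64);
    h->magic = DEMO_HOOK_MAGIC;
    h->flags = 0;

    const DEMO_HOOK *got = rebase_kernel_ptr(&di, delta, kernel_base + 64, sizeof *got);
    return got != NULL && got->magic == DEMO_HOOK_MAGIC;
}

/* The values from the thread must be rejected before anything is dereferenced. */
int demo_rejects_thread_values(void) {
    DEMO_DESKTOPINFO di = { UINT64_C(0x9c889ef500000004), UINT64_C(0x0760) };
    return !desktopinfo_is_sane(&di);
}

int main(void) {
    printf("rebase ok: %d, bad desktopinfo rejected: %d\n",
           demo_rebase_ok(), demo_rejects_thread_values());
    return 0;
}
```

The point of the range check is that once the delta can no longer be read from CLIENTINFO and has to be inferred from the heap, any mistake in that inference shows up as a kernel pointer that is outside the heap window, and the code should bail out there rather than read from an arbitrary address.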
Thanks Jay, I've looked into this with kernel debugging now that Creators update is more mainstream, had no luck at all, seems to me the data structures are totally changed so left in the dark, if anyone wants to shed light on those structures that'd be gr8!