
Thread: C++ programming for reversing

  1. #31
    That one isn't made for CMake, I think, because it's missing a
    CMakeLists.txt.

    I tried it with the highschoolsoftware leaked version instead of the zer0mem0ry one.
    It comes with a batch file;
    then you have a project file, but VC2010 asks for a conversion.
    That means the actual file might not compile.
    Then it first goes searching for the right VC version, but I don't have all the versions around at the moment.

    So I went for the convert option,
    but when I try to compile:
    /*
    1>NMAKE : fatal error U1077: '"c:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\ml.exe"' : return code '0x1'
    1> Stop.
    1>NMAKE : fatal error U1077: '"c:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\nmake.exe"' : return code '0x2'
    1>C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\Microsoft.MakeFile.Targets(38,5): error MSB3073: The command ""C:\WRK-v1.2\build.bat" x86 C:\WRK-v1.2\" exited with code -1.
    1>
    */

    It says nothing about error lines or missing files; it just says that.

    NULL is just another word for 0:

    #define NULL 0

    With STATUS it's a similar problem:

    "NTSTATUS Status;"
    typedef LONG NTSTATUS;

    PAGED_CODE();
    is a placeholder; it places NOPs.

    Parameter "PVCB":
    it is here, just search in the project file:

    "typedef struct _VCB"

    For classical functions, the function info tells what the parameter is for: IN for inputs; the function's output is given out by this function.

    What KeWaitForSingleObject should do you can find on the MS page:
    https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-kewaitforsingleobject

    Yes, that condition is made:

    (IrpSp->Parameters.Create.Options >> 24) == FILE_OPEN
    This accesses Options and right-shifts it by 24 (>>);
    if this is equal to "FILE_OPEN", aka 1 ("#define FILE_OPEN 0x00000001"), the condition is met.


    To be more precise:
    IrpSp->FileObject->FileName.Length == 0
    +
    IrpSp->Parameters.Create.Options
    +
    (IrpSp->Parameters.Create.Options >> 24) == FILE_OPEN
    +
    (IrpSp->Parameters.Create.Options & FILE_DIRECTORY_FILE) == 0

    If not all are met, this if statement is not taken.

    &Vcb->Mutex
    That is supposed to be an offset to the mutex in the structure Vcb that is given to this function.
    It is coming from
    case IRP_MJ_CREATE:
    that being a major function in the driver.

    But having CMake for a CMake file gives similar errors.

  2. #32
    Talking about the RawDispatch function:
    it comes from that major function.

  3. #33
    Kayaker
    <<1a) How do we compile the entire project?

    Here is a requirement when using VC6++ to compile a driver project btw

    Code:
    /*
    
      defines.h - include file for main.cpp
    
    -------------------------------------------------------
      To compile a driver in MS Visual C++:
    
    1. Name the main file as *.c, or
    2. Name the main file as *.cpp and wrap the include
        for ntddk.h around an extern "C" declaration
    
      The following define takes care of both cases
    
     /TP compiler option: specifies a C++ source file
         allows variables to be defined outside of proc start
          
    -------------------------------------------------------
    */
    
    #ifdef __cplusplus  // C++ conversion
        extern "C" {
        #include <ntddk.h>
        }
    #else
        #include <ntddk.h>
    #endif
    As for the other:

    IN, OUT and IN OUT are something of a protocol to declare whether the variable is used for input, output or both, used in both the function and the declaration.

    Status = KeWaitForSingleObject()

    The return is an NTSTATUS code, as seen from the declaration of the function: NTSTATUS KeWaitForSingleObject (

  4. #34
    Super Moderator
    if (((IrpSp->FileObject == NULL) || ((IrpSp->FileObject->FileName.Length == 0) &&
    IrpSp->FileObject->RelatedFileObject == NULL)) &&
    ((IrpSp->Parameters.Create.Options >> 24) == FILE_OPEN) &&
    ((IrpSp->Parameters.Create.Options & FILE_DIRECTORY_FILE) == 0)) {



    NTSTATUS
    RawCreate (
    IN PVCB Vcb,
    IN PIRP Irp,
    IN PIO_STACK_LOCATION IrpSp <<<<<<<<
    )


    IrpSp is a pointer to IO_STACK_LOCATION.
    IrpSp->FileObject (is a pointer to FileObject, so it checks if FileObject is NULL, with a NULL POINTER).
    IrpSp->FileObject->FileName.Length (is a Uint2B or short, so it checks if it is 0; a short can range between 0 and 65536).
    IrpSp->FileObject->RelatedFileObject is again a parameter, so it checks if the pointer is NULL.

    IrpSp->Parameters.Create.Options is a bit mask, so >> checks the 24th bit (it is not > (greater than), it is >> (shift operator)).
    The high 8 bits are the Disposition (0x00-ff7fff);
    the low 24 bits are the CreateOptions.

    Look at wdm.h or the MS documentation:

    IrpSp->Parameters.Create.Options: Bitmask of flags that specify the options to be applied when creating or opening the file, as well as the action to be taken if the file already exists.

    The high 8 bits of this parameter correspond to the Disposition parameter to IoCreateFileSpecifyDeviceObjectHint.

    The low 24 bits of this member correspond to the CreateOptions parameter to IoCreateFileSpecifyDeviceObjectHint. File system filter and minifilter drivers that perform file scanning (such as antivirus programs) should pay particular attention to the FILE_COMPLETE_IF_OPLOCKED flag. If this flag is set, the filter must not block or otherwise delay the IRP_MJ_CREATE operation.


    I know it compiles clean and runs in Borland C++ bcc101 and in the VC2008 minimal compiler package for Python.

    Here is a bcc output (circa 1997):

    Code:
    >mkdir test
    >cd test
    >copy \waxanim.cpp .
            1 file(s) copied.
            
    >..\bcc32c.exe waxanim.cpp
    Embarcadero C++ 7.20 for Win32 Copyright (c) 2012-2016 Embarcadero Technologies, Inc.
    waxanim.cpp:
    Turbo Incremental Link 6.75 Copyright (c) 1997-2016 Embarcadero Technologies, Inc. <<<<<<<<<<<<<<
    
    >dir
    \test
    
    01/10/2020  09:21 AM    <DIR>          .
    01/10/2020  09:21 AM    <DIR>          ..
    01/09/2020  01:17 AM             2,324 waxanim.cpp
    01/10/2020  09:21 AM           159,232 waxanim.exe
    01/10/2020  09:21 AM           131,072 waxanim.tds
                   3 File(s)        292,628 bytes
                   2 Dir(s)  149,482,000,384 bytes free
    
    \test>waxanim.exe
    slinky has 4 legs       slinky barks    slinky has a short tail         slinky is Pomeranian
    xxxxxxxxxxxxxxxxxxxxxxx
    dorkey has 4 legs       dorkey purrs    dorkey has a smely tail         dorkey is  mau
    
    \test>

  5. #35
    Quote Originally Posted by Elenil View Post
    /*
    1>NMAKE : fatal error U1077: '"c:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\ml.exe"' : return code '0x1'
    1> Stop.
    1>NMAKE : fatal error U1077: '"c:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\nmake.exe"' : return code '0x2'
    Skimming answers on Google, it seems that a return code of 1 means the path/environment is not set correctly. That could mean the compiler/linker can't find certain header files.

    Return code 2 seems related to using an x64 switch on x32 code.

  6. #36
    Quote Originally Posted by blabberer View Post

    Code:
    if (((IrpSp->FileObject == NULL) || ((IrpSp->FileObject->FileName.Length == 0) &&
                                              IrpSp->FileObject->RelatedFileObject == NULL)) &&
            ((IrpSp->Parameters.Create.Options >> 24) == FILE_OPEN) &&
            ((IrpSp->Parameters.Create.Options & FILE_DIRECTORY_FILE) == 0)) {
            
            
            
            NTSTATUS
    RawCreate (
        IN PVCB Vcb,
        IN PIRP Irp,
        IN PIO_STACK_LOCATION IrpSp  <<<<<<<<
        )
    IrpSp is a Pointer to IO_STACK_LOCATION
    Is that what the P in PIO_STACK_LOCATION means...pointer? So they are defining pointer PIO_STACK_LOCATION and giving it the name IrpSP.

    I'm not used to seeing pointer specified in that manner. I'm used to the * or the ->. I have seen
    'char* pch' used. Would that P for pointer have been declared elsewhere, or does the compiler know? In other words, is capital P reserved for pointer?

    In that case, all of them are pointers, PVCB Vcb, and PIRP Irp.


    Quote Originally Posted by blabberer View Post
    IrpSp->FileObject ( is a pointer to FileObject so it checks if FileObject is NULL with NULL POINTER)
    I'm starting to get the drift of the distinction between NULL and 0. 0 is a number, although I don't think 0 is considered a number in math. Natural numbers seem to start at 1, or -1 and progress from there. In digital electronics, 0 is defined as a voltage ranging from 0 volts to about +0.2 volts. But what does 0 volts means, or 0 bananas, or 0 waxfords? Many people have dreamed about 0 waxfords but he seems to persist.

    A NULL space is theoretically empty although we could define a space with nothing in it and call it a null space. It seems then that a null pointer has been defined as a pointer that points nowhere. So, if a FileObject is NULL, with a NULL pointer, it suggests FileObject is an empty buffer, or similar with no address yet, and a defined pointer that does not yet point to it.

    In ASCII, the NULL character is 0. But that's real zero in an ASCII chart. ASCII '0' is 0x30. Also, there is the string terminator \0 which I think reads out in hex data as 00, not 30.

    Quote Originally Posted by blabberer View Post
    IrpSp->FileObject->FileName.Length ( is a UINT2b or short so it checks if it is 0 (short can range between 0 and 65536)
    I have never seen uint2b used in that form. Obviously, the u means unsigned, and I am guessing the b means binary. Does the 2 specify 2 binary bits in the integer? Or is that daft? I have come across references to uint using both uint2a and uint2b with no elaboration on the difference.


    Quote Originally Posted by blabberer View Post
    IrpSp->Parameters.Create.Options is a bit mask so >> checks the 24 th bit (it is not> (greater than) it is >> (shift operator)
    Thanks for clarification, Elenil also pointed out the right bit shift. I knew that but read it incorrectly as 'greater than'. Combination of rust and brain damage.

    Re the compilation, were you referring to compiling the code I presented? If so, it seems strange that ntoskrnl would be outputting data about dogs and cats.

  7. #37
    Quote Originally Posted by WaxfordSqueers View Post
    Skimming answers on Google, it seems that a return code: 1 means the path/environment is not set correctly. That could mean the compiler/linker can't find certain header files.

    Return code: 2 seems related to using an x64 switch on x32 code.
    That one is a big problem then, not telling which files are missing (compiler lacking in quality?); that would be a reason not to install that compiler if it worked in the past.
    The other problem: the target is set to Win32 x86, don't see why it would ask me this.

    What compiler did blabs use, by the way? <<, usually doesn't take a class as right-hand operand.

  8. #38
    Then int2b:
    probably written for 2 bytes, aka 65535,
    aka type short.

    There was some kind of norm to give a better overview of the variables or functions that are being used:
    Hungarian notation
    https://en.wikipedia.org/wiki/Hungarian_notation

    0 is often an identifier that this is not being used; a lot of functions work if you don't give all the parameters.

    In a 24-bit shift to the right, bits 25-31 are still present; if the check is not for that 1 bit, the higher bits can affect the result.

    You're not that directly wrong with the "<<" "operator" in cout; that is to do something else than shl, but you got it about "<" ">" ">>" "<<".
    This can be a problem in templates, as you might lose the overview.

    The ntoskrnl can't do that, but since you use SoftICE, DbgPrint might do it as a far-off solution.

  9. #39
    Super Moderator
    When used with iostream::cin and iostream::cout, << and >> are interpreted as extraction and insertion operators respectively.

    They are not shift operators in this context.

    There is a bit of history and legacy for choosing those symbols, one being the Unix shell redirection operators > >>.

    Uint2B == unsigned int 2 BYTES == USHORT == WORD == unsigned short == unsigned word == UINT16

    NULL = (void *)0

    The P in front of a structure is a Microsoft-specific notation for defining a pointer:

    typedef unsigned int *PINT

    These are all defined somewhere, right from the oldest stdio.h.

    Or better, read the FAQ at comp.lang.c.



    See a screenshot: typedef.JPG
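The Options decoding and the RawCreate condition picked apart in #31, #34, #36 and #38, together with the P-prefix and Uint2B typedef points from #39, as an added example in plain C. This is not code from the thread or from the WRK: the struct layouts are stand-ins trimmed to the fields the predicate touches (not the real ntddk.h/wdm.h definitions), the constant values are the documented wdm.h ones, and the names raw_create_wants_bare_open, make_irpsp, pack_create_options, create_disposition and create_flags are mine. Reading the predicate as "an open with no file name, plain FILE_OPEN, not a directory" is my paraphrase of the condition, not something the thread states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Disposition values (high 8 bits of Options); documented wdm.h values. */
#define FILE_SUPERSEDE   0x00000000u
#define FILE_OPEN        0x00000001u
#define FILE_CREATE      0x00000002u
#define FILE_OPEN_IF     0x00000003u

/* CreateOptions flags (low 24 bits of Options); documented wdm.h values. */
#define FILE_DIRECTORY_FILE        0x00000001u
#define FILE_NON_DIRECTORY_FILE    0x00000040u
#define FILE_COMPLETE_IF_OPLOCKED  0x00000100u

/* Stand-in types (NOT the real ntddk.h/wdm.h layouts): only the fields the
 * predicate touches. "PFOO" is the Windows typedef convention for "pointer
 * to FOO"; USHORT is what WinDbg prints as Uint2B. */
typedef uint16_t USHORT;

typedef struct _UNICODE_STRING {
    USHORT    Length;        /* in bytes, not characters */
    USHORT    MaximumLength;
    uint16_t *Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _FILE_OBJECT {
    struct _FILE_OBJECT *RelatedFileObject;
    UNICODE_STRING       FileName;
} FILE_OBJECT, *PFILE_OBJECT;

typedef struct _IO_STACK_LOCATION {
    union {
        struct { uint32_t Options; } Create;
    } Parameters;
    PFILE_OBJECT FileObject;
} IO_STACK_LOCATION, *PIO_STACK_LOCATION;

/* Options packs two fields: disposition in bits 24..31, flags in bits 0..23. */
uint32_t pack_create_options(uint32_t disposition, uint32_t flags)
{
    return (disposition << 24) | (flags & 0x00FFFFFFu);
}

uint32_t create_disposition(uint32_t options) { return options >> 24; }
uint32_t create_flags(uint32_t options)       { return options & 0x00FFFFFFu; }

/* The predicate quoted from RawCreate, same structure as in the thread.
 * (Options >> 24) == FILE_OPEN compares the whole disposition byte, not a
 * single bit: FILE_OPEN_IF (3, bits 24 and 25 set) does not match, which is
 * the "bits 25-31 are still present" point made in #38. */
int raw_create_wants_bare_open(PIO_STACK_LOCATION IrpSp)
{
    if (((IrpSp->FileObject == NULL) ||
         ((IrpSp->FileObject->FileName.Length == 0) &&
          IrpSp->FileObject->RelatedFileObject == NULL)) &&
        ((IrpSp->Parameters.Create.Options >> 24) == FILE_OPEN) &&
        ((IrpSp->Parameters.Create.Options & FILE_DIRECTORY_FILE) == 0)) {
        return 1;
    }
    return 0;
}

/* Builds a stack location for the cases below (helper of this example). */
IO_STACK_LOCATION make_irpsp(PFILE_OBJECT fo, uint32_t options)
{
    IO_STACK_LOCATION sp;
    sp.FileObject = fo;
    sp.Parameters.Create.Options = options;
    return sp;
}

int main(void)
{
    static uint16_t name[] = { 'f', 'o', 'o' };          /* constructed name */
    FILE_OBJECT unnamed = { NULL, { 0, 0, NULL } };
    FILE_OBJECT named   = { NULL, { (USHORT)sizeof name, (USHORT)sizeof name, name } };

    IO_STACK_LOCATION a = make_irpsp(NULL,     pack_create_options(FILE_OPEN,    0));
    IO_STACK_LOCATION b = make_irpsp(&unnamed, pack_create_options(FILE_OPEN,    FILE_NON_DIRECTORY_FILE));
    IO_STACK_LOCATION c = make_irpsp(&unnamed, pack_create_options(FILE_OPEN_IF, 0));
    IO_STACK_LOCATION d = make_irpsp(&unnamed, pack_create_options(FILE_OPEN,    FILE_DIRECTORY_FILE));
    IO_STACK_LOCATION e = make_irpsp(&named,   pack_create_options(FILE_OPEN,    0));

    uint32_t opt = pack_create_options(FILE_OPEN_IF, FILE_COMPLETE_IF_OPLOCKED);
    printf("Options 0x%08x -> disposition %u, flags 0x%06x\n",
           (unsigned)opt, (unsigned)create_disposition(opt), (unsigned)create_flags(opt));

    printf("no FileObject, FILE_OPEN              -> %d\n", raw_create_wants_bare_open(&a));
    printf("empty name, FILE_OPEN, non-directory  -> %d\n", raw_create_wants_bare_open(&b));
    printf("empty name, FILE_OPEN_IF              -> %d\n", raw_create_wants_bare_open(&c));
    printf("empty name, FILE_OPEN, directory flag -> %d\n", raw_create_wants_bare_open(&d));
    printf("named file, FILE_OPEN                 -> %d\n", raw_create_wants_bare_open(&e));
    return 0;
}
```

The case worth noticing when reading the real driver is c: an opener that passes FILE_OPEN_IF has disposition byte 0x03, and after the shift that is 3, not 1, so the branch is not taken even though the "open" bit is set. Checking the disposition is therefore an equality on the whole byte, never a mask test.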

  10. #40
    Kayaker
    WinDbg has some nice typedef output for structures, unions and enums, doesn't it? It's a good visual in understanding how things are laid out, I always found.

    Hey, what's >pss?

  11. #41
    Super Moderator
    Yes, its output format is nice, but people trying to look it up in headers get confused,
    because Uint2B, Int2B, Ptr32, Uchar etc. are not defined anywhere.

    pss is a Python rewrite of Perl ack (ACK, not AWK), which is grep on steroids.

    If you have Python installed you can simply do

    pip install pss

    pss #define.*myCrap c:\ will search all SOURCE files recursively under the directory c:\

    SOURCE = c,cpp,cxx,java,py (configurable with exclusion, inclusion)

    Basically

    pss #define.*myCrap c:\

    will be equivalent to

    grep -i "#define.*Mycrap" --include c,cpp,...... *

  12. #42
    Kayaker
    >pss is pretty cool. You can easily pipe the results to a file with > output.txt. One thing I like about Win10 is if you Right Click-Shift in an empty space in File Explorer you can open a command window at that directory level. That works well using pss. In XP and I think Win7 a command window like that was a registry hack.

    I usually use Notepad++ Find in Files to do word searches, which has the benefit of being able to open the file with a double click, but pss works pretty nice too. Thanks for the tip.

  13. #43
    Super Moderator
    IIRC W10 opens a PowerShell cmd window by default when doing Shift+right-click.

    You probably reconfigured it to open a cmd prompt.

    (IIRC W10 asks this question while installing, during the phase
    when it asks several other questions like
    "will you allow sending crap from your PC to us for making compost".)

    (The Shift+right-click behavior is there in W7 x86; don't know if it is there in W7 x64.)

    Yeah, pss is great, but for Windows you should try Microsoft VS Code; if you are on x64 it is lightweight
    and rocks, with integrated cmd shell, Python interpreter, IntelliSense, find in files, themes, plugins, git, auto-completion and what not.

    Code, compile and debug all in one. Actually you can configure an auto-start option for vcvars.bat so that when you start VS Code you can directly start compiling.

  14. #44
    Kayaker
    Quote Originally Posted by blabberer View Post
    iirc w10 opens a powershell cmd window by default when doing shift+right-click

    you probably reconfigured it to open a cmd prompt
    You're probably right, I think I did something like this to add the command prompt in addition to the powershell prompt

    https://www.itprotoday.com/windows-10/add-open-command-window-here-windows-10-context-menu

  15. #45
    Quote Originally Posted by Kayaker View Post
    I usually use Notepad++ Find in Files to do word searches, which has the benefit of being able to open the file with a double click, but pss works pretty nice too. Thanks for the tip.
    Darn it, completely forgot about N++. Did not even know it had powerful search facilities.

    As I related in the other thread (XP on modern systems) about using a search/replace engine to replace references to partition D: with C: in the registry hives, I came across another issue that N++ S&R could not handle. For some reason, in the registry, they use path symbols like D:| and D?\ which N++ S&R cannot see for some reason, even when presented in unicode. I was using it remotely from W7 with my XP drive seen as another drive but the XP drive was not active.

    The only S&R engine that picked them up was the HxD hexeditor. I was able to get some of the D:| when they were in unicode using another S&R engine but N++ could not see any of the irregularities, even when I had the Software hive loaded in it remotely.

    The former is used frequently in the Installer section of HKCR\Installer\Assemblies with a key like:

    ***Note: all of following taken from W7 registry on my laptop. Remember, I had them all written as D:|Program Files, etc. on my XP drive.

    C:|Program Files (x86)|Microsoft SDKs|Windows|v10.0A|bin|NETFX 4.7.2 Tools|aspnet_intern.exe

    Here's another from same sub-hive and there are about 100 keys of the same ilk:

    c:|Program Files (x86)|Microsoft Silverlight|5.1.50907.0|lv|Microsoft.VisualBasic.resources.dll

    Interestingly, the ASCII value for the pipe symbol '|' is 7C whereas the ASCII value of \ is 5C. With characters, one would be lower case and the other upper case. Is this Microsoft using | as a capital \ ?

    The other, with the '?' is used in HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components. The S-1-5-18 SID is a system SID. One of the key values in there is as follows:

    C?\Program Files (x86)\Cisco\Cisco PEAP Module\he-IL\CiscoEapPeap.dll.mui

    At first, I thought the ? was a mistake, maybe a data error where '?' had replaced ':'. However, it's the same on my laptop W7 registry. There are loads of them in different keys replacing the colon.


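
Searching for, or rewriting, those D:| and D?\ prefixes in a raw hive image, as an added example in C. This is my code, not something from the post and not one of the tools it mentions. It treats ':' and '?' as equivalent after the drive letter, and '\' and '|' as equivalent after that, only because the post observes them in those positions; that equivalence is an assumption here, not a documented Installer format. Registry string data is stored as UTF-16LE, so a byte search for "D:|" has to look for 44 00 3A 00 7C 00 as well as 44 3A 7C; the function below matches both spellings. The sample strings are constructed, and the function names rewrite_drive_letter and ascii_to_utf16le are mine.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Separators seen in the post: ':' or '?' after the drive letter, then
 * '\\' or '|'. Treating them as interchangeable is an assumption. */
static int is_colon_like(uint8_t c) { return c == ':' || c == '?'; }
static int is_slash_like(uint8_t c) { return c == '\\' || c == '|'; }

/* Keep the case of the letter being replaced (D:\ -> C:\, d:\ -> c:\). */
static uint8_t same_case_as(uint8_t model, char letter)
{
    return (uint8_t)(isupper(model) ? toupper((unsigned char)letter)
                                    : tolower((unsigned char)letter));
}

/* Rewrite every "<from><:|?><\\||>" prefix in buf from drive `from` to `to`,
 * matching both the 8-bit and the UTF-16LE spelling. Returns the number of
 * rewrites. Exactly one byte changes per match, so the buffer length and
 * every offset inside it stay the same, which is what keeps a hive image
 * consistent when you edit it blind like this. */
size_t rewrite_drive_letter(uint8_t *buf, size_t len, char from, char to)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t c = buf[i];
        if (tolower(c) != tolower((unsigned char)from))
            continue;

        /* 8-bit form: D:\  D:|  D?\ */
        if (i + 2 < len && is_colon_like(buf[i + 1]) && is_slash_like(buf[i + 2])) {
            buf[i] = same_case_as(c, to);
            n++;
            continue;
        }
        /* UTF-16LE form: every code unit is <byte> 0x00, which is why an
         * 8-bit search for "D:|" never sees it in a hex dump of the hive. */
        if (i + 5 < len && buf[i + 1] == 0 &&
            is_colon_like(buf[i + 2]) && buf[i + 3] == 0 &&
            is_slash_like(buf[i + 4]) && buf[i + 5] == 0) {
            buf[i] = same_case_as(c, to);
            n++;
        }
    }
    return n;
}

/* Encode ASCII as UTF-16LE (no BOM) to build the sample; returns bytes written. */
size_t ascii_to_utf16le(const char *s, uint8_t *out, size_t cap)
{
    size_t n = 0;
    for (; *s && n + 2 <= cap; s++) {
        out[n++] = (uint8_t)*s;
        out[n++] = 0;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: the shapes quoted in the post, once as plain
     * bytes and twice as UTF-16LE, plus a "D:x" that must stay untouched. */
    uint8_t buf[256];
    size_t len = 0;
    const char *narrow = "D:|Program Files (x86)|Foo|bar.exe";
    memcpy(buf, narrow, strlen(narrow));
    len += strlen(narrow);
    len += ascii_to_utf16le("D?\\Program Files (x86)\\Cisco\\x.dll.mui", buf + len, sizeof buf - len);
    len += ascii_to_utf16le("d:\\Windows", buf + len, sizeof buf - len);
    memcpy(buf + len, "D:x", 3);
    len += 3;

    size_t hits = rewrite_drive_letter(buf, len, 'D', 'C');
    printf("rewrote %zu drive prefixes\n", hits);
    printf("narrow segment now: %.*s\n", (int)strlen(narrow), (char *)buf);
    return 0;
}
```

This is a blind byte rewrite and deliberately does not parse the hive structure: it is safe only because the replacement is one byte for one byte. Anything that changes the length of a value (a longer path, a different prefix) needs a real hive editor, since cell sizes and offsets inside the file would otherwise no longer line up. Work on a copy of the hive with the system it belongs to offline.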