how to hook fastprox.dll? #38
Comments
|
The second variation should work although, on my machine, the export is: BUT the is no definition of the function/class method on the default database so you have to: a) add the class/interface and rebuild the db or |
|
@mxmauro Can you give some more insight on rebuilding the DB? I added This corresponds to enum : bool { __the_value = false };I am on VS 2019. |
|
Hi @kunom , The database builder uses GCC-Xml to build the database. Might be the current version is not compatible with the new features introduced on VS 2019. I usually recommend to create a simple header file a copy there required api's and structs. Regards. |
|
Thanks @mxmauro. That's exactly what I thought: GCC-XML is pretty dated, and C++ has evolved quite a bit lately. But since no So, ignoring the obvious option to try to replace GCC-XML with its declared successor CastXML, I fell back to implementing parts of Microsoft's x64 calling convention by myself. This was new to me, but not too hard to achieve. The resulting code, if anyone is interested in (for @hooking.intercepts("fastprox.dll!?Next@CWbemObject@@UEAAJJPEAPEAGPEAUtagVARIANT@@PEAJ2@Z")
def handler(callInfo: hooking.CallInfoWrapper):
# (see https://docs.microsoft.com/en-us/windows/win32/api/wbemcli/nf-wbemcli-iwbemclassobject-next)
# HRESULT Next(
# [hidden] this,
# long lFlags,
# BSTR *strName,
# VARIANT *pVal,
# CIMTYPE *pType,
# long *plFlavor
# );
# fastprox.dll is not in the Deviare DB, so we have to manually extract the parameters
if callInfo.IsPreCall:
namePtrPtr = callInfo.RawIntParam(2) # resolves to Register(asmRegR8)
variantPtr = callInfo.RawIntParam(3) # resolves to Register(asmRegR9)
callInfo.IntercallData = (namePtrPtr, variantPtr)
else:
retval = callInfo.RawResult # resolves to Register(asmRegRax)
if retval:
return # non-success
namePtrPtr, variantPtr = callInfo.IntercallData
if not namePtrPtr or not variantPtr:
return # nothing to intepret
# [...] |
@kunom , Could you please explain more on how to change IWbemClassObject::Next output? As I figured out, it is not like Get@CWbemObject. Thanks |
|
@sadward Replace the three dots in my code above at the end of the My goal was to intercept the following powershell snippet I cannot follow you in how In hindsight, I would also propose to put some more effort into applying @mxmauro's instructions on how to rebuild the DB. That would save you from a lot of manual implementation work. # check the property name
memory = callInfo.Process().Memory()
namePtr = memory.SSizeTVal(namePtrPtr)
if not namePtr:
return
name = memory.ReadString(namePtr, False)
if name != "LastBootUpTime":
return
# parse the VARIANT value
# (see https://docs.microsoft.com/de-ch/windows/win32/api/oaidl/ns-oaidl-variant)
vt = memory.LongVal(variantPtr)
if vt != 8: # we receive 1=NULL and 8=String
return
valuePtr = memory.SSizeTVal(variantPtr + 8)
value = memory.ReadString(valuePtr, False) # e.g. "20200415075414.500000+120"
# adjust
if not value.startswith(lastBootTimeString):
newValue = lastBootTimeString + value[len(lastBootTimeString):]
memory.WriteString(valuePtr, newValue, False, False) |
|
Thanks @kunom. Based on https://docs.microsoft.com/en-us/windows/win32/api/wbemcli/nf-wbemcli-iwbemclassobject-next The order of the properties returned during the enumeration is not defined. Does this make any problem? I m sorry, could you please check your email. If did not receive, really appreciate it dropping an email to sadward110 at gmail |
hi
NktHook hook = _spyMgr.CreateHook("Fastprox.dll!CWbemObject::Get", (int)( eNktHookFlags.flgOnlyPreCall));not workingNktHook hook = _spyMgr.CreateHook("Fastprox.dll!?Get@CWbemObject@@UAGJPBGJPAUtagVARIANT@@PAJ2@Z", (int)( eNktHookFlags.flgOnlyPreCall));not workhow else can???
thanks
The text was updated successfully, but these errors were encountered: