how to hook fastprox.dll? about deviare2 HOT 7 OPEN

The second variation should work although, on my machine, the export is: ?Get@CWbemObject@@UEAAJPEBGJPEAUtagVARIANT@@PEAJ2@Z

BUT the is no definition of the function/class method on the default database so you have to:

a) add the class/interface and rebuild the db or
b) use the raw parameters (analyze the stack on x86 and registers on x64)

from deviare2.

@mxmauro Can you give some more insight on rebuilding the DB? I added wbemcli.h to Database\HeaderBuilder\Base\headers.h and regenerated preprocessed64W.h, but even without, invoking build_db64.bat ..\HeaderBuilder\Base\output\preprocessed64W.h fails with a syntax error:

D:\ProjekteOS\Deviare2\Database\HeaderBuilder\Base\output\preprocessed64W.h:4439: error: expected identifier before ':' token

This corresponds to

enum : bool { __the_value = false };

I am on VS 2019.

from deviare2.

Hi @kunom ,

The database builder uses GCC-Xml to build the database. Might be the current version is not compatible with the new features introduced on VS 2019.

I usually recommend to create a simple header file a copy there required api's and structs.

Regards.

from deviare2.

Thanks @mxmauro. That's exactly what I thought: GCC-XML is pretty dated, and C++ has evolved quite a bit lately. But since no preprocessed64W.h (generated by HeaderBuilder) is committed to GIT and generation of that file on my machine is not compatible with the included GCC-XML, I don't see an option to "just add the required API's" somewhere.

So, ignoring the obvious option to try to replace GCC-XML with its declared successor CastXML, I fell back to implementing parts of Microsoft's x64 calling convention by myself. This was new to me, but not too hard to achieve.

The resulting code, if anyone is interested in (for IWbemClassObject::Next btw.):

    @hooking.intercepts("fastprox.dll!?Next@CWbemObject@@UEAAJJPEAPEAGPEAUtagVARIANT@@PEAJ2@Z")
    def handler(callInfo: hooking.CallInfoWrapper):
        # (see https://docs.microsoft.com/en-us/windows/win32/api/wbemcli/nf-wbemcli-iwbemclassobject-next)

        # HRESULT Next(
        #   [hidden] this,
        #   long    lFlags,
        #   BSTR    *strName,
        #   VARIANT *pVal,
        #   CIMTYPE *pType,
        #   long    *plFlavor
        # );

        # fastprox.dll is not in the Deviare DB, so we have to manually extract the parameters
        if callInfo.IsPreCall:
            namePtrPtr = callInfo.RawIntParam(2)  # resolves to Register(asmRegR8)
            variantPtr = callInfo.RawIntParam(3)   # resolves to Register(asmRegR9)

            callInfo.IntercallData = (namePtrPtr, variantPtr)
        else:
            retval = callInfo.RawResult  # resolves to Register(asmRegRax)
            if retval:
                return  # non-success

            namePtrPtr, variantPtr = callInfo.IntercallData
            if not namePtrPtr or not variantPtr:
                return  # nothing to intepret

             # [...]

from deviare2.

Thanks @mxmauro. That's exactly what I thought: GCC-XML is pretty dated, and C++ has evolved quite a bit lately. But since no preprocessed64W.h (generated by HeaderBuilder) is committed to GIT and generation of that file on my machine is not compatible with the included GCC-XML, I don't see an option to "just add the required API's" somewhere.

So, ignoring the obvious option to try to replace GCC-XML with its declared successor CastXML, I fell back to implementing parts of Microsoft's x64 calling convention by myself. This was new to me, but not too hard to achieve.

The resulting code, if anyone is interested in (for IWbemClassObject::Next btw.):

    @hooking.intercepts("fastprox.dll!?Next@CWbemObject@@UEAAJJPEAPEAGPEAUtagVARIANT@@PEAJ2@Z")
    def handler(callInfo: hooking.CallInfoWrapper):
        # (see https://docs.microsoft.com/en-us/windows/win32/api/wbemcli/nf-wbemcli-iwbemclassobject-next)

        # HRESULT Next(
        #   [hidden] this,
        #   long    lFlags,
        #   BSTR    *strName,
        #   VARIANT *pVal,
        #   CIMTYPE *pType,
        #   long    *plFlavor
        # );

        # fastprox.dll is not in the Deviare DB, so we have to manually extract the parameters
        if callInfo.IsPreCall:
            namePtrPtr = callInfo.RawIntParam(2)  # resolves to Register(asmRegR8)
            variantPtr = callInfo.RawIntParam(3)   # resolves to Register(asmRegR9)

            callInfo.IntercallData = (namePtrPtr, variantPtr)
        else:
            retval = callInfo.RawResult  # resolves to Register(asmRegRax)
            if retval:
                return  # non-success

            namePtrPtr, variantPtr = callInfo.IntercallData
            if not namePtrPtr or not variantPtr:
                return  # nothing to intepret

             # [...]

@kunom , Could you please explain more on how to change IWbemClassObject::Next output? As I figured out, it is not like Get@CWbemObject. Thanks

from deviare2.

@sadward Replace the three dots in my code above at the end of the else branch with the code below.

My goal was to intercept the following powershell snippet (Get-CimInstance -ClassName win32_operatingsystem).LastBootUptime, for which I was unable to find out the underlying win32 API.

I cannot follow you in how IWbemClassObject::Get() should be fundamentally different from IWbemClassObject::Next() (i.e. other than parameter ordering).

In hindsight, I would also propose to put some more effort into applying @mxmauro's instructions on how to rebuild the DB. That would save you from a lot of manual implementation work.

            # check the property name
            memory = callInfo.Process().Memory()
            namePtr = memory.SSizeTVal(namePtrPtr)
            if not namePtr:
                return
            name = memory.ReadString(namePtr, False)
            if name != "LastBootUpTime":
                return

            # parse the VARIANT value
            # (see https://docs.microsoft.com/de-ch/windows/win32/api/oaidl/ns-oaidl-variant)
            vt = memory.LongVal(variantPtr)
            if vt != 8:  # we receive 1=NULL and 8=String
                return

            valuePtr = memory.SSizeTVal(variantPtr + 8)
            value = memory.ReadString(valuePtr, False)  # e.g. "20200415075414.500000+120"

            # adjust
            if not value.startswith(lastBootTimeString):
                newValue = lastBootTimeString + value[len(lastBootTimeString):]
                memory.WriteString(valuePtr, newValue, False, False)

from deviare2.

Thanks @kunom. Based on https://docs.microsoft.com/en-us/windows/win32/api/wbemcli/nf-wbemcli-iwbemclassobject-next The order of the properties returned during the enumeration is not defined. Does this make any problem? I m sorry, could you please check your email. If did not receive, really appreciate it dropping an email to sadward110 at gmail

from deviare2.