Search found 46 matches

by Nico Bendlin
Tue Dec 15, 2015 8:51 am
Forum: madKernel
Topic: [native] RtlWow64CallFunction64
Replies: 18
Views: 55403

Re: [native] RtlWow64CallFunction64

Kuzya69 wrote:Excuse me, I didn't look at date of the message.
No need to apologize, many thanks for sharing this information.
by Nico Bendlin
Fri Jun 05, 2009 2:50 pm
Forum: madCodeHook
Topic: CreateProcessXXX hooking in Windows 7
Replies: 23
Views: 32064

If you are reading the RTL_USER_PROCESS_PARAMETERS you should care about RTL_USER_PROC_PARAMS_NORMALIZED in the Flags member. Depending on this flag the Buffers are absolute addresses or offsets from the start of the RTL_USER_PROCESS_PARAMETERS structure.
by Nico Bendlin
Fri Jun 05, 2009 8:21 am
Forum: madCodeHook
Topic: CreateProcessXXX hooking in Windows 7
Replies: 23
Views: 32064

Re: NtCreateUserProcess

mikec wrote:I have an initial implementation of it but it seems to make the OS very unstable and i suspect that my prototype is incorrect. Would you be prepared to share your prototype with me?
The prototype in the Windows Research Kernel (WRK) should be sufficient.
by Nico Bendlin
Thu May 28, 2009 7:16 am
Forum: madExcept
Topic: Big problem with DirectX (MadExcept crashes the application)
Replies: 11
Views: 11758

I assume that the implementation of IDirect3D9.CreateDevice() creates an internal worker thread (therefore he/she cannot tell how the thread function looks like).
by Nico Bendlin
Tue Apr 21, 2009 7:06 am
Forum: madExcept
Topic: Access Violation after closing program
Replies: 4
Views: 7179

An invalid object is freed in Controls.DoneControls on unit finalization (candidates: FlagControl, Application, Screen, Mouse, CanvasList).
by Nico Bendlin
Thu Mar 12, 2009 9:27 am
Forum: madCodeHook
Topic: Norton Internet Security Warning
Replies: 3
Views: 4827

Looks like one of the hosted services broadcasts/sends UPnP messages (search for "Simple Service Discovery Protocol" (SSDP)) and the stack walk includes your (not white-listed) module... ...there is not much you can do here. Besides telling the user that your module can be trusted. (you mi...
by Nico Bendlin
Thu Mar 05, 2009 8:53 am
Forum: madCodeHook
Topic: Mouse hook in and only 1 process
Replies: 2
Views: 4214

You should use the mentioned official API for this purpose. One of the biggest advantages is the included WOW64 support on 64-bit editions of Windows.
by Nico Bendlin
Thu Mar 05, 2009 8:48 am
Forum: madCodeHook
Topic: OutputDebugString replacement
Replies: 5
Views: 7932

Window handles are only valid inside a session (desktop). So the answer is no.
by Nico Bendlin
Thu Mar 05, 2009 8:45 am
Forum: madCodeHook
Topic: Possible bug with IPC comms in BDS 2009 with UnicodeString
Replies: 5
Views: 5298

In many APIs "Length" and "Size" are used for the same purpose.
However, because messageBuf isn’t typed, a "size in bytes" interpretation for messageLen makes sense.
by Nico Bendlin
Wed Mar 04, 2009 8:03 am
Forum: madCodeHook
Topic: Object info from handle (Iconic help :))
Replies: 3
Views: 5050

If you want to determine the object types of many handles, you might call NtQuerySystemInformation(SystemHandleInformation) or NtQuerySystemInformation(SystemExtendedHandleInformation) and use the ObjectTypeIndex to cache the results (note: do not assume that this index is the same as in NtQueryObje...
by Nico Bendlin
Wed Mar 04, 2009 7:46 am
Forum: madCodeHook
Topic: Possible bug with IPC comms in BDS 2009 with UnicodeString
Replies: 5
Views: 5298

Length() returns the number of elements in an array (WideChars in this case) - not the size in bytes.
Length(x) * sizeof(x[0]) is the size in bytes.
by Nico Bendlin
Mon Mar 02, 2009 12:16 pm
Forum: madCodeHook
Topic: Object info from handle (Iconic help :))
Replies: 3
Views: 5050

There are several ways to optimize the query for a large amount of handles. The following sample code retrieves the object type name for a single handle: {$ALIGN ON} {$MINENUMSIZE 4} type TNtStatus = LongInt; type PNtUnicodeString = ^TNtUnicodeString; TNtUnicodeString = record Length : Word; Maximum...
by Nico Bendlin
Fri Feb 13, 2009 3:19 pm
Forum: madExcept
Topic: madExcept error with FreeAndNil
Replies: 6
Views: 6682

vObj is an IInterface, not a TObject. However, you should not mix classes and interfaces.
by Nico Bendlin
Wed Feb 11, 2009 10:32 am
Forum: madKernel
Topic: [native] RtlWow64CallFunction64
Replies: 18
Views: 55403

madshi wrote:What is "turbo dispatching"?
Have a look at NcxNtApi.NtWow64QueryNativeSystemInformation in the NcxWOW64 project (link above).

edit: I'll update the workaround for NtQuerySystemInformation(SystemHandleInformation) in the NcxWOW64 project this weekend.
by Nico Bendlin
Wed Feb 11, 2009 9:00 am
Forum: madKernel
Topic: [native] RtlWow64CallFunction64
Replies: 18
Views: 55403

FYI: SystemExtendedHandleInformation is correctly emulated by WOW64 (at least on Windows Vista). However, the pointers are (of course) truncated to 32-bit (you need external 64-bit code or have to use Turbo Dispatching to retrieve the native pointers). // // SystemExtendedHandleInformation (64) // t...