by madshi
Wed Apr 07, 2021 8:11 am
Forum: madCodeHook
Topic: using RestoreCode with NtHookEngine
Replies: 12
Views: 254

Re: using RestoreCode with NtHookEngine

Oh wait, the documentation already says that:

// restores the original code of the API/function (only first 6 bytes)
by madshi
Wed Apr 07, 2021 8:08 am
Forum: madCodeHook
Topic: using RestoreCode with NtHookEngine
Replies: 12
Views: 254

Re: using RestoreCode with NtHookEngine

RestoreCode was created to undo simple "JMP trampoline" hooks which are either 5 or 6 bytes long. Restoring more than that is sort of dangerous. Let's assume there's 10 bytes of changed code. How do we know if that's 1 API which is 10 bytes long or 2 APIs which are 5 bytes long each? Furth...
by madshi
Wed Apr 07, 2021 6:57 am
Forum: madCodeHook
Topic: using RestoreCode with NtHookEngine
Replies: 12
Views: 254

Re: using RestoreCode with NtHookEngine

I've checked the code of WasCodeChanged(). It internally loads the first 16 bytes of code from the hard disk, then applies relocation (if necessary). And then it checks if only the first (up to) 8 bytes of code have changed. If the hooking code that NtHookEngine writes is longer than 8 bytes, then WasCod...
by madshi
Tue Apr 06, 2021 1:03 pm
Forum: madCodeHook
Topic: using RestoreCode with NtHookEngine
Replies: 12
Views: 254

Re: using RestoreCode with NtHookEngine

I'm not sure why it fails. RestoreCode is pretty simple. Here's what the code looks like (in Delphi):

function RestoreCode(code: pointer) : bool; stdcall;
var module  : HMODULE;
    orgCode : int64;
    s1      : AnsiString;
    op      : dword;
begin
  result := false;
  if FindModule(code, module, s1) and WasCodeChanged(modu...
by madshi
Wed Mar 31, 2021 4:08 pm
Forum: madCodeHook
Topic: Fastest way to IPC from a DLL to an EXE
Replies: 23
Views: 418

Re: Fastest way to IPC from a DLL to an EXE

I'm not sure why SendMessage is faster for you, that seems weird to me. However, I think you're testing all this within the same thread? It might make sense to use a separate thread to do the Post/SendMessage calls. That should be a better simulation of how this would perform across process bound...
by madshi
Wed Mar 31, 2021 9:07 am
Forum: madCodeHook
Topic: Fastest way to IPC from a DLL to an EXE
Replies: 23
Views: 418

Re: inter-process callback possible?

Hehe, yes! I was a bit scared because I know that SendMessage() internally handles messages. So calling SendMessage() inside of a hook callback function can be a bad idea.
by madshi
Wed Mar 31, 2021 9:02 am
Forum: madCodeHook
Topic: Fastest way to IPC from a DLL to an EXE
Replies: 23
Views: 418

Re: inter-process callback possible?

I was mainly worried about the alertable state of the thread calling PostMessage. But good to know it doesn't change the alertable state of any thread, thanks!
by madshi
Wed Mar 31, 2021 8:51 am
Forum: madCodeHook
Topic: Fastest way to IPC from a DLL to an EXE
Replies: 23
Views: 418

Re: inter-process callback possible?

Yes, iconic is right, of course, about services. PostMessage may not work if the other process is a service. Considering abalonge talked about a script process, I thought it would be a normal user process. But it might not be. @iconic, calling PostMessage does not internally make the thread handle m...
by madshi
Wed Mar 31, 2021 6:53 am
Forum: madCodeHook
Topic: Fastest way to IPC from a DLL to an EXE
Replies: 23
Views: 418

Re: inter-process callback possible?

A simple "callback" won't work across process boundaries. I think the easiest way to solve this is to simply use PostMessage(). It's surprisingly fast and very easy to use. E.g. in your DLL (when loaded inside of the script process) do: PostMessage(YourExesMainFormWindowHandle, WM_USER + 1...
by madshi
Tue Mar 30, 2021 4:30 pm
Forum: madCodeHook
Topic: Fastest way to IPC from a DLL to an EXE
Replies: 23
Views: 418

Re: inter-process callback possible?

I think you need to work on understanding the concepts of process isolation better. IPC will not magically make your EXE's code available to another process. If you want to call your EXE's code in the context of another process then you first have to get the other process to load your EXE's code som...
by madshi
Tue Mar 30, 2021 12:50 pm
Forum: madCodeHook
Topic: Fastest way to IPC from a DLL to an EXE
Replies: 23
Views: 418

Re: inter-process callback possible?

A "function address of a delphi program" sounds like you're talking about code that is located in an EXE file? If so, no, you cannot easily make this available in other processes. Other processes would first have to load a module (DLL/EXE) file which contains the same code. Please understa...
by madshi
Wed Mar 24, 2021 6:47 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 22
Views: 1048

Re: Intel's CET Shadow Stack issue

The "hotfix" build seems to be stable. A big security company has tested it for their internal use and found no issues (so far), so I think the hotfix is probably good to go for release builds. I do plan to release an "official" new build soon(ish), but it's likely to be identica...
by madshi
Mon Mar 22, 2021 9:16 am
Forum: madExcept
Topic: Sentry.IO
Replies: 1
Views: 251

Re: Sentry.IO

Not to my knowledge, but of course not everyone tells me what they're doing internally. So maybe someone has?
by madshi
Fri Mar 19, 2021 2:11 pm
Forum: madExcept
Topic: MemoryLeaks 64 bit
Replies: 3
Views: 185

Re: MemoryLeaks 64 bit

By ignoring "AddKernelHandle" you're ignoring a lot more than just these specific memory leaks. Basically I think you're probably hiding all kernel handle leaks... Sadly, the call stack seems to be pretty incomplete. I don't have a good idea how to help you right now, unfortunately.
by madshi
Fri Mar 19, 2021 10:18 am
Forum: madExcept
Topic: MemoryLeaks 64 bit
Replies: 3
Views: 185

Re: MemoryLeaks 64 bit

There are various ways to hide leaks, but of course madExcept can only hide stuff if you're able to clearly communicate what exactly it is you want to hide. You can have a look at the various overloaded "HideLeak()" APIs here: http://help.madshi.net/madExceptUnit.htm#HideLeak Maybe one...