Hello,
first I want to say, that you’ve done a very good job, Madshi. You have created a very good and easy to use package.
But now to my problem:
I’m writing a tool which should automatically analyse malware, and I’ve got to a point where I have to hook the WriteFile function. I want to transfer the filename to the main application, but I can’t use your SendIPCMessage function, because this ends up in endless recursion.
I’ve also tried your MadCollectionBeta, which I’ve found in several other threads, but it didn’t solve the recursion problem.
Then I found a suggestion that proposes using a thread variable to distinguish between the original WriteFile request and the SendIPCMessage request… but this also didn’t work.
And then I read about “shared memory”, and I think that is exactly the solution I prefer. The only problem is that I don’t know when the main application has to read out of the memory. All the examples I’ve found use SendMessage to trigger the read… but this doesn’t work with services, apparently. I’ve read the following example, but there is a lot of other stuff around which is confusing me (e.g. the DLLEventHandle… do I really need it?):
viewtopic.php?t=1061&highlight=shared+memory
Is “WaitForSingleObject(ServerEventHandle, INFINITE);” the crucial line? I really don’t know how to trigger the read operation of the main application. It would be very nice if someone could give me a little advice or show me a few lines of example code.
Sorry for my English… I hope you understood my concern.
Best regards and thank you in advance
Markus
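The shared-memory hand-off the question describes, as an added Delphi example (not madCodeHook code and not the code from the linked thread). It assumes the main application created the file mapping, a mutex and two auto-reset events with `Global\` names (so a service in session 0 and the hooked processes see the same objects), that both sides mapped a view of the mapping once at load time and pass it in as `Rec`, and that `PostFileName` is called from the WriteFile hook with the filename the hook resolved; the 2000 ms timeouts are assumed values.

```delphi
uses Windows;
type
  PIpcRecord = ^TIpcRecord;
  TIpcRecord = packed record
    ProcessId: DWORD;
    FileName: array[0..MAX_PATH - 1] of WideChar;   // fixed size, zero terminated
  end;

// DLL side, called from inside the WriteFile hook. Only the mutex, the events
// and a memcpy into the view are used, so the hooked WriteFile is never re-entered.
function PostFileName(Rec: PIpcRecord; Mutex, DataEvent, AckEvent: THandle;
  const FileName: WideString): Boolean;
var
  Len: Integer;
begin
  Result := False;
  // short timeouts (assumed values): a hooked process must never hang forever
  // because the analyser died while holding the mutex or never acknowledges
  if WaitForSingleObject(Mutex, 2000) <> WAIT_OBJECT_0 then Exit;
  try
    FillChar(Rec^, SizeOf(TIpcRecord), 0);
    Rec^.ProcessId := GetCurrentProcessId;
    Len := Length(FileName);                          // bounded copy: truncate rather
    if Len > MAX_PATH - 1 then Len := MAX_PATH - 1;   // than overrun the record
    if Len > 0 then Move(FileName[1], Rec^.FileName[0], Len * SizeOf(WideChar));
    ResetEvent(AckEvent);                             // discard a stale acknowledgement
    SetEvent(DataEvent);                              // "a record is ready"
    Result := WaitForSingleObject(AckEvent, 2000) = WAIT_OBJECT_0;
  finally
    ReleaseMutex(Mutex);
  end;
end;

// Main application side, run in a worker thread (never the GUI thread). This
// WaitForSingleObject is the line that triggers the read: the thread sleeps
// until the DLL signals DataEvent, then the record is copied out and acknowledged.
function WaitForFileName(Rec: PIpcRecord; DataEvent, AckEvent: THandle;
  out ProcessId: DWORD; out FileName: WideString): Boolean;
var
  Snapshot: TIpcRecord;
begin
  Result := WaitForSingleObject(DataEvent, INFINITE) = WAIT_OBJECT_0;
  if not Result then Exit;
  Snapshot := Rec^;                          // copy first, then terminate: trust nothing
  Snapshot.FileName[MAX_PATH - 1] := #0;     // a hooked (malicious) process wrote here
  ProcessId := Snapshot.ProcessId;
  FileName := PWideChar(@Snapshot.FileName[0]);
  SetEvent(AckEvent);                        // lets the DLL's WriteFile hook return
end;
```

Because the DLL side never calls WriteFile, no recursion detection is needed; the only cost is that each hooked WriteFile waits for the acknowledgement (or the timeout) before it returns.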
shared memory (IPC)
The latest madCodeHook version should "solve" the endless recursion, however, it's only available for commercial customers. Also the endless recursion is not really solved, but only detected and then worked around. The workaround should work, but it does cost a bit of performance, because the detection works only after a certain amount of recursion has occurred first.
Shared memory would be an alternative solution, but please note that this may cause problems in Vista. The only reliable solution for IPC which I found to work well in Vista is using internal OS functions for IPC. The latest madCodeHook version does that in Vista.