wraithdu (author) Posted August 6, 2013

Output:
_Security__OpenThreadToken failed with error description: An attempt was made to reference a token that does not exist.
New attempt...
>>> SUCCESS, $hToken = 0x00000000000001AC

Basic info:
HP laptop
Win 7 Ultimate, x64
UAC enabled to default level
MS Security Essentials AV

Anything else in particular?
trancexx Posted August 6, 2013 (edited)

> Output:
> _Security__OpenThreadToken failed with error description: An attempt was made to reference a token that does not exist.
> New attempt...
> >>> SUCCESS, $hToken = 0x00000000000001AC
>
> Basic info:
> HP laptop
> Win 7 Ultimate, x64
> UAC enabled to default level
> MS Security Essentials AV
>
> Anything else in particular?

Nope, that's it.

edit* No wait, try the 32-bit interpreter.

You didn't want to say that you get crashes on exit. Either you like me so much and don't want to say something to upset or undermine me, or you thought you were doing something wrong? I'm kidding. Does it crash on exit for you? The subrogation script, I mean.

Edited August 6, 2013 by trancexx
wraithdu (author) Posted August 6, 2013 (edited)

Huh, yeah, now that you mention it, subrogation crashes on exit. If it did before, I missed it. Got like 80 windows open for a live event thing here at work. Oh, and I'm not afraid to ask if I think I'm doing something wrong... I'm a bit out of my depth here. Just trying not to sound like an idiot.

Output for 32-bits:
_Security__OpenThreadToken failed with error description: An attempt was made to reference a token that does not exist.
New attempt...
>>> SUCCESS, $hToken = 0x000001E4

Subrogation test:

#AutoIt3Wrapper_UseX64=n
; Load the DLL from a byte string instead of from disk (memory-loading UDF from this thread)
Global $hDLL = _DllFromMemory(_BinDll("C:\Users\****\Desktop\Eraser.dll"))
ConsoleWrite("err: " & @error & ", ret: " & $hDLL & @CRLF)
If $hDLL Then
    ; DllCall returns an array; element [0] is the function's return value
    $ret = DllCall($hDLL, "long", "_eraserInit@0")
    ConsoleWrite("init: " & $ret[0] & @CRLF)
    If $ret[0] = 0 Then
        $ret = DllCall($hDLL, "long", "_eraserEnd@0")
        ConsoleWrite("end: " & $ret[0] & @CRLF)
    EndIf
    DllClose($hDLL) ; unload the memory-loaded module
EndIf

Output (0 is success for the function calls):
err: 0, ret: 2
init: 0
end: 0
!>09:04:26 AutoIt3.exe ended.rc:-1073741819

Edited August 6, 2013 by wraithdu
trancexx Posted August 6, 2013

> Huh, yeah, now that you mention it, subrogation crashes on exit. If it did before, I missed it. Got like 80 windows open for a live event thing here at work. Oh, and I'm not afraid to ask if I think I'm doing something wrong... I'm a bit out of my depth here. Just trying not to sound like an idiot.
>
> Output for 32-bits:
> _Security__OpenThreadToken failed with error description: An attempt was made to reference a token that does not exist.
> New attempt...
> >>> SUCCESS, $hToken = 0x000001E4

If you run the subrogation script and let it crash a few times with that dll, and then close SciTE and repeat that a few times, you should get divine intervention by the system. It will try to compensate for the problems and all of a sudden there won't be any more crashes on exit.

When that happens the _Security__ImpersonateSelf() script will start printing different output (don't worry, you'll see what I mean). When and if that happens, and you'd want to know what happened, I will explain. As well as how to get around the issues.
wraithdu (author) Posted August 6, 2013

Hmm, no divine intervention yet, 30 runs maybe with multiple SciTE restarts. Even though my OS hates me... what was supposed to happen, and does this apply to Ward's and my version as well as the subrogation version?

Not sure it matters, but this laptop belongs to a domain as well. I do have administrator rights however.
trancexx Posted August 6, 2013

I just checked and you kind of need Windows 8 to see the system stepping in.

Does it crash if you comment out the _WinAPI_FreeLibrary() call? It shouldn't. It looks like that dll has some internal reference counter and during DLL_PROCESS_DETACH it checks the ref count.

Ward's or your method is unlikely ever to work with this dll because the module is never actually loaded, meaning it can't be found among the loaded modules for the process.
wraithdu (author) Posted August 6, 2013

It doesn't crash after I comment out the FreeLibrary call.

Re: the ref count... hmmm. This sounds familiar to something - https://github.com/fancycode/MemoryModule/issues/4

That issue thread is about exception handling, but is the same idea of registering modules with the system. Is there a way to notify the system after manually loading the DLL that it is actually there, so it shows up as a loaded module? I'd have to imagine that issue might affect other DLLs as well.
trancexx Posted August 6, 2013

> It doesn't crash after I comment out the FreeLibrary call.
>
> Re: the ref count... hmmm. This sounds familiar to something - https://github.com/fancycode/MemoryModule/issues/4
>
> That issue thread is about exception handling, but is the same idea of registering modules with the system. Is there a way to notify the system after manually loading the DLL that it is actually there, so it shows up as a loaded module? I'd have to imagine that issue might affect other DLLs as well.

Yes, you can add a manually loaded module to the list of modules loaded by the system's PE loader. ProgAndy (and me) had very successful code for doing that. Unfortunately hashing and other things that needed to be done are system specific, so there is no way of being certain it would work on all possible systems until you have tried them all.

Don't ask for that code because it's gone on my side since I was moved from the developer group to the user group. There was not enough space for messages, and I haven't seen ProgAndy in ages.

I can write the code again but knowing it wouldn't give you what you want I have no particular desire. But, if Ascend4nt knows how to list loaded modules without using system dll calls, then he could show you how to do that, because the differences are minimal, if you want to try.
wraithdu (author) Posted August 6, 2013

It could be an interesting experiment if it can be done in some sort of platform-independent way, and could be implemented in AutoIt.

I really do appreciate all the help and insight. I'm starting to feel like I'm badgering though, and wasting your time for what is really a niche kind of thing. Not a whole lot of ROI in business terms. I'm happy enough that we were able to find and fix the previous bugs, which should allow some additional DLLs to be used, so I'm good to let this die at this point. But if either you or Ascend4nt want to keep poking at it, I'm happy to do that too. Keep the old brain working.
Ascend4nt Posted August 6, 2013 (edited)

> ... I can write the code again but knowing it wouldn't give you what you want I have no particular desire. But, if Ascend4nt knows how to list loaded modules without using system dll calls, then he could show you how to do that, because the differences are minimal, if you want to try.

Hrm, I do have a function that uses LDR_DATA and associated info in my Process functions UDF (_ProcessUDListModules function). The way it's written to work from any process requires ReadMemory calls and the like, but it could be done on the current process without any calls. I've done it in Assembly code to locate kernel32 and GetProcAddress (as I've hinted at), but I don't have any general module traversal code written in C, although it should be relatively straightforward.

Still, you might want to have 2 calls that you'd want to use - LdrLockLoaderLock and LdrUnlockLoaderLock (in order to guarantee you have exclusive access - what trancexx hinted at earlier). I didn't do that with the AutoIt code because it requires either injected code, or remote threads created on Enter/LeaveCriticalSection functions, which is a bit iffy with external processes.

*edit: really, you shouldn't need to lock the LoaderData critical section in an AutoIt program as you should be aware of when modules are being loaded or not. Unless the O/S does some other thing with that section..?
Edited August 6, 2013 by Ascend4nt
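The point trancexx and Ascend4nt make above, that a DLL mapped by hand never appears in the PE loader's module list and so cannot be found by anything that consults it, as an added C example. This is not code from the thread, from the subrogation/MemoryModule UDFs, or from Ascend4nt's Process UDF. It assumes the documented x86/x64 layouts of PEB, PEB_LDR_DATA and the leading fields of LDR_DATA_TABLE_ENTRY (the offsets in the comments); only the leading fields are declared, the HashLinks and later fields that the real loader also maintains are deliberately left out. On Windows the `main` walks the current process's real InLoadOrderModuleList with no API call at all; everywhere else, and in the constructed `sample_scenario`, the same traversal runs over a list built by hand with two "registered" images and one manually mapped image, which is what the test checks. If other threads may load or unload modules while you walk the real list, hold the loader lock (LdrLockLoaderLock/LdrUnlockLoaderLock) as Ascend4nt suggests; the example does not, since nothing else is loading in it.

```c
/* Added example (not from the thread): walking the PE loader's module list
 * by hand. On Windows it reads the real PEB->Ldr->InLoadOrderModuleList with
 * no API calls (offsets are the x86/x64 layouts stable since XP); elsewhere
 * it walks a constructed list with the same node layout. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct _LDR_LIST { struct _LDR_LIST *Flink, *Blink; } LDR_LIST;
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } USTR; /* UNICODE_STRING */

/* Leading fields of LDR_DATA_TABLE_ENTRY (x86: DllBase at 0x18, x64: at 0x30).
 * The tail (Flags, HashLinks, ...) is omitted; nothing here reads past BaseDllName. */
typedef struct {
    LDR_LIST InLoadOrderLinks;
    LDR_LIST InMemoryOrderLinks;
    LDR_LIST InInitializationOrderLinks;
    void    *DllBase;
    void    *EntryPoint;
    uint32_t SizeOfImage;
    USTR     FullDllName;
    USTR     BaseDllName;
} LDR_ENTRY;

#define CONTAINING(p, type, field) ((type *)((char *)(p) - offsetof(type, field)))

/* Count nodes in the ring; each node is the InLoadOrderLinks member of an entry. */
static size_t ldr_count(const LDR_LIST *head) {
    size_t n = 0;
    for (const LDR_LIST *p = head->Flink; p != head; p = p->Flink) n++;
    return n;
}

/* Exact-base lookup, the kind of check FreeLibrary/GetModuleHandle rely on. */
static LDR_ENTRY *ldr_find_by_base(LDR_LIST *head, const void *base) {
    for (LDR_LIST *p = head->Flink; p != head; p = p->Flink) {
        LDR_ENTRY *e = CONTAINING(p, LDR_ENTRY, InLoadOrderLinks);
        if (e->DllBase == base) return e;
    }
    return NULL;
}

/* Which registered image contains an address (as an exception dispatcher or a
 * return-address lookup would ask)? A manually mapped DLL yields NULL here. */
static LDR_ENTRY *ldr_find_containing(LDR_LIST *head, const void *addr) {
    const uint8_t *a = addr;
    for (LDR_LIST *p = head->Flink; p != head; p = p->Flink) {
        LDR_ENTRY *e = CONTAINING(p, LDR_ENTRY, InLoadOrderLinks);
        const uint8_t *b = e->DllBase;
        if (a >= b && a < b + e->SizeOfImage) return e;
    }
    return NULL;
}

/* Append a node to a circular doubly linked list (used only for the sample). */
static void ldr_link_tail(LDR_LIST *head, LDR_LIST *node) {
    node->Flink = head;        node->Blink = head->Blink;
    head->Blink->Flink = node; head->Blink = node;
}

#ifdef _WIN32
#include <intrin.h>
/* Head of the real list for the current process, read straight from the PEB. */
static LDR_LIST *ldr_process_list(void) {
#ifdef _WIN64
    uint8_t *peb = (uint8_t *)__readgsqword(0x60);
    uint8_t *ldr = *(uint8_t **)(peb + 0x18);  /* PEB.Ldr */
    return (LDR_LIST *)(ldr + 0x10);           /* PEB_LDR_DATA.InLoadOrderModuleList */
#else
    uint8_t *peb = (uint8_t *)__readfsdword(0x30);
    uint8_t *ldr = *(uint8_t **)(peb + 0x0C);
    return (LDR_LIST *)(ldr + 0x0C);
#endif
}
#endif

/* Constructed scenario: two images registered with the loader and one mapped
 * by hand (like the memory-loaded Eraser.dll) that is not. Returns a bitmask:
 * 1 = two entries counted, 2 = registered base found, 4 = address inside a
 * registered image resolved, 8 = the manually mapped image is not found. */
static int sample_scenario(void) {
    static uint16_t n1[] = {'a','.','d','l','l',0}, n2[] = {'b','.','d','l','l',0};
    static uint8_t img_a[0x100], img_b[0x100], img_manual[0x100];
    LDR_LIST head = { &head, &head };
    LDR_ENTRY a = {0}, b = {0};
    a.DllBase = img_a; a.SizeOfImage = sizeof img_a; a.BaseDllName.Buffer = n1; a.BaseDllName.Length = 10;
    b.DllBase = img_b; b.SizeOfImage = sizeof img_b; b.BaseDllName.Buffer = n2; b.BaseDllName.Length = 10;
    ldr_link_tail(&head, &a.InLoadOrderLinks);
    ldr_link_tail(&head, &b.InLoadOrderLinks);
    int r = 0;
    if (ldr_count(&head) == 2) r |= 1;
    if (ldr_find_by_base(&head, img_b) == &b) r |= 2;
    if (ldr_find_containing(&head, img_a + 0x40) == &a) r |= 4;
    if (ldr_find_by_base(&head, img_manual) == NULL &&
        ldr_find_containing(&head, img_manual + 0x40) == NULL) r |= 8;
    return r;
}

int main(void) {
#ifdef _WIN32
    LDR_LIST *head = ldr_process_list();
    for (LDR_LIST *p = head->Flink; p != head; p = p->Flink) {
        LDR_ENTRY *e = CONTAINING(p, LDR_ENTRY, InLoadOrderLinks);
        printf("%p %.*ls\n", e->DllBase, e->BaseDllName.Length / 2, (wchar_t *)e->BaseDllName.Buffer);
    }
#endif
    printf("sample scenario mask: %d\n", sample_scenario());
    return sample_scenario() == 15 ? 0 : 1;
}
```

On Windows the first loop prints every module the loader knows about, and a DLL brought in through the memory-loading UDF will simply be missing from it, which is the whole reason the system's FreeLibrary and exception machinery cannot deal with it. Splicing an entry into this ring with `ldr_link_tail` is the easy half of what trancexx describes; the loader also keeps per-version hash buckets and other bookkeeping for the same entry, so list insertion alone is not a portable registration and this example does not attempt it.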