Hooking syscalls from userspace on Windows

I'm patching connect() to redirect network traffic as part of a library (NetHooker) and this works well, but it depends on ws2_32.dll remaining the same and doesn't work if the syscall is used directly. So what I'm wondering is if there's a way to catch the syscall itself without a driver. Anyone know if this is possible?

Cody,
Instead of system call hooking, you might want to look into writing a layered service provider.
http://www.microsoft.com/msj/0599/LayeredService/LayeredService.aspx

Cody, maybe you could take a look at http://research.microsoft.com/en-us/projects/detours/
Also, I wrote some code that, given the name of a DLL export, will redirect it to another function pointer by patching the image in memory; let me know if you want the code.

Apart from the Detours library, you might also take a look at the EasyHook library. Both libraries are designed to patch the image in memory.
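The technique the two answers above describe (find a named import in the loaded image and swap the pointer) comes down to walking the PE import directory to the IAT slot that the loader filled in. The Python below is an added example and is not code from NetHooker, Detours or EasyHook. It works on a constructed PE32+ image laid out so that RVA equals offset, as a mapped module would be; the module names, function names and addresses in it are made up. It shows the lookup, the pointer swap itself, and the defender's counterpart: flagging any IAT slot whose target no longer lies inside the module that should own it.

```python
"""Locate, rewrite and audit import address table (IAT) slots in a flat PE image.

Added example (not the library's code). The image is a constructed PE32+ blob with RVA == offset,
as it would be once mapped; against a real process you would read the same headers from the module base.
"""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def build_sample_image():
    """Constructed PE32+ image importing KERNEL32!GetLastError and WS2_32!{connect,send}."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew -> PE signature
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, 0x8664)                # Machine: AMD64
    struct.pack_into("<H", img, 0x54, 0xF0)                  # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x20B)                 # PE32+ magic
    struct.pack_into("<II", img, 0x58 + 120, 0x200, 3 * 20)  # DataDirectory[IMPORT]: RVA, size
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<IIIII", img, 0x200, 0x400, 0, 0, 0x300, 0x500)  # KERNEL32
    struct.pack_into("<IIIII", img, 0x214, 0x420, 0, 0, 0x310, 0x520)  # WS2_32 (zero descriptor follows)
    img[0x300:0x30D] = b"KERNEL32.dll\0"
    img[0x310:0x31B] = b"WS2_32.dll\0"
    img[0x320:0x32F] = b"\0\0GetLastError\0"                 # IMAGE_IMPORT_BY_NAME: 2-byte hint + name
    img[0x330:0x33A] = b"\0\0connect\0"
    img[0x340:0x347] = b"\0\0send\0"
    struct.pack_into("<QQ", img, 0x400, 0x320, 0)             # KERNEL32 lookup table (INT)
    struct.pack_into("<QQQ", img, 0x420, 0x330, 0x340, 0)     # WS2_32 lookup table
    struct.pack_into("<QQ", img, 0x500, 0x7FF000010000, 0)    # KERNEL32 IAT: made-up resolved address
    struct.pack_into("<QQQ", img, 0x520, 0x7FF100020000, 0x7FF100020100, 0)  # WS2_32 IAT
    return img


def _cstr(img, off):
    return bytes(img[off:img.index(b"\0", off)]).decode("ascii")


def iter_imports(img):
    """Yield (dll, function, iat_slot_rva) for each import-by-name; ordinal imports are skipped."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if bytes(img[pe:pe + 4]) != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 4 + 20                                         # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", img, opt)[0]
    if magic == 0x20B:                                        # PE32+: 8-byte thunks, directories at +112
        dirs, fmt, size, ordinal_flag = opt + 112, "<Q", 8, 1 << 63
    elif magic == 0x10B:                                      # PE32: 4-byte thunks, directories at +96
        dirs, fmt, size, ordinal_flag = opt + 96, "<I", 4, 1 << 31
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    desc = struct.unpack_from("<I", img, dirs + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    while desc:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", img, desc)
        if name_rva == 0 and ft == 0:                         # all-zero descriptor terminates the table
            break
        dll = _cstr(img, name_rva)
        lookup = oft or ft                                    # some linkers leave OriginalFirstThunk as 0
        for i in range(0x10000):
            entry = struct.unpack_from(fmt, img, lookup + i * size)[0]
            if entry == 0:
                break
            if not entry & ordinal_flag:
                yield dll, _cstr(img, entry + 2), ft + i * size  # +2 skips the hint word
        desc += 20


def find_iat_slot(img, dll, func):
    for d, f, rva in iter_imports(img):
        if d.lower() == dll.lower() and f == func:
            return rva
    return None


def read_slot(img, rva):
    return struct.unpack_from("<Q", img, rva)[0]              # PE32+ slots are 8 bytes


def redirect_import(img, dll, func, new_target):
    """What an IAT hook does: overwrite the slot the loader filled in and return the original pointer."""
    rva = find_iat_slot(img, dll, func)
    if rva is None:
        raise LookupError("%s!%s is not imported" % (dll, func))
    old = read_slot(img, rva)
    struct.pack_into("<Q", img, rva, new_target)
    return old


def imports_outside(img, module_ranges):
    """Defender check: IAT slots whose target is outside the [start, end) range of the owning module."""
    bad = []
    for dll, func, rva in iter_imports(img):
        lo, hi = module_ranges.get(dll.lower(), (0, 0))
        target = read_slot(img, rva)
        if not lo <= target < hi:
            bad.append((dll, func, target))
    return bad


if __name__ == "__main__":
    image = build_sample_image()
    print("ws2_32!connect IAT slot at RVA %#x" % find_iat_slot(image, "ws2_32.dll", "connect"))
    ranges = {"kernel32.dll": (0x7FF000000000, 0x7FF000100000),   # made-up module ranges
              "ws2_32.dll": (0x7FF100000000, 0x7FF100100000)}
    print("before redirect:", imports_outside(image, ranges))
    old = redirect_import(image, "ws2_32.dll", "connect", 0x1000)  # 0x1000 stands in for a hook function
    print("after redirect: old target %#x, flagged: %s" % (old, imports_outside(image, ranges)))
```

The audit in `imports_outside` is the mirror image of the hook: once a slot has been redirected, its target falls outside the range of the module that exported the function, which is exactly how an integrity check over a process's IATs spots such patches. It also illustrates the limit the first question runs into: only calls that go through the import table are affected, so code that reaches the API another way never passes through the patched slot.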

Related

WPP tracing for linux

I'm looking for a way to output traces to a log file in my code, which runs on Linux.
I don't want to include the printing information in the binary, in every place I deploy it.
In Windows, I simply used WPP to trace without putting the actual trace strings in my binary.
How can this be achieved in Linux?
I'm not very familiar with Linux tools in this area, so maybe there is a better system. However, since nobody else has made any good suggestions, I'll make a suggestion. (Probably not a very good suggestion, but the best I can think of right now.)
In theory, you could continue to use WPP. WPP is simply a template system. It scans the configuration and input files to create data structures. Then it runs a template, fills in the data values it got from the scan, producing the tmh files. You could create a new set of templates that would use Linux APIs instead of Windows APIs, and would record the message strings in a way that works with some other log decoder system.
I noticed this question only now and would like to add my two cents to the story just for a case. Personally, I truly appreciate Windows WPP Tracing and consider it probably the best engineering solution for practical development troubleshooting among similar tools.
It happened I extended WPP use to Unix-like platforms twice. We wanted to use the strong sides of the WPP concept in general and yet use it in multi-platform pieces of code. This was not a porting but rather a wrapper to the specific WPP use we configured on Windows. One time we had a web service to perform the actual WPP pre-processing on Windows; it may sound a bit insane but it worked fine and effectively within the local network. A wrapper script that was executed before each compilation sent a web request, got a processed file and post-processed the generated include file to make it suitable for Unix-like platforms. The second time we implemented a simplified WPP pre-processor of our own (we found yet another use for it - we could generate the tracing statements differently for production and unit testing, for example). This was a harsh solution: you anyway need to use some physical tracing framework behind the wrapper on non-Windows platforms (well, the first time we apparently implemented our own lower level).
I do not think the Linux world has a framework comparable to WPP. Once I even thought it could be a great idea to make an open source porting project for WPP. I am not sure it would be much requested though. I said it is a great engineering solution. But who wants to do dirty engineering work? The open source community prefers abstract object-oriented and generic solutions, streaming and less need for corresponding tools (WPP requires special management tools and OS support). Ease of code writing is today's choice.
There could be Microsoft's fault (or unwillingness) in the lack of WPP popularity too. They kept it as an internal framework that came out just by chance with the Windows DDK because they had to offer some logging/tracing solution for driver developers. Nobody even noticed much that WPP is well suited for user-space code too. And the WPP pre-processor for C#, for example, has never been exposed to the public at all.
Nevertheless, I still think that WPP porting to Unix/Linux work can be a challenging, interesting and maybe even useful attempt. If someone decides to lead it. :)

Linux access memory traced process

I am writing a small tracing mechanism for academic purposes. This program tracks another process using ptrace and I need to compare different ways to access its memory to retrieve information such as system call arguments.
Can you tell me where I can find a comprehensive list, or just tell me which different mechanisms exist?
Thank you.
I am working on a similar project. You can try Vmtrace or PageTrace; they provide the pages accessed by each process.

Is there a Linux equivalent for the Windows InetIsOffline function?

Is there a Linux function that is equivalent to the InetIsOffline function in Windows (provided by url.dll) that can tell me whether the system is connected to the Internet, or do I have to cook up something myself?
The reason I ask is that I am an early-adopter of Lhogho. I found out how to do this in Windows and wanted to develop something to offer the same functionality in Linux.
You can talk to Network Manager over D-Bus to see if anything is connected, but other than that there's no specific way of doing so. And even NM isn't always accurate.
You could also parse some file under /proc/net/ such as /proc/net/if_inet6 or /proc/net/tcp
But why do you want to do that? If you want to check that some site is accessible, just access it programmatically (e.g. with libcurl).
And it does happen that some sites are inaccessible and others still work.
It might mean "do I have a default route?", or at least that would be a reasonable implementation, IMHO. So, just check the routing table (/proc/net/route) for it :).
That of course will not work with IPv6 (you would need to parse ipv6_route), but it's complicated to decide how that should be treated. Maybe Wine source code, or MSDN documentation can shed light on the matter.
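The answers above settle on "do I have a default route?" and point at /proc/net/route and /proc/net/ipv6_route. The Python below is an added example, not code from Lhogho or from any of the answerers; it parses both files and, going a step beyond the IPv4-only answer, applies the same default-route test to the IPv6 table. The two sample tables are constructed inline so the check runs offline; the interface name and gateway addresses in them are made up.

```python
"""Default-route check by parsing /proc/net/route and /proc/net/ipv6_route.

Added example (not Lhogho's code). Sample tables below are constructed; on a live system
has_default_route() reads the real files.
"""
import socket
import struct

RTF_UP = 0x0001       # route is usable
RTF_GATEWAY = 0x0002  # destination is reached via a gateway (not directly attached)

# Constructed /proc/net/route: header, a default route via 192.168.1.1, and a link-local route.
# Addresses are hex, little-endian: 0101A8C0 -> bytes C0 A8 01 01 -> 192.168.1.1
SAMPLE_ROUTE = (
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t0101A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n"
    "eth0\t0001A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n"
)

# Constructed /proc/net/ipv6_route (no header): dest, prefixlen, src, srcprefixlen, nexthop,
# metric, refcnt, use, flags, device. First line is ::/0 via fe80::1; second is the fe80::/64 link route.
SAMPLE_IPV6_ROUTE = (
    "00000000000000000000000000000000 00 00000000000000000000000000000000 00 "
    "fe800000000000000000000000000001 00000400 00000001 00000000 00450003 eth0\n"
    "fe800000000000000000000000000000 40 00000000000000000000000000000000 00 "
    "00000000000000000000000000000000 00000100 00000001 00000000 00000001 eth0\n"
)


def ipv4_default_gateways(text):
    """Return [(iface, gateway)] for every up, gatewayed route to 0.0.0.0/0."""
    found = []
    for line in text.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) < 8:
            continue
        iface, dest, gw, flags, mask = f[0], f[1], f[2], int(f[3], 16), f[7]
        if dest == "00000000" and mask == "00000000" and flags & RTF_UP and flags & RTF_GATEWAY:
            found.append((iface, socket.inet_ntoa(struct.pack("<L", int(gw, 16)))))
    return found


def ipv6_default_gateways(text):
    """Return [(iface, gateway)] for every up, gatewayed route to ::/0."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue
        dest, plen, nexthop, flags, iface = f[0], int(f[1], 16), f[4], int(f[8], 16), f[9]
        if dest == "0" * 32 and plen == 0 and flags & RTF_UP and flags & RTF_GATEWAY:
            found.append((iface, socket.inet_ntop(socket.AF_INET6, bytes.fromhex(nexthop))))
    return found


def _read(path):
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:                              # file absent (e.g. IPv6 disabled) counts as no routes
        return ""


def has_default_route(v4_text=None, v6_text=None):
    """True if either table carries a usable default route; reads /proc when no text is given."""
    v4 = _read("/proc/net/route") if v4_text is None else v4_text
    v6 = _read("/proc/net/ipv6_route") if v6_text is None else v6_text
    return bool(ipv4_default_gateways(v4) or ipv6_default_gateways(v6))


if __name__ == "__main__":
    print("sample IPv4 gateways:", ipv4_default_gateways(SAMPLE_ROUTE))
    print("sample IPv6 gateways:", ipv6_default_gateways(SAMPLE_IPV6_ROUTE))
    print("this host has a default route:", has_default_route())
```

As the answers warn, a default route says only that the kernel knows where to send non-local packets; it says nothing about whether anything beyond the gateway answers, so a program that needs a particular site should still try to reach it.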

Sandboxing a program using WinAPI hooks

I'd like to sandbox native code and use hooking of WinAPI and system functions to block or allow this program to perform some operations like reading/writing files, modifying the Windows registry, or using an Internet connection. Is it a good and secure way to do so? How difficult would it be for that program to bypass such a security layer?
I've checked your questions and they are all related to a task that seems to be invalid from the very beginning, and here's why: you are trying to secure one application and you are ready to reinvent the wheel for this. There exist several approaches (and many ready-made solutions) to solve your problem. So instead of coding you need to look at existing solutions.
The approaches are:
use Windows permissions to restrict access of your application to resources
take VMWare or Parallels or another virtualization platform and run your program there
take a sandboxing SDK (such as BoxedApp) and "wrap" your application.
+1 to Hans, however if you are really into it then I can recommend Easyhook. I have personally used it successfully in Win XP, Vista and 7. I don't know how bypassable it is but other alternatives do exist - madSHI hooks, and, if you want to go the official way, try Detours from Microsoft.
Antivirus apps try to solve nearly the same problem, without much success.
1. You'd never know how even the most common operations can be used.
2. There are syscalls, so the program doesn't have to use WinAPI at all.

How to extract random screenshots from a swf file? In Linux

I need to automatically extract some random screenshots from Flash content (swf) in linux.
I will appreciate any advice on this.
Thanks in advance.
I don't think this is going to be easy; a guess at a possible implementation may be:
Run a virtual X server such as Xvfb (this is easy).
Write a program which encapsulates the Flash plugin, either by using a browser (for example Mozilla / xulrunner) or implementing the plugin interface directly and invoking the necessary logic. The Netscape plugin interface is documented.
Have some way of waiting for the SWF to fully load, including all sub-components; I don't know how easy it is to tell, as there may not be callbacks for this.
Wait until the Flash has got to an interesting section (you may use some arbitrary criteria for this, either time-based or content-based).
Stop the Flash (possibly just by suspending the thread, etc.), and snapshot the window / screen you're using.
If you've got an Xvfb server you can use whatever resolution you want and use the whole screen.