Hi,
warning - a newbie question -
I am coding an asm winlogon notification package as per
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/creating_a_winlogon_notification_package.asp
All the examples are in C++/C# etc.. I started coding using MASM
since I do not know C and know (at least something about MASM). I
have 3 questions re the following:
There seems to be a requirement for a "LibMain" function for a DLL
to work ok. I copied the code below from a small assembler DLL that
works fine - and the code is straightforward - no problems understanding
what it does:
push 0
pop eax
LibMain PROC h:DWORD,r:DWORD,u:DWORD
mov eax,1
ret
LibMain ENDP
Question # 1 - Windows must require this - anyone know why ?
The C structure I am being passed looks like this:
void Event_Handler_Function_Name(
PWLX_NOTIFICATION_INFO pInfo
);
typedef struct _WLX_NOTIFICATION_INFO {
ULONG Size; ulong = 4 bytes
ULONG Flags; same
PWSTR UserName; pwstr = 4 bytes unicode
PWSTR Domain; same same
PWSTR WindowStation; same same
HANDLE hToken; same
HDESK hDesktop; ?? HDESK = 4 bytes
PFNMSGECALLBACK pStatusCallback; ?? 4 bytes
} WLX_NOTIFICATION_INFO, is this another 4 bytes ?
*PWLX_NOTIFICATION_INFO; 4 byte pointer reference
Ok - since I only want to use the first 6 items I will take a chance that
the first 6 items have 4 byte pointers to them and simply allocate
more storage than I think I require (say 256 extra bytes)
Question # 2 - I am assuming 4 bytes for all the pointers above, but
what about the last 2 items (outside the "}" - are these also
4 byte pointers - or ??
Finally - assuming that the LibMain code above runs first and my code is
called next -
Mycode PROC h:DWORD,r:DWORD,u:DWORD
push ebp
mov ebp, esp
sub esp, 64
push ebx
push esi
push edi
Question # 3
At this point - Where in hell is the 4 byte "pInfo" that is supposed to be
passed to me ? Since this routine is called at logon time I have not found
a way to run this in Ollydbg or Windbg. I don't seem to be getting the pInfo pointer in the stack - can it be passed in a register ???
My reading seems to indicate that typical Windows calling convention uses the stack. I would think that the single 4 byte pInfo passed to me would be on the stack at ebp or ebp+4 or ebp+8 or ebp+12... My code is definitely called - I get my event log written with garbage data.
Obviously I need to learn more about how Windows/C compilers work and
the resulting programs are used in Windows.
thanks for any help
I don't know if I can help much but here goes. Since you are trying to create a DLL have a look at Iczelion's tutorial number 17. You can find it easily enough with a google search for 'Iczelion.' Follow the steps in the tutorial to make a barebones functional DLL and go from there. That's about all I can say with my limited knowledge.
Hm, the DllMain routine you posted is a bit foo. Here's the MSDN link that describes how DllMain works: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/dllmain.asp .
You really ought to convert the C struct to a MASM struct, will make things easier for you - have a look at windows.inc to get an idea of how to do it. And indeed yes, all items are 32bit/4byte size since you're on win32. Note that the strings (PWSTR) are unicode.
WLX_NOTIFICATION_INFO and *PWLX_NOTIFICATION_INFO are just names for the structure - the one starting with P is a typename for pointer-to-the-structure.
Your code should look something like...
MyNotificationRoutine PROC STDCALL USES EBX ESI EDI, pInfo:PTR WLX_NOTIFICATION_INFO
; do some stuff here
ret
MyNotificationRoutine ENDP
Note: the MSDN article doesn't specify what calling convention is used, so *perhaps* it's C and not STDCALL.
Now, what is this logon notify routine to be used for?
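The struct layout and the Size check, in C, as an added example that is not part of this thread and not Microsoft's code. It models the Win32 layout with fixed-width types so it compiles with the same offsets on any host; the wlx_* names, the decode helper and the sample field values are assumptions made up for the example. With a STDCALL PROC as shown above, MASM's own prologue leaves pInfo at [ebp+8], and the member offsets this code prints are the displacements to add to that pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Win32 (32-bit) layout of WLX_NOTIFICATION_INFO: every ULONG, pointer and
 * handle is 4 bytes, so the eight members sit at offsets 0,4,...,28 and the
 * structure is 32 bytes. Fixed-width types stand in for the windows.h types
 * (ULONG, PWSTR, HANDLE, HDESK, PFNMSGECALLBACK) so the layout is identical
 * on any host compiler; the wlx_* names are this example's, not Microsoft's. */
typedef uint32_t win32_ulong;
typedef uint32_t win32_ptr;

typedef struct wlx_notification_info_32 {
    win32_ulong Size;            /* [pInfo+0]  set by Winlogon to sizeof(struct) */
    win32_ulong Flags;           /* [pInfo+4]  */
    win32_ptr   UserName;        /* [pInfo+8]  PWSTR: address of a UTF-16 string */
    win32_ptr   Domain;          /* [pInfo+12] PWSTR */
    win32_ptr   WindowStation;   /* [pInfo+16] PWSTR */
    win32_ptr   hToken;          /* [pInfo+20] HANDLE */
    win32_ptr   hDesktop;        /* [pInfo+24] HDESK */
    win32_ptr   pStatusCallback; /* [pInfo+28] PFNMSGECALLBACK */
} wlx_notification_info_32;

#define WLX_INFO_SIZE_32 32u

/* Offset of member 'index' (0..7, declaration order): the N a MASM routine
 * writes as [pInfo+N]. Returns (size_t)-1 for an index out of range. */
size_t wlx_field_offset(unsigned index)
{
    static const size_t offsets[8] = {
        offsetof(wlx_notification_info_32, Size),
        offsetof(wlx_notification_info_32, Flags),
        offsetof(wlx_notification_info_32, UserName),
        offsetof(wlx_notification_info_32, Domain),
        offsetof(wlx_notification_info_32, WindowStation),
        offsetof(wlx_notification_info_32, hToken),
        offsetof(wlx_notification_info_32, hDesktop),
        offsetof(wlx_notification_info_32, pStatusCallback),
    };
    return index < 8 ? offsets[index] : (size_t)-1;
}

/* Read a little-endian DWORD, the byte order x86 Winlogon uses in memory. */
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the structure from the raw bytes pInfo points at. Returns 1 on
 * success, 0 if the buffer is too short or Size does not describe the
 * structure version we know. Checking Size before touching any later member
 * is what the field is for: it stops the routine reading past what the
 * caller actually supplied. */
int wlx_decode(const unsigned char *buf, size_t len, wlx_notification_info_32 *out)
{
    if (buf == NULL || out == NULL || len < sizeof(win32_ulong))
        return 0;
    uint32_t size = rd32(buf);
    if (size < WLX_INFO_SIZE_32 || size > len)
        return 0;
    out->Size            = size;
    out->Flags           = rd32(buf + 4);
    out->UserName        = rd32(buf + 8);
    out->Domain          = rd32(buf + 12);
    out->WindowStation   = rd32(buf + 16);
    out->hToken          = rd32(buf + 20);
    out->hDesktop        = rd32(buf + 24);
    out->pStatusCallback = rd32(buf + 28);
    return 1;
}

/* Constructed sample of what Winlogon might hand the routine (values made up
 * for this example). Writes 32 little-endian bytes into buf, returns count. */
size_t wlx_sample_buffer(unsigned char *buf, size_t cap)
{
    static const uint32_t fields[8] = {
        WLX_INFO_SIZE_32, 0x00000001u, 0x00410000u, 0x00410040u,
        0x00410080u,      0x000002a8u, 0x0000005cu, 0x7c801000u,
    };
    if (buf == NULL || cap < WLX_INFO_SIZE_32)
        return 0;
    for (unsigned i = 0; i < 8; i++)
        for (unsigned b = 0; b < 4; b++)
            buf[4 * i + b] = (unsigned char)((fields[i] >> (8 * b)) & 0xff);
    return WLX_INFO_SIZE_32;
}

int main(void)
{
    unsigned char buf[64];
    wlx_notification_info_32 info;
    size_t n = wlx_sample_buffer(buf, sizeof buf);
    for (unsigned i = 0; i < 8; i++)
        printf("member %u at [pInfo+%u]\n", i, (unsigned)wlx_field_offset(i));
    if (wlx_decode(buf, n, &info))
        printf("Size=%u Flags=0x%x hToken=0x%x\n", (unsigned)info.Size,
               (unsigned)info.Flags, (unsigned)info.hToken);
    return 0;
}
```

The same check translates directly to MASM: compare [pInfo].Size against sizeof WLX_NOTIFICATION_INFO before loading hToken or the string pointers, and treat a smaller Size as "do nothing" rather than guessing the layout.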
Thanks to Desp & f0dder
Found the tute from Iczelion & read the msdn article. Fixed up my dllmain & disassembled a symantec routine to get a concrete example of how a dll uses the dllmain code. STDcall - 12 bytes right to left
Yep - all that now fixed.
I have finished coding and testing a simple winlogon notify routine that simply writes out to the event log whenever any user uses their smart card. I volunteered to write this routine to be called since our MSGINA is from a commercial vendor and we had to make sure that we did not impact their very complex logon/logoff/change password routine. It works fine. If someone wants a copy of this code (I am sure someone like f0dder or others could do a better job writing it) - I will see if I can send it to their private email address.
thanks - I plan to learn more by writing code - the assembler language is easy - the mysteries of WINAPIs are a little less foggy now.
deros68
Why not post the results here? I'd like a copy if you don't feel like posting it in public anyway :)