Hi,

warning - a newbie question -

I am coding an asm winlogon notification package as per
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/creating_a_winlogon_notification_package.asp

All the examples are in C++/C# etc..  I started coding using MASM
since I do not know C and know (at least something about MASM). I
have 3 questions re the following:

There seems to be a requirement for a "LibMain" function for a DLL
to work ok.  I copied the code below from a small assembler DLL that
works fine - and the code is straightforward - no problems understanding
what it does:

push 0
pop eax
LibMain PROC h:DWORD,r:DWORD,u:DWORD
mov eax,1
ret
LibMain ENDP

Question # 1 - Windows must require this - anyone know why ?

The C structure I am being passed looks like this:

void Event_Handler_Function_Name(
  PWLX_NOTIFICATION_INFO pInfo
);

typedef struct _WLX_NOTIFICATION_INFO {
  ULONG Size;                  ulong =      4 bytes
  ULONG Flags;                same
  PWSTR UserName;          pwstr  =    4 bytes  unicode
  PWSTR Domain;              same                      same
  PWSTR WindowStation;  same                      same
  HANDLE hToken;            same
  HDESK hDesktop;                                ??  HDESK = 4 bytes
  PFNMSGECALLBACK pStatusCallback;    ??  4 bytes
} WLX_NOTIFICATION_INFO,              is this another  4 bytes ?
*PWLX_NOTIFICATION_INFO;            4 byte pointer reference

Ok -  since I only want to use the first 6 items I will take a chance that
the first 6 items have 4 byte pointers to them and simply allocate
more storage than I think I require (say 256 extra bytes)

Question # 2 - I am assuming 4 bytes for all the pointers above, but
what about the last 2 items (outside the "}"  - are these also
4 byte pointers - or ??

Finally  - assuming that the LibMain code above runs first  and my code is
called next -

Mycode PROC  h:DWORD,r:DWORD,u:DWORD
push ebp
mov ebp, esp
sub esp, 64
push ebx
push esi
push edi

Question # 3
At this point - Where in hell is the 4 byte "pInfo" that is supposed to be
passed to me ?  Since this routine is called at logon time I have not found
a way to run this in Ollydbg or Windbg. I don't seem to be getting the pInfo pointer in the stack - can it be passed in a register ???
My reading seems to indicate that typical Windows calling convention uses the stack.  I would think that the single 4 byte pInfo passed to me would be on the stack at ebp or ebp+4 or ebp+8 or ebp+12..  My code is definitely called - I get my event log written with garbage data.

Obviously I need to learn more about how Windows/C compilers work and
the resulting programs are used in Windows.

thanks for any help

Posted on 2006-07-25 16:30:45 by deros68
I don't know if I can help much but here goes.  Since you are trying to create a DLL have a look at Iczelion's tutorial number 17.  You can find it easily enough with a google search for 'Iczelion.'  Follow the steps in the tutorial to make a barebones functional DLL and go from there.  That's about all I can say with my limited knowledge.
Posted on 2006-07-26 00:28:03 by Desp
Hm, the DllMain routine you posted is a bit foo. Here's the MSDN link that describes how DllMain works: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/dllmain.asp .

You really ought to convert the C struct to a MASM struct, will make things easier for you - have a look at windows.inc to get an idea of how to do it. And indeed yes, all items are 32bit/4byte size since you're on win32. Note that the strings (PWSTR) are unicode.

WLX_NOTIFICATION_INFO and *PWLX_NOTIFICATION_INFO are just names for the structure - the one starting with P is a typename for pointer-to-the-structure.

Your code should look something like...


MyNotificationRoutine  PROC STDCALL USES EBX ESI EDI, pInfo:PTR WLX_NOTIFICATION_INFO
    ; do some stuff here
    ret
MyNotificationRoutine  ENDP


Note: the MSDN article doesn't specify what calling convention is used, so *perhaps* it's C and not STDCALL.

Now, what is this logon notify routine to be used for?
Posted on 2006-07-26 02:33:54 by f0dder
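A fuller sketch of what f0dder describes, added here as an example and not code from any poster or from the MSDN article: the C struct mirrored as a MASM STRUCT, a minimal DllMain, and a notification routine that lets PROC generate the frame so pInfo really is at [ebp+8]. The field name Size_ is used because Size collides with the MASM SIZE operator; the include paths assume the MASM32 package, and STDCALL for the notification routine is the same assumption f0dder flags.

```masm
.386
.model flat, stdcall
option casemap:none

include windows.inc        ; assumed: MASM32 package headers
include kernel32.inc
includelib kernel32.lib

; Constructed MASM mirror of WLX_NOTIFICATION_INFO.
; On Win32 every field is 4 bytes, so the offsets are 0,4,8,...,28.
WLX_NOTIFICATION_INFO STRUCT
    Size_           DWORD ?    ; ULONG Size   (renamed: SIZE is a MASM operator)
    Flags           DWORD ?    ; ULONG Flags
    UserName        DWORD ?    ; PWSTR, UTF-16 string
    Domain          DWORD ?    ; PWSTR
    WindowStation   DWORD ?    ; PWSTR
    hToken          DWORD ?    ; HANDLE
    hDesktop        DWORD ?    ; HDESK
    pStatusCallback DWORD ?    ; PFNMSGECALLBACK
WLX_NOTIFICATION_INFO ENDS

.code

; The loader calls this on attach/detach; returning TRUE keeps the DLL loaded.
; With "PROC name, params" MASM emits push ebp / mov ebp,esp and "ret 12" itself.
DllMain PROC hInst:DWORD, dwReason:DWORD, lpReserved:DWORD
    mov eax, TRUE
    ret
DllMain ENDP

; Notification routine: winlogon passes one stack argument, pInfo.
; Do NOT repeat "push ebp / mov ebp,esp / sub esp,N" by hand inside a
; PROC with parameters; that second frame is why the [ebp+8] slot looked empty.
LogonEvent PROC USES ebx esi edi, pInfo:PTR WLX_NOTIFICATION_INFO
    mov esi, pInfo
    assume esi:PTR WLX_NOTIFICATION_INFO

    ; Defensive check: only read fields that the caller says are present.
    mov eax, [esi].Size_
    cmp eax, SIZEOF WLX_NOTIFICATION_INFO
    jb  done

    mov ebx, [esi].UserName        ; PWSTR: use the W (wide) API variants with it
    mov edi, [esi].Domain
    ; ... hand ebx/edi to ReportEventW or similar (not shown)

done:
    assume esi:nothing
    ret                            ; MASM emits "ret 4" for STDCALL
LogonEvent ENDP

End DllMain
```

Export LogonEvent through a .def file (EXPORTS LogonEvent) so winlogon can resolve the name you register under the Notify registry key; with .model flat, stdcall every PROC is STDCALL unless you say otherwise, so if the routine turns out to be cdecl, declare it PROC C and drop the USES-generated ret 4.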
Thanks to Desp & f0dder

Found the tute from Iczelion & read the msdn article.  Fixed up my dllmain & disassembled a symantec routine to get a concrete example of how a dll uses the dllmain code.  STDcall - 12 bytes right to left

Yep - all that now fixed.

I have finished coding and testing a simple winlogon notify routine that simply writes out to the event log whenever any user uses their smart card.  I volunteered to write this routine to be called since our MSGINA is from a commercial vendor and we had to make sure that we did not impact their very complex logon/logoff/change password routine. It works fine. If someone wants a copy of this code (I am sure someone like f0dder or others could do a better job writing it) - I will see if I can send it to their private email address.

thanks - I plan to learn more by writing code - the assembler language is easy - the mysteries of WINAPIs are a little less foggy now. 

deros68 
Posted on 2006-08-28 18:10:50 by deros68
Why not post the results here? I'd like a copy if you don't feel like posting it in public anyway :)
Posted on 2006-08-29 01:08:01 by f0dder