Created: Wednesday, May 17 2006 14:57.58 CDT Modified: Thursday, May 18 2006 14:38.00 CDT
Tips & Tricks Part 1 - Global Flags
Author: AlexIonescu

Every week I'll post a low-level system tip or trick which I hope will come in handy for you one day. This week's is partly thanks to a question asked of me by bluffer.

When I talked about checked builds earlier, I mentioned some of their amazing trace/debugging features. What I didn't mention is that retail builds also have some of those features present, but disabled, and they are enabled through the use of Global Flags. These flags can be extremely useful during development, and it would be a shame not to take advantage of them. The full list is here:
http://technet2.microsoft.com/WindowsServer/en/Library/6a183942-57b1-45e0-8b4c-c546aa1b8c471033.mspx?mfr=true

Now the question arises: how do you enable them? In the past it was possible to use ZwSetInformationSystem, but since Windows 2000 some of the user-mode flags are masked out. Microsoft has always shipped a tool called gflags.exe, which presents a GUI in which many of the flags can be enabled. However, it's a pain to work with, and it also seems that some flags don't "stick". You can also use WinDBG and the !gflag command, which does always work. Nevertheless, all these methods require you to modify the system manually. What if you wanted to send the program to someone with a built-in DbgPrint hook and then analyze any output data yourself? Or have a program which sets some global flags for itself?

Thankfully, there is a way, and that is to use the barely-documented Load Configuration Data Table:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/image_load_config_directory64_str.asp
The interesting member for us right now is GlobalFlagsSet.

This allows your image, when loaded, to set any global flags that it wants, and it affects only the process itself rather than the entire system. Right then, how do you actually define this structure? Bluffer found the answer at this site:
http://msdn2.microsoft.com/en-US/library/9a89h429.aspx

The documentation is about Safe SEH handlers, so simply disregard that part; the important point is that defining a structure and naming it _load_config_used will make the Microsoft linker place it in your executable's Load Configuration directory. Simply set the GlobalFlagsSet member to the flags you need, and you're on your way!
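As an added example (not code from the original post), here is how that structure could be defined in a 32-bit MSVC C project, alongside a small decoder that names the FLG_ bits in a GlobalFlags value, which is useful when checking what flags an image's load config asks the loader for. The field layout is the documented IMAGE_LOAD_CONFIG_DIRECTORY32 layout of that time and the flag values are the ones gflags documents; the type name LOAD_CONFIG_DIRECTORY32 and the helper describe_global_flags are mine.

```c
#include <stdint.h>
#include <string.h>

/* IMAGE_LOAD_CONFIG_DIRECTORY32 layout as documented at the time (x64 images use the 64-bit variant). */
typedef struct {
    uint32_t Size;
    uint32_t TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t GlobalFlagsClear;   /* NtGlobalFlag bits cleared for this process only */
    uint32_t GlobalFlagsSet;     /* NtGlobalFlag bits set for this process only */
    uint32_t CriticalSectionDefaultTimeout;
    uint32_t DeCommitFreeBlockThreshold, DeCommitTotalFreeThreshold;
    uint32_t LockPrefixTable, MaximumAllocationSize, VirtualMemoryThreshold;
    uint32_t ProcessHeapFlags, ProcessAffinityMask;
    uint16_t CSDVersion, Reserved1;
    uint32_t EditList, SecurityCookie, SEHandlerTable, SEHandlerCount;
} LOAD_CONFIG_DIRECTORY32;

/* Three of the flag values gflags documents. */
#define FLG_SHOW_LDR_SNAPS          0x00000002u  /* loader snaps: LDR: DbgPrint output */
#define FLG_HEAP_ENABLE_TAIL_CHECK  0x00000010u
#define FLG_HEAP_ENABLE_FREE_CHECK  0x00000020u

/* The Microsoft linker puts a global of exactly this name into the load-config
 * data directory (x86 decorates it to __load_config_used). Caveat: the VS 2015
 * and later CRTs define _load_config_used themselves, so there you get a
 * duplicate-symbol link error unless that CRT object is excluded. */
const LOAD_CONFIG_DIRECTORY32 _load_config_used = {
    .Size = sizeof(LOAD_CONFIG_DIRECTORY32),
    .GlobalFlagsSet = FLG_SHOW_LDR_SNAPS | FLG_HEAP_ENABLE_TAIL_CHECK
                    | FLG_HEAP_ENABLE_FREE_CHECK,
};

/* Render a GlobalFlags value as '|'-joined names and return the number of known
 * bits present; handy for checking what an image's load config asks the loader for. */
int describe_global_flags(uint32_t flags, char *out, size_t cap)
{
    static const struct { uint32_t bit; const char *name; } table[] = {
        { FLG_SHOW_LDR_SNAPS, "FLG_SHOW_LDR_SNAPS" },
        { FLG_HEAP_ENABLE_TAIL_CHECK, "FLG_HEAP_ENABLE_TAIL_CHECK" },
        { FLG_HEAP_ENABLE_FREE_CHECK, "FLG_HEAP_ENABLE_FREE_CHECK" },
    };
    int n = 0; out[0] = '\0';
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (!(flags & table[i].bit)) continue;
        if (n++) strncat(out, "|", cap - strlen(out) - 1);
        strncat(out, table[i].name, cap - strlen(out) - 1);
    }
    return n;
}
```

Build it as part of an x86 executable and inspect the result with a PE dumper (e.g. `dumpbin /loadconfig`) to confirm the GlobalFlagsSet value landed in the Load Configuration directory.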

--
UPDATE [18-May]
On the question of "Why not simply use the PEB?"
--
And how will you be modifying the PEB? Just like modifying NtGlobalFlags in the kernel, this will require manual editing. Sure, your process can do NtCurrentPeb()->GlobalFlags = WhateverYouNeed, but by then, you will already have lost the ability to use some important ones (for example, you won't get Loader Snaps (LDR messages) because you have already been loaded).

Another problem is that in the unlikely (but still possible) event that the PEB offset changes, your program will break and require a recompile against a new structure. Using the PE structure, which is a standard, you can be sure that your program stays backwards compatible. Additionally, it may even be supported on other operating systems which emulate Windows (Wine, etc.). They may not have a PEB, but since this PE structure is standardized, they can still read it and honour your flag in another way.
