OpenRCE

📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Sunday, December 14 2008 18:35.08 CST

Modified: Monday, January 5 2009 10:05.35 CST

Printer Friendly ...

Windows Auxiliary API library - Internals

Author: Dreg

# Views: 5275

LoaderLock

The LoaderLock is used by some APIs as GetModuleHandle, and also when DllMain is executed, that is why we have
to be carefull when working with threads and dlls. Example

Thread A Loads a DLL, DllMain executes getchar()...

Thread B Calls GetModuleHandleA.

In this simple scenario, until the user doesnt press a key so getchar executes and the Thread A exits from DllMain and Thread B
will stand by.

Solutions

- Thread A checks with AuxUlibIsDLLSynchronizationHeld function that is blocking LoaderLock and does not execute calls that block the Thread.

- Thread B detects that some thread has blocked the LoaderLock and does not execute calls that use it. Aux Library does not support that way.

Internal Functions

[code]
BOOL Win9xCheckDllSynchronization( PBOOL in )
{
  * in = FALSE;

  return TRUE;
}
[code]

Is used for support of Win9x.

Global variables

[code]
AuxpUlibData_t          AuxpUlibData;
[code]

Structure that initiates AuxUlibInitialize and it will be used by the rest of functions

[code]
typedef struct AuxpUlibData_s
{
DWORD                          dwPlatformId;
DWORD                          dwMajorVersion;
DWORD                          dwMinorVersion;
SetSystemFileCacheSize_t       RtSetSystemFileCacheSize;
NtSetSystemInformation_t       RtNtSetSystemInformation;
PrivIsDllSynchronizationHeld_t RtPrivIsDllSynchronizationHeld;

} AuxpUlibData_t;
[code]

[code]
LONG                    AuxpInitState;
[code]

If the library has been initialized with AuxUlibInitialize value will be 1, otherwise 0.

[code]
LONG                    DLLSynchAPISafe;
[code]

[code]
HANDLE                 DllSynchronizationOwnerPtr;
[code]

[code]
++

Routine Description

    This routine must be successfully called by an application before any
    other routine in the library may be called. It serves to initialize any global
    state that may be required by other routines in the file.

    It is safe to call this routine in a multi-threaded environment.

Arguments

    None.

Return Value

    Boolean status. Error code available via GetLastError ().

--

BOOL WINAPI AuxUlibInitialize( VOID )
[code]

- If the library has ben initialized ( AuxpInitState == 1 ) will return TRUE straight away.

- Otherwise, the structure AuxpUlibData will initialize in this way

-. dwPlatformId, dwMajorVersion, dwMinorVersion will be equaled to the same fields, with the same values, of the structure OSVERSIONINFOW returned from GeVersionExw().

In case that GetVersionEw returns FALSE the initializing will fail and it will be GetLastError.

-. If the fields dwPlatformId are not valid VER_PLATFORM_WIN32_NT or VER_PLATFORM_WIN32_WINDOWS the initialization will fail and the Last error will be added to ERROR_NOT_SUPPORTED.

-. If dwPlatformId is different of VER_PLATFORM_WIN32_NT it will initialize RtPrivIsDllSynchronizationHeld = Win9xCheckDllSynchronization

-. It will be obtained with GetModuleHandleW kernel32.dll and only ntdll.dll will be obtained if dwPlatformId is VER_PLATFORM_WIN32_NT. In case that the call fails, the initialization will fail and the Last error will be added to ERROR_DLL_NOT_FOUND.

-. If dwPlatformId is equal to VER_PLATFORM_WIN32_NT

--. They will be obtained with GetProcAddress

---. RtSetSystemFileCacheSize =  GetProcAddress( kernel32.dll, SetSystemFileCacheSize );

If it fails for different reasons of GetLastError() == ERROR_PROC_NOT_FOUND, the initialization will fai and Last error will be added to GetLastError().

---. RtNtSetSystemInformation = GetProcAddress( ntdll.dll, NtSetSystemInformation );

If GetProcAddress fails, initialization will fail and Last error will be placed Last Error to ERROR_NOT_SUPPORTED.

---. RtPrivIsDllSynchronizationHeld = GetProcAddress( kernel32.dll, PrivIsDllSynchronizationHeld );

If GetProcAddress fails, and GetLastError() is different of ERROR_PROC_NOT_FOUND, initialization will fail and will be placed Last error to GetLastError().

- If everything went well AuxpInitState will be set to 1 with
[code]
InterlockedExchange( & AuxpInitState, 1 );
[code]

[code]
++

Routine Description

    This routine is used to set the current file system cache working set size. It
    requires that the caller has enabled the SE_INCREASE_QUOTA_PRIVILEGE
    in the currently active token prior to invoking this routine.

    This API is supported on Windows 2000 and later.

Arguments

    MinimumFileCacheSize - The minimum file cache size. Use (SIZE_T)-1 if
        the file cache is being flushed.

    MaximumFileCacheSize - The maximum file cache size. Use (SIZE_T)-1
        if the file cache is being flushed.

    Flags - Flags relevant to the file cache size adjustment. Currently this must
        be zero.

Return Value

    Boolean status. Error code available via GetLastError (). If the routine is
        invoked prior to invoking the initialization routine, the returned error code
        will be ERROR_INVALID_FUNCTION.

--

BOOL WINAPI AuxUlibSetSystemFileCacheSize
(
    IN SIZE_T MinimumFileCacheSize,
    IN SIZE_T MaximumFileCacheSize,
    IN DWORD Flags
);
[code]

- If the library was not initiated ( AuxpInitState == 0 ) will return FALSE and in the Last error ERROR_INVALID_FUNCTION.

- If the field RtSetSystemFileCacheSize has been initiated it will call SetSystemFileCacheSize with the arguments passed to the function and it will return what SetSystemFileCacheSize returns.

- If dwMajorVersion is lower than 5 (5 = Windows Server 2003, Windows XP, or Windows 2000) it will return FALSE and Last error to ERROR_NOT_SUPPORTED.

-If Flags value is not 0 it will return FALSE and in the Last error ERROR_INVALID_PARAMETER.

- We call RtNtSetSystemInformation in this way
RtNtSetSystemInformation( SystemFileCacheInformation, & system_information, sizeof( system_information ) )

If RtNtSetSystemInformation returns bigger or equal to 0 it will return TRUE.

- Otherwise, it will return FALSE and in Last error ERROR_INTERNAL_ERROR.

[code]
++

Routine Description

    This routine is used to determine whether or not the caller is executing
    code while holding a system synchronization primitive. Such a situation
    can arise when the OS temporarily calls into user-specified code as part
    of the DLL load procedure.

    A caller can benefit from this information by avoiding operations that
    could potentially lead to deadlocks, e.g., acquiring a process private lock.

    For example, consider the following case

        Thread A runs the THREAD_ATTACH routine for DLL X. This routine
            is invoked with OS DLL synchronization held. Suppose further that
            as part of this routine Thread A acquires some lock in DLL X (Lx).

        Thread B runs some code in DLL X that, while holding Lx, calls the OS
            library loader to, e.g. GetModuleHandle. As this routine acquires
            OS DLL synchronization, Thread B will deadlock with Thread A.

        This is an inherent limitation in the design of the OS loader as it
        performs such callouts as THREAD_ATTACH while holding loader
        synchronization. It can be partially ameliorated if Thread A detects
        that it is running with DLL synchronization held and only try-acquires
        other locks (such as Lx) that it may wish to take

Arguments

    SynchronizationHeld - Boolean value which indicates whether or not
        synchronization is held.

Return Value

    Boolean status. Error code available via GetLastError (). If the routine is
        invoked prior to invoking the initialization routine, the returned error code
        will be ERROR_INVALID_FUNCTION.

--

BOOL WINAPI AuxUlibIsDLLSynchronizationHeld( OUT PBOOL SynchronizationHeld );
[code]

- If DLLSynchAPISafe is equal to 1, PROC TRUE is executed

PROC TRUE

-. If the value that DllSynchronizationOwnerPtr is pointing is different to 0

--. TRUE is returned and were SynchronizationHeld is pointing

---. TRUE If the value were DllSynchronizationOwnerPtr is pointing (OwningThread de LoaderLock) is equal to GetCurrentThreadId().

---. FALSE Otherwise.

PROC TRUE

- If DLLSynchAPISafe is different than 1

--. If AuxpInitState is different than 1 it returns FALSE and in Last error ERROR_INVALID_FUNCTION.

--. If RtPrivIsDllSynchronizationHeld exists, we call to RtPrivIsDllSynchronizationHeld( SynchronizationHeld )  and returns what the call returns.

--. If DLLSynchAPISafe exists

---. If its different to 1 it returns FALSE and in Last error NOT_SUPPORTED.

---. Otherwise PROC TRUE is executed

--. Otherwise

---. If dwMajorVersion is minor than 5, DLLSynchAPISafe = 2 and returns FALSE and in Last error NOT_SUPPORTED.

---. Otherwise, DllSynchronizationOwnerPtr is initialized to the address were the field is OwningThread of LoaderLock
DllSynchronizationOwnerPtr = & NtCurrentTeb()-Peb-LoaderLock-OwningThread;

And we set DLLSynchAPISafe to 1 this way InterlockedExchange( & DLLSynchAPISafe, 1 );

At the end we call PROC TRUE.

There are 31,328 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06
Question about memor...	Dec/12

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit