As a hobby, I've been putting time into learning about binaries. I'm creating a program that does mostly what Ollydbg does. I figure taking on such a big project will teach me all I want to know about PEs. Right now I'm working on a dialog that resembles Ollydbg's memory map and lists out the heaps and sections associated with each module, but am running into some problems with access rights to system modules. I start off by opening a file and running it as a debuggee. I then
invoke OpenProcess,PROCESS_VM_READ,FALSE,AttachedPID
invoke ReadProcessMemory,eax,MemMapBaseAddress,offset MemMapMappingBuffer,1024h,offset MemMapNumberOfBytesWritten
invoke GetLastError
This works for about 30% of the modules that I tried to read from. The rest give me a 12B error (Only part of a ReadProcessMemory or WriteProcessMemory request was completed). One module that gives me this error is ntdll. So I did some research and found that I probably don't have permissions to the section in memory I was trying to access. So I tried changing the protection of that bit of memory with
invoke OpenProcess,PROCESS_VM_READ,FALSE,AttachedPID
push eax
invoke VirtualProtectEx,eax,offset MemMapBaseAddress,1024h,PAGE_READWRITE,offset OldProtect
invoke GetLastError
pop eax
invoke ReadProcessMemory,eax,MemMapBaseAddress,offset MemMapMappingBuffer,1024h,offset MemMapNumberOfBytesWritten
invoke GetLastError
and I get an error 5, access denied, for VirtualProtectEx. I've tried running the program as administrator as well and got the same results. Any idea about what's keeping me from reading the PE header of a module loaded as a debuggee?
You must run your executable as administrator and you may also need to adjust your token privilege to SeDebugPrivilege if you want full access to an external process's memory.
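The token adjustment the answer refers to, as an added Delphi example (not code from the question or the answer): it enables SeDebugPrivilege in the current token, opens the debuggee with PROCESS_VM_READ only (VirtualProtectEx would additionally need PROCESS_VM_OPERATION on the handle) and reads just the DOS header at the module base, a range that lies inside a single page. The function names, and the PID and Base values, are assumptions supplied by the debugger's own bookkeeping.

```delphi
uses
  Windows, SysUtils;

// Enables one privilege (e.g. SE_DEBUG_NAME) in the current process token.
// This only succeeds if the token already holds the privilege, which for
// SeDebugPrivilege means an elevated administrator.
function EnablePrivilege(const PrivName: string): Boolean;
var
  Token: THandle;
  TP: TTokenPrivileges;
  RetLen: DWORD;
begin
  Result := False;
  if not OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, Token) then
    Exit;
  try
    if not LookupPrivilegeValue(nil, PChar(PrivName), TP.Privileges[0].Luid) then
      Exit;
    TP.PrivilegeCount := 1;
    TP.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
    // AdjustTokenPrivileges returns True even when it enabled nothing; the real
    // outcome is GetLastError (ERROR_NOT_ALL_ASSIGNED if the privilege is absent).
    Result := AdjustTokenPrivileges(Token, False, TP, 0, PTokenPrivileges(nil)^, RetLen)
      and (GetLastError = ERROR_SUCCESS);
  finally
    CloseHandle(Token);
  end;
end;

// Reads the DOS header of the module at Base inside process PID. Reading just
// the 64-byte header keeps the request within the header page; ReadProcessMemory
// fails with ERROR_PARTIAL_COPY (12Bh) if any part of the range is unreadable.
function ReadDosHeader(PID: DWORD; Base: Pointer; out Hdr: TImageDosHeader): Boolean;
var
  Proc: THandle;
  Got: SIZE_T;
begin
  // PROCESS_VM_READ suffices for ReadProcessMemory; VirtualProtectEx would also
  // need PROCESS_VM_OPERATION on this handle.
  Proc := OpenProcess(PROCESS_VM_READ, False, PID);
  if Proc = 0 then
    RaiseLastOSError;
  try
    Result := ReadProcessMemory(Proc, Base, @Hdr, SizeOf(Hdr), Got)
      and (Got = SizeOf(Hdr)) and (Hdr.e_magic = IMAGE_DOS_SIGNATURE);
  finally
    CloseHandle(Proc);
  end;
end;
```

Call EnablePrivilege(SE_DEBUG_NAME) once at startup and check its result before ReadDosHeader; a False there means the process is not running with a token that holds the privilege.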
Found this post: ISAPI web application hanging if FastReport.PrepareReport is called
It helped solve my problem partially. I've also turned the Wysiwyg property to False on frxRichView. Since I'm returning a base64 string, I've also tried switching loading from StrToStream/LoadFromStream to LoadFromFile. The problem persists with multiple access: 2 out of 10 processes can finish loading my PDF file. All the other requests hang until timeout. Does anyone have an idea what else I can do? Is there any other way to return RTF format into a FastReport report? Thanks.
I could only get the time-out error using Selenium to test multiple requests from the client side.
Update: I've figured out that just having a TfrxRichView component in the report causes the hanging; it doesn't even need to have RTF text on it. Replacing it with a memo, all requests are answered.
UPDATE: Got an answer from Fast Report and I would like your opinion.
OK,
I had similar problems, and it is not easy to find out the reason, but maybe you can find your solution among my considerations.
1) Stack Size
When run in IIS your ISAPI is only a DLL called by a process; you are not the main process, so you have to pay attention to stack size.
Normally a Delphi application has a default stack size of 1 MB; in an ISAPI DLL you will have only 256 KB of stack.
Maybe you are facing a stack overflow exception. It can explain why it does not occur always but only in some circumstances.
2) Trapped Exception
In general, any error during the preparation of the report (i.e. all the work of dealing with data, expressions, variables, formulas etc.) can lead to a trapped exception. You may be unable to see it from outside, but code execution was broken somewhere and report preparation did not finish.
3) MessageBoxes and/or standard Exceptions
When running in ISAPI you should not output anything to the user interface; maybe a message dialog (or an exception) can lead to unexpected behaviour.
4) Global Var
You should avoid global variables because in ISAPI they will be common across threads.
So, if you have the sources, debug the application: at the first exception you should understand where your problem is.
If you don't have the sources, check the above list. I hope you can find some useful information.
You have two ways to solve this:
1- Try to recreate this behavior while debugging your ISAPI DLL. If you are lucky, you can identify the thread that is hanging your application. Sometimes this is hard or even impossible to recreate.
2- If you have access to the hung ISAPI application instance, use a tool like SysInternals Process Explorer to create a minidump file. Your application must be built using full debug symbols and you should have the corresponding map file. With one (or more - even better) dump files obtained from your hung application plus the map file, you can use another tool, WinDbg to analyze it and find the cause. (Sometimes) WinDbg can show exactly which thread is hanging the whole application and the line of code that causes it.
If you have never done that, I must warn you that this kind of analysis is almost a gamble... You have to use several different tools with little or no documentation, read heaps of technical info in various places. In the end, sometimes it works wonderfully and sometimes it fails miserably.
Because debugging ISAPI is not obvious, but also because I wanted to be able to switch easily between more different hosting solutions — and wanted to update my website on the fly without a restart of the web-server/service — I created xxm. It has a singular interface to the HTTP context; your DLL gets loaded by either an IIS ISAPI handler, or an HTTP.SYS handler, or an Apache httpd module, or for debugging locally you can just set xxmHttp.exe as host application to get IIS out of the way.
When attaching WinDbg to my ASP.NET MVC app and calling !ClrStack -a when an exception has occurred, I'm seeing no locals or params values. All I see is <NO DATA> appear.
Why is this happening? What settings in my project can I check?
I appreciate I can see the objects in question via a !dso call and finding the objects I'm interested in in the output, but that's not a good solution for me, since I need to know exactly the objects being passed into a specific function - I don't want to spend ages picking each object address and doing a !do on them.
The app is built in DEBUG mode. When viewing a stack, all the methods and types appear in the output, so I'm assuming there is no issue with symbols, though I'm willing to try any commands necessary to re-sync or update the symbols if required.
The CPU architecture is ANY CPU and we are running Windows Server 2008 R2 64-bit.
I tried using SOSEX's !mk !mframe and !mdv commands, to list param and locals, but they show <UNAVAILABLE>.
EDIT:
Here is an example of the type of output I'm seeing:
Why does this happen?
This happens for code optimized by the JIT compiler (your case) or release builds (by the compiler).
What settings in my project can I check?
Always check the symbol path and add Microsoft symbols if not done yet.
.symfix c:\debug\symbols
.reload
Next, check if WinDbg can find the symbols of your application using lm. It should show "private pdb symbols". If not, run
.sympath+ <path to your PDBs>
Other than that, SOSEX makes your life easier. Try the following:
!mk; *** Managed stack
!mframe <frame>; *** Switch to frame
!mdv; *** Dump values - This will at least give you the type
!mdv <frame>; *** Same as before but include !mframe
!mdso; *** Similar to !dso
It's a Delphi XE2 app. Pretty simple. Just calls CreateOleObject('Outlook.Application') and assigns the result to a Variant.
If the program is run as administrator it fails with "Server execution failed", but it works fine and I can get the version number back if I run as the logged in user (without elevated permissions).
Why is this? What is it about running as administrator that stops it from creating the object?
This error is due to a mismatch between the security contexts. Outlook is a singleton, so CreateOleObject will connect to the running instance of Outlook if it is available. The COM system refuses to marshal calls between processes with different security contexts.
Either make sure Outlook is not running when calling CreateOleObject or make sure both processes run in the same security context.
You can also switch to Extended MAPI (which is a set of dlls loaded in-proc) used directly or through a wrapper (such as Redemption (I am its author) - its RDO family of objects roughly corresponds to the Namespace object in the Outlook Object Model.).
I created an application to watch my other applications and it runs perfectly while I'm debugging a console or VCL application.
When I try to watch a service application it gives me some problems; I noticed that I get "Access denied" when I try to "OpenProcess(PROCESS_QUERY_INFORMATION, False, PID);".
But if I open my watcher from the Delphi IDE I don't have this problem.
Does anyone know what it can be?
My intention is to open the process to get its GetProcessTimes, to check how much memory it's consuming.
I know that procexp.exe from SysInternals can do it without problems; does anyone know how they do it?
Thanks in advance.
Note: on my machine I disabled UAC and I executed the watcher as administrator.
New information:
I found that to access a service as I do with other kinds of application I must use OpenService. Now I can access it without problems; now I'll search for a command similar to GetProcessTimes for it.
Resolved: I continue using OpenProcess but I used PROCESS_QUERY_LIMITED_INFORMATION (0x1000) to access it. The problem was just permissions; using this I can access the process and use GetProcessTimes to get what I needed.
Thanks all.
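The resolved approach above as an added Delphi example (not the poster's code): it opens the target with the least-privileged right that GetProcessTimes accepts, which the thread found granted on a service where PROCESS_QUERY_INFORMATION was denied, and converts the returned FILETIME values to milliseconds. The function names are assumptions; the constant is declared locally because older Windows.pas versions lack it.

```delphi
uses
  Windows, SysUtils;

const
  // Vista and later; not declared in older Windows.pas versions
  PROCESS_QUERY_LIMITED_INFORMATION = $1000;

// FILETIME counts 100 ns intervals; convert to milliseconds
function FileTimeToMs(const FT: TFileTime): UInt64;
begin
  Result := ((UInt64(FT.dwHighDateTime) shl 32) or FT.dwLowDateTime) div 10000;
end;

// Returns the kernel and user CPU time consumed so far by process PID.
// PROCESS_QUERY_LIMITED_INFORMATION is enough for GetProcessTimes and is the
// narrowest right to request: a watcher has no business holding anything more.
function GetProcessCpuMs(PID: DWORD; out KernelMs, UserMs: UInt64): Boolean;
var
  Proc: THandle;
  Creation, ExitT, Kernel, User: TFileTime;
begin
  Result := False;
  KernelMs := 0;
  UserMs := 0;
  Proc := OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, PID);
  if Proc = 0 then
    Exit;  // GetLastError explains why; 5 = ERROR_ACCESS_DENIED
  try
    Result := GetProcessTimes(Proc, Creation, ExitT, Kernel, User);
    if Result then
    begin
      KernelMs := FileTimeToMs(Kernel);
      UserMs := FileTimeToMs(User);
    end;
  finally
    CloseHandle(Proc);
  end;
end;
```

Sampling KernelMs + UserMs twice a known interval apart gives the process's CPU usage over that interval; memory figures need a separate query and are not part of GetProcessTimes.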
Is it possible to open a text file and read the contents while another application is updating the file, in such a way that it does not cause a lock conflict?
I need to monitor a log file from one application which is updated by another application each time an event occurs.
I do check if the file is in use before I try to read it, but that does not seem to work in all cases.
Thanks, Pieter
It depends on how the first app opened that file.
I.e. when calling the CreateFile API to open a file, there is a dwShareMode param which tells the API how to open it (if this was given 0, it can't be accessed from other applications IIRC).
Otherwise there should be no problem with reading from that file.
If I'm not mistaken, to check if that file is being opened read-only you can call something like
CreateFile(pchar(fName), GENERIC_READ or GENERIC_WRITE, 0, nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0) ;
Download Process Monitor from Sysinternals.
Open the filter dialog and add a "path" filter for your log file.
Start the log-writing application (I'll call this "logwriter").
Look for and click on the event where logwriter does a CreateFile.
Under "Detail", it should have "Desired Access: Generic Write". And it should have "ShareMode: Read", which corresponds to FILE_SHARE_READ in the call to CreateFile. What it means is, "I, logwriter, permit others to read my file".
Now run your log-reading application ("logreader"), and do the same exercise.
The Detail should have "Desired Access: Generic Read". And it should have "ShareMode: Read, Write", which means, "I, logreader, permit others, including logwriter, to read and write to the log file".
Those are the most sensible values, I think, and they will prevent locking. Other combinations may be permissible. There is a table here.
Now, you haven't said what happens when it "does not seem to work in all cases". What to do next will really depend on the details. Hopefully the above will give you enough information to work out what is going wrong.
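A reader that follows the Process Monitor pattern described above (Generic Read, sharing read and write), as an added Delphi example that is not code from the question or any answer: it re-opens the log on every poll, reads only the bytes appended since the last call, and backs off instead of failing when the writer holds the file exclusively. The function name and the sample path are assumptions.

```delphi
uses
  Windows, SysUtils;

// Returns the bytes appended to the log at Path since Offset and advances Offset.
// Returns '' when nothing is new or when the writer currently holds the file
// exclusively (share mode 0); the caller simply polls again later.
function ReadNewLogBytes(const Path: string; var Offset: Int64): AnsiString;
var
  H: THandle;
  Size: Int64;
  Got: DWORD;
begin
  Result := '';
  // GENERIC_READ with share read+write+delete is the "Desired Access: Generic Read,
  // ShareMode: Read, Write" pattern seen in the Process Monitor trace above: the
  // reader never blocks the writer, and the writer may rotate the file under us.
  H := CreateFile(PChar(Path), GENERIC_READ,
    FILE_SHARE_READ or FILE_SHARE_WRITE or FILE_SHARE_DELETE, nil,
    OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
  if H = INVALID_HANDLE_VALUE then
  begin
    if GetLastError = ERROR_SHARING_VIOLATION then
      Exit;                             // writer opened it with share mode 0
    RaiseLastOSError;
  end;
  try
    Size := FileSeek(H, Int64(0), 2);   // origin 2 = end of file
    if Size < Offset then
      Offset := 0;                      // truncated or rotated: start from the top
    if Size = Offset then
      Exit;                             // nothing new
    SetLength(Result, Size - Offset);
    FileSeek(H, Offset, 0);             // origin 0 = beginning of file
    if not ReadFile(H, Result[1], Length(Result), Got, nil) then
      RaiseLastOSError;
    SetLength(Result, Got);             // writer may still be mid-append
    Inc(Offset, Got);
  finally
    CloseHandle(H);
  end;
end;

// Polling loop, e.g. from a timer: Offset starts at 0 and persists between calls.
//   Chunk := ReadNewLogBytes('C:\logs\app.log', Offset);  // path is a placeholder
//   if Chunk <> '' then Memo1.Lines.Text := Memo1.Lines.Text + string(Chunk);
```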
You won't get a lock conflict because the writing application is very unlikely to have locked the file. Doing what you suggest generally works without problems (it's what the UNIX tail -f command does) and those minor glitches that do occur can be ignored. I've written a couple of log monitoring apps in the past that worked like this, with no problems.
Try using FileSystemWatcher to get events when a file is updated.
A more Delphi-friendly link
Quite apart from getting the file sharing to work right which may be impossible depending on what the other program requests, some programs will close the file between accesses.
I have had success in the past with my program waiting for the file to become available, then quickly opening it, grabbing the needed data and closing it. At least in DOS an attempt to access a locked file caused a few retries, and I bumped up this setting, so that if the other program tried for the file while I had it they would simply be delayed and never see an error.
I was even able to update the file (I made sure NOT to close it in between!) without the other program ever knowing a thing.
Ugly as sin but we couldn't change the other program so it was the only way to get the job done. It was deployed in-house for years, I never heard a peep from the users of that system. It finally went away when the machinery the other program controlled was retired.
XpoLog will do the trick without changing your env or code, XpoLog log monitor
Avar is right - you are at the mercy of the writing program here. If they are locking the file, then there are a couple of things you can do:
1 - Check for a change in the "last modified" date time - if that changes, then you know something has happened.
2 - If the mod datetime did change, then (depending on the size of the file) it might be good enough to create a copy of the file and check that.
We use "Tail for win32";
I know it's not Delphi but it might be useful:
http://tailforwin32.sourceforge.net/