Blogs

The thread hijack exercise was a waste of time

A few weeks ago I wrote about hijacking threads. The principle was good, the code worked but the reason I needed it was flawed so the exercise was a failure. I assumed that it was likely to be a failure when I set out though, so it’s more a confirmation that I need to do things properly rather than hackily… The idea was to try and outsmart the Windows program loader.

IDisagree

Jeremy D. Miller talks about how he dislikes the “I” prefix on interface names and how he’d prefer to ditch it in the same way he’s ditched most other Hungarian notation. I’m all for ditching Hungarian but I actually quite like the “I” prefix; though I no longer read it as “this is an interface” but simply “this is what I do”. In other words my interfaces, called things like IManageUsers, simply and clearly state what they do; classes that implement the interface manage users; the class definition is saying “I Manage Users”!

Hijacking a thread in another process

My API hooking currently relies on creating a block of memory in the target process to hold the string that you need to pass to LoadLibraryW() and then calling CreateRemoteThread() and passing the address of LoadLibraryW() as the thread start address and the address of our block of memory as the thread parameter. It works well and even allows you to know if the operation worked, by waiting for the remote thread to terminate and then examining its exit code.

I love it when a plan comes together

Discovering and then fixing the problem that prevented my tools from running on themselves planted a seed of an idea in my mind. My APIHook library and any code that used it died horribly under leak testing tools such as Purify and BoundsChecker. I’d put it down to me trying to be too clever but not being clever enough and ignored it but it’s a pain to have code that you can’t polish.

Tools, debug thyselves

One of the first things that I tried to do with the latest release of my TickShifter tool was to run it on itself. Of course, that didn’t work. There are several reasons why the tool might have had problems running on itself but I thought I’d addressed most of them when I dealt with the issues around getting multiple copies of the tool running at the same time. The problems there were mostly around the names that I used for the named kernel objects that were required; the control program communicates with the dll that it injects so that it can control the dll’s operation and collect data.

TickShifter v0.2

As I mentioned a while back, I’ve been working on adding rudimentary GUIs to my debugging and testing tools. In fact, the deadlock detection tool and the time shifting tool are both functional enough for real world use but the command line interfaces make them harder to use than they need to be. I’m not yet 100% sure of the form that the final GUI should take, but I’ve pressed on with my initial GUI development to produce a reasonably complete GUI for the cut down, demonstration tool, TickShifter.

TickShifter v0.1

Well, I figure that I’ve written about these debug tools that I’ve been working on for long enough. The time has come to make one available for other people to use and abuse. Given that I hope to sell some of these tools eventually I’ve decided not to give away early versions at present. Much as I will need feedback I think a properly structured beta program would be better for that.

What this blog is ACTUALLY about

Given all the publicity that this blog has received recently over my relationship break-up I thought it might be a good idea to give any new visitors a jumping off point into some of the more popular technical pieces. Believe it or not, this blog isn’t all about network snooping and infidelity. More often than not it’s about C++ on Windows, Test Driven Development and my opinions and whinges about software development issues.

Comments disabled for a while

My hosting provider has changed something in their Perl installation which means that MT-Blacklist (the thing that protects this blog from comment and trackback spam) is broken and not doing its job properly. I’ve located a fix but need my hosting provider to help me apply it. Until they do I’ve disabled comments so that I don’t have too much crap to clear up once the problem is over. Sorry for any inconvenience.