c++ strcpynW to Ahk (Topic is solved)

Get help with using AutoHotkey (v1.1 and older) and its commands and hotkeys
whynotregister
Posts: 147
Joined: 05 Nov 2016, 22:42

c++ strcpynW to Ahk

22 Sep 2021, 22:31

#include <windows.h>
#include <winternl.h>
#include <stdio.h>

// Prototype of the real ntdll!LdrLoadDll; OrgLdr is filled in by the hooking library.
typedef NTSTATUS (NTAPI *PFLDRLOADDLL)(PWCHAR, ULONG *, PUNICODE_STRING, PHANDLE);
static PFLDRLOADDLL OrgLdr;

NTSTATUS NTAPI NewLdrLoadDll(
    IN PWCHAR PathToFile OPTIONAL,
    IN ULONG *Flags OPTIONAL,
    IN PUNICODE_STRING ModuleFileName,
    OUT PHANDLE ModuleHandle)
{
    WCHAR tmpPath[MAX_PATH] = L"";
    if (ModuleFileName && ModuleFileName->Buffer) {
        // UNICODE_STRING.Length is in bytes and Buffer need not be null-terminated,
        // so copy at most Length/2 characters (+1 for the terminator lstrcpynW adds).
        int chars = ModuleFileName->Length / sizeof(WCHAR) + 1;
        if (chars > MAX_PATH) chars = MAX_PATH;
        lstrcpynW(tmpPath, ModuleFileName->Buffer, chars);
    }
    printf("[#] ModuleName : %ws\n", tmpPath);
    //printf("[#] ModuleName : %wZ\n", ModuleFileName);
    return OrgLdr(NULL, Flags, ModuleFileName, ModuleHandle);
}

I'm currently practicing looking into LdrLoadDll using AHK.
So I'm trying to get ModuleFileName from among the LdrLoadDll parameters. To do this, I generally checked with StrGet(ModuleFileName,"UTF-16"),
but I couldn't do it normally, and when I looked up the above C++ code, I found that I had to use the lstrcpynW function separately.
How can I convert the red-colored line (the lstrcpynW call) in the code above to AHK?
thqby
Posts: 406
Joined: 16 Apr 2021, 11:18

Re: c++ strcpynW to Ahk

22 Sep 2021, 22:45

Code:

buffer := NumGet(ModuleFileName, buffer_offset?, "ptr")
StrGet(buffer,"UTF-16")
whynotregister
Posts: 147
Joined: 05 Nov 2016, 22:42

Re: c++ strcpynW to Ahk

22 Sep 2021, 23:27

thqby wrote:
22 Sep 2021, 22:45

Code:

buffer := NumGet(ModuleFileName, buffer_offset?, "ptr")
StrGet(buffer,"UTF-16")
Unfortunately it also doesn't return ModuleFileName.

Code:

buffer := NumGet(ModuleFileName, "ptr")
StrGet(buffer,"UTF-16")
jNizM
Posts: 3183
Joined: 30 Sep 2013, 01:33

Re: c++ strcpynW to Ahk

23 Sep 2021, 01:19

Get? IN PUNICODE_STRING ModuleFileName is an INput parameter and not an OUTput parameter.
ModuleHandle is what you get from this function (OUT PHANDLE ModuleHandle).
[AHK] v2.0.5 | [WIN] 11 Pro (Version 22H2) | [GitHub] Profile
swagfag
Posts: 6222
Joined: 11 Jan 2017, 17:59

Re: c++ strcpynW to Ahk (Topic is solved)

23 Sep 2021, 02:18

Code:

typedef struct _UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

Code:

Length := NumGet(ModuleFileName+0, "UShort")                        ; byte count, not characters
MaximumLength := NumGet(ModuleFileName+2, "UShort")
Buffer := NumGet(ModuleFileName + (A_PtrSize == 8 ? 8 : 4), "Ptr")  ; pointer is 8-byte aligned on x64
MsgBox % StrGet(Buffer, Length // 2, "UTF-16")                      ; StrGet's length is in characters
The string may or may not be null-terminated, so you can't just omit the length.
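An added example (not code from this thread) that turns the struct read above into a helper which handles both pointer sizes and the byte-to-character conversion, and exercises it on a constructed buffer that is deliberately not null-terminated; ReadUnicodeString and the sample path are this example's own names.

```autohotkey
; Added example: read a UNICODE_STRING in AHK v1 on 32-bit and 64-bit.
#NoEnv
SetBatchLines -1

ReadUnicodeString(pUS) {
    ; UNICODE_STRING layout:
    ;   USHORT Length         @0   (bytes, NOT characters; no terminator implied)
    ;   USHORT MaximumLength  @2
    ;   PWSTR  Buffer         @4 on 32-bit, @8 on 64-bit (pointer alignment)
    if (!pUS)
        return ""
    Length := NumGet(pUS + 0, "UShort")
    Buffer := NumGet(pUS + (A_PtrSize == 8 ? 8 : 4), "Ptr")
    if (!Buffer || !Length)
        return ""
    ; StrGet's length is in characters, so halve the byte count. Passing the
    ; length means a missing null terminator is never read past.
    return StrGet(Buffer, Length // 2, "UTF-16")
}

; --- constructed test data: a buffer that is deliberately NOT null-terminated ---
path := "C:\Windows\System32\sample.dll"     ; constructed sample path (assumption)
chars := StrLen(path)
VarSetCapacity(buf, chars * 2 + 2, 0)
StrPut(path, &buf, chars + 1, "UTF-16")
NumPut(0x4141, &buf, chars * 2, "UShort")    ; overwrite the terminator with junk

VarSetCapacity(us, A_PtrSize == 8 ? 16 : 8, 0)
NumPut(chars * 2, &us, 0, "UShort")          ; Length in bytes
NumPut(chars * 2, &us, 2, "UShort")          ; MaximumLength in bytes
NumPut(&buf, &us, A_PtrSize == 8 ? 8 : 4, "Ptr")

MsgBox % "Read back: " . ReadUnicodeString(&us)   ; shows the sample path, nothing extra
```

Inside a hook callback with the signature used in this thread, the same call is `ReadUnicodeString(ModuleFileName)`.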
whynotregister
Posts: 147
Joined: 05 Nov 2016, 22:42

Re: c++ strcpynW to Ahk

23 Sep 2021, 02:25

jNizM wrote:
23 Sep 2021, 01:19
Get? IN PUNICODE_STRING ModuleFileName is an INput parameter and not an OUTput parameter
ModuleHandle is what you get from this function (OUT PHANDLE ModuleHandle)

My question was a bit odd. Let me explain more clearly.
When DLL injection is performed, the LdrLoadDll function inside ntdll is called.
When the LdrLoadDll function is called, we are trying to get the name of the module to be injected.
Both LoadLibraryW and LoadLibraryExW can import successfully.
But for LdrLoadDll, I didn't get the third parameter, ModuleFileName.
When LdrLoadDll is called, we want to get the name of the module we want to inject (the third parameter, ModuleFileName).

Here is the code I am using. I used minhook.

Code:

SetBatchLines -1
NTDLLLdrLoadDll := New MinHook("ntdll.dll", "LdrLoadDll", "NTDLLLdrLoadDll_Hook")
NTDLLLdrLoadDll.Enable()

KernelBaseLoadLibraryW := New MinHook("KERNELBASE.dll", "LoadLibraryW", "KernelBaseLoadLibraryW_Hook")
KernelBaseLoadLibraryW.Enable()
Return

; Failed to get module name. (ntdll.LdrLoadDll)
; Flags is a ULONG* and ModuleHandle a PHANDLE, so both are forwarded as pointers.
NTDLLLdrLoadDll_Hook(PathToFile, Flags, ModuleFileName, ModuleHandle) {
    global NTDLLLdrLoadDll
    buffer1 := NumGet(ModuleHandle, "Ptr")    ; reads the OUT handle slot, not the file name
    str1 := StrGet(buffer1, "UTF-16")
    FileAppend, %str1%`n, c:\str1.txt
    MsgBox %str1%
    return DllCall(NTDLLLdrLoadDll.original, "Ptr", PathToFile, "Ptr", Flags, "Ptr", ModuleFileName, "Ptr", ModuleHandle)
}

; Can get module name. (KERNELBASE.LoadLibraryW)
KernelBaseLoadLibraryW_Hook(lpLibFileName) {
    global KernelBaseLoadLibraryW
    thisModule := StrGet(lpLibFileName, "UTF-16")
    FileAppend, %thisModule%`n, c:\KernelBaseLoadLibraryW.txt
    MsgBox %thisModule%
    return DllCall(KernelBaseLoadLibraryW.original, "Ptr", lpLibFileName)
}

I checked it out just in case. LdrLoadDll certainly takes ModuleFileName as a parameter when the function is called.
[Image: screenshot attached in the original post]
whynotregister
Posts: 147
Joined: 05 Nov 2016, 22:42

Re: c++ strcpynW to Ahk

23 Sep 2021, 02:41

swagfag wrote:
23 Sep 2021, 02:18

Code:

typedef struct _UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

Code:

Length := NumGet(ModuleFileName+0, "UShort")                        ; byte count, not characters
MaximumLength := NumGet(ModuleFileName+2, "UShort")
Buffer := NumGet(ModuleFileName + (A_PtrSize == 8 ? 8 : 4), "Ptr")  ; pointer is 8-byte aligned on x64
MsgBox % StrGet(Buffer, Length // 2, "UTF-16")                      ; StrGet's length is in characters
The string may or may not be null-terminated, so you can't just omit the length.
Thank you. This works perfectly. I learned a lot from your answers. Thank you. :D
Also thank you jNizM for your help.
