
silence some compiler warnings

taviso committed Jun 17, 2019
1 parent 20be6d3 commit 8a433e3f3afb570eed27256131d7f79b4ea0c46d
Showing with 77 additions and 46 deletions.
  1. +1 −0 .gitignore
  2. +1 −0 .zipignore
  3. +1 −1 GNUmakefile
  4. +29 −21 command.c
  5. +22 −15 ctftool.c
  6. +5 −0 ctftool.h
  7. +4 −2 marshal.c
  8. +1 −1 messages.c
  9. +3 −1 module.c
  10. +2 −1 payload.c
  11. +8 −4 winutil.c
@@ -18,6 +18,7 @@
*.ipdb
*.iobj
*.log
*.tmp
archive
.vscode
.ctfhistory
@@ -26,3 +26,4 @@
*/*.zip
*/*.exe
*/*.dll
*/*.tmp
@@ -69,7 +69,7 @@ ctftool.exe: command.obj ctftool.obj winmsg.obj marshal.obj \
| edit.lib peparse.lib

clean:
rm -rf *.exp *.exe *.obj *.pdb *.ilk *.xml build-*.* *.res *.ipdb *.iobj *.dll
rm -rf *.exp *.exe *.obj *.pdb *.ilk *.xml build-*.* *.res *.ipdb *.iobj *.dll *.tmp

# These are slow to rebuild and I dont change them often.
distclean: clean
@@ -31,7 +31,7 @@
#include "winutil.h"
#include "command.h"

#pragma warning(disable: 4090)
#pragma warning(disable: 4090 6387 28159 28278)

UINT64 DefaultThread;
UINT64 DefaultStub;
@@ -235,15 +235,16 @@ ULONG RunHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)
GetExitCodeProcess(ProcessInfo.hProcess, &ReturnCode);
CloseHandle(ProcessInfo.hProcess);
CloseHandle(ProcessInfo.hThread);

// Make result available as a variable.
LastCommandResult = ReturnCode;
} else {
LogMessage(stderr, "Failed to create process %s.", CommandLine);
}

// Restore Redirection.
Wow64RevertWow64FsRedirection(OldValue);

LastCommandResult = ReturnCode;

return 1;
}

@@ -498,9 +499,11 @@ ULONG ScanHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)

if (Message.Result == 0) {
PCHAR ImageName;
ULONG ClientFlags = Message.Params[0];
ULONG Flags;
HANDLE Process;

Flags = Message.Params[0];

// Ask what their HWND is.
Message.Message = MSG_GETTHREADHWND;
Message.SrcThreadId = ClientThreadId;
@@ -522,15 +525,18 @@ ULONG ScanHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)
LogMessage(stdout, "Client %u, Tid %4u (Flags %#04x, Hwnd %p, Pid %u, %s)",
Count++,
ThreadData.th32ThreadID,
ClientFlags,
Flags,
ClientWindow,
ThreadData.th32OwnerProcessID,
ImageName);
}
} while(Thread32Next(SnapshotHandle, &ThreadData));

cleanup:
CloseHandle(SnapshotHandle);
if (SnapshotHandle != INVALID_HANDLE_VALUE) {
#pragma warning(suppress: 6387)
CloseHandle(SnapshotHandle);
}
return 1;
}

@@ -544,7 +550,7 @@ ULONG ForgetHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)
ULONG CreateStubHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)
{
PCTF_MARSHAL_PARAM CreateParams;
WCHAR WideParameter[128];
WCHAR WideParameter[128] = {0};
PKNOWN_INTERFACE ClassName;
ULONG CreateParamCount = 4;
HRESULT Result;
@@ -560,9 +566,9 @@ ULONG CreateStubHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)
ThreadId = ThreadId ? ThreadId : DefaultThread;

// First see if user specified a GUID.
// This doesnt work for some reason
_snwprintf(WideParameter, _countof(WideParameter), L"{%hs}", Parameters[2]);
_snwprintf(WideParameter, _countof(WideParameter) - 1, L"{%hs}", Parameters[2]);

#pragma warning(suppress: 6053)
if (CLSIDFromString(WideParameter, &ParsedClass) == 0) {
LogMessage(stdout, "parsed '%s' as a GUID", Parameters[2]);
Interface = &ParsedClass;
@@ -804,14 +810,16 @@ ULONG SetArgHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)
case MARSHAL_TYPE_DATA: {
static GUID ParsedGuid;
static BYTE HexBuf[MAX_BUF];
WCHAR WideParameter[512];
WCHAR WideParameter[512] = {0};
CHAR CurrentChar[3] = {0};
PCHAR ByteString = Parameters[ParamCount - 1];
ULONG ParamLength = strlen(ByteString);

// First we try to parse it as a GUID, a very common case in CTF.
// The format is 00000000-0000-0000-0000-000000000000
_snwprintf(WideParameter, _countof(WideParameter), L"{%hs}", ByteString);
_snwprintf(WideParameter, _countof(WideParameter) - 1, L"{%hs}", ByteString);

#pragma warning(suppress: 6053)
if (CLSIDFromString(WideParameter, &ParsedGuid) == 0) {
Value = &ParsedGuid;
Size = sizeof ParsedGuid;
@@ -850,6 +858,7 @@ ULONG SetArgHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)
for (Size = 0; *ByteString;) {
CurrentChar[0] = *ByteString++;
CurrentChar[1] = *ByteString++;
#pragma warning(suppress: 6328)
if (sscanf(CurrentChar, "%hhx", &HexBuf[Size++]) != 1) {
LogMessage(stderr, "Parsing hex string but failed, I stopped at %s", CurrentChar);
return 1;
@@ -951,7 +960,7 @@ ULONG PatchHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)
UINT64 Adjust;
UINT64 Value;

Shift = Adjust = 0;
Width = Index = Offset = Value = Shift = Adjust = 0;

switch (ParamCount) {
case 6: Shift = DecodeIntegerParameter(Parameters[5]);
@@ -1086,8 +1095,8 @@ ULONG HijackHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)

if ((ConnectMessage.Header.u2.s2.Type & 0xFF) == LPC_CONNECTION_REQUEST) {
PCHAR ImageName = QueryImageName(ConnectMessage.ProcessId);
LogMessage(stderr, "\tProcessID: %d, %s", ConnectMessage.ProcessId, ImageName);
LogMessage(stderr, "\tThreadId: %d", ConnectMessage.ThreadId);
LogMessage(stderr, "\tProcessID: %u, %s", ConnectMessage.ProcessId, ImageName);
LogMessage(stderr, "\tThreadId: %u", ConnectMessage.ThreadId);
LogMessage(stderr, "\tWindowID: %p", ConnectMessage.WindowId);
free(ImageName);
}
@@ -1297,7 +1306,7 @@ ULONG SymbolHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)
}

if (GetSymbolInfo64(ModulePath, Symbol, &Is64, &ImageBase, &Address)) {
LogMessage(stdout, "%s is a %ubit module.", ModulePath, Is64 ? 64 : 32);
LogMessage(stdout, "%s is a %dbit module.", ModulePath, Is64 ? 64 : 32);
LogMessage(stdout, "%s!%s@%#llx+%#llx", Module, Symbol, ImageBase, Address - ImageBase);

LastSymbolOffset = Address - ImageBase;
@@ -1422,6 +1431,7 @@ ULONG CallHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)
// Note that there is no fourth parameter in the protocol, but
// there is slack space in the structure because one of the union
// members is a pointer.
#pragma warning(suppress: 6201 6386)
Message.Params[3] = DecodeIntegerParameter(Parameters[5]);
}
case 5: Message.Params[2] = DecodeIntegerParameter(Parameters[4]);
@@ -1435,11 +1445,10 @@ ULONG CallHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)
}

LogMessage(stdout, "Message: %#x", Message.Message);
LogMessage(stdout, "Parameters In [ %08x %08X %08X (+%08X)]",
LogMessage(stdout, "Parameters In [ %08x %08X %08X ]",
Message.Params[0],
Message.Params[1],
Message.Params[2],
Message.Params[3]);
Message.Params[2]);

Result = SendReceivePortMessage(PortHandle,
&Message.Header,
@@ -1452,11 +1461,10 @@ ULONG CallHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)
}

LogMessage(stdout, "Result: %#x", Message.Result);
LogMessage(stdout, "Parameters Out: [ %08x %08X %08X +(%08X)]",
LogMessage(stdout, "Parameters Out: [ %08x %08X %08X ]",
Message.Params[0],
Message.Params[1],
Message.Params[2],
Message.Params[3]);
Message.Params[2]);

hexdump(&Message, sizeof Message);
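Review bot: The `#pragma warning(suppress: 6201 6386)` added in the CallHandler hunk silences an out-of-bounds write instead of removing it: if `Params` has three elements, as the comment about "slack space in the structure" implies, `Message.Params[3] = DecodeIntegerParameter(Parameters[5]);` writes past the array, which is undefined behaviour in C however much padding the union happens to leave after it. The two later hunks in the same function drop `Message.Params[3]` from the "Parameters In/Out" log lines, so the slot is now written but never shown, which makes the intent harder to audit; either give the struct a fourth element or a named union member and write to that, or delete the assignment and the case that feeds it. Separately, the file-wide `#pragma warning(disable: 4090 6387 28159 28278)` at the top of command.c makes the per-site `#pragma warning(suppress: 6387)` added at ScanHandler's cleanup label dead, and it switches off the null-handle analysis for every other call in the file; the per-site form is the one to keep. CallHandler's body starts and ends outside these hunks.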

@@ -21,7 +21,7 @@
#include "messages.h"
#include "command.h"

#pragma warning(disable : 4090)
#pragma warning(disable : 4090 6011)

FARPROC AlpcInitializeMessageAttribute;
FARPROC AlpcGetMessageAttribute;
@@ -35,6 +35,9 @@ BOOL InitializeAlpcRoutines()
if (NtDll == NULL)
return FALSE;

if (Shell32 == NULL)
return FALSE;

AlpcInitializeMessageAttribute = GetProcAddress(NtDll, "AlpcInitializeMessageAttribute");
AlpcGetMessageAttribute = GetProcAddress(NtDll, "AlpcGetMessageAttribute");
AlpcGetMessageAttribute = GetProcAddress(NtDll, "AlpcGetMessageAttribute");
@@ -75,7 +78,7 @@ HANDLE OpenAlpcPort(PWCHAR AlpcPortName, PPORT_MESSAGE ConnectMessage, SIZE_T Me
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING PortName;
ALPC_PORT_ATTRIBUTES PortAttributes;
HANDLE PortHandle = INVALID_HANDLE_VALUE;
HANDLE AlpcHandle = INVALID_HANDLE_VALUE;
ULONG BufferLength = 64;
NTSTATUS Result;

@@ -90,7 +93,7 @@ HANDLE OpenAlpcPort(PWCHAR AlpcPortName, PPORT_MESSAGE ConnectMessage, SIZE_T Me
PortAttributes.MaxMessageLength = 512;
PortAttributes.DupObjectTypes = 0x88000000;

Result = NtAlpcConnectPort(&PortHandle,
Result = NtAlpcConnectPort(&AlpcHandle,
&PortName,
&ObjectAttributes,
&PortAttributes,
@@ -106,10 +109,10 @@ HANDLE OpenAlpcPort(PWCHAR AlpcPortName, PPORT_MESSAGE ConnectMessage, SIZE_T Me
LogMessage(stdout, "NtAlpcConnectPort(\"%S\") => %#x", AlpcPortName, Result);
}

return PortHandle;
return AlpcHandle;
}

NTSTATUS SendReceiveMarshalData(HANDLE PortHandle,
NTSTATUS SendReceiveMarshalData(HANDLE AlpcHandle,
ULONG TypeFlags,
PCTF_MARSHAL_PARAM Params,
ULONG ParamCount,
@@ -127,7 +130,7 @@ NTSTATUS SendReceiveMarshalData(HANDLE PortHandle,

// Append marshal parameters.
memcpy(&SendReceiveBuffer[1], Params, GetParamsSize(Params, ParamCount));

// Configure Message.
SendReceiveBuffer->Message = TypeFlags;
SendReceiveBuffer->SrcThreadId = ClientThreadId;
@@ -137,12 +140,12 @@ NTSTATUS SendReceiveMarshalData(HANDLE PortHandle,
SendReceiveBuffer->ulDataLength = GetParamsSize(Params, ParamCount);

// Send the data.
Result = SendReceivePortMessage(PortHandle,
Result = SendReceivePortMessage(AlpcHandle,
&SendReceiveBuffer->Header,
BufferLength,
NULL);

// Check if the send worked.
// Check if the send worked.
if (Result != 0) {
goto cleanup;
}
@@ -167,7 +170,7 @@ UINT64 ProxyExtra1;
UINT64 ProxyExtra2;
UINT64 ProxyExtra3;

NTSTATUS SendReceiveProxyData(HANDLE PortHandle,
NTSTATUS SendReceiveProxyData(HANDLE AlpcHandle,
ULONG TypeFlags,
PCTF_MARSHAL_PARAM Params,
ULONG ParamCount,
@@ -207,7 +210,7 @@ NTSTATUS SendReceiveProxyData(HANDLE PortHandle,
for (int i = 0; i < ParamCount; i++) {
ParamPtr[i].Start += sizeof(CTF_PROXY_SIGNATURE);
}

// Configure Message.
SendReceiveBuffer->Message = TypeFlags;
SendReceiveBuffer->SrcThreadId = ClientThreadId;
@@ -218,7 +221,7 @@ NTSTATUS SendReceiveProxyData(HANDLE PortHandle,
SendReceiveBuffer->ulNumParams = ParamCount;

// Send the data.
Result = SendReceivePortMessage(PortHandle,
Result = SendReceivePortMessage(AlpcHandle,
&SendReceiveBuffer->Header,
BufferLength,
NULL);
@@ -243,7 +246,7 @@ NTSTATUS SendReceiveProxyData(HANDLE PortHandle,
return Result;
}

NTSTATUS SendReceivePortMessage(HANDLE PortHandle,
NTSTATUS SendReceivePortMessage(HANDLE AlpcHandle,
PPORT_MESSAGE PortMessage,
ULONG BufferLength,
PLARGE_INTEGER Timeout)
@@ -252,7 +255,9 @@ NTSTATUS SendReceivePortMessage(HANDLE PortHandle,
ULONG MessageAttributeSize;
PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes = NULL;

if (AlpcInitializeMessageAttribute(0x60000000, NULL, 0, &MessageAttributeSize) != STATUS_BUFFER_TOO_SMALL) {
Result = AlpcInitializeMessageAttribute(0x60000000, NULL, 0, &MessageAttributeSize);

if (Result != STATUS_BUFFER_TOO_SMALL) {
LogMessage(stderr, "unexpected result from AlpcInitializeMessageAttribute()");
goto cleanup;
}
@@ -271,7 +276,7 @@ NTSTATUS SendReceivePortMessage(HANDLE PortHandle,

InitializeMessageHeader(PortMessage, BufferLength, 0);

Result = NtAlpcSendWaitReceivePort(PortHandle,
Result = NtAlpcSendWaitReceivePort(AlpcHandle,
ALPC_MSGFLG_SYNC_REQUEST,
PortMessage,
NULL,
@@ -295,7 +300,9 @@ int main(int argc, char **argv)

MessageThread = CreateThread(NULL, 0, MessageHandlerThread, NULL, 0, NULL);

ClientThreadId = GetThreadId(MessageThread);
if (MessageThread) {
ClientThreadId = GetThreadId(MessageThread);
}

LogMessage(stdout, "An interactive ctf exploration tool by @taviso.");
LogMessage(stdout, "Type \"help\" for available commands.");
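Review bot: The new `if (MessageThread)` guard in main() turns a CreateThread() failure into a silent one: ClientThreadId keeps whatever value it had, the banner is printed and the tool carries on, yet ClientThreadId is the value SendReceiveMarshalData and SendReceiveProxyData stamp into `SrcThreadId` on every message they send, so later commands would reach the port with a bogus source thread. Report and stop instead, e.g. `if (MessageThread == NULL) { LogMessage(stderr, "CreateThread() failed, %#x", GetLastError()); return 1; }` followed by the unconditional `ClientThreadId = GetThreadId(MessageThread);`. Two smaller points in the same file: `#pragma warning(disable : 4090 6011)` switches off the null-dereference check for the whole translation unit where a per-site suppress would keep it live, and the two identical `AlpcGetMessageAttribute = GetProcAddress(NtDll, "AlpcGetMessageAttribute");` lines closing the InitializeAlpcRoutines hunk look like a copy-paste slip unless the page rendering duplicated them. main() continues outside the hunk.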
@@ -14,6 +14,11 @@ NTSTATUS SendReceiveProxyData(HANDLE PortHandle,
PCTF_MARSHAL_COMSTUB Stub,
DWORD FunctionIndex,
DWORD DestinationThread);
NTSTATUS SendReceiveMarshalData(HANDLE PortHandle,
ULONG TypeFlags,
PCTF_MARSHAL_PARAM Params,
ULONG ParamCount,
DWORD DestinationThread);

HANDLE OpenAlpcPort(PWCHAR AlpcPortName, PPORT_MESSAGE ConnectMessage, SIZE_T MessageSize);
BOOL InitializeAlpcRoutines();
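Review bot: The new prototype names its first parameter `PortHandle` while the definition in ctftool.c, renamed in this same commit, calls it `AlpcHandle`; the compiler does not mind, but the rename was presumably made so the parameter no longer shadows a file-scope `PortHandle`, and keeping the header in step spares readers the same confusion: `NTSTATUS SendReceiveMarshalData(HANDLE AlpcHandle,`. The SendReceiveProxyData prototype just above it has the same mismatch with its renamed definition. `BOOL InitializeAlpcRoutines();` is a context line, but with empty parentheses it is not a prototype in C; `BOOL InitializeAlpcRoutines(void);` would make the compiler check its call sites.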
@@ -19,6 +19,8 @@
#include "ctftool.h"
#include "util.h"

#pragma warning(disable: 6031 6308 28182)

// Calculate size for malloc of the existing params.
SIZE_T GetParamsSize(PCTF_MARSHAL_PARAM Base, ULONG Count)
{
@@ -56,7 +58,7 @@ void MarshalParamsDumpData(PCTF_MARSHAL_PARAM Base, ULONG Index)

// Well, I'll parse it for you if it's a GUID.
if (Base[Index].Size == sizeof(GUID)) {
StringFromGUID2(GuidData, GuidString, sizeof GuidString);
StringFromGUID2(GuidData, GuidString, _countof(GuidString));
LogMessage(stdout, "Possibly a GUID, %S", GuidString);
}

@@ -71,7 +73,7 @@ void MarshalParamsDumpData(PCTF_MARSHAL_PARAM Base, ULONG Index)
// This is a marshalled comstub
assert(Base[Index].Size == sizeof(CTF_MARSHAL_COMSTUB));

StringFromGUID2(&Stub->Interface, Interface, sizeof Interface);
StringFromGUID2(&Stub->Interface, Interface, _countof(Interface));

LogMessage(stdout, "Marshalled Value %u, COM %S, ID %u, Timestamp %#x",
Index,
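Review bot: `#pragma warning(disable: 6031 6308 28182)` at the top of marshal.c disables, for the whole file, the three analyzer checks most likely to catch real memory defects in marshalling code: an ignored return value (6031), the `p = realloc(p, n)` pattern that leaks the original block when realloc fails (6308), and a NULL dereference (28182). Where a diagnostic is a false positive, a per-site `#pragma warning(suppress: …)` keeps the check live for the rest of the file; where it is not, and in particular for any realloc whose result is assigned straight back, the fix is `void *tmp = realloc(p, n); if (tmp == NULL) { /* handle failure, p still valid */ } p = tmp;` rather than silencing the tool. The realloc and the ignored calls themselves are outside this hunk, so I cannot say which case applies here.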
@@ -42,7 +42,7 @@ DWORD WINAPI MessageHandlerThread(PVOID Parameter)
" wParam: %#x\n"
" lParam: %#x\n"
" time: %#x\n"
" pt: %lu %lu\n",
" pt: %ld %ld\n",
LastMsg.hwnd,
LastMsg.wParam,
LastMsg.lParam,
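Review bot: The `" pt: %ld %ld\n"` fix is right (POINT holds two LONGs), but the `" wParam: %#x\n"` and `" lParam: %#x\n"` lines just above it have the same kind of mismatch on a 64-bit build, where WPARAM and LPARAM are pointer-sized: `%#x` with a 64-bit argument is undefined behaviour and in practice drops the upper half of the value. `%#Ix` (MSVC's pointer-sized length modifier), or a cast to `unsigned long long` printed with `%#llx`, covers both; the `hwnd` conversion deserves the same look if it is not already `%p`. The start of the format string and the rest of MessageHandlerThread are outside the hunk.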
