Cannot get to run.

[MichaelKoopa]

I got it to build but whenever I run it, the window that is supposed to spawn inside of taskmanager never spawns all I get is the injector window and after pressing any key nothing happens.
I first thought it was my windows version as my main install is 19042 but running it in a vm on 19041 it still does not run. I have not tried it on 18363 but seeing as it doesnt work on 19041 I don't think it's the windows version breaking it. If you need any more info let me know.

[turtiustrek]

try placing the injector and the dll in your root folder(C:\) as i can see yo mama has spaces.

[MichaelKoopa]

It still does not spawn the window inside of taskmanager. Also here is winver just to make sure I'm not wasting time.

[turtiustrek]

ah, thanks for that. just noticed the 19041.264. This version is not supported but the console should still spawn..
This is worth taking a look into.
These are the supported versions:

10.0.19041.844
10.0.19041.746
10.0.18362.1316
Also, if you can then please attach your compiled dll's (sounds strange but this is the only i can confirm this)

[MichaelKoopa]

Injector.exe
[please compile the source instead]
dllmain.dll
[please compile the source instead]
also how would I find those specific versions?

[turtiustrek]

I tried your DLL and can confirm, the console does not spawn even though the final binary is 64-bit. strange.
if you don't mind trying out random binaries on the internet, here is the freshly compiled binary

[please compile the source instead]

For reference this the g++ version I am using

g++ --version
g++ (x86_64-posix-seh-rev0, Built by MinGW-W64 project) 8.1.0
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

[MichaelKoopa]

The verison of g++ is the exact verison that I am using.

The newly compiled version you attached did not spawn a window in task manager although I still have not gotten the exact version of windows that is supported.
Edit: I moved it to the root (because of the space) and that did not help.

[turtiustrek]

The newly compiled version you attached did not spawn a window in task manager although I still have not gotten the exact version of windows that is supported.

Yes, but even if the version is wrong, the console should still spawn regardless of the version and complain about it in the console.
I'm currently on

Task manager version:

also how would I find those specific versions?

I'm not sure if Microsoft allows downloading specific versions of windows.

[MichaelKoopa]

This is my task manager version:

[turtiustrek]

The only thing i can say is use an external injector like https://processhacker.sourceforge.io (run as admin)
and try it from there. if the console spawns then it should complain about the version and that can be addressed later.

[MichaelKoopa]

Okay doing it with process hacker does not work, I also tried using extreme injector and that does not work either.

relized the frames folder was missing fixed that

[turtiustrek]

try injecting it into Notepad.exe and see if it even spawns a console. Console spawning is not task manager dependent.
That's all i got honestly, i'm not sure why the console is not even spawning.

[MichaelKoopa]

Injecting into notepad also does not work.

[trigger337]

I have the same issue on

using pre-compiled injector and library (I can't setup mingw cuz i'm stupid)

[turtiustrek]

Hmm, seems like multiple versions of windows 10 are having this issue (could be because mingw-64 is not placing the functions in the right section for these versions or LoadLibrary with mingw is messed up ). Either way i have no idea about this problem but ill look into with these versions.

[lybchikfreed]

same issue on my system

[turtiustrek]

That's not 19041 but 19042. this does not support 19042

[ii64]

Could you provide how you find the function:
UpdateData, GetBlockWidth, IsServer, GetBlockColors, SetBlockData, SetRefreshRate

On my side, the program cannot found: UpdateData, GetBlockWidth

So people can find pattern for functions in case of windows/taskmgr version compatibility

Update

Just use decompiler and Taskmgr.pdb you'll got result like this, hopefully it's works

[turtiustrek]

Could you provide how you find the function:

Absolutely!

To make comparison easier, you can use this tool to download different task manager versions and compare them with the entries in pattern.hpp file.
The contents in the pattern.hpp file contains the first 40 bytes of the routine. Luckily since the PDB is available, you can look up the functions in IDA (from the comments of LookupPatternTable struct). Then simply copy over the first forty bytes of the function. You can simply append the new set of stubs in without worrying about the adjusting the size of the table and make sure to provide the version string.

[ii64]

Absolutely!

Thanks, i am using original taskmgr it's running but nothing happend

[turtiustrek]

It seems like the handler returned from UpdateDataHook did not populate.
Did you switch over to the performance tab before the DLL was loaded? if so then try again and let the DLL show the 'Waiting for handler to populate' message and then switch over to the performance tab.

[ii64]

Alright after i continue debugging, I got that UpdateDataHook is not even got called. (i tried wait for handler to populate, same result)

Find pattern for UpdateData got 0x7ff631e48d64
And offset function 0xA8164
So this looks correct right?
0x7ff631da0000 + 0xA8164 = 0x7ff631e48164 (hooked)

Base address 0x7ff631da0000
DLL address 0x656016c3
Process Version: 10.0.17763.1697
Table task manager version:10.0.17763.1697
Finding UpdateData function... 0x7ff631e48d64 Done
Finding GetBlockWidth function... 0x7ff631e48448 Done
Finding IsServer function... 0x7ff631dd2c30 Done
Finding GetBlockColors function... 0x7ff631e482e8 Done
Finding SetBlockData function... 0x7ff631e48c40 Done
Finding SetRefreshRate function... 0x7ff631dd4e7c Done

Anyway, if GlobalSettings already retrieved from IsServer function, and *cpu_count already changed to fake one
Shouldn't it updated?

[turtiustrek]

So this looks correct right?

Yes that looks correct.

Anyway, if GlobalSettings already retrieved from IsServer function, and *cpu_count already changed to fake one
Shouldn't it updated?

On some versions this does not update since there is another struct which for the viewable placeholders(10.0.19041.746). A better way to check the hooks would be trigger the SetRefreshRate function. to do that head to the Performance tab and set the update speed to High by navigating to View>Update speed in task manager.

[ii64]

Okay, View>Update speed triggers SetRefreshRate, unfortunately CPU count still the same, i noticed the update become faster (because SetRefreshRate)

[turtiustrek]

i feared this would happen. GLOBAL_SETTINGS_CPU_OFFSET may in fact be incorrect or this version does not properly show the change. The callee of the function UpdateData references this GLOBAL_SETTINGS_CPU_OFFSET. Also it'll help if you can kindly share the stubs you found(pattern.hpp attached or something).

[ii64]

I attached dll source code, and Taskmgr executable binary + IDA db
10.0.17763.1697.zip

[turtiustrek]

Awesome thanks, will check that out soon.

[turtiustrek]

@ii64 can you try this gist?
https://gist.github.com/turtiustrek/e737a9b4155004f9a1c4187bfc25725f
Only the GLOBAL_SETTINGS_CPU_OFFSET has been changed iirc

[ii64]

Hi, just tested the gist code, it doesn't change anything except the *cpu_core value is 0 (the original GLOBAL_SETTINGS_CPU_OFFSET 0x944 giving the same amout)
UpdateDataHook still not even got called, is this the root cause why it still waiting handler to populate?

update

[turtiustrek]

UpdateDataHook still not even got called, is this the root cause why it still waiting handler to populate?

bummer, UpdateDataHook should only get called when the fake_cores count is greater then 64. This is then called when switching into the performance tab so the 'handler' should populate when this occurs.
so if you follow the init of the heatmap(AtmCpuView::LoadLogicalCpuChart), you'll see that a call is made to TmGlobalSettings::GetProcessorDetailsLogicalCount which checks the processor count. if its > 0x40 only then the heatmap init is called and the heatmap is used.

If you follow TmGlobalSettings::GetProcessorDetailsLogicalCount, it returns the value which is referenced by GLOBAL_SETTINGS_CPU_OFFSET + GlobalSettings.
So perhaps try hooking TmGlobalSettings::GetProcessorDetailsLogicalCount so that it always returns the fake_cores (no clue if it will work though).

[ii64]

Okay i did implemented the TmGlobalSettings::GetProcessorDetailsLogicalCount hook, it is called when i switch to Performace tab, it is got called, but immediately crash the TaskManager, i think there's race between this function, and *cpu_count = fakeCores, like it's accessed before the dll change it to fakeCores

[turtiustrek]

it is called when i switch to Performace tab, it is got called, but immediately crash the TaskManager

did it call the UpdateData hook at least once?

i think there's race between this function, and *cpu_count = fakeCores, like it's accessed before the dll change it to fakeCores

probably, currently it was assumed that TmGlobalSettings::GetProcessorDetailsLogicalCount only gets called when switching into the Performance tab which holds true for the supported task manager builds. It could easily be wrong for newer builds.

[ii64]

did it call the UpdateData hook at least once?

it never call UpdateData, right after entering the Performace tab, function that replaceTmGlobalSettings::GetProcessorDetailsLogicalCount (int64 GetProcessorDetailsLogicalCountHook(void *st)) called, it still execute the code inside but before exiting from the function,Task Manager freeze, and exited, could it be SIGSEGV because detour trampoline?

[turtiustrek]

I wish i'd can help you on that but supported versions use AtmCpuView::ShowLogicalHeatMap to indicate if the heatmap will load or not which is not true on your build( 17763.1697) so i cannot really replicate this.

it still execute the code inside but before exiting from the function,Task Manager freeze, and exited, could it be SIGSEGV because detour trampoline?

How did you place the hooks?

[Pikotaro]

I am having a similar issue. running version 2004 19041.1
compiled on 20h2 19042.928
I have tried injecting via Process Hacker, but the console inside taskmanager won't appear. I'll now try compiling it inside the VM.

[Pikotaro]

okay. this time it actually did something. it looks like it inject successfully, but when it says switch to performance tab taskmanager crashes

[ii64]

https://www.youtube.com/watch?v=oKQ1X_4JCn0&t=834