Bugs I Have Met, Part 1: No Sound When Playing Audio in a Generated Program on Win7

Source: Internet
Author: User

1. Background knowledge: basic C++ programming, the ability to read C/C++ projects, an understanding of the injection process, and basic secure-programming knowledge.

2. Requirements: the injecting driver and the program, plus the DLL to be injected.

3. Tools: WinDbg, a Win7 x64 virtual machine, PCHunter64.exe, procexp.exe.

4. Problem description: on Win7 x64, a program generated with our own tool is launched and opened; video and audio play without sound, where sound is expected.

5. Locating the bug. The bug-related code is in two main pieces: the driver and a DLL. The driver injects the DLL into a process when the process is created. I first tested programs generated with different options to see which options trigger the bug, and traced it to an injection function. That injection function takes a flag; with the flag removed in a test build, the problem went away. I then searched the whole solution for the places that use this macro, excluded the irrelevant ones, and ended up at the `shouldopenprocessbedenied` function, which decides whether to refuse an attempt to open a process. With logging enabled, the log showed that PID 0xXXX, C:\Windows\system32\audiodg.exe, failed to open pid:0xxxx, C:\Program Files (x86)\Internet Explorer\iexplorer.exe, with requested access 0x00000040, which corresponds to PROCESS_DUP_HANDLE. Now the reason is clear: iexplorer.exe runs inside the protected desktop, and audiodg.exe, which is outside it, needs PROCESS_DUP_HANDLE to open iexplorer.exe. The driver strips exactly this permission.
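The failure above comes down to a single bit in the requested access mask. The following portable C program is an added example, not code from the driver or product described here: it decodes a process access mask by name and models a filter that strips denied bits. The log line is constructed, `filter_access` is a hypothetical stand-in for the driver's logic, and the deny mask is assumed to contain only the bit the article names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Process access rights, values as defined in winnt.h (subset). */
static const struct { uint32_t bit; const char *name; } RIGHTS[] = {
    {0x0001, "PROCESS_TERMINATE"},       {0x0002, "PROCESS_CREATE_THREAD"},
    {0x0008, "PROCESS_VM_OPERATION"},    {0x0010, "PROCESS_VM_READ"},
    {0x0020, "PROCESS_VM_WRITE"},        {0x0040, "PROCESS_DUP_HANDLE"},
    {0x0200, "PROCESS_SET_INFORMATION"}, {0x0400, "PROCESS_QUERY_INFORMATION"},
    {0x0800, "PROCESS_SUSPEND_RESUME"},  {0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"},
};

/* Pull the access mask out of a log line: the last "0x..." token on it. */
uint32_t parse_access(const char *line) {
    const char *p = line, *last = NULL;
    while ((p = strstr(p, "0x")) != NULL) { last = p; p += 2; }
    return last ? (uint32_t)strtoul(last, NULL, 16) : 0;
}

/* Render a mask as "A|B|..."; bits without a table entry are appended as hex. */
const char *decode_access(uint32_t mask, char *out, size_t cap) {
    size_t n = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof RIGHTS / sizeof RIGHTS[0]; i++)
        if ((mask & RIGHTS[i].bit) && n + 1 < cap) {
            n += (size_t)snprintf(out + n, cap - n, "%s%s", n ? "|" : "", RIGHTS[i].name);
            mask &= ~RIGHTS[i].bit;
        }
    if (mask && n + 1 < cap) snprintf(out + n, cap - n, "%s0x%08x", n ? "|" : "", (unsigned)mask);
    return out;
}

/* Hypothetical model of a filter that strips `deny` from a requested mask. */
uint32_t filter_access(uint32_t desired, uint32_t deny) { return desired & ~deny; }

int main(void) {
    /* Constructed log line in the shape the article describes. */
    const char *line =
        "pid:0x0a5c audiodg.exe open pid:0x0b10 iexplorer.exe failed, access 0x00000040";
    const uint32_t deny = 0x0040; /* assumption: only the bit the article names */
    char buf[256];
    uint32_t want = parse_access(line), got = filter_access(want, deny);
    printf("requested: %s\n", decode_access(want, buf, sizeof buf));
    printf("granted:   0x%08x\n", (unsigned)got);
    printf("lost:      %s\n", decode_access(want & ~got, buf, sizeof buf));
    return 0;
}
```

A request for 0x00000040 alone leaves nothing after filtering, which matches the failed open in the log.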

Next, because OpenProcess, NtOpenProcess and NtAlpcOpenSenderProcess are all hooked, I needed to see which branch audiodg takes when it opens IE and what error is returned. I set a breakpoint on `shouldopenprocessbedenied` again, ran, and looked at the stack after the break. The outer frames showed that OpenProcess had been called, and that the function was not hooked: the original ntdll function was being used.

The question now is why this function is not hooked.

Is the problem in the injection or in the DLL (unloaded after being injected)? Scanning audiodg.exe with procexp showed no modules. Scanning with PCHunter showed only Microsoft's own modules and no injected module. After installing another of the company's products, an injected DLL from that product was visible. (Sorry, I do not want to disclose company details, so I am omitting them.)

So where exactly is the problem? I added breakpoints in the DLL, killed audiodg.exe and started it again with Win+R, audiodg.exe. The breakpoint hit, and I found that the DLL is unloaded after being injected. The unload goes through LdrUnloadDll, and the function above it is FreeLibrary. I hooked FreeLibrary, defined a global variable, and checked whether the calling program is audiodg.exe and the module being unloaded is xx.dll, returning TRUE in that case. Well, the hook was never called. A dead end; this does not seem to work. I tried LdrUnloadDll and restarted; still no luck, there were too many calls and I could not get anywhere.

Then I changed the DLL's name to the name of the other injected DLL, rebooted, and checked for the injection. It would have been better if we had been able to test this back then, but the result was the same: still not injected. The problem appears to be in the driver's injection. At the entry of `Injectlibary` I added code to break if the program name contains audiodg.exe, and the break was hit, which shows that the DLL is supposed to be injected into audiodg.exe. The injection process is described at http://bbs.pediy.com/thread-208082.htm: allocate a block of memory in the target process and place custom NtTestAlert shellcode there to hook NtTestAlert in ntdll; the custom NtTestAlert then calls LdrLoadDll, through a custom injection function, to load the DLL.

After the code has been injected successfully, the debugger has to be switched into the target process. Run `!process 0 0` to find the EPROCESS of the target process, then run `.process /i /p <EPROCESS value>`, and press `g` when prompted. After the second break, load symbols; the hooked NtTestAlert can now be debugged.

Debugging into the Ntloaddll function, I found that the call failed with return value 0xC0000428, STATUS_INVALID_IMAGE_HASH, which means: "Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source." So it has something to do with digital signatures, but it is unclear which signature is involved.

Summary: every problem has a cause, and the visible symptom is like the tip of an iceberg above the water. Solving a problem should follow a chain of reasoning that leads you to the root cause, rather than always fixing the surface symptom.

  

  
