eppsman
"Obsfucator" in OSR2 and Win98

In Matt Pietrek's "Windows 95 System Programming Secrets" he talks about how process and thread IDs are XOR'd with an "obsfucator" value to give a pointer to the process or thread's internal data structures. The code provided in his book does not appear to work on Windows 95 revision B (with USB supplement). I haven't tried it on Windows 98 yet, but I'm assuming that it probably does not work there, either.

Does anybody know if the method to retrieve the obfuscator has changed, or if it still even exists? I know in original betas of Chicago, the process ID was a direct pointer to the structure - no obfuscator existed. Could it have possibly (however unlikely) been removed outright?

I would really like to be able to walk the process and thread structures, just to see what's going on, and I think the only way I'll be able to do this is to find out what has changed with the "obsfucator" and how I can find the structures in OSR2 and 98.

Thanks in advance.
Madshi

I have everything you need, but in Delphi code...   :-))
Is this a problem for you?
What do you need? "Only" how to calculate the "magic number", which you have to xor to the IDs? Or do you need more? What?

Regards, Madshi.
eppsman (ASKER)

I have the code to calculate the value, but it appears that using this value will only produce correct results under the original release of Windows 95. Trying to use the "obsfucator" under Win95B fails. I want to know if anybody has some obsfucator code that they know works under Win95 rev. B with USB supplement installed.
ASKER CERTIFIED SOLUTION
Madshi

eppsman (ASKER)

Madshi,
Please standby, I'm going to try converting this stuff. It looks good!
Aaron
eppsman (ASKER)

Code looks good, I just have one question:
Do you know if the PROCESS_DATABASE structures have changed in 95B and 98? I have tried to retrieve some information from this structure after I have unobfuscated it, but I'm getting junk, so it appears that some fields may have been added to the structure or something...

I was just wondering if you knew, but if not, I'll award you the points anyway, of course.
Madshi

This is the structure I'm using. The fields that I use are "pHandleTable" and "parentPpid0", and these two fields are working correctly under all win9x systems.
Which values are you using and for which purpose? Perhaps I can help with finding out the differences.
I've already found a difference in the thread structure. You see that in the code I've posted in the answer.

type PHANDLE_TABLE = pointer;           // handle table; its layout is not needed here
     TPpid0        = ^Tpid0;            // forward declaration so the record can point to its parent
     Tpid0  = packed record
                dwType            : dword;          // object type tag
                refCount          : dword;          // reference count
                unk1,unk2         : dword;
                termStatus        : dword;          // exit code once the process has terminated
                unk3              : dword;
                defaultHeap       : dword;          // default process heap
                memContext        : dword;          // memory context (address space)
                flags             : dword;          // process flags, see the list below
                pPsp              : dword;          // linear address of the DOS PSP
                pspSelector       : word;           // selector for the PSP
                mteIndex          : word;           // module table entry index
                nThreads          : word;           // number of threads
                nThreadsNotTerm   : word;           // threads not yet terminated
                unk5              : word;
                nROThreads        : word;           // ring 0 threads
                ptrUnk3           : pointer;
                k16TDBSel         : word;           // Win16 TDB selector
                unk6              : word;
                unk7              : pointer;
                pEDB              : pointer;        // environment database
                pHandleTable      : PHANDLE_TABLE;  // handle table of this process
                parentPpid0       : TPpid0;         // process database of the parent
                modrefList        : pointer;        // list of loaded modules
                threadList        : pointer;        // list of threads
                unk8,unk9,unk10   : pointer;
                z4Unk11           : pointer;
                unk12,unk13,unk14 : pointer;
                z1Unk15           : pointer;
              end;

Regards, Madshi.
eppsman (ASKER)

I was trying to take a peek at the flags field, but I was getting values that:
a) changed every time I ran the program, but the same program's data was being looked at every time;
b) the values were not valid values for the flags field.
Thanks in advance.
Madshi

Please give me a description of the flags. Then I'll see if I can find something...
eppsman (ASKER)

Here's a description of the flags (all of these are in hexadecimal, of course):

00000001 - fDebugSingle - Set if process is being debugged
00000002 - fCreateProcessEvent - Set in debugged processes after starting
00000004 - fExitProcessEvent - Might be set in debugged processes at exit time
00000008 - fWin16Process - Set if process is a Windows 3.x program
00000010 - fDosProcess - Set if process is a DOS program
00000020 - fConsoleProcess - Set if process is a Win32 console program
00000040 - fFileApisAreOem - See SetFileApisToOEM() in API documentation
00000080 - fNukeProcess - ?
00000100 - fServiceProcess - Processes like MSGSRV32
00000800 - fLoginScriptHack - Might be a Novell network login process(?)

There are others, but there is absolutely no documentation on what they do, and they're rare to find, anyway.
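As an added example (not code from the thread, from Madshi or from Pietrek's book): a C mirror of the Tpid0 record posted above with compile-time offset checks, which is the first thing to verify when a converted structure starts returning junk, plus a decoder for the documented flag bits that reports any undocumented bits separately instead of silently dropping them. It assumes the 32-bit Win9x layout, so pointer fields are declared uint32_t; the offsets 0x20/0x44/0x48 and the size 0x74 are computed from the record exactly as posted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added mirror of the Delphi Tpid0 record above; pointer fields are uint32_t
 * because the Win9x structures are 32-bit (assumption for a 64-bit host). */
typedef struct PROCESS_DATABASE {
    uint32_t dwType, refCount, unk1, unk2, termStatus, unk3;
    uint32_t defaultHeap, memContext;
    uint32_t flags;                      /* 0x20 */
    uint32_t pPsp;
    uint16_t pspSelector, mteIndex, nThreads, nThreadsNotTerm, unk5, nROThreads;
    uint32_t ptrUnk3;
    uint16_t k16TDBSel, unk6;
    uint32_t unk7, pEDB;
    uint32_t pHandleTable;               /* 0x44 */
    uint32_t parentPpid0;                /* 0x48 */
    uint32_t modrefList, threadList, unk8, unk9, unk10, z4Unk11;
    uint32_t unk12, unk13, unk14, z1Unk15;
} PROCESS_DATABASE;

/* A mismatch here means every field past it reads as junk. */
_Static_assert(offsetof(PROCESS_DATABASE, flags) == 0x20, "flags offset");
_Static_assert(offsetof(PROCESS_DATABASE, pHandleTable) == 0x44, "handle table offset");
_Static_assert(offsetof(PROCESS_DATABASE, parentPpid0) == 0x48, "parent offset");
_Static_assert(sizeof(PROCESS_DATABASE) == 0x74, "record size");

static const struct { uint32_t bit; const char *name; } kFlagNames[] = {
    {0x001, "fDebugSingle"},      {0x002, "fCreateProcessEvent"},
    {0x004, "fExitProcessEvent"}, {0x008, "fWin16Process"},
    {0x010, "fDosProcess"},       {0x020, "fConsoleProcess"},
    {0x040, "fFileApisAreOem"},   {0x080, "fNukeProcess"},
    {0x100, "fServiceProcess"},   {0x800, "fLoginScriptHack"},
};

/* Writes the names of documented bits set in `flags` to `out` ('|'-joined)
 * and returns the set bits that are not documented (0 if none). */
uint32_t decode_pid0_flags(uint32_t flags, char *out, size_t outlen)
{
    uint32_t unknown = flags;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof kFlagNames / sizeof kFlagNames[0]; i++) {
        if (!(flags & kFlagNames[i].bit)) continue;
        if (out[0]) strncat(out, "|", outlen - strlen(out) - 1);
        strncat(out, kFlagNames[i].name, outlen - strlen(out) - 1);
        unknown &= ~kFlagNames[i].bit;
    }
    return unknown;
}
```

A non-zero return value is the signal that the structure is being read at the right offset but the OS build sets bits this list does not cover; a stream of values that differ on every run points at a wrong pointer or offset instead.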
Madshi

Well, I've written a little test program that looked something like this:

  c1 = GetProcessIdOfCalc;
  ShowFlagsOfCalc;
  RegisterServiceProcess(c1);
  ShowFlagsOfCalc;
  UnregisterServiceProcess(c1);
  ShowFlagsOfCalc;

And I let this program run under win95, win95osr2 and win98 (I have them all on my hard disk). And you know what? It worked perfectly on all 3 systems with the same pid0 structure!!   :-)

win95 & win95osr2 showed  0x0 -> 0x100 -> 0x0
win98 showed  0x200 -> 0x300 -> 0x200

So I guess, you must have done something wrong with either the conversion of my code or with the declaration of the structure. Let me see your code. Perhaps I'll find something.
Any progress?
P.S: Please don't forget to accept my answer...  :-))
eppsman (ASKER)

Sorry for the delay, I was out of town over the weekend. I'll take a peek at my code... Probably screwed up my pointers or something! Thanks, I'll accept your answer... :)
Madshi

Thanx for the A grade... Yam yam...   :-)