Javier Muñoz Mellid wrote:
I am not seeing a second call to SeCaptureSubjectContext. I
reversed it from WinXP no-SP and it only takes one call. Can you mail
me the version and SP to check?
Sorry, I didn't see you were already calling it. Forget what I said.
If you want, I can attach to this list my SeCreateAccessState
dead-listing from Windows XP no-SP (Spanish version).
No, it's ok.
Thanks.
Headers weren't emailed to me. The structure, yes, and it didn't contain any
reference to Msoft headers.
But it could've only come from them.
Anyway, the point is that we know that the original structure has three
members.
Right, after playing around with the stack of an Ob* function I noticed
the size was 0xC bytes. Took a damn long time.
It is publicly known, in a legal or illegal way, but we
can't add that
structure because Google doesn't reference that third member and
public code references don't exist.
OK, the functions don't need that third member, so we can delete it.
Not quite delete it.
Alex, my problem is that I got that information with a single question
on an internal but public list for students and professors. When I
changed my raw structure for that best match I was thinking of code
calculating sizeofs or allocating memory internally in drivers
programmed for Windows where we have only the binary.
I seriously doubt drivers need to use access states (I don't even know
why MS exported that API), much less know anything about AuxData.
My question is about closed-source drivers. Imagine that they allocate
that opaque structure and then zero it with a sizeof(). I am sure
that it would run into problems.
Right, which is why we can't delete it.
I think that if we know a structure we should be able to add
it, avoiding
future crashes, but I get your point perfectly.
Yeah, but the question is how you came to know about it.
So what do you think about erasing the third member and keeping the two
fields touched by SeCreateAccessState?
It should be renamed to ULONG Reserved;
I'll fix up your patch and commit it.
We are really in need of someone experienced with Se*; we do have Eric
Kohl, but he's been very busy lately. But I also hope you know some
of NT's design and won't spend days reversing Windows; to tell you the
truth, we really don't like that approach unless it is the only approach
left and it is really needed. It would've been easy to write these
functions from scratch just by looking at the public ACCESS_STATE
structure and figuring out what goes in AuxData; you would've avoided
many problems by doing just that. Reversing shouldn't be a solution,
it should be a last-chance attempt.
-Javier
Best regards,
Alex Ionescu