Javier Muñoz Mellid wrote:
I am not seeing a second call to SeCaptureSubjectContext. I reversed it from WinXP with no SP and it only makes one call. Can you mail me the version and SP to check?
Sorry, I didn't see you were already calling it. Forget what I said.
If you want, I can attach to this list my dead-listing of SeCreateAccessState from Windows XP with no SP (Spanish version).
No, it's ok.
Thanks.
The headers weren't emailed to me. The structure was, and it didn't contain any reference to Microsoft headers.
But it could only have come from them.
Anyway, the point is that we know that the original structure has three members.
Right, after playing around with the stack of an Ob* function I noticed the size was 0xC bytes. Took a damn long time.
It is publicly known, in a legal or illegal way, but we can't add that structure because Google doesn't reference that third member and public code references don't exist.
OK, the functions don't need that third member, so we can delete it.
Not quite delete it.
Alex, my problem is that I got that information with a single question on an internal but public list for students and professors. When I replaced my raw structure with that best match, I was thinking of code calculating sizeofs or allocating memory internally in drivers programmed for Windows, where we have only the binary.
I seriously doubt drivers need to use access states (I don't even know why MS exported that API), much less know anything about AuxData.
My question is about closed-source drivers. Imagine that they allocate that opaque structure and then zero it with a sizeof(). I am sure that it would run into problems.
Right, which is why we can't delete it.
I think that if we know a structure, we should be able to add it to avoid future crashes, but I get your point perfectly.
Yeah, but the question is how you came to know of it.
So what do you think about erasing the third member and keeping the two fields touched by SeCreateAccessState?
It should be renamed to ULONG Reserved; I'll fix up your patch and commit it.
We are really in need of someone experienced with Se*; we do have Eric Kohl, but he's been very busy lately. But I also hope you know some of NT's design and won't spend days reversing Windows; to tell you the truth, we really don't like that approach unless it is the only approach left and it is really needed. It would've been easy to write these functions from scratch just by looking at the public ACCESS_STATE structure and figuring out what goes in AuxData; you would've avoided many problems by doing just that. Reversing shouldn't be a solution; it should be a last-chance attempt.
-Javier
Best regards, Alex Ionescu
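The size-mismatch hazard discussed above (a closed-source driver sizing and zeroing the opaque aux data from its own header while the kernel defines the structure differently) can be shown in a small simulation. This is an added example, not code from the thread, from ReactOS or from Microsoft; the AUX_DATA_TWO and AUX_DATA_THREE layouts, the field names and the aux_abi_check function are hypothetical stand-ins chosen only to reproduce the 8-byte versus 0xC-byte case, not the real AUX_ACCESS_DATA layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical auxiliary-data layouts used only for this illustration; they are
 * not the real AUX_ACCESS_DATA from Microsoft's headers or from ReactOS. */
typedef struct {
    uint32_t FieldA;
    uint32_t FieldB;
} AUX_DATA_TWO;                 /* only the two members the initialiser touches: 8 bytes */

typedef struct {
    uint32_t FieldA;
    uint32_t FieldB;
    uint32_t Reserved;          /* third member kept purely so sizeof() matches */
} AUX_DATA_THREE;               /* 12 bytes, the 0xC the thread observed on the stack */

enum aux_abi_result {
    AUX_ABI_OK = 0,             /* both sides agree on the size */
    AUX_ABI_OVERRUN = 1,        /* callee wrote past the caller's allocation */
    AUX_ABI_SHORT = 2,          /* callee left caller-visible bytes untouched */
    AUX_ABI_INVALID = 3         /* sizes the simulation cannot represent safely */
};

#define ARENA_SIZE   64
#define INIT_PATTERN 0xAA
#define CANARY       0xC5

/* Simulate a closed-source driver that allocates and zeroes the structure with
 * sizeof() from its own header (driver_sizeof) and then hands it to a kernel
 * routine that initialises every byte of the structure as the kernel defines it
 * (kernel_sizeof). A canary byte right after the driver's allocation makes an
 * overrun observable. Both sizes are bounded by the arena so the simulation
 * itself never performs an out-of-bounds write. */
enum aux_abi_result aux_abi_check(size_t driver_sizeof, size_t kernel_sizeof)
{
    unsigned char arena[ARENA_SIZE];
    size_t i;

    if (driver_sizeof == 0 || driver_sizeof >= ARENA_SIZE - 1 ||
        kernel_sizeof >= ARENA_SIZE - 1)
        return AUX_ABI_INVALID;

    memset(arena, 0, sizeof arena);
    /* driver side: zero exactly what its header says the structure is */
    memset(arena, 0, driver_sizeof);
    arena[driver_sizeof] = CANARY;          /* first byte past the driver's buffer */

    /* kernel side: initialise the structure as the kernel understands it */
    memset(arena, INIT_PATTERN, kernel_sizeof);

    if (arena[driver_sizeof] != CANARY)
        return AUX_ABI_OVERRUN;             /* kernel_sizeof > driver_sizeof */

    for (i = 0; i < driver_sizeof; i++)
        if (arena[i] != INIT_PATTERN)
            return AUX_ABI_SHORT;           /* kernel_sizeof < driver_sizeof */

    return AUX_ABI_OK;
}

int main(void)
{
    static const char *names[] = { "ok", "overrun", "short", "invalid" };

    printf("sizeof two-member layout: %zu, three-member layout: %zu\n",
           sizeof(AUX_DATA_TWO), sizeof(AUX_DATA_THREE));
    /* driver built against the 12-byte header, kernel using an 8-byte definition */
    printf("driver=12 kernel=8  -> %s\n",
           names[aux_abi_check(sizeof(AUX_DATA_THREE), sizeof(AUX_DATA_TWO))]);
    /* driver built against an 8-byte header, kernel using the 12-byte definition */
    printf("driver=8  kernel=12 -> %s\n",
           names[aux_abi_check(sizeof(AUX_DATA_TWO), sizeof(AUX_DATA_THREE))]);
    /* Reserved member kept on both sides: sizes agree */
    printf("driver=12 kernel=12 -> %s\n",
           names[aux_abi_check(sizeof(AUX_DATA_THREE), sizeof(AUX_DATA_THREE))]);
    return 0;
}
```

The "short" outcome is the case Javier raises: a binary-only driver zeroes twelve bytes because that is what its header says, while a kernel whose definition has only two members touches eight of them; the "overrun" outcome is the mirror image, where the kernel writes more than the caller allocated. Keeping the third member as a padding field makes both sides agree on sizeof() without the kernel ever having to use it.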