BanMe
June 23rd, 2009, 20:49
ok so my current problem requires that I delve into RtlRemoteCall, as I am using it as the ThreadDispatcher for my recycling routine in my server.. 
and it is return a nasty error 0x80000002.. Another form of DATA_TYPE_MISALIGNMENT.. similiar to the error with Native_MapModule that some might remember..
the Problem occurs with the way im calling RtlRemoteCall. I'm sure that it has to do with the way im passing in the parameter for Native_AcceptConnectionRequest routine, I think I should just copy it to a PAGE_SIZE aligned heap and and then pass it..but im gonna try a harder approach and see if i can get the answer.
so rather then bore you with my assumptions and guess's, Im going to do a actual analysis of the function call with olly. but in order to due this I need to place a breakpoint on RtlRemoteCall before it is called.. Olly provides just such a mechanism for the user..ie Make First Pause at System Breakpoint or Break on new module(dll) in the debugging options both provide time before the actual exe is loaded in order to place breakpoints.
we simply right click when it break click goto->Expression and type RtlRemoteCall and then place a breakpoint.
and seeing how RtlRemoteCall is only executed after the first client has completed communication and a new client is making a connection request we must follow follow the execution of the first client and then restart the client when finished.. in order to successfully break on RtlRemoteCall..
*update*
ok so i taught myself how to use windbg.. and did a lil research in debugger.chm
windbg acts totally different then olly in that i can find no options to tell it where to breakpoint on load. it always seems to breakpoint at system breakpoint right before LdrInitializeProcess() but im guessing that is how its supposed to act..
so instead of the method described above for olly, I used this method to set a breakpoint with windbg click f9 then in "command" type "bp ntdll!RtlRemoteCall" and luckily windbg handles the connection of clients seamlessly
so after analyzing RtlRemoteCall and seeing that it actually succeeds in redirecting the local thread to Native_AcceptConnectionRequest,but sadly it mangles the ACCEPT_PARAMS that are passed to the function in the process...on this note Im still not sure how, or why at the moment..im to tired to continue now, but there will be definitly more on this tommorow.
regards BanMe

and it is return a nasty error 0x80000002.. Another form of DATA_TYPE_MISALIGNMENT.. similiar to the error with Native_MapModule that some might remember..
the Problem occurs with the way im calling RtlRemoteCall. I'm sure that it has to do with the way im passing in the parameter for Native_AcceptConnectionRequest routine, I think I should just copy it to a PAGE_SIZE aligned heap and and then pass it..but im gonna try a harder approach and see if i can get the answer.
so rather then bore you with my assumptions and guess's, Im going to do a actual analysis of the function call with olly. but in order to due this I need to place a breakpoint on RtlRemoteCall before it is called.. Olly provides just such a mechanism for the user..ie Make First Pause at System Breakpoint or Break on new module(dll) in the debugging options both provide time before the actual exe is loaded in order to place breakpoints.
we simply right click when it break click goto->Expression and type RtlRemoteCall and then place a breakpoint.
and seeing how RtlRemoteCall is only executed after the first client has completed communication and a new client is making a connection request we must follow follow the execution of the first client and then restart the client when finished.. in order to successfully break on RtlRemoteCall..
*update*
ok so i taught myself how to use windbg.. and did a lil research in debugger.chm
windbg acts totally different then olly in that i can find no options to tell it where to breakpoint on load. it always seems to breakpoint at system breakpoint right before LdrInitializeProcess() but im guessing that is how its supposed to act..
so instead of the method described above for olly, I used this method to set a breakpoint with windbg click f9 then in "command" type "bp ntdll!RtlRemoteCall" and luckily windbg handles the connection of clients seamlessly

so after analyzing RtlRemoteCall and seeing that it actually succeeds in redirecting the local thread to Native_AcceptConnectionRequest,but sadly it mangles the ACCEPT_PARAMS that are passed to the function in the process...on this note Im still not sure how, or why at the moment..im to tired to continue now, but there will be definitly more on this tommorow.
regards BanMe