rekindled hope (maybe) [Archive] - RCE Messageboard's Regroupment

View Full Version : rekindled hope (maybe)

BanMe

July 14th, 2009, 20:26

I really don't like to give up on things..
I want Allocate a console from a Native Mode Application..

I tried dynamic calling of the function and it succeeds but nothing is displayed, because I we are running in Session 0.. This can be bypassed..I know it can..

Elicz did it in w32asap with user32 api..and a crafted call to CreateProcess..

So In my fishing of the net, I found a question about "Starting a process on the winlogon desktop in session >0" by andrewb (#1) .. and his question gave me a idea..

If I can obtain the token of explorer.exe I can use it in my call to specially recrafted AllocConsole and hopefully get the Window to show up...I've got a clear view of the solution now.. hopefully i can implement it ;] and if I cant implement it this way the backup plan is to hijack my own token to make my window show up..but after that I think I might be outta gas..except for spawning from the client.

(#1)
http://www.eggheadcafe.com/software/aspnet/30999838/starting-a-process-on-the.aspx

regards BanMe

BanMe

July 14th, 2009, 21:49

Code:



enum { OB_TYPE_UNKNOWN = 0, OB_TYPE_TYPE = 1, OB_TYPE_DIRECTORY,

        OB_TYPE_SYMBOLIC_LINK,  OB_TYPE_TOKEN,  OB_TYPE_PROCESS,

        OB_TYPE_THREAD, /*OB_TYPE_UNKNOWN_7,*/ OB_TYPE_EVENT,

        OB_TYPE_EVENT_PAIR, OB_TYPE_MUTANT, //OB_TYPE_UNKNOWN_11,

        OB_TYPE_SEMAPHORE, OB_TYPE_TIMER, OB_TYPE_PROFILE,

        OB_TYPE_WINDOW_STATION, OB_TYPE_DESKTOP, OB_TYPE_SECTION,

        OB_TYPE_KEY, OB_TYPE_PORT, OB_TYPE_WAITABLE_PORT,

        /*OB_TYPE_UNKNOWN_21, OB_TYPE_UNKNOWN_22, OB_TYPE_UNKNOWN_23,

        OB_TYPE_UNKNOWN_24,*/ OB_TYPE_JOB, //22 on Whistler

        //OB_TYPE_CONTROLLER, OB_TYPE_DEVICE, OB_TYPE_DRIVER,

        OB_TYPE_IO_COMPLETION, OB_TYPE_FILE, OB_TYPE_WMI_GUID,

};

the methodology now to do this is to Pole the Real HandleTable for "explorer.exe", then duplicate out all the handles I need...
ep_x0ff wrote about using the handle table to bypass the protections of a AV..

located here http://www.rootkit.com/board.php?did=edge778&closed=1&lastx=15

It was a delphi implementation of using the handle table..I translated it to C++ and repurposed it to work genericly ( I posted that code ).. so that is what I am going to use as the base.. just a little restructuring and hopefully this method will work..as a sufficient way to get the handles I need without calling "suspicious" API's

regards BanMe

Kayaker

July 15th, 2009, 22:44

I'm just curious BanMe, which I know is a dangerous thing, but what are you going to use the console window for? To inform the user, yes, but is it to allow user interaction? i.e. are you going to be able to pause Windows booting if something "of interest" happens and get user input?

If it's only for informational purposes, wouldn't NtDisplayString on the boot screen work? Or, just log all the info to a buffer and spit it out when you can create a legit console.

I know it's more fun to force a console "when I want it dammit"

A thought, if you get a console showing, will it always be visible to the user (stay topmost) throughout the boot process, through to the desktop appearing?

Cheers,
Kayaker

BanMe

July 16th, 2009, 08:04

Idea is to have a "interface" that can take user input. this interface will also be used for output. the "input" will be for directing the "client" to do specific actions(ie load plugins, send code, so forth..

NtDisplayString will only work on the "boot screen" and this will not work directly after the call to SmSsContinue..as there is no more boot screen

Im not sure about "topmost" always and it wont be started until after the "boot" process is done and explorer is "loaded". because in order to get a handle to the window station and desktop i have to pole the System HandleTable for "explorer.exe" albeit the "test" just before I run Native_Server in the "new" code.

hope this help

regards BanMe

BanMe

July 16th, 2009, 19:37

Heres how I'm gonna search for explorer..I updated the code for this cause it was not to my liking...still more modifications to do to this but Ill post this and explain how im gonna use it to wait for a process

*removed buggy code*

So apparently this is "not" a good method cause it never obtains the right amount of memory to "write" the handle table into. resulting in a infinite loop of allocating and releasing memory..and the hated "low virtual memory" message from windows.

so to combat this Im going to just allocate 10 pages 0x40960 of memory and skip the "proper" way to do it..also thanks to Kayaker for showing me how to "setup windbg in vmware" in one of his earliar postings I think in the "server thread recycling" thread..the only thing I can add to that is if SIN32 is running as a "subsystem" you should use NtGlobal program to allow debugging of the subsystem

The New Code for this little bit will be up soon as well as Im adding OBJ_TYPE_WINDOW_STATION and OBJ_TYPE_DESKTOP to the object types available to be queried with this function,
Currently It only works with OBJ_TYPE_PROCESS and OBJ_TYPE_THREAD (5 and 6) respectivly.

Hope you enjoy

regards BanMe

BanMe

July 17th, 2009, 15:18

this code should work properly

Code:



HANDLE Native_DuplicateHandleInProcess(wchar_t *pName,ULONG HandleType)

{

	THREAD_BASIC_INFORMATION tbi = {0};

	POBJECT_NAME_INFORMATION oni = {0};

	CLIENT_ID Cid = {0};

	OBJECT_ATTRIBUTES oa = {0};

	PSYSTEM_HANDLE_INFORMATION_EX buf = {0};

	PUNICODE_STRING pnb = 0;

	HANDLE hCProcess = INVALID_HANDLE_VALUE,TempHandle = INVALID_HANDLE_VALUE;

	NTSTATUS Status = 0;

	ULONG Reusable = 0x40960;

	BOOLEAN test = 0;

	InitializeObjectAttributes(&oa,0,0,0,0);

	__try

	{

SzMismatch:

		buf = (PSYSTEM_HANDLE_INFORMATION_EX)RtlAllocateHeap(RtlProcessHeap(),HEAP_ZERO_MEMORY |HEAP_GROWABLE,Reusable);

		Status = NtQuerySystemInformation(SystemHandleInformation,buf,Reusable,&Reusable);

		if(Status == 0xC0000004 )

		{

			if(RtlFreeHeap(RtlProcessHeap(),0,(PVOID)buf))

			{

				__asm jmp SzMismatch;			

			}

		}

		if(!NT_SUCCESS(Status))

		{

			RtlFreeHeap(RtlProcessHeap(),0,(PVOID)buf);

			return INVALID_HANDLE_VALUE;

		}

		for(Reusable = 0;Reusable < buf->NumberOfHandles;Reusable++)

		{

			if(buf->Information[Reusable].ProcessId != 4)

			{

				if(buf->Information[Reusable].ObjectTypeNumber == OB_TYPE_PROCESS)

				{

					Cid.UniqueProcess = (PVOID)buf->Information[Reusable].ProcessId;

					Cid.UniqueThread = 0;

					Status = NtOpenProcess(&hCProcess,PROCESS_ALL_ACCESS,&oa,&Cid);

					if(hCProcess != INVALID_HANDLE_VALUE)

					{	

						pnb = (PUNICODE_STRING)RtlAllocateHeap(RtlProcessHeap(),HEAP_ZERO_MEMORY|HEAP_GROWABLE,0x1024);

						Status = NtQueryInformationProcess(hCProcess,ProcessImageFileName,(PVOID)pnb,0x1024,0);

						if(pnb->Buffer != NULL)

						{

							PWCHAR cpn = (PWCHAR)pnb->Buffer;

							USHORT cln = pnb->Length;

							do

							{

								cpn++;

								if(wcscmp(pName,cpn)== 0)

								{

									switch(HandleType)

									{

										case OB_TYPE_PROCESS:

											test = RtlFreeHeap(RtlProcessHeap(),0,(PVOID)pnb);

											test = RtlFreeHeap(RtlProcessHeap(),0,(PVOID)buf);

											return hCProcess;

										case OB_TYPE_THREAD :

											Reusable = 0;

											do

											{

												if(buf->Information[Reusable].ProcessId == (USHORT)Cid.UniqueProcess)

												{

													if(buf->Information[Reusable].ObjectTypeNumber == OB_TYPE_THREAD)

													{

														Status = NtDuplicateObject(hCProcess,(PHANDLE)buf->Information[Reusable].Handle,NtCurrentProcess(),&TempHandle,0,0,DUPLICATE_SAME_ACCESS);

														Status = NtQueryInformationThread(TempHandle,ThreadBasicInformation,&tbi,sizeof(tbi),0);

														if(tbi.ClientId.UniqueProcess == (PVOID)Cid.UniqueProcess)

														{

															RtlFreeHeap(RtlProcessHeap(),0,(PVOID)pnb);

															RtlFreeHeap(RtlProcessHeap(),0,(PVOID)buf);

															NtClose(hCProcess);

															return TempHandle;

														}

													}

												}

												Reusable++;

											}while(Reusable != buf->NumberOfHandles);

										case OB_TYPE_WINDOW_STATION:

											Reusable = 0;

											do

											{

												if(buf->Information[Reusable].ProcessId == (USHORT)Cid.UniqueProcess)

												{

													if(buf->Information[Reusable].ObjectTypeNumber == OB_TYPE_WINDOW_STATION)

													{

														Status = NtDuplicateObject(hCProcess,(PHANDLE)buf->Information[Reusable].Handle,NtCurrentProcess(),&TempHandle,0,0,DUPLICATE_SAME_ACCESS);

														if(TempHandle != INVALID_HANDLE_VALUE)

														{

															RtlFreeHeap(RtlProcessHeap(),0,(PVOID)pnb);

															RtlFreeHeap(RtlProcessHeap(),0,(PVOID)buf);

															NtClose(hCProcess);

															return TempHandle;

														}

													}

												}

												Reusable++;

											}while(Reusable != buf->NumberOfHandles);

										case OB_TYPE_DESKTOP:

											Reusable = 0;

											do

											{

												if(buf->Information[Reusable].ProcessId == (USHORT)Cid.UniqueProcess)

												{

													if(buf->Information[Reusable].ObjectTypeNumber == OB_TYPE_DESKTOP)

													{

														Status = NtDuplicateObject(hCProcess,(PHANDLE)buf->Information[Reusable].Handle,NtCurrentProcess(),&TempHandle,0,0,DUPLICATE_SAME_ACCESS);

														if(TempHandle != INVALID_HANDLE_VALUE)

														{

															RtlFreeHeap(RtlProcessHeap(),0,(PVOID)pnb);

															RtlFreeHeap(RtlProcessHeap(),0,(PVOID)buf);

															NtClose(hCProcess);

															return TempHandle;

														}

													}

												}

												Reusable++;

											}while(Reusable != buf->NumberOfHandles);

										default :

											return INVALID_HANDLE_VALUE;

										}

								}

								cln--;

							}while(cln);

						}

					}

				}

			}

		}

		if(pnb)

		{

			RtlFreeHeap(RtlProcessHeap(),0,(PVOID)pnb);

		}

		if(buf)

		{

			RtlFreeHeap(RtlProcessHeap(),0,(PVOID)buf);

		}

		if(hCProcess)

		{

			NtClose(hCProcess);

		}

		if(TempHandle)

		{

			NtClose(TempHandle);

		}

	}

	__except(1)

	{

		if(pnb)

		{

			RtlFreeHeap(RtlProcessHeap(),0,(PVOID)pnb);

		}

		if(buf)

		{

			RtlFreeHeap(RtlProcessHeap(),0,(PVOID)buf);

		}

		if(hCProcess)

		{

			NtClose(hCProcess);

		}

		if(TempHandle)

		{

			NtClose(TempHandle);

		}

	}

	return INVALID_HANDLE_VALUE;

}

added the previously described features and bugfixes and "debugged" it a few times, I also added Handle Leak Prevention and buffer clean up.

regards BanMe

BanMe

July 17th, 2009, 18:18

Ok so that didn't solve it either, but the code works "If" Initialization has ended and the handle table isnt growing every millisecond..so I have a few options left to consider to solve this..

First one is using NtDelayExecution after the call to SmSsContinue..Otherwise it just waits at the boot screen..
this is not a good solution because system boot times vary from system to system.

Second option is to wait for a client to Connects to do the call described above..
The 2nd option has the added benefit of being "reliable behavior" on slower systems..
and the benefit of not trying to get the handletable, when handles are being added to it constantly.. so the 2nd one it is

regards BanMe

BanMe

July 19th, 2009, 03:57

BBQ ?

wtf i forget about most basic IPC when deving a complex one..I forgot about named pipes and the first thing I code used them..(it was in perl and wsc format..Telnet.TelnetAdmin..might be out there still...)..but damn basic IO..not good .. :[ losing my mind ]: or have i lost it already? hmm...

regards BanMe

BanMe

July 30th, 2010, 12:50

So as j00ru has 'briefly' described some of Csrss internals,I'd like to hit the console window 'creation' and 'interaction' part more in detail, but that wasn't the actual direction the 'native csrss layer' he was talking about describing went. Though he did mention about the specific api's I am going to speak about, just not to the depth that I desired. So with that said lets look at AllocConsole from a few different perspectives..

1st the code that reactos used for this..this just for understanding purposes as this might be outdated..

Code:



* @implemented

*/

 BOOL

 WINAPI

 AllocConsole(VOID)

 {

     CSR_API_MESSAGE Request;

     ULONG CsrRequest;

     NTSTATUS Status;

     HANDLE hStdError;

 

     if (NtCurrentPeb()->ProcessParameters->ConsoleHandle)

     {

         DPRINT("AllocConsole: Allocate duplicate console to the same Process\n";

         SetLastErrorByStatus (STATUS_OBJECT_NAME_EXISTS);

         return FALSE;

     }

 

     Request.Data.AllocConsoleRequest.CtrlDispatcher = ConsoleControlDispatcher;

     Request.Data.AllocConsoleRequest.ConsoleNeeded = TRUE;

     Request.Data.AllocConsoleRequest.Visible = TRUE;

 

     CsrRequest = MAKE_CSR_API(ALLOC_CONSOLE, CSR_CONSOLE);

 

     Status = CsrClientCallServer(&Request, NULL, CsrRequest, sizeof(CSR_API_MESSAGE));

     if (!NT_SUCCESS(Status) || !NT_SUCCESS(Status = Request.Status))

     {

         SetLastErrorByStatus(Status);

         return FALSE;

     }

 

     NtCurrentPeb()->ProcessParameters->ConsoleHandle = Request.Data.AllocConsoleRequest.Console;

 

     SetStdHandle(STD_INPUT_HANDLE, Request.Data.AllocConsoleRequest.InputHandle);

     SetStdHandle(STD_OUTPUT_HANDLE, Request.Data.AllocConsoleRequest.OutputHandle);

 

     hStdError = DuplicateConsoleHandle(Request.Data.AllocConsoleRequest.OutputHandle,

                                        0,

                                        TRUE,

                                       DUPLICATE_SAME_ACCESS);

 

     SetStdHandle(STD_ERROR_HANDLE, hStdError);

     return TRUE;

 }

The actual implementation varies alot.. :]
But you get the idea of what is done here so lets move onto the actual implementation..

XP sp3 kernel32!AllocConsole

Code:



7C871541 >/$ 68 70040000    PUSH 470

7C871546  |. 68 1817877C    PUSH kernel32.7C871718

7C87154B  |. E8 760FF9FF    CALL kernel32.7C8024C6

7C871550  |. A1 CC46887C    MOV EAX,DWORD PTR DS:[7C8846CC]

7C871555  |. 8945 E4        MOV [LOCAL.7],EAX

7C871558  |. 33DB           XOR EBX,EBX

7C87155A  |. 899D D4FBFFFF  MOV [LOCAL.267],EBX

7C871560  |. 68 A046887C    PUSH kernel32.7C8846A0

7C871565  |. FF15 8011807C  CALL DWORD PTR DS:[<&ntdll.RtlEnterCriti>;  ntdll.RtlEnterCriticalSection

7C87156B  |. 895D FC        MOV [LOCAL.1],EBX

7C87156E  |. 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]

7C871574  |. 8985 C4FBFFFF  MOV [LOCAL.271],EAX

7C87157A  |. 8B40 30        MOV EAX,DWORD PTR DS:[EAX+30]

7C87157D  |. 8B40 10        MOV EAX,DWORD PTR DS:[EAX+10]

7C871580  |. 3958 10        CMP DWORD PTR DS:[EAX+10],EBX

7C871583  |. 74 12          JE SHORT kernel32.7C871597

7C871585  |. 6A 05          PUSH 5

7C871587  |. E8 407DF9FF    CALL kernel32.7C8092CC

7C87158C  |. 899D D4FBFFFF  MOV [LOCAL.267],EBX

7C871592  |. E9 4E010000    JMP kernel32.7C8716E5

7C871597  |> 8D85 DCFBFFFF  LEA EAX,[LOCAL.265]

7C87159D  |. 50             PUSH EAX

7C87159E  |. 53             PUSH EBX

7C87159F  |. 8D85 D8FBFFFF  LEA EAX,[LOCAL.266]

7C8715A5  |. 50             PUSH EAX

7C8715A6  |. 53             PUSH EBX

7C8715A7  |. 8D85 C8FBFFFF  LEA EAX,[LOCAL.270]

7C8715AD  |. 50             PUSH EAX

7C8715AE  |. 53             PUSH EBX

7C8715AF  |. E8 D687FBFF    CALL kernel32.7C829D8A

7C8715B4  |. E8 C09AFAFF    CALL kernel32.7C81B079

7C8715B9  |. BE 0A020000    MOV ESI,20A

7C8715BE  |. 89B5 D0FBFFFF  MOV [LOCAL.268],ESI

7C8715C4  |. C785 CCFBFFFF >MOV [LOCAL.269],100

7C8715CE  |. 8D85 E4FEFFFF  LEA EAX,[LOCAL.71]

7C8715D4  |. 50             PUSH EAX

7C8715D5  |. 8D85 CCFBFFFF  LEA EAX,[LOCAL.269]

7C8715DB  |. 50             PUSH EAX

7C8715DC  |. 8D85 D8FCFFFF  LEA EAX,[LOCAL.202]

7C8715E2  |. 50             PUSH EAX

7C8715E3  |. 8D85 D0FBFFFF  LEA EAX,[LOCAL.268]

7C8715E9  |. 50             PUSH EAX

7C8715EA  |. E8 309BFAFF    CALL kernel32.7C81B11F

7C8715EF  |. 8D85 80FBFFFF  LEA EAX,[LOCAL.288]

7C8715F5  |. 50             PUSH EAX                                 ; /pStartupinfo

7C8715F6  |. E8 5508F9FF    CALL kernel32.GetStartupInfoW            ; \GetStartupInfoW

7C8715FB  |. 399D 8CFBFFFF  CMP [LOCAL.285],EBX

7C871601  |. 75 0A          JNZ SHORT kernel32.7C87160D

7C871603  |. C785 8CFBFFFF >MOV [LOCAL.285],kernel32.7C84EACC        ;  UNICODE "Command Prompt"

7C87160D  |> FFB5 8CFBFFFF  PUSH [LOCAL.285]                         ; /String

7C871613  |. E8 0184F9FF    CALL kernel32.lstrlenW                   ; \lstrlenW

7C871618  |. 8D4400 02      LEA EAX,DWORD PTR DS:[EAX+EAX+2]

7C87161C  |. 0FB7C0         MOVZX EAX,AX

7C87161F  |. 8985 C8FBFFFF  MOV [LOCAL.270],EAX

7C871625  |. 3BC6           CMP EAX,ESI

7C871627  |. 72 02          JB SHORT kernel32.7C87162B

7C871629  |. 8BC6           MOV EAX,ESI

7C87162B  |> 0FB7F8         MOVZX EDI,AX

7C87162E  |. 89BD C8FBFFFF  MOV [LOCAL.270],EDI

7C871634  |. 8B85 88FBFFFF  MOV EAX,[LOCAL.286]

7C87163A  |. 3BC3           CMP EAX,EBX

7C87163C  |. 74 29          JE SHORT kernel32.7C871667

7C87163E  |. 66:3918        CMP WORD PTR DS:[EAX],BX

7C871641  |. 74 24          JE SHORT kernel32.7C871667

7C871643  |. 50             PUSH EAX                                 ; /String

7C871644  |. E8 D083F9FF    CALL kernel32.lstrlenW                   ; \lstrlenW

7C871649  |. 8D4400 02      LEA EAX,DWORD PTR DS:[EAX+EAX+2]

7C87164D  |. 0FB7C0         MOVZX EAX,AX

7C871650  |. 8985 D8FBFFFF  MOV [LOCAL.266],EAX

7C871656  |. 3BC6           CMP EAX,ESI

7C871658  |. 72 02          JB SHORT kernel32.7C87165C

7C87165A  |. 8BC6           MOV EAX,ESI

7C87165C  |> 0FB7C0         MOVZX EAX,AX

7C87165F  |. 8985 D8FBFFFF  MOV [LOCAL.266],EAX

7C871665  |. EB 06          JMP SHORT kernel32.7C87166D

7C871667  |> 899D D8FBFFFF  MOV [LOCAL.266],EBX

7C87166D  |> 8D85 DCFBFFFF  LEA EAX,[LOCAL.265]

7C871673  |. 50             PUSH EAX

7C871674  |. 68 1113877C    PUSH kernel32.7C871311

7C871679  |. 68 B054877C    PUSH kernel32.7C8754B0

7C87167E  |. FFB5 CCFBFFFF  PUSH [LOCAL.269]

7C871684  |. 8D85 E4FEFFFF  LEA EAX,[LOCAL.71]

7C87168A  |. 50             PUSH EAX

7C87168B  |. FFB5 D0FBFFFF  PUSH [LOCAL.268]

7C871691  |. 8D85 D8FCFFFF  LEA EAX,[LOCAL.202]

7C871697  |. 50             PUSH EAX

7C871698  |. FFB5 D8FBFFFF  PUSH [LOCAL.266]

7C87169E  |. FFB5 88FBFFFF  PUSH [LOCAL.286]

7C8716A4  |. 57             PUSH EDI

7C8716A5  |. FFB5 8CFBFFFF  PUSH [LOCAL.285]

7C8716AB  |. E8 85F9FFFF    CALL kernel32.7C871035

7C8716B0  |. 8985 D4FBFFFF  MOV [LOCAL.267],EAX

7C8716B6  |. 3BC3           CMP EAX,EBX

7C8716B8  |. 74 2B          JE SHORT kernel32.7C8716E5

7C8716BA  |. 8D85 DCFBFFFF  LEA EAX,[LOCAL.265]

7C8716C0  |. 50             PUSH EAX

7C8716C1  |. E8 7A88FBFF    CALL kernel32.7C829F40

7C8716C6  |. E8 A561FAFF    CALL kernel32.7C817870

7C8716CB  |. 8B85 E0FBFFFF  MOV EAX,[LOCAL.264]

7C8716D1  |. A3 3440887C    MOV DWORD PTR DS:[7C884034],EAX

7C8716D6  |. E8 0A99FAFF    CALL kernel32.7C81AFE5

7C8716DB  |. C785 D4FBFFFF >MOV [LOCAL.267],1

7C8716E5  |> 834D FC FF     OR [LOCAL.1],FFFFFFFF

7C8716E9  |. E8 19000000    CALL kernel32.7C871707

7C8716EE  |. 8B85 D4FBFFFF  MOV EAX,[LOCAL.267]

7C8716F4  |. 8B4D E4        MOV ECX,[LOCAL.7]

7C8716F7  |. E8 1E80F9FF    CALL kernel32.7C80971A

7C8716FC  |. E8 000EF9FF    CALL kernel32.7C802501

7C871701  \. C3             RETN

ok so I dont know about you, but this doesnt look anything like the previous code.

but none the less the call to CsrClientCallServer is from AllocConsole+16A(7C8716AB) and that is seen here...

Code:



which breaks down to this call..

7C87113B  |. 6A 2C          PUSH 2C

7C87113D  |. 68 24020200    PUSH 20224

7C871142  |. 53             PUSH EBX

7C871143  |. 8D85 44FFFFFF  LEA EAX,[LOCAL.47]

7C871149  |. 50             PUSH EAX

7C87114A  |. FF15 3410807C  CALL DWORD PTR DS:[<&ntdll.CsrClientCall>;  ntdll.CsrClientCallServer

This call has a signifigant amount of information passed to it and there passed to csrss..
First off the size of the 'data' passed is 2c or 44 bytes, and the API number called is 20224. The next parameters need further investigation and im not a pro at building structures but I am going to attempt it.. But I cannot be sure that it's correct without someone more knowledgeable input about this then I.

Now I'm putting a breakpoint on the above call and seeing what i can gather about the parameters passed..

The Next Parameter passed is the pointer to a CSR_CAPTURE_HEADER

Code:



typedef struct _CSR_CAPTURE_HEADER {

    ULONG Length;

    PCSR_CAPTURE_HEADER RelatedCaptureBuffer;

    ULONG CountMessagePointers;

    PCHAR FreeSpace;

    ULONG_PTR MessagePointerOffsets[1]; // Offsets within CSR_API_MSG of pointers

} CSR_CAPTURE_HEADER, *PCSR_CAPTURE_HEADER;

This is see in the value in ebx for me it is 0x00190688 and this dumps out to be

Code:



00190688  00000214//length

0019068C  BAADF00D//related captures

00190690  00000005//num of message buffers

00190694  00190880//pointer to free space

00190698  0006FA24 /0006FA24->001906AC->0008021E == 02200008

0019069C  0006FA2C //0006FA2C  001907A8  UNICODE "C:\Documents and Settings\BanMe\Desktop\Olly\LOADDLL.EXE"

001906A0  0006FA34 //0006FA34  0019081C  UNICODE "WinSta0\Default"

001906A4  0006FA44 //0006FA44  0019083C  UNICODE "C:\WINDOWS\system32\"

001906A8  0006FA3C //0006FA3C  00190868  UNICODE "LOADDLL.EXE"

next up the CSR_API_MESSAGE that is passed in eax for me this registers points to 0006F9FC..

This Message structure should look similar to this according to the WDK

Code:





typedef struct _CSR_API_CONNECTINFO {

    OUT HANDLE ObjectDirectory;

    OUT PVOID SharedSectionBase;

    OUT PVOID SharedStaticServerData;

    OUT PVOID SharedSectionHeap;

    OUT ULONG DebugFlags;

    OUT ULONG SizeOfPebData;

    OUT ULONG SizeOfTebData;

    OUT ULONG NumberOfServerDllNames;

    OUT HANDLE ServerProcessId;

} CSR_API_CONNECTINFO, *PCSR_API_CONNECTINFO;



typedef struct _CSR_API_MSG {

    PORT_MESSAGE h;

    union {

        CSR_API_CONNECTINFO ConnectionRequest;

        struct {

            PCSR_CAPTURE_HEADER CaptureBuffer;

            CSR_API_NUMBER ApiNumber;

            ULONG ReturnValue;

            ULONG Reserved;

            union {

                CSR_CLIENTCONNECT_MSG ClientConnect;

                ULONG_PTR ApiMessageData[39];

            } u;

        };

    };

} CSR_API_MSG, *PCSR_API_MSG;

This is where I get thrown off what I see at the dump and stack locations doesnt correlate to a CSR_API_MESSAGE...

this is what I see in the dump at that location..

Code:



0006F9FC  00000281

0006FA00  00000287

0006FA04  00000000

0006FA08  00000000

0006FA0C  0009B158

0006FA10  0006F954

0006FA14  00000000

0006FA18  00000000

0006FA1C  0006FA28

0006FA20  755D3865  RETURN to msctfime.755D3865 from msctfime.755D8A2C

0006FA24  001906AC

0006FA28  00000072

0006FA2C  001907A8  UNICODE "C:\Documents and Settings\BanMe\Desktop\Olly\LOADDLL.EXE"

0006FA30  00000020

0006FA34  0019081C  UNICODE "WinSta0\Default"

0006FA38  00000018

0006FA3C  00190868  UNICODE "LOADDLL.EXE"

0006FA40  0000002A

0006FA44  0019083C  UNICODE "C:\WINDOWS\system32\"

0006FA48  7C8754B0  kernel32.7C8754B0

0006FA4C  7C871311  kernel32.7C871311

some help on the last structure would be greatly appreciated, just locating the PORT_MESSAGE in there would be good start

This has to be the port message..

Code:



0006F9FC  00000281

0006FA00  00000287

0006FA04  00000000

0006FA08  00000000

0006FA0C  0009B158

0006FA10  0006F954

0006FA14  00000000

0006FA18  00000000

0006FA1C  0006FA28

but no client ID yet..hmm
or did i miss something...

kind regards BanMe

Woodmann

July 30th, 2010, 20:32

Howdy,

I love to see persistence

.

Sorry, thats all I got.

Woodmann

BanMe

July 31st, 2010, 16:20

Lol thnx, btw the answer to the riddle hit me the other day.. on the porch..but then I forgot the real meaning of the answer..lol

Its ok you got nothing on this, I will get to what I want eventually, thanks in part to the site.

Also I spoke with j00ru on this subject, to wit my real intentions are remote console 'Allocation' to GUI processes supplying both dynamic user input and output mechanism's using just a LPC message...but j00ru has informed me that the ClientId is filled out in the call to ZwRequestWaitReplyPort,that makes 'easily' spoofing the 'Request' a bit more diffucult.At any rate I still am going to hit every path and idea for making this work with a native(ie kernelmode)implementation.

BanMe

July 31st, 2010, 21:00

Code:



/*++



Copyright (c) 1985 - 1999, Microsoft Corporation



Module Name:



    conmsg.h



Abstract:



    This include file defines the message formats used to communicate

    between the client and server portions of the CONSOLE portion of the

    Windows subsystem.



Author:



    Therese Stowell (thereses) 10-Nov-1990



Revision History:



--*/



#ifndef _CONMSG_H_

#define _CONMSG_H_



#define CONSOLE_INPUT_HANDLE 1

#define CONSOLE_OUTPUT_HANDLE 2



// max lengths, in bytes!

#define MAX_TITLE_LENGTH ((MAX_PATH+1)*sizeof(WCHAR))

#define MAX_APP_NAME_LENGTH 256



#define INITIALIZATION_SUCCEEDED 0

#define INITIALIZATION_FAILED 1

#define NUMBER_OF_INITIALIZATION_EVENTS 2



#if defined(FE_SB) // for Kernel32 Single Binary

#include "winconp.h"  // need FONT_SELECT

#endif // FE_SB



typedef struct _CONSOLE_INFO {

    IN OUT HANDLE ConsoleHandle;

    OUT HANDLE InputWaitHandle;

    OUT HANDLE StdIn;

    OUT HANDLE StdOut;

    OUT HANDLE StdErr;

    OUT HANDLE InitEvents[NUMBER_OF_INITIALIZATION_EVENTS];

    IN UINT   iIconId;

    IN HICON  hIcon;

    IN HICON  hSmIcon;

    IN DWORD dwHotKey;

    IN DWORD dwStartupFlags;

    IN WORD  wFillAttribute OPTIONAL;

    IN WORD  wPopupFillAttribute OPTIONAL;

    IN WORD  wShowWindow OPTIONAL;

    IN WORD  wReserved OPTIONAL;

    IN COORD dwScreenBufferSize OPTIONAL;

    IN COORD dwWindowSize OPTIONAL;

    IN COORD dwWindowOrigin OPTIONAL;

    IN DWORD nFont OPTIONAL;

    IN DWORD nInputBufferSize OPTIONAL;

    IN COORD dwFontSize OPTIONAL;

    IN UINT  uFontFamily OPTIONAL;

    IN UINT  uFontWeight OPTIONAL;

    IN WCHAR FaceName[LF_FACESIZE];

    IN UINT  uCursorSize OPTIONAL;

    IN BOOL  bFullScreen OPTIONAL;

    IN BOOL  bQuickEdit  OPTIONAL;

    IN BOOL  bInsertMode OPTIONAL;

    IN BOOL  bAutoPosition OPTIONAL;

    IN UINT  uHistoryBufferSize OPTIONAL;

    IN UINT  uNumberOfHistoryBuffers OPTIONAL;

    IN BOOL  bHistoryNoDup OPTIONAL;

    IN COLORREF ColorTable[ 16 ] OPTIONAL;

#if defined(FE_SB) // for Kernel32 Single Binary

    IN UINT  uCodePage;

#endif // FE_SB

} CONSOLE_INFO, *PCONSOLE_INFO;





//

// This structure is filled in by the client prior to connecting to the CONSRV

// DLL in the Windows subsystem server.  The server DLL will fill in the OUT

// fields if prior to accepting the connection.

//



typedef struct _CONSOLE_API_CONNECTINFO {

    IN OUT CONSOLE_INFO ConsoleInfo;

    IN BOOLEAN ConsoleApp;

    IN BOOLEAN WindowVisible;

    IN LPTHREAD_START_ROUTINE CtrlRoutine;

    IN LPTHREAD_START_ROUTINE PropRoutine;

#if defined(FE_SB)

#if defined(FE_IME)

    IN LPTHREAD_START_ROUTINE ConsoleIMERoutine;

#endif // FE_IME

#endif // FE_SB

    IN DWORD TitleLength;

    IN WCHAR Title[MAX_TITLE_LENGTH/2];

    IN DWORD DesktopLength;

    IN LPWSTR Desktop;

    IN DWORD AppNameLength;

    IN WCHAR AppName[MAX_APP_NAME_LENGTH/2];

    IN DWORD CurDirLength;

    IN WCHAR CurDir[MAX_PATH+1];

} CONSOLE_API_CONNECTINFO, *PCONSOLE_API_CONNECTINFO;



//

// Message format for messages sent from the client to the server

//



typedef enum _CONSOLE_API_NUMBER {

    ConsolepOpenConsole = CONSRV_FIRST_API_NUMBER,

    ConsolepGetConsoleInput,

    ConsolepWriteConsoleInput,

    ConsolepReadConsoleOutput,

    ConsolepWriteConsoleOutput,

    ConsolepReadConsoleOutputString,

    ConsolepWriteConsoleOutputString,

    ConsolepFillConsoleOutput,

    ConsolepGetMode,

    ConsolepGetNumberOfFonts,

    ConsolepGetNumberOfInputEvents,

    ConsolepGetScreenBufferInfo,

    ConsolepGetCursorInfo,

    ConsolepGetMouseInfo,

    ConsolepGetFontInfo,

    ConsolepGetFontSize,

    ConsolepGetCurrentFont,

    ConsolepSetMode,

    ConsolepSetActiveScreenBuffer,

    ConsolepFlushInputBuffer,

    ConsolepGetLargestWindowSize,

    ConsolepSetScreenBufferSize,

    ConsolepSetCursorPosition,

    ConsolepSetCursorInfo,

    ConsolepSetWindowInfo,

    ConsolepScrollScreenBuffer,

    ConsolepSetTextAttribute,

    ConsolepSetFont,

    ConsolepSetIcon,

    ConsolepReadConsole,

    ConsolepWriteConsole,

    ConsolepDupHandle,

    ConsolepGetHandleInformation,

    ConsolepSetHandleInformation,

    ConsolepCloseHandle,

    ConsolepVerifyIoHandle,

    ConsolepAlloc,

    ConsolepFree,

    ConsolepGetTitle,

    ConsolepSetTitle,

    ConsolepCreateScreenBuffer,

    ConsolepInvalidateBitmapRect,

    ConsolepVDMOperation,

    ConsolepSetCursor,

    ConsolepShowCursor,

    ConsolepMenuControl,

    ConsolepSetPalette,

    ConsolepSetDisplayMode,

    ConsolepRegisterVDM,

    ConsolepGetHardwareState,

    ConsolepSetHardwareState,

    ConsolepGetDisplayMode,

    ConsolepAddAlias,

    ConsolepGetAlias,

    ConsolepGetAliasesLength,

    ConsolepGetAliasExesLength,

    ConsolepGetAliases,

    ConsolepGetAliasExes,

    ConsolepExpungeCommandHistory,

    ConsolepSetNumberOfCommands,

    ConsolepGetCommandHistoryLength,

    ConsolepGetCommandHistory,

    ConsolepSetCommandHistoryMode,

    ConsolepGetCP,

    ConsolepSetCP,

    ConsolepSetKeyShortcuts,

    ConsolepSetMenuClose,

    ConsolepNotifyLastClose,

    ConsolepGenerateCtrlEvent,

    ConsolepGetKeyboardLayoutName,

    ConsolepGetConsoleWindow,

#if defined(FE_SB) // for Kernel32 Single Binary

    ConsolepCharType,

    ConsolepSetLocalEUDC,

    ConsolepSetCursorMode,

    ConsolepGetCursorMode,

    ConsolepRegisterOS2,

    ConsolepSetOS2OemFormat,

#if defined(FE_IME)

    ConsolepGetNlsMode,

    ConsolepSetNlsMode,

    ConsolepRegisterConsoleIME,

    ConsolepUnregisterConsoleIME,

#endif // FE_IME

#endif // FE_SB

    ConsolepGetLangId,

    ConsolepMaxApiNumber

} CONSOLE_API_NUMBER, *PCONSOLE_API_NUMBER;



typedef struct _CONSOLE_CREATESCREENBUFFER_MSG {

    IN HANDLE ConsoleHandle;

    IN ULONG DesiredAccess;

    IN BOOL InheritHandle;

    IN ULONG ShareMode;

    IN DWORD Flags;

    IN OUT CONSOLE_GRAPHICS_BUFFER_INFO GraphicsBufferInfo;

    OUT HANDLE hMutex;

    OUT PVOID lpBitmap;

    OUT HANDLE Handle;

} CONSOLE_CREATESCREENBUFFER_MSG, *PCONSOLE_CREATESCREENBUFFER_MSG;



typedef struct _CONSOLE_OPENCONSOLE_MSG {

    IN HANDLE ConsoleHandle;

    IN ULONG HandleType;

    IN ULONG DesiredAccess;

    IN BOOL InheritHandle;

    IN ULONG ShareMode;

    OUT HANDLE Handle;

} CONSOLE_OPENCONSOLE_MSG, *PCONSOLE_OPENCONSOLE_MSG;



#define INPUT_RECORD_BUFFER_SIZE 5



typedef struct _CONSOLE_GETCONSOLEINPUT_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE InputHandle;

    OUT INPUT_RECORD Record[INPUT_RECORD_BUFFER_SIZE];

    OUT PINPUT_RECORD  BufPtr;

    IN OUT ULONG  NumRecords;   // this value is valid even for error cases

    IN USHORT Flags;

    BOOLEAN Unicode;

} CONSOLE_GETCONSOLEINPUT_MSG, *PCONSOLE_GETCONSOLEINPUT_MSG;



typedef struct _CONSOLE_WRITECONSOLEINPUT_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE InputHandle;

    IN INPUT_RECORD Record[INPUT_RECORD_BUFFER_SIZE];

    IN PINPUT_RECORD  BufPtr;

    IN OUT ULONG  NumRecords;  // this value is valid even for error cases

    BOOLEAN Unicode;

    BOOLEAN Append;

} CONSOLE_WRITECONSOLEINPUT_MSG, *PCONSOLE_WRITECONSOLEINPUT_MSG;



typedef struct _CONSOLE_READCONSOLEOUTPUT_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    OUT CHAR_INFO Char;

    OUT PCHAR_INFO BufPtr;

    IN OUT SMALL_RECT CharRegion; // this value is valid even for error cases

    BOOLEAN Unicode;

} CONSOLE_READCONSOLEOUTPUT_MSG, *PCONSOLE_READCONSOLEOUTPUT_MSG;



typedef struct _CONSOLE_WRITECONSOLEOUTPUT_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN CHAR_INFO Char;

    IN PCHAR_INFO BufPtr;

    IN OUT SMALL_RECT CharRegion; // this value is valid even for error cases

    BOOLEAN Unicode;

    BOOLEAN ReadVM;

} CONSOLE_WRITECONSOLEOUTPUT_MSG, *PCONSOLE_WRITECONSOLEOUTPUT_MSG;



#define BUFFER_SIZE 80



/*

 * WriteOutputString and ReadInputString types

 */

#define CONSOLE_ASCII             0x1

#define CONSOLE_REAL_UNICODE      0x2

#define CONSOLE_ATTRIBUTE         0x3

#define CONSOLE_FALSE_UNICODE     0x4



typedef struct _CONSOLE_READCONSOLEOUTPUTSTRING_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN COORD ReadCoord;

    IN DWORD  StringType;

    OUT WCHAR String[BUFFER_SIZE/2];

    OUT PWCHAR BufPtr;

    IN OUT ULONG NumRecords; // this value is valid even for error cases

} CONSOLE_READCONSOLEOUTPUTSTRING_MSG, *PCONSOLE_READCONSOLEOUTPUTSTRING_MSG;



typedef struct _CONSOLE_WRITECONSOLEOUTPUTSTRING_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN COORD WriteCoord;

    IN DWORD  StringType;

    OUT WCHAR String[BUFFER_SIZE/2];

    IN PWCHAR BufPtr;

    IN OUT ULONG NumRecords; // this value is valid even for error cases

} CONSOLE_WRITECONSOLEOUTPUTSTRING_MSG, *PCONSOLE_WRITECONSOLEOUTPUTSTRING_MSG;



typedef struct _CONSOLE_FILLCONSOLEOUTPUT_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN COORD WriteCoord;

    IN DWORD  ElementType;

    IN WORD Element;

    IN OUT ULONG Length; // this value is valid even for error cases

} CONSOLE_FILLCONSOLEOUTPUT_MSG, *PCONSOLE_FILLCONSOLEOUTPUT_MSG;



typedef struct _CONSOLE_MODE_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE Handle;

    IN DWORD Mode;

} CONSOLE_MODE_MSG, *PCONSOLE_MODE_MSG;



typedef struct _CONSOLE_GETNUMBEROFFONTS_MSG {

    IN HANDLE ConsoleHandle;

    OUT ULONG NumberOfFonts;

} CONSOLE_GETNUMBEROFFONTS_MSG, *PCONSOLE_GETNUMBEROFFONTS_MSG;



typedef struct _CONSOLE_GETNUMBEROFINPUTEVENTS_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE InputHandle;

    OUT DWORD ReadyEvents;

} CONSOLE_GETNUMBEROFINPUTEVENTS_MSG, *PCONSOLE_GETNUMBEROFINPUTEVENTS_MSG;



typedef struct _CONSOLE_GETLARGESTWINDOWSIZE_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    OUT COORD  Size;

} CONSOLE_GETLARGESTWINDOWSIZE_MSG, *PCONSOLE_GETLARGESTWINDOWSIZE_MSG;



typedef struct _CONSOLE_GETSCREENBUFFERINFO_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    OUT COORD Size;

    OUT COORD CursorPosition;

    OUT COORD ScrollPosition;

    OUT WORD  Attributes;

    OUT COORD CurrentWindowSize;

    OUT COORD MaximumWindowSize;

} CONSOLE_GETSCREENBUFFERINFO_MSG, *PCONSOLE_GETSCREENBUFFERINFO_MSG;



typedef struct _CONSOLE_GETCURSORINFO_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    OUT DWORD CursorSize;

    OUT BOOLEAN Visible;

} CONSOLE_GETCURSORINFO_MSG, *PCONSOLE_GETCURSORINFO_MSG;



typedef struct _CONSOLE_GETMOUSEINFO_MSG {

    IN HANDLE ConsoleHandle;

    OUT ULONG NumButtons;

} CONSOLE_GETMOUSEINFO_MSG, *PCONSOLE_GETMOUSEINFO_MSG;



typedef struct _CONSOLE_GETFONTINFO_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN BOOLEAN MaximumWindow;

    OUT PCHAR BufPtr;

    IN OUT ULONG NumFonts;  // this value is valid even for error cases

} CONSOLE_GETFONTINFO_MSG, *PCONSOLE_GETFONTINFO_MSG;



typedef struct _CONSOLE_GETFONTSIZE_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN DWORD  FontIndex;

    OUT COORD FontSize;

} CONSOLE_GETFONTSIZE_MSG, *PCONSOLE_GETFONTSIZE_MSG;



typedef struct _CONSOLE_GETCURRENTFONT_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN BOOLEAN MaximumWindow;

    OUT DWORD FontIndex;

    OUT COORD FontSize;

} CONSOLE_GETCURRENTFONT_MSG, *PCONSOLE_GETCURRENTFONT_MSG;



typedef struct _CONSOLE_SETACTIVESCREENBUFFER_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

} CONSOLE_SETACTIVESCREENBUFFER_MSG, *PCONSOLE_SETACTIVESCREENBUFFER_MSG;



typedef struct _CONSOLE_FLUSHINPUTBUFFER_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE InputHandle;

} CONSOLE_FLUSHINPUTBUFFER_MSG, *PCONSOLE_FLUSHINPUTBUFFER_MSG;



typedef struct _CONSOLE_SETSCREENBUFFERSIZE_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN COORD  Size;

} CONSOLE_SETSCREENBUFFERSIZE_MSG, *PCONSOLE_SETSCREENBUFFERSIZE_MSG;



typedef struct _CONSOLE_SETCURSORPOSITION_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN COORD  CursorPosition;

} CONSOLE_SETCURSORPOSITION_MSG, *PCONSOLE_SETCURSORPOSITION_MSG;



typedef struct _CONSOLE_SETCURSORINFO_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN DWORD  CursorSize;

    IN BOOLEAN Visible;

} CONSOLE_SETCURSORINFO_MSG, *PCONSOLE_SETCURSORINFO_MSG;



typedef struct _CONSOLE_SETWINDOWINFO_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN BOOL Absolute;

    IN SMALL_RECT Window;

} CONSOLE_SETWINDOWINFO_MSG, *PCONSOLE_SETWINDOWINFO_MSG;



typedef struct _CONSOLE_SCROLLSCREENBUFFER_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN SMALL_RECT ScrollRectangle;

    IN SMALL_RECT ClipRectangle;

    IN BOOL Clip;

    IN COORD  DestinationOrigin;

    IN CHAR_INFO Fill;

    IN BOOLEAN Unicode;

} CONSOLE_SCROLLSCREENBUFFER_MSG, *PCONSOLE_SCROLLSCREENBUFFER_MSG;



typedef struct _CONSOLE_SETTEXTATTRIBUTE_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN WORD   Attributes;

} CONSOLE_SETTEXTATTRIBUTE_MSG, *PCONSOLE_SETTEXTATTRIBUTE_MSG;



typedef struct _CONSOLE_SETFONT_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN DWORD  FontIndex;

} CONSOLE_SETFONT_MSG, *PCONSOLE_SETFONT_MSG;



typedef struct _CONSOLE_SETICON_MSG {

    IN HANDLE ConsoleHandle;

    IN HICON hIcon;

} CONSOLE_SETICON_MSG, *PCONSOLE_SETICON_MSG;



typedef struct _CONSOLE_READCONSOLE_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE InputHandle;

    IN USHORT ExeNameLength;

    IN OUT WCHAR   Buffer[BUFFER_SIZE/2];

    OUT PVOID  BufPtr;

    IN OUT ULONG  NumBytes;    // this value is valid even for error cases

    IN ULONG CaptureBufferSize;

    IN ULONG InitialNumBytes;

    IN ULONG CtrlWakeupMask;

    OUT ULONG ControlKeyState;

    IN BOOLEAN Unicode;

} CONSOLE_READCONSOLE_MSG, *PCONSOLE_READCONSOLE_MSG;



typedef struct _CONSOLE_WRITECONSOLE_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN WCHAR   Buffer[BUFFER_SIZE/2];

    IN PVOID  BufPtr;

    IN OUT ULONG  NumBytes;    // this value is valid even for error cases

    PWCHAR TransBuffer;         // used by server side only

    IN BOOLEAN BufferInMessage;

    IN BOOLEAN Unicode;

    BOOLEAN StackBuffer;        // used by server side only

    DWORD WriteFlags;           // used by server side only

} CONSOLE_WRITECONSOLE_MSG, *PCONSOLE_WRITECONSOLE_MSG;



typedef struct _CONSOLE_CLOSEHANDLE_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE Handle;

} CONSOLE_CLOSEHANDLE_MSG, *PCONSOLE_CLOSEHANDLE_MSG;



typedef struct _CONSOLE_DUPHANDLE_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE SourceHandle;

    IN DWORD  DesiredAccess;

    IN BOOLEAN InheritHandle;

    IN DWORD Options;

    OUT HANDLE TargetHandle;

} CONSOLE_DUPHANDLE_MSG, *PCONSOLE_DUPHANDLE_MSG;



typedef struct _CONSOLE_GETHANDLEINFORMATION_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE Handle;

    OUT DWORD Flags;

} CONSOLE_GETHANDLEINFORMATION_MSG, *PCONSOLE_GETHANDLEINFORMATION_MSG;



typedef struct _CONSOLE_SETHANDLEINFORMATION_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE Handle;

    IN DWORD Mask;

    IN DWORD Flags;

} CONSOLE_SETHANDLEINFORMATION_MSG, *PCONSOLE_SETHANDLEINFORMATION_MSG;



typedef struct _CONSOLE_ADDALIAS_MSG {

    HANDLE ConsoleHandle;

    USHORT SourceLength;

    USHORT TargetLength;

    USHORT ExeLength;

    PVOID Source;

    PVOID Target;

    PVOID Exe;

    BOOLEAN Unicode;

    BOOLEAN UnicodeExe;

} CONSOLE_ADDALIAS_MSG, *PCONSOLE_ADDALIAS_MSG;



typedef struct _CONSOLE_GETALIAS_MSG {

    HANDLE ConsoleHandle;

    USHORT SourceLength;

    USHORT TargetLength;

    USHORT ExeLength;

    PVOID Source;

    PVOID Target;

    PVOID Exe;

    BOOLEAN Unicode;

    BOOLEAN UnicodeExe;

} CONSOLE_GETALIAS_MSG, *PCONSOLE_GETALIAS_MSG;



typedef struct _CONSOLE_GETALIASESLENGTH_MSG {

    HANDLE ConsoleHandle;

    USHORT ExeLength;

    PVOID Exe;

    DWORD AliasesLength;

    BOOLEAN Unicode;

    BOOLEAN UnicodeExe;

} CONSOLE_GETALIASESLENGTH_MSG, *PCONSOLE_GETALIASESLENGTH_MSG;



typedef struct _CONSOLE_GETALIASEXESLENGTH_MSG {

    HANDLE ConsoleHandle;

    DWORD AliasExesLength;

    BOOLEAN Unicode;

} CONSOLE_GETALIASEXESLENGTH_MSG, *PCONSOLE_GETALIASEXESLENGTH_MSG;



typedef struct _CONSOLE_GETALIASES_MSG {

    HANDLE ConsoleHandle;

    USHORT ExeLength;

    PVOID Exe;

    BOOLEAN Unicode;

    BOOLEAN UnicodeExe;

    DWORD AliasesBufferLength;

    PVOID AliasesBuffer;

} CONSOLE_GETALIASES_MSG, *PCONSOLE_GETALIASES_MSG;



typedef struct _CONSOLE_GETALIASEXES_MSG {

    HANDLE ConsoleHandle;

    DWORD AliasExesBufferLength;

    PVOID AliasExesBuffer;

    BOOLEAN Unicode;

} CONSOLE_GETALIASEXES_MSG, *PCONSOLE_GETALIASEXES_MSG;



typedef struct _CONSOLE_EXPUNGECOMMANDHISTORY_MSG {

    HANDLE ConsoleHandle;

    USHORT ExeLength;

    PVOID Exe;

    BOOLEAN Unicode;

    BOOLEAN UnicodeExe;

} CONSOLE_EXPUNGECOMMANDHISTORY_MSG, *PCONSOLE_EXPUNGECOMMANDHISTORY_MSG;



typedef struct _CONSOLE_SETNUMBEROFCOMMANDS_MSG {

    HANDLE ConsoleHandle;

    DWORD NumCommands;

    USHORT ExeLength;

    PVOID Exe;

    BOOLEAN Unicode;

    BOOLEAN UnicodeExe;

} CONSOLE_SETNUMBEROFCOMMANDS_MSG, *PCONSOLE_SETNUMBEROFCOMMANDS_MSG;



typedef struct _CONSOLE_GETCOMMANDHISTORYLENGTH_MSG {

    HANDLE ConsoleHandle;

    DWORD CommandHistoryLength;

    USHORT ExeLength;

    PVOID Exe;

    BOOLEAN Unicode;

    BOOLEAN UnicodeExe;

} CONSOLE_GETCOMMANDHISTORYLENGTH_MSG, *PCONSOLE_GETCOMMANDHISTORYLENGTH_MSG;



typedef struct _CONSOLE_GETCOMMANDHISTORY_MSG {

    HANDLE ConsoleHandle;

    DWORD CommandBufferLength;

    PVOID CommandBuffer;

    USHORT ExeLength;

    PVOID Exe;

    BOOLEAN Unicode;

    BOOLEAN UnicodeExe;

} CONSOLE_GETCOMMANDHISTORY_MSG, *PCONSOLE_GETCOMMANDHISTORY_MSG;



typedef struct _CONSOLE_SETCOMMANDHISTORYMODE_MSG {

    HANDLE ConsoleHandle;

    DWORD Flags;

} CONSOLE_SETCOMMANDHISTORYMODE_MSG, *PCONSOLE_SETCOMMANDHISTORYMODE_MSG;



typedef struct _CONSOLE_VERIFYIOHANDLE_MSG {

    BOOL Valid;

    HANDLE ConsoleHandle;

    HANDLE Handle;

} CONSOLE_VERIFYIOHANDLE_MSG, *PCONSOLE_VERIFYIOHANDLE_MSG;



typedef struct _CONSOLE_ALLOC_MSG {

    IN PCONSOLE_INFO ConsoleInfo;

    IN DWORD TitleLength;

    IN LPWSTR Title;

    IN DWORD DesktopLength;

    IN LPWSTR Desktop;

    IN DWORD AppNameLength;

    IN LPWSTR AppName;

    IN DWORD CurDirLength;

    IN LPWSTR CurDir;

    IN LPTHREAD_START_ROUTINE CtrlRoutine;

    IN LPTHREAD_START_ROUTINE PropRoutine;

} CONSOLE_ALLOC_MSG, *PCONSOLE_ALLOC_MSG;



typedef struct _CONSOLE_FREE_MSG {

    IN HANDLE ConsoleHandle;

} CONSOLE_FREE_MSG, *PCONSOLE_FREE_MSG;



typedef struct _CONSOLE_GETTITLE_MSG {

    IN HANDLE ConsoleHandle;

    IN OUT DWORD TitleLength;

    OUT PVOID Title;

    BOOLEAN Unicode;

} CONSOLE_GETTITLE_MSG, *PCONSOLE_GETTITLE_MSG;



typedef struct _CONSOLE_SETTITLE_MSG {

    IN HANDLE ConsoleHandle;

    IN DWORD TitleLength;

    IN PVOID Title;

    BOOLEAN Unicode;

} CONSOLE_SETTITLE_MSG, *PCONSOLE_SETTITLE_MSG;



typedef struct _CONSOLE_INVALIDATERECT_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    SMALL_RECT Rect;

} CONSOLE_INVALIDATERECT_MSG, *PCONSOLE_INVALIDATERECT_MSG;



typedef struct _CONSOLE_VDM_MSG {

    IN HANDLE ConsoleHandle;

    IN DWORD  iFunction;

    OUT BOOL Bool;

    IN OUT POINT Point;

    OUT RECT Rect;

#if defined(FE_SB) && defined(i386) // for Kernel32 Single Binary

    IN OUT VDM_IOCTL_PARAM VDMIoctlParam;

#endif // FE_SB

} CONSOLE_VDM_MSG, *PCONSOLE_VDM_MSG;



typedef struct _CONSOLE_SETCURSOR_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN HCURSOR CursorHandle;

} CONSOLE_SETCURSOR_MSG, *PCONSOLE_SETCURSOR_MSG;



typedef struct _CONSOLE_SHOWCURSOR_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN BOOL bShow;

    OUT int DisplayCount;

} CONSOLE_SHOWCURSOR_MSG, *PCONSOLE_SHOWCURSOR_MSG;



typedef struct _CONSOLE_MENUCONTROL_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN UINT CommandIdLow;

    IN UINT CommandIdHigh;

    OUT HMENU hMenu;

} CONSOLE_MENUCONTROL_MSG, *PCONSOLE_MENUCONTROL_MSG;



typedef struct _CONSOLE_SETPALETTE_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN HPALETTE hPalette;

    IN UINT dwUsage;

} CONSOLE_SETPALETTE_MSG, *PCONSOLE_SETPALETTE_MSG;



typedef struct _CONSOLE_SETDISPLAYMODE_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN DWORD dwFlags;

    OUT COORD ScreenBufferDimensions;

    IN HANDLE hEvent;

} CONSOLE_SETDISPLAYMODE_MSG, *PCONSOLE_SETDISPLAYMODE_MSG;



typedef struct _CONSOLE_REGISTERVDM_MSG {

    IN HANDLE ConsoleHandle;

    IN DWORD RegisterFlags;

    IN HANDLE StartEvent;

    IN HANDLE EndEvent;

    IN LPWSTR StateSectionName;

    IN DWORD StateSectionNameLength;

    OUT ULONG StateLength;

    OUT PVOID StateBuffer;

    IN LPWSTR VDMBufferSectionName;

    IN DWORD VDMBufferSectionNameLength;

    IN COORD VDMBufferSize;

    OUT PVOID VDMBuffer;

} CONSOLE_REGISTERVDM_MSG, *PCONSOLE_REGISTERVDM_MSG;



typedef struct _CONSOLE_GETHARDWARESTATE_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    OUT COORD Resolution;

    OUT COORD FontSize;

} CONSOLE_GETHARDWARESTATE_MSG, *PCONSOLE_GETHARDWARESTATE_MSG;



typedef struct _CONSOLE_SETHARDWARESTATE_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE OutputHandle;

    IN COORD Resolution;

    IN COORD FontSize;

} CONSOLE_SETHARDWARESTATE_MSG, *PCONSOLE_SETHARDWARESTATE_MSG;



typedef struct _CONSOLE_GETDISPLAYMODE_MSG {

    IN HANDLE ConsoleHandle;

    OUT ULONG ModeFlags;

} CONSOLE_GETDISPLAYMODE_MSG, *PCONSOLE_GETDISPLAYMODE_MSG;



typedef struct _CONSOLE_GETCP_MSG {

    IN HANDLE ConsoleHandle;

    UINT wCodePageID;

    BOOL Output;

} CONSOLE_GETCP_MSG, *PCONSOLE_GETCP_MSG;



typedef struct _CONSOLE_SETCP_MSG {

    IN HANDLE ConsoleHandle;

    UINT wCodePageID;

    BOOL Output;

#if defined(FE_SB) // for Kernel32 Single Binary

    HANDLE hEvent;

#endif // FE_SB

} CONSOLE_SETCP_MSG, *PCONSOLE_SETCP_MSG;



typedef struct _CONSOLE_GETKEYBOARDLAYOUTNAME_MSG {

    IN HANDLE ConsoleHandle;

    union {

        WCHAR awchLayout[9];

        char achLayout[9];

    };

    BOOL bAnsi;

} CONSOLE_GETKEYBOARDLAYOUTNAME_MSG, *PCONSOLE_GETKEYBOARDLAYOUTNAME_MSG;



typedef struct _CONSOLE_SETKEYSHORTCUTS_MSG {

    IN HANDLE ConsoleHandle;

    BOOL Set;

    BYTE ReserveKeys;

    DWORD NumAppKeys;

    LPAPPKEY AppKeys;

} CONSOLE_SETKEYSHORTCUTS_MSG, *PCONSOLE_SETKEYSHORTCUTS_MSG;



typedef struct _CONSOLE_SETMENUCLOSE_MSG {

    IN HANDLE ConsoleHandle;

    BOOL Enable;

} CONSOLE_SETMENUCLOSE_MSG, *PCONSOLE_SETMENUCLOSE_MSG;



typedef struct _CONSOLE_NOTIFYLASTCLOSE_MSG {

    IN HANDLE ConsoleHandle;

} CONSOLE_NOTIFYLASTCLOSE_MSG, *PCONSOLE_NOTIFYLASTCLOSE_MSG;



typedef struct _CONSOLE_CTRLEVENT_MSG {

    IN HANDLE ConsoleHandle;

    IN DWORD CtrlEvent;

    IN DWORD ProcessGroupId;

} CONSOLE_CTRLEVENT_MSG, *PCONSOLE_CTRLEVENT_MSG;



#if defined(FE_SB) // for Kernel32 Single Binary

typedef struct _CONSOLE_CHAR_TYPE_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE Handle;

    IN COORD coordCheck;

    OUT DWORD dwType;

} CONSOLE_CHAR_TYPE_MSG, *PCONSOLE_CHAR_TYPE_MSG;



typedef struct _CONSOLE_LOCAL_EUDC_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE Handle;

    IN WORD CodePoint;

    IN COORD FontSize;

    IN PCHAR FontFace;

} CONSOLE_LOCAL_EUDC_MSG, *PCONSOLE_LOCAL_EUDC_MSG;



typedef struct _CONSOLE_CURSOR_MODE_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE Handle;

    IN BOOL Blink;

    IN BOOL DBEnable;

} CONSOLE_CURSOR_MODE_MSG, *PCONSOLE_CURSOR_MODE_MSG;



typedef struct _CONSOLE_REGISTEROS2_MSG {

    IN HANDLE ConsoleHandle;

    IN BOOL fOs2Register;

} CONSOLE_REGISTEROS2_MSG, *PCONSOLE_REGISTEROS2_MSG;



typedef struct _CONSOLE_SETOS2OEMFORMAT_MSG {

    IN HANDLE ConsoleHandle;

    IN BOOL fOs2OemFormat;

} CONSOLE_SETOS2OEMFORMAT_MSG, *PCONSOLE_SETOS2OEMFORMAT_MSG;



#if defined(FE_IME)

typedef struct _CONSOLE_NLS_MODE_MSG {

    IN HANDLE ConsoleHandle;

    IN HANDLE Handle;

    IN OUT BOOL Ready;

    IN DWORD NlsMode;

    IN HANDLE hEvent;

} CONSOLE_NLS_MODE_MSG, *PCONSOLE_NLS_MODE_MSG;



typedef struct _CONSOLE_REGISTER_CONSOLEIME_MSG {

    IN HANDLE ConsoleHandle;

    IN HWND hWndConsoleIME;

    IN DWORD dwConsoleIMEThreadId;

    IN DWORD DesktopLength;

    IN LPWSTR Desktop;

    OUT DWORD dwConsoleThreadId;

} CONSOLE_REGISTER_CONSOLEIME_MSG, *PCONSOLE_REGISTER_CONSOLEIME_MSG;



typedef struct _CONSOLE_UNREGISTER_CONSOLEIME_MSG {

    IN HANDLE ConsoleHandle;

    IN DWORD dwConsoleIMEThreadId;

} CONSOLE_UNREGISTER_CONSOLEIME_MSG, *PCONSOLE_UNREGISTER_CONSOLEIME_MSG;

#endif // FE_IME



#endif // FE_SB



typedef struct _CONSOLE_GETCONSOLEWINDOW_MSG {

    IN HANDLE ConsoleHandle;

    HANDLE hwnd;

} CONSOLE_GETCONSOLEWINDOW_MSG, *PCONSOLE_GETCONSOLEWINDOW_MSG;



typedef struct _CONSOLE_LANGID_MSG {

    IN HANDLE ConsoleHandle;

    OUT LANGID LangId;

} CONSOLE_LANGID_MSG, *PCONSOLE_LANGID_MSG;



typedef struct _CONSOLE_API_MSG {

    PORT_MESSAGE h;

    PCSR_CAPTURE_HEADER CaptureBuffer;

    CSR_API_NUMBER ApiNumber;

    ULONG ReturnValue;

    ULONG Reserved;

    union {

        CONSOLE_OPENCONSOLE_MSG OpenConsole;

        CONSOLE_GETCONSOLEINPUT_MSG GetConsoleInput;

        CONSOLE_WRITECONSOLEINPUT_MSG WriteConsoleInput;

        CONSOLE_READCONSOLEOUTPUT_MSG ReadConsoleOutput;

        CONSOLE_WRITECONSOLEOUTPUT_MSG WriteConsoleOutput;

        CONSOLE_READCONSOLEOUTPUTSTRING_MSG ReadConsoleOutputString;

        CONSOLE_WRITECONSOLEOUTPUTSTRING_MSG WriteConsoleOutputString;

        CONSOLE_FILLCONSOLEOUTPUT_MSG FillConsoleOutput;

        CONSOLE_MODE_MSG GetConsoleMode;

        CONSOLE_GETNUMBEROFFONTS_MSG GetNumberOfConsoleFonts;

        CONSOLE_GETNUMBEROFINPUTEVENTS_MSG GetNumberOfConsoleInputEvents;

        CONSOLE_GETSCREENBUFFERINFO_MSG GetConsoleScreenBufferInfo;

        CONSOLE_GETCURSORINFO_MSG GetConsoleCursorInfo;

        CONSOLE_GETMOUSEINFO_MSG GetConsoleMouseInfo;

        CONSOLE_GETFONTINFO_MSG GetConsoleFontInfo;

        CONSOLE_GETFONTSIZE_MSG GetConsoleFontSize;

        CONSOLE_GETCURRENTFONT_MSG GetCurrentConsoleFont;

        CONSOLE_MODE_MSG SetConsoleMode;

        CONSOLE_SETACTIVESCREENBUFFER_MSG SetConsoleActiveScreenBuffer;

        CONSOLE_FLUSHINPUTBUFFER_MSG FlushConsoleInputBuffer;

        CONSOLE_GETLARGESTWINDOWSIZE_MSG GetLargestConsoleWindowSize;

        CONSOLE_SETSCREENBUFFERSIZE_MSG SetConsoleScreenBufferSize;

        CONSOLE_SETCURSORPOSITION_MSG SetConsoleCursorPosition;

        CONSOLE_SETCURSORINFO_MSG SetConsoleCursorInfo;

        CONSOLE_SETWINDOWINFO_MSG SetConsoleWindowInfo;

        CONSOLE_SCROLLSCREENBUFFER_MSG ScrollConsoleScreenBuffer;

        CONSOLE_SETTEXTATTRIBUTE_MSG SetConsoleTextAttribute;

        CONSOLE_SETFONT_MSG SetConsoleFont;

        CONSOLE_SETICON_MSG SetConsoleIcon;

        CONSOLE_READCONSOLE_MSG ReadConsole;

        CONSOLE_WRITECONSOLE_MSG WriteConsole;

        CONSOLE_DUPHANDLE_MSG DuplicateHandle;

        CONSOLE_GETHANDLEINFORMATION_MSG GetHandleInformation;

        CONSOLE_SETHANDLEINFORMATION_MSG SetHandleInformation;

        CONSOLE_CLOSEHANDLE_MSG CloseHandle;

        CONSOLE_VERIFYIOHANDLE_MSG VerifyConsoleIoHandle;

        CONSOLE_ALLOC_MSG AllocConsole;

        CONSOLE_FREE_MSG FreeConsole;

        CONSOLE_GETTITLE_MSG GetConsoleTitle;

        CONSOLE_SETTITLE_MSG SetConsoleTitle;

        CONSOLE_CREATESCREENBUFFER_MSG CreateConsoleScreenBuffer;

        CONSOLE_INVALIDATERECT_MSG InvalidateConsoleBitmapRect;

        CONSOLE_VDM_MSG VDMConsoleOperation;

        CONSOLE_SETCURSOR_MSG SetConsoleCursor;

        CONSOLE_SHOWCURSOR_MSG ShowConsoleCursor;

        CONSOLE_MENUCONTROL_MSG ConsoleMenuControl;

        CONSOLE_SETPALETTE_MSG SetConsolePalette;

        CONSOLE_SETDISPLAYMODE_MSG SetConsoleDisplayMode;

        CONSOLE_REGISTERVDM_MSG RegisterConsoleVDM;

        CONSOLE_GETHARDWARESTATE_MSG GetConsoleHardwareState;

        CONSOLE_SETHARDWARESTATE_MSG SetConsoleHardwareState;

        CONSOLE_GETDISPLAYMODE_MSG GetConsoleDisplayMode;

        CONSOLE_ADDALIAS_MSG AddConsoleAliasW;

        CONSOLE_GETALIAS_MSG GetConsoleAliasW;

        CONSOLE_GETALIASESLENGTH_MSG GetConsoleAliasesLengthW;

        CONSOLE_GETALIASEXESLENGTH_MSG GetConsoleAliasExesLengthW;

        CONSOLE_GETALIASES_MSG GetConsoleAliasesW;

        CONSOLE_GETALIASEXES_MSG GetConsoleAliasExesW;

        CONSOLE_EXPUNGECOMMANDHISTORY_MSG ExpungeConsoleCommandHistoryW;

        CONSOLE_SETNUMBEROFCOMMANDS_MSG SetConsoleNumberOfCommandsW;

        CONSOLE_GETCOMMANDHISTORYLENGTH_MSG GetConsoleCommandHistoryLengthW;

        CONSOLE_GETCOMMANDHISTORY_MSG GetConsoleCommandHistoryW;

        CONSOLE_SETCOMMANDHISTORYMODE_MSG SetConsoleCommandHistoryMode;

        CONSOLE_GETCP_MSG GetConsoleCP;

        CONSOLE_SETCP_MSG SetConsoleCP;

        CONSOLE_SETKEYSHORTCUTS_MSG SetConsoleKeyShortcuts;

        CONSOLE_SETMENUCLOSE_MSG SetConsoleMenuClose;

        CONSOLE_NOTIFYLASTCLOSE_MSG SetLastConsoleEventActive;

        CONSOLE_CTRLEVENT_MSG GenerateConsoleCtrlEvent;

        CONSOLE_GETKEYBOARDLAYOUTNAME_MSG GetKeyboardLayoutName;

        CONSOLE_GETCONSOLEWINDOW_MSG GetConsoleWindow;

#if defined(FE_SB) // for Kernel32 Single Binary

        CONSOLE_CHAR_TYPE_MSG GetConsoleCharType;

        CONSOLE_LOCAL_EUDC_MSG SetConsoleLocalEUDC;

        CONSOLE_CURSOR_MODE_MSG SetConsoleCursorMode;

        CONSOLE_CURSOR_MODE_MSG GetConsoleCursorMode;

        CONSOLE_REGISTEROS2_MSG RegisterConsoleOS2;

        CONSOLE_SETOS2OEMFORMAT_MSG SetConsoleOS2OemFormat;

#if defined(FE_IME)

        CONSOLE_NLS_MODE_MSG GetConsoleNlsMode;

        CONSOLE_NLS_MODE_MSG SetConsoleNlsMode;

        CONSOLE_REGISTER_CONSOLEIME_MSG RegisterConsoleIME;

        CONSOLE_UNREGISTER_CONSOLEIME_MSG UnregisterConsoleIME;

#endif // FE_IME

#endif // FE_SB

        CONSOLE_LANGID_MSG GetConsoleLangId;

    } u;

} CONSOLE_API_MSG, *PCONSOLE_API_MSG;



#endif

If you dont see what this explains..
here...

Code:





typedef struct _CONSOLE_ALLOC_MSG { 

    IN PCONSOLE_INFO ConsoleInfo;

    IN DWORD TitleLength;

    IN LPWSTR Title;

    IN DWORD DesktopLength;

    IN LPWSTR Desktop;

    IN DWORD AppNameLength;

    IN LPWSTR AppName;

    IN DWORD CurDirLength;

    IN LPWSTR CurDir;

    IN LPTHREAD_START_ROUTINE CtrlRoutine;

    IN LPTHREAD_START_ROUTINE PropRoutine;

} CONSOLE_ALLOC_MSG, *PCONSOLE_ALLOC_MSG;



0006F9FC  00000281

0006FA00  00000287

0006FA04  00000000

0006FA08  00000000

0006FA0C  0009B158

0006FA10  0006F954

0006FA14  00000000

0006FA18  00000000

0006FA1C  0006FA28

0006FA20  755D3865  RETURN to msctfime.755D3865 from msctfime.755D8A2C

0006FA24  001906AC

0006FA28  00000072

0006FA2C  001907A8  UNICODE "C:\Documents and Settings\BanMe\Desktop\Olly\LOADDLL.EXE"

0006FA30  00000020

0006FA34  0019081C  UNICODE "WinSta0\Default"

0006FA38  00000018

0006FA3C  00190868  UNICODE "LOADDLL.EXE"

0006FA40  0000002A

0006FA44  0019083C  UNICODE "C:\WINDOWS\system32\"//current dir

0006FA48  7C8754B0  kernel32.7C8754B0//ctrl routine

0006FA4C  7C871311  kernel32.7C871311//prop routine

BanMe

August 8th, 2010, 13:09

All this information is good but it gets us no where, so a different approach to this, I must seek, and the option presents itself rather quickly... CsrServerCallServer..optaining a connection to ConSrv inside WinSrv before hand obviously..but code for this will have to wait until tonight.. :]

Kind regards BanMe

Indy

August 9th, 2010, 17:23

BanMe
What you do not like APIs ?
API is a wrapper around native, no need to communicate with csrss directly through ports

BanMe

August 9th, 2010, 22:02

lol, its not that I dont like API's..It's that I like finding alternative methods for doing things, or even better 'new' undocumented ways to do things..Also you might have missed the fact that im not 'really' communicating "to" csrss, just calling a functionality that is based within it using the API 'CsrServerCallServer'..but the motivation behind this is the Native IO applications(ie they except input from user)that ive seen and the lack of a way to implement from a "purely" NATIVE standpoint..making by design my implementation 'Kernel Mode' friendly.. But I enjoyed the question and definitly encourage more.

regards BanMe

Indy

August 10th, 2010, 09:23

BanMe
You have not answered my question

BanMe

August 10th, 2010, 09:35

oh.. I didnt give a concrete answer, did I..

In my current project the answer is No,I dont like bloated API 'frameworks' that need to be imported through various dll's and make slimware into bloatware...