CsrClientCallServer: what are the parameters?

Thread in the "WASM.WIN32" section, created by user Aids, 2 Nov 2010.

  1. Aids

    Aids New Member

    Publications:
    0
    Registered:
    30 Nov 2007
    Messages:
    275
    I'm trying to create a process with the Native API in user mode. The CsrClientCallServer function returns an error.
    NT::CsrClientCallServer(&csrmsg, 0, 0x10000, 0x24); is what Nebbett's book has.
    I looked at this function under the debugger during a CreateProcessW call:
    CsrClientCallServer(&csrmsg, &arg, 0x10000, 0xB4)
    The arg is unclear. Here it is in the debugger:
    Code (Text):
    0x00010590  00000320 baadf00d 00000004 000108a8 0012fb50 0012fb58 0012fba4 0012fbc4   ....р­є....Ё...Pы..Xы..¤ы..Ды..
    0x000105B0  003a0043 0077005c 006e0069 006f0064 00730077 0073005c 00730079 00650074  C.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.
    0x000105D0  0033006d 005c0032 00610063 0063006c 0065002e 00650078 baad0000 003f005c  m.3.2.\.c.a.l.c...e.x.e...­є\.?.
    0x000105F0  005c003f 003a0043 0077005c 006e0069 006f0064 00730077 0073005c 00730079  ?.\.C.:.\.w.i.n.d.o.w.s.\.s.y.s.
    0x00010610  00650074 0033006d 005c0032 00610063 0063006c 0065002e 00650078 baad0000  t.e.m.3.2.\.c.a.l.c...e.x.e...­є
    0x00010630  baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d  .р­є.р­є.р­є.р­є.р­є.р­є.р­є.р­є
    0x00010650  baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d  .р­є.р­є.р­є.р­є.р­є.р­є.р­є.р­є
    0x00010670  baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d  .р­є.р­є.р­є.р­є.р­є.р­є.р­є.р­є
    0x00010690  baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d  .р­є.р­є.р­є.р­є.р­є.р­є.р­є.р­є
    0x000106B0  baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d  .р­є.р­є.р­є.р­є.р­є.р­є.р­є.р­є
    0x000106D0  baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d  .р­є.р­є.р­є.р­є.р­є.р­є.р­є.р­є
    0x000106F0  baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d  .р­є.р­є.р­є.р­є.р­є.р­є.р­є.р­є
    0x00010710  baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d  .р­є.р­є.р­є.р­є.р­є.р­є.р­є.р­є
    0x00010730  baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d  .р­є.р­є.р­є.р­є.р­є.р­є.р­є.р­є
    0x00010750  baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d  .р­є.р­є.р­є.р­є.р­є.р­є.р­є.р­є
    0x00010770  baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d  .р­є.р­є.р­є.р­є.р­є.р­є.р­є.р­є
    0x00010790  baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d  .р­є.р­є.р­є.р­є.р­є.р­є.р­є.р­є
    0x000107B0  baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d  .р­є.р­є.р­є.р­є.р­є.р­є.р­є.р­є
    0x000107D0  baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d baadf00d  .р­є.р­є.р­є.р­є.р­є.р­є.р­є.р­є
    0x000107F0  baadf00d baadf00d baadf00d baadf00d baadf00d baadfeee 00750072 0052002d  .р­є.р­є.р­є.р­є.р­єою­єr.u.-.R.
    0x00010810  00000055 00750072 00650000 002d006e 00530055 00650000 0000006e 00000000  U...r.u...e.n.-.U.S...e.n.......
    0x00010830  002d002d 002d002d 002d002d 002d002d 002d002d 002d002d 002d002d 002d002d  -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
    0x00010850  002d002d 002d002d 002d002d 002d002d 002d002d 002d002d 002d002d 002d002d  -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
    0x00010870  002d002d 002d002d 002d002d 002d002d 002d002d 002d002d 002d002d 002d002d  -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
    0x00010890  002d002d 002d002d 002d002d 002d002d 002d002d 0000002d baadf00d baadf00d  -.-.-.-.-.-.-.-.-.-.-....р­є.р­є
    0x000108B0  abababab abababab 00000000 00000000 a9d6c2cf 00004a29 000100c4 000100c4  ««««««««........ПВЦ©)J..Д...Д...
    0x000108D0  feeefeee feeefeee feeefeee feeefeee feeefeee feeefeee feeefeee feeefeee  оюоюоюоюоюоюоюоюоюоюоюоюоюоюоюою
    0x000108F0  feeefeee feeefeee feeefeee feeefeee feeefeee feeefeee feeefeee feeefeee  оюоюоюоюоюоюоюоюоюоюоюоюоюоюоюою
    I'm trying to decode it:
    dd 0x320    buffer size
    dd 0        can be zeroed
    dd 4
    dd adr1     address of the end of the last string in the buffer
    dd &a1      variable holding the address of the path C:\...
    dd &a2      variable holding the address of the path \??\C:\
    dd &a3      ru-RU
    dd &a4      --------

    All strings are Unicode and live in this same 0x320-byte buffer.

    My buffer looks like this:
    Code (Text):
    0x00010590  00000320 00000000 00000004 0001063e 0012f8c8 0012f8bc 0012f8b0 0012f8a4   ...........>...Иш..јш..°ш..¤ш..
    0x000105B0  003a0043 0054005c 006d0065 005c0070 00610063 0063006c 002e0031 00780065  C.:.\.T.e.m.p.\.c.a.l.c.1...e.x.
    0x000105D0  00000065 003f005c 005c003f 003a0043 0054005c 006d0065 005c0070 00610063  e...\.?.?.\.C.:.\.T.e.m.p.\.c.a.
    0x000105F0  0063006c 002e0031 00780065 00000065 00750072 0052002d 00000055 002d002d  l.c.1...e.x.e...r.u.-.R.U...-.-.
    0x00010610  002d002d 002d002d 002d002d 002d002d 002d002d 002d002d 002d002d 002d002d  -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
    0x00010630  002d002d 002d002d 002d002d 00000000 00000000 00000000 00000000 00000000  -.-.-.-.-.-.....................
    0x00010650  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x00010670  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x00010690  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x000106B0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x000106D0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x000106F0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x00010710  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x00010730  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x00010750  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x00010770  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x00010790  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x000107B0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x000107D0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x000107F0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x00010810  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x00010830  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x00010850  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x00010870  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x00010890  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  ................................
    0x000108B0  feeefeee feeefeee feeefeee feeefeee feeefeee feeefeee feeefeee feeefeee  оюоюоюоюоюоюоюоюоюоюоюоюоюоюоюою
    0x000108D0  feeefeee feeefeee feeefeee feeefeee feeefeee feeefeee feeefeee feeefeee  оюоюоюоюоюоюоюоюоюоюоюоюоюоюоюою
    0x000108F0  feeefeee feeefeee feeefeee feeefeee feeefeee feeefeee feeefeee feeefeee  оюоюоюоюоюоюоюоюоюоюоюоюоюоюоюою
    But the function still returns an error.

  2. wasm_test

    wasm_test wasm test user

    Publications:
    0
    Registered:
    24 Nov 2006
    Messages:
    5,582
    Well, you could have googled it.
    It's the CSR_CAPTURE_HEADER structure:
    typedef struct _CSR_CAPTURE_HEADER {
        ULONG Length;
        PCSR_CAPTURE_HEADER RelatedCaptureBuffer;
        ULONG CountMessagePointers;
        PCHAR FreeSpace;
        ULONG_PTR MessagePointerOffsets[1]; // Offsets within CSR_API_MSG of pointers
    } CSR_CAPTURE_HEADER, *PCSR_CAPTURE_HEADER;

    It is created by CsrAllocateCaptureBuffer.

    The strings to be passed over LPC are captured into it.
    Obviously, each service needs its own set of strings.

    See also CsrAllocateMessagePointer, CsrCaptureMessageBuffer.

    Here's the source for you:

    Code (Text):
    /*++

    Copyright (c) 1989  Microsoft Corporation

    Module Name:

        dllutil.c

    Abstract:

        This module contains utility procedures for the Windows Client DLL


    Author:

        Steve Wood (stevewo) 8-Oct-1990

    Revision History:

    --*/

    #include "csrdll.h"

    NTSTATUS
    CsrClientCallServer(
        IN OUT PCSR_API_MSG m,
        IN OUT PCSR_CAPTURE_HEADER CaptureBuffer OPTIONAL,
        IN CSR_API_NUMBER ApiNumber,
        IN ULONG ArgLength
        )

    /*++

    Routine Description:

        This function sends an API request to the Windows Emulation Subsystem
        Server and waits for a reply.

    Arguments:

        m - Pointer to the API request message to send.

        CaptureBuffer - Optional pointer to a capture buffer located in the
            Port Memory section that contains additional data being sent
            to the server.  Since Port Memory is also visible to the server,
            no data needs to be copied, but pointers to locations within the
            capture buffer need to be converted into pointers valid in the
            server's process context, since the server's view of the Port Memory
            is not at the same virtual address as the client's view.

        ApiNumber - Small integer that is the number of the API being called.

        ArgLength - Length, in bytes, of the argument portion located at the
            end of the request message.  Used to calculate the length of the
            request message.

    Return Value:

        Status Code from either client or server

    --*/

    {
        NTSTATUS Status;
        PULONG_PTR PointerOffsets;
        ULONG CountPointers;
        ULONG_PTR Pointer;

        //
        // Initialize the header of the message.
        //

        if ((LONG)ArgLength < 0) {
            ArgLength = (ULONG)(-(LONG)ArgLength);
            m->h.u2.s2.Type = 0;
            }
        else {
            m->h.u2.ZeroInit = 0;
            }

        ArgLength |= (ArgLength << 16);
        ArgLength +=     ((sizeof( CSR_API_MSG ) - sizeof( m->u )) << 16) |
                         (FIELD_OFFSET( CSR_API_MSG, u ) - sizeof( m->h ));
        m->h.u1.Length = ArgLength;
        m->CaptureBuffer = NULL;
        m->ApiNumber = ApiNumber;

        //
        // if the caller is within the server process, do the API call directly
        // and skip the capture buffer fixups and LPC call.
        //

        if (CsrServerProcess == FALSE) {

            //
            // If the CaptureBuffer argument is present, then there is data located
            // in the Port Memory section that is being passed to the server.  All
            // Port Memory pointers need to be converted so they are valid in the
            // Server's view of the Port Memory.
            //

            if (ARGUMENT_PRESENT( CaptureBuffer )) {
                //
                // Store a pointer to the capture buffer in the message that is valid
                // in the server process's context.
                //

                m->CaptureBuffer = (PCSR_CAPTURE_HEADER)
                    ((PCHAR)CaptureBuffer + CsrPortMemoryRemoteDelta);

                //
                // Mark the fact that we are done allocating space from the end of
                // the capture buffer.
                //

                CaptureBuffer->FreeSpace = NULL;

                //
                // Loop over all of the pointers to Port Memory within the message
                // itself and convert them into server pointers.  Also, convert
                // the pointers to pointers into offsets.
                //

                PointerOffsets = CaptureBuffer->MessagePointerOffsets;
                CountPointers = CaptureBuffer->CountMessagePointers;
                while (CountPointers--) {
                    Pointer = *PointerOffsets++;
                    if (Pointer != 0) {
                        *(PULONG_PTR)Pointer += CsrPortMemoryRemoteDelta;
                        PointerOffsets[ -1 ] = Pointer - (ULONG_PTR)m;
                        }
                    }
                }

            //
            // Send the request to the server and wait for a reply.  The wait is
            // NOT alertable, because ? FIX,FIX
            //

            Status = NtRequestWaitReplyPort( CsrPortHandle,
                                             (PPORT_MESSAGE)m,
                                             (PPORT_MESSAGE)m
                                           );
            //
            // If the CaptureBuffer argument is present then reverse what we did
            // to the pointers above so that the client side code can use them
            // again.
            //

            if (ARGUMENT_PRESENT( CaptureBuffer )) {
                //
                // Convert the capture buffer pointer back to a client pointer.
                //

                m->CaptureBuffer = (PCSR_CAPTURE_HEADER)
                    ((PCHAR)m->CaptureBuffer - CsrPortMemoryRemoteDelta);

                //
                // Loop over all of the pointers to Port Memory within the message
                // itself and convert them into client pointers.  Also, convert
                // the offsets pointers to pointers into back into pointers
                //

                PointerOffsets = CaptureBuffer->MessagePointerOffsets;
                CountPointers = CaptureBuffer->CountMessagePointers;
                while (CountPointers--) {
                    Pointer = *PointerOffsets++;
                    if (Pointer != 0) {
                        Pointer += (ULONG_PTR)m;
                        PointerOffsets[ -1 ] = Pointer;
                        *(PULONG_PTR)Pointer -= CsrPortMemoryRemoteDelta;
                        }
                    }
                }

            //
            // Check for failed status and do something.
            //
            if (!NT_SUCCESS( Status )) {
                IF_DEBUG {
                    if (Status != STATUS_PORT_DISCONNECTED &&
                        Status != STATUS_INVALID_HANDLE
                       ) {
                        DbgPrint( "CSRDLL: NtRequestWaitReplyPort failed - Status == %X\n",
                                  Status
                                );
                        }
                    }

                m->ReturnValue = Status;
                }
            }
        else {
            m->h.ClientId = NtCurrentTeb()->ClientId;
            Status = (CsrServerApiRoutine)((PCSR_API_MSG)m,
                                           (PCSR_API_MSG)m
                                          );

            //
            // Check for failed status and do something.
            //

            if (!NT_SUCCESS( Status )) {
                IF_DEBUG {
                    DbgPrint( "CSRDLL: Server side client call failed - Status == %X\n",
                              Status
                            );
                    }

                m->ReturnValue = Status;
                }
            }

        //
        // The value of this function is whatever the server function returned.
        //

        return( m->ReturnValue );
    }


    PCSR_CAPTURE_HEADER
    CsrAllocateCaptureBuffer(
        IN ULONG CountMessagePointers,
        IN ULONG Size
        )

    /*++

    Routine Description:

        This function allocates a buffer from the Port Memory section for
        use by the client in capture arguments into Port Memory.  In addition to
        specifying the size of the data that needs to be captured, the caller
        needs to specify how many pointers to captured data will be passed.
        Pointers can be located in either the request message itself, and/or
        the capture buffer.

    Arguments:

        CountMessagePointers - Number of pointers within the request message
            that will point to locations within the allocated capture buffer.

        Size - Total size of the data that will be captured into the capture
            buffer.

    Return Value:

        A pointer to the capture buffer header.

    --*/

    {
        PCSR_CAPTURE_HEADER CaptureBuffer;
        ULONG CountPointers;

        //
        // Calculate the total number of pointers that will be passed
        //

        CountPointers = CountMessagePointers;

        //
        // Calculate the total size of the capture buffer.  This includes the
        // header, the array of pointer offsets and the data length.  We round
        // the data length to a 32-bit boundary, assuming that each pointer
        // points to data whose length is not aligned on a 32-bit boundary.
        //

        if (Size >= MAXLONG) {
            //
            // Bail early if too big
            //
            return NULL;
            }
        Size += FIELD_OFFSET(CSR_CAPTURE_HEADER, MessagePointerOffsets) + (CountPointers * sizeof( PVOID ));
        Size = (Size + (3 * (CountPointers+1))) & ~3;

        //
        // Allocate the capture buffer from the Port Memory Heap.
        //

        CaptureBuffer = RtlAllocateHeap( CsrPortHeap, MAKE_CSRPORT_TAG( CAPTURE_TAG ), Size );
        if (CaptureBuffer == NULL) {

            //
            // FIX, FIX - need to attempt the receive lost reply messages to
            // to see if they contain CaptureBuffer pointers that can be freed.
            //

            return( NULL );
        }

        //
        // Initialize the capture buffer header
        //

        CaptureBuffer->Length = Size;
        CaptureBuffer->CountMessagePointers = 0;

        //
        // If there are pointers being passed then initialize the arrays of
        // pointer offsets to zero.  In either case set the free space pointer
        // in the capture buffer header to point to the first 32-bit aligned
        // location after the header, the arrays of pointer offsets are considered
        // part of the header.
        //

        RtlZeroMemory( CaptureBuffer->MessagePointerOffsets,
                       CountPointers * sizeof( ULONG_PTR )
                     );

        CaptureBuffer->FreeSpace = (PCHAR)
            (CaptureBuffer->MessagePointerOffsets + CountPointers);

        //
        // Returned the address of the capture buffer.
        //

        return( CaptureBuffer );
    }


    VOID
    CsrFreeCaptureBuffer(
        IN PCSR_CAPTURE_HEADER CaptureBuffer
        )

    /*++

    Routine Description:

        This function frees a capture buffer allocated by CsrAllocateCaptureBuffer.

    Arguments:

        CaptureBuffer - Pointer to a capture buffer allocated by
            CsrAllocateCaptureBuffer.

    Return Value:

        None.

    --*/

    {
        //
        // Free the capture buffer back to the Port Memory heap.
        //

        RtlFreeHeap( CsrPortHeap, 0, CaptureBuffer );
    }


    ULONG
    CsrAllocateMessagePointer(
        IN OUT PCSR_CAPTURE_HEADER CaptureBuffer,
        IN ULONG Length,
        OUT PVOID *Pointer
        )

    /*++

    Routine Description:

        This function allocates space from the capture buffer along with a
        pointer to point to it.  The pointer is presumed to be located in
        the request message structure.

    Arguments:

        CaptureBuffer - Pointer to a capture buffer allocated by
            CsrAllocateCaptureBuffer.

        Length - Size of data being allocated from the capture buffer.

        Pointer - Address of the pointer within the request message that
            is to point to the space allocated out of the capture buffer.

    Return Value:

        The actual length of the buffer allocated, after it has been rounded
        up to a multiple of 4.

    --*/

    {
        if (Length == 0) {
            *Pointer = NULL;
            Pointer = NULL;
            }

        else {

            //
            // Set the returned pointer value to point to the next free byte in
            // the capture buffer.
            //

            *Pointer = CaptureBuffer->FreeSpace;

            //
            // Round the length up to a multiple of 4
            //

            if (Length >= MAXLONG) {
                //
                // Bail early if too big
                //
                return 0;
                }

            Length = (Length + 3) & ~3;

            //
            // Update the free space pointer to point to the next available byte
            // in the capture buffer.
            //

            CaptureBuffer->FreeSpace += Length;
            }


        //
        // Remember the location of this pointer so that CsrClientCallServer can
        // convert it into a server pointer prior to sending the request to
        // the server.
        //

        CaptureBuffer->MessagePointerOffsets[ CaptureBuffer->CountMessagePointers++ ] =
            (ULONG_PTR)Pointer;

        //
        // Returned the actual length allocated.
        //

        return( Length );
    }


    VOID
    CsrCaptureMessageBuffer(
        IN OUT PCSR_CAPTURE_HEADER CaptureBuffer,
        IN PVOID Buffer OPTIONAL,
        IN ULONG Length,
        OUT PVOID *CapturedBuffer
        )

    /*++

    Routine Description:

        This function captures an ASCII string into a counted string data
        structure located in an API request message.

    Arguments:

        CaptureBuffer - Pointer to a capture buffer allocated by
            CsrAllocateCaptureBuffer.

        Buffer - Optional pointer to the buffer.  If this parameter is
            not present, then the counted string data structure is set to
            the null string and no space is allocated from the capture
            buffer.

        Length - Length of the buffer.

        CaptureString - Pointer to the field in the message that will
            be filled in to point to the capture buffer.

    Return Value:

        None.

    --*/

    {
        //
        // Set the length fields of the captured string structure and allocated
        // the Length for the string from the capture buffer.
        //

        CsrAllocateMessagePointer( CaptureBuffer,
                                   Length,
                                   CapturedBuffer
                                 );

        //
        // If Buffer parameter is not present or the length of the data is zero,
        // return.
        //

        if (!ARGUMENT_PRESENT( Buffer ) || (Length == 0)) {
            return;
            }

        //
        // Copy the buffer data to the capture area.
        //

        RtlMoveMemory( *CapturedBuffer, Buffer, Length );

        return;
    }

    VOID
    CsrCaptureMessageString(
        IN OUT PCSR_CAPTURE_HEADER CaptureBuffer,
        IN PCSTR String OPTIONAL,
        IN ULONG Length,
        IN ULONG MaximumLength,
        OUT PSTRING CapturedString
        )

    /*++

    Routine Description:

        This function captures an ASCII string into a counted string data
        structure located in an API request message.

    Arguments:

        CaptureBuffer - Pointer to a capture buffer allocated by
            CsrAllocateCaptureBuffer.

        String - Optional pointer to the ASCII string.  If this parameter is
            not present, then the counted string data structure is set to
            the null string and no space is allocated from the capture
            buffer.

        Length - Length of the ASCII string.

        MaximumLength - Maximum length of the string.  Different for null
            terminated strings, where Length does not include the null and
            MaximumLength does.

        CaptureString - Pointer to the counted string data structure that will
            be filled in to point to the capture ASCII string.

    Return Value:

        None.

    --*/

    {
        //
        // If String parameter is not present, then set the captured string
        // to be the null string and returned.
        //

        if (!ARGUMENT_PRESENT( String )) {
            CapturedString->Length = 0;
            CapturedString->MaximumLength = (USHORT)MaximumLength;
            CsrAllocateMessagePointer( CaptureBuffer,
                                       MaximumLength,
                                       (PVOID *)&CapturedString->Buffer
                                     );
            return;
            }

        //
        // Set the length fields of the captured string structure and allocated
        // the MaximumLength for the string from the capture buffer.
        //

        CapturedString->Length = (USHORT)Length;
        CapturedString->MaximumLength = (USHORT)
            CsrAllocateMessagePointer( CaptureBuffer,
                                       MaximumLength,
                                       (PVOID *)&CapturedString->Buffer
                                     );
        //
        // If the Length of the ASCII string is non-zero then move it to the
        // capture area.
        //

        if (Length != 0) {
            RtlMoveMemory( CapturedString->Buffer, String, MaximumLength );
            if (CapturedString->Length < CapturedString->MaximumLength) {
                CapturedString->Buffer[ CapturedString->Length ] = '\0';
                }
            }

        return;
    }



    PLARGE_INTEGER
    CsrCaptureTimeout(
        IN ULONG MilliSeconds,
        OUT PLARGE_INTEGER Timeout
        )
    {
        if (MilliSeconds == -1) {
            return( NULL );
            }
        else {
            Timeout->QuadPart = Int32x32To64( MilliSeconds, -10000 );
            return( (PLARGE_INTEGER)Timeout );
            }
    }

    VOID
    CsrProbeForWrite(
        IN PVOID Address,
        IN ULONG Length,
        IN ULONG Alignment
        )

    /*++

    Routine Description:

        This function probes a structure for read accessibility.
        If the structure is not accessible, then an exception is raised.

    Arguments:

        Address - Supplies a pointer to the structure to be probed.

        Length - Supplies the length of the structure.

        Alignment - Supplies the required alignment of the structure expressed
            as the number of bytes in the primitive datatype (e.g., 1 for char,
            2 for short, 4 for long, and 8 for quad).

    Return Value:

        None.

    --*/

    {
        volatile CHAR *StartAddress;
        volatile CHAR *EndAddress;
        CHAR Temp;

        //
        // If the structure has zero length, then do not probe the structure for
        // write accessibility or alignment.
        //

        if (Length != 0) {

            //
            // If the structure is not properly aligned, then raise a data
            // misalignment exception.
            //

            ASSERT((Alignment == 1) || (Alignment == 2) ||
                   (Alignment == 4) || (Alignment == 8));
            StartAddress = (volatile CHAR *)Address;

            if (((ULONG_PTR)StartAddress & (Alignment - 1)) != 0) {
                RtlRaiseStatus(STATUS_DATATYPE_MISALIGNMENT);
            } else {
                //
                // BUG, BUG - this should not be necessary once the 386 kernel
                // makes system space inaccessable to user mode.
                //
                if ((ULONG_PTR)StartAddress > CsrNtSysInfo.MaximumUserModeAddress) {
                    RtlRaiseStatus(STATUS_ACCESS_VIOLATION);
                }

                Temp = *StartAddress;
                *StartAddress = Temp;
                EndAddress = StartAddress + Length - 1;
                Temp = *EndAddress;
                *EndAddress = Temp;
            }
        }
    }

    VOID
    CsrProbeForRead(
        IN PVOID Address,
        IN ULONG Length,
        IN ULONG Alignment
        )

    /*++

    Routine Description:

        This function probes a structure for read accessibility.
        If the structure is not accessible, then an exception is raised.

    Arguments:

        Address - Supplies a pointer to the structure to be probed.

        Length - Supplies the length of the structure.

        Alignment - Supplies the required alignment of the structure expressed
            as the number of bytes in the primitive datatype (e.g., 1 for char,
            2 for short, 4 for long, and 8 for quad).

    Return Value:

        None.

    --*/

    {
        volatile CHAR *StartAddress;
        volatile CHAR *EndAddress;
        CHAR Temp;

        //
        // If the structure has zero length, then do not probe the structure for
        // read accessibility or alignment.
        //

        if (Length != 0) {

            //
            // If the structure is not properly aligned, then raise a data
            // misalignment exception.
            //

            ASSERT((Alignment == 1) || (Alignment == 2) ||
                   (Alignment == 4) || (Alignment == 8));
    726.         StartAddress = (volatile CHAR *)Address;
    727.  
    728.         if (((ULONG_PTR)StartAddress & (Alignment - 1)) != 0) {
    729.             RtlRaiseStatus(STATUS_DATATYPE_MISALIGNMENT);
    730.         } else {
    731.             Temp = *StartAddress;
    732.             EndAddress = StartAddress + Length - 1;
    733.             Temp = *EndAddress;
    734.         }
    735.     }
    736. }
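The probe logic above, reworked as an added example (not the NT source and not the poster's code) so it can be compiled and unit-tested on any host: the same zero-length, alignment and user-mode-limit rules, returned as a status instead of raised, plus a check that the end of the range neither wraps around nor crosses the limit, which the posted routines do not make since they compare only StartAddress. probe_status, probe_range, probe_for_write and demo_buf are this example's own names, and the 32-bit limit 0x7FFEFFFF used in the checks is an assumed stand-in for CsrNtSysInfo.MaximumUserModeAddress.

```c
#include <stdint.h>
#include <stddef.h>

static char demo_buf[16]; /* constructed buffer for the stand-alone check */

/* Status codes for this example (constructed; not NTSTATUS values). */
typedef enum {
    PROBE_OK = 0,
    PROBE_BAD_ALIGNMENT,    /* Alignment is not 1, 2, 4 or 8 */
    PROBE_MISALIGNED,       /* Address is not a multiple of Alignment */
    PROBE_ABOVE_USER_LIMIT, /* range starts or ends above max_user_addr */
    PROBE_WRAPS             /* Address + Length - 1 overflows the address space */
} probe_status;

/* Pure-arithmetic validation of a client-supplied range. Same rules as
 * CsrProbeForRead/Write, plus an end-address check: the posted code only
 * compares StartAddress against MaximumUserModeAddress, so a range that
 * starts just below the limit and ends above it would pass there. */
probe_status probe_range(uintptr_t address, size_t length, unsigned alignment,
                         uintptr_t max_user_addr)
{
    if (length == 0)                     /* zero length: nothing to probe */
        return PROBE_OK;
    if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
        return PROBE_BAD_ALIGNMENT;      /* the ASSERT in the original */
    if ((address & (alignment - 1)) != 0)
        return PROBE_MISALIGNED;         /* STATUS_DATATYPE_MISALIGNMENT */
    if (address > max_user_addr)
        return PROBE_ABOVE_USER_LIMIT;   /* STATUS_ACCESS_VIOLATION */
    if ((uintptr_t)(length - 1) > UINTPTR_MAX - address)
        return PROBE_WRAPS;              /* end address would wrap around */
    if (address + (length - 1) > max_user_addr)
        return PROBE_ABOVE_USER_LIMIT;   /* end lies past the user-mode limit */
    return PROBE_OK;
}

/* Validate, then touch the first and last byte for write exactly as
 * CsrProbeForWrite does, so a fault surfaces here and not deep in the server. */
probe_status probe_for_write(void *address, size_t length, unsigned alignment,
                             uintptr_t max_user_addr)
{
    probe_status s = probe_range((uintptr_t)address, length, alignment, max_user_addr);
    if (s != PROBE_OK || length == 0)
        return s;
    volatile char *start = (volatile char *)address;
    volatile char *end = start + (length - 1);
    char t = *start; *start = t;
    t = *end;        *end = t;
    return PROBE_OK;
}
```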
     
  3. wasm_test

    wasm_test wasm test user

    Publications:
    0
    Joined:
    24 Nov 2006
    Messages:
    5.582
    Of course, the pointers have to be in CSR_API_MSG. Are they there in yours?
     
  4. Aids

    Aids New Member

    Publications:
    0
    Joined:
    30 Nov 2007
    Messages:
    275
    Thanks for the help. I'll try it now. Is dllutil.c a file from the Windows sources? Or am I mistaken? Where can I download the rest of the files?
     
  5. Aids

    Aids New Member

    Publications:
    0
    Joined:
    30 Nov 2007
    Messages:
    275
    Great
    I don't quite get which pointers are supposed to be in this structure:
    typedef struct _CSRMSG {
        PORT_MESSAGE PortMessage;
        CSRSS_MESSAGE CsrssMessage;
        PROCESS_INFORMATION ProcessInformation;
        CLIENT_ID Debugger;
        ULONG CreationFlags;
        ULONG VdmInfo[2];
    } CSRMSG, *PCSRMSG;

    That is how my first parameter is declared. I filled in only PROCESS_INFORMATION, with the thread ID, process ID and the corresponding handles. Everything else in this structure is zero.
     
  6. wasm_test

    wasm_test wasm test user

    Publications:
    0
    Joined:
    24 Nov 2006
    Messages:
    5.582
    I can open an FTP on my end, you can pull them down from there.
     
  7. Aids

    Aids New Member

    Publications:
    0
    Joined:
    30 Nov 2007
    Messages:
    275
    It turned out that my first argument was declared incorrectly.
    typedef struct _CSR_API_MSG {
        PORT_MESSAGE h;
        union {
            CSR_API_CONNECTINFO ConnectionRequest;
            struct {
                PCSR_CAPTURE_HEADER CaptureBuffer;
                CSR_API_NUMBER ApiNumber;
                ULONG ReturnValue;
                ULONG Reserved;
                union {
                    CSR_CLIENTCONNECT_MSG ClientConnect;
                    ULONG_PTR ApiMessageData[39];
                } u;
            };
        };
    } CSR_API_MSG, *PCSR_API_MSG;
    Does anyone know how to fill in this structure to start a process? For now I'm just looking at it in the debugger.
     
  8. CrystalMS

    CrystalMS New Member

    Publications:
    0
    Joined:
    20 Sep 2010
    Messages:
    51
    http://www.kernelmode.info/forum/viewtopic.php?f=15&t=40