Support NtAlpcConnectPort/NtAlpcSendWaitReceivePort #128

acheron2302 · 2025-02-07T04:34:13Z

Overview
When I tried to emulate a file with comctl32.dll, the emulator fail when tried to run through comctl32.dll entry point.

Reason
user32.dll call CsrClientConnectServer which in turn call "CsrClietnCallServer" and "NtAlpcSendWaitReceivePort" in order to get the information from csrss.exe but "handle_NtAlpcSendWaitReceivePort" hasn't been implemented to support the case.

Version of windows:
windows 11 pro (10.0.22631 build 22631)

Reproduce:
Make change to test.cpp, compile the code and run the command .\analyzer.exe -e "root" -r "registry" "C:\temp\test.exe"

bool test_tls()
{
    std::atomic_bool kill{false};
    std::atomic_uint32_t successes{0};
    constexpr uint32_t thread_count = 2;

    std::vector<std::thread> ts{};
    kill = false;

    for (size_t i = 0; i < thread_count; ++i)
    {
        ts.emplace_back([&] {
            while (!kill)
            {
                std::this_thread::yield();
            }

            if (tls_var.num == GetCurrentThreadId())
            {
                ++successes;
            }
        });
    }

    LoadLibraryA("d3dcompiler_47.dll");
    LoadLibraryA("dsound.dll");
    LoadLibraryA("comctl32.dll"); // the change is here
    /*LoadLibraryA("d3d9.dll");
    LoadLibraryA("dxgi.dll");
    LoadLibraryA("wlanapi.dll");*/

    kill = true;

    for (auto& t : ts)
    {
        if (t.joinable())
        {
            t.join();
        }
    }

    return successes == thread_count;
}

Idea for solutions
Idea 1: just port every argument when the emulator call NtAlpcSendWaitReceivePort to the real NtAlpcSendWaitReceivePort syscall.
Idea 2: Implement a specific case for NtAlpcSendWaitReceivePort of user32.dll and only emulate that case, allocate a memory buffer and copy the content of a fake NtAlpcSendWaitReceivePort to that buffer.
Idea 3 (hardest): dump csrss.exe and fully emulate NtAlpcSendWaitReceivePort.

The text was updated successfully, but these errors were encountered:

momo5502 · 2025-02-07T19:28:18Z

Can you test if it works for you now?

momo5502 · 2025-02-09T07:34:06Z

Loading comctl32.dll should work now, but NtAlpcSendWaitReceivePort does not. That will be needed sooner or later and I'm going to use this issue to track the progress

This is related to #128

momo5502 added the feature New feature or request label Feb 7, 2025

momo5502 changed the title ~~Fail to emulate comctl32.dll entry point~~ Support NtAlpcConnectPort/NtAlpcSendWaitReceivePort Feb 7, 2025

momo5502 changed the title ~~Support NtAlpcConnectPort/NtAlpcSendWaitReceivePort~~ Support loading comctl32.dll Feb 7, 2025

momo5502 linked a pull request Feb 7, 2025 that will close this issue

Support loading comctl32.dll #129

Merged

momo5502 closed this as completed in #129 Feb 7, 2025

momo5502 changed the title ~~Support loading comctl32.dll~~ Support NtAlpcConnectPort/NtAlpcSendWaitReceivePort Feb 9, 2025

momo5502 reopened this Feb 9, 2025

momo5502 added a commit that referenced this issue Feb 9, 2025

Hack to skip nls/alpc communication

8a427ec

This is related to #128

momo5502 mentioned this issue Feb 9, 2025

Hack to skip nls/alpc communication #134

Merged

momo5502 added a commit that referenced this issue Feb 9, 2025

Hack to skip nls/alpc communication (#134)

7d8ca0a

This is related to #128

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support NtAlpcConnectPort/NtAlpcSendWaitReceivePort #128

Support NtAlpcConnectPort/NtAlpcSendWaitReceivePort #128

acheron2302 commented Feb 7, 2025 •

edited

Loading

momo5502 commented Feb 7, 2025

momo5502 commented Feb 9, 2025

Support NtAlpcConnectPort/NtAlpcSendWaitReceivePort #128

Support NtAlpcConnectPort/NtAlpcSendWaitReceivePort #128

Comments

acheron2302 commented Feb 7, 2025 • edited Loading

momo5502 commented Feb 7, 2025

momo5502 commented Feb 9, 2025

acheron2302 commented Feb 7, 2025 •

edited

Loading