set_entry_point_break() uses GetModuleInformation to fetch the
address of the exe's entry point. However, just as with
lpStartAddress from the CREATE_PROCESS_DEBUG_EVENT event, the
returned address is only computed from the PE file header. It's
not actually the entry point in memory, if the executable is
relocated (ASLR). See
https://msdn.microsoft.com/en-us/library/windows/desktop/ms684229(v=vs.85).aspx
Convert this to using the info from CREATE_PROCESS_DEBUG_EVENT
combined with the offset from the PE file header's AddressOfEntryPoint
to deal with relocation.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

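The computation the commit describes, as an added example that is not Cygwin's own code: read AddressOfEntryPoint (an RVA) and the preferred ImageBase out of the PE headers, then add the RVA to the base reported by the debugger rather than to the header's ImageBase. The PE header bytes and the lpBaseOfImage value below are constructed for the example, so it runs without Windows APIs; the field offsets are those of the PE/COFF format (AddressOfEntryPoint at offset 16 of the optional header, ImageBase at offset 28 for PE32 and 24 for PE32+).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PE fields are little-endian regardless of host; read/write them bytewise. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Parse the DOS/NT headers of an image and return the entry point RVA and
   the preferred ImageBase. Returns 0 on success, -1 on malformed/truncated
   headers (every access is bounds-checked against len). */
int pe_entry_info(const uint8_t *img, size_t len, uint32_t *entry_rva, uint64_t *pref_base)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(img + 0x3c);
    /* need "PE\0\0" (4) + COFF header (20) + first 32 bytes of optional header */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 32) return -1;
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    uint16_t opt_size = rd16(nt + 4 + 16);          /* SizeOfOptionalHeader */
    const uint8_t *opt = nt + 4 + 20;
    if (opt_size < 32 || (size_t)(opt - img) + opt_size > len) return -1;
    uint16_t magic = rd16(opt);
    *entry_rva = rd32(opt + 16);                     /* AddressOfEntryPoint */
    if (magic == 0x10b)       *pref_base = rd32(opt + 28);   /* PE32  ImageBase */
    else if (magic == 0x20b)  *pref_base = rd64(opt + 24);   /* PE32+ ImageBase */
    else return -1;
    return 0;
}

/* The entry point that is actually in memory: the load base the debugger saw
   (lpBaseOfImage from CREATE_PROCESS_DEBUG_EVENT) plus the header's RVA. */
uint64_t pe_entry_in_memory(uint64_t lp_base_of_image, uint32_t entry_rva)
{
    return lp_base_of_image + entry_rva;
}

#define SAMPLE_LEN 0x200
/* Constructed minimal PE32+ header for the example; not a runnable executable. */
size_t build_sample_image(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, 0x40);                  /* e_lfanew */
    uint8_t *nt = buf + 0x40;
    memcpy(nt, "PE\0\0", 4);
    wr16(nt + 4, 0x8664);                    /* Machine: AMD64 */
    wr16(nt + 4 + 16, 0xf0);                 /* SizeOfOptionalHeader (PE32+) */
    uint8_t *opt = nt + 4 + 20;
    wr16(opt, 0x20b);                        /* Magic: PE32+ */
    wr32(opt + 16, 0x1500);                  /* AddressOfEntryPoint (RVA) */
    wr64(opt + 24, 0x140000000ULL);          /* preferred ImageBase */
    return SAMPLE_LEN;
}

/* Constructed value standing in for lpBaseOfImage of an ASLR-relocated load. */
#define SAMPLE_LP_BASE_OF_IMAGE 0x00007ff6a0b00000ULL

/* Compute both addresses for the sample: the header-only one (wrong once the
   image is relocated) and the relocated one. Returns 0 on success. */
int demo(uint64_t *header_only_entry, uint64_t *relocated_entry)
{
    uint8_t img[SAMPLE_LEN];
    size_t len = build_sample_image(img);
    uint32_t rva; uint64_t pref;
    if (pe_entry_info(img, len, &rva, &pref) != 0) return -1;
    *header_only_entry = pref + rva;
    *relocated_entry = pe_entry_in_memory(SAMPLE_LP_BASE_OF_IMAGE, rva);
    return 0;
}

int main(void)
{
    uint64_t hdr, reloc;
    if (demo(&hdr, &reloc) != 0) { puts("malformed PE header"); return 1; }
    printf("header-only entry point: 0x%llx\n", (unsigned long long)hdr);
    printf("relocated entry point:   0x%llx\n", (unsigned long long)reloc);
    return 0;
}
```

With ASLR the two addresses differ by exactly the relocation delta, which is why a breakpoint placed at the header-only address never fires; the relocated value is the one to patch the breakpoint into.
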
So far ldd terminates the inferior process as soon as some thread
is started. Apparently threads are started even from ntdll.dll
before the main thread of the application is started. As a result
the dll list is cut short since ldd terminates prematurely.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

Commit b1b46d45 introduced a regression. After redefining FIONREAD
as part of restructuring newlib/Cygwin headers, the call to ioctlsocket
in the FIONREAD branch of fhandler_socket::ioctl should have been
changed to use the Winsock definition of FIONREAD, which I neglected.
This only affects 64 bit Cygwin.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

In get_mem_values we open the process without PROCESS_VM_READ access
and are *still* able to request working set information, despite
MSDN claiming we need it for this purpose. Instead of adding this
access right, just add a comment to point this out for now.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

Using PROCESS/THREAD_QUERY_INFORMATION may limit the number of
processes/threads we can inspect depending on their integrity level.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

Always create child user window station and desktop, unless only
spawning with restricted token. Also fix formatting of a few comments
in child_info_spawn::worker.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

Convert sys_privs to const struct with TOKEN_PRIVILEGES layout.
Drop function get_system_priv_list. Just use pointer to sys_privs.
Dropping max_sys_priv from wincaps requires making sure that the
bitfield is 8 byte aligned on x86_64, otherwise gcc (5.3 only?)
apparently breaks access to the bitfield (off by 4 bytes).
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

The change introduced in commit b2867a6 contains a faulty check for
the major device number in fhandler_dev_floppy::lock_partition.
Fix this. Also fix comments.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>