LPC通信连接建立成功后,客户进程向服务进程发送消息NtReplyPort失败 错误值0xc000000d,就两个参数。不知道哪里错误了。
服务代码:
DWORD CdirveInjectDlg::NewlpcServer(LPVOID lpParam)
{
CdirveInjectDlg *pThis = (CdirveInjectDlg*)lpParam;
HANDLE hserverPort;
HANDLE hAcceptPort;
OBJECT_ATTRIBUTES oa;//此结构可以看msdn
TLPC_PORTMSG pmRecv;
TLPC_PORTMSG pmSend;
NTSTATUS status;
TCHAR outInfo[MAX_PATH] = { 0 };
do
{
//初始化Unicode字串
pThis->meRtlInitUnicodeString(&pThis->portName, L"\\RPC Control\\DEMO PORT");
//定义并填充结构体
InitializeObjectAttributes(&oa, &pThis->portName, /*0*/OBJ_CASE_INSENSITIVE| OBJ_FORCE_ACCESS_CHECK, NULL,NULL);
//创建LPC server port
status = pThis->meNtCreatePort(&hserverPort, &oa, TLPC_MAX_MSG_DATA_LENGTH,sizeof(TLPC_PORTMSG), 0);
if (!NT_SUCCESS(status)) { OutputDebugString("NtCreatePort fail\r\n");break; }
else{ OutputDebugString("NtCreatePort succeed\r\n"); }
status = pThis->meNtListenPort(hserverPort, (PPORT_MESSAGE)(&pmRecv));
if (!NT_SUCCESS(status)) { OutputDebugString("NtListenPort fail\r\n");break; }
//////连接消息
sprintf_s(outInfo, "连接消息格式\nprocessID:%08x\nthreadID%08x\nMessageType %d\nMessageSize %d\nMessageID %x\nDataSize %d\n\n",
pmRecv.header.ClientId.UniqueProcess,
pmRecv.header.ClientId.UniqueThread,
pmRecv.header.u2.s2.Type,
pmRecv.header.u1.s1.TotalLength,
pmRecv.header.MessageId,
pmRecv.header.u1.s1.DataLength);
OutputDebugString(outInfo);
sprintf_s(outInfo, "请求内容:\r\n%s\r\n", pmRecv.Data);
OutputDebugString(outInfo);
//接收连接
status = pThis->meNtAcceptConnectPort(&hAcceptPort, 0, /*&pmSend.header*/(PPORT_MESSAGE)&pmRecv, TRUE, 0, 0);
if (!NT_SUCCESS(status)) { OutputDebugString("NtAcceptConnectPort fail\r\n");break; }
else { OutputDebugString("NtAcceptConnectPort succeed\r\n");}
//唤醒客户
status = pThis->meNtCompleteConnectPort(hAcceptPort);
if (!NT_SUCCESS(status)) { OutputDebugString("NtCompleteConnectPort fail\r\n");break; }
//握手完成之后就开始循环与client通信了
while (true)
{
OutputDebugString("等待客户端消息...\r\n");
status = pThis->meNtReplyWaitReceivePort(hAcceptPort, 0, 0, (PPORT_MESSAGE)&pmRecv);
if (!NT_SUCCESS(status)) { OutputDebugString("NtReplyWaitReceivePort fail\r\n");break; }
sprintf_s(outInfo, "收到客户端%d新消息:\n%s\n", pmRecv.header.ClientId.UniqueProcess, pmRecv.Data);
OutputDebugString(outInfo);
}
} while (FALSE);
return 0;
}
//客户
DWORD ClpcclDlg::lpcthreadCL(LPVOID lpParam)
{
ClpcclDlg * pThis = (ClpcclDlg*)lpParam;
TCHAR outInfo[MAX_PATH] = { 0 };
HANDLE portServer = NULL;
SECURITY_QUALITY_OF_SERVICE SecurityQos;
NTSTATUS status;
UNICODE_STRING portName;
TLPC_PORTMSG pmRecv;
TLPC_PORTMSG pmSend;
memset(&pmSend, 0, sizeof(pmSend));
memset(&pmRecv, 0, sizeof(pmRecv));
ULONG ConnectInfoSize = sizeof(TLPC_PORTMSG);
do
{
pThis->meRtlInitUnicodeString(&portName, L"\\RPC Control\\DEMO PORT");
SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
SecurityQos.EffectiveOnly = TRUE/*FALSE*/;
SecurityQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
SecurityQos.ImpersonationLevel = SecurityImpersonation;
sprintf_s(outInfo, "connect %ws ...\r\n", portName.Buffer);
OutputDebugString(outInfo);
memcpy(pmRecv.Data,"HAOYJIP", TLPC_MAX_MSG_DATA_LENGTH);
//通过该服务,客户进程可通过名称来连接到一个服务器进程
status = pThis->meNtConnectPort(&portServer,
&(portName),
&SecurityQos,
0, // No attributes
0,
0,
(char *)&pmRecv,
&ConnectInfoSize
);
if (!NT_SUCCESS(status))
{
sprintf_s(outInfo, "NtConnectPort Failed:%x\n", status);
OutputDebugString(outInfo); break;
}
OutputDebugString("client connct port ok!\r\n");
//pmSend.h.u1.s1.DataLength = strlen("12345689")+1/*TLPC_MAX_MSG_DATA_LENGTH*/;
//pmSend.h.u1.s1.TotalLength = sizeof(PORT_MESSAGE)+ strlen("12345689")+1/*TLPC_MAX_MSG_DATA_LENGTH*/;
//pmSend.h.u2.s2.Type = LPC_REQUEST;
strcpy_s((PSTR)pmSend.Data , TLPC_MAX_MSG_DATA_LENGTH, "12345689");
//发送一个请求消息 ,并且等待此请求的应答消息
// status = pThis->meNtRequestWaitReplyPort(portServer, (PPORT_MESSAGE)&pmSend, (PPORT_MESSAGE)&pmRecv);
status = pThis->meNtReplyPort(portServer, (PPORT_MESSAGE)&pmSend);
Sleep(500000);
CloseHandle(portServer);
} while (false);
return 0;
}
[培训]科锐逆向工程师培训第53期2025年7月8日开班!
