SfcGetNextProtectedFile and WriteConsole

Started by dev_zero, May 30, 2005, 09:31:37 PM


dev_zero

Hi folks, I'm very much a newbie at programming the Windows API, and I hope some of you can help me a little with these problems.

I'm trying to make a program which prints out files which are protected by Windows with the SfcGetNextProtectedFile command and then outputs the names to the console with WriteConsole. The code is without any error checking; I debugged the program in OllyDbg and found these errors.

These are my problems:
SfcGetNextProtectedFile returns ERROR_IO_PENDING. I don't know why it does that, so I hope you can answer me on this one.
WriteConsole returns ERROR_NOT_ENOUGH_MEMORY. I don't know why it does this either, because my memory is not full.

It finds many files, as I can see them in memory in OllyDbg, but it doesn't print them in the console.

#sfc_check.asm
Invoke GetStdHandle,STD_OUTPUT_HANDLE
mov hBuffer, eax
mov pfd.FileNumber, 0
roll:
Invoke SfcGetNextProtectedFile,0,addr pfd
cmp eax, 0
jz exit
Invoke WriteConsoleW,hBuffer,addr pfd.FileName,addr pfd.FileName,offset NumOfCharsWritten,0
jmp roll
exit:
Invoke CloseHandle,hBuffer
Invoke ExitProcess,0


#sfc_check.inc
Include windows.inc
Include kernel32.inc
Include shell32.inc
Include sfc.inc

Includelib kernel32.lib
Includelib shell32.lib
Includelib sfc.lib

.data
PROTECTED_FILE_DATA STRUCT
FileName db MAX_PATH dup(0)
FileNumber dd ?
PROTECTED_FILE_DATA ENDS
pfd PROTECTED_FILE_DATA <>

hBuffer DWORD ?
NumOfCharsWritten dd ?

If you wonder why I want to write such an unusable program, I don't know why actually, I just found the function and I wanted to test it.
I'm also adding the RadASM project file so it's a little easier to assemble.

Edit: And the reason I wrote the PROTECTED_FILE_DATA structure was that I couldn't find it in masm32.

[attachment deleted by admin]

Tedd

I'm sure this doesn't help..
    Invoke WriteConsoleW,hBuffer,addr pfd.FileName,addr pfd.FileName,offset NumOfCharsWritten,0

Should it be..?

Invoke lstrlen, addr pfd.FileName
Invoke WriteConsoleW,hBuffer,addr pfd.FileName,eax,offset NumOfCharsWritten,0
No snowflake in an avalanche feels responsible.

dev_zero

Quote from: Tedd on May 31, 2005, 09:45:16 AM
I'm sure this doesn't help..
    Invoke WriteConsoleW,hBuffer,addr pfd.FileName,addr pfd.FileName,offset NumOfCharsWritten,0

Should it be..?

Invoke lstrlen, addr pfd.FileName
Invoke WriteConsoleW,hBuffer,addr pfd.FileName,eax,offset NumOfCharsWritten,0


Hehe, thanks for taking the time to try to figure out the problem. When I read your post and looked at my source code again, I noticed that it was a typing mistake on my side.
It should be:
Invoke WriteConsoleW,hBuffer,addr pfd.FileName,sizeof pfd.FileName,offset NumOfCharsWritten,0

And this leaves me with another error, but I will try debugging some more and see if I can manage to figure out this new problem.
If anyone has some time to kill, please download the source and try it out; I can't seem to find why the program behaves like it does.



[attachment deleted by admin]

Tedd

After some playing around..

I'm not entirely sure it is your code that's the problem.
I tried re-writing the whole thing, just to see if there was some tiny invisible problem (see attachment).
It seems that, depending on which directory you try to run the program from, you may 'lose' access to the console. I tried running it in the same directory as I built it, and it worked fine (though obviously there were no protected files). But in all other directories I tried, I got no output.
In all cases, you get "Started!" printed (before the call to the sfc function), but then it depends whether or not you get anything else, such as "0 files".
I'm assuming it's something to do with permissions, but I tried running as root and it seems to make no difference. Unless there's something to set for program permissions?

[attachment deleted by admin]
No snowflake in an avalanche feels responsible.

dev_zero

After looking at your code I rewrote my own, and I got almost the output I wanted. The only problem is that SfcGetNextProtectedFile returns the filename in UNICODE, so I need a macro or function which can convert the string into a string without the zero words between the characters. I don't know any macros or functions that do this.


[attachment deleted by admin]

MichaelW

I coded a version using a different structure definition and output function, and it seems to work just as it should, regardless of where I run it.

; ««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
    .486                       ; create 32 bit code
    .model flat, stdcall       ; 32 bit memory model
    option casemap :none       ; case sensitive

    include \masm32\include\windows.inc
    include \masm32\include\masm32.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\sfc.inc
    include \masm32\include\msvcrt.inc
    includelib \masm32\lib\masm32.lib
    includelib \masm32\lib\kernel32.lib
    includelib \masm32\lib\sfc.lib
    includelib \masm32\lib\msvcrt.lib
    include \masm32\macros\macros.asm

    _PROTECTED_FILE_DATA STRUCT
        FileName    WORD MAX_PATH dup(?)
        FileNumber  DWORD ?
    _PROTECTED_FILE_DATA ENDS
; ««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
    .data
        pfd _PROTECTED_FILE_DATA <>
        count dd 0
    .code
; ««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
start:
; ««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
    .REPEAT
        invoke SfcGetNextProtectedFile, NULL, ADDR pfd
        .IF eax
            invoke crt__putws, ADDR pfd.FileName
            inc   count
        .ELSE
            invoke GetLastError
            .IF eax != ERROR_NO_MORE_FILES
                mov   ebx, eax
                print chr$("unexpected error ")
                print ustr$(ebx),13,10
            .ENDIF
            .BREAK
        .ENDIF
    .UNTIL 0
    print chr$("total files : ")
    print ustr$(count),13,10
    mov   eax, input(13,10,"Press enter to exit...")
    exit
; ««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
end start


On my Windows 2000 SP4 system it returns 2459 files.


eschew obfuscation
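
The two points the thread converges on, that FileName holds 16-bit characters and that it then has to be turned into a byte string, shown as a portable C model. This is an added example, not code from any poster: the struct names `pfd_bytes`/`pfd_words`, the helpers `wide_len`, `narrow` and `fill_sample`, and the sample path are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_PATH 260
/* First post's layout: FileName reserved in bytes (db). */
struct pfd_bytes { uint8_t  FileName[MAX_PATH]; uint32_t FileNumber; };
/* MichaelW's layout: FileName reserved in 16-bit words (WORD). */
struct pfd_words { uint16_t FileName[MAX_PATH]; uint32_t FileNumber; };

/* Length in 16-bit characters, never reading past cap elements. */
size_t wide_len(const uint16_t *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != 0) n++;
    return n;
}

/* Narrow UTF-16 to single bytes; units above 0x7F become '?'. Returns the
   count written, or -1 if src is unterminated or dst is too small. */
int narrow(const uint16_t *src, size_t src_cap, char *dst, size_t dst_cap)
{
    size_t n = wide_len(src, src_cap);
    if (n == src_cap || n + 1 > dst_cap) return -1;
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i] < 0x80 ? (char)src[i] : '?';
    dst[n] = '\0';
    return (int)n;
}

/* Constructed sample: a made-up path stored as 16-bit characters. */
void fill_sample(struct pfd_words *p)
{
    const char *s = "C:\\WINNT\\system32\\kernel32.dll";
    size_t i = 0;
    for (; s[i] != '\0'; i++) p->FileName[i] = (uint8_t)s[i];
    p->FileName[i] = 0;
}

int main(void)
{
    struct pfd_words p = {0};
    char out[MAX_PATH];
    fill_sample(&p);
    printf("FileNumber offset: db=%zu WORD=%zu, characters=%zu\n",
           offsetof(struct pfd_bytes, FileNumber),
           offsetof(struct pfd_words, FileNumber), wide_len(p.FileName, MAX_PATH));
    if (narrow(p.FileName, MAX_PATH, out, sizeof out) >= 0) puts(out);
    return 0;
}
```

In a Windows program the conversion would normally go through WideCharToMultiByte; the loop here covers only the ASCII range.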