Hi all,

I need to dump the data using the debug log.

trace:winsock:WSASendTo socket 00f8, wsabuf 0x34e1e0, nbufs 1, flags 0, to (nil), tolen 0, ovl (nil), func (nil)

If I have this one, can I dump the data at 0x34e1e0 with another debug option, or do I need to change the source?

Thanks a lot,

-- 
_______________________________________________________________________________
Juan Carlos Montes Senra
INTECO-CERT
Instituto Nacional de Tecnologías de la Comunicación
email: juancarlos.montes(a)inteco.es | jcmontes(a)cert.inteco.es
Tlf. 0034 987 877 189 - ext. 532
_______________________________________________________________________________
On Tuesday, 22 January 2008 16:19:54, Juan Carlos Montes wrote:
> Hi all,
> I need to dump the data using the debug log.
> trace:winsock:WSASendTo socket 00f8, wsabuf 0x34e1e0, nbufs 1, flags 0, to (nil), tolen 0, ovl (nil), func (nil)
> If I have this one, can I dump the data at 0x34e1e0 with another debug option, or do I need to change the source?

You have to change the source, or attach a debugger and read the memory, I think.
I don't like changing the source to use all versions of Wine... but... I'll try to make a debugger to dump the memory.

So... thanks a lot.

Stefan Dösinger wrote:
> You have to change the source, or attach a debugger and read the memory, I think.
Juan Carlos Montes wrote:
> I don't like changing the source to use all versions of Wine... but...
> I'll try to make a debugger to dump the memory.
> So... thanks a lot.
>
> Stefan Dösinger wrote:
>> You have to change the source, or attach a debugger and read the memory, I think.

Could you please explain *why* you need to peek into the buffer data? Is there a mismatch between what the app intends to send to the socket and the actual wire contents of the packet? Do you have a bug opened for whatever issue the app is experiencing? It seems strange that you mention making this change for *all* versions of Wine, unless I have misunderstood your comment, or somehow you are interested in dumping the data for a reason other than debugging Wine itself.

BTW: Spanish is spoken (off the discussion list).

-- 
perl -e '$x=2.4;print sprintf("%.0f + %.0f = %.0f\n",$x,$x,$x+$x);'
I'll send you a mail detailing the process. :)

Alex Villacís Lasso wrote:
> Could you please explain *why* you need to peek into the buffer data? Is there a mismatch between what the app intends to send to the socket and the actual wire contents of the packet? [...]
Alex Villacís Lasso wrote:
> Could you please explain *why* you need to peek into the buffer data? [...]

You could add a new debugging channel, for example "winsock_buffer", that will do what you want. This channel might actually be useful for purposes other than malware scanning, as the buffers the app prepares (or receives) could reveal mistakes in data processed by Wine's implementation of functions. I suggest that you create a patch for this and send it to wine-patches. If your patch is accepted, future versions of Wine will have your required functionality added, which happens to be useful to others too.

To the rest of the list, what do you think?
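The debugging-channel approach suggested above, as an added example that is not Wine's code and not from any participant in the thread: a formatter that renders the WSABUF array of one WSASendTo/WSARecvFrom call as a hex+ASCII dump, which is what a hypothetical "winsock_buffer" channel could emit in place of the bare `wsabuf 0x34e1e0` pointer in the existing trace. The Win32 types are redefined locally so the file builds and runs outside Wine; in a real patch the text would go through `TRACE_(winsock_buffer)` guarded by `TRACE_ON(winsock_buffer)`, the macros wine/debug.h provides for a channel declared with `WINE_DECLARE_DEBUG_CHANNEL`. The function name `dump_wsabufs`, the per-buffer byte cap and the sample buffers are assumptions made for the example.

```c
/* Added example, not Wine's code: render scatter/gather socket buffers the way a
 * hypothetical "winsock_buffer" debug channel could log them. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the Win32 typedefs so the example builds outside Wine;
 * WSABUF carries the same two fields as the winsock2.h definition. */
typedef unsigned int DWORD;
typedef struct { DWORD len; char *buf; } WSABUF;

#define ROW_BYTES 16

/* Format one row as "offset  hh hh ... |ascii|"; returns chars written (snprintf semantics). */
static int format_row(char *out, size_t outlen, size_t offset,
                      const unsigned char *p, size_t n)
{
    char hex[ROW_BYTES * 3 + 1] = "";
    char ascii[ROW_BYTES + 1] = "";
    size_t i;

    for (i = 0; i < ROW_BYTES; i++) {
        if (i < n) {
            snprintf(hex + i * 3, 4, "%02x ", p[i]);
            ascii[i] = isprint(p[i]) ? (char)p[i] : '.';
        } else {
            memcpy(hex + i * 3, "   ", 4);      /* pad short rows: 3 spaces + NUL */
            ascii[i] = ' ';
        }
    }
    return snprintf(out, outlen, "%08zx  %s|%s|\n", offset, hex, ascii);
}

/* Format every buffer of one call into `out`. Each buffer is capped at
 * `max_bytes` so a large send cannot flood the log. Returns the number of
 * payload bytes rendered, or -1 if `out` is too small, `bufs` is NULL with a
 * non-zero count, or a buffer pointer is NULL while its length is non-zero
 * (the dump must never read through a bad pointer the app handed in). */
long dump_wsabufs(const char *func, const WSABUF *bufs, DWORD count,
                  size_t max_bytes, char *out, size_t outlen)
{
    size_t used, total = 0;
    DWORD i;
    int n;

    if (count && !bufs) return -1;
    n = snprintf(out, outlen, "trace:winsock_buffer:%s nbufs %u\n", func, count);
    if (n < 0 || (size_t)n >= outlen) return -1;
    used = (size_t)n;

    for (i = 0; i < count; i++) {
        size_t len = bufs[i].len, off;

        if (len && !bufs[i].buf) return -1;
        n = snprintf(out + used, outlen - used, "buf %u: %u bytes%s\n",
                     i, bufs[i].len, len > max_bytes ? " (truncated)" : "");
        if (n < 0 || (size_t)n >= outlen - used) return -1;
        used += (size_t)n;

        if (len > max_bytes) len = max_bytes;
        for (off = 0; off < len; off += ROW_BYTES) {
            size_t chunk = (len - off < ROW_BYTES) ? len - off : ROW_BYTES;
            n = format_row(out + used, outlen - used, off,
                           (const unsigned char *)bufs[i].buf + off, chunk);
            if (n < 0 || (size_t)n >= outlen - used) return -1;
            used += (size_t)n;
        }
        total += len;
    }
    return (long)total;
}

int main(void)
{
    /* Constructed sample: a two-buffer send such as a scatter/gather app would issue. */
    char hdr[] = "GET / HTTP/1.0\r\n";
    unsigned char body[] = { 0x00, 0x01, 0x02, 0xff, 'O', 'K' };
    WSABUF bufs[2] = { { sizeof(hdr) - 1, hdr }, { sizeof(body), (char *)body } };
    char out[1024];
    long n = dump_wsabufs("WSASendTo", bufs, 2, 256, out, sizeof(out));

    if (n < 0) return 1;
    fputs(out, stdout);
    return 0;
}
```

For WSARecvFrom the buffers only carry data once the call has returned, so a channel like this would format them after the call rather than at entry; for WSASendTo, at entry, before the data reaches the host socket, is the useful point. The cap keeps a verbose channel usable when an application sends large payloads.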
OK, I can make the patch. What do you need to make the new channel?

I use this code to dump:

```c
/***************************************************************************
 * Insert to dump buffers (placed inside WSASendTo; lpBuffers and
 * dwBufferCount are its parameters)
 * Inserted by Juan Carlos Montes
 * Date: 23/01/08
 */
{
    static LONG dump_seq;          /* per-process counter: GetTickCount()+rand() can
                                      give two calls the same file name */
    char file_name[MAX_PATH];
    HANDLE file;
    DWORD bytes = 0, pos;

    snprintf( file_name, sizeof(file_name), "dumps\\wsasendto_%u_%ld",
              (unsigned)GetCurrentProcessId(), (long)InterlockedIncrement( &dump_seq ) );
    file = CreateFileA( file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL );
    if (file == INVALID_HANDLE_VALUE)
        WARN( "cannot create %s, error %u\n", file_name, (unsigned)GetLastError() );
    else
    {
        for (pos = 0; pos < dwBufferCount; pos++)
            if (!WriteFile( file, lpBuffers[pos].buf, lpBuffers[pos].len, &bytes, NULL ))
                break;                 /* stop at the first failed write */
        CloseHandle( file );
        TRACE( "filename %s\n", file_name );
    }
}
/* End of insert */
```

At this time, I have dumps for WriteFile, ReadFile, WSASendTo and WSARecvFrom. But I need it for the Registry set value functions...

Do you want me to make a diff with all the changes?

Alex Villacís Lasso wrote:
> You could add a new debugging channel, for example "winsock_buffer", that will do what you want. [...]
> To the rest of the list, what do you think?
"Juan Carlos Montes" <jcmontes(a)cert.inteco.es> wrote:
> At this time, I have dumps for WriteFile, ReadFile, WSASendTo and WSARecvFrom. But I need it for the Registry set value functions...
> Do you want me to make a diff with all the changes?

This dumping feature doesn't belong in Wine; if you need it, use either specialized traffic shaping tools or add your own custom code for debugging.

-- 
Dmitry.
I'm working on a new patch to add the new channel so the buffers can be dumped.

Regards,

Dmitry Timoshkov wrote:
> This dumping feature doesn't belong in Wine; if you need it, use either specialized traffic shaping tools or add your own custom code for debugging.
participants (4):
- Alex Villacís Lasso
- Dmitry Timoshkov
- Juan Carlos Montes
- Stefan Dösinger