I wrote a Password Filter DLL to intercept password changes and pass them off to PowerShell so it can then update our other systems… which doesn’t work. But because it’s a DLL, I can’t exactly step through the code to see why it doesn’t work. So I decided to write a little app that sets up some variables, then called a copy of the same PasswordChangeNotify() function that I was using in the DLL.
This has helped me solve a lot of the issues, but there’s still one that remains. Whenever I try to run the line that actually makes the PowerShell command line, I get this error:
Exception thrown at 0x00007FFC024113FC (ucrtbased.dll) in TestDLLOutput2.exe: 0xC0000005: Access violation reading location 0xFFFFFFFFFFFFFFFF.
I’m working in Visual Studio 2022, and here’s my code:
#include <iostream>
#include <Windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <winternl.h>
#include <string.h>
using namespace std;
NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId, PUNICODE_STRING NewPassword);
int main()
{
long IDNum = 123456;
UNICODE_STRING SupUserName;
RtlInitUnicodeString(&SupUserName, L"cyousoon");
UNICODE_STRING SupPasWrd;
RtlInitUnicodeString(&SupPasWrd, L"FunkyChicken");
NTSTATUS ReturnNum = 0;
ReturnNum = PasswordChangeNotify(&SupUserName, IDNum, &SupPasWrd);
}
NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId, PUNICODE_STRING NewPassword)
{
std::wcout << L"Running PasswordChangeNotifyn";
// Initialize pszCmdLine to nullptr
PWSTR pszCmdLine = nullptr;
int lenConstant = wcslen(L"powershell.exe SD60PWS.ps1 -Section 'ChangeNotify' -UserName -NewPassword ");
int lenUsername = wcslen(UserName->Buffer);
int lenNewPassword = wcslen(NewPassword->Buffer);
int totalLen = lenConstant + lenUsername + lenNewPassword;
// Calculate the required length for the command line
//int totalLen = _snwprintf_s(nullptr, 0, 0,
// L"powershell.exe SD60PWS.ps1 -Section 'ChangeNotify' -UserName @%wZ -NewPassword @%wZ",
// UserName->Buffer, NewPassword->Buffer);
if (totalLen > 0)
{
std::wcout << L"len > 0n";
// Allocate memory for pszCmdLine
pszCmdLine = (PWSTR)alloca((totalLen + 1) * sizeof(WCHAR));
// Format the command line
_snwprintf_s(pszCmdLine, totalLen + 1, _TRUNCATE,
L"powershell.exe SD60PWS.ps1 -Section 'ChangeNotify' -UserName @%wZ -NewPassword @%wZ",
UserName->Buffer, NewPassword->Buffer);
std::wcout << pszCmdLine << std::endl;
// Create the process
STARTUPINFO si{ sizeof(si) };
PROCESS_INFORMATION pi;
if (CreateProcessW(0, pszCmdLine, 0, 0, 0, 0, 0, 0, &si, &pi))
{
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
}
return 0;
}
If I let it run to just before the _snwprintf_s command (using Run To Cursor), everything looks ok, and here’s the values of the variables:
(Note that this is not actually code I wrote, but rather copy-paste information from hovering over the variables once execution paused. It’s just in a code block to satisfy the question editor.)
UserName = 0x00000069bd4ff888 {Length=16 MaximumLength=18 Buffer=0x00007ff7a5c8aea8 L"cyousoon" }
NewPassword = 0x00000069bd4ff8b8 {Length=24 MaximumLength=26 Buffer=0x00007ff7a5c8aec0 L"FunkyChicken" }
lenConstant = 75
lenUsername = 8
lenNewPassword = 12
totalLen = 95
pszCmdLine = 0x00000069bd4ff500 L"(98 Unicode characters, removed so this question wouldn't get marked as Spam)"
At first I though that maybe the alloca command wasn’t allocating the right amount of memory. So I started looking into it and ended up going down the rabbit hole of “alloca is OK, if called in a function, because when you return the memory is freed up automatically” and “Never use alloca! Use malloc and free instead.” then “Never use malloc/free! You need to use new/delete instead.”
So, as a test, I simplified my code to this:
NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId, PUNICODE_STRING NewPassword)
{
PWSTR pszCmdLine = nullptr;
int totalLen = wcslen(L"powershell.exe SD60PWS.ps1 -Section 'ChangeNotify' -UserName cyousoon -NewPassword FunkyChicken");
if (totalLen > 0)
{
pszCmdLine = (PWSTR)alloca((totalLen + 1) * sizeof(WCHAR));
_snwprintf_s(pszCmdLine, totalLen + 1, _TRUNCATE,
L"powershell.exe SD60PWS.ps1 -Section 'ChangeNotify' -UserName cyousoon -NewPassword FunkyChicken");
STARTUPINFO si{ sizeof(si) };
PROCESS_INFORMATION pi;
if (CreateProcessW(0, pszCmdLine, 0, 0, 0, 0, 0, 0, &si, &pi))
{
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
}
return 0;
}
This code works beautifully, but then I tried adding one of the variables back in (trying both UserName and NewPassword individually) and it didn’t matter which one I tried, they both caused the same error. (well, not exactly the same, the ‘thrown at’ number changes slightly, but the rest of the error is the same)
OK, so now I know that the error has something to do with accessing the memory for the passed variables, but I have no idea what the problem is. Are the variables not declared properly in main()? Is there something wrong with how they are passed to PasswordChangeNotify()? Is alloca really not allocating memory properly? Is there something wrong with the _snwprintf_s command?
I really appreciate any help you experts can give me. I feel like I’m so close to getting this working, but I just need a little more guidance.
Additional Notes:
In my initial DLL code, I was passing RelativeId out to the PowerShell script, just to see what it was. Then I decided to drop it, as I know it won’t be relevant to the PowerShell script anyway. However, I’m still setting up IDNum in main() and passing it to PasswordChangeNotify() because I want to emulate what Windows would do as closely as possible.
Also, I left the commented code that I was originally using to calculate the total length, for reference. It would always give me a length of 0, so I switched to figuring out individual lengths and adding them up.
Thank you