Posts posted by GrayHot

  1. On 8/15/2023 at 8:12 PM, dadreamer said:

    Since LV 2021, hooking CfgGetDefault is not enough. There are two new classes in the mgcore library: LazyConfigValue_Bool32 and LazyConfigValue_PathRef. I assume they're introduced for faster access to the token values. I always used good ol' WinAPIOverride by Jacquelin Potier to catch API calls (including LV ones), but now it seems that it lacks some necessary functionality (e.g., custom actions on a BP hit). So I decided to adapt that Lua script.

    LVEXEPath = "C:\\Program Files (x86)\\National Instruments\\LabVIEW 2023\\LabVIEW.exe"
    MGCore = "mgcore_SH_23_3.dll"

    FoundIt = false   -- set once we have single-stepped to the RET of LoadLibraryExA
    Tracing = false   -- true while single-stepping out of LoadLibraryExA

    -- sorted string list that silently drops duplicate tokens
    list = createStringlist()
    list.Sorted = true
    list.setDuplicates(dupIgnore)

    -- attach before any dynamically loaded modules, so break on EP (last arg)
    createProcess(LVEXEPath, "", true, true)

    CfgGetDefault = getAddress("LabVIEW.CfgGetDefault")
    debug_setBreakpoint(CfgGetDefault)
    LoadLibraryExA = getAddress("kernelbase.LoadLibraryExA")
    debug_setBreakpoint(LoadLibraryExA)

    -- mgcore addresses are unknown until the DLL is mapped; they stay nil
    -- (and so never match EIP) until the LoadLibraryExA handler fills them in
    mgc_f1, mgc_f2, mgc_f3, mgc_f4 = nil, nil, nil, nil

    -- record a token once and print it the first time it is seen
    local function noteToken(token, line)
        if list.IndexOf(token) == -1 then
            list.add(token)
            print(line)
        end
    end

    function debugger_onBreakpoint()
        if EIP == CfgGetDefault then
            -- 32-bit stdcall frame: ESP+4 = 4-char type tag, ESP+8 = pointer to a
            -- Pascal string (length byte, then the chars), ESP+12 = value address
            local tType = readString(ESP+4, 4)
            local size = readBytes(readInteger(ESP+8), 1, false)
            local token = readString(readInteger(ESP+8) + 1, size)
            local addr = readInteger(ESP+12)
            noteToken(token, string.format("%s (0x%X) [%s]", token, addr, tType))
            debug_continueFromBreakpoint(co_run)
            return 1
        elseif EIP == LoadLibraryExA then
            local mod = readString(readInteger(ESP+4), 255)
            -- plain (non-pattern) find, so the '.' in the DLL name is literal
            if string.find(string.lower(mod), string.lower(MGCore), 1, true) then
                print("MGCore loaded")
                -- single-step out of the call so the DLL is fully mapped
                -- before its symbols are resolved
                Tracing = true
                debug_continueFromBreakpoint(co_stepover)
                return 1
            else
                debug_continueFromBreakpoint(co_run)
                return 1
            end
        elseif EIP == mgc_f1 then -- LazyConfigValue_Bool32::LazyConfigValue_Bool32
            local token = readString(readInteger(ESP+4), 50) -- ESP+4 = char* token name
            noteToken(token, string.format("%s [Bool]", token))
            debug_continueFromBreakpoint(co_run)
            return 1
        elseif EIP == mgc_f2 then -- LazyConfigValue_PathRef::LazyConfigValue_PathRef
            local token = readString(readInteger(ESP+4), 50)
            noteToken(token, string.format("%s [Path]", token))
            debug_continueFromBreakpoint(co_run)
            return 1
        elseif EIP == mgc_f3 then -- LazyConfigValue_Bool32::FindExposedValue
            local token = readString(readInteger(ESP+4), 50)
            noteToken(token, string.format("%s [Bool]", token))
            debug_continueFromBreakpoint(co_run)
            return 1
        elseif EIP == mgc_f4 then -- LazyConfigValue_Bool32::operator bool
            -- thiscall: ECX = this; the name pointer is read at this+4 and
            -- the 4-char type tag at this+8
            local token = readString(readInteger(ECX+4), 50)
            local tType = readString(ECX+8, 4)
            noteToken(token, string.format("%s (_) [%s]", token, tType))
            debug_continueFromBreakpoint(co_run)
            return 1
        else
            if Tracing and not FoundIt then
                -- single-step through LoadLibraryExA until its RET
                debug_continueFromBreakpoint(co_stepover)
                local extra, opcode, bytes, addy = splitDisassembledString(disassemble(EIP))
                if string.find(opcode, "ret") then
                    print(string.format("RET found as %s", opcode))
                    FoundIt = true
                    Tracing = false
                    debug_removeBreakpoint(LoadLibraryExA)
                    reinitializeSymbolhandler(true) -- pick up the freshly mapped mgcore symbols

                    mgc_f1 = getAddress("mgcore_SH_23_3.LazyConfigValue_Bool32::LazyConfigValue_Bool32")
                    debug_setBreakpoint(mgc_f1)
                    mgc_f2 = getAddress("mgcore_SH_23_3.LazyConfigValue_PathRef::LazyConfigValue_PathRef")
                    debug_setBreakpoint(mgc_f2)
                    mgc_f3 = getAddress("mgcore_SH_23_3.LazyConfigValue_Bool32::FindExposedValue")
                    debug_setBreakpoint(mgc_f3)
                    -- ! USE WITH CAUTION
                    -- This func is called THOUSANDS of times
                    -- LV becomes lagging and badly responsive
                    mgc_f4 = getAddress("mgcore_SH_23_3.LazyConfigValue_Bool32::operator bool")
                    debug_setBreakpoint(mgc_f4)
                end
                return 1
            else
                debug_continueFromBreakpoint(co_run)
                return 1
            end
        end
    end

    Not that I'm a big fan of scripting languages, plus Lua in CE acts odd sometimes, so this script is far from ideal. It also hooks only a few LazyConfigValue functions, as the rest don't really matter. Now here's what I've got.

    Launching LabVIEW:

    Creating a new VI:

    Doing various stuff in there (incl. building an EXE as the last operation):

    No new tokens on VI close or LabVIEW exit. Did I grab them all? Very unlikely. But I think tokens for the most common scenarios are on the list. And there are some interesting ones. :rolleyes:

    I think you are right, you grabbed them all.

    But over time there will be new tokens whenever there are version updates.
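The CE script above decodes a specific memory layout at each breakpoint: a 32-bit stdcall frame at CfgGetDefault (type tag at ESP+4, pointer to a Pascal-style token at ESP+8, value address at ESP+12) and a plain NUL-terminated name for the LazyConfigValue constructors. The following is an added Python model of those reads, not code from the thread or from the script's author, so the layout and the duplicate-dropping list can be checked offline. All addresses, the 0xDEADBEEF return address, the "bool" tag and the token names are constructed sample values; the real 4-char tags LabVIEW passes are not stated in the post.

```python
# Added example (not from the forum post or the CE script it quotes): an
# offline model of the stack/memory layout the Lua breakpoint handler decodes,
# so the reads at ESP+4 / ESP+8 / ESP+12 and the Pascal-string token format
# can be checked without a live LabVIEW process. All addresses, tag values and
# token names below are constructed; "bool" stands in for whatever 4-char tag
# CfgGetDefault really receives.
import struct


class FakeMemory:
    """Constructed flat 32-bit little-endian address space."""

    def __init__(self, base, size):
        self.base = base
        self.data = bytearray(size)

    def write(self, addr, raw):
        off = addr - self.base
        self.data[off:off + len(raw)] = raw

    def read(self, addr, n):
        off = addr - self.base
        if off < 0 or off + n > len(self.data):
            raise ValueError(f"read of {n} bytes at 0x{addr:X} is out of range")
        return bytes(self.data[off:off + n])

    def read_u32(self, addr):  # readInteger() in the CE script
        return struct.unpack("<I", self.read(addr, 4))[0]

    def read_pascal(self, addr):  # length byte, then that many chars
        size = self.read(addr, 1)[0]
        return self.read(addr + 1, size).decode("ascii", errors="replace")

    def read_cstring(self, addr, max_len=50):  # readString(ptr, 50): stop at NUL
        avail = self.base + len(self.data) - addr  # never read past the mapping
        raw = self.read(addr, min(max_len, avail))
        return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def decode_cfg_get_default(mem, esp):
    """CfgGetDefault entry (32-bit stdcall): ESP+0 return address,
    ESP+4 4-char type tag, ESP+8 -> Pascal-string token, ESP+12 value address."""
    t_type = mem.read(esp + 4, 4).decode("ascii", errors="replace")
    token = mem.read_pascal(mem.read_u32(esp + 8))
    addr = mem.read_u32(esp + 12)
    return token, addr, t_type


def decode_lazy_ctor(mem, esp):
    """LazyConfigValue_* constructor: ESP+4 -> NUL-terminated token name."""
    return mem.read_cstring(mem.read_u32(esp + 4))


def collect_tokens(mem, hits):
    """Replay breakpoint hits (kind, esp) and return the sorted, de-duplicated
    lines the Lua script would print (its createStringlist with dupIgnore)."""
    seen, lines = set(), []
    for kind, esp in hits:
        if kind == "CfgGetDefault":
            token, addr, t_type = decode_cfg_get_default(mem, esp)
            line = f"{token} (0x{addr:X}) [{t_type}]"
        else:  # the script prints [Bool] or [Path] here; kind carries that label
            token = decode_lazy_ctor(mem, esp)
            line = f"{token} [{kind}]"
        if token not in seen:
            seen.add(token)
            lines.append(line)
    return sorted(lines)


# --- constructed sample memory: three fake stack frames plus their strings ---
BASE = 0x00400000
MEM = FakeMemory(BASE, 96)
FRAME_A, FRAME_B, FRAME_C = BASE, BASE + 16, BASE + 32
STR_A, STR_B, STR_C = BASE + 48, BASE + 64, BASE + 80

# frames A/B: CfgGetDefault(tag, pascal_token*, value*), constructed values
MEM.write(FRAME_A, struct.pack("<I4sII", 0xDEADBEEF, b"bool", STR_A, 0x00500000))
MEM.write(FRAME_B, struct.pack("<I4sII", 0xDEADBEEF, b"bool", STR_B, 0x00500004))
# frame C: LazyConfigValue constructor(char* token)
MEM.write(FRAME_C, struct.pack("<II", 0xDEADBEEF, STR_C))
MEM.write(STR_A, bytes([11]) + b"sampleToken")
MEM.write(STR_B, bytes([10]) + b"otherToken")
MEM.write(STR_C, b"lazyToken\x00")

# frame A is hit twice, so its token must appear only once in the output
SAMPLE_HITS = [("CfgGetDefault", FRAME_A), ("CfgGetDefault", FRAME_B),
               ("CfgGetDefault", FRAME_A), ("Bool", FRAME_C)]

if __name__ == "__main__":
    for line in collect_tokens(MEM, SAMPLE_HITS):
        print(line)
```

Running the module prints the three de-duplicated lines in the same `token (0xADDR) [tag]` / `token [Bool]` shape the Lua script uses; the `read_cstring` clamp matters because `readString(ptr, 50)` in the script would otherwise walk past a string that sits near the end of a mapping.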
