AT Command to gsm module in WM6 - Windows Mobile Development and Hacking General

Hello everyone,
This topic is not new; however, I have never seen a thread with a solution for WM6. In my case, I want to create a smartphone app that sends AT commands to the GSM modem of my HTC HD.
Apparently there is no COM2 or COM9 port open on the device (every time I tried CreateFile I got error 55, and I also checked the active device registry: no COM2 or COM9), so I use RIL_Initialize and RIL_GetSerialPortHandle to get the port. The opening and writing steps work very well; however, no data comes back, as if the modem doesn't respond.
Below is the code:
// Excerpt from the poster's function body (the enclosing function, the RIL
// callbacks and GetSerialPortHandleResult are declared outside this listing).
// Instead of opening COMx: directly it asks the RIL driver for its serial
// handle, configures the port, sends "AT+creg=2" and tries to read the reply.
RIL_Initialize(1,
ResultCallback,
NotifyCallback,
dwNotifications,
dwParam,
&RilHandle);
// NOTE(review): the RIL_Initialize result is not checked, and no
// RIL_Deinitialize appears anywhere in this excerpt.
HANDLE hCom = NULL;
char * xpos;        // unused in this excerpt
char rsltstr[5];    // unused in this excerpt
DWORD returnValue;  // unused in this excerpt
DWORD LAC;          // unused in this excerpt
DWORD CellId;       // unused in this excerpt
int bufpos;
DCB dcb;
COMMTIMEOUTS to;
DWORD nWritten;
DWORD event1;
DWORD nRead;
char outbuf[20], buf[256];       // outbuf: AT command + NUL (both commands below fit); buf: reply bytes, no byte reserved for a NUL
BYTE comdevcmd[2]= {0x84, 0x00}; // payload of the vendor IOCTL below
GetSerialPortHandleResult = RIL_GetSerialPortHandle(RilHandle,&hCom);
if (FAILED(GetSerialPortHandleResult))
{
TCHAR szString[256];
wsprintf(szString, L"Error GetSerialPortHandle, result= %d",GetSerialPortHandleResult);
MessageBox(NULL, szString, L"Error", MB_OK | MB_ICONERROR);
return 0;
}
// A NULL/INVALID_HANDLE_VALUE handle with a succeeded HRESULT is reported as
// a "CreateFile" failure, although no CreateFile is called here.
if (hCom==NULL || hCom==INVALID_HANDLE_VALUE)
{
TCHAR szBuf[80];
DWORD dw = GetLastError();
// get the most uptodate cells
_stprintf(szBuf, TEXT("CreateFile failed with error %d."), dw);
MessageBox(0, szBuf, TEXT("Error"), MB_OK);
hCom= NULL;
return -1;
}
// 115200 8N1 with DTR raised; then timeouts: a read gives up after 200 ms
// without data, a write after 20 s. NOTE(review): none of the early returns
// below releases hCom or the RIL session.
if (!GetCommState(hCom, &dcb))
{
return -2;
}
dcb.BaudRate= CBR_115200;
dcb.ByteSize= 8;
dcb.fParity= false;
dcb.StopBits= ONESTOPBIT;
if (!SetCommState(hCom, &dcb))
{
return -3;
}
if (!EscapeCommFunction(hCom, SETDTR))
{
return -4;
}
if (!GetCommTimeouts(hCom, &to))
{
return -6;
}
to.ReadIntervalTimeout= 0;
to.ReadTotalTimeoutConstant= 200;
to.ReadTotalTimeoutMultiplier= 0;
to.WriteTotalTimeoutConstant= 20000;
to.WriteTotalTimeoutMultiplier= 0;
if (!SetCommTimeouts(hCom, &to))
{
return -7;
}
if (!SetCommMask(hCom, EV_RXCHAR))
{
return -8;
}
// Vendor-specific control code with an undocumented two-byte payload; the
// same call appears in the other listings on this page. What it does is not
// documented here -- confirm against the device's driver.
if (!DeviceIoControl (hCom,0xAAAA5679L, comdevcmd,sizeof(comdevcmd),0,0,0,0))
{
TCHAR szBuf[80];
DWORD dw = GetLastError();
// get the most uptodate cells
_stprintf(szBuf, TEXT("DeviceIoControl failed with error %d."), dw);
MessageBox(NULL,szBuf, TEXT("Error"), MB_OK);
return -9;
}
bufpos = 0;
strcpy(outbuf,"AT+creg=2\r");   // 10 chars + NUL, fits outbuf[20]
if (!WriteFile(hCom, outbuf, strlen(outbuf), &nWritten, NULL))
{
return -10;
}
if (nWritten != strlen(outbuf))
{
return -11;
}
/*if (!WaitCommEvent(hCom, &event1, NULL)) // ALWAYS BLOCKED !!!
{
return -12;
}*/Sleep(500);   // stands in for the blocking WaitCommEvent: assumes the reply has arrived after 500 ms
while(1)
{
// With ReadTotalTimeoutConstant=200 a ReadFile that returns 0 bytes only
// means "nothing arrived within 200 ms"; the loop cannot tell that apart
// from end of reply, so it exits at once when the modem stays silent.
if (!ReadFile(hCom, buf+bufpos, 256 - bufpos, &nRead, NULL))
{
return -13;
}
if (nRead == 0) // ALWAYS BREAKS !!!
break;
bufpos += nRead;
if (bufpos >= 256)
break;
}
strcpy(outbuf,"AT+creg?\r");
... // Continue to write and read
As I said above, no error is returned; the read buffer is simply empty...
Any ideas ?
Thanks!

I don't know why it always gets nRead = 0, all the other steps work very well, no error return ...

I saw several discussions about this, so i do believe that someone have tried once this dev in WM5 or 6...
Therefore could anyone please share some point ?

no one has an idea ?

There's something a little bit interesting that i found out directly in the memory.
There's a sequence of responses to AT Command writing in ASCII:
@HTCCSQ:3
@HTCCSQ:4
@HTCCSQ:2
+CREG: 1,"000C","9F60" (here we has current LAC + Cell ID)
+CREG: 1,"000C","9BC7" (another LAC + Cell ID, i think it's the previous one)
+COPS: 0,2,"20820",3 (inside the "" are MCC MNC)
@HTCCSQ:3 .... (there's plenty of @HTCCSQ: coming next )
It looks like some kind of log of the RIL driver's queries to the modem (I'm not sure).
So i think the gsm modem is available for answering to the commands, just haven't figured out how to make a stream connection to it (in WM6).
Any ideas ?
Thanks.

TAPI
I heard somewhere that we can use TAPI to send some AT Command, my question is to know if we can send a custom command (for example AT+CCED) by using TAPI ?

hi,I met the same problem.Do you find the answer?
Thanks.


CreateDispatch error $800700C1 - evc4.0 Automation sample ?

Hi !
I am testing an out-of-process server on XDA II (MDA II) in eVC++ 4. I have problems
with this. If I call this in the client:
// Client-side excerpt: creates the out-of-process automation server by ProgID.
IComMDA m_ComMda;
COleException m_Error;
// Passing an explicit COleException makes CreateDispatch store the failing
// SCODE in it instead of throwing. The poster sees 0x800700C1: FACILITY_WIN32
// with code 0xC1 (193), ERROR_BAD_EXE_FORMAT in the Win32 error table, which
// suggests the server executable itself could not be loaded -- verify the
// server binary's target CPU / build before looking at the registration.
if (m_ComMda.CreateDispatch(_T("ComMDA.Document"),&m_Error))
{
AfxMessageBox(_T("CreateDispatch - TRUE"),MB_OK,0);
return TRUE;
}
else
{
AfxMessageBox(_T("CreateDispatch - FALSE"),MB_OK,0);
return FALSE;
}
the error occur
==> CreateDispatch returning scode = severity: SEVERITY_ERROR, facility:
FACILITY_WIN32 ($800700C1).
IComMDA is class created from typelibrary :
// Client-side dispatch driver generated from the ComMDA type library; wraps
// an IDispatch pointer and exposes the single method of the IComMDA interface.
class IComMDA : public COleDispatchDriver
{
public:
IComMDA() {} // Calls COleDispatchDriver default constructor
IComMDA(LPDISPATCH pDispatch) : COleDispatchDriver(pDispatch) {}   // wraps an existing IDispatch
IComMDA(const IComMDA& dispatchSrc) : COleDispatchDriver(dispatchSrc) {}   // copy-constructs from another driver
// Attributes
public:
// Operations
public:
BOOL InitInterface();   // dispid 1 in the type library below
};
interface is declared :
// Type library (ODL) for the ComMDA server. This library uuid is the value the
// registration code below passes to AfxOleRegisterTypeLib as "clsid".
[ uuid(713B5595-EF1F-4961-A179-E374E0C82903), version(1.0) ]
library ComMDA
{
importlib("stdole32.tlb");
importlib("stdole2.tlb");
// Primary dispatch interface for CComMDADoc
[ uuid(901AD61B-9974-448a-9E79-7898E0C80FFE) ]
dispinterface IComMDA
{
properties:
// NOTE - ClassWizard will maintain property information here.
// Use extreme caution when editing this section.
//{{AFX_ODL_PROP(CComMDADoc)
//}}AFX_ODL_PROP
methods:
// NOTE - ClassWizard will maintain method information here.
// Use extreme caution when editing this section.
//{{AFX_ODL_METHOD(CComMDADoc)
[id(1)] boolean InitInterface();
//}}AFX_ODL_METHOD
};
// Class information for CComMDADoc
// The coclass has its own uuid, distinct from the library uuid above; it is
// the one a CreateDispatch("ComMDA.Document") call resolves to via the ProgID.
[ uuid(E523187A-FFB7-46e9-AA64-A6CB1BEAF9BB) ]
coclass Document
{
[default] dispinterface IComMDA;
};
//{{AFX_APPEND_ODL}}
//}}AFX_APPEND_ODL}}
};
Class is registered as :
// Excerpt from the server's registration routine (MFC COleTemplateServer
// style): collects the ProgID, display names and filter strings from the
// document template, finds the template's icon index, then writes the server
// class to the registry. m_pDocTemplate, m_clsid, m_lpszProgID, nAppType,
// rglpszRegister and rglpszOverwrite are declared outside this excerpt.
CString strServerName;
CString strLocalServerName;
CString strLocalShortName;
CString strLocalFilterName;
CString strLocalFilterExt;
// The ProgID comes from the template's document string; without it there is
// nothing to register.
if (!m_pDocTemplate->GetDocString(strServerName,
CDocTemplate::regFileTypeId) || strServerName.IsEmpty())
{
return;
}
if (!m_pDocTemplate->GetDocString(strLocalServerName,
CDocTemplate::regFileTypeName))
strLocalServerName = strServerName; // use non-localized name
if (!m_pDocTemplate->GetDocString(strLocalShortName,
CDocTemplate::fileNewName))
strLocalShortName = strLocalServerName; // use long name
if (!m_pDocTemplate->GetDocString(strLocalFilterName,
CDocTemplate::filterName))
ASSERT(nAppType != OAT_DOC_OBJECT_SERVER);
if (!m_pDocTemplate->GetDocString(strLocalFilterExt,
CDocTemplate::filterExt))
ASSERT(nAppType != OAT_DOC_OBJECT_SERVER);
ASSERT(strServerName.Find(' ') == -1); // no spaces allowed
// Icon index = 1-based position of this template among the app's templates.
int nIconIndex = 0;
POSITION pos = AfxGetApp()->GetFirstDocTemplatePosition();
for (int nIndex = 1; pos != NULL; nIndex++)
{
CDocTemplate* pTemplate = AfxGetApp()->GetNextDocTemplate(pos);
if (pTemplate == m_pDocTemplate)
{
nIconIndex = nIndex;
pos = NULL; // set exit condition
}
}
BOOL bResult = FALSE;
// NOTE(review): "if (TRUE)" makes the unregister branch unreachable; this
// looks like a temporary edit of the usual bRegister flag.
if (TRUE)
{
// call global helper to modify system registry
// progid, shortname, and long name are all equal in this case
if (!(bResult = AfxOleRegisterServerClass(m_clsid, strServerName,
strLocalShortName, strLocalServerName, nAppType,
rglpszRegister, rglpszOverwrite, nIconIndex,
strLocalFilterName, strLocalFilterExt)))
{
// not fatal (don't fail just warn)
AfxMessageBox(AFX_IDP_FAILED_TO_AUTO_REGISTER);
}
}
else
{
bResult = AfxOleUnregisterServerClass(m_clsid, m_lpszProgID, m_lpszProgID,
m_lpszProgID, OAT_DISPATCH_OBJECT);
}
return;
------------------------------------------------
type library is registered as AfxOleRegisterTypeLib(AfxGetInstanceHandle(),
clsid);
where >// {713B5595-EF1F-4961-A179-E374E0C82903}
// GUID of the ComMDA type library (the uuid on its "library" block), passed
// to AfxOleRegisterTypeLib. The coclass Document uses a different GUID.
static const GUID clsid =
{ 0x713b5595, 0xef1f, 0x4961, { 0xa1, 0x79, 0xe3, 0x74, 0xe0, 0xc8, 0x29,
0x3 } };
Thanks for your help.

XDA II - GSM in which Port ?.

Hi,
Good day. I am using an O2 XDA II and want to send some data through GSM. For that I need to know which port the GSM modem is on.
So that i can Open the port(COM1 or Com2) and send the some AT commands into it.
or is there any there way to Open the GSM and send data
Kindly Let me know..
Thanks
regards,
Rajesh. S
Over GSM, you have two options; dial-up and GPRS..
None of these uses COM ports in the way that you are thinking..
GSM is located at COM2. But to enable communication with it on the XDA2 you'll need to send an IOCTL to the RIL. Here is some code from one of my test applications.
#include "stdafx.h"
// Value of one hexadecimal digit, either case. Any other character yields 15
// (a sentinel that collides with 'f'/'F'); callers that must reject bad input
// check IsHex() first.
int HexToInt(char R)
{
    const bool isDecimal = (R >= '0' && R <= '9');
    const bool isLower   = (R >= 'a' && R <= 'f');
    const bool isUpper   = (R >= 'A' && R <= 'F');
    if (isDecimal)
        return R - '0';
    if (isLower)
        return 10 + (R - 'a');
    if (isUpper)
        return 10 + (R - 'A');
    return 15;
}
// Decodes the two hex characters at R[0] and R[1] into one byte value (0..255).
int Hex2ToInt(char *R)
{
    const int high = HexToInt(R[0]);
    const int low  = HexToInt(R[1]);
    return (high * 16 + low) & 255;
}
// True for '0'-'9' and upper-case 'A'-'F' only. Lower-case hex letters are not
// accepted here, unlike HexToInt().
bool IsHex(char C)
{
    switch (C)
    {
    case '0': case '1': case '2': case '3': case '4':
    case '5': case '6': case '7': case '8': case '9':
    case 'A': case 'B': case 'C': case 'D': case 'E': case 'F':
        return true;
    default:
        return false;
    }
}
// Entry point of a test tool: opens the modem on COM2: (and the RIL device),
// repeatedly issues the vendor command "AT%TEST=D<addr>" and appends the 256
// bytes decoded from each reply to \Storage Card\dump.bin. The start address
// is the current length of that file, so an interrupted run resumes where it
// stopped. The loop at Rest: never ends on its own -- the function only
// returns on an I/O error -- so everything after the final "goto Rest;" is
// unreachable and CellId is never assigned.
int WINAPI WinMain( HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPTSTR lpCmdLine,
int nCmdShow)
{
HANDLE hCom;
char * xpos;       // unused
char rsltstr[5];   // unused
DWORD CellId;      // never assigned; only read by the unreachable return at the end
int bufpos;
DCB dcb;
COMMTIMEOUTS to;
DWORD nWritten;
DWORD event;
DWORD nRead;
static char outbuf[65536], buf[65536];   // static, presumably to keep 128 KB off the thread stack
BYTE comdevcmd[2]= {0x84, 0x00};         // payload of the vendor IOCTL below
// "c" is the MS CRT commit-mode flag. The second fopen (create) is not
// checked, so a missing or read-only storage card crashes at fseek below.
FILE *F=fopen("\\Storage Card\\dump.bin","r+bc");
if(F==0)
F=fopen("\\Storage Card\\dump.bin","w+bc");
hCom= CreateFile(L"COM2:",GENERIC_READ|GENERIC_WRITE,0,0,OPEN_EXISTING,0,0);
if (hCom==NULL || hCom==INVALID_HANDLE_VALUE)
{
hCom= NULL;
return -1;
}
// Opened but only used by the IOCTL in the unreachable tail; the commented-out
// calls below suggest a RIL data-mode switch that was tried and abandoned.
HANDLE hRil= CreateFile(L"RIL1:",GENERIC_READ|GENERIC_WRITE,0,0,OPEN_EXISTING,0,0);
if (hRil==NULL || hRil==INVALID_HANDLE_VALUE)
{
hRil= NULL;
return -1;   // NOTE(review): hCom is leaked here and on every later error return
}
// 115200 8N1, DTR raised (an RTS failure is deliberately ignored).
if (!GetCommState(hCom, &dcb))
{
return -2;
}
dcb.BaudRate= CBR_115200;
dcb.ByteSize= 8;
dcb.fParity= false;
dcb.StopBits= ONESTOPBIT;
if (!SetCommState(hCom, &dcb))
{
return -3;
}
if (!EscapeCommFunction(hCom, SETDTR))
{
return -4;
}
if (!EscapeCommFunction(hCom, SETRTS))
{
// return -5;
}
if (!GetCommTimeouts(hCom, &to))
{
return -6;
}
// Short read timeouts (5 ms gap / 5 ms base + 5 ms per byte): ReadFile
// returns as soon as the modem pauses.
to.ReadIntervalTimeout= 5;
to.ReadTotalTimeoutConstant= 5;
to.ReadTotalTimeoutMultiplier= 5;
to.WriteTotalTimeoutConstant= 20000;
to.WriteTotalTimeoutMultiplier= 0;
if (!SetCommTimeouts(hCom, &to))
{
return -7;
}
if (!SetCommMask(hCom, EV_RXCHAR))
{
return -8;
}
DWORD rildevresult=0,nReturned=0;
// DeviceIoControl(hRil, 0x03000314L,0,0, &rildevresult, sizeof(DWORD), &nReturned,0);
// HANDLE Ev=CreateEvent(NULL,TRUE,0,L"RILDrv_DataMode");
// SetEvent(Ev);
// Vendor-specific control code with an undocumented two-byte payload (same
// call as in the other listings on this page); meaning not documented here.
if (!DeviceIoControl (hCom,0xAAAA5679L, comdevcmd, sizeof(comdevcmd),0,0,0,0))
{
return -9;
}
// Resume address = bytes already dumped.
fseek(F,0,SEEK_END);
DWORD Addr=ftell(F);
Rest:
bufpos = 0;
// strcpy(outbuf,"AT%TEST=D00000000\r");
sprintf(outbuf,"AT%%TEST=D%08X\r",Addr);   // vendor test command; Addr as 8 hex digits
// ReadIntervalTimeout=MAXDWORD with both totals 0 makes ReadFile return at
// once with whatever is pending: drains stale input before the next command.
to.ReadIntervalTimeout= MAXDWORD;
to.ReadTotalTimeoutConstant= 0;
to.ReadTotalTimeoutMultiplier= 0;
to.WriteTotalTimeoutConstant= 20000;
to.WriteTotalTimeoutMultiplier= 0;
if (!SetCommTimeouts(hCom, &to))
{
return -7;
}
ReadFile(hCom, buf, 65536 , &nRead, NULL);   // drain; result intentionally ignored
// Back to the short timeouts for the real reply.
to.ReadIntervalTimeout= 5;
to.ReadTotalTimeoutConstant= 5;
to.ReadTotalTimeoutMultiplier= 5;
to.WriteTotalTimeoutConstant= 20000;
to.WriteTotalTimeoutMultiplier= 0;
if (!SetCommTimeouts(hCom, &to))
{
return -7;
}
if (!WriteFile(hCom, outbuf, strlen(outbuf), &nWritten, NULL))
{
return -10;
}
if (!WaitCommEvent(hCom, &event, NULL))
{
return -12;
}
// Expected reply: 16 lines of 78 bytes, each "<8-char address>: " followed by
// 16 "XX " pairs (the remaining columns are not inspected). Any malformed
// line restarts the same request via goto Rest. nRead is not checked, so a
// short read parses whatever was left in buf.
ReadFile(hCom, buf, 16*78, &nRead, NULL);
char Buff[256];   // 16 lines x 16 decoded bytes
for(int i=0; i<16; i++)
{
if(buf[i*78+8]!=':' || buf[i*78+9]!=' ')
goto Rest;
for(int j=0; j<16; j++)
{
if(!IsHex(buf[i*78+10+j*3]))
goto Rest;
if(!IsHex(buf[i*78+10+j*3+1]))
goto Rest;
Buff[i*16+j]=Hex2ToInt(buf+i*78+10+j*3);
}
}
Addr+=256;
// fwrite(buf,1,16*78,F);
fwrite(Buff,1,256,F);
fflush(F);
printf("%08X\r",Addr);   // progress; "\r" keeps it on one console line
goto Rest;   // unconditional: nothing below this line is ever executed
rildevresult = 0;
DeviceIoControl(hRil, 0x03000318L,0,0, &rildevresult, sizeof(DWORD), &nReturned,0);   // RIL control code; meaning not documented here
// ResetEvent(Ev);
// CloseHandle(Ev);
CloseHandle(hRil);
if (!EscapeCommFunction(hCom, CLRDTR))
{
return -4;
}
if (hCom!=NULL)
{
CloseHandle(hCom);
hCom= NULL;
}
return CellId;   // uninitialised (and unreachable)
}
Hi,
Good Day.. I got your code..... First of all i convey my thanks to you.
I need some more clarification from your side.
Kindly let me know in details
I am not able understand
Why we need to use RIL & IOCTL Funct?
How are you sending AT commands in your code? (Please explain in detail.) If I want to add more AT commands (such as AT+CSQ or AT^SCKS?), how and where do I add them?
if you have sample code kindly send to [email protected]
anticipating your reply,
Thanks & regards,
Rajesh. S
Sorry !! Mail ID is : [email protected]
Using COM port GSM access to change outgoing line
Is it possible to alter the outgoing number (read from the SIM card) on the GSM by accessing the COM port?
Is there a utility that already does this? Is there a way of altering settings/phone to be able to change the outgoing number? Or a ROM image that allows you to do this?
I have no understanding whatsoever of the radio stack, so I wouldn't know where to start if I were to write a utility to do so.
Cheers,
Jason
jman said:
Is it possible to alter the outgoing number (read from the SIM card) on the GSM by accessing the COM port?
Is there a utility that already does this? Is there a way of altering settings/phone to be able to change the outgoing number? Or a ROM image that allows you to do this?
I have no understanding whatsoever of the radio stack, so I wouldn't know where to start if I were to write a utility to do so.
Cheers,
Jason
@jman,
No that is not possible. The reason is that the phone does not send its caller ID over the air. What happens is that a pseudo random number (called TMSI) is assigned to the mobile phone. The mobile phone sends its TMSI for identification and the MSC (Mobile Switching Centre) does the mapping for the TMSI to calling MSISDN (techno term for mobile phone number).
However, if you are a really good programmer and know your phone internal GSM functioning very well. Then you can spoof the TMSI. Meaning, you should listen to the Paging Messages that are being received on the PCH and get the TMSI from them and then generate a CHAN_REQ based on one of those TMSI. If you want to know more about it, then I suggest that you read a document called GSM04.08 from www.3gpp.org .
Please note that whatever I have written above is valid for a GSM/GPRS/EDGE network only.
Regards,

AT-Commands and missing com port

hi
I've been writing code to access the gsm modem of PPCs and SPs. I found these posts http://forum.xda-developers.com/showthread.php?t=220396 and http://forum.xda-developers.com/showthread.php?t=268809 and this one too http://www.nicecuppa.net/nicetrack.asp to name a few.
here is a sample
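// Size of the reply buffer shared by the helpers below. The reply is capped at
// this many bytes; one extra byte is kept for the terminating NUL.
static const int kReplyBufSize = 256;

// Closes the serial handle when it goes out of scope, so every error path
// releases the port (the original leaked hCom on each early return).
struct GsmPortHandle
{
    HANDLE h;
    explicit GsmPortHandle(HANDLE handle) : h(handle) {}
    ~GsmPortHandle()
    {
        if (h != NULL && h != INVALID_HANDLE_VALUE)
            CloseHandle(h);
    }
private:
    GsmPortHandle(const GsmPortHandle&);            // not copyable
    GsmPortHandle& operator=(const GsmPortHandle&);
};

// Configures 115200 8N1, raises DTR, sets the timeouts (200 ms read, 20 s
// write), arms EV_RXCHAR and issues the vendor IOCTL that, per this thread,
// is needed before the radio answers AT commands. Returns 0, or the negative
// code the original function used for the same failure (-2..-9).
static long ConfigureGsmPort(HANDLE hCom)
{
    DCB dcb;
    if (!GetCommState(hCom, &dcb))
        return -2;
    dcb.BaudRate = CBR_115200;
    dcb.ByteSize = 8;
    dcb.fParity = false;
    dcb.StopBits = ONESTOPBIT;
    if (!SetCommState(hCom, &dcb))
        return -3;
    if (!EscapeCommFunction(hCom, SETDTR))
        return -4;

    COMMTIMEOUTS to;
    if (!GetCommTimeouts(hCom, &to))
        return -6;
    to.ReadIntervalTimeout = 0;
    to.ReadTotalTimeoutConstant = 200;   // a read that gets nothing in 200 ms returns 0 bytes
    to.ReadTotalTimeoutMultiplier = 0;
    to.WriteTotalTimeoutConstant = 20000;
    to.WriteTotalTimeoutMultiplier = 0;
    if (!SetCommTimeouts(hCom, &to))
        return -7;
    if (!SetCommMask(hCom, EV_RXCHAR))
        return -8;

    // Vendor-specific control code with an undocumented two-byte payload;
    // what it does is not documented here -- confirm against the device driver.
    BYTE comdevcmd[2] = {0x84, 0x00};
    if (!DeviceIoControl(hCom, 0xAAAA5679L, comdevcmd, sizeof(comdevcmd), 0, 0, 0, 0))
        return -9;
    return 0;
}

// Sends one AT command and appends the reply bytes to buf starting at *bufpos
// until a read times out (nRead == 0) or kReplyBufSize bytes are held.
// Failure codes are errBase (write), errBase-1 (short write), errBase-2
// (WaitCommEvent) and errBase-3 (read), reproducing the original
// -10..-13 / -14..-17 numbering for the two commands.
static long SendAtCommand(HANDLE hCom, const char* cmd, char* buf, int* bufpos, long errBase)
{
    const DWORD cmdLen = (DWORD)strlen(cmd);
    DWORD nWritten = 0;
    if (!WriteFile(hCom, cmd, cmdLen, &nWritten, NULL))
        return errBase;
    if (nWritten != cmdLen)
        return errBase - 1;

    DWORD event = 0;
    if (!WaitCommEvent(hCom, &event, NULL))
        return errBase - 2;

    while (*bufpos < kReplyBufSize)
    {
        DWORD nRead = 0;
        if (!ReadFile(hCom, buf + *bufpos, kReplyBufSize - *bufpos, &nRead, NULL))
            return errBase - 3;
        if (nRead == 0)   // read timeout: the modem has finished answering
            break;
        *bufpos += (int)nRead;
    }
    return 0;
}

// Queries the serving cell id from the GSM modem on COM2:.
// outData receives the raw reply text (up to kReplyBufSize+1 TCHARs including
// the NUL -- the caller must provide that much; NULL skips the copy).
// Returns the cell id, or a negative code: -1 open failed, -2..-9 port setup,
// -10..-17 command I/O, -19 no "CREG" in the reply, -20 cell id not parseable.
PDACELLID_API long fnGetCell(LPTSTR outData)
{
    GsmPortHandle port(CreateFile(L"COM2:", GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0));
    if (port.h == NULL || port.h == INVALID_HANDLE_VALUE)
        return -1;

    long rc = ConfigureGsmPort(port.h);
    if (rc != 0)
        return rc;

    char buf[kReplyBufSize + 1];   // +1: the original wrote the NUL at buf[256] of a 256-byte array
    int bufpos = 0;
    // AT+CREG=2 enables registration reports with location data; AT+CREG?
    // then answers "+CREG: 2,<stat>,"<lac>","<ci>"". Both replies accumulate in buf.
    rc = SendAtCommand(port.h, "AT+creg=2\r", buf, &bufpos, -10);
    if (rc != 0)
        return rc;
    rc = SendAtCommand(port.h, "AT+creg?\r", buf, &bufpos, -14);
    if (rc != 0)
        return rc;
    buf[bufpos] = 0;

    if (outData != NULL)
        mbstowcs(outData, buf, bufpos + 1);   // outData's capacity is the caller's contract; not checked here

    // The cell id is the 4 hex digits 18 bytes after "CREG" in the query reply.
    const char* xpos = strstr(buf, "CREG");
    if (xpos == NULL)
        return -19;
    const int ciStart = (int)(xpos - buf) + 18;
    if (ciStart + 4 > bufpos)
        return -20;   // reply truncated: never read past the received bytes

    char rsltstr[5];
    memcpy(rsltstr, xpos + 18, 4);
    rsltstr[4] = 0;
    DWORD cellId = 0;
    if (sscanf(rsltstr, "%lX", &cellId) != 1)   // DWORD is unsigned long: use the matching width
        return -20;
    return (long)cellId;
}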
Some of these posts assume that I already know the com port of the gsm modem, Others tell you to get the com port handle by either:
1- TAPI's lineGetID - which only gets a valid handle if I originate a voice call (not data call). In my case I only query information from the network so I don't need to make a voice call and that is why I'll never get a com port handle.
2- Silent the RIL and open the com port manually as in here
http://forum.xda-developers.com/showpost.php?p=963262&postcount=1
which apparently turns on flight mode and shuts down the phone on WM2005.
3- I tried to detect the right com port using the registry key HKLM\Drivers\BuiltIn\Serial which doesn't give the right result on every device.
In the HTC universal (i-mate jasjar) there is no "known" way to open the GSM com port. Even nicetrack couldn't detect the gsm modem port.
There is definitely a way to get the com port handle but it may involve reverse engineering which i'm not good at. I leave that to the pros

problem with injection DLL to specified process

Save me from madness!!!
I have a several smartphone devices with windows CE
CE 6.0 - hp IPAQ 500 series
CE 5.0 - Samsung i600
I need to inject a DLL into the process "home.exe". I use the method with the PerformCallBack4 function. This method works successfully for all processes ("device.exe", "service.exe", etc.) except the process "home.exe". What is the problem?
source code : InjectDLL.exe link with toolhelp.lib
#include <windows.h>
#include <Tlhelp32.h>
// Argument block for PerformCallBack4 as used below: the target process, the
// function to run in it and that function's first argument.
typedef struct _CALLBACKINFO {
HANDLE hProc;   // process the callback runs in
FARPROC pfn;    // function address, already mapped into hProc (see MapPtrToProcess below)
PVOID pvArg0;   // first argument passed to pfn
} CALLBACKINFO;
// Prototypes declared by hand rather than taken from SDK headers; the program
// links against whatever coredll exports these names.
extern "C"
{
DWORD PerformCallBack4(CALLBACKINFO *pcbi,...);
LPVOID MapPtrToProcess(LPVOID lpv, HANDLE hProc);
BOOL SetKMode(BOOL fMode);
DWORD SetProcPermissions(DWORD newperms);
};
// Looks a process up by executable name (case-insensitive) in a toolhelp
// snapshot. Returns the PID of the last matching entry, or 0 when none matches.
DWORD GetProcessId(WCHAR *wszProcessName)
{
    DWORD foundPid = 0;
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);
    for (BOOL more = Process32First(snapshot, &entry); more; more = Process32Next(snapshot, &entry))
    {
        if (wcsicmp(wszProcessName, entry.szExeFile) == 0)
            foundPid = entry.th32ProcessID;   // keep scanning: a later match overrides, as before
    }
    CloseToolhelp32Snapshot(snapshot);
    return foundPid;
}
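// Returns the module handle of ModuleName inside process ProcessId, or NULL
// when the process has no such module or the snapshot could not be taken.
// The original returned from inside the enumeration loop and so leaked the
// snapshot handle whenever the module was found; it is now closed on every path.
HMODULE GetDllHandle(DWORD ProcessId,WCHAR* ModuleName)
{
    HANDLE ToolHelp = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessId);
    if (ToolHelp == INVALID_HANDLE_VALUE)
        return NULL;

    HMODULE found = NULL;
    MODULEENTRY32 ModuleEntry = {sizeof MODULEENTRY32};
    if (Module32First(ToolHelp, &ModuleEntry))
    {
        do
        {
            if (wcsicmp(ModuleEntry.szModule, ModuleName) == 0)
            {
                found = ModuleEntry.hModule;
                break;
            }
        } while (Module32Next(ToolHelp, &ModuleEntry));
    }
    CloseToolhelp32Snapshot(ToolHelp);
    return found;
}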
// Loads ModuleName into ProcessName by having PerformCallBack4 run coredll's
// LoadLibraryW inside that process. Returns TRUE if the module is mapped there
// afterwards (or already was). The poster reports the target exiting with
// 0xC0000030 on home.exe.
BOOL InjectDll(WCHAR* ProcessName,WCHAR* ModuleName)
{
DWORD ProcessId=GetProcessId(ProcessName);   // 0 when the process is not running; not checked here
HMODULE ModuleHandle=GetDllHandle(ProcessId,ModuleName);
if (ModuleHandle!=NULL)
return TRUE;   // already loaded
HANDLE Process=OpenProcess(0,0,ProcessId);
if (Process==NULL)
return FALSE;
// NOTE(review): the two failure returns below leak Process.
void* ModuleNamePtr=MapPtrToProcess(ModuleName,GetCurrentProcess());
if (ModuleNamePtr==NULL)
return FALSE;
CALLBACKINFO ci;
ci.hProc=Process;
void* LoadLibraryPtr=MapPtrToProcess(GetProcAddress(GetModuleHandle(L"coredll.dll"),L"LoadLibraryW"),Process);
if (LoadLibraryPtr==NULL)
return FALSE;
ci.pfn=(FARPROC)LoadLibraryPtr;
ci.pvArg0=ModuleNamePtr;
PerformCallBack4(&ci);   // poster's note: the process exits here; Visual Studio prints "process exit with code 0xc0000030"
Sleep(500);
CloseHandle(Process);
return GetDllHandle(ProcessId,ModuleName)!=NULL;
}
extern "C"
{
BOOL SetKMode(BOOL fMode);
DWORD SetProcPermissions(DWORD newperms);
};
#define DLLNAME L"MyDll.dll"
// Copies MyDll.dll from the executable's own directory into \Windows, then
// injects it into home.exe. Neither CopyFile's nor InjectDll's result is
// checked (Res is unused), so any failure is silent.
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPWSTR lpCmdLine,int nShowCmd)
{
WCHAR Path[MAX_PATH];
GetModuleFileName(NULL,Path,MAX_PATH);
wcscpy(wcsrchr(Path,L'\\')+1,DLLNAME);   // replace the exe's file name with DLLNAME; wcsrchr result not NULL-checked
WCHAR NewPath[MAX_PATH]=L"\\Windows\\";
wcscat(NewPath,DLLNAME);
CopyFile(Path,NewPath,FALSE);
BOOL Res=InjectDll(L"home.exe",L"MyDll.dll");
return 0;
}
the error code is
#define STATUS_INVALID_PARAMETER_MIX 0xC0000030
(maybe it is too fast to get the thread info?)
Try moving the "Sleep(500);" before "PerformCallBack4(&ci);".
I have tried, a problem not in it. Any ideas?
I have not found the reason.... I Use other method without performcallback4
Problem with injection dll to cprog.exe process?
I want to inject dll to cprog.exe process. but it doesn't work.
source code.
// Second variant (different poster): the same PerformCallBack4 approach
// against cprog.exe, with SetKMode/SetProcPermissions around the call and the
// target handle coming from FindCprogProcess. g_hCprog, g_InjectCprog,
// CallbackInfo, FindCprogProcess and DbgError are defined elsewhere. The
// poster reports GetLastError() == 5 (access denied) afterwards.
VOID
InjectDllToCprog()
{
WCHAR DllPath[MAX_PATH] = L"";
CallbackInfo ci;
GetModuleFileName(NULL, DllPath, MAX_PATH);
PWCHAR p = wcsrchr(DllPath, L'\\');
DllPath[p - DllPath] = '\0';   // strip the exe name; p is not NULL-checked
wcscat(DllPath, L"\\CprogInject.dll");
ZeroMemory(&ci, sizeof(ci));
g_hCprog = FindCprogProcess(L"Cprog.exe"); // the handle is right.
if(g_hCprog != NULL)
{
DWORD dwMode = SetKMode(TRUE);
DWORD dwPerm = SetProcPermissions(0xFFFFFFFF);
FARPROC pFunc = GetProcAddress(GetModuleHandle(L"Coredll.dll"), L"LoadLibraryW");
ci.ProcId = (HANDLE)g_hCprog;
ci.pFunc = (FARPROC)MapPtrToProcess(pFunc, g_hCprog);
ci.pvArg0 = MapPtrToProcess(DllPath, GetCurrentProcess());
g_InjectCprog = (HINSTANCE)PerformCallBack4(&ci, 0, 0, 0);
// NOTE(review): GetLastError() is only meaningful after a call that reported
// failure; reading it unconditionally may surface a stale value from an
// earlier API call.
if(GetLastError() != 0) // GetLastError() = 5
DbgError(L"PerformCallBack 执行失败", GetLastError());
SetKMode(dwMode);   // restore the previous mode and permissions
SetProcPermissions(dwPerm);
}
}
GetLastError() return 0x00000005(Access is denied)
Anyone can help me? Sorry for my poor english.

[Q] Why does this code not work in CE 6.0?

I want to add to HKLM\init an all purpose application launcher (CE 6.0 device has persistent registry):
[HKEY_LOCAL_MACHINE\Init]
"Depend199"=hex:00,14,00,1e,00,60
[HKEY_LOCAL_MACHINE\Init]
"Launch199"="\NandFlash\CeLaunchAppsAtBootTime.exe"
[HKEY_CURRENT_USER\Startup]
"Process1"="\NandFlash\SetBackLight.exe"
"Process1Delay"=dword:0
The launcher's code is
#include <Windows.h>
#if defined(OutputDebugString)
#undef OutputDebugString
// Stub that swallows all debug output: the SDK macro is undefined above, so
// every OutputDebugString call in this file resolves to this empty function.
// Remove this block to see the traces in the debugger.
void OutputDebugString(LPTSTR lpText)
{}
#endif
BOOL IsAPIReady(DWORD hAPI);                        // CE kernel API: TRUE once the given API set is available
void WalkStartupKeys(void);
DWORD WINAPI ProcessThread(LPVOID lpParameter);
#define MAX_APPSTART_KEYNAME 256                    // max length (in WCHARs) of a Startup value name / data
// One entry per HKCU\Startup "Process<n>" value: the command to launch and
// the delay (ms, passed to Sleep) before launching it.
typedef struct _ProcessStruct {
WCHAR szName[MAX_APPSTART_KEYNAME];
DWORD dwDelay;
} PROCESS_STRUCT,*LPPROCESS_STRUCT;
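// Polls IsAPIReady for one API set, sleeping 200 ms between polls, for at
// most 50 sleeps (about 10 s). Returns TRUE as soon as the set is ready.
// The original nested loops reported a timeout when readiness arrived on the
// very last poll (the counter had already reached 50); the final check below
// honours it. Timing is otherwise unchanged.
static BOOL WaitForApiSet(DWORD hAPI)
{
    for (int attempt = 0; attempt < 50; ++attempt)
    {
        if (IsAPIReady(hAPI))
            return TRUE;
        Sleep(200);
    }
    return IsAPIReady(hAPI);
}

// Launcher entry point. When started from HKLM\Init the launch code arrives
// on the command line; it must be echoed back with SignalStarted. Waits for
// the file system, device manager, shell, window manager and GDI (in that
// order, stopping at the first timeout) and only then walks HKCU\Startup.
int WINAPI _tWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPTSTR lpCmdLine, int nCmdShow)
{
    int nLaunchCode = -1;
    // Quick check to see whether we were called from within HKLM\init -> by default HKLM\init passes the launch code
    if (lpCmdLine && *lpCmdLine)
    {
        nLaunchCode = _ttoi((const TCHAR *) lpCmdLine);
    }

    // Wait for the system to initialise, one API set after the other; a
    // timeout on any of them aborts the remaining waits, as before.
    static const DWORD kApiSets[] = { SH_FILESYS_APIS, SH_DEVMGR_APIS, SH_SHELL, SH_WMGR, SH_GDI };
    const int kApiSetCount = (int)(sizeof(kApiSets) / sizeof(kApiSets[0]));
    BOOL success = TRUE;
    for (int k = 0; success && k < kApiSetCount; ++k)
    {
        success = WaitForApiSet(kApiSets[k]);
    }

    // Started through HKLM\Init: report back with the launch code even if the
    // waits above timed out, so the Init sequence is not held up.
    if (nLaunchCode != -1)
    {
        SignalStarted((DWORD) nLaunchCode);
    }

    // Only launch the Startup entries on a fully initialised system.
    if (success)
    {
        WalkStartupKeys();
    }
    return (0);
}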
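// Enumerates HKCU\Startup: every REG_SZ value named "Process<n>" that has a
// matching "Process<n>Delay" DWORD spawns a thread which sleeps for the delay
// and launches the program. Waits for all launcher threads before returning.
//
// Fixes versus the original: the PROCESS_STRUCT handed to each thread was
// freed right after CreateThread, while the thread still reads it (use after
// free); only the longest-delay thread was waited for, and none at all when
// every delay was 0 (WaitForSingleObject(NULL)), so the process could exit
// before any launch happened; the handle array had no bounds check; and a
// failed CreateThread/LocalAlloc was never noticed.
void WalkStartupKeys(void)
{
    HKEY hKey;
    WCHAR szName[MAX_APPSTART_KEYNAME];
    WCHAR szVal[MAX_APPSTART_KEYNAME];
    WCHAR szDelay[MAX_APPSTART_KEYNAME + 8];   // room for "<name>Delay" even at the maximum name length
    DWORD dwType, dwNameSize, dwValSize, i, dwDelay;
    const int kMaxThreads = 100;
    HANDLE ThreadHandles[100];
    LPPROCESS_STRUCT ThreadArgs[100];   // argument block per thread; freed only after the thread is joined
    int iThreadCount = 0;

    if (RegOpenKeyEx(HKEY_CURRENT_USER, TEXT("Startup"), 0, KEY_READ, &hKey) != ERROR_SUCCESS) {
        return;
    }

    dwNameSize = MAX_APPSTART_KEYNAME;
    dwValSize = MAX_APPSTART_KEYNAME * sizeof(WCHAR);
    i = 0;
    while (iThreadCount < kMaxThreads &&
           RegEnumValue(hKey, i, szName, &dwNameSize, 0, &dwType, (LPBYTE)szVal, &dwValSize) == ERROR_SUCCESS) {
        if ((dwType == REG_SZ) && !wcsncmp(szName, TEXT("Process"), 7)) { // 7 for "Process"
            szVal[MAX_APPSTART_KEYNAME - 1] = L'\0';   // REG_SZ data is not guaranteed to be NUL-terminated
            wsprintf(szDelay, L"%sDelay", szName);
            dwValSize = sizeof(dwDelay);
            if (ERROR_SUCCESS == RegQueryValueEx(hKey, szDelay, 0, &dwType, (LPBYTE)&dwDelay, &dwValSize)) {
                // we now have the process name and the process delay - spawn a thread to "Sleep" and then create the process.
                LPPROCESS_STRUCT ps = (LPPROCESS_STRUCT) LocalAlloc(LMEM_FIXED, sizeof(PROCESS_STRUCT));
                if (ps != NULL) {
                    ps->dwDelay = dwDelay;
                    wcscpy(ps->szName, szVal);
                    DWORD dwThreadID;
                    OutputDebugString(L"Creating Thread...\n");
                    HANDLE hThread = CreateThread(NULL, 0, ProcessThread, (LPVOID)ps, 0, &dwThreadID);
                    if (hThread != NULL) {
                        ThreadHandles[iThreadCount] = hThread;
                        ThreadArgs[iThreadCount] = ps;
                        iThreadCount++;
                    } else {
                        OutputDebugString(L"CreateThread failed\n");
                        LocalFree((HLOCAL) ps);
                    }
                }
            }
        }
        dwNameSize = MAX_APPSTART_KEYNAME;
        dwValSize = MAX_APPSTART_KEYNAME * sizeof(WCHAR);
        i++;
    }
    RegCloseKey(hKey);

    // Join every launcher thread, then release its argument block.
    // (WaitForMultipleObjects with bWaitAll=TRUE is not supported on Windows
    // CE, hence one WaitForSingleObject per thread.)
    for (int x = 0; x < iThreadCount; x++) {
        DWORD dwWait = WaitForSingleObject(ThreadHandles[x], INFINITE);
        if (WAIT_FAILED == dwWait) {
            OutputDebugString(L"Wait Failed!\n");
        }
        CloseHandle(ThreadHandles[x]);
        LocalFree((HLOCAL) ThreadArgs[x]);
    }
}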
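// Thread body for one Startup entry: sleeps ps->dwDelay ms, then launches
// ps->szName. Text after the LAST space is treated as the command line, so a
// program path that itself contains spaces is split wrongly (unchanged from
// the original -- keep launcher paths space-free). ps is owned by the caller;
// this thread must not free it.
//
// Fixes versus the original: STARTUPINFO/PROCESS_INFORMATION are zeroed
// (only si.cb was set), the CreateProcess result is checked and logged, and
// the child process/thread handles it hands back are closed instead of leaked.
DWORD WINAPI ProcessThread(LPVOID lpParameter)
{
    TCHAR tcModuleName[MAX_APPSTART_KEYNAME];
    LPPROCESS_STRUCT ps = (LPPROCESS_STRUCT)lpParameter;
    if (ps == NULL) {
        return 0;
    }

    OutputDebugString(L"Thread Created... Sleeping\n");
    Sleep(ps->dwDelay); // Wait for delay period
    OutputDebugString(L"Done Sleeping...\n");

    OutputDebugString(L"Creating Process ");
    OutputDebugString(ps->szName);
    OutputDebugString(L"\n");

    wcscpy(tcModuleName, ps->szName);
    TCHAR *tcPtrSpace = wcsrchr(ps->szName, L' '); // Launch command has a space, assume command line.
    if (NULL != tcPtrSpace) {
        tcModuleName[lstrlen(ps->szName) - lstrlen(tcPtrSpace)] = 0x00; // overwrite the space with null, break the app and cmd line.
        tcPtrSpace++; // move past space character.
    }

    STARTUPINFO si;
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    PROCESS_INFORMATION pi;
    ZeroMemory(&pi, sizeof(pi));

    if (CreateProcess(tcModuleName,   // Module Name
                      tcPtrSpace,     // Command line -- NULL or PTR to command line
                      NULL,           // Process handle not inheritable
                      NULL,           // Thread handle not inheritable
                      FALSE,          // Set handle inheritance to FALSE
                      0,              // No creation flags
                      NULL,           // Use parent's environment block
                      NULL,           // Use parent's starting directory
                      &si,            // Pointer to STARTUPINFO structure
                      &pi)) {         // Pointer to PROCESS_INFORMATION structure
        // The launcher does not track the child; release the handles it was given.
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    } else {
        OutputDebugString(L"CreateProcess failed\n");
    }

    OutputDebugString(L"Thread Exiting...\n");
    return 0;
}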
which compiled errorfree
I added the registry entries as shown above, copied the launcher's exe to the default location, and rebooted the device. Nothing happened, meaning the executable defined as
[HKEY_CURRENT_USER\Startup]
"Process1"="\NandFlash\SetBackLight.exe"
wasn't run at all.
Does anybody have an idea, where the error is? Any help appreciated. Thanks for reading.
