joakim

NtOpenProcess returns "STATUS_ACCESS_VIOLATION"

7 posts in this topic

Trying to get this function in ntdll.dll working, but am facing STATUS_ACCESS_VIOLATION. I have tried granting myself debug privileges to no help. It seems the PID is not working the same way as in OpenProcess (kernel32.dll), or maybe it's the ObjectAttributes messing it up. But on Windows 7 (nt6.x in contrast to nt5.x) those should be null and with the PID set anyway, so I really don't understand what the problem is. Initializing the ObjectAttributes makes no difference and returns the same 0xc0000005. Here's the core code, stripped of all the nonsense I added and tried:

$TargetProcess = "explorer.exe"
$list = ProcessList($TargetProcess)
For $i = 1 To $list[0][0]
    ConsoleWrite($list[$i][0] & @CRLF)
    $Test = _NtOpenProcess($list[$i][1])
    If @error Then
        ConsoleWrite("Ntstatus: 0x" & Hex($Test, 8) & @CRLF)
    Else
        ConsoleWrite("NtOpenProcess success: " & $Test & @CRLF)
    EndIf
    Exit
Next

Func _NtOpenProcess($PID)
    ; Native prototype: NTSTATUS NtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess,
    ;                                          POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
    ; This call passes only three arguments (no output handle pointer) and passes the PID
    ; by value instead of a pointer to a CLIENT_ID structure.
    Local $aCall = DllCall("ntdll.dll", "ptr", "NtOpenProcess", "dword", 0x001F0FFF, "dword", 0, "dword", $PID)
    If Not NT_SUCCESS($aCall[0]) Then
        ConsoleWrite("Error in NtOpenProcess: " & Hex($aCall[0], 8) & @CRLF)
        Return SetError(1, 0, $aCall[0])
    Else
        Return $aCall[0]
    EndIf
EndFunc

; NT_SUCCESS: an NTSTATUS is successful when its sign bit is clear (0x00000000 - 0x7FFFFFFF)
Func NT_SUCCESS($status)
    If 0 <= $status And $status <= 0x7FFFFFFF Then
        Return True
    Else
        Return False
    EndIf
EndFunc




According to Wikipedia, a STATUS_ACCESS_VIOLATION means that you're trying to access inaccessible memory. Which leads me to this: what is 0x001F0FFF? I can't find the documentation for this function but I assume that ZwOpenProcess is close.


Yes, ZwOpenProcess is similar, it's just the kernel mode equivalent to what NtOpenProcess is (user mode); http://msdn.microsoft.com/en-us/library/windows/hardware/ff567022(v=vs.85).aspx The 0x001f0fff is $PROCESS_ALL_ACCESS for DesiredAccess. But that's likely not the issue. I think it's either ObjectAttributes or ClientID that's the issue, leaning more over to the ObjectAttributes actually. Despite the fact that ObjectName is not used, the struct must probably be correctly initialized after all. Or is ClientID passed on incorrectly perhaps?


Here is the code with the ObjectAttributes initialization, that still gives a "STATUS_ACCESS_VIOLATION".

Global Const $tagOBJECTATTRIBUTES = "ulong Length;hwnd RootDirectory;ptr ObjectName;ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService"
Global Const $OBJ_CASE_INSENSITIVE = 0x00000040
Global Const $tagUNICODESTRING = "ushort Length;ushort MaximumLength;ptr Buffer"

$TargetProcess = "explorer.exe"
$list = ProcessList($TargetProcess)
For $i = 1 To $list[0][0]
    ConsoleWrite($list[$i][0] & @CRLF)
    $Test = _NtOpenProcess($list[$i][1])
    If @error Then
        ConsoleWrite("Error" & @CRLF)
    Else
        ConsoleWrite("NtOpenProcess success: " & $Test & @CRLF)
    EndIf
    Exit
Next

Func _NtOpenProcess($PID)
    Local $szName = DllStructCreate("wchar[0]")
    Local $sOA = DllStructCreate($tagOBJECTATTRIBUTES)
    Local $sUS = DllStructCreate($tagUNICODESTRING)
    DllStructSetData($szName, 1, "")
    Local $ret = DllCall("ntdll.dll", "none", "RtlInitUnicodeString", "ptr", DllStructGetPtr($sUS), "ptr", DllStructGetPtr($szName))
    DllStructSetData($sOA, "Length", DllStructGetSize($sOA))
    ; The pointer fields are set with Chr(0), a one-character string, rather than the integer 0
    DllStructSetData($sOA, "RootDirectory", Chr(0))
    ; DllStructSetData($sOA, "ObjectName", DllStructGetPtr($sUS))
    DllStructSetData($sOA, "ObjectName", Chr(0))
    DllStructSetData($sOA, "Attributes", $OBJ_CASE_INSENSITIVE)
    DllStructSetData($sOA, "SecurityDescriptor", Chr(0))
    DllStructSetData($sOA, "SecurityQualityOfService", Chr(0))
    ; The native CLIENT_ID is {HANDLE UniqueProcess; HANDLE UniqueThread}: pointer-sized members, process first
    Local $ClientID = DllStructCreate("dword UniqueThread;dword UniqueProcess")
    DllStructSetData($ClientID, "UniqueThread", 0)
    DllStructSetData($ClientID, "UniqueProcess", $PID)
    ; The first (output) parameter, PHANDLE ProcessHandle, is still not passed in this call
    Local $aCall = DllCall("ntdll.dll", "hwnd", "NtOpenProcess", "dword", 0x001F0FFF, "ptr", DllStructGetPtr($sOA), "ptr", DllStructGetPtr($ClientID))
    If Not NT_SUCCESS($aCall[0]) Then
        ConsoleWrite("Error in NtOpenProcess: " & Hex($aCall[0], 8) & @CRLF)
        Return SetError(1, 0, $aCall[0])
    Else
        Return $aCall[0]
    EndIf
EndFunc

Func NT_SUCCESS($status)
    If 0 <= $status And $status <= 0x7FFFFFFF Then
        Return True
    Else
        Return False
    EndIf
EndFunc


OK, during my internet journey I came upon a quote. LO!

NtOpenProcess is better way for bypassing noob Anti-Cheat routines?

But more advance Anti-Cheat will just hook the NtOpenProcess

Edited by LaCastiglione


Probably should be something like this:

; $tagOBJECTATTRIBUTES and $OBJ_CASE_INSENSITIVE as declared in the earlier post;
; NT_SUCCESS is the helper from the earlier posts as well
Global Const $tagOBJECTATTRIBUTES = "ulong Length;hwnd RootDirectory;ptr ObjectName;ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService"
Global Const $OBJ_CASE_INSENSITIVE = 0x00000040

Func _NtOpenProcess($PID)
    ; OBJECT_ATTRIBUTES with a NULL ObjectName: the target process is selected by ClientId alone
    Local $sOA = DllStructCreate($tagOBJECTATTRIBUTES)
    DllStructSetData($sOA, "Length", DllStructGetSize($sOA))
    DllStructSetData($sOA, "RootDirectory", 0)
    DllStructSetData($sOA, "ObjectName", 0)
    DllStructSetData($sOA, "Attributes", $OBJ_CASE_INSENSITIVE)
    DllStructSetData($sOA, "SecurityDescriptor", 0)
    DllStructSetData($sOA, "SecurityQualityOfService", 0)

    ; CLIENT_ID: two HANDLE (pointer-sized) members, UniqueProcess first
    Local $ClientID = DllStructCreate("dword_ptr UniqueProcessId;dword_ptr UniqueThreadId")
    DllStructSetData($ClientID, "UniqueProcessId", $PID)
    DllStructSetData($ClientID, "UniqueThreadId", 0)

    ; All four parameters: the output handle ("handle*"), DesiredAccess, ObjectAttributes, ClientId.
    ; NTSTATUS is a signed 32-bit value, hence the "long" return type.
    Local $aCall = DllCall("ntdll.dll", "long", "NtOpenProcess", "handle*", 0, "dword", 0x001F0FFF, "struct*", $sOA, "struct*", $ClientID)
    If Not NT_SUCCESS($aCall[0]) Then
        ConsoleWrite("Error in NtOpenProcess: " & Hex($aCall[0], 8) & @CRLF)
        Return SetError(1, 0, $aCall[0])
    Else
        ; $aCall[1] holds the value written through the "handle*" output parameter
        Return $aCall[1]
    EndIf
EndFunc

eMyvnE

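As an added example (not code from this thread or from the AutoIt project), here is the same call written with Python's ctypes, which maps directly onto DllCall and DllStructCreate: OBJECT_ATTRIBUTES and CLIENT_ID are declared with the documented member order and pointer-sized HANDLE fields, ObjectAttributes is initialised with a NULL ObjectName so the target is chosen by ClientId alone, and NT_SUCCESS is evaluated on the status as a signed 32-bit value. The ntdll binding is only made on Windows; the layout helpers run anywhere, so the struct sizes and offsets can be compared against a DllStruct tag string. The function names (nt_open_process, init_object_attributes, make_client_id, layout_report) are my own.

```python
"""NtOpenProcess via ctypes: documented structure layouts plus an NT_SUCCESS check.

Added example for the thread above, not the thread's own AutoIt code.
Assumptions: the wrapper binds ntdll only on Windows; elsewhere only the
layout helpers are usable.
"""
import ctypes
import sys

PROCESS_ALL_ACCESS = 0x001F0FFF        # DesiredAccess value used in the thread
OBJ_CASE_INSENSITIVE = 0x00000040
STATUS_ACCESS_VIOLATION = 0xC0000005

# ULONG is always 32 bits on Windows; HANDLE and PVOID are pointer-sized.
ULONG = ctypes.c_uint32
HANDLE = ctypes.c_void_p
PVOID = ctypes.c_void_p
PTR_SIZE = ctypes.sizeof(ctypes.c_void_p)


class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_uint16),
                ("MaximumLength", ctypes.c_uint16),
                ("Buffer", ctypes.c_void_p)]


class OBJECT_ATTRIBUTES(ctypes.Structure):
    # ctypes applies natural alignment, so Length and Attributes are padded to
    # pointer size on x64 exactly as a C compiler would do it.
    _fields_ = [("Length", ULONG),
                ("RootDirectory", HANDLE),
                ("ObjectName", ctypes.POINTER(UNICODE_STRING)),
                ("Attributes", ULONG),
                ("SecurityDescriptor", PVOID),
                ("SecurityQualityOfService", PVOID)]


class CLIENT_ID(ctypes.Structure):
    # UniqueProcess comes first and both members are HANDLE (pointer-sized),
    # not DWORD; a 32-bit, thread-first layout is misread by the kernel.
    _fields_ = [("UniqueProcess", HANDLE),
                ("UniqueThread", HANDLE)]


def nt_success(status):
    """NT_SUCCESS: the status, viewed as a signed 32-bit value, is >= 0."""
    return (status & 0xFFFFFFFF) < 0x80000000


def init_object_attributes(attributes=OBJ_CASE_INSENSITIVE):
    """Equivalent of InitializeObjectAttributes() with a NULL ObjectName."""
    oa = OBJECT_ATTRIBUTES()
    oa.Length = ctypes.sizeof(OBJECT_ATTRIBUTES)
    oa.RootDirectory = None
    oa.ObjectName = None            # NULL: the target is selected by ClientId
    oa.Attributes = attributes
    oa.SecurityDescriptor = None
    oa.SecurityQualityOfService = None
    return oa


def make_client_id(pid):
    """CLIENT_ID naming a process by PID; UniqueThread stays NULL."""
    return CLIENT_ID(UniqueProcess=pid, UniqueThread=None)


def layout_report():
    """Sizes and offsets to compare against a DllStruct tag string."""
    return {
        "OBJECT_ATTRIBUTES.size": ctypes.sizeof(OBJECT_ATTRIBUTES),
        "CLIENT_ID.size": ctypes.sizeof(CLIENT_ID),
        "CLIENT_ID.UniqueProcess.offset": CLIENT_ID.UniqueProcess.offset,
        "CLIENT_ID.UniqueThread.offset": CLIENT_ID.UniqueThread.offset,
    }


def nt_open_process(pid, desired_access=PROCESS_ALL_ACCESS):
    """Open a process by PID through ntdll!NtOpenProcess (Windows only).

    Returns (status, handle); handle is None when NT_SUCCESS(status) is false.
    """
    if sys.platform != "win32":
        raise OSError("NtOpenProcess is only available on Windows")
    fn = ctypes.WinDLL("ntdll").NtOpenProcess
    fn.restype = ctypes.c_long       # NTSTATUS is a signed 32-bit LONG
    fn.argtypes = [ctypes.POINTER(HANDLE), ULONG,
                   ctypes.POINTER(OBJECT_ATTRIBUTES), ctypes.POINTER(CLIENT_ID)]
    handle = HANDLE()                # the PHANDLE output parameter
    oa = init_object_attributes()
    cid = make_client_id(pid)
    status = fn(ctypes.byref(handle), desired_access, ctypes.byref(oa), ctypes.byref(cid))
    return status, (handle.value if nt_success(status) else None)


if __name__ == "__main__":
    print(layout_report())
    if sys.platform == "win32":
        print("status=0x%08X handle=%r" % (nt_open_process(4)[0] & 0xFFFFFFFF, nt_open_process(4)[1]))
```

The three things the thread stumbled over are all visible in the layout report: CLIENT_ID is two pointer-sized members with UniqueProcess at offset 0, OBJECT_ATTRIBUTES is 24 bytes on x86 and 48 on x64 because of alignment padding, and the status check treats 0xC0000005 as a failure whether it arrives as an unsigned or a negative 32-bit value.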

Brilliant :)
