joakim Posted August 11, 2012

Trying to get this function in ntdll.dll working, but I am facing STATUS_ACCESS_VIOLATION. I have tried granting myself debug privileges, to no help. It seems the PID is not working the same way as in OpenProcess (kernel32.dll), or maybe it's the ObjectAttributes messing it up. But on Windows 7 (nt6.x, in contrast to nt5.x) those should be null and with the PID set anyway, so I really don't understand what the problem is. Initializing the ObjectAttributes makes no difference and returns the same 0xc0000005. Here's the core code, stripped of all the nonsense I added and tried:

```autoit
$TargetProcess = "explorer.exe"
$list = ProcessList($TargetProcess)
For $i = 1 To $list[0][0]
    ConsoleWrite($list[$i][0] & @CRLF)
    $Test = _NtOpenProcess($list[$i][1])
    If @error Then
        ConsoleWrite("Ntstatus: 0x" & Hex($Test, 8) & @CRLF)
    Else
        ConsoleWrite("NtOpenProcess success: " & $Test & @CRLF)
    EndIf
    Exit
Next

Func _NtOpenProcess($PID)
    Local $aCall = DllCall("ntdll.dll", "ptr", "NtOpenProcess", "dword", 0x001F0FFF, "dword", 0, "dword", $PID)
    If Not NT_SUCCESS($aCall[0]) Then
        ConsoleWrite("Error in NtOpenProcess: " & Hex($aCall[0], 8) & @CRLF)
        Return SetError(1, 0, $aCall[0])
    Else
        Return $aCall[0]
    EndIf
EndFunc

Func NT_SUCCESS($status)
    If 0 <= $status And $status <= 0x7FFFFFFF Then
        Return True
    Else
        Return False
    EndIf
EndFunc
```
jaberwacky Posted August 11, 2012

According to Wikipedia, STATUS_ACCESS_VIOLATION means that you're trying to access inaccessible memory. Which leads me to this: what is 0x001F0FFF? I can't find the documentation for this function, but I assume that ZwOpenProcess is close.
joakim Posted August 11, 2012 (Author)

Yes, ZwOpenProcess is similar; it's just the kernel mode equivalent to what NtOpenProcess is (user mode): http://msdn.microsoft.com/en-us/library/windows/hardware/ff567022(v=vs.85).aspx

The 0x001f0fff is $PROCESS_ALL_ACCESS for DesiredAccess. But that's likely not the issue. I think it's either ObjectAttributes or ClientID that's the issue, leaning more towards ObjectAttributes actually. Despite the fact that ObjectName is not used, the struct must probably be correctly initialized after all. Or is ClientID passed incorrectly, perhaps?
joakim Posted August 11, 2012 (Author)

Here is the code with the ObjectAttributes initialization, which still gives a "STATUS_ACCESS_VIOLATION".

```autoit
Global Const $tagOBJECTATTRIBUTES = "ulong Length;hwnd RootDirectory;ptr ObjectName;ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService"
Global Const $OBJ_CASE_INSENSITIVE = 0x00000040
Global Const $tagUNICODESTRING = "ushort Length;ushort MaximumLength;ptr Buffer"

$TargetProcess = "explorer.exe"
$list = ProcessList($TargetProcess)
For $i = 1 To $list[0][0]
    ConsoleWrite($list[$i][0] & @CRLF)
    $Test = _NtOpenProcess($list[$i][1])
    If @error Then
        ConsoleWrite("Error" & @CRLF)
    Else
        ConsoleWrite("NtOpenProcess success: " & $Test & @CRLF)
    EndIf
    Exit
Next

Func _NtOpenProcess($PID)
    Local $szName = DllStructCreate("wchar[0]")
    Local $sOA = DllStructCreate($tagOBJECTATTRIBUTES)
    Local $sUS = DllStructCreate($tagUNICODESTRING)
    DllStructSetData($szName, 1, "")
    Local $ret = DllCall("ntdll.dll", "none", "RtlInitUnicodeString", "ptr", DllStructGetPtr($sUS), "ptr", DllStructGetPtr($szName))
    DllStructSetData($sOA, "Length", DllStructGetSize($sOA))
    DllStructSetData($sOA, "RootDirectory", Chr(0))
    ; DllStructSetData($sOA, "ObjectName", DllStructGetPtr($sUS))
    DllStructSetData($sOA, "ObjectName", Chr(0))
    DllStructSetData($sOA, "Attributes", $OBJ_CASE_INSENSITIVE)
    DllStructSetData($sOA, "SecurityDescriptor", Chr(0))
    DllStructSetData($sOA, "SecurityQualityOfService", Chr(0))

    Local $ClientID = DllStructCreate("dword UniqueThread;dword UniqueProcess")
    DllStructSetData($ClientID, "UniqueThread", 0)
    DllStructSetData($ClientID, "UniqueProcess", $PID)

    Local $aCall = DllCall("ntdll.dll", "hwnd", "NtOpenProcess", "dword", 0x001F0FFF, "ptr", DllStructGetPtr($sOA), "ptr", DllStructGetPtr($ClientID))
    If Not NT_SUCCESS($aCall[0]) Then
        ConsoleWrite("Error in NtOpenProcess: " & Hex($aCall[0], 8) & @CRLF)
        Return SetError(1, 0, $aCall[0])
    Else
        Return $aCall[0]
    EndIf
EndFunc

Func NT_SUCCESS($status)
    If 0 <= $status And $status <= 0x7FFFFFFF Then
        Return True
    Else
        Return False
    EndIf
EndFunc
```
jaberwacky Posted August 11, 2012 (edited)

OK, during my internet journey I came upon a quote. LO!

> NtOpenProcess is better way for bypassing noob Anti-Cheat routines? But more advance Anti-Cheat will just hook the NtOpenProcess

Edited August 11, 2012 by LaCastiglione
trancexx Posted August 11, 2012

Probably should be something like this:

```autoit
Func _NtOpenProcess($PID)
    Local $sOA = DllStructCreate($tagOBJECTATTRIBUTES)
    DllStructSetData($sOA, "Length", DllStructGetSize($sOA))
    DllStructSetData($sOA, "RootDirectory", 0)
    DllStructSetData($sOA, "ObjectName", 0)
    DllStructSetData($sOA, "Attributes", $OBJ_CASE_INSENSITIVE)
    DllStructSetData($sOA, "SecurityDescriptor", 0)
    DllStructSetData($sOA, "SecurityQualityOfService", 0)

    Local $ClientID = DllStructCreate("dword_ptr UniqueProcessId;dword_ptr UniqueThreadId")
    DllStructSetData($ClientID, "UniqueProcessId", $PID)
    DllStructSetData($ClientID, "UniqueThreadId", 0)

    Local $aCall = DllCall("ntdll.dll", "hwnd", "NtOpenProcess", "handle*", 0, "dword", 0x001F0FFF, "struct*", $sOA, "struct*", $ClientID)
    If Not NT_SUCCESS($aCall[0]) Then
        ConsoleWrite("Error in NtOpenProcess: " & Hex($aCall[0], 8) & @CRLF)
        Return SetError(1, 0, $aCall[0])
    Else
        Return $aCall[1]
    EndIf
EndFunc
```
joakim Posted August 11, 2012 (Author)

Brilliant
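The root cause that the fix above corrects, spelled out: NtOpenProcess takes four parameters, `NTSTATUS NtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)`, and both earlier attempts passed only three. Every argument therefore shifts one slot: the kernel treats the access mask 0x001F0FFF as the PHANDLE it must write the new handle into, that address is not mapped, and the probe fails with STATUS_ACCESS_VIOLATION. Two smaller problems would have bitten next: CLIENT_ID is `{HANDLE UniqueProcess; HANDLE UniqueThread;}` (pointer-sized members, process first, so `dword UniqueThread;dword UniqueProcess` is wrong on both counts), and ObjectAttributes must point at a real, zeroed struct because the kernel reads it even when no name is supplied. The script below is an added example written for this thread, not code from any of the posters; the helper names `_NtOpenProcessByPid` and `_NT_SUCCESS` are my own, the access-mask constants are from WinNT.h, and the struct layouts follow the WDK definitions. It differs from the fix above in two ways a practitioner would want: it defaults to PROCESS_QUERY_LIMITED_INFORMATION rather than PROCESS_ALL_ACCESS (request only the rights you need; SeDebugPrivilege is only relevant when the target's DACL would otherwise deny you, which is not the case for your own explorer.exe), and it declares the return as `long` so that NT_SUCCESS is the sign test it is defined as.

```autoit
; Added example (not from the original posts). Calls ntdll!NtOpenProcess with the
; correct four-parameter prototype and native struct layouts, opens each explorer.exe
; with a minimal access right, and closes the handle again with NtClose.

; OBJECT_ATTRIBUTES and CLIENT_ID as defined in the WDK. HANDLE members are
; pointer-sized, so "handle"/"ptr" is used instead of "dword" (which only
; happens to work on 32-bit builds). DllStructCreate inserts native padding.
Global Const $tagOBJECT_ATTRIBUTES = "ulong Length;handle RootDirectory;ptr ObjectName;ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService"
Global Const $tagCLIENT_ID = "handle UniqueProcess;handle UniqueThread"

; Process access rights from WinNT.h. Ask for the least you need.
Global Const $PROCESS_ALL_ACCESS = 0x001F0FFF
Global Const $PROCESS_QUERY_LIMITED_INFORMATION = 0x00001000

; Opens a process by PID via NtOpenProcess.
; Success: returns the handle. Failure: @error = 1 and returns the NTSTATUS,
; or @error = 2 if DllCall itself failed (@extended carries DllCall's @error).
Func _NtOpenProcessByPid($iPid, $iDesiredAccess = $PROCESS_QUERY_LIMITED_INFORMATION)
    ; An initialized (zeroed) OBJECT_ATTRIBUTES is mandatory even though no
    ; ObjectName is used; passing NULL here also yields STATUS_ACCESS_VIOLATION.
    ; Attributes stays 0: OBJ_CASE_INSENSITIVE only matters when a name is matched.
    Local $tOA = DllStructCreate($tagOBJECT_ATTRIBUTES)
    DllStructSetData($tOA, "Length", DllStructGetSize($tOA))

    ; The PID goes into UniqueProcess, the FIRST member; UniqueThread stays 0.
    Local $tCid = DllStructCreate($tagCLIENT_ID)
    DllStructSetData($tCid, "UniqueProcess", $iPid)
    DllStructSetData($tCid, "UniqueThread", 0)

    ; Parameter 1 is an out pointer (PHANDLE): "handle*" makes DllCall allocate it
    ; and hand the written value back in $aRet[1]. NTSTATUS is a signed 32-bit LONG,
    ; so the return is declared "long" and the sign bit tells success from failure.
    Local $aRet = DllCall("ntdll.dll", "long", "NtOpenProcess", _
            "handle*", 0, _
            "dword", $iDesiredAccess, _
            "struct*", $tOA, _
            "struct*", $tCid)
    If @error Then Return SetError(2, @error, 0)

    Local $iStatus = $aRet[0]
    If Not _NT_SUCCESS($iStatus) Then Return SetError(1, 0, $iStatus)
    Return $aRet[1]
EndFunc

; NT_SUCCESS(Status) is defined as ((NTSTATUS)(Status) >= 0).
Func _NT_SUCCESS($iStatus)
    Return $iStatus >= 0
EndFunc

; Demo: open every explorer.exe with the minimal right and close it again.
Local $aList = ProcessList("explorer.exe")
For $i = 1 To $aList[0][0]
    Local $iPid = $aList[$i][1]
    Local $hProc = _NtOpenProcessByPid($iPid)
    Local $iErr = @error
    If $iErr = 1 Then
        ; Hex() on a negative Int32 prints the two's-complement form, e.g. C0000005
        ConsoleWrite("PID " & $iPid & ": NtOpenProcess failed, NTSTATUS 0x" & Hex($hProc, 8) & @CRLF)
    ElseIf $iErr Then
        ConsoleWrite("PID " & $iPid & ": DllCall failed (" & @extended & ")" & @CRLF)
    Else
        ConsoleWrite("PID " & $iPid & ": opened, handle " & $hProc & @CRLF)
        ; NtClose is the native counterpart of CloseHandle; never leak process handles.
        DllCall("ntdll.dll", "long", "NtClose", "handle", $hProc)
    EndIf
Next
```

To reproduce the original fault deliberately, drop the `"handle*", 0` pair from the DllCall: the status comes back as 0xC0000005 again, which confirms the missing out-parameter, not the PID or ObjectAttributes, was the cause. Pass `$PROCESS_ALL_ACCESS` as the second argument only when you actually need to inject into or write the target; for a process belonging to another user or a protected process the open will fail with STATUS_ACCESS_DENIED (0xC0000022) regardless of how the structs are laid out, and that is where SeDebugPrivilege comes into play.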