NtOpenProcess returns "STATUS_ACCESS_VIOLATION"

[joakim]

Trying to get this function in ntdll.dll working, but are facing STATUS_ACCESS_VIOLATION. I have tried granting myself debug privileges to no help. It seems the PID is not working the same way as in OpenProcess (kernel32.dll), or maybe it's the ObjectAttributes messing it up. But on Windows 7 (nt6.x in contrast to nt5.x) those should be null and with the PID set anyway, so I really don't understand what the problem is. Initializing the ObjectAttributes makes no difference and return the same 0xc0000005. Here's the core code scrapped for all nonsense added and tried:

$TargetProcess = "explorer.exe"
$list = ProcessList($TargetProcess)
For $i = 1 To $list[0][0]
ConsoleWrite($list[$i][0] & @CRLF)
$Test = _NtOpenProcess($list[$i][1])
If @error Then
ConsoleWrite("Ntstatus: 0x" & Hex($Test,8) & @CRLF)
Else
ConsoleWrite("NtOpenProcess success: " & $Test & @CRLF)
EndIf
Exit
Next

Func _NtOpenProcess($PID)
Local $aCall = DllCall("ntdll.dll", "ptr", "NtOpenProcess", "dword", 0x001F0FFF, "dword", 0, "dword", $PID)
If Not NT_SUCCESS($aCall[0]) Then
ConsoleWrite("Error in NtOpenProcess: " & Hex($aCall[0],8) & @CRLF)
Return SetError(1,0,$aCall[0])
Else
Return $aCall[0]
EndIf
EndFunc

Func NT_SUCCESS($status)
If 0 <= $status And $status <= 0x7FFFFFFF Then
Return True
Else
Return False
EndIf
EndFunc

[jaberwacky]

According to Wikipedia, a STATUS_ACCESS_VIOLATION means that you're trying to access unaccessible memory. Which leads me to this: what is 0x001F0FFF? I can't find the documentation for this function but I assume that ZwOpenProcess is close.

[joakim]

Yes ZwOpenProcess is similar, it's just the kernel mode equivalent to what NtOpenProcess is (user mode); http://msdn.microsoft.com/en-us/library/windows/hardware/ff567022(v=vs.85).aspx The 0x001f0fff is $PROCESS_ALL_ACCESS for DesiredAccess. But that's likely not the issue. I think it's either ObjectAttributes or ClientID that's the issue, leaning more over to the ObjectAttributes actually. Despite the fact that ObjectName is not used, the struct must probably be be correctly initialized after all.. Or is ClientID passed on incorrectly perhaps..?

[joakim]

Here is the code with the ObjectAttributes initialization, that still gives a "STATUS_ACCESS_VIOLATION".

expandcollapse popup

Global Const $tagOBJECTATTRIBUTES = "ulong Length;hwnd RootDirectory;ptr ObjectName;ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService"
Global Const $OBJ_CASE_INSENSITIVE = 0x00000040
Global Const $tagUNICODESTRING = "ushort Length;ushort MaximumLength;ptr Buffer"
$TargetProcess = "explorer.exe"
$list = ProcessList($TargetProcess)
For $i = 1 To $list[0][0]
ConsoleWrite($list[$i][0] & @CRLF)
$Test = _NtOpenProcess($list[$i][1])
If @error Then
ConsoleWrite("Error" & @CRLF)
Else
ConsoleWrite("NtOpenProcess success: " & $Test & @CRLF)
EndIf
Exit
Next

Func _NtOpenProcess($PID)
Local $szName = DllStructCreate("wchar[0]")
Local $sOA = DllStructCreate($tagOBJECTATTRIBUTES)
Local $sUS = DllStructCreate($tagUNICODESTRING)
DllStructSetData($szName, 1, "")
Local $ret = DllCall("ntdll.dll", "none", "RtlInitUnicodeString", "ptr", DllStructGetPtr($sUS), "ptr", DllStructGetPtr($szName))
DllStructSetData($sOA, "Length", DllStructGetSize($sOA))
DllStructSetData($sOA, "RootDirectory", Chr(0))
; DllStructSetData($sOA, "ObjectName", DllStructGetPtr($sUS))
DllStructSetData($sOA, "ObjectName", Chr(0))
DllStructSetData($sOA, "Attributes", $OBJ_CASE_INSENSITIVE)
DllStructSetData($sOA, "SecurityDescriptor", Chr(0))
DllStructSetData($sOA, "SecurityQualityOfService", Chr(0))
Local $ClientID = DllStructCreate("dword UniqueThread;dword UniqueProcess")
DllStructSetData($ClientID,"UniqueThread",0)
DllStructSetData($ClientID,"UniqueProcess",$PID)
Local $aCall = DllCall("ntdll.dll", "hwnd", "NtOpenProcess", "dword", 0x001F0FFF, "ptr", DllStructGetPtr($sOA), "ptr", DllStructGetPtr($ClientID))
If Not NT_SUCCESS($aCall[0]) Then
ConsoleWrite("Error in NtOpenProcess: " & Hex($aCall[0],8) & @CRLF)
Return SetError(1,0,$aCall[0])
Else
Return $aCall[0]
EndIf
EndFunc

Func NT_SUCCESS($status)
If 0 <= $status And $status <= 0x7FFFFFFF Then
Return True
Else
Return False
EndIf
EndFunc

[jaberwacky]

OK, during my internet journey I came upon a quote. LO!

NtOpenProcess is better way for bypassing noob Anti-Cheat routines?

But more advance Anti-Cheat will just hook the NtOpenProcess

Edited August 11, 2012 by LaCastiglione

[trancexx]

Probably should be something like this:

Func _NtOpenProcess($PID)
    Local $sOA = DllStructCreate($tagOBJECTATTRIBUTES)
    DllStructSetData($sOA, "Length", DllStructGetSize($sOA))
    DllStructSetData($sOA, "RootDirectory", 0)
    DllStructSetData($sOA, "ObjectName", 0)
    DllStructSetData($sOA, "Attributes", $OBJ_CASE_INSENSITIVE)
    DllStructSetData($sOA, "SecurityDescriptor", 0)
    DllStructSetData($sOA, "SecurityQualityOfService", 0)

    Local $ClientID = DllStructCreate("dword_ptr UniqueProcessId;dword_ptr UniqueThreadId")
    DllStructSetData($ClientID, "UniqueProcessId", $PID)
    DllStructSetData($ClientID, "UniqueThreadId", 0)

    Local $aCall = DllCall("ntdll.dll", "hwnd", "NtOpenProcess", "handle*", 0, "dword", 0x001F0FFF, "struct*", $sOA, "struct*", $ClientID)
    If Not NT_SUCCESS($aCall[0]) Then
        ConsoleWrite("Error in NtOpenProcess: " & Hex($aCall[0], 8) & @CRLF)
        Return SetError(1, 0, $aCall[0])
    Else
        Return $aCall[1]
    EndIf
EndFunc

[joakim]

Brilliant