WSCPorts Posted May 30, 2006 Share Posted May 30, 2006 origanal code by Vladimir Scherbina *crazy Props to him* /* gate function code */ VOID __declspec(naked) GateProc(VOID){ __asm { cli // disable interrupts pushad // store all registers mov di, 0x30 mov fs, di call g_dwRing0ProcAdrr // calling *our* function to be executed in kernel mode mov di, 0x3B mov fs, di popad // restore registers sti // enable interrupts retf } } i am still in BETA TESTING STAGES for this and a few other things but if anyone wants to see the sample Of retreiving the EPROCESS if the systemprocess ill glady post up the autoit code and the modified invoke.dll ;] http://www.myclanhosting.com/defiasVisit Join and contribute to a soon to be leader in Custumized tools development in [C# .Net 1.1 ~ 2.0/C/C++/MFC/AutoIt3/Masm32] Link to comment Share on other sites More sharing options...
WSCPorts Posted June 3, 2006 Author Share Posted June 3, 2006 (edited) im having a lil trouble opening physical memory with autoit could someone helps me? heres what i got so far, i know its got no error handling yet i wanna see results b4 i add error handling ;] expandcollapse popupFunc LibLoad( $lpLibFileName ) $hKrnl = DllOpen("kernel32.dll") Local $LibHandle = DllCall($hKrnl, "int", "LoadLibraryA", "str", $lpLibFileName) DllClose($hKrnl) Return $LibHandle[0] EndFunc Func LibLoadEx($lpLibFileName, $hFile = 0, $dwFlags = 0) $hKrnl = DllOpen("kernel32.dll") Local $LibExHandle = DllCall($hKrnl, "int", "LoadLibraryEx", "str", $lpLibFileName, "int", $hFile, "int", $dwFlags) DllClose($hKrnl) Return $LibExHandle[0] EndFunc Func LibFree($DllHandle) $hKrnl = DllOpen("kernel32.dll") Local $LibFreed = DllCall($hKrnl, "int", "FreeLibrary", "int", $DllHandle) return $LibFreed[0] EndFunc Func GetProcAddress( $hModule, $lpProcName) $hKrnl = DllOpen("Kernel32.dll") Local $ProcessAddy = DllCall($hKrnl,"int","GetProcAddress","int",$hModule,"str",$lpProcName) DllClose($hKrnl) Return $ProcessAddy[0] EndFunc Func InvokeVirtAllocEx($FuncPtr,$hProcess,$lpAddress,$dwSize,$flAllocationType,$flProtect) $DllInvoke = DllOpen("Invoke.dll") Local $Result = DllCall($DllInvoke,"int","InvokeFunc","int",$FuncPtr,"int",$hProcess, "int",$lpAddress, "int",$dwSize, "int",$flAllocationType, "int",$flProtect) DllClose($DllInvoke) Return $Result[0] EndFunc Func _MemOpen($i_Pid, $i_Access = 0x1F0FFF, $i_Inherit = 0) Local $av_Return[2] = [DllOpen('kernel32.dll') ] Local $ai_Handle = DllCall($av_Return[0], 'int', 'OpenProcess', 'int', $i_Access, 'int', $i_Inherit, 'int', $i_Pid) If @error Then DllClose($av_Return[0]) SetError(1) Return 0 EndIf $av_Return[1] = $ai_Handle[0] DllClose($av_Return[0]) Return $av_Return[1] EndFunc ;==>_MemOpen Const $STANDARD_RIGHTS_REQUIRED = 0xF0000 Const $SECTION_QUERY = 0x1 Const $SECTION_MAP_WRITE = 0x2 Const $SECTION_MAP_READ = 0x4 Const $SECTION_MAP_EXECUTE = 0x8 Const $SECTION_EXTEND_SIZE = 0x10 Const $SECTION_ALL_ACCESS = BitOr($STANDARD_RIGHTS_REQUIRED, $SECTION_QUERY, $SECTION_MAP_WRITE, $SECTION_MAP_READ, $SECTION_MAP_EXECUTE, $SECTION_EXTEND_SIZE) Const $FILE_MAP_ALL_ACCESS = $SECTION_ALL_ACCESS $oa = "int;int;char;int;int;int" $Object_Attributes = DllStructCreate($oa) DllStructSetData($Object_Attributes, 1, DllStructGetSize($Object_Attributes)) DllStructSetData($Object_Attributes, 2, 0) DllStructSetData($Object_Attributes, 3, "\Device\PhysicalMemory") DllStructSetData($Object_Attributes, 4, 0) DllStructSetData($Object_Attributes, 5, 0) DllStructSetData($Object_Attributes, 6, 0) ;OBJECT_ATTRIBUTES oa ={sizeof(oa),0,&name,0,0,0}; Func InvokeOpenPhysMem(ByRef $pHandle) $DllInvoke = DllOpen("Invoke.dll") $hNT = LibLoad("ntdll.dll") Local $OpenSectionPtr = GetProcAddress($hNT, "ZwOpenSection") $Status = DllCall($DllInvoke, "int", $OpenSectionPtr, "int", $pHandle, "int", $SECTION_ALL_ACCESS, "ptr", DllStructGetPtr($Object_Attributes)) LibFree($hNT) DllClose($DllInvoke) Return $Status EndFunc $Phys = InvokeOpenPhysMem($PhysMem) MsgBox(0, "", $Phys) DllCall("kernel32.dll", "int", "CloseHandle", "int", $PhysMem) is this a better example Edited June 7, 2006 by WSCPorts http://www.myclanhosting.com/defiasVisit Join and contribute to a soon to be leader in Custumized tools development in [C# .Net 1.1 ~ 2.0/C/C++/MFC/AutoIt3/Masm32] Link to comment Share on other sites More sharing options...
w0uter Posted June 5, 2006 Share Posted June 5, 2006 lots of errors. ewww. Dim $PhysMem $Phys = InvokeOpenPhysMem($PhysMem) -> the function isnt byref. nor is dllcall. MsgBox(0, "", $Phys) -> dllcall returns an array DllCall(DllOpen("kernel32.dll"), "int", "CloseHandle", "int", $PhysMem) -> this way you cant close kernel32.dll not to mention str isnt a datatype for dllstruct. also where do GetProcAddress/LibLoad come from ? My UDF's:;mem stuff_Mem;ftp stuff_FTP ( OLD );inet stuff_INetGetSource ( OLD )_INetGetImage _INetBrowse ( Collection )_EncodeUrl_NetStat_Google;random stuff_iPixelSearch_DiceRoll Link to comment Share on other sites More sharing options...
WSCPorts Posted June 7, 2006 Author Share Posted June 7, 2006 yea that was a ugly attempt at it i do have to say :] TY very much for the comments as i am very rusty in autoit :[ been spending alot of time with C++ and asm so imma try to implement the fixs u suggest and see if i can get a outcome :] http://www.myclanhosting.com/defiasVisit Join and contribute to a soon to be leader in Custumized tools development in [C# .Net 1.1 ~ 2.0/C/C++/MFC/AutoIt3/Masm32] Link to comment Share on other sites More sharing options...
WSCPorts Posted June 20, 2006 Author Share Posted June 20, 2006 expandcollapse popup10001000 >/$ B8 01000000 MOV EAX,1 10001005 \. C3 RETN 10001006 >/$ FF75 08 PUSH DWORD PTR SS:[EBP+8] 10001009 |. 8F45 F0 POP DWORD PTR SS:[EBP-10] 1000100C |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10] 1000100F |. 6A 00 PUSH 0 10001011 |. 6A 00 PUSH 0 10001013 |. 6A 00 PUSH 0 10001015 |. 6A 16 PUSH 16 10001017 |. FF31 PUSH DWORD PTR DS:[ECX] 10001019 |. 6A 10 PUSH 10 1000101B |. E8 36000000 CALL <JMP.&ntdll.ZwSystemDebugControl> 10001020 \. C3 RETN 10001021 >/$ FF75 08 PUSH DWORD PTR SS:[EBP+8] 10001024 |. 8F45 F0 POP DWORD PTR SS:[EBP-10] 10001027 |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10] 1000102A |. 6A 00 PUSH 0 1000102C |. 6A 00 PUSH 0 1000102E |. 6A 00 PUSH 0 10001030 |. 6A 16 PUSH 16 10001032 |. FF31 PUSH DWORD PTR DS:[ECX] 10001034 |. 6A 11 PUSH 11 10001036 |. E8 1B000000 CALL <JMP.&ntdll.ZwSystemDebugControl> 1000103B \. C3 RETN 1000103C >/$ 8BE5 MOV ESP,EBP 1000103E |. EB 01 JMP SHORT Sysenter.10001041 10001040 | B8 DB B8 10001041 |> 0F34 SYSENTER 10001043 |. 90 NOP 10001044 |. 90 NOP 10001045 \. C3 RETN 10001046 >/$ 60 PUSHAD 10001047 |. 9C PUSHFD 10001048 |. FA CLI 10001049 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 1000104C |. E8 EBFFFFFF CALL Sysenter.SysEnterCall 10001051 |. FB STI 10001052 |. 61 POPAD 10001053 |. 9D POPFD 10001054 \. C3 RETN 10001055 CC INT3 10001056 $-FF25 00200010 JMP DWORD PTR DS:[<&ntdll.ZwSystemDebugC>; ntdll.ZwSystemDebugControl NOO SOURCE FOR JOO ~~~!!!!! http://www.myclanhosting.com/defiasVisit Join and contribute to a soon to be leader in Custumized tools development in [C# .Net 1.1 ~ 2.0/C/C++/MFC/AutoIt3/Masm32] Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now