Exetools

Exetools (https://forum.exetools.com/index.php)
-   Source Code (https://forum.exetools.com/forumdisplay.php?f=46)
-   -   [Delphi/Native API] ZwTerminateProcess without declaration from UserMode (https://forum.exetools.com/showthread.php?t=18861)

Agmcz 07-22-2018 19:45

[Delphi/Native API] ZwTerminateProcess without declaration from UserMode
 
PHP Code:

function ZwTerminateProcess(hProcess: DWORD; uCode: DWORD): NTSTATUS; stdcall; assembler;
{
  Coded By Agmcz
  Support for all operating systems [XP, 7, 8, 8.1, 10 32bit]
  Tested on Windows XP/7/8.1/10.

  Direct syscall via INT 2Eh: EAX = syscall number, EDX = pointer to the
  caller's arguments (hProcess, uCode) on the stack. The number is picked
  from PEB.OSMajorVersion / PEB.OSMinorVersion because it differs per OS.
}
asm
{$IFDEF WIN32}
  MOV EAX, FS:[$C0]          // TEB.WOW32Reserved: non-zero inside a WOW64 process
  CMP EAX, $0
  JNZ @Exit                  // INT 2Eh is not usable under WOW64, bail out
  MOV EAX, FS:[$30]          // TEB.ProcessEnvironmentBlock
  MOV EAX, [EAX+$A4]         // PEB.OSMajorVersion
  SUB EAX, $5
  JE @WinXP                  // major 5 -> XP
  DEC EAX
  JE @Win8_81                // major 6 -> Vista/7/8/8.1, decided by minor version
  SUB EAX, $4
  JNE @Sys                   // unknown major version: falls through with a bogus EAX
  MOV EAX, $0024             // major 10 -> Windows 10 NtTerminateProcess
  JMP @Sys
@Win8_81:
  MOV EAX, FS:[$30]          // reload PEB (the posted code read EBX, which is never set)
  MOV EAX, [EAX+$A8]         // PEB.OSMinorVersion
  DEC EAX
  JE @Win7                   // 6.1 -> Windows 7
  DEC EAX
  SUB EAX, $2
  JAE @Sys                   // 6.0 (Vista) is unsupported: no borrow, bogus EAX reaches INT 2Eh
  MOV EAX, $0023             // 6.2 / 6.3 -> Windows 8 / 8.1
  JMP @Sys
@Win7:
  MOV EAX, $0172
  JMP @Sys
@WinXP:
  MOV EAX, $0101
@Sys:
  LEA EDX, [EBP+$8]          // first stack argument once the stdcall frame is set up
  INT $2E
@Exit:                       // on WOW64 the returned NTSTATUS is just FS:[$C0], not an error code
{$ENDIF}
end;

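Added model of the version dispatch in the stub above (written for this edit, not the author's code): it mirrors the branch logic on the PEB OSMajorVersion/OSMinorVersion fields, including the unsigned JAE check, and reports which EAX value reaches INT 2Eh for a given version. It assumes the minor-version read comes from the PEB like the major one; the version-to-number mapping is the one the stub encodes, and the audit only checks whether a value is in the small range real 32-bit syscall ids occupy.

```python
MASK32 = 0xFFFFFFFF

# Constructed (major, minor) pairs as reported in PEB for the versions the stub names
KNOWN_VERSIONS = {
    "XP": (5, 1), "Vista": (6, 0), "7": (6, 1),
    "8": (6, 2), "8.1": (6, 3), "10": (10, 0),
}

def dispatch(major, minor, wow64_reserved=0):
    """Return the 32-bit EAX value the stub loads before INT 2Eh, or None when
    the FS:[0xC0] (WOW32Reserved) check makes it leave via @Exit."""
    if wow64_reserved != 0:
        return None                      # JNZ @Exit: WOW64 process
    eax = (major - 5) & MASK32           # SUB EAX, 5
    if eax == 0:
        return 0x0101                    # @WinXP (major 5)
    eax = (eax - 1) & MASK32             # DEC EAX
    if eax == 0:                         # major 6: Vista/7/8/8.1
        eax = minor & MASK32             # PEB.OSMinorVersion
        eax = (eax - 1) & MASK32         # DEC EAX
        if eax == 0:
            return 0x0172                # @Win7 (6.1)
        eax = (eax - 1) & MASK32         # DEC EAX  -> minor - 2
        borrow = eax < 2                 # SUB EAX, 2 sets CF on unsigned borrow
        eax = (eax - 2) & MASK32
        if not borrow:
            return eax                   # JAE @Sys: Vista (6.0) sends a bogus EAX
        return 0x0023                    # 6.2 / 6.3 -> Windows 8 / 8.1
    eax = (eax - 4) & MASK32             # SUB EAX, 4 (major - 10)
    if eax != 0:
        return eax                       # JNE @Sys: unknown major, bogus EAX
    return 0x0024                        # Windows 10 (major 10)

def audit(versions=KNOWN_VERSIONS):
    """For each named version: (dispatched EAX, looks like a real syscall id).
    Real 32-bit NT syscall ids are small, so anything >= 0x1000 is garbage."""
    report = {}
    for name, (major, minor) in versions.items():
        eax = dispatch(major, minor)
        report[name] = (eax, eax is not None and eax < 0x1000)
    return report

if __name__ == "__main__":
    for name, (eax, ok) in audit().items():
        print(f"Windows {name:5s} -> EAX={eax:#010x} {'ok' if ok else 'BOGUS'}")
```

Running it shows that Vista (6.0) is the one version in the stub's own range whose branch sends 0xFFFFFFFC to INT 2Eh instead of a syscall id.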

atom0s 07-24-2018 07:49

The sys call offset for this on Windows 10 has changed between each major patch. So this may not work for all Windows 10 versions.

Agmcz 07-24-2018 21:11

Quote:

Originally Posted by atom0s (Post 114118)
The sys call offset for this on Windows 10 has changed between each major patch. So this may not work for all Windows 10 versions.

I have not tested on all versions of Windows 10, but it works on version 10.0.15063.

See here
Code:

System Call Symbol    System Call Number (Windows 10 32bit)
                      10240=1507  10586=1511  14393=1607  15063=1703  16299=1709  17134=1803
NtTerminateProcess    0x0024      0x0024      0x0024      0x0024      0x0024      0x0024

or
Code:

https://j00ru.vexillium.org/syscalls/nt/32/
Logically it will work.
You can test it.

Avalon 07-25-2018 04:48

atom0s is correct, Microsoft usually randomizes the syscall table from build to build.

Btw, you mentioned ZwTerminateProcess() in your first post, yet in your second you state NtTerminateProcess(). Subtly different, but with serious consequences (BSOD) if called from the wrong ring level.

ZwTerminateProcess is for CPL0; at that point you could mine the ntoskrnl export table for ZwTerminateProcess via function-name matching, so you never need to keep a hardcoded table of offsets.

Similarly for CPL3, NtTerminateProcess() can be mined from the UM ntdll export table. But if you want to bypass a hook, e.g. an antivirus hook placed in UM, setting up the stack and making the syscall is the way to go.

*I'll leave it to you to figure out how to mine for the syscall and make it (:

