[Delphi/Native API] ZwTerminateProcess without declaration from UserMode
The syscall number for this on Windows 10 has changed with each major patch, so this may not work on all Windows 10 versions.
But it works on version 10.0.15063. See here (table of System Call Symbol / System Call Number):
https://j00ru.vexillium.org/syscalls/nt/32/
You can test
atom0s is correct; Microsoft usually randomizes the syscall table from build to build.
Btw, you mentioned ZwTerminateProcess() in your first post, yet in your second you state NtTerminateProcess(). Subtly different, but with serious consequences (BSOD) if called from the wrong ring level. ZwTerminateProcess is for CPL0; at that point you could mine the ntoskrnl export table for ZwTerminateProcess via function-name matching, so you never need to keep a hardcoded table of offsets. Similarly, for CPL3, NtTerminateProcess() can be mined from the UM ntdll export table. But if you want to bypass a hook, e.g. an antivirus hook placed in UM, setting up the stack and making the syscall is the way to go. *I'll leave it to you to figure out how to mine for the syscall and make it (: