Thread: TitanHide
Old 02-06-2014, 04:38
ahmadmansoor
Coder
 
Join Date: Feb 2006
Location: Syria
Posts: 1,044

Hi,
This is a quick solution.
http://fy.chalmers.se/~appro/LD_*-gallery/WINLOGOUT.c

Pls read this too:
http://forum.sysinternals.com/howto-...opic18892.html

So we need to work with these:
ZwDuplicateObject, ZwQueryInformationProcess, ZwQuerySystemInformation
Quotation:
An unusual aspect of calling NtQuerySystemInformation with SystemHandleInformation is that if you supply a buffer which is too small, it returns STATUS_INFO_LENGTH_MISMATCH (0xc0000004) instead of giving you the correct buffer size in ReturnLength. This means you will have to guess the buffer size. A common technique is to call NtQuerySystemInformation in a loop until it succeeds with STATUS_SUCCESS (0), reallocating and doubling the buffer size each time it fails with STATUS_INFO_LENGTH_MISMATCH.

/* Dump processes and find this session's CSRSS.EXE */
Let's get the PID of CSRSS.EXE,
then call ZwQuerySystemInformation in a loop, comparing the result with STATUS_INFO_LENGTH_MISMATCH, until it is not equal.
Quotation:
After you have the list of handles, you will probably want to get the types and names of the handles. There is no way to do this without duplicating the handle into your own process, so we can do that using DuplicateHandle (NOTE: in the source code I use NtDuplicateObject, but it's the same idea)

After we get a valid result (not equal to STATUS_INFO_LENGTH_MISMATCH),
we go through this handle table and check OpenProcess; if it is not NULL,
then close this handle, I think.
By the way, mr.exodia, I think you don't have to give this much care to CloseHandle,
because very few protectors use this technique.
So it is not a big deal at all; this is my opinion.
Attached file: WINLOGOUT.rar (229.5 KB)
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
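The procedure described in this post (query SystemHandleInformation with a doubling buffer until the status is no longer STATUS_INFO_LENGTH_MISMATCH, then walk the handle table) as an added, self-contained example. It is not code from this post, from WINLOGOUT.c or from TitanHide. The structure layouts are the public SYSTEM_HANDLE_TABLE_ENTRY_INFO / SYSTEM_HANDLE_INFORMATION shapes and the class number 16 is SystemHandleInformation; on Windows it resolves NtQuerySystemInformation from ntdll.dll, and on any other platform it runs the same loop against a constructed in-memory handle table (a fake query function with the real call's "no size hint" quirk) so the logic can be exercised offline. The fake PIDs, handle values and object addresses are invented for the demonstration. Beyond the post's own steps, it also shows the "who has my process open" check that WINLOGOUT-style tools use: resolve one of our handles to its kernel object address and report every other PID holding a handle to the same address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#define QCALL __stdcall
#else
#define QCALL
#endif

#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS              0x00000000u
#endif
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004u
#endif
#define SYSTEM_HANDLE_INFORMATION   16u   /* SystemHandleInformation class */

/* Public layout of SYSTEM_HANDLE_TABLE_ENTRY_INFO. PIDs and handle values are
 * 16-bit in this class, so they truncate on busy systems; class 64
 * (SystemExtendedHandleInformation) widens them. */
typedef struct {
    uint16_t UniqueProcessId;
    uint16_t CreatorBackTraceIndex;
    uint8_t  ObjectTypeIndex;
    uint8_t  HandleAttributes;
    uint16_t HandleValue;
    void    *Object;          /* kernel address; identical for every handle to one object */
    uint32_t GrantedAccess;
} handle_entry_t;

typedef struct {
    uint32_t       NumberOfHandles;
    handle_entry_t Handles[1];   /* NumberOfHandles entries follow */
} handle_info_t;

/* NtQuerySystemInformation's signature, kept abstract so a fake can stand in. */
typedef uint32_t (QCALL *query_fn)(uint32_t cls, void *buf, uint32_t len, uint32_t *ret_len);

/* The loop from the quoted text: the call gives no size hint for this class,
 * so keep doubling the buffer until the status is not STATUS_INFO_LENGTH_MISMATCH. */
handle_info_t *query_handle_table(query_fn query, size_t initial, size_t *out_len) {
    size_t len = initial ? initial : 0x10000;
    void *buf = NULL;
    for (;;) {
        void *grown = realloc(buf, len);
        if (!grown) { free(buf); return NULL; }
        buf = grown;
        uint32_t ret = 0;
        uint32_t st = query(SYSTEM_HANDLE_INFORMATION, buf, (uint32_t)len, &ret);
        if (st == STATUS_SUCCESS) { if (out_len) *out_len = len; return (handle_info_t *)buf; }
        if (st != STATUS_INFO_LENGTH_MISMATCH || len >= (1u << 30)) { free(buf); return NULL; }
        len *= 2;   /* any other status, or an absurd size, is a real failure */
    }
}

/* Handles owned by one process, e.g. the CSRSS instance found earlier. */
size_t handles_owned_by(const handle_info_t *info, uint16_t pid) {
    size_t n = 0;
    for (uint32_t i = 0; i < info->NumberOfHandles; i++)
        if (info->Handles[i].UniqueProcessId == pid) n++;
    return n;
}

/* "Who has my object open": resolve one of our own handles to its kernel object
 * address, then collect every other PID holding a handle to that same address.
 * Returns the number of distinct PIDs written to out (at most max). */
size_t find_other_holders(const handle_info_t *info, uint16_t my_pid, uint16_t my_handle,
                          uint16_t *out, size_t max) {
    const void *target = NULL;
    for (uint32_t i = 0; i < info->NumberOfHandles; i++)
        if (info->Handles[i].UniqueProcessId == my_pid && info->Handles[i].HandleValue == my_handle)
            target = info->Handles[i].Object;
    if (!target) return 0;
    size_t n = 0;
    for (uint32_t i = 0; i < info->NumberOfHandles; i++) {
        const handle_entry_t *e = &info->Handles[i];
        if (e->Object != target || e->UniqueProcessId == my_pid) continue;
        size_t j = 0;
        while (j < n && out[j] != e->UniqueProcessId) j++;   /* de-duplicate PIDs */
        if (j == n && n < max) out[n++] = e->UniqueProcessId;
    }
    return n;
}

/* Constructed handle table for offline runs (invented data, not a real dump):
 * PID 100 plays csrss, 512 is "us" holding handle 0x4 to our own process object,
 * 4000 is a debugger that also has that object open, 2000 shares a file with us. */
static const handle_entry_t fake_entries[] = {
    { 100,  0, 7,    0, 0x1c,  (void *)(uintptr_t)0xA0001000u, 0x1FFFFF },
    { 100,  0, 7,    0, 0x20,  (void *)(uintptr_t)0xA0002000u, 0x1FFFFF },
    { 512,  0, 7,    0, 0x04,  (void *)(uintptr_t)0xA0001000u, 0x001000 },
    { 4000, 0, 7,    0, 0x130, (void *)(uintptr_t)0xA0001000u, 0x1FFFFF },
    { 2000, 0, 0x1c, 0, 0x08,  (void *)(uintptr_t)0xB0003000u, 0x120089 },
    { 512,  0, 0x1c, 0, 0x08,  (void *)(uintptr_t)0xB0003000u, 0x120089 },
};
int fake_calls = 0;   /* how many attempts the doubling loop needed */

uint32_t QCALL fake_query(uint32_t cls, void *buf, uint32_t len, uint32_t *ret_len) {
    size_t count = sizeof fake_entries / sizeof fake_entries[0];
    size_t need = offsetof(handle_info_t, Handles) + count * sizeof(handle_entry_t);
    fake_calls++;
    if (cls != SYSTEM_HANDLE_INFORMATION) return 0xC0000003u;   /* STATUS_INVALID_INFO_CLASS */
    if (len < need) return STATUS_INFO_LENGTH_MISMATCH;          /* ret_len untouched, like the real call */
    handle_info_t *info = (handle_info_t *)buf;
    info->NumberOfHandles = (uint32_t)count;
    memcpy(info->Handles, fake_entries, count * sizeof(handle_entry_t));
    *ret_len = (uint32_t)need;
    return STATUS_SUCCESS;
}

int main(void) {
    uint16_t my_pid = 512, my_handle = 0x4;   /* the fake table's "us" */
    query_fn q = fake_query;
#ifdef _WIN32
    q = (query_fn)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation");
    HANDLE self = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, GetCurrentProcessId());
    my_pid = (uint16_t)GetCurrentProcessId();
    my_handle = (uint16_t)(uintptr_t)self;
#endif
    size_t len = 0;
    handle_info_t *info = query_handle_table(q, 64, &len);   /* start tiny to exercise the loop */
    if (!info) { fprintf(stderr, "handle table query failed\n"); return 1; }
    uint16_t pids[16];
    size_t n = find_other_holders(info, my_pid, my_handle, pids, 16);
    printf("%u handles fit in a %zu-byte buffer; %zu other process(es) hold our object:",
           info->NumberOfHandles, len, n);
    for (size_t i = 0; i < n; i++) printf(" %u", pids[i]);
    printf("\n");
    free(info);
    return 0;
}
```

On Windows, a debugger attached to the process normally shows up in the holder list, which is the kind of check a protector would make and which TitanHide-style hiding would have to account for; the 16-bit PID and handle fields are the reason real tools move to the extended class once PIDs exceed 65535.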