#1
[Delphi/Native API] ZwTerminateProcess without declaration from UserMode
PHP Code:
#2
The syscall number for this on Windows 10 has changed between each major update, so this may not work for all Windows 10 versions.
#3
But it works on version 10.0.15063. See here:
Code:
System Call Symbol    System Call Number (Windows 10 32-bit, by build = version)
                      10240.0=1507  10586=1511  14393=1607  15063=1703  16299=1709  17134=1803
NtTerminateProcess    0x0024        0x0024      0x0024      0x0024      0x0024      0x0024
Code:
https://j00ru.vexillium.org/syscalls/nt/32/
You can test.
#4
atom0s is correct; Microsoft usually randomizes the syscall table from build to build.

Btw, you mentioned ZwTerminateProcess() in your first post, yet in your second you state NtTerminateProcess(). Subtly different, but with serious consequences (BSOD) if called from the wrong ring level. ZwTerminateProcess is for CPL0; at that point you could mine for ZwTerminateProcess in the export function table of ntoskrnl via function name matching, so you never need to keep a hardcoded table of offsets. Similarly for CPL3, NtTerminateProcess() can be mined from the UM ntdll export table. But if you want to bypass a hook, e.g. an antivirus hook placed in UM, setting up the stack and making the syscall is the way to go.

I'll leave it to you to figure out how to mine for the syscall and make it (:

Last edited by Avalon; 07-25-2018 at 04:55.