EXETOOLS FORUM  

#1 - Agmcz - 07-22-2018, 19:45
[Delphi/Native API] ZwTerminateProcess without declaration from UserMode

Code:
function ZwTerminateProcess(hProcess: DWORD; uCode: DWORD): NTSTATUS; stdcall; assembler;
{
  Coded By Agmcz
  Support for all operating systems [XP/7/8/8.1/10 32bit]
  Tested on Windows XP/7/8.1/10.
}
asm
{$IFDEF WIN32}
  MOV EAX, FS:[$C0]        // TEB.WOW32Reserved: non-zero under WOW64, where INT 2E is not usable
  CMP EAX, $0
  JNZ @Exit
  MOV EAX, FS:[$30]        // PEB
  MOV EAX, [EAX+$A4]       // PEB.OSMajorVersion
  SUB EAX, $5
  JE @WinXP                // 5.x
  DEC EAX
  JE @Win8_81              // 6.x: Win7/8/8.1, decided on the minor version below
  SUB EAX, $4
  JNE @Exit                // not 10.x: unsupported, leave without issuing the call
  MOV EAX, $0024           // NtTerminateProcess on Windows 10 x86
  JMP @Sys
@Win8_81:
  MOV EAX, FS:[$30]        // reload the PEB (the posted line read EBX, which nothing loads)
  MOV EAX, [EAX+$A8]       // PEB.OSMinorVersion
  DEC EAX
  JE @Win7                 // 6.1
  DEC EAX
  SUB EAX, $2
  JAE @Exit                // 6.0 or minor >= 4: unsupported, leave without issuing the call
  MOV EAX, $0023           // NtTerminateProcess on Windows 8/8.1 x86
  JMP @Sys
@Win7:
  MOV EAX, $0172           // NtTerminateProcess on Windows 7 x86
  JMP @Sys
@WinXP:
  MOV EAX, $0101           // NtTerminateProcess on Windows XP x86
@Sys:
  LEA EDX, [EBP+$8]        // EDX -> first stack argument (hProcess, then uCode)
  INT $2E                  // legacy system service entry; EAX = service number, EDX = argument pointer
@Exit:
{$ENDIF}
end;

#2 - atom0s - 07-24-2018, 07:49
The sys call offset for this on Windows 10 has changed between each major patch. So this may not work for all Windows 10 versions.

#3 - Agmcz - 07-24-2018, 21:11
Quote:
Originally Posted by atom0s
The sys call offset for this on Windows 10 has changed between each major patch. So this may not work for all Windows 10 versions.
I have not tested on all versions of Windows 10, but it works on version 10.0.15063.

See here:
Code:
System Call Symbol   System Call Number (Windows 10 32bit)
                     10240.0=1507  10586=1511  14393=1607  15063=1703  16299=1709  17134=1803
NtTerminateProcess   0x0024        0x0024      0x0024      0x0024      0x0024      0x0024
or https://j00ru.vexillium.org/syscalls/nt/32/
Logically it will work. You can test it.
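A defender-side check, added here as an example and not code from this thread: a byte-level triage scan for INT 2E / SYSENTER / SYSCALL sites in code that is not ntdll, paired with the `MOV EAX, imm32` that precedes them, which recovers the service number a stub like the one in post #1 hard-codes. The sample bytes are constructed to mirror the Windows 10 path of the posted function, and the label table is an assumption built from the numbers quoted in posts #1 and #3.

```python
from struct import unpack_from

# x86 (32-bit) instruction encodings that transfer control to the kernel.
KERNEL_ENTRY = {
    b"\xcd\x2e": "INT 2E",    # interrupt-based entry used by the posted stub
    b"\x0f\x34": "SYSENTER",
    b"\x0f\x05": "SYSCALL",
}

# Service numbers the thread quotes for NtTerminateProcess on x86 Windows
# (constants in post #1, table in post #3). Assumed here only to label a
# finding; numbers move between builds, as post #2 points out.
KNOWN_NUMBERS = {
    0x0024: "NtTerminateProcess (Win10 x86, builds 10240-17134)",
    0x0023: "NtTerminateProcess (Win8/8.1 x86)",
    0x0172: "NtTerminateProcess (Win7 x86)",
    0x0101: "NtTerminateProcess (WinXP x86)",
}

def find_direct_syscalls(code: bytes, window: int = 64):
    """Scan raw code bytes for kernel-entry instructions and pair each one
    with every `MOV EAX, imm32` (opcode B8) in the preceding `window` bytes.
    Returns [(offset, mnemonic, [candidate service numbers]), ...]. Several
    candidates can appear because a stub like the posted one sets EAX in
    per-version branches that all jump to one shared INT 2E."""
    hits = []
    for i in range(len(code) - 1):
        name = KERNEL_ENTRY.get(code[i:i + 2])
        if name is None:
            continue
        cands = [unpack_from("<I", code, j + 1)[0]
                 for j in range(max(0, i - window), i - 4)  # B8 + imm32 must end before i
                 if code[j] == 0xB8]
        hits.append((i, name, cands))
    return hits

def label(number: int) -> str:
    return KNOWN_NUMBERS.get(number, "unknown service number")

# Constructed sample (hand-assembled, not taken from the post): the Windows 10
# path of the posted function, i.e. WOW64 check, MOV EAX,24h, LEA, INT 2E.
SAMPLE_STUB = bytes([
    0x64, 0xA1, 0xC0, 0x00, 0x00, 0x00,  # MOV EAX, FS:[0C0h]
    0x85, 0xC0,                          # TEST EAX, EAX
    0x75, 0x0A,                          # JNZ  @exit
    0xB8, 0x24, 0x00, 0x00, 0x00,        # MOV EAX, 24h
    0x8D, 0x55, 0x08,                    # LEA EDX, [EBP+8]
    0xCD, 0x2E,                          # INT 2Eh
    0xC2, 0x08, 0x00,                    # @exit: RET 8
])
```

Because this is a byte scan and not a disassembly, a `CD 2E` inside data or an immediate is a false positive, and a stub that loads EAX from a register or memory instead of an immediate yields an empty candidate list; treat the output as triage input, not a verdict.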

#4 - Avalon - 07-25-2018, 04:48
atom0s is correct; Microsoft usually randomizes the syscall table from build to build.

Btw you've mentioned in your first post ZwTerminateProcess() yet in your second you state NtTerminateProcess(). Subtly different, but serious consequences (BSOD) if called from the wrong ring level.

ZwTerminateProcess is for CPL0, at that point you could mine for ZwTerminateProcess export function table from ntoskrnl via function name matching, so you never need to keep a hardcoded table of offsets.

Similarly for CPL3, NtTerminateProcess() can be mined from the UM ntdll export table. But if you want to bypass a hook, e.g. an antivirus hook placed in UM, setting up the stack and making the syscall is the way to go.

*I'll leave it to you to figure out how to mine for the syscall and make it (:
