Exetools  

Go Back   Exetools > General > Source Code

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 03-24-2020, 08:56
Mahmoudnia's Avatar
Mahmoudnia Mahmoudnia is offline
Family
 
Join Date: Nov 2012
Posts: 228
Rept. Given: 64
Rept. Rcvd 142 Times in 49 Posts
Thanks Given: 198
Thanks Rcvd at 282 Times in 97 Posts
Mahmoudnia Reputation: 100-199 Mahmoudnia Reputation: 100-199
[C++] Windows SysCall - NtCreateFile

Windows SysCall - NtCreateFile

main.cpp
Code:
#include 
#include 
#include "windows_struct.h"

int createTestFile()
{
    HANDLE hCurtProc = GetCurrentProcess();

#ifdef _WIN64
    BYTE byteNtCreateFile[0x1000]{
        0x4C, 0x8B, 0xD1,                                   // mov r10, rcx
        0xB8, 0x55, 0x00, 0x00, 0x00,                       // mov eax, 55h
        0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01,     // test byte ptr [7FFE0308h], 1
        0x75, 0x03,                                         // jne  ELSE 
        0x0F, 0x05,                                         // syscall
        0xC3,                                               // retn
        // ELSE:
        0xCD, 0x2E,                                         // int 2Eh
        0xC3                                                // retn
    };
#else
    BYTE byteNtCreateFile[0x1000]{
        0xB8, 0x55, 0x00, 0x00, 0x00,                       // mov eax, 55h
        0xBA, 0x40, 0x8D, 0x50, 0x77,                       // mov edx, offset j_Wow64Transition
        0xFF, 0xD2,                                         // syscall
        0xC2, 0x2C, 0x00,                                   // retn
        0x90                                                // nop
    };
#endif


    void* pShellcode = VirtualAllocEx(hCurtProc, nullptr, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (pShellcode == NULL)
    {
        printf("VirtualAlloc failed 0x%X\n", GetLastError());
        return false;
    }

    BOOL bWriteMem = WriteProcessMemory(hCurtProc, pShellcode, byteNtCreateFile, sizeof(byteNtCreateFile), nullptr);
    if (bWriteMem == 0)
    {
        printf("WriteProcessMemory failed 0x%X\n", GetLastError());
        VirtualFreeEx(hCurtProc, pShellcode, 0, MEM_RELEASE);
        return false;
    }

    HANDLE hFile = NULL;
    OBJECT_ATTRIBUTES objAttr;
    IO_STATUS_BLOCK ioStatusBlock;

    // Initalize Unicode String
    UNICODE_STRING ucFilepath;
    WCHAR wcFilepath[100] = L"\\??\\\\C:\\dev\\testFile.txt";
    RtlInitUnicodeString(&ucFilepath, wcFilepath);

    // Initialize object
    InitializeObjectAttributes(&objAttr, &ucFilepath, OBJ_CASE_INSENSITIVE, NULL, NULL);


    //NtCreateFile funcNtCreateFile = (NtCreateFile)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCreateFile");
    NtCreateFile funcNtCreateFile = (NtCreateFile)pShellcode;

    NTSTATUS stat = funcNtCreateFile(&hFile, FILE_GENERIC_WRITE, &objAttr, &ioStatusBlock, 0, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE, FILE_OVERWRITE_IF,
        FILE_RANDOM_ACCESS | FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
    if (!NT_SUCCESS(stat))
    {
        printf("NtCreateFile failed 0x%X\n", GetLastError());
        VirtualFreeEx(hCurtProc, pShellcode, 0, MEM_RELEASE);
        return false;
    }

    BOOL bClose = CloseHandle(hFile);
    if (bClose == FALSE)
    {
        printf("CloseHandle failed 0x%X\n", GetLastError());
        VirtualFreeEx(hCurtProc, pShellcode, 0, MEM_RELEASE);
        return false;
    }

    bool bFreeMem = VirtualFreeEx(hCurtProc, pShellcode, 0, MEM_RELEASE);
    if (bFreeMem == 0)
    {
        printf("VirutalFreeEx failed 0x%X\n", GetLastError());
        return false;
    }

    return true;
}


int main()
{
    if (createTestFile() == true)
        printf("createTestFile sucess\n");

    return 0;
}
windows_struct.h
Code:
#pragma once
#include 

#define FILE_OPEN 0x00000001
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
#define FILE_OVERWRITE_IF 0x00000005
#define FILE_RANDOM_ACCESS 0x00000800
#define FILE_NON_DIRECTORY_FILE 0x00000040
#define OBJ_CASE_INSENSITIVE 0x00000040

#define InitializeObjectAttributes(p, n, a, r, s) { \
(p)->Length = sizeof(OBJECT_ATTRIBUTES); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}

typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;

FORCEINLINE VOID RtlInitUnicodeString(
    _Out_ PUNICODE_STRING DestinationString,
    _In_opt_ PWSTR SourceString
)
{
    if (SourceString)
        DestinationString->MaximumLength = (DestinationString->Length = (USHORT)(wcslen(SourceString) * sizeof(WCHAR))) + sizeof(WCHAR);
    else
        DestinationString->MaximumLength = DestinationString->Length = 0;

    DestinationString->Buffer = SourceString;
}

typedef _Success_(return >= 0) LONG NTSTATUS;
typedef NTSTATUS* PNTSTATUS;



typedef struct _IO_STATUS_BLOCK
{
    union
    {
        LONG Status;
        PVOID Pointer;
    };
    ULONG Information;
} IO_STATUS_BLOCK, * PIO_STATUS_BLOCK;

typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR;
    PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE
} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;

#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

typedef
NTSYSCALLAPI NTSTATUS
(*NTAPI NtCreateFile)(
    _Out_ PHANDLE FileHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_opt_ PLARGE_INTEGER AllocationSize,
    _In_ ULONG FileAttributes,
    _In_ ULONG ShareAccess,
    _In_ ULONG CreateDisposition,
    _In_ ULONG CreateOptions,
    _In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
    _In_ ULONG EaLength
    );
Source : guidedhacking
Reply With Quote
The Following 3 Users Say Thank You to Mahmoudnia For This Useful Post:
niculaita (03-25-2020), nimaarek (04-08-2020), Sir.V65j (03-27-2020)
  #2  
Old 03-25-2020, 06:58
h4sh3m h4sh3m is offline
Friend
 
Join Date: Aug 2016
Location: RCE
Posts: 56
Rept. Given: 1
Rept. Rcvd 4 Times in 2 Posts
Thanks Given: 49
Thanks Rcvd at 81 Times in 35 Posts
h4sh3m Reputation: 4
Hi

it's good idea but as you know function indexes is changing in every revisions so you need to have an table and select valid index(0x55 in this case) based on os revision id or get correct value at runtime !



BR,
h4sh3m
Reply With Quote
The Following User Says Thank You to h4sh3m For This Useful Post:
niculaita (03-27-2020)
  #3  
Old 03-25-2020, 13:40
Mahmoudnia's Avatar
Mahmoudnia Mahmoudnia is offline
Family
 
Join Date: Nov 2012
Posts: 228
Rept. Given: 64
Rept. Rcvd 142 Times in 49 Posts
Thanks Given: 198
Thanks Rcvd at 282 Times in 97 Posts
Mahmoudnia Reputation: 100-199 Mahmoudnia Reputation: 100-199
Quote:
Originally Posted by h4sh3m View Post
Hi

it's good idea but as you know function indexes is changing in every revisions so you need to have an table and select valid index(0x55 in this case) based on os revision id or get correct value at runtime !



BR,
h4sh3m
Hello

Yes, Exactly.

These links includes all tables based on windows version and their revisions .

Code:
https://github.com/tinysec/windows-syscall-table
https://github.com/j00ru/windows-syscalls
Reply With Quote
The Following User Says Thank You to Mahmoudnia For This Useful Post:
niculaita (03-27-2020)
  #4  
Old 03-27-2020, 14:29
Sir.V65j Sir.V65j is offline
Friend
 
Join Date: Oct 2010
Posts: 66
Rept. Given: 35
Rept. Rcvd 32 Times in 15 Posts
Thanks Given: 68
Thanks Rcvd at 54 Times in 21 Posts
Sir.V65j Reputation: 32
Thanks Bro
Can you help me for do this in Delphi?
Reply With Quote
  #5  
Old 03-27-2020, 17:15
h4sh3m h4sh3m is offline
Friend
 
Join Date: Aug 2016
Location: RCE
Posts: 56
Rept. Given: 1
Rept. Rcvd 4 Times in 2 Posts
Thanks Given: 49
Thanks Rcvd at 81 Times in 35 Posts
h4sh3m Reputation: 4
Sample for NtClose in delphi(x86 api), before testing check function index in your system and replace it in array(in my system index value is $0C).

Code:
program Project1;

{$APPTYPE CONSOLE}

uses
  Windows;

var
  Nt_xyz{NtClose} : function(a1 : THandle) : DWORD; Stdcall;
  Nt_xyz_Bytes : array[0..23] of Byte = ($B8, $0C, $00, $00, $00, $33, $C9, $8D, $54, $24, $04, $64, $FF, $15, $C0, $00, $00, $00, $83, $C4, $04, $C2, $04, $00);
  w : DWORD;
  hndl : THandle;

begin
  if not(VirtualProtect(@Nt_xyz_Bytes[0], High(Nt_xyz_Bytes), PAGE_EXECUTE, w)) then
    exit;

  FlushInstructionCache(GetCurrentProcess(), @Nt_xyz_Bytes[0], High(Nt_xyz_Bytes));

  @Nt_xyz := @Nt_xyz_Bytes[0];

  hndl := OpenProcess(PROCESS_VM_READ{PROCESS_ALL_ACCESS}, False, GetCurrentProcessId);
  if hndl <> 0 then
    Nt_xyz(hndl);
    //CloseHandle(hndl);
end.
Reply With Quote
  #6  
Old 04-08-2020, 07:48
Fyyre's Avatar
Fyyre Fyyre is offline
Fyyre
 
Join Date: Dec 2009
Location: 0°N 0°E / 0°N 0°E / 0; 0
Posts: 259
Rept. Given: 75
Rept. Rcvd 85 Times in 38 Posts
Thanks Given: 141
Thanks Rcvd at 335 Times in 113 Posts
Fyyre Reputation: 85
hFiref0x and I solve sysindex problem many many years ago, example:

https://github.com/Fyyre/directntapi...ster/usage.txt
__________________
Best Wishes,

Fyyre

--

https://github.com/Fyyre
Reply With Quote
The Following 4 Users Say Thank You to Fyyre For This Useful Post:
Mahmoudnia (04-14-2020), morgot (04-08-2020), nimaarek (04-08-2020), SinaDiR (04-11-2020)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On


Similar Threads
Thread Thread Starter Forum Replies Last Post
C# (Classic .exe, Windows 10, Windows Phone etc.) Protection delidolunet General Discussion 7 10-11-2016 01:10
(Q) .NET App Source Code Protection (Silverlight, Windows Phone, Windows 8) delidolunet General Discussion 7 08-02-2013 10:33
Windows 2000 and Windows nt 4 sources, question shady General Discussion 2 04-15-2004 04:17


All times are GMT +8. The time now is 17:34.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )