Help needed with calling Nt... functions via syscall on a 64-bit OS

Each syscall number is moved into EAX and invoked through INT 2Eh. In Windows XP and later, the syscall mechanism changed.

    MOV EAX, 101h      ; syscall number: NtTerminateProcess
    MOV EDX, 7FFE0300h ; EDX = 7FFE0300h
    CALL EDX           ; call 7FFE0300h
    RETN 8

Notice the difference. Instead of INT 2Eh, now it is replaced by CALL EDX, which leads us to ntdll.KiFastSystemCall, a tiny stub containing the SYSENTER instruction.

    MOV EDX, ESP
    SYSENTER
    RETN

Based on the document above, I wrote the following code:

Code:
#include <windows.h>
#include <winternl.h>   /* OBJECT_ATTRIBUTES, InitializeObjectAttributes, NTSTATUS */
#include <stdio.h>
#include <stdlib.h>

/* Older MSVC inline assemblers do not know the SYSENTER mnemonic, so emit its opcode bytes (0F 34). */
#define SYSENTER __asm _emit 0x0F __asm _emit 0x34

/* Syscall number of NtOpenProcess, read from the ntdll stub at runtime. */
DWORD NtOpenProcessCall;

typedef struct _CLIENT_ID {
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;

/* Reads the syscall number from an ntdll stub. Assumes the stub begins with
   MOV EAX, imm32 (opcode B8), so the number is the DWORD at offset 1. */
DWORD GetCallNUM(LPCSTR FuncName)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (!ntdll)
        ntdll = LoadLibraryA("ntdll.dll");
    BYTE *stub = (BYTE *)GetProcAddress(ntdll, FuncName);
    if (!stub)
        return 0;
    DWORD syscallNumber = *(DWORD *)(stub + 1);
    return syscallNumber;
}

void InitFunction()
{
    NtOpenProcessCall = GetCallNUM("NtOpenProcess");
}

/* Equivalent of ntdll.KiFastSystemCall: EDX carries the user stack pointer into the kernel. */
__declspec(naked) void __stdcall SystemCall(void)
{
    __asm
    {
        MOV EDX, ESP
        SYSENTER
        RET
    }
}

/* Own stub for NtOpenProcess: load the syscall number into EAX, enter the kernel,
   then pop the four 4-byte arguments (10h bytes) as a __stdcall function would. */
__declspec(naked) NTSTATUS __stdcall
NtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK AccessMask, PVOID ObjectAttributes, PCLIENT_ID ClientID)
{
    __asm
    {
        mov eax, NtOpenProcessCall
        call SystemCall
        retn 10h
    }
}

int main(void)
{
    InitFunction();
    CLIENT_ID cid;
    cid.UniqueThread = 0;
    cid.UniqueProcess = (HANDLE)21060;
    BYTE bBuffer[] = {0x90, 0x90, 0x90, 0x90};
    SIZE_T nWritten;
    HANDLE VictimHandle = 0;
    OBJECT_ATTRIBUTES ObjectAttributes;
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, 0, NULL);
    NTSTATUS stt = NtOpenProcess(&VictimHandle, PROCESS_QUERY_INFORMATION |
        PROCESS_VM_OPERATION | PROCESS_VM_WRITE, &ObjectAttributes, &cid);
    printf("0x%X \n", stt);
    if (stt == 0 && VictimHandle)   /* only write when the open succeeded */
    {
        WriteProcessMemory(VictimHandle, (void *)0x000A8BE0, bBuffer, sizeof(bBuffer), &nWritten);
        CloseHandle(VictimHandle);
    }
    system("pause");
    return 0;
}
My code works fine on a 32-bit OS, but when it runs on 64-bit it crashes at the NtOpenProcess call. Does anyone know why and could explain it to me? :(