Log in

View Full Version : using filestreams to store data..or code as data?

BanMe
August 7th, 2009, 21:11
eh wtf..
trying to make it work in win32..before moving to the native equivelent..
self storage..so much is available!?we can most likely use some?



Code:


wchar_t NativePath[255] = {0};

wchar_t *wString = {0};

IO_STATUS_BLOCK IOSB = {0};

LARGE_INTEGER li = {0}

NTSTATUS Status = 0;

ULONG dwWritten = 0;

__asm

{

	xor eax,eax

	add eax,0x30

	mov eax,fs:[eax]//PEB!!!

	mov eax,[eax+0x10]//RTL_USER_PROCESS_PARAMETERS!!!!

	add eax,0x38//UNICODE_STRING ImagePathName;!!!!

	mov eax,[eax][UNICODE_STRING.Buffer]//ImagePathName.Buffer!!!!!

	push eax//PUSH the buffer

	pop wString //pop it into a wchar*

}

             //we now have the Win32 Path Name and not the NT Path Name...

	//so we create our own Nt Path Name

             wcscpy((wchar_t*)&NativePath,L"\\??\\";

	wcscat((wchar_t*)&NativePath,wString);

             //string looks like:

             //\??\C:\Windows\System32\Sin32.exe

             // : is the signifier for a file stream attached to a file

	wcscat((wchar_t*)&NativePath,L"EBUG_STREAM";

             //this is what it looks like with a File Stream specified

             //\??\C:\Windows\System32\Sin32.exeEBUG_STREAM

	//Init the Created String

             RtlInitUnicodeString(&Unicode,(PCWSTR)&NativePath);

	InitializeObjectAttributes(&oa,&Unicode,OBJ_OPENIF|OBJ_KERNEL_HANDLE,0,0);

	li.QuadPart = 0x4096;

	li.LowPart = 0x4096;

	li.u.LowPart = 0x4096;

	Status = NtCreateFile(&Reusable,GENERIC_WRITE,&oa,&IOSB,&li,FILE_ATTRIBUTE_NORMAL,FILE_SHARE_WRITE,FILE_OVERWRITE_IF,FILE_WRITE_THROUGH,0,0);

             //try to write to the file stream

	Recycler = WriteFile(Reusable,"This is Sin32EBUG_STREAM\r\n",29,&dwWritten,0);

	//Flush File Stream...

             FlushFileBuffers(Reusable);

	CloseHandle(Reusable);

for some reason its not writing.. and my head hurtz...
please some assistance?

BanMe
FrankRizzo
August 7th, 2009, 22:05
No errors either?
BanMe
August 7th, 2009, 22:08
none Writefile return 0 as well as dwWritten 0 Status of CreateFile 0...
Im gonna figure it out..doing
Code:


run wordpad "C:\Windows\System32\Sin32.exeEBUG_STREAM"

to check dbg output is better then just debugger output capturing..or creating a new text file on disk..
WriteFile Fails at 0 ...thats only error..
FrankRizzo
August 7th, 2009, 22:15
Check the # of bytes you are telling it to write. Maybe it's set to 0!
BanMe
August 7th, 2009, 22:19
its 29 o0?

but this works!!
Code:


wchar_t NativePath[255] = {0};

wchar_t *wString = {0};

IO_STATUS_BLOCK IOSB = {0};

LARGE_INTEGER li = {0}

NTSTATUS Status = 0;

ULONG dwWritten = 0;

	__asm

	{

		xor eax,eax

		add eax,0x30

		mov eax,fs:[eax]

		mov eax,[eax+0x10]

		add eax,0x38

		mov eax,[eax][UNICODE_STRING.Buffer]

		push eax

		pop wString

	}

	//wcscpy((wchar_t*)&NativePath,L"\\??\\";

	wcscat((wchar_t*)&NativePath,wString);

	wcscat((wchar_t*)&NativePath,L"EBUG_STREAM";

	RtlInitUnicodeString(&Unicode,(PCWSTR)&NativePath);

	InitializeObjectAttributes(&oa,&Unicode,OBJ_OPENIF|OBJ_KERNEL_HANDLE,0,0);

	li.QuadPart = 0x4096;

	li.LowPart = 0x4096;

	li.u.LowPart = 0x4096;

	//Status = NtCreateFile(&Reusable,GENERIC_READ | GENERIC_WRITE,&oa,&IOSB,&li,FILE_ATTRIBUTE_NORMAL,FILE_SHARE_WRITE,FILE_OVERWRITE,FILE_WRITE_THROUGH|FILE_NO_INTERMEDIATE_BUF FERING,0,0);

	Reusable = CreateFileW((LPCWSTR)&NativePath,GENERIC_WRITE,FILE_SHARE_WRITE,NULL,OPEN_ALWAYS,0,NULL );

	Recycler = WriteFile(Reusable,"This is Sin32EBUG_STREAM\r\n",31,&dwWritten,0);

	FlushFileBuffers(Reusable);

	CloseHandle(Reusable);

}


if x86 and xp (I need vista peb to make it work on vista) you can throw that code into a dll and inject it and upon DLL_THREAD_ATTACH call this function..then open the 'file stream' by using wordpad as show above..but I want it to work with NtCreatefile and NtWriteFile so ive got the base now to build and work with it..


regards BanMe
drizz
August 8th, 2009, 20:54
Hi,

I think you mixed up incompatible flags for NtCreateFile.
btw, why arent you using the lovely NDK by Alex Ionescu?

here is my sample:
Code:
#if defined(__INTEL_COMPILER)

#pragma message("conversion does not require any typecast"

#endif

#define UNICODE

#include <wchar.h>

#define WINVER 0x0501		// Windows 5.1

#define _WIN32_WINNT 0x0501	//

#define WIN32_LEAN_AND_MEAN	//

#define WIN32_NO_STATUS		// Tell Windows headers you'll use ntstatus from NDK 

#include <windows.h>		// Declare Windows Headers like you normally would

#define NTOS_MODE_USER

#include <ntndk.h>			// Declare the NDK Headers http://code.google.com/p/native-nt-toolkit/

#include <strsafe.h>



NtStatusMsg(NTSTATUS dwStatus);



DWORD wmain (DWORD argc, WCHAR *argv[])

{

	UNICODE_STRING us;

	WCHAR path[MAX_PATH];

	PEB *peb=NtCurrentPeb();

	OBJECT_ATTRIBUTES oa;

	IO_STATUS_BLOCK iosb;

	HANDLE hFile;

	WCHAR Stream[1024];



	StringCbPrintf(&path,MAX_PATH,L"\\??\\%sEBUG_STREAM",\

		peb->ProcessParameters->ImagePathName.Buffer);

	

	RtlInitUnicodeString(&us,&path);

	

	_putws(us.Buffer);

	

	InitializeObjectAttributes(&oa,&us,OBJ_CASE_INSENSITIVE|OBJ_OPENIF|OBJ_KERNEL_HANDLE,0,0);

	

	RtlZeroMemory(&Stream,sizeof(Stream));

	StringCchCopy(&Stream,sizeof(Stream),L"Hello World!";



	signed register Status;

	

	Status = NtCreateFile(&hFile,GENERIC_READ|GENERIC_WRITE|SYNCHRONIZE,\

			&oa,&iosb,0,FILE_ATTRIBUTE_NORMAL,FILE_SHARE_READ,\

			FILE_OPEN_IF,FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE,0,0);

	if ( NT_SUCCESS(Status))

	{

		if ( iosb.Information == FILE_CREATED )

		{

			Status = NtWriteFile(hFile,0,0,0,&iosb,&Stream,sizeof(Stream),0,0);

			NtStatusMsg(Status);

		}

		else if ( iosb.Information == FILE_OPENED ) 

		{

			RtlZeroMemory(&Stream,sizeof(Stream));

			Status = NtReadFile(hFile,0,0,0,&iosb,&Stream,sizeof(Stream),0,0);

			if (NT_SUCCESS(Status))

				_putws(&Stream);

			else

				NtStatusMsg(Status);

		}

		NtClose(hFile);

	}

	else

		NtStatusMsg(Status);



	RtlFreeUnicodeString(&us);

	return getwchar();

}



NtStatusMsg(NTSTATUS dwStatus)

{

	DWORD doserr = RtlNtStatusToDosError(dwStatus);

	WORD *pbuff;

	FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER|FORMAT_MESSAGE_FROM_SYSTEM,0,doserr,0,&pbuff,0x400-1,0);

	_putws(pbuff);

	LocalFree(pbuff);

}
BanMe
August 8th, 2009, 21:32
most excellent work Drizz..I made it to where it was 'writing squares' to the file.. I tried to use the NDK by aionescu, but I really dont like Frameworks, and it gave me horrible amounts of errors to ferret out..thanks very much for the help I was reading everything I could find about NtCreateFile's flags, it just wasnt coming together properly..and yay for a reliable Debug Output Framework without external file.. !!

regards BanMe
drizz
August 8th, 2009, 21:58
For me it was the opposite, I had a bunch of ntdll.h files laying around and neither one was complete enough, I even started putting together my own, it was horrible to use them in projects... and then I discovered NDK
Yes i did have to change some stuff for "NTOS_MODE_USER" usage and add some files, but that was easy..

cheers