BanMe
February 11th, 2011, 12:40
I want to just overwrite a string in ntdll and it gets all bitchy at me.. So I decided to smack it with a mallet, so to speak.. This has an issue with NtProtectVirtualMemory currently but all is due in time..
seh.inc file 'hmm I fixed it for you..'?
updated code..
regards BanMe

Code:
.486
.model flat,stdcall
option casemap:none
code SEGMENT DWORD flat PUBLIC 'text'
Scstart:
assume fs:nothing
push 006c006fh ;- 8 ;first two WCHARs the target string must start with
mov esi,dword ptr fs:[30h] ;PEB
add esi,20h;RtlEnterCriticalSection
lodsd
and eax,0ffff0000h;get ntdll's base;clear off the extra
mov esi,[eax+170h];read reloc offset from PE (data directory, assumes e_lfanew = 0D0h)
mov ebx,[eax+174h];read reloc size from PE
push eax ;- 4
add esi,eax
next_section: ;one IMAGE_BASE_RELOCATION block per page
lodsd ;VirtualAddress of the page
mov edx,eax
lodsd ;SizeOfBlock
sub ebx,eax
sub eax,8h ;bytes of WORD entries that follow the 8-byte block header
mov ecx,eax
find_data:
lodsw ;entry: type in the high 4 bits, page offset in the low 12
and eax,0fffh
pop edi ;get base address
add eax,edi
add eax,edx ;base + VirtualAddress + offset = address of a relocated slot
push edi
push esi
test eax,edi
jl next_entry
mov esi, dword ptr [eax] ;pointer stored in that slot
cmp esi,edi;that should fix it Indy??
jl next_entry
mov edi,dword ptr [esp+8h]
cmp dword ptr [esi],edi ;does the pointed-to data start with the pushed dword?
je NtProtect_Module
next_entry:
pop esi
sub ecx,2
cmp ecx,2
jne find_data
add esi,2
jmp next_section
end_this:
mov eax,1
ret
NtProtect_Module:
mov edx,[esp+4h]
push esi
mov edi,edx
mov ecx,[edx+14ch] ;export directory size
add edx,[edx+148h] ;export directory RVA
add edx,ecx ;scan starts right after the export directory
mov esi,edx
xor eax,eax
find_NtProtect:
lodsw
cmp eax,089b8h ;bytes b8 89 .. (mov eax,imm32)
jne find_NtProtect
sub esi,2
push ebp
push esp
sub esp,10h ;build the NtProtectVirtualMemory argument block on the stack
mov dword ptr [esp],-1
mov dword ptr [ebp],edi
mov dword ptr [esp+4],ebp
mov dword ptr [ebp+4],0b2000h
add ebp,4
mov dword ptr [esp+8h],ebp
mov dword ptr [esp+0Ch],4h
add ebp,4
xor eax,eax
mov dword ptr [ebp],eax
mov [esp+10h],ebp
call esi
test eax,eax
jnz end_this
mov edi,[esp+4h]
pop esp
pop ebp
write_string: ;overwrite the located string, two WCHARs per stosd
push 00730077h
pop eax
stosd
push 005f0032h
pop eax
stosd
push 00320033h
pop eax
stosd
push 0064002eh
pop eax
stosd
push 006C006Ch
pop eax
stosd
ret
end Scstart
code ENDS
regards BanMe
Quote:
NX SEH (promotion of the SEH chain outside the modules). In UM, setting the flag MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE does not succeed because of the established flag MEM_EXECUTE_OPTION_PERMANENT. In KM, these options are not used. Possible ways:
- Load a system module without its initialization and zero the exception directory and the handler table in the load configuration directory of the module. Code is placed in the data section of this module and the attribute E is set for the section (region).
- Manual SEH promotion. In UM through VEH. In KM by KD (puts severe restrictions), bugcheck (private), or any other suitable mechanism. This requires the use of a graph to check the occurrence of IP in the protected code described by the graph.
- Dynamic copying of procedures in place within the module. Also requires rebuilding the graph for an arbitrary implementation of the protected code.
- In UM, trace the exceptions via VEH before entering the service NtQueryInformationProcess (ProcessExecuteFlags) and checking MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE.
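The next_section/find_data loop in BanMe's assembly above walks the PE base relocation directory by hand; the same directory is what a loader rebases and what an integrity checker has to skip when diffing in-memory ntdll against the on-disk copy. The Python below is an added example, not BanMe's code, that parses IMAGE_BASE_RELOCATION blocks over a constructed 32-bit image and lists the relocated slots whose value points back inside the image; IMAGE_BASE, SAMPLE_IMAGE and the function names are mine.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0  # padding entry used to keep SizeOfBlock DWORD-aligned
IMAGE_REL_BASED_HIGHLOW = 3   # 32-bit absolute address that the loader rebases

def parse_base_relocations(reloc_dir):
    """Walk IMAGE_BASE_RELOCATION blocks; return [(rva, type)] for real entries."""
    entries = []
    pos, end = 0, len(reloc_dir)
    while pos + 8 <= end:
        # 8-byte block header: VirtualAddress of the page, SizeOfBlock incl. header
        page_rva, size_of_block = struct.unpack_from("<II", reloc_dir, pos)
        if size_of_block < 8 or size_of_block & 1 or pos + size_of_block > end:
            raise ValueError("malformed IMAGE_BASE_RELOCATION block at +0x%x" % pos)
        count = (size_of_block - 8) // 2
        for word in struct.unpack_from("<%dH" % count, reloc_dir, pos + 8):
            rtype, offset = word >> 12, word & 0xFFF  # type:4, page offset:12
            if rtype != IMAGE_REL_BASED_ABSOLUTE:
                entries.append((page_rva + offset, rtype))
        pos += size_of_block
    return entries

def relocated_pointers_into_image(image, image_base, reloc_dir):
    """Return [(slot_rva, target_va)] for HIGHLOW slots whose value lies inside the image."""
    hits = []
    for rva, rtype in parse_base_relocations(reloc_dir):
        if rtype != IMAGE_REL_BASED_HIGHLOW or rva + 4 > len(image):
            continue
        value = struct.unpack_from("<I", image, rva)[0]
        if image_base <= value < image_base + len(image):
            hits.append((rva, value))
    return hits

# Constructed sample (not a real module): a 3-page image mapped at IMAGE_BASE
# with two relocated slots in page 0x1000, one pointing in, one pointing out.
IMAGE_BASE = 0x10000000
SAMPLE_IMAGE = bytearray(0x3000)
struct.pack_into("<I", SAMPLE_IMAGE, 0x1010, IMAGE_BASE + 0x2000)  # points into the image
struct.pack_into("<I", SAMPLE_IMAGE, 0x1020, 0x41414141)           # points elsewhere
SAMPLE_RELOC_DIR = struct.pack("<II4H", 0x1000, 16,
                               (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010,
                               (IMAGE_REL_BASED_HIGHLOW << 12) | 0x020,
                               0, 0)  # two ABSOLUTE pads round the block to 16 bytes

if __name__ == "__main__":
    for slot, target in relocated_pointers_into_image(SAMPLE_IMAGE, IMAGE_BASE, SAMPLE_RELOC_DIR):
        print("slot RVA 0x%05x -> 0x%08x" % (slot, target))
```

Real modules have one block per page that contains pointers, so on ntdll this loop runs over hundreds of blocks; the size checks are what keep a truncated or corrupted directory from reading past its end.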