

SystemProcessesAndThreadsInformation

'---------------------------------------------------------------------------------------
' Module    : mProcessInformation
' Author    : Karcrack
' Now       : 26/08/2010 15:00
' Purpose   : Native Process Enumeration
' History   : 26/08/2010 First cut .........................................................
'---------------------------------------------------------------------------------------

Option Explicit
Option Base 0

' One enumerated process as returned by RetrieveProcesses: the image name taken from
' SYSTEM_PROCESS_INFORMATION.ImageName and the PID from UniqueProcessId.
Public Type PROCESS
    sName           As String
    lPID            As Long
End Type

'NTDLL
' NtQuerySystemInformation: fills SystemInformation with the record set selected by
' SystemInformationClass. Returns an NTSTATUS (negative on failure; RetrieveProcesses
' tests lRet < 0) and stores the byte count needed/used in ReturnLength.
Private Declare Function NtQuerySystemInformation Lib "NTDLL" (ByVal SystemInformationClass As Long, ByRef SystemInformation As Any, ByVal SystemInformationLength As Long, ByRef ReturnLength As Long) As Long
' RtlMoveMemory: raw memcpy; used here to read through pointers (ByVal address as Source).
Private Declare Sub RtlMoveMemory Lib "NTDLL" (ByRef Destination As Any, ByRef Source As Any, ByVal Length As Long)

' Information class 5 = SystemProcessInformation: variable-sized records chained by
' NextEntryOffset (first DWORD of each record).
Private Const SystemProcessesAndThreadsInformation  As Long = 5&
' NTSTATUS reported while the caller's buffer is still too small; drives the grow loop.
Private Const STATUS_INFO_LENGTH_MISMATCH           As Long = &HC0000004

'---------------------------------------------------------------------------------------
' Procedure : RetrieveProcesses
' Purpose   : Enumerate running processes through NtQuerySystemInformation
'             (SystemProcessInformation) instead of Toolhelp/PSAPI.
' Returns   : Array of PROCESS (name + PID), lower bound 0.
'             On a failing NTSTATUS the function exits without assigning its result, so
'             the caller gets an unallocated array and UBound() on it raises error 9.
' Notes     : The 32-bit SYSTEM_PROCESS_INFORMATION record is copied into an 18-DWORD
'             scratch array: index 0 = NextEntryOffset, 15 = ImageName.Buffer,
'             17 = UniqueProcessId. NextEntryOffset = 0 marks the last record.
'---------------------------------------------------------------------------------------
Public Function RetrieveProcesses() As PROCESS()
    Const SPI_IMAGENAME_BUF As Long = 15            'UNICODE_STRING.Buffer of ImageName
    Const SPI_PID           As Long = 17            'UniqueProcessId
    Dim lvRecord(17)        As Long                 'first 18 DWORDs of a SYSTEM_PROCESS_INFORMATION
    Dim tvOut()             As PROCESS
    Dim bvRaw()             As Byte
    Dim lRawLen             As Long
    Dim lStatus             As Long
    Dim lNeeded             As Long
    Dim lCursor             As Long
    Dim lCount              As Long

    ' Grow the buffer geometrically until the kernel stops reporting a length mismatch.
    lRawLen = 1
    Do
        lRawLen = lRawLen * 2
        ReDim bvRaw(lRawLen)
        lStatus = NtQuerySystemInformation(SystemProcessesAndThreadsInformation, bvRaw(0), lRawLen, lNeeded)
    Loop While lStatus = STATUS_INFO_LENGTH_MISMATCH

    ' Any other failing NTSTATUS: leave the result unassigned (see header).
    If lStatus < 0 Then Exit Function

    ReDim tvOut(0)
    lCount = 0
    lCursor = VarPtr(bvRaw(0))

    Do
        Call RtlMoveMemory(lvRecord(0), ByVal lCursor, 18 * 4)
        ' Grow the output only from the second record on, so UBound = count - 1.
        If lCount > 0 Then ReDim Preserve tvOut(lCount)
        tvOut(lCount).lPID = lvRecord(SPI_PID)
        tvOut(lCount).sName = ReadUStr(lvRecord(SPI_IMAGENAME_BUF))
        lCount = lCount + 1
        ' Advance by NextEntryOffset; 0 means this was the last record.
        lCursor = lCursor + lvRecord(0)
        If lvRecord(0) = 0 Then Exit Do
    Loop

    RetrieveProcesses = tvOut
End Function

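'---------------------------------------------------------------------------------------
' Procedure : ReadUStr
' Purpose   : Copy a NUL-terminated UTF-16 string out of in-process memory.
' Params    : lPtr - address of the first WCHAR. 0 means "no string" (the Idle process
'             has a NULL ImageName.Buffer) and yields "".
' Returns   : The characters up to, not including, the first 0 code unit.
' Fix       : The original tested lPtr > 0, which treats any address at or above
'             &H80000000 (negative when stored in a signed Long) as NULL and silently
'             returns "". A pointer held in a Long must be compared against 0 only.
' Notes     : The scan is unbounded past lPtr; only pass pointers to strings known to be
'             NUL-terminated (NtQuerySystemInformation's ImageName buffers are).
'---------------------------------------------------------------------------------------
Private Function ReadUStr(ByVal lPtr As Long) As String
    Dim lCursor             As Long
    Dim iCodeUnit           As Integer
    Dim sOut                As String

    If lPtr = 0 Then Exit Function

    lCursor = lPtr
    Do
        Call RtlMoveMemory(iCodeUnit, ByVal lCursor, &H2)
        If iCodeUnit = 0 Then Exit Do
        sOut = sOut & ChrW$(iCodeUnit)
        lCursor = lCursor + 2
    Loop
    ReadUStr = sOut
End Function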

Sample call:

' Sample caller: print PID and image name of every enumerated process.
' RetrieveProcesses leaves its result unallocated when the native call fails, in which
' case the UBound() below raises error 9 (subscript out of range).
Private Sub Form_Load()
    Dim tvProcs()   As PROCESS
    Dim lIdx        As Long

    tvProcs = RetrieveProcesses

    For lIdx = LBound(tvProcs) To UBound(tvProcs)
        With tvProcs(lIdx)
            Debug.Print .lPID, "->", .sName
        End With
    Next lIdx
End Sub

GetProcessTimes Alternative

Option Explicit

' Mirrors the native KERNEL_USER_TIMES structure returned by the ProcessTimes class.
' Each field is a LARGE_INTEGER (8 bytes); Currency is used purely as an 8-byte slot,
' so the raw 64-bit value is the Currency value multiplied by 10000.
Public Type KERNEL_USER_TIMES
    liCreateTime            As Currency 'LARGE_INTEGER
    liExitTime              As Currency 'LARGE_INTEGER
    liKernelTime            As Currency 'LARGE_INTEGER
    liUserTime              As Currency 'LARGE_INTEGER
End Type

'NTDLL
' NtQueryInformationProcess: ProcessInformation is passed as a raw pointer (ByVal Long),
' ReturnLength ByRef so the caller may pass ByVal 0& for "not needed".
Private Declare Function NtQueryInformationProcess Lib "NTDLL" (ByVal ProcessHandle As Long, ByVal ProcessInformationClass As Long, ByVal ProcessInformation As Long, ByVal ProcessInformationLength As Long, ReturnLength As Long) As Long

' Information class 4 = ProcessTimes (fills a KERNEL_USER_TIMES).
Private Const ProcessTimes  As Long = &H4
' Pseudo-handle for the calling process; valid for any ProcessHandle parameter.
Public Const CurrentProcess As Long = -1

'---------------------------------------------------------------------------------------
' Procedure : GetProcessTimes
' Author    : Karcrack
' Date      : 290710
' Purpose   : Get some Process Time Info... like when it was created...
' Params    : hProc - process handle (CurrentProcess = -1 is the pseudo-handle)
' Returns   : KERNEL_USER_TIMES filled from the ProcessTimes class (4). The NTSTATUS is
'             not checked, so on failure (e.g. insufficient handle rights) all four
'             fields are simply 0 - indistinguishable from a genuine zero time.
'---------------------------------------------------------------------------------------
'
Public Function GetProcessTimes(ByVal hProc As Long) As KERNEL_USER_TIMES
    Dim tTimes      As KERNEL_USER_TIMES

    ' LenB(tTimes) = &H20 bytes: four 8-byte LARGE_INTEGERs. ReturnLength is not wanted.
    Call NtQueryInformationProcess(hProc, ProcessTimes, VarPtr(tTimes), LenB(tTimes), ByVal 0&)
    GetProcessTimes = tTimes
End Function

Remote process Environment Variables

A simple module to read Environment Variables from a remote process. Tested on XP and 7.

'---------------------------------------------------------------------------------------
' Module      : mRemoteGetEnviron
' DateTime    : 23/02/2010 21:29
' Author      : Cobein
' Mail        : cobein27@hotmail.com
' WebPage     : http://www.advancevb.com.ar
' Purpose     : Read remote process environment variables.
' Usage       : At your own risk
' Requirements: None
' Distribution: You can freely use this code in your own
'               applications, but you may not reproduce
'               or publish this code on any web site,
'               online service, or distribute as source
'               on any media without express permission.
'
' Reference   : http://www.codeproject.com/KB/threads/ReadProcEnv.aspx
'
' History     : 23/02/2010 First Cut....................................................
'---------------------------------------------------------------------------------------
Option Explicit

' OpenProcess access rights: query basic info (for the PEB address) and read memory.
Private Const PROCESS_QUERY_INFORMATION As Long = &H400
Private Const PROCESS_VM_READ           As Long = 16&

' Output of NtQueryInformationProcess class 0 (ProcessBasicInformation), 32-bit layout.
' Only PEBBaseAddress is consumed here (see GetPEB).
Public Type PROCESS_BASIC_INFORMATION
    ExitStatus                      As Long
    PEBBaseAddress                  As Long
    AffinityMask                    As Long
    BasePriority                    As Long
    UniqueProcessId                 As Long
    InheritedFromUniqueProcessId    As Long
End Type

Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
' ProcessInformation is a raw pointer here (ByVal Long); callers pass VarPtr(...).
Private Declare Function NtQueryInformationProcess Lib "ntdll.dll" (ByVal ProcessHandle As Long, ByVal ProcessInformationClass As Long, ByVal ProcessInformation As Long, ByVal ProcessInformationLength As Long, ReturnLength As Long) As Long
' Last parameter is really the bytes-read count; the "Written" name is a misnomer. The
' return value is 0 on failure, which ReadEnviron relies on.
Private Declare Function ReadProcessMemory Lib "kernel32.dll" (ByVal hProcess As Long, ByRef lpBaseAddress As Any, ByRef lpBuffer As Any, ByVal nSize As Long, ByRef lpNumberOfBytesWritten As Long) As Long
' RtlAdjustPrivilege toggles a privilege by LUID on the process (or thread) token. It can
' only enable a privilege the token already holds; it does not grant new ones.
Private Declare Function RtlAdjustPrivilege Lib "ntdll" (ByVal Privilege As Long, ByVal bEnablePrivilege As Long, ByVal bCurrentThread As Long, ByRef OldState As Long) As Long

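'---------------------------------------------------------------------------------------
' Procedure : ReadEnviron
' Purpose   : Read the environment block of another process (32-bit layout:
'             PEB.ProcessParameters at +&H10, RTL_USER_PROCESS_PARAMETERS.Environment
'             at +&H48) and return one "NAME=value" String per entry.
' Params    : lPid - target process id
' Returns   : Collection of Strings. Empty when the PEB cannot be resolved, the process
'             cannot be opened for PROCESS_VM_READ, or either pointer read fails.
' Fixes     : - the walk started at offset 2, dropping the first character of the first
'               entry, and kept the terminating NUL on every entry;
'             - only the low byte of each UTF-16 code unit was read, garbling non-ASCII;
'             - an unchecked ReadProcessMemory failure mid-block re-used the stale byte
'               and looped forever. Every read is now checked; a failure ends the walk.
' Notes     : RtlAdjustPrivilege(20, ...) tries to enable SeDebugPrivilege, which only
'             works if the token already holds it; its result is deliberately ignored.
'---------------------------------------------------------------------------------------
Public Function ReadEnviron(ByVal lPid As Long) As Collection
    Dim lPtr            As Long
    Dim lProc           As Long
    Dim cData           As New Collection

    Set ReadEnviron = cData                         'every exit path returns a Collection

    Call RtlAdjustPrivilege(20, 1, 0, 0)

    lPtr = GetPEB(lPid)
    If lPtr = 0 Then Exit Function

    lProc = OpenProcess(PROCESS_VM_READ, 0, lPid)
    If lProc = 0 Then Exit Function

    If ReadProcessMemory(lProc, ByVal lPtr + &H10, lPtr, &H4, 0&) <> 0 Then 'RTL_USER_PROCESS_PARAMETERS
        If ReadProcessMemory(lProc, ByVal lPtr + &H48, lPtr, &H4, 0&) <> 0 Then 'environment variables block
            Call WalkEnvironBlock(lProc, lPtr, cData)
        End If
    End If

    Call CloseHandle(lProc)
End Function

' Walk a remote block of NUL-terminated UTF-16 strings ending in an empty string, starting
' at lBase in hProc, and add each complete entry to cOut. Stops at the empty string or at
' the first failed read; a partially read entry is discarded rather than added.
Private Sub WalkEnvironBlock(ByVal hProc As Long, ByVal lBase As Long, ByRef cOut As Collection)
    Dim iUnit           As Integer
    Dim sEntry          As String
    Dim lOffset         As Long

    Do
        If ReadProcessMemory(hProc, ByVal lBase + lOffset, iUnit, &H2, 0&) = 0 Then Exit Do
        If iUnit = 0 Then
            If LenB(sEntry) = 0 Then Exit Do        'second consecutive NUL = end of block
            cOut.Add sEntry
            sEntry = vbNullString
        Else
            sEntry = sEntry & ChrW$(iUnit)
        End If
        lOffset = lOffset + 2
    Loop
End Sub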

' Resolve the PEB base address of process lPid via ProcessBasicInformation (class 0).
' Returns 0 when the process cannot be opened with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
' or the query fails; the handle is closed on every path after a successful open.
Private Function GetPEB(ByVal lPid As Long) As Long
    Const ProcessBasicInformation As Long = 0
    Dim tInfo   As PROCESS_BASIC_INFORMATION
    Dim hProc   As Long
    Dim lLen    As Long

    hProc = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, lPid)
    If hProc = 0 Then Exit Function

    If NtQueryInformationProcess(hProc, ProcessBasicInformation, VarPtr(tInfo), Len(tInfo), lLen) = 0 Then
        GetPEB = tInfo.PEBBaseAddress
    End If
    Call CloseHandle(hProc)
End Function

HeapView

I was reading an interesting article from www.securityxploded.com about how to enumerate heaps using the native API and decided to translate it to VB. I was building a tool but, meh, I got lazy, so here it is. The tool is functional — not perfect or full of features, but functional.

heap

Heap View


NtDelayExecution – Native Sleep

'NTDLL
' NtDelayExecution(Alertable, Interval): Interval points at a LARGE_INTEGER; a negative
' value is a relative delay in 100ns units (NtSleep passes one). VB's Boolean is 2 bytes
' where the native BOOLEAN is 1, which is harmless for a stdcall argument on x86.
Private Declare Sub NtDelayExecution Lib "NTDLL" (ByVal Alertable As Boolean, ByRef Interval As Any)

' Native Sleep(): delays the calling thread lMs milliseconds via NtDelayExecution.
' Currency stores its value scaled by 10000, and 1 ms is exactly 10000 100ns ticks, so
' assigning -lMs to a Currency yields the negative (relative) LARGE_INTEGER the call
' expects. Non-alertable, so queued APCs do not end the wait early.
Private Sub NtSleep(ByVal lMs As Long)
    Dim cInterval   As Currency

    cInterval = -lMs
    Call NtDelayExecution(False, cInterval)
End Sub

[ANTI] ImSandBoxed, WindowFlags

Works fine with Sandboxie and Anubis

Option Explicit

'NTDLL
' RtlGetCurrentPeb: address of this process's PEB; no failure path.
Private Declare Function RtlGetCurrentPeb Lib "NTDLL" () As Long
' NtWriteVirtualMemory: copies NumberOfBytesToWrite bytes from pBuffer into BaseAddress of
' ProcessHandle. GetMemLng calls it on the pseudo-handle -1 as an in-process memory read.
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal ProcessHandle As Long, ByVal BaseAddress As Long, ByVal pBuffer As Long, ByVal NumberOfBytesToWrite As Long, ByRef NumberOfBytesWritten As Long) As Long

'---------------------------------------------------------------------------------------
' Procedure : ImSandBoxed
' Author    : Karcrack
' Date      : 23/09/2009
' Purpose   : Know if being SandBoxed... Anubis & Sandboxie
' Credits   : Cobein, He made the 1st version...
' Returns   : True when RTL_USER_PROCESS_PARAMETERS.WindowFlags <= 1 (author's
'             observation: 0 under Anubis, 1 under Sandboxie). This is a heuristic on a
'             field ordinary launchers also set, so false positives are expected; the
'             &H10 / &H68 offsets are the 32-bit PEB / process-parameters layout only.
'---------------------------------------------------------------------------------------
'
Public Function ImSandBoxed() As Boolean
    Const PEB_PROCESSPARAMETERS As Long = &H10      'PEB.ProcessParameters (was &H4 * 4)
    Const UPP_WINDOWFLAGS       As Long = &H68      'RTL_USER_PROCESS_PARAMETERS.WindowFlags (was &H4 * 26)
    Dim lParams     As Long
    Dim lFlags      As Long

    lParams = GetMemLng(RtlGetCurrentPeb() + PEB_PROCESSPARAMETERS)
    lFlags = GetMemLng(lParams + UPP_WINDOWFLAGS)
    ImSandBoxed = (lFlags <= 1)
End Function

' Read one Long from address lAddr in the current process. Rather than RtlMoveMemory it
' uses NtWriteVirtualMemory on the pseudo-handle -1 with a local as destination and lAddr
' as the source buffer. The status is not checked, so an unreadable address yields 0.
Private Function GetMemLng(ByVal lAddr As Long) As Long
    Dim lValue      As Long

    Call NtWriteVirtualMemory(-1, VarPtr(lValue), lAddr, &H4, ByVal 0&)
    GetMemLng = lValue
End Function

Based on Cobein’s Anti:

' Earlier variant (Cobein): the same WindowFlags heuristic read through GetStartupInfoW,
' whose dwFlags is the 12th DWORD (offset 44) of the 68-byte STARTUPINFOW.
' GetStartupInfoW is not declared in this listing; the caller's module must supply it.
Private Function IsSandboxed() As Boolean
    Const SI_DWFLAGS    As Long = 11                'dwFlags: '0 anubis '1 sandboxie (author)
    Dim lvStartup(0 To 16) As Long                  'STARTUPINFOW viewed as 17 DWORDs

    Call GetStartupInfoW(lvStartup(0))
    IsSandboxed = (lvStartup(SI_DWFLAGS) <= 1)
End Function

[NTDLL-NATIVE] GetLogicalDrives/GetLogicalDrivesStrings [ALTERNATIVE]

Option Explicit
'---------------------------------------------------------------------------------------
' Module    : mNativeGetDrives
' Author    : Karcrack
' Date      : 09/09/2009
' Purpose   : Alternative to GetLogicalDrives/GetLogicalDriveStrings/GetDriveType
'               using NATIVE APIs!!!!
' Thanks    : SkyWeb -> Tester =P
' ChangeLog :
'           - First release                                             090909
'           - Improved, now with structure and added NtGetDriveType     100909
'---------------------------------------------------------------------------------------

'NTDLL
' ProcessInformation is ByRef As Any so a UDT can be passed directly (unlike the ByVal
' pointer variant used by the other modules on this page). ReturnLength is ByRef so the
' callers below pass ByVal 0& to say "not needed".
Private Declare Function NtQueryInformationProcess Lib "NTDLL" (ByVal hProcess As Long, ByVal ProcessInformationClass As Long, ProcessInformation As Any, ByVal ProcessInformationLength As Long, ReturnLength As Long) As Long

' Result of information class 23 (ProcessDeviceMap). DriveMap is a bitmask with bit 0 = A:,
' and DriveType(n) holds the type of the (n-1)th drive letter, i.e. 1-based, 32 slots.
Private Type PROCESS_DEVICEMAP_INFORMATION
    DriveMap                As Long
    DriveType(1 To 32)      As Byte
End Type

Private Const ProcessDeviceMap = 23

' Native replacement for GetLogicalDrives: bit n set means drive letter n exists (A: = bit 0).
' Returns 0 when the ProcessDeviceMap query fails.
Public Function NtGetLogicalDrives() As Long
    Dim tMap        As PROCESS_DEVICEMAP_INFORMATION
    Dim lStatus     As Long

    lStatus = NtQueryInformationProcess(-1, ProcessDeviceMap, tMap, Len(tMap), ByVal 0&)
    If lStatus <> 0 Then Exit Function
    NtGetLogicalDrives = tMap.DriveMap
End Function

' Native replacement for GetLogicalDriveStrings: "A:\", "B:\", ... each followed by a
' single NUL, built from the NtGetLogicalDrives bitmask. Only bits 0-25 (A-Z) are
' considered; the result has no extra trailing NUL beyond the last entry's.
Public Function NtGetLogicalDrivesStrings() As String
    Dim lMask       As Long
    Dim lBit        As Long
    Dim sOut        As String

    lMask = NtGetLogicalDrives

    For lBit = 0 To 25
        If lMask And 2 ^ lBit Then
            sOut = sOut & Chr$(Asc("A") + lBit) & ":\" & Chr$(0)
        End If
    Next lBit

    NtGetLogicalDrivesStrings = sOut
End Function

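' Native replacement for GetDriveType: returns the DriveType byte for the drive whose
' letter is the first character of nDrive (case-insensitive, e.g. "c:\" or "C").
' Returns 0 for an empty string, a first character outside A..Z-range (index 0-31),
' or a failed ProcessDeviceMap query - note that 0 also equals the "unknown" drive type.
' Fix: the original raised error 5 on an empty nDrive (Asc of "") and error 9 for a first
' character below "A" (negative index into DriveType(1 To 32)); both now return 0.
Public Function NtGetDriveType(ByVal nDrive As String) As Long
    Dim tMap        As PROCESS_DEVICEMAP_INFORMATION
    Dim lIndex      As Long

    If LenB(nDrive) = 0 Then Exit Function
    lIndex = Asc(Left$(UCase$(nDrive), 1)) - Asc("A")
    If lIndex < 0 Or lIndex > 31 Then Exit Function

    If NtQueryInformationProcess(-1, ProcessDeviceMap, tMap, Len(tMap), ByVal 0&) = 0 Then
        NtGetDriveType = tMap.DriveType(lIndex + 1)   'DriveType is 1-based
    End If
End Function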

Attached a fully working sample ;)

mNativeGetDrives Sample

UPDATED


[NATIVE] Get Function Pointer [LdrLoadDLL - LdrGetProcedureAddress]

 Option Explicit

'NTDLL
' LdrLoadDll: native LoadLibrary. pWPathToFile and Flags are passed as 0 by NtLoadLibrary;
' the module name is a counted UNICODE_STRING and the module handle is returned ByRef.
Private Declare Function LdrLoadDll Lib "NTDLL" (ByVal pWPathToFile As Long, ByVal Flags As Long, ByRef pwModuleFileName As UNICODE_STRING, ByRef ModuleHandle As Long) As Long
' LdrGetProcedureAddress: native GetProcAddress. The native second parameter is a pointer
' to an ANSI_STRING (Length, MaximumLength, Buffer); this declare takes a ByRef Long and
' NtGetProcAddr passes VarPtr of a plain byte buffer through it.
' NOTE(review): with a ByRef Long the callee receives the address of a temporary holding
' the buffer pointer, not an ANSI_STRING - verify the sample actually resolves correctly.
Private Declare Function LdrGetProcedureAddress Lib "NTDLL" (ByVal ModuleHandle As Long, ByRef paFunctionName As Long, ByVal Ordinal As Integer, ByRef FunctionAddress As Long) As Long
' RtlInitUnicodeString: fills a UNICODE_STRING from a NUL-terminated wide string pointer.
Private Declare Sub RtlInitUnicodeString Lib "NTDLL" (DestinationString As Any, ByVal SourceString As Long)

' Counted wide string: lengths are in bytes, pBuffer is a pointer. Referenced by the
' LdrLoadDll declare above before it is defined, which VB6 permits at module scope.
Private Type UNICODE_STRING
    uLength         As Integer
    uMaximumLength  As Integer
    pBuffer         As Long
End Type

' Native LoadLibrary: wraps sName in a UNICODE_STRING (pointing at the VB string's own
' UTF-16 buffer, no copy) and asks LdrLoadDll for the module handle. The NTSTATUS is not
' checked, so a module that cannot be loaded yields 0.
Public Function NtLoadLibrary(ByVal sName As String) As Long
    Dim tPath       As UNICODE_STRING
    Dim hModule     As Long

    Call RtlInitUnicodeString(tPath, StrPtr(sName))
    Call LdrLoadDll(ByVal 0&, ByVal 0&, tPath, hModule)
    NtLoadLibrary = hModule
End Function

' Native GetProcAddress by name: narrows sProc to a NUL-terminated single-byte buffer and
' calls LdrGetProcedureAddress with ordinal 0. Returns 0 when the call does not set the
' address (status is not checked).
' NOTE(review): LdrGetProcedureAddress expects a pointer to an ANSI_STRING (Length,
' MaximumLength, Buffer); the declare used here is ByRef Long, so the callee receives the
' address of a temporary holding VarPtr(bvName(0)) rather than that structure. The author
' reports the sample working - verify before relying on it.
Public Function NtGetProcAddr(ByVal lModuleHandle As Long, ByVal sProc As String) As Long
    Dim lIdx        As Long
    Dim bvName()    As Byte
    Dim lAddr       As Long

    ' Len(sProc) + 1 bytes; the last stays 0 as terminator.
    ReDim bvName(0 To Len(sProc))
    For lIdx = 1 To Len(sProc)
        bvName(lIdx - 1) = Asc(Mid$(sProc, lIdx, 1))
    Next lIdx

    Call LdrGetProcedureAddress(lModuleHandle, VarPtr(bvName(0)), ByVal 0&, lAddr)
    NtGetProcAddr = lAddr
End Function

Sample:

 Option Explicit
'KERNEL32
' Win32 equivalents, used only so Form_Load can cross-check the native result.
Private Declare Function LoadLibrary Lib "KERNEL32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare Function GetProcAddress Lib "KERNEL32" (ByVal hModule As Long, ByVal lpProcName As String) As Long

' Sample: resolve ExitProcess through the native path and through LoadLibrary/GetProcAddress
' and show both addresses in hex; they should match.
Private Sub Form_Load()
    Dim sNative     As String
    Dim sWin32      As String

    sNative = Hex$(NtGetProcAddr(NtLoadLibrary("KERNEL32"), "ExitProcess"))
    sWin32 = Hex$(GetProcAddress(LoadLibrary("KERNEL32"), "ExitProcess"))
    MsgBox sNative & vbCrLf & sWin32
End Sub

DKOM Experiments Pt2

Unlinking our process. Just to test the writing capabilities and to make sure everything was working, the next step was to unlink our process — nothing special so far, but entertaining xD. I made a small change in the physical memory mod.

DKOM Experiments Pt2


DKOM Experiments Pt1

I've been working on this in my spare time (almost none lately) and just wanted to share it; it's nothing really useful so far, but nice for understanding some basic concepts.
I got a lot of examples from the Chinese community (thanks to everyone who provided them to me) that are really interesting, but sadly they are a maze of hardcoded values, so in order to understand this I've been trying to resolve it by using the API.
So far I figured out how to properly get the EPROCESS address… but I still have a lot of research to do.

Important: this was coded on XP and is only going to work on XP.

DKOM Experiments Pt1
