[Delphi] 640bit Ring3 Rootkit keeps crashing

Forum for discussion about user-mode development.
SysVolt
Posts: 2
Joined: Sat May 16, 2015 6:49 pm

[Delphi] 640bit Ring3 Rootkit keeps crashing

Post by SysVolt » Sun Jun 14, 2015 11:40 pm

Hey guys, could you help me out here.
The following procedure is crashing my PC, meaning it is crashing all the processes it is injected into.

Code:

Procedure SetHook();
var
  Bytes: SIZE_T;
begin
  // Resolve the export to be hooked in the current process
  PtrZwq  := GetProcAddress(GetModuleHandle('ntdll.dll'),
                            'ZwQuerySystemInformation');
  // Save the original prologue bytes (INVALID_HANDLE_VALUE is (HANDLE)-1, the current-process pseudo handle)
  ReadProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @OldZwq, SizeOf(OldCode), Bytes);
  // Build a 'push imm32 ; ret' stub; $68/$C3 are the x86 encodings and the immediate is only 32 bits wide
  JmpZwq.PuhsOp  := $68; 
  JmpZwq.PushArg := @NewZwQuerySystemInformation;
  JmpZwq.RetOp   := $C3; 
  ShowMessage('Puhs Value = '+IntToStr(JmpZwq.PuhsOp));
  ShowMessage('Ret Value = '+IntToStr(JmpZwq.RetOp));
  // Overwrite the function prologue with the stub
  WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @JmpZwq, SizeOf(far_jmp), Bytes);
end;
I think it's the offsets, $68 and $C3, they are from the 32bit version, which works fine, but how could I convert them to 64bit offsets? I hope I am clear enough. Comment if you need to see more code. Thanks
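From the defender's side, the thing to notice about the SetHook() above is that it leaves a fingerprint: the first bytes of ntdll!ZwQuerySystemInformation no longer match the pristine function. The following is an added example written for this thread, not code from the original poster or any tool mentioned here. It compares a function prologue as mapped in memory against a known-good reference copy (on a live system that would be the same bytes read from the DLL file on disk), flags any mismatch, and additionally recognises the exact 'push imm32 ; ret' stub ($68 ... $C3) the posted code writes. All byte strings below are constructed for the example; the clean prologue and the hook address are not taken from any real ntdll build.

```python
"""
Added example (not from the thread): user-mode inline hook detection for the
'push imm32 ; ret' stub written by the SetHook() procedure posted above.
Runs offline on constructed byte strings.
"""
import struct

PUSH_IMM32 = 0x68   # opcode of the stub's first byte, as in the posted code
RET = 0xC3          # opcode of the stub's last byte, as in the posted code
PROLOGUE_LEN = 8    # bytes compared; the stub itself is 6 bytes long


def classify_prologue(live: bytes, reference: bytes) -> dict:
    """Compare the first PROLOGUE_LEN bytes of a function as it sits in memory
    (live) with a known-good copy (reference) and return a small report."""
    live = live[:PROLOGUE_LEN]
    reference = reference[:PROLOGUE_LEN]
    report = {"hooked": live != reference, "pattern": None, "target": None}
    if not report["hooked"]:
        return report
    # The stub from the thread is exactly: 68 <imm32> C3
    if len(live) >= 6 and live[0] == PUSH_IMM32 and live[5] == RET:
        report["pattern"] = "push imm32 / ret"
        # push imm32 carries only a 32-bit value, so on x64 the recovered
        # target is at best the low half of an address (which is also why the
        # x86 stub cannot simply be reused on x64)
        report["target"] = struct.unpack_from("<I", live, 1)[0]
    else:
        report["pattern"] = "unknown modification"
    return report


def scan(functions: dict, reference: dict) -> list:
    """Run classify_prologue over {name: live_bytes} and return the entries
    whose prologue differs from the reference table."""
    findings = []
    for name, live in functions.items():
        r = classify_prologue(live, reference[name])
        if r["hooked"]:
            findings.append((name, r["pattern"], r["target"]))
    return findings


# Constructed sample data: a clean prologue and the same function after
# SetHook() has written its 6-byte stub over it.
CLEAN_ZWQSI = bytes.fromhex("4c8bd1b836000000f604250803fe7f01")
HOOK_ADDR = 0x00401234  # hypothetical address of NewZwQuerySystemInformation
HOOKED_ZWQSI = (bytes([PUSH_IMM32]) + struct.pack("<I", HOOK_ADDR)
                + bytes([RET]) + CLEAN_ZWQSI[6:])

CLEAN_ZWCLOSE = bytes.fromhex("4c8bd1b80f000000")  # constructed, untouched

REFERENCE = {"ZwQuerySystemInformation": CLEAN_ZWQSI, "ZwClose": CLEAN_ZWCLOSE}
LIVE = {"ZwQuerySystemInformation": HOOKED_ZWQSI, "ZwClose": CLEAN_ZWCLOSE}

if __name__ == "__main__":
    for name, pattern, target in scan(LIVE, REFERENCE):
        where = f", stub target 0x{target:08x}" if target is not None else ""
        print(f"{name}: prologue modified ({pattern}{where})")
```

The comparison against a pristine copy is what does the real work: it catches any overwrite of the prologue regardless of which instruction sequence was used, while the pattern match only adds a label for the specific stub seen in this thread.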

Microwave89
Posts: 52
Joined: Sat Dec 01, 2012 11:28 am

Re: [Delphi] 640bit Ring3 Rootkit keeps crashing

Post by Microwave89 » Tue Jun 16, 2015 6:06 pm

Although I don't know Delphi:

Did you just copy-paste the x86 source into your x64 source?
If yes, this won't ever work, the instructions and also the underlying Native API architecture are somewhat different.

Have you ever looked at the ntdll!ZwQuerySystemInformation function, you intend to hook?
Additionally, why are you using ReadProcessMemory/WriteProcessMemory if you're already running in the context of the target process?
If this is the injected code it is already running in another process, and a simple dereference will work...

It would be quite helpful if you posted your complete code which is to be injected.

By the way, we aren't even using 128 bit systems, so your title is wrong ;)


Best Regards

Microwave89

t4L
Global Moderator
Posts: 139
Joined: Tue Mar 09, 2010 5:44 pm

Re: [Delphi] 640bit Ring3 Rootkit keeps crashing

Post by t4L » Tue Jun 16, 2015 7:25 pm

You need to install Delphi 2020.

TETYYSs
Posts: 98
Joined: Fri Jun 28, 2013 6:51 pm

Re: [Delphi] 640bit Ring3 Rootkit keeps crashing

Post by TETYYSs » Wed Jun 17, 2015 3:38 pm

Why are you reading memory of process with handle INVALID_HANDLE_VALUE?

EP_X0FF
Global Moderator
Posts: 4860
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: [Delphi] 640bit Ring3 Rootkit keeps crashing

Post by EP_X0FF » Wed Jun 17, 2015 3:42 pm

TETYYSs wrote:Why are you reading memory of process with handle INVALID_HANDLE_VALUE?
Because it is the same (HANDLE)-1 as the pseudo handle from GetCurrentProcess. Anyway the above code is completely awful and the given information is incomplete.
Ring0 - the source of inspiration

SysVolt
Posts: 2
Joined: Sat May 16, 2015 6:49 pm

Re: [Delphi] 640bit Ring3 Rootkit keeps crashing

Post by SysVolt » Wed Jun 17, 2015 4:09 pm

Microwave89 wrote:Although I don't know Delphi:

Did you just copy-paste the x86 source into your x64 source?
If yes, this won't ever work, the instructions and also the underlying Native API architecture are somewhat different.

Have you ever looked at the ntdll!ZwQuerySystemInformation function, you intend to hook?
Additionally, why are you using ReadProcessMemory/WriteProcessMemory if you're already running in the context of the target process?
If this is the injected code it is already running in another process, and a simple dereference will work...

It would be quite helpful if you posted your complete code which is to be injected.

By the way, we aren't even using 128 bit systems, so your title is wrong ;)


Best Regards

Microwave89
Short answer, yes. I threw in a bunch of code hoping the compiler would do all the hard work, however an old friend helped me and my problem is solved. However, I would like to know if you have any tutorials or references you would recommend for me, I am still kind of a noob at this. Again, thanks for your time.

TETYYSs
Posts: 98
Joined: Fri Jun 28, 2013 6:51 pm

Re: [Delphi] 640bit Ring3 Rootkit keeps crashing

Post by TETYYSs » Wed Jun 17, 2015 10:26 pm

EP_X0FF wrote:
TETYYSs wrote:Why are you reading memory of process with handle INVALID_HANDLE_VALUE?
Because it is the same (HANDLE)-1 as the pseudo handle from GetCurrentProcess. Anyway the above code is completely awful and the given information is incomplete.
oh yeah. well, it would be the same if I would put in HAL_MCE_INTERRUPTS_BASED there.

Brock
Posts: 209
Joined: Wed Apr 28, 2010 3:13 am
Location: Valparaiso, Florida USA

Re: [Delphi] 640bit Ring3 Rootkit keeps crashing

Post by Brock » Tue Jul 14, 2015 9:16 pm

Minimum Delphi version to produce 64-bit code is XE2 unless you want to use the Lazarus compiler which supported 64-bit compilation before Delphi did. Why care about a 64-bit Delphi userland rootkit anyhow? This attempt reminds me of AFX Rootkit from 2003 days which was pure trash, don't bother with this crap
Accept nothing less than STATUS_SUCCESS
