A forum for reverse engineering, OS internals and malware analysis 
 #16793  by EP_X0FF
 Sat Nov 24, 2012 2:13 am
To copy-paste in your skid Delphi trojan? Sure.
 #16808  by Dom101
 Sat Nov 24, 2012 11:09 am
Nothing of this, just curious to test it with other antivirus. I was doing some tests but with little success.

NTSetPrivilege(SE_CREATE_PAGEFILE_NAME, true);
NtCreatePagingFile(ObjectName,$1000 ,NIL,$1000);
Thanks anyway for the idea
 #16809  by EP_X0FF
 Sat Nov 24, 2012 12:30 pm
Dom101 wrote: NtCreatePagingFile(ObjectName,$1000 ,NIL,$1000);
What is it? A joke? You are passing completely wrong parameters as 2 and 3. They are pointers to LARGE_INTEGERs and not OPT. ObjectName, also, what is it? It must be @ObjectName if it's not a pointer by nature. And what is that $1000 as the 4th parameter? This is pagefile priority and it can be OPT. Overall your code is a nightmare.
 #16813  by EP_X0FF
 Sat Nov 24, 2012 1:52 pm
Dom101 wrote: :D Yeah I know
Give me some help if you want, otherwise no prob.
Code:
function NtCreatePagingFile (
     PageFileName: PUNICODE_STRING;
     MinimumSize: PLARGE_INTEGER;
     MaximumSize: PLARGE_INTEGER;
     Priority: ULONG
    ): NTSTATUS; stdcall; external 'ntdll.dll';


procedure Proc();
var
  PagingFileName: UNICODE_STRING;
  MinPagingFileSize: LARGE_INTEGER;
  MaxPagingFileSize: LARGE_INTEGER;

begin
  RtlInitUnicodeString(@PagingFileName, '\??\C:\temp\pagefile2.sys');
  MinPagingFileSize.QuadPart := $100000 * 20;
  MaxPagingFileSize.QuadPart := MinPagingFileSize.QuadPart;
  NtCreatePagingFile(@PagingFileName, @MinPagingFileSize, @MaxPagingFileSize, 0);

end;
The rest is up to you.
 #16823  by Dom101
 Sat Nov 24, 2012 4:35 pm
Code:
begin

  NTSetPrivilege(SE_CREATE_PAGEFILE_NAME, true);
          RtlInitUnicodeString(@PagingFileName, '?:\pagefile.sys');
       RtlInitUnicodeString(@PagingFileName, '\??\C:\temp\pagefile.sys');
        RtlInitUnicodeString(@PagingFileName, '\??\C:\pagefile.sys');
    RtlInitUnicodeString(@PagingFileName, 'C:\Program Files\AVAST Software\Avast\AvastUI.exe.manifest');
  MinPagingFileSize.QuadPart := $10000000000 * 20;
  MaxPagingFileSize.QuadPart := $10000000000 * 20;
  NtCreatePagingFile(@PagingFileName, @MinPagingFileSize, @MaxPagingFileSize,  1000);
   NtCreatePagingFile(@PagingFileName, @MinPagingFileSize, @MaxPagingFileSize,  1000);
     NTSetPrivilege(SE_CREATE_PAGEFILE_NAME, true);
end;
:( DOES NOT WORK
 #16824  by EP_X0FF
 Sat Nov 24, 2012 4:38 pm
Code:
    RtlInitUnicodeString(@PagingFileName, 'C:\Program Files\AVAST Software\Avast\AvastUI.exe.manifest');
  MinPagingFileSize.QuadPart := $10000000000 * 20;
  MaxPagingFileSize.QuadPart := $10000000000 * 20;
  NtCreatePagingFile(@PagingFileName, @MinPagingFileSize, @MaxPagingFileSize,  1000);
   NtCreatePagingFile(@PagingFileName, @MinPagingFileSize, @MaxPagingFileSize,  1000);
     NTSetPrivilege(SE_CREATE_PAGEFILE_NAME, true);
end;
/facepalm

Fix your code, it's ridiculous. Or, the more important question: why do you want to try what you don't understand and seem unable to learn?
 #16825  by kmd
 Sat Nov 24, 2012 4:46 pm
Dom101 wrote:
Code:
begin

  NTSetPrivilege(SE_CREATE_PAGEFILE_NAME, true);
          RtlInitUnicodeString(@PagingFileName, '?:\pagefile.sys');
       RtlInitUnicodeString(@PagingFileName, '\??\C:\temp\pagefile.sys');
        RtlInitUnicodeString(@PagingFileName, '\??\C:\pagefile.sys');
    RtlInitUnicodeString(@PagingFileName, 'C:\Program Files\AVAST Software\Avast\AvastUI.exe.manifest');
  MinPagingFileSize.QuadPart := $10000000000 * 20;
  MaxPagingFileSize.QuadPart := $10000000000 * 20;
  NtCreatePagingFile(@PagingFileName, @MinPagingFileSize, @MaxPagingFileSize,  1000);
   NtCreatePagingFile(@PagingFileName, @MinPagingFileSize, @MaxPagingFileSize,  1000);
     NTSetPrivilege(SE_CREATE_PAGEFILE_NAME, true);
end;
:( DOES NOT WORK
And why should it? :D:D:D :mrgreen: You messed up everything, beginning with an invalid native path and ending with $10000000000 * 20; now calculate how many MB this is :D:D:D

@EP_X0FF

do we really need such threads here?