A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #8241  by jstar
 Tue Aug 23, 2011 2:30 pm
Time to read stuff I guess lol. No for-sure good docs on it?

Edit: has to be userland.
 #8244  by jstar
 Tue Aug 23, 2011 3:04 pm
It's still going to call it.

RPM -> Zw -> SYSENTER -> NtReadVirtualMemory
 #8247  by EP_X0FF
 Tue Aug 23, 2011 3:56 pm
Launch the process in a suspended state and use an APC with pointers to LoadLibrary and the address of any located string that is acceptable as a dll name (for example ernel32.dll) to load your dll inside, then resume the process. This method works without NtWriteVirtualMemory or creating remote threads.
 #8264  by Brock
 Thu Aug 25, 2011 7:42 am
@JStar

You have been given a lot of answers; if your professor disagrees he is setting you up for failure given such strict and unreasonable usermode requirements. APC injection without remote thread creation or memory allocated in a foreign process is as perfect as it gets to load an executable module of your choosing. Can you post the requirements so anyone here can solve it without "violating" said rules? If he wants a documented "GUI" concept perhaps SetWindowsHook(Ex)??? More details of the project implementation would be needed. Are you talking memory-based code alteration? If not, have you considered altering the PE on disk directly to perform your own executed code? I think you need to share the project criteria or the rules will not be clear.
 #8269  by r2nwcnydc
 Thu Aug 25, 2011 1:36 pm
If you can do this on an XP machine, you could try reading physical memory directly (\Device\PhysicalMemory). http://www.vrtulex.net/download/ostatni ... evkmem.txt

Does the exe have to be running to retrieve the data? If he gives you the exe, static analysis on the binary seems more appropriate.
You also said the data is continuously updated. If it is updated via an algorithm inside of the binary, then static analysis would allow you to determine the value. If it is updated via the web you could use a sniffer to get the information you want. If it is updated via a file, then just read the file...
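As an added illustration of the static-analysis route suggested above (this is example code, not from the original thread or any poster), the block below builds a constructed, minimal PE image in memory, walks its DOS header, PE signature, COFF header and section table, and reports where a given byte string sits in the file and at which RVA. The image, the section name and the embedded strings are all made up for the example; the parser itself follows the standard PE layout and rejects sections whose raw data points outside the file.

```python
import struct

# Constructed minimal PE image (not a real binary): DOS header, PE signature,
# COFF header declaring no optional header, one section table entry, one data section.
# Real executables always carry an optional header; the parser skips whatever
# size the COFF header declares, so it handles both cases.
def build_sample_pe() -> bytes:
    section_data = b"student_id=123456\0key=0xDEADBEEF\0".ljust(64, b"\0")  # constructed
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header starts at offset 64
    # Machine=i386, NumberOfSections=1, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
    # NumberOfLinenumbers, Characteristics (readable, initialized data)
    section = struct.pack("<8sIIIIIIHHI", b".rdata", len(section_data), 0x1000,
                          len(section_data), 128, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + section
    assert len(headers) == 128  # section data begins right after the headers
    return headers + section_data


def parse_sections(image: bytes) -> list:
    """Return the section table of a PE image as a list of dicts."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff_off)
    sec_off = coff_off + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, vaddr, rawsize, rawptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", image, sec_off + i * 40)
        if rawptr + rawsize > len(image):
            raise ValueError(f"section {name!r} points outside the file")
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "raw_offset": rawptr,
            "raw_size": rawsize,
        })
    return sections


def find_string(image: bytes, needle: bytes) -> list:
    """Locate every occurrence of needle in section data.

    Returns (section name, file offset, RVA) tuples; the RVA is what you would
    look for in a disassembler or a memory dump of the loaded module.
    """
    hits = []
    for s in parse_sections(image):
        data = image[s["raw_offset"]:s["raw_offset"] + s["raw_size"]]
        pos = data.find(needle)
        while pos != -1:
            hits.append((s["name"], s["raw_offset"] + pos, s["virtual_address"] + pos))
            pos = data.find(needle, pos + 1)
    return hits


if __name__ == "__main__":
    pe = build_sample_pe()
    for sec in parse_sections(pe):
        print(sec)
    for name, off, rva in find_string(pe, b"student_id="):
        print(f"{name}: file offset {off:#x}, RVA {rva:#x}")
```

The same `find_string` call works on a real file read with `open(path, "rb").read()`; the point of the example is that once the offset-to-RVA mapping is known, a value baked into the binary can be located without the process ever running.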
 #8272  by jstar
 Thu Aug 25, 2011 4:18 pm
Wow, I love this forum. Such helpful people.

The criteria are:

1) He sends us a .rar file to our emails just before with a password.
2) We get to class and he tells us the password and we extract the .exe.
3) We must retrieve information relating to our student number.
4) Cannot touch NtReadVirtualMemory. I'm assuming he's doing kernel modification hooks on it.
5) He also reviews our code afterwards to make sure we followed the stuff above and below.

The retrieving must be done by:
1) Usermode.
2) Not injecting. And by not injecting, that also means shellcode, anything relating to touching the software.
3) As 2 says, it must be completely external.

As for the physical memory, I've already looked into it. Pretty confusing and can't be done in our time frame; besides, it's not usermode.

Also, guys, he said in class it's not as hard as you may think it is and he used the stupid cliche "think outside the box".

Thanks a million!

jstar
 #8273  by EP_X0FF
 Thu Aug 25, 2011 4:24 pm
Without looking at the software this is playing a CrystalBox game. No soft - no variants.