
    [Asm] Usermode tricks for calling WriteProcessMemory

    Usermode tricks for calling WriteProcessMemory
    This information is nothing new, but I think it's very interesting nonetheless. Given the prevalence of hooks (detours, hotpatches, IAT hooks) in today's scene, it is becoming more important to understand how to circumvent these rudimentary attempts at slowing us down.

    Hooks have been spoken about ad nauseam here at zonehacks, so I won't explain what they are or how to use them... this is all assumed knowledge (and if you're still uncertain, just browse over Specific's articles). Besides, this article is not about hooks per se, but rather about how to call a function without executing the modified (hooked) line(s) of code.

    And so, I present some usermode tricks for invoking/calling WriteProcessMemory when WriteProcessMemory is hooked:

    kernel32.WriteProcessMemory Trampoline
    USAGE:
    ; -------------------------------------------------------------------
    ; kernel32.WriteProcessMemory, entered 5 bytes past its first byte.
    ; Convention: stdcall; five dword arguments pushed right-to-left
    ; (usage below); the callee pops them, so nothing is cleaned here.
    ; The stub resolves the real kernel32.WriteProcessMemory through this
    ; module's own import slot, replays the target's first three
    ; instructions (mov edi,edi / push ebp / mov ebp,esp = 5 bytes) and
    ; jumps to target+5, so whatever sits in those 5 bytes is never run.
    ; NOTE(review): relies on the loaded kernel32 starting WriteProcessMemory
    ; with exactly that 5-byte prologue -- confirm per build; a different
    ; prologue would leave the stack/ebp inconsistent.  From a detection
    ; standpoint this only avoids an inline patch on the export's first
    ; bytes: ntdll-level hooks and kernel-side telemetry still observe it.
    ; Clobbers: eax, ebp (as the target itself would), flags.
    ; -------------------------------------------------------------------
    push lpNumberOfBytesWritten ;out
     push nSize 
    ;in
     push lpBuffer 
    ;in
     push lpBaseAddress 
    ;in
     push hProcess 
    ;in
     CALL 
    @WriteProcessMemoryTrampoline 
     @WriteProcessMemoryTrampoline:  
    ; NOTE(review): presumably the symbol resolves to this module's import
    ; thunk (jmp dword ptr [__imp_...], opcode FF 25 + 4-byte slot address),
    ; which is why the slot address is read from offset +2 -- verify in the
    ; linker output.
    mov eax, WriteProcessMemory ; IAT
    mov eax, [eax+2] ; .idata
    mov eax, [eax] ; kernel32.WriteProcessMemory
    add eax, 5 ; kernel32.WriteProcessMemory+5
    ; Replay of the bytes being skipped (2 + 1 + 2 = 5 bytes).
    mov edi, edi ; emulate first instruction
    push ebp ; emulate second instruction
    mov ebp, esp ; emulate third instruction
    jmp eax ; JMP to kernel32.WriteProcessMemory+5


    ntdll.ZwWriteVirtualMemory Trampoline (LoadLibrary/GetProcAddress)
    USAGE:
    ; -------------------------------------------------------------------
    ; ntdll.ZwWriteVirtualMemory, entered 5 bytes past its first byte.
    ; Convention: stdcall; five dword arguments pushed right-to-left
    ; (usage below).  The stub locates the export at run time via
    ; LoadLibrary/GetProcAddress, replays the 5-byte first instruction
    ; (mov eax, <service index>) and jumps to export+5; the caller's
    ; frame is left untouched, so the ntdll stub's own return cleans it.
    ; NOTE(review): 115h is the system service index the author hard-codes;
    ; service indices differ between Windows releases and service packs,
    ; so this value is build-specific -- confirm for the target build.
    ; NOTE(review): ebx is callee-saved under the Win32 ABI and is not
    ; preserved here -- confirm the caller does not rely on it.
    ; From a detection standpoint this skips only an inline patch on the
    ; first bytes of the ntdll export; kernel-side telemetry still sees it.
    ; Clobbers: eax, ebx, ecx, edx (via the API calls), flags.
    ; -------------------------------------------------------------------
     push lpNumberOfBytesWritten ;out
     push nSize 
    ;in
     push lpBuffer 
    ;in
     push lpBaseAddress 
    ;in
     push hProcess 
    ;in
     CALL 
    @ZwWriteVirtualMemoryTrampoline 
     @ZwWriteVirtualMemoryTrampoline:  
    ; Skip over the inline string constants; @F = next anonymous label.
    jmp @F
    pszModule db "ntdll.dll", 0
    pszFunc db "ZwWriteVirtualMemory", 0
    @@:
    push offset pszModule
    call LoadLibrary
    push offset pszFunc
    push eax
    call GetProcAddress
    mov ebx, eax
    add ebx, 05h ; ntdll.ZwWriteVirtualMemory+5
    ; Replay of the skipped 5-byte instruction (B8 imm32).
    mov eax, 115h ; emulate first instruction
    jmp ebx ; JMP to ntdll.ZwWriteVirtualMemory+5


    ZwWriteProcessMemory via Syscall
    USAGE:
<pre>
    ; -------------------------------------------------------------------
    ; Direct system call through the shared-user-data system-call stub.
    ; Convention: stdcall; five dword arguments pushed right-to-left
    ; (usage below).  The stub builds its own frame, copies the five
    ; arguments, loads the service index into eax and calls the stub
    ; whose address lives at 7FFE0300h (KUSER_SHARED_DATA.SystemCall on
    ; 32-bit Windows), then tears the frame down and returns.
    ; NOTE(review): 115h is the service index the author hard-codes; it is
    ; build-specific -- confirm for the target Windows build.
    ; NOTE(review): the usage pushes five dwords (14h bytes) while this
    ; stub returns with retn 18h, unlike the 14h used by the variants
    ; below -- confirm which frame size the caller expects.
    ; From a detection standpoint no user-mode export is executed at all,
    ; which is why endpoint monitoring relies on kernel-side callbacks
    ; and ETW rather than user-mode hooks alone.
    ; Clobbers: eax, edx (and ecx via the syscall path), flags.
    ; -------------------------------------------------------------------
     push lpNumberOfBytesWritten ;out
     push nSize 
    ;in
     push lpBuffer 
    ;in
     push lpBaseAddress 
    ;in
     push hProcess 
    ;in
     CALL 
    @ZwWPMSysCall 
     @ZwWPMSysCall:  
    push ebp
    mov ebp, esp
    ; Re-push the caller's five arguments ([ebp+8] = hProcess ... [ebp+18h]
    ; = lpNumberOfBytesWritten) in the same right-to-left order.
    push [ebp+18h]
    push [ebp+14h]
    push [ebp+10h]
    push [ebp+0ch]
    push [ebp+8h]
    mov eax, 115h
    mov edx, 7FFE0300h
    call dword ptr [edx]
    leave
    retn 18h
</pre>


    ZwWriteProcessMemory via KiFastSystemCall
    USAGE:
    ; -------------------------------------------------------------------
    ; Direct system call through ntdll!KiFastSystemCall, resolved at run
    ; time with LoadLibrary/GetProcAddress instead of the fixed address
    ; used by the previous variant.
    ; Convention: stdcall; five dword arguments pushed right-to-left
    ; (usage below).  The stub builds its own frame, copies the five
    ; arguments, loads the service index into eax and calls the resolved
    ; stub, then tears the frame down and returns with retn 14h.
    ; NOTE(review): 115h is the service index the author hard-codes; it is
    ; build-specific -- confirm for the target Windows build.
    ; NOTE(review): ebx is callee-saved under the Win32 ABI and is not
    ; preserved here -- confirm the caller does not rely on it.
    ; From a detection standpoint the ntdll export for the service is
    ; never executed; kernel-side callbacks/ETW still observe the write.
    ; Clobbers: eax, ebx, ecx, edx, flags.
    ; -------------------------------------------------------------------
    push lpNumberOfBytesWritten ;out
     push nSize 
    ;in
     push lpBuffer 
    ;in
     push lpBaseAddress 
    ;in
     push hProcess 
    ;in
     CALL 
    @WPM_KiFastSystemCall 
     @WPM_KiFastSystemCall:  
    push ebp
    mov ebp, esp
    ; Skip over the inline string constants; @F = next anonymous label.
    jmp @F
    pszModule db "ntdll.dll", 0
    pszFunction db "KiFastSystemCall", 0
    @@:
    push offset pszModule
    call LoadLibrary
    push offset pszFunction
    push eax
    call GetProcAddress
    mov ebx, eax
    ; Re-push the caller's five arguments ([ebp+8] = hProcess ... [ebp+18h]
    ; = lpNumberOfBytesWritten) in the same right-to-left order.
    push [ebp+18h]
    push [ebp+14h]
    push [ebp+10h]
    push [ebp+0ch]
    push [ebp+8h]
    mov eax, 115h
    call ebx
    leave
    retn 14h


    ZwWriteVirtualMemory via SYSENTER / Int 2E
    USAGE:
    ; -------------------------------------------------------------------
    ; Direct system call through the legacy int 2Eh gate, with no ntdll
    ; code involved at all.
    ; Convention: stdcall; five dword arguments pushed right-to-left
    ; (usage below).  The stub builds its own frame, copies the five
    ; arguments, calls a local @stub that sets eax to the service index
    ; and edx to the stack pointer before raising int 2Eh, then tears the
    ; frame down and returns with retn 014h.
    ; NOTE(review): despite the heading, the code uses int 2Eh, not
    ; SYSENTER.  0115h is the service index the author hard-codes; it is
    ; build-specific -- confirm for the target Windows build.
    ; NOTE(review): the int 2Eh path reads its argument block relative to
    ; edx -- confirm the expected layout for the target build.
    ; From a detection standpoint no user-mode export is executed; only
    ; kernel-side telemetry (callbacks, ETW) observes the write.
    ; Clobbers: eax, edx (and ecx via the syscall path), flags.
    ; -------------------------------------------------------------------
     push lpNumberOfBytesWritten ;out
     push nSize 
    ;in
     push lpBuffer 
    ;in
     push lpBaseAddress 
    ;in
     push hProcess 
    ;in
     CALL 
    @WPM_sysenter 
     @WPM_sysenter:  
    push ebp
    mov ebp, esp
    ; Re-push the caller's five arguments ([ebp+8] = hProcess ... [ebp+18h]
    ; = lpNumberOfBytesWritten) in the same right-to-left order.
    push [ebp+18h]
    push [ebp+14h]
    push [ebp+10h]
    push [ebp+0ch]
    push [ebp+8h]
    call @stub
    leave
    retn 014h

    ; Service-call helper: eax = service index, edx = argument pointer.
    @stub:
    mov eax, 0115h
    mov edx, esp
    int 02Eh
    ret

    Author: Ksbunker
    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep world in equilibrium
