Post #1 by pedraosilv (Guest, joined 2013 Jan)

[HELP] Recover SSDT win xp > win 7 vb6

    Google Translate:

    Good day, I am studying how to restore SSDT hooks, such as the ones made by Xtrap, for example "ZwOpenProcess" and "ZwReadVirtualMemory". Then I realized that on Windows XP I can find the hooked addresses, but on Win 7 32-bit it only finds the addresses of the original functions; it cannot read the hooked addresses, maybe because of the difference between the Windows XP service packs and Win 7 32-bit. Below is a piece of code I am studying in Visual Basic 6, because I got the source here in [DELPHI]UnhookSDT, but it fails in reading the kernel.

    Code to get the SSDT:

    ' Assumes the following are declared at module level elsewhere in the project (not shown in
    ' the post): dwServices, dwKernelBase, dwKiServiceTable, Address1(), Address2(), ModuleName(),
    ' FuncName(), plus the API declares, the PE header types and the helper functions.
    Public Sub GetSSDT(ByVal lst As ListView)
    On Error Resume Next
        Dim i As Long, j As Long, Length As Long, Buff() As Byte, pKernelName As Long, hKernel As Long
        Dim dwKSDT As Long, pService As Long, DosHeader As IMAGE_DOS_HEADER, NtHeader As IMAGE_NT_HEADER
        dwServices = 0
        ' Enumerate the loaded kernel modules; the first entry is the kernel image itself
        ZwQuerySystemInformation SystemModuleInformation, 0, 0, VarPtr(Length)
        ReDim Buff(Length - 1)
        ZwQuerySystemInformation SystemModuleInformation, VarPtr(Buff(0)), Length, 0
        With ModuleInformationFromPtr(VarPtr(Buff(4)))
            dwKernelBase = .Base
            pKernelName = VarPtr(.ImageName(0)) + .ModuleNameOffset
        End With
        ' Map the kernel file from disk as data and locate KiServiceTable inside it
        hKernel = LoadLibraryEx(pKernelName, 0, DONT_RESOLVE_DLL_REFERENCES)
        dwKSDT = GetProcAddress(hKernel, "KeServiceDescriptorTable")
        Assert dwKSDT <> 0
        dwKSDT = dwKSDT - hKernel
        dwKiServiceTable = FindKiServiceTable(hKernel, dwKSDT)
        Assert dwKiServiceTable <> 0
        ' Sanity-check the PE headers and pick up ImageBase / SizeOfImage
        CopyMemory VarPtr(DosHeader), hKernel, 64
        With DosHeader
            Assert .e_magic = &H5A4D
            CopyMemory VarPtr(NtHeader), hKernel + .e_lfanew, 168
        End With
        With NtHeader
            Assert .Signature = &H4550
            Assert .Magic = &H10B
        End With
        ' Address1: original addresses, relocated from the on-disk image to the runtime kernel base.
        ' The table ends at the first value that does not point inside the kernel image.
        pService = hKernel + dwKiServiceTable
        Do While DwordFromPtr(pService) - NtHeader.ImageBase < NtHeader.SizeOfImage
            Address1(dwServices) = DwordFromPtr(pService) - NtHeader.ImageBase + dwKernelBase
            pService = pService + 4
            dwServices = dwServices + 1
        Loop
        FreeLibrary hKernel
        ' Address2: the live table read from kernel memory. SysDbgReadVirtualMemory is not serviced
        ' from user mode on Windows Vista and later, which is why Address2 stays empty on Win 7.
        Dim QueryBuff As MEMORY_CHUNKS, ReturnLength As Long
        With QueryBuff
            .Address = dwKernelBase + dwKiServiceTable
            .pData = VarPtr(Address2(0))
            .Length = dwServices * 4
        End With
        ZwSystemDebugControl SysDbgReadVirtualMemory, VarPtr(QueryBuff), 12, 0, 0, VarPtr(ReturnLength)
        ' Attribute each live entry to the loaded module whose range contains it (284 = entry size)
        Length = DwordFromPtr(VarPtr(Buff(0)))
        For i = 0 To Length - 1
            With ModuleInformationFromPtr(VarPtr(Buff(i * 284 + 4)))
                For j = 0 To dwServices - 1
                    If Address2(j) >= .Base And Address2(j) < .Base + .Size Then
                        ModuleName(j) = StringFromPtr(VarPtr(.ImageName(0)))
                    End If
                Next j
            End With
        Next i
        ' Fill the list: black where the live entry matches the original, red where it differs (hooked)
        Dim c As OLE_COLOR
        With lst.ListItems
            For i = 0 To dwServices - 1
            'RecoverSSDT i - 1
                If Address1(i) = Address2(i) Then
                    c = vbBlack
                Else
                    c = vbRed
                End If
                With .Add(, , "0x" & AddZero(Hex(i), 4))
                    .ForeColor = c
                    With .ListSubItems
                        .Add(, , FuncName(i)).ForeColor = c
                        .Add(, , "0x" & AddZero(Hex(Address1(i)), 8)).ForeColor = c
                        .Add(, , "0x" & AddZero(Hex(Address2(i)), 8)).ForeColor = c
                        .Add(, , ModuleName(i)).ForeColor = c
                    End With
                End With
            Next i
        End With
    End Sub
    Can someone help me read the hooked addresses in Win 7 32-bit?

    [Screenshot: result of execution on Win 7 32-bit]
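As an added example (not the poster's code and not from the UnhookSDT project), the OS-independent part of GetSSDT written in plain C over constructed tables so it runs offline: on-disk entries are relocated with VA - ImageBase + KernelBase, the table end is found the way the Do While loop finds it, each slot is compared with the live table, and the live value is attributed to a module. The ZwSystemDebugControl read that fails on Win 7 is not reproduced; all addresses, module names and table values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* A loaded module's range as SystemModuleInformation reports it (values constructed here). */
typedef struct { const char *name; uint32_t base, size; } module_range_t;
/* Verdict for one service table slot. */
typedef struct { uint32_t expected, live; int hooked; const char *owner; } ssdt_entry_t;

/* Entry count of the on-disk KiServiceTable: like the page's Do While loop, stop at the
 * first value that does not point inside the image (VA - ImageBase >= SizeOfImage). */
size_t ssdt_count(const uint32_t *disk, size_t max, uint32_t image_base, uint32_t size_of_image) {
    size_t n = 0;
    while (n < max && disk[n] - image_base < size_of_image) n++;
    return n;
}

/* Attribute an address to the module whose [base, base+size) range contains it. */
const char *owner_of(uint32_t addr, const module_range_t *mods, size_t nmods) {
    for (size_t i = 0; i < nmods; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size) return mods[i].name;
    return "unknown";
}

/* Relocate each on-disk entry to the runtime kernel base (VA - ImageBase + KernelBase, as in
 * the page's Address1 computation) and compare with the live table; a differing slot is hooked.
 * Returns the number of hooked slots. */
size_t ssdt_compare(const uint32_t *disk, const uint32_t *live, size_t n, uint32_t image_base,
                    uint32_t runtime_base, const module_range_t *mods, size_t nmods, ssdt_entry_t *out) {
    size_t hooked = 0;
    for (size_t i = 0; i < n; i++) {
        out[i].expected = disk[i] - image_base + runtime_base;
        out[i].live = live[i];
        out[i].hooked = out[i].live != out[i].expected;
        out[i].owner = owner_of(out[i].live, mods, nmods);  /* which module the live slot points into */
        hooked += out[i].hooked;
    }
    return hooked;
}

/* Constructed sample: a 4-entry table, kernel loaded at 0x82800000, slot 2 redirected into a
 * hypothetical driver. Fills out[0..3] and returns the hook count (1). */
size_t demo_run(ssdt_entry_t *out) {
    const uint32_t image_base = 0x00400000, size_of_image = 0x00410000, runtime_base = 0x82800000;
    const uint32_t disk[] = { 0x0040A000, 0x0040B100, 0x0040C200, 0x0040D300, 0xFFFFFFFF };
    const uint32_t live[] = { 0x8280A000, 0x8280B100, 0x9A123456, 0x8280D300 };
    const module_range_t mods[] = { { "ntoskrnl.exe", runtime_base, size_of_image },
                                    { "example_hook.sys", 0x9A120000, 0x8000 } };
    size_t n = ssdt_count(disk, 5, image_base, size_of_image);  /* 4: the sentinel ends the table */
    return ssdt_compare(disk, live, n, image_base, runtime_base, mods, 2, out);
}
```

A slot whose live value points outside ntoskrnl.exe (owner "unknown" or another driver) is the same condition the ListView shows in red.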
