
Thread: Sorry it's taking so long on the next release of source..

  1. #1
    BanMe
    Join Date: Oct 2008
    Location: Farmington NH
    Posts: 510
    Blog Entries: 4

    Taking too long.. Updated..

    Currently restructuring a lot of the code to fix small bugs, revising my implementation approach to attain more dynamically generic methods..

    for instance:
    CallOutRecaptureRoutine's 2nd call bug fixed when the thread resumed in RecaptureThread..
    ie it resumed at LEAVE...for all you asm'ers out there..
    for all you less understanding it: the thread resumed at the part where it cleaned the registers it used before the function...that wasn't good..but I learned..as an option I thought of to fix that mess I was going to use a third event, to wait upon signal of the parameters being ready, and just after the Wait use
    Code:
    __asm
    {
        push CalloutRecaptureRoutine
        ret
    }
    just after the wait to ensure no registers were modified or stack cleaning happened.. but I didn't like 'all of' that idea..

    so I trudged on..almost arriving at 'not' implementing a recycler..
    as can be seen in this code..that was going to replace RecaptureThread..

    Code:
    void ReCreateThread()
    {
    	NTSTATUS Status = 0;
    	HANDLE Thread = INVALID_HANDLE_VALUE;
    	CLIENT_ID Cid = {0};
    	SIN32_HANDLE_TABLE_ENTRY *HandleEntry = {0};
    	Status = RtlCreateUserThread(NtCurrentProcess(),0,true,0,0x4096,0x4096,(PUSER_THREAD_START_ROUTINE)CallOutHandlerRoutine,0,&Thread,&Cid);
    	Native_GetCurrentEntry(HandleEntry);
    	Native_AddEntry((void*)NtCurrentTeb()->ProcessEnvironmentBlock->ProcessParameters->ShowWindowFlags,Thread,ObThread,ObTSuspended,HandleEntry);
    	Thread = Native_GetHandleTableHandle((void*)NtCurrentTeb()->ProcessEnvironmentBlock->ProcessParameters->ShowWindowFlags,ObThread,ObTRunning);
    	NtClose(Thread);
    	Native_DeleteEntry((void*)NtCurrentTeb()->ProcessEnvironmentBlock->ProcessParameters->ShowWindowFlags,ObThread,ObTRunning);
    	LoadedApi.RtlExitThread(0);
    }
    a sad sad day for me..but then things brightened..It might've been the laptop and the late night..But I put something together that hasn't been tested or fully implemented in the Dispatcher Routine yet... but it should fix the bugs and it also cleans up after itself...it's a beneficial evil I guess..I'm going to present the code here..with only comments..it prolly has bugs..as it could, but that's all the fun of it..isn't it?
    if you understood the original CallOutRecaptureRoutine this is no far step.. ;)

    here is the New CallOutRecaptureRoutine..
    Code:
    __declspec(naked)void CallOutRecaptureRoutine(void *FnPointer,void* ...)
    {
    	__asm
    	{
    		POP EBP//old stack address
    		CMP EBP,0//minor parameter validations..
    		JE Failed
    		POP EBX//GetReturnAddress
    		CMP EBX,0
    		JE Failed
    		POP EDX//GetCallSite
    		CMP EDX,0
    		JE Failed
    		POP ECX//GetNumberOfParameters..
    		JMP SetupJmpStack
    CleanupFakeStack://label spelling must match the JE in SetupJmpStack
    		POP EAX//GetHandleToHeap
    		CMP EAX,-1
    		JE Failed
    		PUSH EAX//push heap handle
    		PUSH 0//push 0 heapflags
    		POP ECX
    		PUSH ECX
    		//GetProcessHeap
    		ADD ECX,0x30
    		MOV EAX,FS:[ECX]
    		SUB ECX,0x1E
    		MOV EAX,[EAX+ECX]
    		PUSH EAX//push handle to heap
    		POP EDI//Does Return Value Matter
    		CALL RtlFreeHeap//Free the Heap used for stack..
    		XOR ECX,ECX
    		JMP CallInitReady
    SetupJmpStack:
    		CMP ECX,0//test if there
    		JE CleanupFakeStack
    		POP EAX//Get a Parameter
    		MOV ESI,ESP
    		MOV ESP,EBP
    		PUSH EAX//push the parameter onto real stack
    		PUSH ESI
    		DEC ECX//dec parameter counter
    		POP ESP
    		JMP SetupJmpStack
    CallInitReady:
    		PUSHAD
    		PUSH EBX
    		JMP EDX //;call the function in EDX
    		PUSH EAX
    		POPAD
    		CMP EDI,0
    		JE ReturnNotImportant
    		ADD ECX,0x18 //;add 0x18
    		MOV EAX,DWORD PTR FS:[ECX] //;NtCurrentTeb to ebx
    		//;return the value of call of call to a generally
    		//;read/writable area Teb.NtTib.ArbitraryUserPointer (offset 0x14; inline asm reads a bare 14 as decimal)
    		MOV DWORD PTR DS:[EBX+0x14],EAX
    ReturnNotImportant:
    		PUSH CallOutRecaptureRoutine
    		JMP RecaptureThread
    Failed:
    		ret
    	}
    }
    revised version here..
    Code:
    //see Indirect call thread on woodmann forums for further info..
    __declspec(naked)void CallOutRecaptureRoutine(void *FnPointer,void* ...)
    {
    	__asm
    	{	//Parameter_Entry..
    		//Threads ESP in [EAX]
    		//return address in [EAX+4]
    		//call site [EAX+8]
    		//number of params+3 [EAX+c]
    		PUSH ESP
    		XOR ECX,ECX
    		MOV EDX,[EAX]
    		CMP EDX,0
    		JE  Failed
    		MOV ESP,EDX
    		INC ECX
    		MOV EDX,[EAX+(ECX*4)]
    		MOV [ESP+(ECX*4)],EDX
    		INC ECX
    		MOV EDX,[EAX+(ECX*4)]
    		INC ECX
    		MOV EDI,[EAX+(ECX*4)]
    		CMP EDI,3
    		JE CallInitReady
    Increment:
    		INC ECX
    GetParameter:
    		MOV EBX,[EAX+(ECX*4)]
    		PUSH EBX
    		CMP EDI,ECX
    		JL Increment
    CallInitReady:
    		JMP EDX //;call the function in EDX
    		POP ESP
    		XOR ECX,ECX
    		ADD ECX,0x18 //;add 0x18
    		MOV EBX,DWORD PTR FS:[ECX] //;NtCurrentTeb to ebx
    		//;return the value of call of call to a generally
    		//;read/writable area Teb.NtTib.ArbitraryUserPointer (offset 0x14; inline asm reads a bare 14 as decimal)
    		MOV DWORD PTR DS:[EBX+0x14],EAX
    		PUSH CallOutRecaptureRoutine
    		JMP RecaptureThread
    Failed:
    		POP ESP
    		ret
    	}
    }
    fixed RtlIsValidIndexHandle bug..
    here's how I solved it, can't believe I missed this before.
    I kept the 'Force' Routines as backups..
    Quote, originally posted by Wine's developers:
    * NOTES
    * A valid handle must have the bit set as indicated in the code below
    * otherwise subsequent RtlIsValidHandle() calls will fail.
    *
    * static inline void RtlpMakeHandleAllocated(RTL_HANDLE * Handle)
    * {
    * ULONG_PTR *AllocatedBit = (ULONG_PTR *)(&Handle->Next);
    * *AllocatedBit = *AllocatedBit | 1;
    * }
    This obviously mangles RTL_HANDLE_TABLE_ENTRY.Next, and I'm not sure I like that..but there is no other way to do it :(
    I think my original way was better, but I am aiming for no bruteforcing unless absolutely necessary..
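    The allocated-bit trick in the quoted Wine note, as an added portable C model (not BanMe's code and not Wine's own implementation; the table size, entry layout and function names are constructed for this example). It shows what "mangles Next" means in practice: after allocation the first word of the entry is a stale free-list link with bit 0 set, so it must never be dereferenced without masking, and the validity check has to combine range, alignment and the bit so that a stale pointer to a freed slot is rejected:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of an RTL_HANDLE-style entry: the first word is the free-list link
   and, once the entry is handed out, bit 0 of that word is the "allocated" flag. */
typedef struct entry {
    struct entry *Next;   /* free-list link / allocated flag (bit 0) */
    void *Object;         /* payload slot, constructed for this example */
} ENTRY;

#define TABLE_SIZE 8      /* constructed size; real tables grow by committing pages */

typedef struct {
    ENTRY entries[TABLE_SIZE];
    ENTRY *FreeList;      /* head of the singly linked list of free entries */
} TABLE;

/* Thread every entry onto the free list; all Next words are clean (even) pointers. */
void table_init(TABLE *t)
{
    memset(t, 0, sizeof *t);
    for (size_t i = 0; i + 1 < TABLE_SIZE; i++)
        t->entries[i].Next = &t->entries[i + 1];
    t->entries[TABLE_SIZE - 1].Next = NULL;
    t->FreeList = &t->entries[0];
}

/* The Wine trick: set bit 0 of Next in place, deliberately mangling the link. */
static void mark_allocated(ENTRY *e)
{
    uintptr_t *allocated_bit = (uintptr_t *)&e->Next;
    *allocated_bit |= 1;
}

/* Pop an entry off the free list and flag it; returns NULL when the table is exhausted. */
ENTRY *table_alloc(TABLE *t, size_t *index)
{
    ENTRY *e = t->FreeList;
    if (e == NULL)
        return NULL;
    t->FreeList = e->Next;    /* read the link BEFORE it gets mangled */
    mark_allocated(e);        /* Next now holds (stale link | 1) */
    *index = (size_t)(e - t->entries);
    return e;
}

/* Validity = inside the table, on an entry boundary, and the allocated bit set. */
bool table_is_valid(const TABLE *t, const ENTRY *e)
{
    uintptr_t base = (uintptr_t)t->entries;
    uintptr_t end  = base + sizeof t->entries;
    uintptr_t p    = (uintptr_t)e;
    if (e == NULL || p < base || p >= end)
        return false;
    if ((p - base) % sizeof(ENTRY) != 0)
        return false;
    return ((uintptr_t)e->Next & 1) != 0;
}

/* Free rejects anything that does not validate, which also catches double frees. */
bool table_free(TABLE *t, ENTRY *e)
{
    if (!table_is_valid(t, e))
        return false;
    e->Object = NULL;
    e->Next = t->FreeList;    /* overwriting Next clears the flag bit */
    t->FreeList = e;
    return true;
}

/* True while Next carries the flag, i.e. while it is NOT a dereferenceable pointer. */
bool next_is_mangled(const ENTRY *e)
{
    return ((uintptr_t)e->Next & 1) != 0;
}

/* Count the free entries by walking the list; only safe because free entries have clean links. */
size_t table_free_count(const TABLE *t)
{
    size_t n = 0;
    for (const ENTRY *e = t->FreeList; e != NULL; e = e->Next)
        n++;
    return n;
}
```

    The walk in table_free_count is the reason the mangling matters: it follows Next only through free entries, whose links are clean, and an allocated entry is never on that list. Anything that walks Next across allocated entries, or that stores a real pointer in the first word after allocation, has to mask bit 0 first or it will fault on a misaligned pointer.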


    added a 'new' method for Debug Output, THANKS and Props to Drizz!!! I am using a file stream created by the 'host' process..
    In other words, while Sin32 is running it creates SIN32.exe:DEBUG_STREAM and uses that to write Debug Output to..I know this code is pretty specific to my project but here's the working release that can be easily adapted if you know what you're doing ;)(I guess if you're still reading this.. you're probably in the know..)

    Code:
    SIN32_HANDLE_TABLE_ENTRY *Init_Debug(void)
    {
    	wchar_t NativePath[MAX_PATH] = {0};
    	UNICODE_STRING Unicode = {0};
    	OBJECT_ATTRIBUTES oa = {0};
    	IO_STATUS_BLOCK IOSB = {0};
    	LARGE_INTEGER li = {0};
    	SIN32_HANDLE_TABLE_ENTRY *HandleEntry = 0;
    	ULONG HandleIndex = 0;
    	HANDLE hFile = INVALID_HANDLE_VALUE;
    	PEB *peb = NtCurrentPeb();
    	//NT path of our own image plus the named stream: \??\<ImagePathName>:DEBUG_STREAM
    	wcscpy(NativePath,L"\\??\\");
    	wcscat(NativePath,peb->ProcessParameters->ImagePathName.Buffer);
    	wcscat(NativePath,L":DEBUG_STREAM");
    	RtlInitUnicodeString(&Unicode,NativePath);
    	InitializeObjectAttributes(&oa,&Unicode,OBJ_CASE_INSENSITIVE|OBJ_OPENIF|OBJ_KERNEL_HANDLE,0,0);
    	if(NT_SUCCESS(NtCreateFile(&hFile,GENERIC_WRITE | SYNCHRONIZE,&oa,&IOSB,&li,FILE_ATTRIBUTE_NORMAL,FILE_SHARE_WRITE,FILE_OPEN_IF,FILE_WRITE_THROUGH|FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE,0,0)))
    	{
    		HandleEntry = (SIN32_HANDLE_TABLE_ENTRY*)RtlAllocateHandle((PRTL_HANDLE_TABLE)NtCurrentTeb()->ProcessEnvironmentBlock->ProcessParameters->ShowWindowFlags,&HandleIndex);
    		if(HandleEntry == 0)
    		{
    			NtClose(hFile);//no free table slot: don't leak the stream handle
    			return 0;
    		}
    		HandleEntry->Handle = hFile;
    		HandleEntry->HandleIndex = HandleIndex;
    		HandleEntry->HandleType = ObFile;
    		HandleEntry->HandleState = Ob_DbgStream;
    		return HandleEntry;
    	}
    	return HandleEntry;
    }
    __checkReturn bool Write_Debug(UNICODE_STRING *UniDbg,NTSTATUS DbgStatus)
    {
    	char Msg[MAX_PATH] = {0};
    	ANSI_STRING Ansi = {0};
    	NTSTATUS Status = 0;
    	IO_STATUS_BLOCK IOSB = {0};
    	HANDLE hFile = INVALID_HANDLE_VALUE;
    	PEB *peb = NtCurrentPeb();
    	RTL_HANDLE_TABLE *HandleTable = (RTL_HANDLE_TABLE*)peb->ProcessParameters->ShowWindowFlags;
    	if(HandleTable->SizeOfHandleTableEntry != sizeof(SIN32_HANDLE_TABLE_ENTRY))
    	{
    		return false;
    	}
    	hFile = Native_GetHandleTableHandle((void*)HandleTable,ObFile,Ob_DbgStream);
    	if(hFile != INVALID_HANDLE_VALUE)
    	{
    		if(NT_SUCCESS(RtlUnicodeStringToAnsiString(&Ansi,UniDbg,true)))
    		{
    			//text + up to 8 hex digits of status + "\r\n" + NUL must fit in Msg
    			if(Ansi.Length + 8 + 2 + 1 > sizeof(Msg))
    			{
    				RtlFreeAnsiString(&Ansi);
    				return false;
    			}
    			strcat(Msg,Ansi.Buffer);
    			_ultoa(DbgStatus,Msg + Ansi.Length,16);
    			strcat(Msg,"\r\n");
    			Status = NtWriteFile(hFile,0,0,0,&IOSB,(PVOID)Msg,(ULONG)strlen(Msg),0,0);
    			RtlFreeAnsiString(&Ansi);
    			return NT_SUCCESS(Status);
    		}
    	}
    	return false;
    }


    trying to develop multiple methods to separate the Initialization Routines that call LdrpCallInitRoutine so that I can handle each object by type..more on that in a blog post sometime.. :D

    toying some with ideas of building PE substructures in the memory of my shared section and writing them to identifiable locations within a preruntime PE, as hinted at by piotr..

    updated hkHook with hotpatch_uprnops and hotpatch_lwrnops, also still in the process of coding out some of the other things mentioned.. in the concepts thread..

    also people can look on my SkyDrive..for some stuff..might be newer..but not the newest source..I'm gonna update that too eventually..

    Seems to be a new bug sponsored by a recent security update to XPSP3 involving RtlCreateHeap..preventing me from calling RtlInitializeHandleTable properly..alternatives include VirtualMemory..File Mapped Sections..FileMappedStreams (a maybe on this one..still testing....)
    BanMe
    Last edited by BanMe; August 9th, 2009 at 21:58. Reason: added some 'ban'ter?

  2. #2
    BanMe
    Server Handle Table Layout ...so far...

    Handle Index# | HandleType      | HandleState      | HandleDescriptor | Description
    --------------+-----------------+------------------+------------------+------------------------------
    0             | OB_TYPE_FILE    | OB_STATE_AWAKE   | OB_SERVER_HANDLE | Debug File Stream Handle
    1             | OB_TYPE_EVENT   | OB_STATE_DORMANT | OB_SERVER_HANDLE | Comm Event
    2             | OB_TYPE_EVENT   | OB_STATE_AWAKE   | OB_SERVER_HANDLE | Sync Event
    3             | OB_TYPE_SECTION | OB_STATE_AWAKE   | OB_SERVER_HANDLE | Section Object
    4             | OB_TYPE_PORT    | OB_STATE_AWAKE   | OB_SERVER_HANDLE | Server Port For Listening
    5             | OB_TYPE_UNKNOWN | OB_STATE_AWAKE   | OB_CLIENT_DATA   | Client Messages are critical

    much more to come this weekend :]
