
Thread: using filestreams to store data..or code as data?

  1. #1
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4

    using filestreams to store data..or code as data?

    eh wtf..
    trying to make it work in Win32.. before moving to the native equivalent..
    self storage.. so much is available!? We can most likely use some?



    Code:
    wchar_t NativePath[255] = {0};
    wchar_t *wString = 0;
    UNICODE_STRING Unicode = {0};
    OBJECT_ATTRIBUTES oa = {0};
    IO_STATUS_BLOCK IOSB = {0};
    LARGE_INTEGER li = {0};
    NTSTATUS Status = 0;
    HANDLE Reusable = 0;
    BOOL Recycler = FALSE;
    ULONG dwWritten = 0;
    __asm
    {
    	xor eax,eax
    	add eax,0x30
    	mov eax,fs:[eax]                     //PEB!!!
    	mov eax,[eax+0x10]                   //RTL_USER_PROCESS_PARAMETERS!!!!
    	add eax,0x38                         //UNICODE_STRING ImagePathName;!!!!
    	mov eax,[eax][UNICODE_STRING.Buffer] //ImagePathName.Buffer!!!!!
    	push eax                             //PUSH the buffer
    	pop wString                          //pop it into a wchar*
    }
    //we now have the Win32 Path Name and not the NT Path Name...
    //so we create our own Nt Path Name
    wcscpy(NativePath,L"\\??\\");
    wcscat(NativePath,wString);
    //string looks like:
    //\??\C:\Windows\System32\Sin32.exe
    // : is the signifier for a file stream attached to a file
    wcscat(NativePath,L":DEBUG_STREAM");
    //this is what it looks like with a File Stream specified
    //\??\C:\Windows\System32\Sin32.exe:DEBUG_STREAM
    //Init the Created String (points Unicode.Buffer at NativePath, no allocation)
    RtlInitUnicodeString(&Unicode,NativePath);
    InitializeObjectAttributes(&oa,&Unicode,OBJ_OPENIF|OBJ_KERNEL_HANDLE,0,0);
    li.QuadPart = 0x4096;   //initial allocation size
    Status = NtCreateFile(&Reusable,GENERIC_WRITE,&oa,&IOSB,&li,FILE_ATTRIBUTE_NORMAL,FILE_SHARE_WRITE,FILE_OVERWRITE_IF,FILE_WRITE_THROUGH,0,0);
    //try to write to the file stream (29 = the 28 characters plus the terminating NUL)
    Recycler = WriteFile(Reusable,"This is Sin32:DEBUG_STREAM\r\n",29,&dwWritten,0);
    //Flush File Stream...
    FlushFileBuffers(Reusable);
    CloseHandle(Reusable);
    for some reason it's not writing.. and my head hurtz...
    please, some assistance?

    BanMe
    Last edited by BanMe; August 7th, 2009 at 21:30.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  2. #2
    No errors either?

  3. #3
    BanMe
    None. WriteFile returns 0, as well as dwWritten 0, Status of CreateFile 0...
    I'm gonna figure it out.. doing
    Code:
    run wordpad "C:\Windows\System32\Sin32.exe:DEBUG_STREAM"
    to check dbg output is better than just debugger output capturing.. or creating a new text file on disk..
    WriteFile fails at 0 ... that's the only error..

  4. #4
    Check the # of bytes you are telling it to write. Maybe it's set to 0!

  5. #5
    BanMe
    it's 29 o0?

    but this works!!
    Code:
    wchar_t NativePath[255] = {0};
    wchar_t *wString = 0;
    UNICODE_STRING Unicode = {0};
    OBJECT_ATTRIBUTES oa = {0};
    IO_STATUS_BLOCK IOSB = {0};
    LARGE_INTEGER li = {0};
    NTSTATUS Status = 0;
    HANDLE Reusable = 0;
    BOOL Recycler = FALSE;
    ULONG dwWritten = 0;
    __asm
    {
    	xor eax,eax
    	add eax,0x30
    	mov eax,fs:[eax]                     //PEB
    	mov eax,[eax+0x10]                   //PEB->ProcessParameters
    	add eax,0x38                         //&ProcessParameters->ImagePathName
    	mov eax,[eax][UNICODE_STRING.Buffer] //ImagePathName.Buffer (Win32 path of our own image)
    	push eax
    	pop wString
    }
    //wcscpy(NativePath,L"\\??\\");   //no \??\ prefix here: CreateFileW takes the Win32 path
    wcscat(NativePath,wString);
    wcscat(NativePath,L":DEBUG_STREAM");
    RtlInitUnicodeString(&Unicode,NativePath);
    InitializeObjectAttributes(&oa,&Unicode,OBJ_OPENIF|OBJ_KERNEL_HANDLE,0,0);
    li.QuadPart = 0x4096;
    //Status = NtCreateFile(&Reusable,GENERIC_READ | GENERIC_WRITE,&oa,&IOSB,&li,FILE_ATTRIBUTE_NORMAL,FILE_SHARE_WRITE,FILE_OVERWRITE,FILE_WRITE_THROUGH|FILE_NO_INTERMEDIATE_BUFFERING,0,0);
    Reusable = CreateFileW(NativePath,GENERIC_WRITE,FILE_SHARE_WRITE,NULL,OPEN_ALWAYS,0,NULL);
    //28 = the string without its terminating NUL (31 read past the end of the literal)
    Recycler = WriteFile(Reusable,"This is Sin32:DEBUG_STREAM\r\n",28,&dwWritten,0);
    FlushFileBuffers(Reusable);
    CloseHandle(Reusable);
    If x86 and XP (I need the Vista PEB to make it work on Vista) you can throw that code into a DLL and inject it, and upon DLL_THREAD_ATTACH call this function.. then open the 'file stream' by using WordPad as shown above.. but I want it to work with NtCreateFile and NtWriteFile, so I've got the base now to build and work with it..


    regards BanMe
    Last edited by BanMe; August 8th, 2009 at 19:54.

  6. #6
    Registered User
    Join Date
    Nov 2003
    Location
    .hr
    Posts
    40
    Hi,

    I think you mixed up incompatible flags for NtCreateFile.
    btw, why aren't you using the lovely NDK by Alex Ionescu?

    here is my sample:
    Code:
    #if defined(__INTEL_COMPILER)
    #pragma message("conversion does not require any typecast")
    #endif
    #define UNICODE
    #include <wchar.h>
    #define WINVER 0x0501		// Windows 5.1
    #define _WIN32_WINNT 0x0501	//
    #define WIN32_LEAN_AND_MEAN	//
    #define WIN32_NO_STATUS		// Tell Windows headers you'll use ntstatus from NDK
    #include <windows.h>		// Declare Windows Headers like you normally would
    #define NTOS_MODE_USER
    #include <ntndk.h>			// Declare the NDK Headers http://code.google.com/p/native-nt-toolkit/
    #include <strsafe.h>
    
    void NtStatusMsg(NTSTATUS dwStatus);
    
    int wmain (int argc, WCHAR *argv[])
    {
    	UNICODE_STRING us;
    	WCHAR path[MAX_PATH];
    	PEB *peb=NtCurrentPeb();
    	OBJECT_ATTRIBUTES oa;
    	IO_STATUS_BLOCK iosb;
    	HANDLE hFile;
    	WCHAR Stream[1024];
    	NTSTATUS Status;
    
    	// NT path of our own image plus the stream name, e.g. \??\C:\dir\app.exe:DEBUG_STREAM
    	// (Cb = byte count, so pass sizeof(path), not MAX_PATH)
    	StringCbPrintf(path,sizeof(path),L"\\??\\%s:DEBUG_STREAM",
    		peb->ProcessParameters->ImagePathName.Buffer);
    	
    	// Points us.Buffer at path; nothing is allocated, so there is nothing to free later
    	RtlInitUnicodeString(&us,path);
    	
    	_putws(us.Buffer);
    	
    	InitializeObjectAttributes(&oa,&us,OBJ_CASE_INSENSITIVE|OBJ_OPENIF|OBJ_KERNEL_HANDLE,0,0);
    	
    	RtlZeroMemory(Stream,sizeof(Stream));
    	StringCchCopy(Stream,ARRAYSIZE(Stream),L"Hello World!");	// Cch = count of WCHARs, not bytes
    	
    	// SYNCHRONIZE + FILE_SYNCHRONOUS_IO_NONALERT give a synchronous handle,
    	// so NtReadFile/NtWriteFile can be called without an event or APC.
    	Status = NtCreateFile(&hFile,GENERIC_READ|GENERIC_WRITE|SYNCHRONIZE,
    			&oa,&iosb,0,FILE_ATTRIBUTE_NORMAL,FILE_SHARE_READ,
    			FILE_OPEN_IF,FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE,0,0);
    	if ( NT_SUCCESS(Status))
    	{
    		if ( iosb.Information == FILE_CREATED )
    		{
    			// Write the string and its NUL only; writing sizeof(Stream) pads the stream with zero bytes
    			ULONG cb = (ULONG)((wcslen(Stream)+1)*sizeof(WCHAR));
    			Status = NtWriteFile(hFile,0,0,0,&iosb,Stream,cb,0,0);
    			NtStatusMsg(Status);
    		}
    		else if ( iosb.Information == FILE_OPENED ) 
    		{
    			RtlZeroMemory(Stream,sizeof(Stream));
    			// Leave the last WCHAR zero so the buffer stays NUL-terminated
    			Status = NtReadFile(hFile,0,0,0,&iosb,Stream,sizeof(Stream)-sizeof(WCHAR),0,0);
    			if (NT_SUCCESS(Status))
    				_putws(Stream);
    			else
    				NtStatusMsg(Status);
    		}
    		NtClose(hFile);
    	}
    	else
    		NtStatusMsg(Status);
    
    	return getwchar();
    }
    
    void NtStatusMsg(NTSTATUS dwStatus)
    {
    	DWORD doserr = RtlNtStatusToDosError(dwStatus);
    	LPWSTR pbuff = NULL;
    	// With FORMAT_MESSAGE_ALLOCATE_BUFFER the address of the pointer is passed as the buffer argument
    	FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER|FORMAT_MESSAGE_FROM_SYSTEM,0,doserr,0,(LPWSTR)&pbuff,0x400-1,0);
    	if (pbuff)
    	{
    		_putws(pbuff);
    		LocalFree(pbuff);
    	}
    }
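A worked example added here (not code from BanMe or Drizz, nor from the thread): it covers the `file:stream` round trip from post #5 and the create-or-open logic from post #6 from the defender's side, in PowerShell rather than the thread's C. It writes a named stream onto a scratch file, reads it back if it already exists, then lists and hashes every stream on the file and sweeps a directory for files that carry a named stream, which is how a DEBUG_STREAM like the one above would be spotted. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the scratch file name, stream name and marker text are constructed values.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on an NTFS volume. $Target, $StreamName and $Marker are
# constructed values; the stream name mirrors the one used in the thread.

$Target     = Join-Path $env:TEMP 'ads_demo_host.txt'   # constructed scratch file
$StreamName = 'DEBUG_STREAM'
$Marker     = "This is ads_demo_host.txt:$StreamName"

function Get-AdsBytes {
    # Read one named stream as raw bytes. The byte-reading switch differs between
    # Windows PowerShell (-Encoding Byte) and PowerShell 7 (-AsByteStream).
    param([string]$Path, [string]$Stream)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        [byte[]](Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -ReadCount 0)
    } else {
        [byte[]](Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -ReadCount 0)
    }
}

function Find-AlternateStreams {
    # Report every stream other than the unnamed data stream, which Get-Item
    # lists as ':$DATA', for each file under $Root.
    param([string]$Root, [switch]$Recurse)
    Get-ChildItem -LiteralPath $Root -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# 1. Host file. Its unnamed stream stays empty, just as the .exe in the thread
#    keeps its own contents untouched when a stream is attached to it.
if (-not (Test-Path -LiteralPath $Target)) {
    New-Item -ItemType File -Path $Target | Out-Null
}

# 2. FILE_OPEN_IF-style behaviour as in post #6: write when the stream is new,
#    read it back when it is already there.
$existing = Get-Item -LiteralPath $Target -Stream $StreamName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    Set-Content -LiteralPath $Target -Stream $StreamName -Value $Marker -NoNewline
    Write-Host "created ${Target}:${StreamName}"
} else {
    $body = Get-Content -LiteralPath $Target -Stream $StreamName -Raw
    Write-Host "stream already present, contents: $body"
}

# 3. The size dir/Explorer report is the unnamed stream only; the ADS is invisible there.
Write-Host ("unnamed stream length: {0} bytes" -f (Get-Item -LiteralPath $Target).Length)
Get-Item -LiteralPath $Target -Stream * | Select-Object Stream, Length | Format-Table -AutoSize

# 4. Hash the stream payload so it can be compared against known content.
$bytes  = Get-AdsBytes -Path $Target -Stream $StreamName
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$digest = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
Write-Host "SHA256 of ${StreamName}: $digest ($($bytes.Length) bytes)"

# 5. Sweep the scratch directory for any file carrying a named stream.
Find-AlternateStreams -Root $env:TEMP | Format-Table -AutoSize

# 6. Remove only the named stream; the host file itself is left in place.
Remove-Item -LiteralPath $Target -Stream $StreamName
```

`Get-Item -Stream *` is the same enumeration `dir /R` performs, and `Find-AlternateStreams` is the check to run on a directory when a stream like the one in the thread is suspected; the stream contents are read with `-Stream` rather than a `path:stream` string because the provider treats a colon in a path as a drive separator.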

  7. #7
    BanMe
    Most excellent work Drizz.. I made it to where it was 'writing squares' to the file.. I tried to use the NDK by aionescu, but I really don't like frameworks, and it gave me horrible amounts of errors to ferret out.. thanks very much for the help. I was reading everything I could find about NtCreateFile's flags, it just wasn't coming together properly.. and yay for a reliable debug output framework without an external file.. !!

    regards BanMe
    Last edited by BanMe; August 8th, 2009 at 21:35.

  8. #8
    Registered User
    For me it was the opposite: I had a bunch of ntdll.h files lying around and none of them was complete enough. I even started putting together my own; it was horrible to use them in projects... and then I discovered NDK.
    Yes, I did have to change some stuff for "NTOS_MODE_USER" usage and add some files, but that was easy..

    cheers
