Need help with ZwOpenKey

Started by AH, October 29, 2006, 03:34:07 PM


AH

Hello...

I usually don't write in English - so please forgive my bad writing and knowledge of this language.
Yesterday I made my first steps with MASM32 (so I'm not familiar with this language either  :lol).
My problem: I want to read out a registry key. Because I want to do this in a driver (in the end), I tried out ZwOpenKey in user mode. Even if the key is present, I can't get the handle and the function returns an error  :(. What stupid things am I doing wrong? Please help a real newbie...


.386
.model flat, stdcall
option casemap:none

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                  I N C L U D E   F I L E S                                       
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


;for testing
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\debug.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\debug.lib

;include \masm32\include\w2k\ntdef.inc
include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntdll.inc
includelib \masm32\lib\w2k\ntdll.lib

IFNDEF UNICODE_STRING
UNICODE_STRING STRUCT
_Length WORD ? ; len of string in bytes (not chars)
MaximumLength WORD ? ; len of Buffer in bytes (not chars)
Buffer PWSTR ? ; pointer to string
UNICODE_STRING ENDS
PUNICODE_STRING typedef PTR UNICODE_STRING
ENDIF

UNICODE_NULL equ 0


OBJECT_ATTRIBUTES STRUCT ; sizeof = 18h
dwLength DWORD ? ; original name Length
RootDirectory HANDLE ?
ObjectName PUNICODE_STRING ?
Attributes DWORD ?
SecurityDescriptor PVOID ? ; Points to type SECURITY_DESCRIPTOR
SecurityQualityOfService PVOID ? ; Points to type SECURITY_QUALITY_OF_SERVICE
OBJECT_ATTRIBUTES ENDS


.data
MsgCaption      db "Iczelion's tutorial no.2",0
MsgBoxText      db "Win32 Assembly is Great!",0

KeyHandle dd 0
Disposition dd 0
LSA_Unicode dw 512,514,0,0
COUNTED_ANSI_STRING dw 0,0,0,0
ANSI db "\Registry\Machine\Software\Mister Root",0
ACCESS_RIGHTS dd 196633
Unicode db 518 dup(?)


.data?
POBJECT_ATTRIBUTES OBJECT_ATTRIBUTES <>

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                         C O D E                                                   
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


.code


start:
        invoke RtlInitAnsiString,addr COUNTED_ANSI_STRING,addr ANSI
        PrintDec eax," Rückgabe von RtlInitAnsiString "
        lea ecx,COUNTED_ANSI_STRING       
        mov ax,[ecx+0]
        PrintDec ax," Länge des Strings "
        mov ax,[ecx+2]
        PrintDec ax," Länge des Bereichs "
        mov eax,[ecx+4]
        PrintStringByAddr eax

        lea ecx,LSA_Unicode
        lea eax,Unicode
        mov [ecx+4],eax
        invoke RtlAnsiStringToUnicodeString,addr LSA_Unicode,addr COUNTED_ANSI_STRING,0
        PrintDec eax," Rückgabe von RtlAnsiStringToUnicodeString "
        lea ecx,LSA_Unicode     
        mov ax,[ecx+0]
        PrintDec ax," Länge des Strings "
        mov ax,[ecx+2]
        PrintDec ax," Länge des Bereichs "
        mov eax,[ecx+4]
        PrintDec eax," Adresse des Unicode-Strings "

      mov POBJECT_ATTRIBUTES.dwLength,24
      mov POBJECT_ATTRIBUTES.RootDirectory,NULL
      lea ecx,LSA_Unicode
      mov POBJECT_ATTRIBUTES.ObjectName,ecx
      mov POBJECT_ATTRIBUTES.Attributes,64
      mov POBJECT_ATTRIBUTES.SecurityDescriptor,NULL
      mov POBJECT_ATTRIBUTES.SecurityQualityOfService,NULL
     
        lea  ecx,POBJECT_ATTRIBUTES
        PrintDec ecx," Adresse der Object_Attributes Struktur"
        lea eax,LSA_Unicode     
        PrintDec eax," Adresse der LSA_Unicode Struktur "
        mov [ecx+8],eax

        invoke ZwOpenKey,addr KeyHandle,ACCESS_RIGHTS,addr POBJECT_ATTRIBUTES

        ;invoke ZwCreateKey,addr KeyHandle,ACCESS_RIGHTS,addr POBJECT_ATTRIBUTES,0,0,0,addr Disposition


        PrintDec eax," Rückgabe von ZwOpenKey "
        PrintDec KeyHandle,"Handle des Schlüssels "
        invoke ZwClose,KeyHandle
        PrintDec eax," Rückgabe von ZwClose"

        invoke MessageBox, NULL,addr MsgBoxText, addr MsgCaption, MB_OK
       
        invoke ExitProcess,0
end start

sluggy

Exactly what key are you trying to open? I don't see you using a specific hive... What level are you running at on the machine (admin or user)? What is the return code from the call? What is returned from GetLastError?
Why are you trying to write a driver? It appears you are not good at making API calls in any language, let alone asm (there are a couple of basic mistakes that give you away), so why start off with something that is technically difficult? Are you making a root kit or a virus at all? Or have you just not shown all your code?

AH

Quote
Exactly what key are you trying to open? I don't see you using a specific hive...
HKEY_LOCAL_MACHINE\Software => the rest doesn't really matter

Quote
What level are you running at on the machine (admin or user)?
Admin.

Quote
What is the return code from the call?
-2147483646; you can translate it into a "System Error Code" with the API LsaNtStatusToWinError. I will do that later, because at the moment I'm not running on Windows 2000.

Quote
What is returned from GetLastError?
Because it's a "kernel mode API", GetLastError doesn't return anything that makes sense.

Quote
Why are you trying to write a driver? It appears you are not good at making API calls in any language, let alone asm (there are a couple of basic mistakes that give you away), so why start off with something that is technically difficult? Are you making a root kit or a virus at all? Or have you just not shown all your code?
That's a good and right question. I've now been writing little programs for over 20 years (hobby) - some security things, too (setting the "LSA Policy Object" and "Account Object" security descriptor, managing privileges, a task manager which scans user address space on demand, some "time watch software" for children and so on). I "learned" ASM two days ago - so don't wonder - I'm better at calling APIs from my language :lol (I think, after one day of "learning" my language, you won't be much better  :bg).
In my programming language it is not possible to write a driver - so I'm trying to learn MASM. I want to write something like "Anti Virus Software" that kills viruses which don't write anything to the registry when they are loaded into the kernel. I need a very little driver for that. I just want to try it out...

I hope my English isn't too bad...

thanks for answering

AH
AH

Quote
there are a couple of basic mistakes that give you away
Thanks for telling me, that's what I want to know. What mistakes? I've got no teacher at all - please show me, what I've done wrong. After one day of learning (without anyone who teaches me) I'm not so bad at all, am I? :wink
Tomorrow I'll be back and I want to see Kernel Code in my language "Profan" from you!  :lol
But just stop joking now...

In fact, I want to learn something about ASM, that's why I'm here. I'm a beginner in ASM - that's why I'm posting in the "Campus" and I need help in order to learn from my faults. The rest doesn't matter at all - please help me.

PS: Why do I post code with the ZwOpenKey API to learn ASM? Because ZwOpenKey is a "kernel mode API" (and that's the only thing I need ASM for - writing kernel code) which only opens a registry key - it doesn't write anything. ZwOpenKey uses the Object_Attributes structure, which I need later, too.




AH

Here is a little tool for you, programmed in 10 minutes - don't expect too much: http://fundgrube.fortunecity.de/YourFault/YourFault.zip. Just put the error code number in the edit box; for an NT_STATUS error (as returned by LsaEnumerateAccountRights for example) mark the checkbox - that's all. Then you can look at error code descriptions yourself (I hope it works over there too, not much tested).





AH

OK, this seems to work correctly:

.386
.model flat, stdcall
option casemap:none
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                 I N C L U D E F I L E S
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntdll.inc
includelib \masm32\lib\w2k\ntdll.lib

;for testing
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\debug.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\debug.lib

.data
Object_Attrib dd 24,0,0,64,0,0
COUNTED_ANSI_STRING dw 0,0,0,0
ANSI db "\Registry\Machine\Software\Mister Root",0
LSA_Unicode dw 0,518,0,0
ACCESS_RIGHTS dd 1
KeyHandle dd 0


.data?
Unicode db 518 dup(?)

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                    C O D E
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.code
start:
invoke RtlInitAnsiString,addr COUNTED_ANSI_STRING,addr ANSI
PrintDec eax," Rückgabe von RtlInitAnsiString "
lea ebx,COUNTED_ANSI_STRING
mov ax,[ebx+0]
PrintDec ax," Länge des Strings "
mov ax,[ebx+2]
PrintDec ax," Länge des Bereichs "
mov eax,[ebx+4]
PrintStringByAddr eax
lea ebx,LSA_Unicode
mov ax,518
mov [ebx+2],ax
lea eax,Unicode
mov [ebx+4],eax
invoke RtlAnsiStringToUnicodeString,addr LSA_Unicode,addr COUNTED_ANSI_STRING,0
PrintDec eax," Rückgabe von RtlAnsiStringToUnicodeString "
lea ebx,LSA_Unicode
mov ax,[ebx+0]
PrintDec ax," Länge des Strings "
mov ax,[ebx+2]
PrintDec ax," Länge des Bereichs "
lea ebx,Object_Attrib
PrintDec ebx," Adresse der Object_Attributes Struktur"
lea eax,LSA_Unicode
PrintDec eax," Adresse der LSA_Unicode Struktur "

PrintDec ebx," Vor Änderung"

add ebx,8

PrintDec ebx," Nach Änderung"

mov [ebx],eax

invoke ZwOpenKey,addr KeyHandle,ACCESS_RIGHTS,addr Object_Attrib
PrintDec eax," Rückgabe von ZwOpenKey "
PrintDec KeyHandle,"Handle des Schlüssels "
invoke ZwClose,KeyHandle
PrintDec eax," Rückgabe von ZwClose"
invoke ExitProcess,0
end start


Thanks for helping

AH
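The -2147483646 returned in the first listing is 80000002h, STATUS_DATATYPE_MISALIGNMENT: the kernel probes the UNICODE_STRING buffer for 2-byte alignment, and there `Unicode db 518 dup(?)` follows 117 bytes of strings and DWORDs in .data, so it sits at an odd address (the second listing moves it to the start of .data?, which is aligned). The listing below is an added example, not code from the thread: it opens the same HKLM\Software key but lets ntdll allocate the aligned buffer (AllocateDestinationString = TRUE), fills OBJECT_ATTRIBUTES through a STRUCT, asks for KEY_READ (20019h) rather than the first post's 196633 = 30019h (KEY_READ plus DELETE), and tests the NTSTATUS by sign. It assumes the thread's w2k ntdll.inc also prototypes RtlFreeUnicodeString; CNT_STRING and OBJ_ATTR are this example's own names.

```masm
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\debug.inc
include \masm32\include\w2k\ntdll.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\debug.lib
includelib \masm32\lib\w2k\ntdll.lib

CNT_STRING STRUCT            ; layout shared by ANSI_STRING and UNICODE_STRING
    Len     WORD  ?          ; bytes used, without the terminator
    MaxLen  WORD  ?          ; bytes available in Buffer
    Buffer  DWORD ?          ; pointer to the characters
CNT_STRING ENDS
OBJ_ATTR STRUCT              ; layout of OBJECT_ATTRIBUTES, 24 bytes
    dwLength      DWORD ?
    RootDirectory DWORD ?
    ObjectName    DWORD ?    ; -> UNICODE_STRING
    Attributes    DWORD ?
    SecurityDesc  DWORD ?
    SecurityQoS   DWORD ?
OBJ_ATTR ENDS
KEY_READ_RIGHTS equ 20019h   ; KEY_READ: query, enumerate, notify; no DELETE

.data
KeyPath db "\Registry\Machine\Software",0        ; native name of HKLM\Software
UniStr  CNT_STRING <>                             ; filled in by ntdll below
ObjAttr OBJ_ATTR <24, NULL, offset UniStr, 40h, NULL, NULL> ; 40h = OBJ_CASE_INSENSITIVE
.data?
AnsiStr CNT_STRING <>
hKey    DWORD ?

.code
start:
    invoke RtlInitAnsiString, addr AnsiStr, addr KeyPath
    ; TRUE: ntdll allocates a correctly sized and 2-byte aligned WCHAR buffer
    invoke RtlAnsiStringToUnicodeString, addr UniStr, addr AnsiStr, TRUE
    .if sdword ptr eax < 0               ; NT_SUCCESS(status) means status >= 0
        PrintHex eax, " RtlAnsiStringToUnicodeString failed"
        invoke ExitProcess, 1
    .endif
    invoke ZwOpenKey, addr hKey, KEY_READ_RIGHTS, addr ObjAttr
    .if sdword ptr eax >= 0
        PrintHex hKey, " key handle"
        invoke ZwClose, hKey
    .else
        PrintHex eax, " NTSTATUS from ZwOpenKey"   ; e.g. C0000034h = name not found
    .endif
    invoke RtlFreeUnicodeString, addr UniStr   ; release the buffer ntdll allocated
    invoke ExitProcess, 0
end start
```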

TNick

Hi!

Just a question: HA is another nick of yours?

Regards,
Nick

AH

No, I'm new here. Who's that? I just look...

I can't find this nick, who is this guy? My full name is Andreas Hötker - I'm from Germany. AH is my short name for documentation in my job as "Altenpfleger" (I don't know the right word in English, it's someone who takes care of old people). You can prove this very easily by looking on the net. Is there anything else you want to know about me?

I'm posting here in this forum because I heard that the best at programming with ASM are here - and I want to learn very fast and very much.
In my programming language I started to write the first API documentation (XProfan), but it's totally different to write in ASM.
In the way I need it, ASM is very easy to learn and very, very powerful.

So, who is HA and why do you ask such questions without helping me? In Germany, in the forum where I normally post, everyone gets help from me within one day - without checking his personality and his knowledge of the language - in order to make him a better programmer than he is by now. Do I waste time by posting here?

Greetings

AH


remus2k

hi andreas

keep calm, not everybody has got clairvoyant skills.

but maybe this could help http://llf6.bokee.com/4389614.html ?

better :bg

regards, remus2k

dsouza123

AH, the YourFault.zip utility isn't available any more from the link you provided
could you attach it to a post in this thread or is there an alternate link ?

TNick

Hello! Sorry, I saw this reply a little bit late. Because of that, I will send this message as a PM to you, AH.
Now, no need to be angry. I didn't ask for your real name and I don't care about it. You may use whatever nick you like, that's not my business! My fault for not saying why I asked.
SORRY!
There was someone with the nick HA who asked for homework!
About the rest of your post, in here I met people very passionate about programming in ASM, with a lot of knowledge, willing to share and to help newbies like you and me. If you are interested in ASM, asking around here and reading others' posts won't be a waste of time.

remus2k, as an opinion, I don't think it's nice to write posts in a language other than the official forum language.
Nick

dsouza123

The English translation of the German remus2k provided in his post is intriguing and an enigma.

always with does not rest it can all lightsee!

I think it might be something like

If you (keep working at it/don't give up), (it will all (become clear/come into focus)/all will be revealed).