Security Tool Issue (STATUS_ACCESS_VIOLATION on ZwProtectVirtualMemory)

Started by st00ner, April 17, 2006, 05:04:42 PM


st00ner

Well, I'm making a user-land based inline unhooker (like programs that hook the user level have power over the API).

I call VirtualProtect like this so I can get NTSTATUS-type errors (and to avoid user-level hooks on it, so my security tool can't be stopped in user level):

NewVirtualProtect proc pAddy:PVOID, Leng:DWORD, NewProtect:DWORD, pOldProtect:PDWORD
    ; VirtualProtect(pAddy, Leng, NewProtect, pOldProtect) is VirtualProtectEx
    ; with hProcess = -1 (the current process)
    PUSH pOldProtect
    PUSH NewProtect
    PUSH Leng
    PUSH pAddy
    PUSH -1
    CALL VPEX
    ret                          ; proc epilogue: MASM expands this to leave / ret 10h

VPEX:                            ; VirtualProtectEx body; after the frame is set up:
    MOV EDI,EDI                  ; hProcess=[EBP+8], pAddy=[EBP+0Ch], Leng=[EBP+10h],
    PUSH EBP                     ; NewProtect=[EBP+14h], pOldProtect=[EBP+18h]
    MOV EBP,ESP
    PUSH ESI
    PUSH EDI
    ; ZwProtectVirtualMemory(hProcess, &BaseAddress, &NumberOfBytes, NewProtect, pOldProtect)
    ; takes BaseAddress and NumberOfBytes by pointer, so the addresses of the
    ; stack copies are pushed, not their values
    PUSH DWORD PTR [EBP+018h]    ; pOldProtect
    LEA EAX,DWORD PTR [EBP+010h]
    PUSH DWORD PTR [EBP+014h]    ; NewProtect
    PUSH EAX                     ; &Leng
    LEA EAX,DWORD PTR [EBP+00Ch]
    PUSH EAX                     ; &pAddy
    PUSH DWORD PTR [EBP+008h]    ; hProcess
    CALL ZWPVM
    POP EDI
    POP ESI
    POP EBP
    retn 14h                     ; stdcall: callee removes its five DWORD arguments.
                                 ; retn (not ret) so MASM does not insert the proc epilogue here

ZWPVM:                           ; ZwProtectVirtualMemory stub
    MOV EAX,ZWPVMN               ; system service index; ZWPVMN must be defined (EQU) for the
                                 ; target Windows build, it is not shown here
    CALL FSK
    retn 14h                     ; stdcall cleanup of the five arguments pushed by VPEX

FSK:                             ; KiFastSystemCall: EDX = user stack pointer for the kernel
    MOV EDX,ESP
    dw 0340Fh                    ; bytes 0F 34 = SYSENTER ("word" is not a MASM directive)
    retn                         ; the kernel resumes at the RETN after CALL FSK, so this
                                 ; line is never reached
NewVirtualProtect endp

For some reason, when I try to unhook some APIs like GetWindowThreadProcessId, VirtualProtect returns C0000005 (STATUS_ACCESS_VIOLATION):

// MessageId: STATUS_ACCESS_VIOLATION
//
// MessageText:
//
//  The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
//
#define STATUS_ACCESS_VIOLATION          ((NTSTATUS)0xC0000005L)    // winnt
Does anyone know why some APIs VirtualProtect fine while others give me an access violation?

P.S. This is for a rootkit finder program.

sluggy

Quote from: st00ner
Does anyone know why some APIs VirtualProtect fine while others give me an access violation?
Yes. But if you are l33t enough to be writing a root kit detector then you are also l33t enough to know why you can't hook/unhook some APIs from ring 3 "user land".

Quote from: st00ner
P.S. This is for a rootkit finder program.
Sure, we believe you. BTW, the code you posted above was meaningless - it was just a call to the following function which then calls the next following function. All beautifully documented so we could easily tell what was going on :tdown :snooty:

I have one question: in the process of unhooking, how are you telling that a hook is in place, and how are you determining whether it is a legitimate hook or not?

If you want any help or guidance from here, you are going to have to answer the questions we ask, and provide more information - both of which you have failed to do so far.
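
The question of how to tell that a hook is in place has a standard defender-side answer: read the first bytes of the exported function as mapped in the live process, read the same bytes from a reference copy (the DLL on disk, or a freshly mapped copy of the module), and classify the difference. The C below is an added example written for this thread, not code from the original post or from any poster; the byte patterns are the common x86 detour shapes, the sample prologue, addresses and module range are constructed, and reading the live and reference bytes from a Windows process is left to the caller.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict for the leading bytes of an exported function (x86). */
typedef enum {
    PROLOGUE_CLEAN = 0,   /* live bytes equal the reference copy           */
    PROLOGUE_JMP_REL32,   /* E9 rel32: classic 5-byte inline detour         */
    PROLOGUE_JMP_ABS,     /* FF 25 addr32: jmp through an absolute slot     */
    PROLOGUE_PUSH_RET,    /* 68 imm32 / C3: push target, ret                */
    PROLOGUE_MODIFIED     /* differs, but not one of the shapes above       */
} prologue_verdict;

/* Compare n live bytes with the reference bytes and name the change. */
prologue_verdict classify_prologue(const unsigned char *live,
                                   const unsigned char *reference, size_t n)
{
    if (memcmp(live, reference, n) == 0) return PROLOGUE_CLEAN;
    if (n >= 5 && live[0] == 0xE9) return PROLOGUE_JMP_REL32;
    if (n >= 6 && live[0] == 0xFF && live[1] == 0x25) return PROLOGUE_JMP_ABS;
    if (n >= 6 && live[0] == 0x68 && live[5] == 0xC3) return PROLOGUE_PUSH_RET;
    return PROLOGUE_MODIFIED;
}

/* Destination of an E9 detour: rel32 is relative to the end of the 5-byte jmp. */
uint32_t detour_target(uint32_t func_va, const unsigned char *live)
{
    uint32_t rel = (uint32_t)live[1] | ((uint32_t)live[2] << 8) |
                   ((uint32_t)live[3] << 16) | ((uint32_t)live[4] << 24);
    return func_va + 5u + rel;   /* unsigned wrap-around equals a signed rel32 add */
}

/* 1 if va lies inside [base, base + size). A detour that lands inside the
   module exporting the function is at least consistent with a vendor
   hot-patch; one landing in an unrelated module deserves a closer look. */
int va_in_module(uint32_t va, uint32_t base, uint32_t size)
{
    return va >= base && va - base < size;
}

/* Constructed samples: a kernel32-style hot-patchable prologue
   (mov edi,edi / push ebp / mov ebp,esp / sub esp,10h) and the same
   function after a 5-byte detour has been written over it. */
static const unsigned char REFERENCE[8]  = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
static const unsigned char LIVE_CLEAN[8] = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
static const unsigned char LIVE_HOOKED[8] = {0xE9,0x00,0x10,0x00,0x00,0x83,0xEC,0x10};

int main(void)
{
    const uint32_t func_va  = 0x7C801AD4u;                   /* constructed */
    const uint32_t mod_base = 0x7C800000u, mod_size = 0xF5000u; /* constructed */
    static const char *names[] = {"clean", "jmp rel32", "jmp [abs]",
                                  "push/ret", "modified"};

    printf("clean : %s\n", names[classify_prologue(LIVE_CLEAN, REFERENCE, 8)]);

    prologue_verdict v = classify_prologue(LIVE_HOOKED, REFERENCE, 8);
    printf("hooked: %s", names[v]);
    if (v == PROLOGUE_JMP_REL32) {
        uint32_t t = detour_target(func_va, LIVE_HOOKED);
        printf(" -> %08X (%s module)", t,
               va_in_module(t, mod_base, mod_size) ? "inside" : "outside");
    }
    printf("\n");
    return 0;
}
```

The byte comparison only says that something changed; deciding whether a change is legitimate needs more context, such as which module the detour lands in and whether that module is expected there.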


st00ner

I'm sorry =(

That's just code ripped from

VirtualProtect
VirtualProtectEx
KiFastSystemCall

I recall my friend making a program like this that could unhook them all from ring 3... that's why I'm so confused.

The only thing I wanted to know was a possible reason I was getting that error.

sluggy

Quote from: st00ner on April 18, 2006, 11:32:02 PM
I recall my friend making a program like this that could unhook them all from ring 3... that's why I'm so confused.
Your friend was probably doing this on Win9x and using an undocumented hack to get to ring 0.

You will have to understand our reluctance to answer your questions, you are a new member with no track record, asking about advanced topics that are often used for bad purposes. It is nothing personal, but until you get to be "known" here you are unlikely to get these questions answered.


PBrennick

How come it is always, always 'my friend'?

No help from me
Paul
The GeneSys Project is available from:
The Repository or My crappy website