
Physical Memory Mapper

Started by The Dude of Dudes, February 13, 2005, 08:10:58 AM


white scorpion

QuoteThe Dude of Dudes,
Ok, you used the Hide Process technique. It is ghastly. your MemPhys Editor should like system process lsass.exe.   Could you attach the source code?
another shortcoming:

    * if i selected the Physical Address and gave 0, it showed the data at addresses 0-ff0; if i gave 11, it still showed the data at addresses 0-ff0. I think it should show the data at addresses 11-(11+ff0).
    * the data at these addresses can be saved to a txt file.
even lsass.exe can be killed pretty easily:
check out ProKill v2 it is a commandline process viewer / killer i have written in C (source included). it adds debug privileges to itself making it powerful enough to kill even the protected processes.

but i'm pretty interested in the "hiding processes" technique. i know it is possible by hooking the right API's, but i'm wondering if there is another way... i'm going to take a look at that program now  :bg

nice work btw !!!

[EDIT] unfortunately the zipfile is empty. is a bug or is there another reason?

six_L

#16
Hi,white scorpion
here is code that can kill "lsass.exe".

;@echo off
;goto make
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386                            ; MASM syntax, 32-bit x86 target (Win32 API, stdcall)
.model flat, stdcall            ; flat memory model; callee cleans the stack
option casemap:none             ; symbol names are case-sensitive (required by the masm32 includes)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\advapi32.inc

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\advapi32.lib

include \masm32\Macros\macros.asm
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Hand-rolled equivalent of the Win32 LUID (LowPart / HighPart): the 64-bit
; value LookupPrivilegeValue fills in for a privilege name.
LUIDCUST STRUCT
     usedpart              DWORD      ?          ; LUID.LowPart
     ignorehigh32bitpart   DWORD      ?          ; LUID.HighPart
LUIDCUST ENDS

; Hand-rolled TOKEN_PRIVILEGES holding exactly one LUID_AND_ATTRIBUTES entry
; (PrivilegeCount, then {Luid, Attributes}). The field order must stay exactly
; this, because AdjustTokenPrivileges reads the buffer by offset.
TOKEN_PRIVS STRUCT
     privilegecount        DWORD      ?          ; set to 1 by Kill_AdjustToken
     theluid               LUIDCUST   <>         ; LUID of the privilege to adjust
     attributes            DWORD      ?          ; SE_PRIVILEGE_ENABLED (2) in this program
TOKEN_PRIVS ENDS
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
pName db "lsass.exe",0          ; image name to look for; compared case-insensitively against the tail of szExeFile
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data?
pszParam dd ?                   ; pointer to pName, set once at start
hSnapshot dd ?                  ; Toolhelp32 snapshot handle
uProcess PROCESSENTRY32 <>      ; current snapshot entry; dwSize must be set before Process32First
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; For NT Type Platforms get the privilege for a Terminating Process.
Kill_AdjustToken proc

   ; Enables SeDebugPrivilege on the calling process's own access token.
   ; In:   nothing (operates on GetCurrentProcess())
   ; Out:  eax = BOOL returned by AdjustTokenPrivileges (the caller ignores it)
   ; Clobbers: eax, ecx, edx, flags. ebx/esi/edi are never touched here.
   ; Not checked: failure of OpenProcessToken, LookupPrivilegeValue or
   ; AdjustTokenPrivileges. Note that AdjustTokenPrivileges returns nonzero
   ; even when the privilege could not be enabled (GetLastError ==
   ; ERROR_NOT_ALL_ASSIGNED), which is the expected outcome when the token
   ; does not hold SeDebugPrivilege, e.g. a non-administrator.
   ; hdlTokenHandle is never closed (one handle leaked per call).
   LOCAL hdlProcessHandle:DWORD
   LOCAL hdlTokenHandle:DWORD
   LOCAL tmpLuid:LUIDCUST
   LOCAL tkp:TOKEN_PRIVS
   LOCAL tkpNewButIgnored:TOKEN_PRIVS    ; previous-state buffer, never read
   LOCAL lBufferNeeded:DWORD
   LOCAL tBuff[32]:BYTE                  ; only byte 0 is initialised (empty string)
   LOCAL ptBuff:DWORD

   invoke GetCurrentProcess       ; pseudo-handle for the current process
   mov hdlProcessHandle,eax       ; save it to hdlProcessHandle

   lea eax, tBuff                 ; ptBuff = "" -> passed as lpSystemName below,
   mov ptBuff, eax                ; i.e. look the privilege up on the local machine
   mov BYTE PTR [eax], 0          ; NUL-terminate: tBuff is the empty string

   ; 40 = 28h = TOKEN_ADJUST_PRIVILEGES (20h) or TOKEN_QUERY (08h)
   invoke OpenProcessToken,hdlProcessHandle,40,ADDR hdlTokenHandle
   invoke LookupPrivilegeValue,ptBuff,SADD("SeDebugPrivilege"),ADDR tmpLuid

   lea eax, tmpLuid               ; address of tmpLuid into eax

   ; Copy the looked-up LUID into ecx:edx (LowPart:HighPart)
   mov ecx, (LUIDCUST PTR [eax]).usedpart
   mov edx, (LUIDCUST PTR [eax]).ignorehigh32bitpart
   
   lea eax, tkp                   ; build the one-entry TOKEN_PRIVILEGES in tkp
   
   mov (TOKEN_PRIVS PTR [eax]).privilegecount, 1
   mov (TOKEN_PRIVS PTR [eax]).theluid.usedpart, ecx
   mov (TOKEN_PRIVS PTR [eax]).theluid.ignorehigh32bitpart, edx
   mov (TOKEN_PRIVS PTR [eax]).attributes, 2        ; 2 = SE_PRIVILEGE_ENABLED

   ; DisableAllPrivileges = 0; previous state is written to tkpNewButIgnored
   invoke AdjustTokenPrivileges,hdlTokenHandle,0,ADDR tkp,\
SizeOf tkpNewButIgnored,ADDR tkpNewButIgnored,ADDR lBufferNeeded

   AdjTokDone:                    ; unused label: nothing jumps here

   ret

Kill_AdjustToken endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

start:

; Entry point. Walks a Toolhelp32 process snapshot looking for an entry whose
; szExeFile ends with pName (case-insensitive suffix match, so any image name
; ending in "lsass.exe" qualifies, not only the exact name), enables
; SeDebugPrivilege, and calls TerminateProcess on the first match.
; Register roles inside the loops:
;   edi = cursor into uProcess.szExeFile, walked from the NUL back to char 0
;   ebx = address of the byte before szExeFile (inner-loop sentinel)
;   ecx = zeroed but never read in this listing
; The loops rely on the Win32 APIs preserving ebx/edi across calls (stdcall ABI).
; Reviewer note: lsass.exe is a critical system process; terminating it on
; NT-family Windows forces a system restart. Read this listing as a demonstration
; of why SeDebugPrivilege must be tightly controlled, not as a utility.
mov edi, OFFSET pName
mov [pszParam],edi
mov [uProcess.dwSize], sizeof uProcess ;PROCESSENTRY32.dwSize must be set before Process32First (sizeof uProcess=128h)
invoke CreateToolhelp32Snapshot, 2, 0  ;2 = TH32CS_SNAPPROCESS; result (INVALID_HANDLE_VALUE on failure) is not checked
mov [hSnapshot], eax
invoke Process32First, eax, ADDR uProcess  ; eax = BOOL, drives the outer loop
.while  eax                              
xor ecx, ecx                   ; dead store
lea edi, [uProcess.szExeFile]  ;image name of the current snapshot entry
mov ebx, edi
dec ebx                        ;ebx = szExeFile - 1, so every suffix up to the whole name is tried
invoke lstrlen, edi
add edi, eax                   ;edi -> terminating NUL; first compare is "" vs pName
.while  edi!=ebx ; stop after the suffix starting at char 0 has been tried
invoke lstrcmpi, edi, [pszParam]  ;0 when the suffix at edi equals pName (case-insensitive)
.if !eax                          
invoke Kill_AdjustToken        ; return value ignored; the privilege may not actually be enabled
invoke OpenProcess, PROCESS_TERMINATE, 1, [uProcess.th32ProcessID]  ; bInheritHandle=1 (unneeded); NULL on failure is not checked
invoke TerminateProcess, eax, 0
.if eax!=0
invoke MessageBox,NULL,chr$("Killed the Process"),chr$("--- test ---"),MB_OK or MB_ICONASTERISK
jmp done
.endif
invoke MessageBox,NULL,chr$("Can't kill the Process"),chr$("--- test ---"),MB_OK or MB_ICONSTOP

jmp done
.endif
dec edi                        ; step back one character: next-longer suffix
.endw
invoke Process32Next, [hSnapshot], ADDR uProcess ;eax = BOOL; 0 ends the outer loop
.endw
invoke MessageBox,NULL,chr$("Nothing Process to be selected"),chr$("--- test ---"),MB_OK or MB_ICONWARNING

done: invoke CloseHandle, [hSnapshot]
invoke ExitProcess, eax        ; exit code is CloseHandle's BOOL, not a meaningful status

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

end start

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

:make
rem Self-assembling batch file: this file is both the .bat and the MASM source.
rem The leading ';@echo off' and ';goto make' are comments to ml but commands to
rem cmd, and everything after 'end start' is ignored by ml.
set name=killproc1

   \masm32\bin\ml /c /coff %name%.bat
   \masm32\bin\Link /subsystem:windows %name%.obj

   if exist %name%.obj del %name%.obj
   if exist %name%.bak del %name%.bak


if a proc were as powerful as The Dude of Dudes's MemPhys Editor, then we would often have to power off our PC and restore all the data we backed up.
really?

the "hiding processes" technique is a rootkit technique; if we talk about it, hutch-- will shoot us.


regards

white scorpion

Thanks for the code but i already knew how to kill it. just add debug privileges to your program and you can kill everything.

as for the technique, i already know now where to look for it (got an email). i'm going to start to learn it myself now too (kernel driver writing).


Geryon