After much reading and BSODing my computer, I've completed a Driver that permits direct access to Physical Memory from user mode. It works by directly modifying the Page Table entry of a committed memory block in the process space to point to any Physical page, while maintaining the access rights of the process memory. It's similar to the PhysicalMemory object, but isn't restricted in write access. The source is documented. There's a driver installer, uninstaller and UseMemPhys.exe that demonstrates how to use the driver. :dance:
[attachment deleted by admin]
Very interesting work! :U
Regards,
Opcode
Very interesting, indeed. I am interested in knowing where you obtained the following:
include ntstatus.inc
include ntddk.inc
include ntoskrnl.inc
include w2kundoc.inc
include strings.mac
includelib ntoskrnl.lib
Thanks,
Paul
They're from Four-F's KMD Kit.
[attachment deleted by admin]
Oh yeah, that was where I read about the Kernel Mode Driver; I had all but forgotten that. :bdg
Paul
Very nice, great job :U :cheekygreen: :cheekygreen:
Why would you need to use physical memory?
For fun, of course!
I wanted to make something semi-useful with my driver, so I wrote a Memory Editor that uses it to view/change physical and process specific virtual memory. Had a lot of fun making it! :toothy
Attachment changed Feb 26 (bugfix)
[attachment deleted by admin]
:U :U :U
I guess you are FOUR-F.
best regards.
It has a couple of shortcomings.
1. It can be terminated by another process (ring 3).
2. If it exits abnormally, it can't run the next time (msg: "specified server has already existed"). To run it again, we must use the Kernel-Mode Driver Manager to Stop and Unregister it.
regards.
Quote:
It has a couple of shortcomings.
1. It can be terminated by another process (ring 3).
2. If it exits abnormally, it can't run the next time (msg: "specified server has already existed"). To run it again, we must use the Kernel-Mode Driver Manager to Stop and Unregister it.
#2 - Thanks for pointing that out! I've fixed the problem and updated the attachment! :U
#1 - Not exactly sure what you mean. Can you be more specific?
The Dude of Dudes,
hello,
Thank you for paying attention to my test.
The second shortcoming has been figured out very well. I hope your MemPhys Editor can run like the system process lsass.exe, which can't be terminated by a user process.
Here is Process Manager v1.01, which can terminate your MemPhys Editor.
Process Manager v1.01 has two errors (user, size), but it can terminate a user process.
regards.
[attachment deleted by admin]
Six_L,
Try this version.... :cheekygreen:
P.S. - only for WinXP, will probably crash other versions
Edit - I've removed the attachment. I believe it borders on the edge of the forum rules, and I wish to keep the peace! :bg
The Dude of Dudes,
OK, you used the Hide Process technique. It is ghastly. Your MemPhys Editor should be like the system process lsass.exe. Could you append the source code?
Another shortcoming:
- If I select Physical Address and enter 0, it shows the data at addresses 0-ff0; if I enter 11, it still shows the data at addresses 0-ff0. I think it should show the data at addresses 11 to (11+ff0).
- The data at these addresses could be saved to a txt file.
However, it is great work.
:U :U :U
regards.
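Two things in this thread reduce to the same page arithmetic: the driver described at the top (retargeting a committed block's PTE at another physical frame while keeping the process's access rights) and the offset bug Six_L reports here (a request for address 11 showing the frame from 0). The C below is an added example written for this thread, not code from the driver, the MemPhys Editor or Four-F's kit. It assumes the 32-bit x86 non-PAE layout (4 KiB pages, 10/10/12 address split) matching the WinXP-only note above; the flag constants are the architectural PTE bits, and the two-frame buffer is constructed sample data in which each byte holds the low 8 bits of its own physical address.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example: page arithmetic for 32-bit x86 without PAE (assumed layout). */
#define PAGE_SHIFT 12u
#define PAGE_SIZE  (1u << PAGE_SHIFT)          /* 4 KiB */
#define PAGE_MASK  (PAGE_SIZE - 1u)             /* 0xFFF: byte offset within a page */

/* Architectural PTE flag bits for a 4 KiB page under 32-bit paging. Bits 0..11 are
 * flags (plus three software-available bits); bits 12..31 hold the physical frame number. */
#define PTE_PRESENT (1u << 0)
#define PTE_RW      (1u << 1)
#define PTE_USER    (1u << 2)

typedef struct {
    uint32_t pd_index;   /* bits 31..22: page-directory entry */
    uint32_t pt_index;   /* bits 21..12: page-table entry within that table */
    uint32_t offset;     /* bits 11..0: byte within the 4 KiB page */
} va_parts;

/* Split a virtual address into the indices the MMU walks. */
va_parts va_split(uint32_t va) {
    va_parts p;
    p.pd_index = va >> 22;
    p.pt_index = (va >> PAGE_SHIFT) & 0x3FFu;
    p.offset   = va & PAGE_MASK;
    return p;
}

/* Physical frame number carried by a PTE. */
uint32_t pte_pfn(uint32_t pte) { return pte >> PAGE_SHIFT; }

/* Compute the PTE that points an existing mapping at 'phys' while keeping every flag
 * bit (P, R/W, U/S, caching, accessed/dirty) from the old entry; that is what
 * "maintaining the access rights of the process memory" means at the PTE level.
 * Refuses unaligned targets and entries that are not present user-mode mappings. */
bool pte_retarget(uint32_t old_pte, uint32_t phys, uint32_t *out) {
    if (phys & PAGE_MASK)          return false;   /* target must be frame-aligned */
    if (!(old_pte & PTE_PRESENT))  return false;   /* nothing mapped: no rights to keep */
    if (!(old_pte & PTE_USER))     return false;   /* leave supervisor mappings alone */
    *out = (old_pte & PAGE_MASK) | (phys & ~PAGE_MASK);
    return true;
}

/* Convenience wrapper: the new PTE, or 0 when pte_retarget refuses the request. */
uint32_t retarget_or_zero(uint32_t old_pte, uint32_t phys) {
    uint32_t out = 0;
    return pte_retarget(old_pte, phys, &out) ? out : 0;
}

/* Number of 4 KiB frames the byte range [phys, phys + len) touches. A viewer that maps
 * only the frame containing 'phys' and then displays it from offset 0 shows exactly the
 * bug reported above: 11..(11+ff0) crosses into a second frame and does not start at
 * the frame boundary. */
uint32_t frames_spanned(uint32_t phys, uint32_t len) {
    if (len == 0) return 0;
    uint32_t first = phys >> PAGE_SHIFT;
    uint32_t last  = (uint32_t)(((uint64_t)phys + len - 1u) >> PAGE_SHIFT);
    return last - first + 1u;
}

/* Once the spanned frames are mapped contiguously, the bytes the user asked for begin
 * at the in-page offset of 'phys', not at the start of the mapping. */
const uint8_t *view_start(const uint8_t *mapped, uint32_t phys) {
    return mapped + (phys & PAGE_MASK);
}

/* Constructed sample standing in for two mapped frames (physical 0..0x1FFF): each byte
 * holds the low 8 bits of its own physical address, so a dump is self-checking. */
static uint8_t g_frames[2 * PAGE_SIZE];
const uint8_t *sample_frames(void) {
    for (uint32_t i = 0; i < sizeof g_frames; i++) g_frames[i] = (uint8_t)(i & 0xFFu);
    return g_frames;
}

int main(void) {
    const uint32_t phys = 0x11, len = 0xFF0;
    va_parts vp = va_split(0x7FFE1234u);
    printf("va 7FFE1234 -> pde %u, pte %u, offset 0x%03X\n", vp.pd_index, vp.pt_index, vp.offset);

    uint32_t new_pte = retarget_or_zero(0x01234067u, 0x000FF000u);
    printf("retargeted PTE 01234067 -> %08X (pfn %05X, flags kept %03X)\n",
           new_pte, pte_pfn(new_pte), new_pte & PAGE_MASK);

    printf("request %X..%X spans %u frame(s)\n", phys, phys + len, frames_spanned(phys, len));
    const uint8_t *view = view_start(sample_frames(), phys);
    printf("first bytes shown:");
    for (int i = 0; i < 8; i++) printf(" %02X", view[i]);   /* 11 12 13 ... rather than 00 01 02 */
    printf("\n");
    return 0;
}
```

The two refusals in pte_retarget are the checks a reviewer would ask for in a driver like this: a non-present entry carries no rights to preserve, and rewriting a supervisor mapping from a user-mode request defeats the stated goal of keeping the process's own access rights.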
Quote:
The Dude of Dudes,
OK, you used the Hide Process technique. It is ghastly. Your MemPhys Editor should be like the system process lsass.exe. Could you append the source code?
Another shortcoming:
- If I select Physical Address and enter 0, it shows the data at addresses 0-ff0; if I enter 11, it still shows the data at addresses 0-ff0. I think it should show the data at addresses 11 to (11+ff0).
- The data at these addresses could be saved to a txt file.
even lsass.exe can be killed pretty easily:
Check out ProKill v2 (http://www.white-scorpion.nl/programs/prokill2.zip). It is a command-line process viewer/killer I have written in C (source included). It adds debug privileges to itself, making it powerful enough to kill even the protected processes.
But I'm pretty interested in the "hiding processes" technique. I know it is possible by hooking the right APIs, but I'm wondering if there is another way... I'm going to take a look at that program now :bg
Nice work btw!!!
[EDIT] Unfortunately the zip file is empty. Is it a bug, or is there another reason?
Hi, white scorpion
Here is code that can kill "lsass.exe".
;@echo off
;goto make
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386
.model flat, stdcall
option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\advapi32.lib
include \masm32\Macros\macros.asm
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
LUIDCUST STRUCT
    usedpart            DWORD ?
    ignorehigh32bitpart DWORD ?
LUIDCUST ENDS

TOKEN_PRIVS STRUCT
    privilegecount DWORD ?
    theluid        LUIDCUST <>
    attributes     DWORD ?
TOKEN_PRIVS ENDS
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
    pName db "lsass.exe",0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data?
    pszParam  dd ?
    hSnapshot dd ?
    uProcess  PROCESSENTRY32 <>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; For NT type platforms: get the privilege for terminating a process.
Kill_AdjustToken proc
    LOCAL hdlProcessHandle:DWORD
    LOCAL hdlTokenHandle:DWORD
    LOCAL tmpLuid:LUIDCUST
    LOCAL tkp:TOKEN_PRIVS
    LOCAL tkpNewButIgnored:TOKEN_PRIVS
    LOCAL lBufferNeeded:DWORD
    LOCAL tBuff[32]:BYTE
    LOCAL ptBuff:DWORD

    invoke GetCurrentProcess                    ; get the current process handle
    mov  hdlProcessHandle, eax                  ; save it to hdlProcessHandle
    lea  eax, tBuff                             ; address of temp buffer into eax
    mov  ptBuff, eax                            ; set pointer to temp buffer
    mov  BYTE PTR [eax], 0                      ; initialize the buffer
    invoke OpenProcessToken, hdlProcessHandle, 40, ADDR hdlTokenHandle
    invoke LookupPrivilegeValue, ptBuff, SADD("SeDebugPrivilege"), ADDR tmpLuid
    lea  eax, tmpLuid                           ; address of tmpLuid into eax
    ; Contents of tmpLuid into ecx:edx
    mov  ecx, (LUIDCUST PTR [eax]).usedpart
    mov  edx, (LUIDCUST PTR [eax]).ignorehigh32bitpart
    lea  eax, tkp                               ; address of tkp into eax
    mov  (TOKEN_PRIVS PTR [eax]).privilegecount, 1
    mov  (TOKEN_PRIVS PTR [eax]).theluid.usedpart, ecx
    mov  (TOKEN_PRIVS PTR [eax]).theluid.ignorehigh32bitpart, edx
    mov  (TOKEN_PRIVS PTR [eax]).attributes, 2
    invoke AdjustTokenPrivileges, hdlTokenHandle, 0, ADDR tkp,\
           SizeOf tkpNewButIgnored, ADDR tkpNewButIgnored, ADDR lBufferNeeded
AdjTokDone:
    ret
Kill_AdjustToken endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
start:
    mov  edi, OFFSET pName
    mov  [pszParam], edi
    mov  [uProcess.dwSize], sizeof uProcess         ; sizeof uProcess = 128h
    invoke CreateToolhelp32Snapshot, 2, 0
    mov  [hSnapshot], eax                           ; eax = 7e8h
    invoke Process32First, eax, ADDR uProcess       ; eax = 1
    .while eax
        xor  ecx, ecx
        lea  edi, [uProcess.szExeFile]              ; name of the process found
        mov  ebx, edi
        dec  ebx                                    ; ebx = one byte before the name
        invoke lstrlen, edi
        add  edi, eax                               ; edi = end of the name
        .while edi != ebx                           ; walk back through the name
            invoke lstrcmpi, edi, [pszParam]        ; edi = tail of the name found
            .if !eax
                invoke Kill_AdjustToken
                invoke OpenProcess, PROCESS_TERMINATE, 1, [uProcess.th32ProcessID]
                invoke TerminateProcess, eax, 0
                .if eax != 0
                    invoke MessageBox, NULL, chr$("Killed the Process"), chr$("--- test ---"), MB_OK or MB_ICONASTERISK
                    jmp  done
                .endif
                invoke MessageBox, NULL, chr$("Can't kill the Process"), chr$("--- test ---"), MB_OK or MB_ICONSTOP
                jmp  done
            .endif
            dec  edi
        .endw
        invoke Process32Next, [hSnapshot], ADDR uProcess    ; eax = 1, ecx = ADDR of next process
    .endw
    invoke MessageBox, NULL, chr$("Nothing Process to be selected"), chr$("--- test ---"), MB_OK or MB_ICONWARNING
done:
    invoke CloseHandle, [hSnapshot]
    invoke ExitProcess, eax
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end start
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
:make
set name=killproc1
\masm32\bin\ml /c /coff %name%.bat
\masm32\bin\Link /subsystem:windows %name%.obj
if exist %name%.obj del %name%.obj
if exist %name%.bak del %name%.bak
If a proc were as powerful as The Dude of Dudes's MemPhys Editor, then we would often have to power off our PC and reinstall all the data we had backed up.
Really?
The "hiding processes" technique is a rootkit technique; if we talk about it, hutch-- will shoot us.
Thanks for the code, but I already knew how to kill it. Just add debug privileges to your program and you can kill everything.
As for the technique, I now know where to look for it (got an email). I'm going to start learning it myself now too (kernel driver writing).
Very nice