Problem with NT/ZwOpenFile

[seeq]

Hello. Sorry for the first topic ;) Here is my problem. I am writing a litle project. My code(Ring3) must work without kernel32.dll, only ntdll functions. So in my code i need to open shared Memory maped file (MMF). I use ZwOpenSection, but i have error. After call ZwOpenFile eax==80000002h (STATUS_DATATYPE_MISALIGNMENT). If i insert a "nop" before call ZwOpenFile, then eax==0C000003B (STATUS_OBJECT_PATH_SYNTAX_BAD). It seems 1st error in aligned? Whot is wrong? Where is error?

jmp strrr
;=================================================================================
FHand               dd 0   
oa OBJECT_ATTRIBUTES <>
Unicode2_Length               dw    0012h
Unicode2_MaximumLength       dw    0014h
Unicode2_Buff               dd  0
logg3 dw  "m", "m", "f", "_", "s", "h", "a", "r", "e", 0
;=================================================================================

strrr:
    lea eax, oa
    mov (OBJECT_ATTRIBUTES ptr [eax])._Length,sizeof(OBJECT_ATTRIBUTES)
    mov (OBJECT_ATTRIBUTES ptr [eax]).RootDirectory,0
    lea ebx, logg3
    mov dword ptr [Unicode2_Buff],ebx
    lea ebx, [Unicode2_Length]
    mov (OBJECT_ATTRIBUTES ptr [eax]).ObjectName,ebx
    mov (OBJECT_ATTRIBUTES ptr [eax]).Attributes,OBJ_CASE_INSENSITIVE
    mov (OBJECT_ATTRIBUTES ptr [eax]).SecurityDescriptor,NULL
    mov (OBJECT_ATTRIBUTES ptr [eax]).SecurityQualityOfService,NULL
    push eax
    push SECTION_MAP_WRITE
    lea eax,FHand
    push eax
;   nop  ?????
    call ZwOpenSection

p.s. sorry for my english

[drizz]

how about not putting that structures in a readonly section and aligning them.

Code Select Expand


jmp strrr
;==================================
.data
align 16
...
;==================================
.code
strrr:


[seeq]

ok, i rip a pice of my project, and create a litle code:
;-----------------------------------------------------------------
.386
.model flat, stdcall  ;32 bit memory model
option casemap :none  ;case sensitive

include windows.inc
include kernel32.inc
include native.inc
includelib kernel32.lib

.data
NtDll db "ntdll.dll",0 ;our dll
ZwOpenSection_proc         db"ZwOpenSection",0
mymap         DB 'spy_share',0
;===========================================
align 4
oa OBJECT_ATTRIBUTES <>
FHand         dd 0h                        ;FileHandle
Unicode2_Length         dw   0012h
Unicode2_MaximumLength   dw   0014h
Unicode2_Buff         dd  0
logg3 dw  "s", "p", "y", "_", "s", "h", "a", "r", "e", 0
;===========================================

.data?

   hInstance HINSTANCE ?
   _ZwOpenSection            dd 0
.code

start:

   invoke GetModuleHandle,NULL
   mov      hInstance,eax
   
   invoke GetModuleHandle, addr NtDll
   invoke GetProcAddress,eax, addr ZwOpenSection_proc
   mov _ZwOpenSection,eax
   
   invoke CreateFileMapping,INVALID_HANDLE_VALUE,0,PAGE_READWRITE,0,100h,addr mymap

   int 3
   lea eax, oa
   mov (OBJECT_ATTRIBUTES ptr [eax])._Length,sizeof(OBJECT_ATTRIBUTES)
   mov (OBJECT_ATTRIBUTES ptr [eax]).RootDirectory,0
   lea ebx, logg3
   mov dword ptr Unicode2_Buff,ebx
   lea ebx, Unicode2_Length
   mov (OBJECT_ATTRIBUTES ptr [eax]).ObjectName,ebx
   mov (OBJECT_ATTRIBUTES ptr [eax]).Attributes,OBJ_CASE_INSENSITIVE
   mov (OBJECT_ATTRIBUTES ptr [eax]).SecurityDescriptor,NULL
   mov (OBJECT_ATTRIBUTES ptr [eax]).SecurityQualityOfService,NULL
   push eax
   push SECTION_MAP_WRITE
   lea eax,FHand
   push eax
   call _ZwOpenSection
   
   invoke ExitProcess,0

end start
;-----------------------------------------------------------------
After call _ZwOpenSection eax==0C000003B (STATUS_OBJECT_PATH_SYNTAX_BAD). Where is ERROR?

[P1]

Ok, this is a native mode app.  It would be better for you to share what your doing.

BootExecute can be misused as well as any other feature of the OS.

Regards,  P1  :8)

[seeq]

I am writing log prg like Regmon or Filemon. I am sys programmer and this program need for work.

OK, i found my bug.
i missed RootDirectory. First need to call  NtOpenDirectoryObject for RootDirectory value.