flat assembler
Message board for the users of flat assembler.

Illusion Driver

Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)
09 Jan 2010, 07:43
The following driver is an SSDT-hooking NT kernel driver that changes the output of the ZwQueryDirectoryFile native API.

In Windows XP, it simply changes its name (it will also use the ? char!)
and if you refresh, it becomes a directory.
Only if you stop the driver service will it return to its original state.
A simple restart will delete the driver from memory.

In Windows 7 it only changes some information about the size and other fields,
but seemingly with no particular effect.

Why?

The attached screenshot shows you what it does in Windows XP.


Attachment: XP Illusion.zip (361.39 KB)
Description: Included with some screenshots in Windows XP

ouadji (Joined: 24 Dec 2008, Posts: 1081, Location: Belgium)
09 Jan 2010, 14:30
Code:
proc change_ssdt
...
lock xchg [ecx],edx
...
endp

The "lock" prefix isn't necessary.
The "lock" prefix is applied automatically here.


Quote (Intel, XCHG):
If a memory operand is referenced, the processor's locking protocol is automatically
implemented for the duration of the exchange operation.


_________________
I am not young enough to know everything (Oscar Wilde)
Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)
09 Jan 2010, 15:24
Oh, yes, thanks,
but I think that is not the cause of this problem.

Maybe the FILE_DIRECTORY_INFORMATION structures are different....
ouadji (Joined: 24 Dec 2008, Posts: 1081, Location: Belgium)
09 Jan 2010, 17:34

No, of course! I was not talking about this problem.

ouadji (Joined: 24 Dec 2008, Posts: 1081, Location: Belgium)
09 Jan 2010, 17:46

From WDK 6001.18002 (XP/Vista)


Code:
typedef struct _FILE_DIRECTORY_INFORMATION {
    ULONG NextEntryOffset;
    ULONG FileIndex;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;


You should look in the latest WDK, the one compatible with Win7,
to see if this structure is different for Win7.

Pirata Derek (Joined: 31 Oct 2008, Posts: 259, Location: Italy)
09 Jan 2010, 18:20
I also have the latest WDK for Windows XP and Vista.
I followed that documentation; in fact, in XP it works well. (I don't want to test it in Vista, it sucks for me.)

The same functionality, adapted to these structures, should work in 7, but it doesn't.
I still don't know why.

For this reason I called that driver: XP illusion....
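The hook discussed in this thread edits the buffer that ZwQueryDirectoryFile has already filled: the entries form a singly linked list chained by NextEntryOffset, and the FileName field sits at a different offset depending on the FILE_INFORMATION_CLASS the caller asked for (FileDirectoryInformation versus FileBothDirectoryInformation share the header quoted above, but not the position of FileName). The following is an added example written for this page, not the XP Illusion driver and not an explanation of the Windows 7 behaviour the thread leaves open. It is a user-mode C simulation: it builds a constructed listing (the file names "a.txt", "hideme", "b.txt", "c.txt" are made up), unlinks one entry the way a post-call hook would for the first, middle and last positions, and shows that a hook which assumes the wrong information class misreads every name and changes nothing. The struct definitions reproduce the WDK layouts with local typedefs so the example compiles without the WDK.

```c
/* Added example: walk and edit the buffer ZwQueryDirectoryFile fills, as a post-call SSDT
 * hook would. User-mode simulation on constructed data; it is not the thread's driver. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t ULONG; typedef int64_t LARGE_INTEGER; typedef uint16_t WCHAR; typedef char CCHAR;
typedef enum { FileDirectoryInformation = 1, FileBothDirectoryInformation = 3 } FILE_INFORMATION_CLASS;

typedef struct {  /* FILE_DIRECTORY_INFORMATION, as quoted from the WDK above */
    ULONG NextEntryOffset, FileIndex;
    LARGE_INTEGER CreationTime, LastAccessTime, LastWriteTime, ChangeTime, EndOfFile, AllocationSize;
    ULONG FileAttributes, FileNameLength;  /* FileNameLength is in bytes */
    WCHAR FileName[1];
} FILE_DIRECTORY_INFORMATION;

typedef struct {  /* FILE_BOTH_DIR_INFORMATION: same header, but FileName starts further in */
    ULONG NextEntryOffset, FileIndex;
    LARGE_INTEGER CreationTime, LastAccessTime, LastWriteTime, ChangeTime, EndOfFile, AllocationSize;
    ULONG FileAttributes, FileNameLength, EaSize;
    CCHAR ShortNameLength; WCHAR ShortName[12], FileName[1];
} FILE_BOTH_DIR_INFORMATION;

/* Where FileName starts is the only class-dependent part of the walk. */
static size_t name_offset(FILE_INFORMATION_CLASS cls) {
    return cls == FileBothDirectoryInformation ? offsetof(FILE_BOTH_DIR_INFORMATION, FileName)
                                               : offsetof(FILE_DIRECTORY_INFORMATION, FileName);
}

/* Compare an entry's UTF-16 name with an ASCII string; the header is common to both classes. */
static int name_equals(const uint8_t *entry, FILE_INFORMATION_CLASS cls, const char *ascii) {
    const WCHAR *name = (const WCHAR *)(entry + name_offset(cls)); size_t n = strlen(ascii);
    if (((const FILE_DIRECTORY_INFORMATION *)entry)->FileNameLength != n * sizeof(WCHAR)) return 0;
    for (size_t i = 0; i < n; i++) if (name[i] != (WCHAR)(unsigned char)ascii[i]) return 0;
    return 1;
}

/* Unlink the first entry named `ascii`; returns 1 if one was found. *len shrinks when the tail
 * is cut (a hook writes the new length to IoStatusBlock->Information). */
static int hide_entry(uint8_t *buf, size_t *len, FILE_INFORMATION_CLASS cls, const char *ascii) {
    FILE_DIRECTORY_INFORMATION *prev = NULL;
    for (size_t pos = 0; pos < *len; ) {
        FILE_DIRECTORY_INFORMATION *cur = (FILE_DIRECTORY_INFORMATION *)(buf + pos);
        ULONG next = cur->NextEntryOffset;
        if (!name_equals(buf + pos, cls, ascii)) {
            if (next == 0) break;
            prev = cur; pos += next; continue;
        }
        if (next == 0) {          /* last entry: terminate the list at prev and drop the tail */
            if (prev) prev->NextEntryOffset = 0;
            *len = pos;
        } else if (prev) {        /* middle entry: skip it; its bytes stay but become unreachable */
            prev->NextEntryOffset += next;
        } else {                  /* first entry: pull the tail to the front; inner offsets stay valid */
            memmove(buf, buf + next, *len - next); *len -= next;
        }
        return 1;
    }
    return 0;
}

/* Build a listing from ASCII names: constructed test data, not captured from a real system. */
static size_t build_listing(uint8_t *buf, size_t cap, FILE_INFORMATION_CLASS cls,
                            const char *const *names, size_t count) {
    size_t pos = 0;
    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(names[i]);
        size_t size = (name_offset(cls) + n * sizeof(WCHAR) + 7) & ~(size_t)7;  /* 8-byte aligned */
        if (pos + size > cap) return 0;
        FILE_DIRECTORY_INFORMATION *e = (FILE_DIRECTORY_INFORMATION *)(buf + pos);
        memset(e, 0, size);
        e->FileIndex = (ULONG)i; e->FileAttributes = 0x20; e->FileNameLength = (ULONG)(n * sizeof(WCHAR));
        WCHAR *dst = (WCHAR *)(buf + pos + name_offset(cls));
        for (size_t k = 0; k < n; k++) dst[k] = (WCHAR)(unsigned char)names[i][k];
        e->NextEntryOffset = (i + 1 < count) ? (ULONG)size : 0;
        pos += size;
    }
    return pos;
}

/* Walk the list as a consumer would: returns the entry count, sets *found if `ascii` is present. */
static int scan(const uint8_t *buf, size_t len, FILE_INFORMATION_CLASS cls, const char *ascii, int *found) {
    int n = 0; *found = 0;
    for (size_t pos = 0; pos < len; ) {
        ULONG next = ((const FILE_DIRECTORY_INFORMATION *)(buf + pos))->NextEntryOffset;
        n++; if (name_equals(buf + pos, cls, ascii)) *found = 1;
        if (next == 0) break;
        pos += next;
    }
    return n;
}

/* Scenario: build four entries of class `built`, let a hook that assumes class `assumed` hide
 * `target`, then read the result as `built`. Returns the entries still visible, or -1 if `target`
 * is still there or `keep` vanished. With a wrong `assumed`, the hook misreads every name. */
static int scenario(FILE_INFORMATION_CLASS built, FILE_INFORMATION_CLASS assumed, const char *target, const char *keep) {
    static const char *const names[] = { "a.txt", "hideme", "b.txt", "c.txt" };
    uint64_t raw[64]; uint8_t *buf = (uint8_t *)raw;  /* 8-byte aligned 512-byte buffer */
    int t, k;
    size_t len = build_listing(buf, sizeof raw, built, names, 4);
    hide_entry(buf, &len, assumed, target);
    int n = scan(buf, len, built, target, &t); scan(buf, len, built, keep, &k);
    return (t || !k) ? -1 : n;
}
```

Two practical points follow from the code. A hook on ZwQueryDirectoryFile has to dispatch on the FileInformationClass argument before touching the buffer, because a FILE_BOTH_DIR_INFORMATION listing parsed as FILE_DIRECTORY_INFORMATION puts EaSize and the short name where the hook expects the file name (the mismatched scenario above hides nothing for that reason). And when unlinking leaves the buffer empty, the hook cannot return an empty buffer with STATUS_SUCCESS; it has to return a status such as STATUS_NO_MORE_FILES, which this simulation only signals by leaving *len at zero.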


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
