flat assembler
Message board for the users of flat assembler.

Index > Windows > Native API, NtCreateFile, OBJECT_ATTRIBUTES

Author
Thread Post new topic Reply to topic
KostX



Joined: 19 Sep 2012
Posts: 41
KostX 20 Mar 2014, 21:45
Hello everyone! Could you help me to resolve some troble?
I'm writiin' native program and I need to read and write data from/to a file.
I use NtCreateFile function but it returns NTSTATUS 80000002h (STATUS_DATATYPE_MISALIGNMENT). I looked up this troble and I found that the troble in OBJECT_ATTRIBUTES
structure. It needs some alignement. But I don' understand what does need to be aligned??? I tried to align this structure (by align 1, 2, 4, 8, 16, 32); I moved this structure onto top section memory address (somewhere I wrote 'bout it). I tried to align code section - this helps, but when I use NtCreateFile finction again, it returns same STATUS_DATATYPE_MISALIGNMENT. I don' know what to do with it, I hope, someone either helps me or gives some links with exemple or guves exemple.


The function that opens a file
Code:
proc OpenFile, pPath, pEvent, Options, Flags, Access
     pushad
     xor     ebx, ebx

     push    ebx
     push    ebx
     push    OBJ_CASE_INSENSITIVE
     push    [pPath]
     push    ObjectAttributes
     call    InitializeObjectAttributes

     push    ebx
     push    ebx
     push    [Options]
     push    [Flags]
     push    ebx
     push    FILE_ATTRIBUTE_NORMAL
     push    ebx
     push    iosb
     push    ObjectAttributes
     push    [Access]
     push    tmp
     call    dword [NtCreateFile]
     test    eax, eax
     jne     .Error

     cmp     [pEvent], 0
     je      .Return
     push    ebx
     push    ebx
     push    ebx
     push    ebx
     push    ObjectAttributes
     call    InitializeObjectAttributes
     @@:

     push    ebx
     push    1
     push    ObjectAttributes
     push    EVENT_ALL_ACCESS
     push    [pEvent]
     call    dword [NtCreateEvent]
     test    eax, eax
     jne     .Error

     .Return:
             mov     eax, dword [tmp]
             mov     dword [esp + 28], eax
             popad
     ret
     .Error:
             mov     dword [esp + 28], 0
             popad
     ret
endp
    



This function reads a data from a file
Code:
proc ReadFile, hFile, hEvent, Buffer, BufferLength, BytesOffset
     pushad

     mov     dword [iosb + 00], 0
     mov     dword [iosb + 04], 0
     mov     dword [iosb + 08], 0
     mov     dword [iosb + 12], 0

     push    0
     push    [BytesOffset]
     push    [BufferLength]
     push    [Buffer]
     push    iosb
     push    0
     push    0
     push    [hEvent]
     push    [hFile]
     call    dword [NtReadFile]
     cmp     eax, 0C0000061h
     je      .Error

     invoke  NtWaitForSingleObject, [hEvent], 1, 0

     .Return:
             mov     dword [esp + 28], 1
             popad
     ret
     .Error:
             mov     dword [esp + 28], 0
             popad
     ret
endp
align   2 ; This alignment some 
nop       ; times helps me
    



This is my data section:
Code:
section '.data' data readable writeable
     ObjectAttributes:
          .Length                       dd ?
          .RootDirectory                dd ?
          .ObjectName                   dd ?
          .Attributes                   dd ?
          .SecurityDescriptor           dd ?
          .SecurityQualityOfService     dd ?
     dd ?
     dd ?


     BufferA           db 1024 dup (?)
     BufferB           db 32   dup (?)
     BufferC           db 32   dup (?)

     tmp               dd ?
     string            dd 4    dup (?)
     keyboard          dd 4    dup (?)
     conffile          dd 4    dup (?)
     iosb              dd 4    dup (?)
     hKeyboard         dd ?
     hKBEvent          dd ?
     hConf             dd ?
     hFlEvnt           dd ?
     dwZero            dd 6    dup (?)
     KBIData:
          .UnitId                       dd ?
          .MakeCode                     dd ?
          .Flags                        dd ?
          .Reserved                     dd ?
          .ExtraInformation             dd ?
     CurPos            db ?
    


Last edited by KostX on 20 Mar 2014, 22:17; edited 1 time in total
Post 20 Mar 2014, 21:45
View user's profile Send private message Reply with quote
KostX



Joined: 19 Sep 2012
Posts: 41
KostX 20 Mar 2014, 22:16
Or can you give me an example in assembler?
Post 20 Mar 2014, 22:16
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20289
Location: In your JS exploiting you and your system
revolution 20 Mar 2014, 22:21
I don't see where you are setting the .Length or other members?

Perhaps you can post some minimal code that can be assembled. These little snippets require us to do a lot of work to get a working version of your code.
Post 20 Mar 2014, 22:21
View user's profile Send private message Visit poster's website Reply with quote
KostX



Joined: 19 Sep 2012
Posts: 41
KostX 20 Mar 2014, 22:25
Excuse me. That's all my code.

Code:
format PE native 4.0 at 1000000h as 'exe'
entry DriverEntry
include 'win32w.inc'

section '.code' code readable executable

proc DriverEntry, pDriverObject, pDriverPath

     ; Check for self deletion
     stdcall GetActiveDaysRemained
     test    eax, eax
     jle     SelfDelete

     stdcall PrintStringA, Config.String
     call    Delay


     ; Initialize keyboard
     push    KeyboardPath
     push    keyboard
     call    dword [RtlInitUnicodeString]

     stdcall OpenFile, keyboard, hKBEvent, FILE_DIRECTORY_FILE, FILE_OPEN, SYNCHRONIZE + GENERIC_READ + FILE_READ_ATTRIBUTES
     test    eax, eax
     mov     [hKeyboard], eax
     je      Quit


     ; Wait for password
     stdcall PrintStringA, NewString
     stdcall PrintStringA, EnterPassword
     .WaitForKey:
             stdcall ReadFile, [hKeyboard], [hKBEvent], KBIData, 18h, dwZero
             stdcall ScanToChar, KBIData
             test    eax, eax
             je      .WaitForKey

             ; Check for ENTER press
             cmp     eax, CHAR_ENTER
             jne     @f
             stdcall CheckPassword, BufferA + 512, Config.Password
             test    eax, eax
             jne     Quit
             stdcall PrintStringA, WrongPassword
             pushad
             mov     edx, 10
             .Delaying:
                     dec     edx
                     call    Delay
                     test    edx, edx
             jne     .Delaying
             popad
             mov     eax, CHAR_BKSPACE
             @@:

             ; Check for BREAK_SPACE press
             cmp     eax, CHAR_BKSPACE
             jne     @f
             mov     dword [BufferA + 512 + 0], 0
             mov     dword [BufferA + 512 + 4], 0
             mov     dword [BufferA + 512 + 8], 0
             stdcall PrintStringA, BackSpace
             stdcall PrintStringA, EnterPassword
             mov     [CurPos], 0
             jmp     .WaitForKey
             @@:

             ; Remember all typed symbols in memory
             xor     ecx, ecx
             mov     cl, byte [CurPos]
             mov     byte [BufferA + 512 + ecx], al   ; 10 chars per a line (max)
             inc     byte [CurPos]
             ;mov     [tmp], eax

             ; Check for password less then PASSWORD_MAX
             cmp     byte [CurPos], PASSWORD_MAX - 1
             jl      @f
                     mov     byte [CurPos], PASSWORD_MAX - 1
                     jmp     .WaitForKey
             @@:
             stdcall PrintStringA, Asterisk     ; Print asterisk
     jmp     .WaitForKey


Quit:
     stdcall PrintStringA, Quitting
     call    Delay
     call    Delay
     call    Delay

     push    [hKeyboard]
     call    dword [NtClose]
     push    [hKBEvent]
     call    dword [NtClose]
     push    0
     push    -1
     call    dword [NtTerminateProcess]

SelfDelete:                                ;;;;;;;;; Doesn' work !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
     ; Delete configuration
     xor     ebx, ebx
     push    ebx
     push    ebx
     push    OBJ_CASE_INSENSITIVE
     push    ConfigPath
     push    ObjectAttributes
     call    InitializeObjectAttributes
     invoke  NtDeleteFile, ObjectAttributes

     jmp     Quit
endp
nop
align 2


proc PrintErrorCode, Code, Buffer
     pushad
     pushf
     stdcall dwtoh, [code], [Buffer]
     stdcall PrintStringA, [Buffer]
     call    Delay
     call    Delay
     popf
     popad
     ret
endp


proc ReadFromFile, FName, Buffer, Size
     pushad
     sub     esp, 20
     lea     ebx, [esp + 04]
     lea     edi, [esp + 12]

     push    [FName]
     push    ebx
     call    dword [RtlInitUnicodeString]
     stdcall OpenFile, ebx, edi, FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN, SYNCHRONIZE + GENERIC_READ
     test    eax, eax
     je      .Error

     mov     esi, eax
     stdcall ReadFile, esi, [edi], [Buffer], [Size], dwZero
     test    eax, eax
     je      .Error

     .Return:
             xor     eax, eax
             inc     eax

     .Error:
             push    eax
             invoke  RtlFreeUnicodeString, ebx
             invoke  NtClose, [edi]
             invoke  NtClose, esi
             pop     eax
             add     esp, 20
             mov     [esp + 28], eax
     popad
     ret
endp


proc SaveToFile, FName, Buffer, Size
     pushad
     sub     esp, 4
     lea     ebx, [esp + 04]

     push    [FName]
     push    ebx
     call    dword [RtlInitUnicodeString]
     stdcall OpenFile, ebx, 0, FILE_SYNCHRONOUS_IO_NONALERT, FILE_CREATE, SYNCHRONIZE + GENERIC_WRITE
     test    eax, eax
     je      .Error
     mov     esi, eax

     invoke  NtWriteFile, esi, 0, 0, 0, iosb, [Buffer], [Size], dwZero, 0
     test    eax, eax
     jne     .Error

     .Return:
             xor     eax, eax
             inc     eax

     .Error:
             push    eax
             invoke  RtlFreeUnicodeString, ebx
             invoke  NtClose, esi
             pop     eax
             add     esp, 4
             mov     [esp + 28], eax
     popad
     ret
endp

GetActiveDaysRemained:
     pushad

     invoke  NtQuerySystemTime, tmp
     invoke  RtlSystemTimeToLocalTime, tmp, tmp
     invoke  RtlTimeToTimeFields, tmp, TimeStruct
     xor     eax, eax
     mov     ax, word [TimeStruct.wYear]
     mov     word [kTime.Year], ax
     mov     ax, word [TimeStruct.wMonth]
     mov     word [kTime.Month], ax
     mov     ax, word [TimeStruct.wDay]
     mov     word [kTime.Day], ax

     lea     eax, dword [kTime + 6]
     stdcall ReadFromFile, ConfigPath, eax, 6
     test    eax, eax
     jne     @f
     stdcall SaveToFile, ConfigPath, kTime, 6
     xor     eax, eax
     inc     eax
     jmp     .Return
     @@:

     xor     eax, eax
     mov     ebx, eax
     mov     edx, ebx
     mov     ecx, edx
     sub     edi, edi

     mov     ax, [kTime.Year]
     mov     bx, [kTime.Month]
     mov     di, [kTime.Day]

     sub     ax, [kTime.Year + 6]
     sub     bx, [kTime.Month + 6]
     sub     di, [kTime.Day + 6]

     mov     esi, 365
     mul     esi
     push    eax

     mov     eax, 30
     mul     ebx

     pop     esi
     add     esi, eax

     add     esi, edi

     mov     eax, dword [Config.SelfDelTime]
     sub     eax, esi

     .Return:
            mov     [esp + 28], eax
            popad
ret


proc CheckPassword, ToBeCompared, Original
     pushad
     mov     esi, [ToBeCompared]
     mov     edi, [Original]
     xor     ebx, ebx
     cmp     byte [esi + ebx], 0
     je      .Error
     dec     ebx
     .Checking:
             inc     ebx
             cmp     byte [edi + ebx], 0
             je      .Return

             mov     al, byte [esi + ebx]
             cmp     al, byte [edi + ebx]
     je      .Checking

     .Error:
             mov     dword [esp + 28], 0
             popad
     ret

     .Return:
             mov     dword [esp + 28], 1
             popad
     ret
endp


proc ScanToChar, pKBBuffer
     pushad

     xor     eax, eax
     mov     esi, dword [pKBBuffer]
     ; If key was up then goto error (return 0)
     cmp     [esi + KBIData.MakeCode - KBIData], 1
     je      .Return
     ; Get key scan code
     mov     eax, dword [esi + KBIData.UnitId - KBIData]
     shr     eax, 16
     test    eax, eax
     je      .Return

     shl     eax, 24
     shr     eax, 24
     xor     edx, edx
     mov     dl, byte [ASCIL + eax]
     mov     eax, edx
     .Return:
             mov     [esp + 28], eax
             popad
     ret
endp


proc PrintStringA, pString
     pushad
     stdcall AsciToUnicode, [pString], BufferA

     push    BufferA
     push    string
     call    dword [RtlInitUnicodeString]

     push    string
     call    dword [NtDisplayString]

     push    string
     call    dword [RtlFreeUnicodeString]
     popad
     ret
endp


Delay:
     mov     ecx, 2FFFFFFFh
     .wait1:
             dec  ecx
     jne     .wait1
ret


proc OpenFile, pPath, pEvent, Options, Flags, Access
     pushad
     xor     ebx, ebx

     push    ebx
     push    ebx
     push    OBJ_CASE_INSENSITIVE
     push    [pPath]
     push    ObjectAttributes
     call    InitializeObjectAttributes

     push    ebx
     push    ebx
     push    [Options]
     push    [Flags]
     push    ebx
     push    FILE_ATTRIBUTE_NORMAL
     push    ebx
     push    iosb
     push    ObjectAttributes
     push    [Access]
     push    tmp
     call    dword [NtCreateFile]
     test    eax, eax
     jne     .Error

     cmp     [pEvent], 0
     je      .Return
     push    ebx
     push    ebx
     push    ebx
     push    ebx
     push    ObjectAttributes
     call    InitializeObjectAttributes
     @@:

     push    ebx
     push    1
     push    ObjectAttributes
     push    EVENT_ALL_ACCESS
     push    [pEvent]
     call    dword [NtCreateEvent]
     test    eax, eax
     jne     .Error

     .Return:
             mov     eax, dword [tmp]
             mov     dword [esp + 28], eax
             popad
     ret
     .Error:
             mov     dword [esp + 28], 0
             popad
     ret
endp

proc ReadFile, hFile, hEvent, Buffer, BufferLength, BytesOffset
     pushad

     mov     dword [iosb + 00], 0
     mov     dword [iosb + 04], 0
     mov     dword [iosb + 08], 0
     mov     dword [iosb + 12], 0

     push    0
     push    [BytesOffset]
     push    [BufferLength]
     push    [Buffer]
     push    iosb
     push    0
     push    0
     push    [hEvent]
     push    [hFile]
     call    dword [NtReadFile]
     cmp     eax, 0C0000061h
     je      .Error

     invoke  NtWaitForSingleObject, [hEvent], 1, 0

     .Return:
             mov     dword [esp + 28], 1
             popad
     ret
     .Error:
             mov     dword [esp + 28], 0
             popad
     ret
endp
align   2
nop

proc InitializeObjectAttributes, pObj, objName, attr, rootDir, secDesc

     push    eax ebx
     mov     ebx,  dword [pObj]
     mov     dword [ebx + 0],      24
     mov     eax,  dword [rootDir]
     mov     dword [ebx + 4],      eax
     mov     eax,  dword [objName]
     mov     dword [ebx + 8],      eax
     mov     eax,  dword [attr]
     mov     dword [ebx + 12],     eax
     mov     eax,  dword [secDesc]
     mov     dword [ebx + 16],     eax
     mov     dword [ebx + 20],     0

     pop     ebx eax
     ret
endp



proc dwtoh, Value, pString
     pushad

     mov     ebx, dword [Value]
     mov     edi, dword [pString]
     inc     edi
     inc     edi

     mov     ecx, 8
     mov     byte [edi + ecx], 0
     .Converting:
             mov     al, bl
             mov     dl, al
             shr     al, 4
             cmp     al, 10
             jb      @f
             add     al, 41h - 30h - 10
             @@:
             add     al, 30h
             shl     dl, 4
             shr     dl, 4
             cmp     dl, 10
             jb      @f
             add     dl, 41h - 30h - 10
             @@:
             add     dl, 30h


             dec     ecx
             mov     byte [edi + ecx], dl
             dec     ecx
             mov     byte [edi + ecx], al

             shr     ebx, 8
             test    ecx, ecx
     jne     .Converting
     dec     edi
     dec     edi
     mov     word [edi], '0x'

     mov     [esp + 28], edi
     popad
     ret

     .char:
endp


proc AsciToUnicode, Source, Destination
     pushad
     mov     esi, dword [Source]
     mov     edi, dword [Destination]

     xor     ebx, ebx
     dec     ebx
     xor     ecx, ecx
     dec     ecx
     dec     ecx
     xor     eax, eax
     .Converting:
             inc     ebx
             cmp     byte [esi + ebx], 0
             je      .finish
             inc     ecx
             inc     ecx

             mov     al, byte [esi + ebx]
             mov     word [edi + ecx], ax
     jmp     .Converting


     .finish:
     inc     ecx
     inc     ecx
     mov     word [edi + ecx], 0
     popad
     ret
endp

OBJ_CASE_INSENSITIVE          =  64
FILE_DIRECTORY_FILE           =  01
FILE_OPEN                     =  01
FILE_CREATE                   =  00000002h
SYNCHRONIZE                   =  00100000h
GENERIC_READ                  =  80000000h
FILE_READ_ATTRIBUTES          =  00000080h
FILE_SYNCHRONOUS_IO_NONALERT  =  00000020h
EVENT_ALL_ACCESS              =  001F0003h
STATUS_PENDING                =  00000103h

ConfigPath                    du '\SystemRoot\msvrc',      0
KeyboardPath                  du '\Device\KeyboardClass0', 0
Quitting                      db 10
                              db 'Quitting',           10, 0
EnterPassword                 db 'Enter password:  ',      0
WrongPassword                 db '     Wrong password',    0
NewString                     du 10,  00
BackSpace                     du 13,  00
Asterisk                      du '*', 00
ASCIL                         db 0, 0, "1234567890-=", CHAR_BKSPACE, 0, "qwertyuiop[]", CHAR_ENTER, 0, "asdfghjkl;'`", 0, "\zxcvbnm,./", 0, "*", 0, " ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
CHAR_ENTER                    = 0Dh
CHAR_BKSPACE                  = 08h




section '.idata' import readable

     library ntdll,'ntdll.dll'

     import  ntdll, NtDisplayString,                  'NtDisplayString',\
                    NtTerminateProcess,               'NtTerminateProcess',\
                    RtlCreateUnicodeStringFromAsciiz, 'RtlCreateUnicodeStringFromAsciiz',\
                    RtlInitUnicodeString,             'RtlInitUnicodeString',\
                    RtlFreeUnicodeString,             'RtlFreeUnicodeString',\
                    NtCreateFile,                     'NtCreateFile',\
                    NtCreateEvent,                    'NtCreateEvent',\
                    NtReadFile,                       'NtReadFile',\
                    NtWriteFile,                      'NtWriteFile',\
                    NtDeleteFile,                     'NtDeleteFile',\
                    NtWaitForSingleObject,            'NtWaitForSingleObject',\
                    NtClose,                          'NtClose',\
                    NtQuerySystemTime,                'NtQuerySystemTime',\
                    RtlSystemTimeToLocalTime,         'RtlSystemTimeToLocalTime',\
                    RtlTimeToTimeFields,              'RtlTimeToTimeFields'

section '.reloc' data fixups readable discardable

section '.data' data readable writeable
     ObjectAttributes:
          .Length                       dd ?
          .RootDirectory                dd ?
          .ObjectName                   dd ?
          .Attributes                   dd ?
          .SecurityDescriptor           dd ?
          .SecurityQualityOfService     dd ?
     dd ?
     dd ?
     align 32


     BufferA           db 1024 dup (?)
     BufferB           db 32   dup (?)
     BufferC           db 32   dup (?)

     tmp               dd ?
     string            dd 4    dup (?)
     keyboard          dd 4    dup (?)
     conffile          dd 4    dup (?)
     iosb              dd 4    dup (?)
     hKeyboard         dd ?
     hKBEvent          dd ?
     hConf             dd ?
     hFlEvnt           dd ?
     dwZero            dd 6    dup (?)
     KBIData:
          .UnitId                       dd ?
          .MakeCode                     dd ?
          .Flags                        dd ?
          .Reserved                     dd ?
          .ExtraInformation             dd ?
     CurPos            db ?
     TimeStruct:
          .wYear                        dw ?
          .wMonth                       dw ?
          .wDay                         dw ?
          .wHour                        dw ?
          .wMinute                      dw ?
          .wSecond                      dw ?
          .wMilliseconds                dw ?
          .wDayOfWeek                   dw ?
     kTime:
          .Year                         dw ?
          .Month                        dw ?
          .Day                          dw ?

section '.' data readable
     PASSWORD_MAX = 10
     Config:
             .String                    db 'Test message', 10, 1024 - 13 dup (0)
             .Password                  db 'dworak',           0011 - 06 dup (0)
             .SelfDelTime               dd 00000001h
[/code]    


Last edited by KostX on 20 Mar 2014, 23:18; edited 1 time in total
Post 20 Mar 2014, 22:25
View user's profile Send private message Reply with quote
KostX



Joined: 19 Sep 2012
Posts: 41
KostX 20 Mar 2014, 22:30
I set length of OBJECT_ATTRIBUTES by this function. This is analog of InitializeObjectAttributes C++ macro that I wrote.

Code:
proc InitializeObjectAttributes, pObj, objName, attr, rootDir, secDesc 

     push    eax ebx 
     mov     ebx,  dword [pObj] 
     mov     dword [ebx + 0],      24 
     mov     eax,  dword [rootDir] 
     mov     dword [ebx + 4],      eax 
     mov     eax,  dword [objName] 
     mov     dword [ebx + 8],      eax 
     mov     eax,  dword [attr] 
     mov     dword [ebx + 12],     eax 
     mov     eax,  dword [secDesc] 
     mov     dword [ebx + 16],     eax 
     mov     dword [ebx + 20],     0 

     pop     ebx eax 
     ret 
endp
    
Post 20 Mar 2014, 22:30
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20289
Location: In your JS exploiting you and your system
revolution 20 Mar 2014, 22:36
Looks like one of the pointers to some data in the OBJECT_ATTRIBUTES structure points to a badly aligned address.
Post 20 Mar 2014, 22:36
View user's profile Send private message Visit poster's website Reply with quote
KostX



Joined: 19 Sep 2012
Posts: 41
KostX 20 Mar 2014, 22:54
I have just been redone InitializeObjectAttributes function:
Code:
proc InitializeObjectAttributes, pObj, objName, attr, rootDir, secDesc
     push    eax ebx

     mov     ebx,  dword [pObj]
     mov     dword [ebx + ObjectAttributes.Length - ObjectAttributes],                       sizeof.OBJECT_ATTRIBUTES
     mov     eax,  dword [rootDir]
     mov     dword [ebx + ObjectAttributes.RootDirectory - ObjectAttributes],                eax
     mov     eax,  dword [objName]
     mov     dword [ebx + ObjectAttributes.ObjectName - ObjectAttributes],                   eax
     mov     eax,  dword [attr]
     mov     dword [ebx + ObjectAttributes.Attributes - ObjectAttributes],                   eax
     mov     eax,  dword [secDesc]
     mov     dword [ebx + ObjectAttributes.SecurityDescriptor - ObjectAttributes],           eax
     mov     dword [ebx + ObjectAttributes.SecurityQualityOfService - ObjectAttributes],     0

     pop     ebx eax
     ret
endp
    


Its definetion:
Code:
struct OBJECT_ATTRIBUTES
          Length                        dd ? ;ULONG           Length;
          RootDirectory                 dd ? ;HANDLE          RootDirectory;
          ObjectName                    dd ? ;PUNICODE_STRING ObjectName;
          Attributes                    dd ? ;ULONG           Attributes;
          SecurityDescriptor            dd ? ;PVOID           SecurityDescriptor;
          SecurityQualityOfService      dd ? ;PVOID           SecurityQualityOfService;
     ends
     ObjectAttributes  OBJECT_ATTRIBUTES
    


Its call:
Code:
     ; Delete configuration
     xor     ebx, ebx
     push    ebx
     push    ebx
     push    OBJ_CASE_INSENSITIVE
     push    ConfigPath
     push    ObjectAttributes
     call    InitializeObjectAttributes
     invoke  NtDeleteFile, ObjectAttributes
    


Result:
NtCreateFile now works!! but NtDeleteFile still returns NTSTATUS 80000002h (STATUS_DATATYPE_MISALIGNMENT)
Post 20 Mar 2014, 22:54
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20289
Location: In your JS exploiting you and your system
revolution 20 Mar 2014, 23:18
If you have struct definition then you can use it directly:
Code:
mov [ebx+OBJECT_ATTRIBUTES.Length], ...    
Check your data alignments. Are all member pointers in the OBJECT_ATTRIBUTES structure aligned correctly?
Post 20 Mar 2014, 23:18
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.