10 replies to this topic

[sonykuccio]

Hi All, i have a really badass problem when im trying to call the NtAllocateVirtualMemory

 export from ntdll library

 

so this is the how stack Look

 

CPU Dump
Address   Hex dump                                         ASCII
0018FB40                          BC 00 00 00|00 00 40 00|         .....@.
0018FB50  00 00 00 00|00 50 04 00|00 30 00 00|40 00 00 00| .....P..0..@...
 

BC 00 00 00 = HANDLE ProcessHandle

00 00 40 00 = Imagebase

00 00 00 00 = ULONG_PTR ZeroBits

00 50 04 00 = Size of image

00 30 00 00 = ULONG AllocationType

40 00 00 00  = ULONG Protect

 

This is how i call in ASM

 

Push 0x40
push 0x3000

 

; edi register hold many values it's a pointer to a 80 byte structure where i store all value i need

mov ecx,dword[edi] ; 'PE signature'
mov ecx,dword[ecx+0x50] ;SizeOfImage
push ecx

 

push 0

push dword[edi+4];IMAGEBASE

 

mov ecx,dword[edi+8]
push dword[ecx] ;tPROCESS_INFORMATION

call eax ; eax Hold Ntdll NtAllocateVirtualMemory pointer

 

and i always get this hex error -3ffffffb i think is STATUS_ACCESS_DENIED or STATUS_ACCESS_VIOLATION

 

so what im doing wrong? thanks !

 

 

 

 

 

 

 

[LeFF]

Quote

-3ffffffb

what is that? how do you even got this strange value? get an unsigned hexdecimal value from eax (or from PEB->LastNtStatus) and find it in

Please Login or Register to see this Hidden Content

...

[sonykuccio]

I got  0xC0000005 STATUS_ACESS_VIOLATION

[LeFF]

try using debugger, maybe pages at imagebase are already commited/reserved...

[sonykuccio]

im using NtUnmapViewOfSection

 

wich return NT_STATUS_SUCCESS

[LeFF]

Quote

im using NtUnmapViewOfSection

just check if the pages are able to commit with debugger...

[Indy]

2nd arg: IN OUT PVOID *BaseAddress, this link. R/W access, region is free.

 

Remember the DEP(NXSEH). If it enabled(and mem not IMAGE), then exception will not be processed 

[sonykuccio]

Indy, on 27 May 2013 - 1:55 PM, said:

 

2nd arg: IN OUT PVOID *BaseAddress, this link. R/W access, region is free.

 

Remember the DEP(NXSEH). If it enabled(and mem not IMAGE), then exception will not be processed 

 

 

Yes my error was to Push the value of the imagebase, but i must push the prt to the value

 

thanks i solved !

[Hess]

If You solved it last night on shoutbox , than , I guess , this is it.

[sonykuccio]

Hess, on 28 May 2013 - 08:48 AM, said:

If You solved it last night on shoutbox , than , I guess , this is it.

was a different problem but yes i solved

[Hess]

Then , cheers !