
Puzzle: Big Brother is watching you...

 
- Page 1 -


Notice: As of Windows 2000, Microsoft has introduced mandatory registration for processes! Every user process is required to state its detailed whereabouts immediately on request! On refusal, all rights can be withdrawn and the whereabouts determined by the police!

Attached is a small police program on this topic.

My question: how does it do that?

As a reward for guessing there's lovely, tasty source code...

609 kB
Short description: Big Brother - mandatory registration for processes, Version 3
Uploaded: 10/10/06
Download counter: 88
Download
 
10/09/06  
 



 
- Page 3 -



Sebastian König
[quote]No, you misunderstood - my program is not a driver. That's not possible with Profan either. Only someone who can write drivers has an easier time with the solution. More precisely, it is a hint about the DLL in which the API I use there lives... a very good hint, with which the puzzle can probably be solved without any problems.[/quote]OK, then I'll guess one of the Nt... or Zw... functions in the NTDLL - but there really are a great many of them...

Or is the directory possibly located at a fixed address and can simply be read with ReadProcessMemory()?

Regards,

Sebastian
 
Windows XP, XProfan/Profan² 4.5 to 11
Profan2Cpp homepage: [...]
Old Profan² page: [...]
10/10/06  
 



[quote=Sebastian König][quote]No, you misunderstood - my program is not a driver. That's not possible with Profan either. Only someone who can write drivers has an easier time with the solution. More precisely, it is a hint about the DLL in which the API I use there lives... a very good hint, with which the puzzle can probably be solved without any problems.[/quote]OK, then I'll guess one of the Nt... or Zw... functions in the NTDLL - but there really are a great many of them...

Or is the directory possibly located at a fixed address and can simply be read with ReadProcessMemory()?

Regards,

Sebastian[/quote]
Re 1: 100 points.

Re 2: 50% correct!

It's coming along!
 
10/10/06  
 




Sebastian König
OK, I have just done the following:

- Started Big Brother.exe
- Attached the Visual Studio debugger to the Big Brother process
- Paused the process in the debugger
- Looked up where the NTDLL module sits in memory
- Set a breakpoint at exactly that address
- Resumed the process
- Clicked the button in the program, then OK, etc...

Result: see the image in the attachment

I'm not entirely sure why this has exactly this effect. I suspect that adding the breakpoint somehow shifts or overwrites memory and then nothing is correct any more.

Anyway - let's see what can be done with the function...

Regards,

Sebastian

31 kB
Uploaded: 10/10/06
Download counter: 61
Download
 
Windows XP, XProfan/Profan² 4.5 to 11
Profan2Cpp homepage: [...]
Old Profan² page: [...]
10/10/06  
 



I told you, it's coming along!

Let's see what you find there...
 
10/10/06  
 




Sebastian König
For a kind of brute-force method I have now prepared the following code:
!$H windows.ph
Cls
declare id&
print "ID:",
input id&
declare hProcess&
' Open the target process by its ID (the full access mask of the original post is kept)
let hProcess& = ~OpenProcess(~PROCESS_ALL_ACCESS,0,id&)
print hProcess&
declare pMem#,size&
dim pMem#,2048
clear pMem#

' Try every information class 0..50 with the same 2048-byte buffer;
' &loop is passed as the PROCESSINFOCLASS value, size& receives ReturnLength
whileloop 0,50

    if External("NTDLL.DLL","ZwQueryInformationProcess",hProcess&,&loop,pMem#,SizeOf(pMem#),Addr(size&)) = 0

        print "OK:",&loop,"-",size&,"Bytes gültig"

        ' Dump every second byte - maybe a Unicode string?
        whileloop 0,150,2

            print chr$(byte(pMem#,&loop));

        wend

        print

    endif

wend

dispose pMem#
case hProcess& <> 0 : ~CloseHandle(hProcess&)
WaitKey
end

For two values of &loop the function does not fail for me: 10 (= ProcessLdtInformation) and 27 (= ProcessImageFileName).

The result for 27 is nice, but not interesting, I think.

So that leaves 10: but what is ProcessLdtInformation? And what is in these 8 bytes that it can read there?



P.S.: I took the names for the values from ntddk.h
 
Windows XP, XProfan/Profan² 4.5 to 11
Profan2Cpp homepage: [...]
Old Profan² page: [...]
10/10/06  
 



Not bad at all - but with both InformationClasses you're on the wrong track.

[quote]
ProcessLdtInformation: Based on the name, this enum should cause NtQueryInformationProcess to return information about LDT entries for the specified process. Since most Win32 processes don't use the LDT, this enum is of limited use. In my testing, I was unable to get the API to return any LDT-related information for any process (even NTVDM).
[/quote]
 
10/10/06  
 



Since this is a puzzle that some computer science professors would probably break their teeth on, I'll make it a little easier once more:

Hint 5: You are missing a keyword - a keyword that I used in a posting here recently.

Hint 6: The solution lies within the first 9 InformationClasses.
 
10/10/06  
 




Sebastian König
[quote]Not bad at all - but with both InformationClasses you're on the wrong track.[/quote]
Hmm, strange... with all the other InformationClasses the call fails, though, even if I set id& = ~GetCurrentProcessId(). I have tried all values up to 100...
 
Windows XP, XProfan/Profan² 4.5 to 11
Profan2Cpp homepage: [...]
Old Profan² page: [...]
10/10/06  
 



[quote=Sebastian König]Hmm, strange... with all the other InformationClasses the call fails, though, even if I set id& = ~GetCurrentProcessId(). I have tried all values up to 100...[/quote]
That's because your approach is slightly wrong. ZwQueryInformationProcess is a really nasty function - the size of the structure given in parameter 4 must match exactly, otherwise it goes wrong.
 
10/10/06  
 




Sebastian König
[quote]That's because your approach is slightly wrong. ZwQueryInformationProcess is a really nasty function - the size of the structure given in parameter 4 must match exactly, otherwise it goes wrong.[/quote]
Aaah - yes, thanks! I had assumed that you only need to provide enough space and get the required size returned via the 5th parameter (which evidently is the case for 10 and 27).

With space for just a single LongInt the picture already looks quite different: 11 working values. Let's see whether there is something useful among them...
 
Windows XP, XProfan/Profan² 4.5 to 11
Profan2Cpp homepage: [...]
Old Profan² page: [...]
10/10/06  
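The size rule stated above ("parameter 4 must match exactly") and the probe loop Sebastian posted earlier, as an added Python/ctypes example that is not code from the thread: it calls NtQueryInformationProcess (the exported name; in user mode ZwQueryInformationProcess is the same ntdll entry point) first with the thread's 2048-byte buffer and then with the exact size of the class 0 structure, so the STATUS_INFO_LENGTH_MISMATCH behaviour that defeated the brute-force loop is visible, and it then parses the result. The PROCESSINFOCLASS numbers and the PROCESS_BASIC_INFORMATION layout are the documented ones from ntddk.h/winternl.h; the helper names, the dictionary keys and the choice of PROCESS_QUERY_INFORMATION instead of PROCESS_ALL_ACCESS are my own. The ntdll calls run only on Windows; the size and status helpers are platform-independent.

```python
import ctypes
import sys

# PROCESSINFOCLASS values as named in ntddk.h (the header the thread took its names from)
ProcessBasicInformation = 0
ProcessLdtInformation = 10
ProcessImageFileName = 27

STATUS_SUCCESS = 0x00000000
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004   # what a wrong ProcessInformationLength earns you

PROCESS_QUERY_INFORMATION = 0x0400          # enough for class 0; PROCESS_ALL_ACCESS is not needed


class PROCESS_BASIC_INFORMATION(ctypes.Structure):
    """Layout of the class 0 result (winternl.h); the pointer-sized fields make
    it 24 bytes on 32-bit and 48 bytes on 64-bit Python."""
    _fields_ = [
        ("ExitStatus", ctypes.c_long),                      # NTSTATUS
        ("PebBaseAddress", ctypes.c_void_p),                # PPEB
        ("AffinityMask", ctypes.c_size_t),                  # ULONG_PTR
        ("BasePriority", ctypes.c_long),                    # KPRIORITY
        ("UniqueProcessId", ctypes.c_size_t),               # ULONG_PTR
        ("InheritedFromUniqueProcessId", ctypes.c_size_t),  # ULONG_PTR: parent PID
    ]


def ntstatus(value):
    """The API returns a signed LONG; view it as the unsigned NTSTATUS the constants use."""
    return value & 0xFFFFFFFF


def fixed_size_for(info_class):
    """Exact ProcessInformationLength a fixed-size class expects, or None for a
    variable-length class such as ProcessImageFileName (a UNICODE_STRING plus its
    characters), which is why an oversized 2048-byte buffer happened to work for 27."""
    fixed = {ProcessBasicInformation: ctypes.sizeof(PROCESS_BASIC_INFORMATION)}
    return fixed.get(info_class)


def describe_status(status):
    """Human-readable name for the two statuses this probe cares about."""
    names = {
        STATUS_SUCCESS: "STATUS_SUCCESS",
        STATUS_INFO_LENGTH_MISMATCH:
            "STATUS_INFO_LENGTH_MISMATCH: parameter 4 is not the size this class expects",
    }
    return names.get(ntstatus(status), "NTSTATUS 0x%08X" % ntstatus(status))


def try_length(info_class, length, pid=None):
    """Windows only: call NtQueryInformationProcess for `pid` (None = this process)
    with a `length`-byte buffer; return (unsigned NTSTATUS, ReturnLength, buffer bytes).
    This is the thread's probe loop done one call at a time, so a caller can
    compare an oversized buffer against the exact size."""
    if sys.platform != "win32":
        raise OSError("ntdll.dll is only available on Windows")
    ntdll, kernel32 = ctypes.WinDLL("ntdll"), ctypes.WinDLL("kernel32")
    nt_query = ntdll.NtQueryInformationProcess
    nt_query.restype = ctypes.c_long
    nt_query.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p,
                         ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
    kernel32.OpenProcess.restype = ctypes.c_void_p
    kernel32.OpenProcess.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]

    if pid is None:
        handle, opened = kernel32.GetCurrentProcess(), False   # pseudo-handle, never closed
    else:
        handle, opened = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, 0, pid), True
        if not handle:
            raise ctypes.WinError()
    try:
        buf = ctypes.create_string_buffer(length)
        returned = ctypes.c_ulong(0)
        status = nt_query(handle, info_class, buf, length, ctypes.byref(returned))
        return ntstatus(status), returned.value, buf.raw
    finally:
        if opened:
            kernel32.CloseHandle(handle)


def query_basic_information(pid=None):
    """Windows only: class 0 with the exact size, parsed into the interesting fields
    (parent PID and PEB address are what process-tree attribution usually wants)."""
    size = fixed_size_for(ProcessBasicInformation)
    status, returned, raw = try_length(ProcessBasicInformation, size, pid)
    if status != STATUS_SUCCESS:
        raise OSError(describe_status(status))
    pbi = PROCESS_BASIC_INFORMATION.from_buffer_copy(raw)
    return {"pid": pbi.UniqueProcessId,
            "parent_pid": pbi.InheritedFromUniqueProcessId,
            "peb": pbi.PebBaseAddress,
            "returned_length": returned}


if __name__ == "__main__":
    if sys.platform == "win32":
        exact = fixed_size_for(ProcessBasicInformation)
        for length in (2048, exact):     # the thread's buffer size, then the exact one
            status, returned, _ = try_length(ProcessBasicInformation, length)
            print("length %4d -> %s (ReturnLength %d)" % (length, describe_status(status), returned))
        print(query_basic_information())
    else:
        print("class 0 expects exactly %d bytes on this build" % fixed_size_for(ProcessBasicInformation))
```

Run on Windows, the first call with 2048 bytes reports STATUS_INFO_LENGTH_MISMATCH and the second, with ctypes.sizeof(PROCESS_BASIC_INFORMATION), succeeds, which is exactly the difference between the 2048-byte loop and the "space for a single LongInt" retry in the thread. Opening another process only needs PROCESS_QUERY_INFORMATION for this class, so the example asks for that rather than PROCESS_ALL_ACCESS.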
 



No, unfortunately nothing useful there, I can already say that.
 
10/10/06  
 



So, I just wanted to say once more:
Guessing along pays off! Everyone who joins in the guessing here (no matter whether they guess completely wrong) gets not only the source code, but lots and lots of further info on the API ZwQueryInformationProcess, which everyone can put to good use on NT systems.
 
10/10/06  
 



