The MASM Forum

General => The Campus => Topic started by: bomz on March 01, 2013, 08:57:42 PM

Title: ZwCreateFile 0xc0000005 STATUS_ACCESS_VIOLATION
Post by: bomz on March 01, 2013, 08:57:42 PM
Quote:
CCOUNTED_UNICODE_STRING "\\??\\x:\\i386", cusdir, 4

      InitializeObjectAttributes offset DirectoryAttrib, offset cusdir, OBJ_CASE_INSENSITIVE, NULL, NULL
      invoke ZwCreateFile, hDirectory, FILE_LIST_DIRECTORY, addr DirectoryAttrib, addr Iosb,\
      NULL, 0, FILE_SHARE_READ OR FILE_SHARE_WRITE, FILE_OPEN, FILE_DIRECTORY_FILE, NULL, 0
0xc0000005 STATUS_ACCESS_VIOLATION
Title: Re: ZwCreateFile 0xc0000005 STATUS_ACCESS_VIOLATION
Post by: bomz on March 01, 2013, 09:38:16 PM
addr hDirectory
Title: Re: ZwCreateFile 0xc0000005 STATUS_ACCESS_VIOLATION
Post by: bomz on March 02, 2013, 06:15:57 AM
Quote:
;KI_USER_SHARED_DATA   equ 0ffdf0000h
SharedUserData      equ KI_USER_SHARED_DATA

assume ebx: ptr KUSER_SHARED_DATA
mov ebx, KI_USER_SHARED_DATA
               invoke RtlInitUnicodeString, addr dllpath, addr [ebx].NtSystemRoot;KI_USER_SHARED_DATA+30h
assume ebx:NOTHING
????
Title: Re: ZwCreateFile 0xc0000005 STATUS_ACCESS_VIOLATION
Post by: qWord on March 02, 2013, 06:19:59 AM
Quote from: bomz on March 02, 2013, 06:15:57 AM
Quote:
;KI_USER_SHARED_DATA   equ 0ffdf0000h
SharedUserData      equ KI_USER_SHARED_DATA

assume ebx: ptr KUSER_SHARED_DATA
mov ebx, KI_USER_SHARED_DATA
               invoke RtlInitUnicodeString, addr dllpath, addr [ebx].NtSystemRoot;KI_USER_SHARED_DATA+30h
assume ebx:NOTHING
????
????
Title: Re: ZwCreateFile 0xc0000005 STATUS_ACCESS_VIOLATION
Post by: bomz on March 02, 2013, 06:52:10 AM
What's wrong?
Title: Re: ZwCreateFile 0xc0000005 STATUS_ACCESS_VIOLATION
Post by: qWord on March 02, 2013, 06:59:10 AM
Quote from: bomz on March 02, 2013, 06:52:10 AM
What's wrong?
Is it so hard to formulate useful questions?

AFAIK the ASSUME directive can be used that way. If you have the correct structure definition, a one-liner is possible:

KI_USER_SHARED_DATA   equ 0ffdf0000h

structKI_USER_SHARED_DATA struct
foo DWORD ?
NtSystemRoot PVOID ? ; what ever
structKI_USER_SHARED_DATA ends

invoke RtlInitUnicodeString, addr dllpath, ADDR (structKI_USER_SHARED_DATA ptr DS:[KI_USER_SHARED_DATA]).NtSystemRoot
Title: Re: ZwCreateFile 0xc0000005 STATUS_ACCESS_VIOLATION
Post by: bomz on March 02, 2013, 07:08:34 AM
fatal error
Title: Re: ZwCreateFile 0xc0000005 STATUS_ACCESS_VIOLATION
Post by: qWord on March 02, 2013, 07:13:01 AM
Quote from: bomz on March 02, 2013, 07:08:34 AM
fatal error
Quote from: qWord on March 02, 2013, 06:59:10 AM
Is it so hard to formulate useful questions?
Title: Re: ZwCreateFile 0xc0000005 STATUS_ACCESS_VIOLATION
Post by: bomz on March 02, 2013, 12:08:19 PM
Possibly it needs some open function (?)

Maybe somebody has the wxp sp3 RTL_USER_PROCESS_PARAMETERS?
Title: Re: ZwCreateFile 0xc0000005 STATUS_ACCESS_VIOLATION
Post by: Vortex on March 02, 2013, 08:10:46 PM
Hi bomz,

Kindly, could you give some details about what you are trying to achieve?
Title: Re: ZwCreateFile 0xc0000005 STATUS_ACCESS_VIOLATION
Post by: bomz on March 02, 2013, 09:27:03 PM
http://hex.pp.ua/nt-native-create-process.php
I use this code and am trying to create a process in native mode
Title: Re: ZwCreateFile 0xc0000005 STATUS_ACCESS_VIOLATION
Post by: Vortex on March 02, 2013, 09:59:38 PM
Hi bomz,

I hope you are not trying to walk over a thin ice layer.
Title: Re: ZwCreateFile 0xc0000005 STATUS_ACCESS_VIOLATION
Post by: bomz on March 02, 2013, 10:13:14 PM
I made cd, dir, lp, lm, reboot, shutdown - now I am making create process

http://s017.radikal.ru/i414/1303/7b/1eba25a0a326.gif
Title: Re: ZwCreateFile 0xc0000005 STATUS_ACCESS_VIOLATION
Post by: BogdanOntanu on March 03, 2013, 05:49:00 AM
Sorry but if you do not want to show good will and perform a minimal effort in order to:
1) Formulate a clear and understandable question
2) Explain what you want to do

Then I must lock your thread on suspicions of trying to avoid AV detection