It would be nice to an example in delphi
A forum for reverse engineering, OS internals and malware analysis
To copy-paste in your skid Delphi trojan? Sure.
Ring0 - the source of inspiration
nothing of this just curious to test it with other antivirus i was doing some tests but with little success
NTSetPrivilege(SE_CREATE_PAGEFILE_NAME, true);
NtCreatePagingFile(ObjectName,$1000 ,NIL,$1000);
Thanks anyway for the idea
NTSetPrivilege(SE_CREATE_PAGEFILE_NAME, true);
NtCreatePagingFile(ObjectName,$1000 ,NIL,$1000);
Thanks anyway for the idea
Dom101 wrote: NtCreatePagingFile(ObjectName,$1000 ,NIL,$1000);What is it? A joke? You passing completely wrong parameters as 2 and 3. They are pointers to LARGE_INTEGER's and not OPT. ObjectName also what is it? It Must be @ObjectName if it's not a pointer by nature. And what it that $1000 as 4 parameter? This is pagefile priority and it can be OPT. Overall your code is nightmare.
Ring0 - the source of inspiration
:D Yeah I know
give me a help if you want otherwise no prob
give me a help if you want otherwise no prob
Dom101 wrote::D Yeah I know
give me a help if you want otherwise no prob
Code: Select all
rest is up to you.function NtCreatePagingFile (
PageFileName: PUNICODE_STRING;
MinimumSize: PLARGE_INTEGER;
MaximumSize: PLARGE_INTEGER;
Priority: ULONG
): NTSTATUS; stdcall; external 'ntdll.dll';
procedure Proc();
var
PagingFileName: UNICODE_STRING;
MinPagingFileSize: LARGE_INTEGER;
MaxPagingFileSize: LARGE_INTEGER;
begin
RtlInitUnicodeString(@PagingFileName, '\??\C:\temp\pagefile2.sys');
MinPagingFileSize.QuadPart := $100000 * 20;
MaxPagingFileSize.QuadPart := MinPagingFileSize.QuadPart;
NtCreatePagingFile(@PagingFileName, @MinPagingFileSize, @MaxPagingFileSize, 0);
end;Ring0 - the source of inspiration
heartfelt thanks
do some tests let you know
do some tests let you know
Code: Select all
:( DOES NOT WORKbegin
NTSetPrivilege(SE_CREATE_PAGEFILE_NAME, true);
RtlInitUnicodeString(@PagingFileName, '?:\pagefile.sys');
RtlInitUnicodeString(@PagingFileName, '\??\C:\temp\pagefile.sys');
RtlInitUnicodeString(@PagingFileName, '\??\C:\pagefile.sys');
RtlInitUnicodeString(@PagingFileName, 'C:\Program Files\AVAST Software\Avast\AvastUI.exe.manifest');
MinPagingFileSize.QuadPart := $10000000000 * 20;
MaxPagingFileSize.QuadPart := $10000000000 * 20;
NtCreatePagingFile(@PagingFileName, @MinPagingFileSize, @MaxPagingFileSize, 1000);
NtCreatePagingFile(@PagingFileName, @MinPagingFileSize, @MaxPagingFileSize, 1000);
NTSetPrivilege(SE_CREATE_PAGEFILE_NAME, true);
end;
/facepalmCode: Select allRtlInitUnicodeString(@PagingFileName, 'C:\Program Files\AVAST Software\Avast\AvastUI.exe.manifest'); MinPagingFileSize.QuadPart := $10000000000 * 20; MaxPagingFileSize.QuadPart := $10000000000 * 20; NtCreatePagingFile(@PagingFileName, @MinPagingFileSize, @MaxPagingFileSize, 1000); NtCreatePagingFile(@PagingFileName, @MinPagingFileSize, @MaxPagingFileSize, 1000); NTSetPrivilege(SE_CREATE_PAGEFILE_NAME, true); end;
Fix your code, it's ridiculous. Or more important question, why do you want to try what you don't understand and seems unable to learn.
Ring0 - the source of inspiration
Dom101 wrote:and why it should? :D:D:D :mrgreen: you messed up everything begining with invalid native path and ending with $10000000000 * 20, now calculate how many MB this is :D:D:DCode: Select all:( DOES NOT WORKbegin NTSetPrivilege(SE_CREATE_PAGEFILE_NAME, true); RtlInitUnicodeString(@PagingFileName, '?:\pagefile.sys'); RtlInitUnicodeString(@PagingFileName, '\??\C:\temp\pagefile.sys'); RtlInitUnicodeString(@PagingFileName, '\??\C:\pagefile.sys'); RtlInitUnicodeString(@PagingFileName, 'C:\Program Files\AVAST Software\Avast\AvastUI.exe.manifest'); MinPagingFileSize.QuadPart := $10000000000 * 20; MaxPagingFileSize.QuadPart := $10000000000 * 20; NtCreatePagingFile(@PagingFileName, @MinPagingFileSize, @MaxPagingFileSize, 1000); NtCreatePagingFile(@PagingFileName, @MinPagingFileSize, @MaxPagingFileSize, 1000); NTSetPrivilege(SE_CREATE_PAGEFILE_NAME, true); end;
@EP_X0FF
do we really need such threads here?
