A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #26080  by SysVolt
 Sun Jun 14, 2015 11:40 pm
Hey guys, could you help me out here.
The following procedure is crashing my PC, meaning it is crashing all the processes it is injected into.
Procedure SetHook();
var
 Bytes: SIZE_T;
begin
  PtrZwq  := GetProcAddress(GetModuleHandle('ntdll.dll'),
                            'ZwQuerySystemInformation');
  ReadProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @OldZwq, SizeOf(OldCode), Bytes);
  JmpZwq.PuhsOp  := $68; 
  JmpZwq.PushArg := @NewZwQuerySystemInformation;
  JmpZwq.RetOp   := $C3; 
  ShowMessage('Puhs Value = '+IntToStr(JmpZwq.PuhsOp));
  ShowMessage('Ret Value = '+IntToStr(JmpZwq.RetOp));
  WriteProcessMemory(INVALID_HANDLE_VALUE, PtrZwq, @JmpZwq, SizeOf(far_jmp), Bytes);
end;
I think it's the offsets, $68 and $C3; they are from the 32-bit version, which works fine, but how could I convert them to 64-bit offsets? I hope I am clear enough. Comment if you need to see more code. Thanks
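From the defender's side, the interesting thing about the snippet above is how an inline patch of this kind is found: read the first bytes of the export from the loaded module and compare them with a clean reference copy (for example the same export in the on-disk image). The comparison flags any overwrite regardless of how the trampoline is encoded, so it works the same on x64 as on x86. The script below is an added example written for this page, not code from the thread; the "clean" prologue and the hook address are constructed sample bytes, not real ntdll contents, and the only pattern it decodes by name is the push/ret sequence (68 imm32 / C3) that the posted SetHook writes.

```python
import struct

# Constructed sample of an export's first bytes before any patching.
# These are NOT the real bytes of ntdll!ZwQuerySystemInformation.
CLEAN_PROLOGUE = bytes.fromhex("b836000000ba0003fe7fff12c21000")

# The 32-bit trampoline the poster's SetHook writes over the export:
#   68 <imm32>   push <address of the replacement function>
#   C3           ret
HOOK_TARGET = 0x10001234  # constructed address, stands in for @NewZwQuerySystemInformation
PATCHED_PROLOGUE = b"\x68" + struct.pack("<I", HOOK_TARGET) + b"\xc3" + CLEAN_PROLOGUE[6:]


def first_mismatch(clean: bytes, live: bytes):
    """Offset of the first byte where the live prologue differs from the clean one, or None."""
    for i, (a, b) in enumerate(zip(clean, live)):
        if a != b:
            return i
    return None


def decode_push_ret(prologue: bytes):
    """If the prologue starts with a 32-bit push/ret trampoline, return its target address."""
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return struct.unpack("<I", prologue[1:5])[0]
    return None


def inspect_export(name: str, clean: bytes, live: bytes) -> dict:
    """Classify an export's live prologue against a clean reference copy."""
    offset = first_mismatch(clean, live)
    if offset is None:
        return {"export": name, "hooked": False}
    finding = {"export": name, "hooked": True, "first_diff_offset": offset}
    target = decode_push_ret(live)
    if target is not None:
        finding["kind"] = "push/ret trampoline"
        finding["target"] = target
    else:
        # Any other overwrite is still reported; the comparison does not depend
        # on knowing the trampoline encoding (e.g. an x64 variant).
        finding["kind"] = "unknown patch"
    return finding


if __name__ == "__main__":
    for label, live in (("clean", CLEAN_PROLOGUE), ("patched", PATCHED_PROLOGUE)):
        print(label, inspect_export("ZwQuerySystemInformation", CLEAN_PROLOGUE, live))
```

In a real check the clean bytes come from mapping the module file from disk (with relocations applied so the two copies are comparable) and the live bytes from the module already loaded in the process; the decoder only names the one pattern shown in this thread, and every other mismatch is reported as an unclassified patch rather than ignored.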
 #26092  by Microwave89
 Tue Jun 16, 2015 6:06 pm
Although I don't know Delphi:

Did you just copy-paste the x86 source into your x64 source?
If yes, this won't ever work; the instructions and also the underlying Native API architecture are somewhat different.

Have you ever looked at the ntdll!ZwQuerySystemInformation function you intend to hook?
Additionally, why are you using ReadProcessMemory/WriteProcessMemory if you're already running in the context of the target process?
If this is the injected code it is already running in another process, and a simple dereference will work...

It would be quite helpful if you posted your complete code which is to be injected.

By the way, we aren't even using 128 bit systems, so your title is wrong ;)


Best Regards

Microwave89
 #26100  by EP_X0FF
 Wed Jun 17, 2015 3:42 pm
TETYYSs wrote:Why are you reading memory of process with handle INVALID_HANDLE_VALUE?
Because it is the same (HANDLE)-1 as the pseudo handle from GetCurrentProcess. Anyway, the above code is completely awful and the given information is incomplete.
 #26101  by SysVolt
 Wed Jun 17, 2015 4:09 pm
Microwave89 wrote:Although I don't know Delphi:

Did you just copy-paste the x86 source into your x64 source?
If yes, this won't ever work; the instructions and also the underlying Native API architecture are somewhat different.

Have you ever looked at the ntdll!ZwQuerySystemInformation function you intend to hook?
Additionally, why are you using ReadProcessMemory/WriteProcessMemory if you're already running in the context of the target process?
If this is the injected code it is already running in another process, and a simple dereference will work...

It would be quite helpful if you posted your complete code which is to be injected.

By the way, we aren't even using 128 bit systems, so your title is wrong ;)


Best Regards

Microwave89
Short answer, yes. I threw in a bunch of code hoping the compiler would do all the hard work; however, an old friend helped me and my problem is solved. However, I would like to know if you have any tutorials or references you would recommend for me, as I am still kind of a noob at this. Again, thanks for your time.
 #26105  by TETYYSs
 Wed Jun 17, 2015 10:26 pm
EP_X0FF wrote:
TETYYSs wrote:Why are you reading memory of process with handle INVALID_HANDLE_VALUE?
Because it is the same (HANDLE)-1 as the pseudo handle from GetCurrentProcess. Anyway, the above code is completely awful and the given information is incomplete.
Oh yeah. Well, it would be the same if I put HAL_MCE_INTERRUPTS_BASED in there.
 #26292  by Brock
 Tue Jul 14, 2015 9:16 pm
Minimum Delphi version to produce 64-bit code is XE2 unless you want to use the Lazarus compiler which supported 64-bit compilation before Delphi did. Why care about a 64-bit Delphi userland rootkit anyhow? This attempt reminds me of AFX Rootkit from 2003 days which was pure trash, don't bother with this crap