Virtual Files

closed account (Dy7SLyTq)
his new name on these forums is OrionMaster or Cyberwarfare :)

If Spaceworm and Cyberwarfare were the same person then he is a very good actor. I was there for Cyber's first, last and quite a few in-between posts. He had no idea what he was talking about and I doubt he could even begin to comprehend assembly. I haven't decided if OrionMaster knows what he is talking about yet or is just trying to look smart (no offense to OrionMaster, I've just become wary after many people like that joined this forum. I was one when I first joined. Don't let my opinion affect you, however. I am just not a very trusting person when it comes to the web.)
Check OrionMaster's blog, his nickname there is Cyberwarfare1.
closed account (Dy7SLyTq)
It wouldn't surprise me if they are the same person, but it would shock me if he was Spaceworm. CW and OM seem to want to show that they actually are smart with posts like this: http://www.cplusplus.com/forum/jobs/115419/#msg632041. Spaceworm seemed to have a much better grasp and wasn't just googling things, which IMO is what OM is doing.
Hi,

Anyway, I am the centre of attention, yea!!!! Anyway, as the actual hook is taking place in Usermode\Ring3, there is no need for a reboot or registry changes; to compensate for that we can more or less inject into 3rd party processes in order to place a hook.
Anyway DTSCode is very formal and nice and has a nice touch to his posts lol. Just sayin'

Anyway I really want to learn those topics - as they can help me, not just to look "intelligent". Anyway just look in my blog to get more information on what I am up to...lol.
@CPLUSPLUSFORUMS

TIME TO ADMIT THE TRUTH-

ORION MASTER, CYBERWARFARE1 AND SPACEWORM ARE ALL THE SAME, APART FROM THAT CYBERWARFARE1 WAS CREATED AT LEAST 2 YEARS AGO WHEN I HAD LIMITED KNOWLEDGE, AND SPACEWORM WAS MORE RECENT. ORIONMASTER

TO TELL THOSE WHO DOUBT -
I LEFT THIS FORUM FOR A LITTLE WHILE AFTER THE AV THREAD, IN WHICH THERE WAS AN ARGUMENT - WHICH I REGRET AND APOLOGIZE FOR. ANYWAY ORIONMASTER IS MY NEW ACCOUNT.

LEAVING THIS ACCOUNT. HOWEVER NOT CLOSING. BUT CHECKING USING THIS.
Now hopefully you all have a better understanding of this situation and all doubts are cleared up.
I've been looking around and I found Dokan, however I don't know if it can accomplish what I want - as far as I can tell it can only create new file systems as separate drives, nothing like FUSE. I've also heard of a Python module for FUSE, but I doubt it would work on Windows despite being Python.

I've also considered just making a separate drive to mirror the main drive but with the added virtual files, except that some software I want to affect hard-codes its path in the registry and so would look on the actual hard drive.

I'm still searching :p
Why can you not use symbolic links?
Last time I checked, symbolic links could only link to other real files on disk. :(
@ OrionMaster: Well now I feel a bit stupid for not putting that together, one leaves and a short while later the other account shows up. It should have been obvious :P. Getting back to my earlier comment, I was thinking of an IDT hook for some reason (I don't get a lot of practice with this kind of stuff). The key I was referring to would have been "HKLM\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection" if it was relevant, which it is not.
Hi,

Well, IDT hooks can only be placed at Kernel\MBR level, as the Windows NT kernel enforces interrupt protection - which protects the integrity of interrupts from being exploited. The same applies to the SYSENTER call. This must again be executed at an in-real-mode address (privilege level 0).

As you may have seen in my blog, many assembly instructions are disallowed in Windows to prevent unwanted exploitation of the NT kernel design.
It is common to feel this way, especially as you never practise these things.

Like you, I too never tried the registry method of injection as it can easily be modified to prevent our method; in addition I do not like to use UAC the majority of the time because it is too cumbersome and unneat. As we can simply inject into "explorer.exe" and we would create a "virtual file".
Likewise, any attempt to get handles of all processes with one call would mean an elevated-privilege application injecting into "csrss.exe".

If you want to go the more or less difficult but deeper route, hooking in Windows NT would mean hooking SYSENTER on x86. However I never attempted such low level on x64 as it does not allow drivers to be loaded - as I never tried\attempted to bypass PatchGuard.

Quick code to hook SYSENTER_MSR, shown also in my blog: http://codeempire.blogspot.co.uk/2013/10/kernel-driver-sysenter-hook.html :
#include <wdm.h>

// Saved original IA32_SYSENTER_EIP (MSR 0x176), the kernel's fast system call entry point.
ULONG dwKiFastSystemCall;

// MSRCallBack is the replacement entry routine defined in the linked blog post; it is not shown here.
void MSRCallBack(void);

void InstallMSRHook(void)
{
    __asm {
        mov ecx, 0x176              // select IA32_SYSENTER_EIP
        rdmsr                       // EDX:EAX <- current value
        mov dwKiFastSystemCall, eax // remember the original entry point
        mov eax, MSRCallBack        // new entry point; EDX still holds the high half read above
        wrmsr                       // write it back
    }
}


Look how simply we can hook SYSENTER_MSR on Windows.
However for this I suggest a simple code injection can do the job rather than building and loading a driver, which can be too risky for these types of "experimentation".

Was that a reply to this thread or to Computergeek's comment?
both.
By 'reply to this thread' I was trying to implicitly convey the requirement of also being on-topic.
It isn't off topic; he did mention that hooking a function would be a way to accomplish this and the snippet he pasted is sort of related to that. I see what you're saying though and I won't derail your thread anymore.
Hooking functions is too advanced for me, in fact I'd call it dangerous. What happens when my program exits/crashes and the hook is still there?

If you had an airtight library that did it with a C/C++ API then maybe I'd use it.
Hi,

As you are hooking in Ring3, the hook remains local and when you exit the hook will only be removed from the process, NOT the system.
Hooking is only dangerous when the hook is placed in Ring0, and even then only if the callback is wrong and messed up.

I can help you understand hooking PM me, mate! I am here to help.

I have no clue of any library dedicated to such File Modification.
If it's local to my process then how will it affect other processes?
Hi,

As I said, you need to perform a code injection\DLL injection into foreign processes. In my blog I have created a lot of injection posts, even techniques to load DLLs into Google Chrome (the world's secure browser).
This is one of the code samples published in my blog for injection into Firefox:
#include <Windows.h>
#include <TlHelp32.h>
#include <iostream>
#include <string>

using namespace std;
typedef int (WINAPI* msgparam)(HWND, LPCSTR, LPCSTR, UINT);
typedef NTSTATUS (NTAPI* NTSUSPEND)(HANDLE hProcess);
typedef NTSTATUS (NTAPI* NTRESUME)(HANDLE hProcess);

// Parameter block written into the target; the copied routine gets everything it needs from here.
struct _CODE {
    DWORD MessageBoxAddr;
    char Title[50];
    char Text[60];
    int Buttons;
};

DWORD getPid(string procName);
int privileges();

// Routine that is copied into the target process. It must not reference anything from this
// module except through the pointer carried in _CODE, since none of it exists over there.
static DWORD Injection(_CODE* sp)
{
    msgparam msgbox = (msgparam) sp->MessageBoxAddr;
    msgbox(0, sp->Text, sp->Title, sp->Buttons);
    return 0;
}
// Marker that must directly follow Injection in the image so that stub - Injection is its size
// (assumes a 32-bit build without incremental linking or function reordering).
static DWORD stub();

int main()
{
    // The char-based API calls assume a non-Unicode (ANSI) project setting.
    char szFirefoxPath[MAX_PATH];
    GetEnvironmentVariable("programfiles", szFirefoxPath, sizeof(szFirefoxPath));
    strcat(szFirefoxPath, "\\Mozilla Firefox\\firefox.exe");
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));
    // Start Firefox suspended so the payload runs before its own main thread does.
    if (!CreateProcess(0, szFirefoxPath, NULL, NULL, false, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) return 1;
    HANDLE hOpenProcess = pi.hProcess;
    if (hOpenProcess == 0) return 1;
    _CODE CodeStruct = {0};
    // User32.dll is mapped at the same base in every process of a session, so this address is valid in the target.
    CodeStruct.MessageBoxAddr = (DWORD) GetProcAddress(GetModuleHandle("User32.dll"), "MessageBoxA");
    CodeStruct.Buttons = MB_OK;
    strcpy_s(CodeStruct.Text, "I AM INJECTED");
    strcpy_s(CodeStruct.Title, "SUCCESS");

    DWORD dwFunctionSize = (PBYTE) stub - (PBYTE) Injection;
    LPVOID lpAllocFunc = VirtualAllocEx(pi.hProcess, 0, dwFunctionSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(pi.hProcess, lpAllocFunc, (void*) Injection, dwFunctionSize, 0);

    LPVOID lpParameterAlloc = VirtualAllocEx(pi.hProcess, 0, sizeof(_CODE), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(pi.hProcess, lpParameterAlloc, &CodeStruct, sizeof(_CODE), 0);
    HANDLE hCreateRemoteThread = CreateRemoteThread(pi.hProcess, 0, 0, (LPTHREAD_START_ROUTINE) lpAllocFunc, lpParameterAlloc, 0, 0);

    ResumeThread(pi.hThread);
    if (hCreateRemoteThread != 0) MessageBox(0, "Injection into the process was successful", "Success", MB_ICONINFORMATION);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}


// Looks up a process id by executable name through a Toolhelp snapshot. Returns 0 if not found.
DWORD getPid(string procName){
   HANDLE hsnap;
   PROCESSENTRY32 pt;
   hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
   if (hsnap == INVALID_HANDLE_VALUE) return 0;
   pt.dwSize = sizeof(PROCESSENTRY32);
   // Process32First must fill pt before the loop reads it.
   if (!Process32First(hsnap, &pt)) { CloseHandle(hsnap); return 0; }
   do {
      if (!strcmp(pt.szExeFile, procName.c_str())) {
         DWORD pid = pt.th32ProcessID;
         CloseHandle(hsnap);
         return pid;
      }
   } while (Process32Next(hsnap, &pt));
   CloseHandle(hsnap);
   return 0;
}


// Enables SeDebugPrivilege on the current token. Returns 0 on success, 1 on failure.
int privileges(){
  HANDLE Token;
  TOKEN_PRIVILEGES tp;
  if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &Token))
  {
    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    // AdjustTokenPrivileges returns TRUE even when the privilege was not assigned
    // (ERROR_NOT_ALL_ASSIGNED), so GetLastError must be checked as well.
    BOOL ok = AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL) && GetLastError() == ERROR_SUCCESS;
    CloseHandle(Token);
    return ok ? 0 : 1;   // 0 = SUCCESS, 1 = FAIL
  }
  return 1;
}


// Never called; exists only so its address marks the end of Injection.
static DWORD stub()
{
    __asm nop;
    return 0;
}


As you may notice, the hProcess member of PROCESS_INFORMATION pi can be removed and replaced with a handle from OpenProcess on any process, with the 3rd parameter of OpenProcess being the PID of the process.

As for the hooking, it is more or less easy as you can simply import more library addresses such as VirtualProtect and such and hook it via the thread.
For those who have no clue on how to use OpenProcess in this code, just do this:
DWORD dwPid = getPid("process_name.exe");
if(dwPid == NULL) return 1;
HANDLE hNewHandle = OpenProcess(PROCESS_ALL_ACCESS,false,dwPid);
if(hNewHandle == NULL) return 1;

I suggest you ask for lower privileges such as PROCESS_VM_OPERATION or PROCESS_VM_WRITE,
then to replace the hProcess member of pi just do this:
 
pi.hProcess = hNewHandle;


Those who do not know my Blog: http://www.codeempire.blogspot.com
Hope this helps,
OrionMaster
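A defender-side counterpart to the VirtualAllocEx + WriteProcessMemory + CreateRemoteThread sequence in the code above, added here as an example and not taken from the post or the blog it links: it runs over constructed records shaped like the fields of Sysmon Event ID 8 (CreateRemoteThread) and flags remote threads whose start address no loaded module backs, which is exactly what that sequence produces. The sample records and the SYSTEM_DIR allow-list are constructed for the example.

```python
import re

# Constructed sample records shaped like the fields of Sysmon Event ID 8
# (CreateRemoteThread). Illustrative only, not captured from a real host.
SAMPLE_EVENTS = [
    {   # thread started at an address no module backs: the pattern produced by
        # VirtualAllocEx + WriteProcessMemory + CreateRemoteThread
        "SourceImage": "C:\\Users\\demo\\injector.exe",
        "TargetImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
        "StartAddress": "0x0000000002A30000",
        "StartModule": "",
    },
    {   # benign remote thread whose start address lies inside ntdll.dll
        "SourceImage": "C:\\Windows\\System32\\csrss.exe",
        "TargetImage": "C:\\Windows\\System32\\svchost.exe",
        "StartAddress": "0x00007FFB1C3F1D60",
        "StartModule": "C:\\Windows\\System32\\ntdll.dll",
    },
    {   # a thread a process creates in itself is not remote and is ignored
        "SourceImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
        "TargetImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
        "StartAddress": "0x00000000004A1000",
        "StartModule": "",
    },
]

SYSTEM_DIR = "c:\\windows\\system32\\"   # constructed allow-list for source images


def classify(event):
    """Return the reasons an Event ID 8 record looks like code injection (empty if none)."""
    reasons = []
    src, dst = event["SourceImage"].lower(), event["TargetImage"].lower()
    if src == dst:
        return reasons
    if not event["StartModule"]:
        reasons.append("start address not backed by a loaded module")
    addr = event["StartAddress"].lower()
    # VirtualAllocEx hands back an allocation-granularity-aligned base, so a thread
    # started at the very start of such a region has a page-aligned address.
    if re.fullmatch(r"0x[0-9a-f]+", addr) and int(addr, 16) & 0xFFF == 0:
        reasons.append("start address is page-aligned, as a fresh VirtualAllocEx region is")
    if not src.startswith(SYSTEM_DIR):
        reasons.append("source process is not a Windows system binary")
    return reasons


def analyze(events):
    """Return (source, target, reasons) for every record classify() flags."""
    return [(e["SourceImage"], e["TargetImage"], classify(e))
            for e in events if classify(e)]
```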
Code injection/DLL injection is not an option for this, unfortunately.