Converting the following code from the following code to asm is really hard for me
.....................................................
//ntdef.h
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;
#define UNICODE_NULL ((WCHAR)0) // winnt
//
// Object Attributes structure
//
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
.....................................................
//************My c++ code here************
VOID SomeFunction()
{
HANDLE hSection=NULL;
NTSTATUS status;
OBJECT_ATTRIBUTES objectAttributes;
UNICODE_STRING objName;
CALLGATE_DESCRIPTOR *cg;
status = STATUS_SUCCESS;
RtlInitUnicodeString(&objName,L"\\Device\\PhysicalMemory");
InitializeObjectAttributes(&objectAttributes,
&objName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
(PSECURITY_DESCRIPTOR) NULL);
status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&objectAttributes);
.......................................................................................
.......................................................................................
.......................................................................................
}
_____________________________________________
I defined the following structs in asm.
UNICODE_STRING STRUCT
Leng dw ?
MaximumLength dw ?
Buffer dd ?
UNICODE_STRING ENDS
OBJECT_ATTRIBUTES STRUCT
Leng dd ?
RootDirectory dd ?
ObjectName dd ?
Attributes dd ?
SecurityDescriptor dd ?
SecurityQualityOfService dd ?
OBJECT_ATTRIBUTES ENDS
;**********My asm code here**************
.data
ObjName UNICODE_STRING <>
ObjAtt OBJECT_ATTRIBUTES <>
AnObjName db "\\Device\\PhysicalMemory",0
UnObjName dw 50 dup (0)
.code
Go:
invoke MultiByteToWideChar,0,0,addr AnObjName,-1,addr UnObjName,50
;****InitializeObjName*****
invoke RtlInitUnicodeString,addr ObjName,addr UnObjName
;****InitializeObjectAttributes*****
mov ObjAtt.Leng,sizeof OBJECT_ATTRIBUTES
mov ObjAtt.RootDirectory,NULL
mov eax,OBJ_CASE_INSENSITIVE
or eax,OBJ_KERNEL_HANDLE
mov ObjAtt.Attributes ,eax
mov ObjAtt.ObjectName,offset ObjName
mov ObjAtt.SecurityDescriptor,NULL
mov ObjAtt.SecurityQualityOfService ,NULL
invoke ZwOpenSection,addr hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,addr ObjAtt
....................................
end go
All things work well before i run the exe, I find the returned value of ZwOpenSection is 0x80000002 (=STATUS_DATATYPE_MISALIGNMENT), I wonder how this happened.
.....................................................
//ntdef.h
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;
#define UNICODE_NULL ((WCHAR)0) // winnt
//
// Object Attributes structure
//
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
.....................................................
//************My c++ code here************
VOID SomeFunction()
{
HANDLE hSection=NULL;
NTSTATUS status;
OBJECT_ATTRIBUTES objectAttributes;
UNICODE_STRING objName;
CALLGATE_DESCRIPTOR *cg;
status = STATUS_SUCCESS;
RtlInitUnicodeString(&objName,L"\\Device\\PhysicalMemory");
InitializeObjectAttributes(&objectAttributes,
&objName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
(PSECURITY_DESCRIPTOR) NULL);
status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&objectAttributes);
.......................................................................................
.......................................................................................
.......................................................................................
}
_____________________________________________
I defined the following structs in asm.
UNICODE_STRING STRUCT
Leng dw ?
MaximumLength dw ?
Buffer dd ?
UNICODE_STRING ENDS
OBJECT_ATTRIBUTES STRUCT
Leng dd ?
RootDirectory dd ?
ObjectName dd ?
Attributes dd ?
SecurityDescriptor dd ?
SecurityQualityOfService dd ?
OBJECT_ATTRIBUTES ENDS
;**********My asm code here**************
.data
ObjName UNICODE_STRING <>
ObjAtt OBJECT_ATTRIBUTES <>
AnObjName db "\\Device\\PhysicalMemory",0
UnObjName dw 50 dup (0)
.code
Go:
invoke MultiByteToWideChar,0,0,addr AnObjName,-1,addr UnObjName,50
;****InitializeObjName*****
invoke RtlInitUnicodeString,addr ObjName,addr UnObjName
;****InitializeObjectAttributes*****
mov ObjAtt.Leng,sizeof OBJECT_ATTRIBUTES
mov ObjAtt.RootDirectory,NULL
mov eax,OBJ_CASE_INSENSITIVE
or eax,OBJ_KERNEL_HANDLE
mov ObjAtt.Attributes ,eax
mov ObjAtt.ObjectName,offset ObjName
mov ObjAtt.SecurityDescriptor,NULL
mov ObjAtt.SecurityQualityOfService ,NULL
invoke ZwOpenSection,addr hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,addr ObjAtt
....................................
end go
All things work well before i run the exe, I find the returned value of ZwOpenSection is 0x80000002 (=STATUS_DATATYPE_MISALIGNMENT), I wonder how this happened.