How can read(write) Physical Memory in WinXP?
Posted on 2005-02-03 06:53:54 by ChiefA
Afternoon, ChiefA.

How can read(write) Physical Memory in WinXP?

Why would you want to do that?

Posted on 2005-02-03 15:48:37 by Scronty
I want to do that
because want to impossible become possible;)

is it enough?

but the truth is that if I code I always write to physical but I do not know where I exactly write... I know only virtual addressing in PM memory management.
so I want to write to specified place in physical not just to physical wherever
it can be ....
somebody do this through KMD but it is not funny method and have no joy with it...

the dark side of the moon is that if someone explain me how to do that it will be like with KMD no fun, so keep it secret if you know !
just kidding ;)
Posted on 2005-02-03 16:24:28 by etn
I think you need ring0 access to that.. And to get ring0 you'll have to make your program as a driver or you can try finding a new exploit which let you get access to ring0..
Posted on 2005-02-03 18:32:22 by dev_zero
Posted on 2005-02-03 21:03:08 by nohaven
hi mohaven!

it is not funny to have admin rights and access ring 0 !
it's similar to kernel mode driver access .

if you can get ring0 without admin rights -> it sounds much better.

your link is worth to study but it doesn't solve the problem
to impossible become possible.

thx any way!
Posted on 2005-02-04 05:34:24 by etn
hi mohaven!

it is not funny to have admin rights and access ring 0 !
it's similar to kernel mode driver access .

if you can get ring0 without admin rights -> it sounds much better.

your link is worth to study but it doesn't solve the problem
to impossible become possible.

thx any way!

You'll have to exploit windows to get to ring0 without admin access.. Some viruses use exploits to get ring0 access.
Posted on 2005-02-04 06:36:23 by dev_zero
I thought we are not supposed to talk virii issues on this board :D

Did the rules change in any way?
Posted on 2005-02-04 11:13:32 by BogdanOntanu
You are correct. :) Let me do some editing. Same old rules as those in 2001 I think.

"There will be no linking to any cracking, warez, virii or reverse-engineering site direct nor indirect, not in messages, private messages or member home page URLs. "
Posted on 2005-02-04 11:23:38 by roticv
Sorry about that one.. But I only mentioned that group because they had a paper on some windows exploit which explained what was wrong in windows, and why you could get ring 0 through using that method.. I thought it went under the "security" topic? Oh, well case closed..
Posted on 2005-02-04 11:50:06 by dev_zero
the rules are wrong!
why only virus coderz can see Windows vulnerability?
why Microsoft is always uninformed?
why coders didn't know how system (processor) works?
why only small group of people know what the code optimisation is?
why most of internet users get access to the internet from admin account?
why this forum does not have the antivir topic?

because they know nothing about viruses and if somebody knows something, he thinks that he dominates all the rest so keeps it secret.
shouldn't we give an equal chance?
why if I want to talk about that I must get the underground and to get to know the bad guys, virus coderz and crackers?
why normal people want to be more stupid than are?
curiosity is common for the people so in my opinion there is nothing wrong with talk about viruses on every boards in the world.

My motivation is only to open what is closed
and to impossible become possible!
I do not want to harm something or write destructive viruses.
Only I want to...
is get to deep knowledge!
but it may be changed when i all the day have to talk only with virus-coderz instead of you all on this and many other programer's boards.

I was not so serious as it can appear to you so take it easy and do not be afraid ;> I do not bite! :)
Posted on 2005-02-05 05:39:13 by etn
how this is possible.

I had a Trojan horse in my PC
it was included in grff4.dll

I had no possibility to delete it from admin account and any other account.

I had to change its name from VDM and then switch off the power because normal exit rebuilt it

then I delete it from VDM too because system forbade this action

I check the file attributes and all should be OK but not was !
When I update virus library to my antivir software there was 2 another viruses which defend each other by importing to own address space.

The process explorer from give me some support.
Thx to Mark Russinovich and Bryce Cogswell.

I try to get some information how it is possible to import grff4.dll to winlogon process but not with big success.

I have some ideas but it is like poisoned mind, not clear enough.

it was before this process was loaded into memory or it was done by the process which runs winlogon.

interesting is that winlogon's IAT on the hard drive was not touched.
I know that the 3 dlls belongs to the same trojan
I know that there was 2 mechanism of infection IAT because if I tried to log on not admin account then internet explorer was infected (not winlogon)
I do not know how it is possible to break the a-vir protection to be personal immunity against the delete or quarantine action
I do not know the way of infection and infection source.

this time I know nothing :(
nothing important
Posted on 2005-02-05 11:46:06 by etn
Hello etn,

Harold and other administrators have to have such rules so as to prevent any possibility that this server will be shut down. That is why we need to maintain certain levels of self censoring.

PS: Do you know how you got that trojan horse?
Posted on 2005-02-05 19:14:25 by roticv
the worst thing is that I do not use suspected software do not open files attached to e-mail messages, do not visit adult sites and I have no idea what was happened.
Internet Explorer can be in my opinion responsible for infection
and my fault is i get the internet access through admin account

I visit some unknown sites to find tennis table logos, gifs and pictures to my team's t-shirts project
and a few of archaeological news about egypt
it was by modem connection not as usually by ADSL
oh I forgot , there is tlen communicator installed on my pc.

I use norton antivir and XP's firewall , hehehe
I know what you think now
but to this time it was no problem with it.

grff4.dll was deleted from VDM so I have no chance to restore it from the trash
this time i turn off auto updates and all these tcp toys
this day my system is cured without reinstalling :)
but the infection mechanism seemed to intrigue me much more than other things on this world.
in a sense I want to code good virus which can be able to "eat" bad viruses
Posted on 2005-02-05 19:48:34 by etn
Good luck, but before you program that virus-eater you probably need to search around google for virus infection technics etc.. Maybe download some of the virus magazines...

CodeBreakers is a nice journal for various topics, but it's not a virus group though, I'm not posting those here since it is against the rules..
CodeBreakers-Journal publishes original research articles in all aspects of computational methods used in the working fields Algorithms, Virus-Research, Software-Protection and Reverse Code Engineering and Cryptanalysis as well as all other areas of security analysis.

edit: I have noticed that this discussion is getting way off the "original" topic.. :)
Posted on 2005-02-06 07:36:16 by dev_zero