62 questions
0 votes, 0 answers, 35 views
What are the correct arguments for NtCreateNamedPipeFile in a POC
I am trying to use NtCreateNamedPipe to create a pipe in the current process, but I keep on getting a 0xc000000d status code. I tried multiple combinations of the arguments and changed the pipe name many ...
0 votes, 0 answers, 45 views
IOCTL_KS_PROPERTY wait never satisfied when reading microphone stream
I'm trying to read raw PCM data from a microphone stream in Windows. For this, I'm using KsCreatePin to create a connection to a microphone pin and start reading from it. Before reading, I'm setting ...
1 vote, 0 answers, 121 views
How to use direct system calls with NtOpenProcess?
I want to develop a trivial toolkit using direct syscalls for some of the native Windows API procedures; for example, I want to use NtOpenProcess to open a process and display some info related to the ...
2 votes, 1 answer, 1k views
How to apply restrictions like setting a time limit for other apps or blocking certain URLs from my development app on mobile devices?
I am trying to build a parental control application which can apply restrictions to other apps on Android devices. The restrictions can be like:
The app can restrict the opening of any game app ...
0 votes, 0 answers, 419 views
Why are ZwQuerySystemInformation results delayed?
I'm trying to find a process id by its image name from kernel mode (Windows). My code is working, but newly created processes sometimes show up delayed/can't be found (up to 60 seconds after ...
0 votes, 2 answers, 681 views
NtQueryObject returns wrong insufficient required size via WOW64, why?
I am using the NT native API NtQueryObject()/ZwQueryObject() from user mode (and I am aware of the risks in general and I have written kernel mode drivers for Windows in the past in my professional ...
1 vote, 0 answers, 329 views
Close file handle of process from kernel-mode driver on Windows
I'm trying to close a specific file handle of a process from a kernel-mode driver on Windows. For this, I'm using ZwQuerySystemInformation to enumerate all handles on the system and then filter them ...
2 votes, 1 answer, 2k views
Running programs using RtlCreateUserProcess only works occasionally
Disclaimer: This question seems to get downvoted because I should use the normal Win32 API (CreateProcess, ShellExecute). I know about these APIs and I'm aware that RtlCreateUserProcess is not ...
2 votes, 1 answer, 2k views
Is it possible to call functions from a kernel mode driver in a user mode application on Windows?
I read here that the inverse is possible, but how does one achieve such a thing? I'd hope there's a simple way, similar to calling from a loaded DLL, but my Google research comes up with nothing. My ...
0 votes, 0 answers, 186 views
What does MmMapLockedPages do in UserMode?
EDIT: while browsing on StackOverflow, I discovered ZwAllocateVirtualMemory, which was not yielded by any Google searches or documentation trawling, as it's under "Previous Versions" of the ...
1 vote, 1 answer, 1k views
NtCreateFile returning STATUS_OBJECT_NAME_NOT_FOUND even if the file exists in the directory
I have been trying to open an existing file using NtCreateFile, although it cannot find the file that I am looking for even if it is present in the directory I am trying to open the file in.
...
0 votes, 0 answers, 346 views
Can NtWriteFile() produce a short write?
Consider this snippet (handle was opened with FILE_SYNCHRONOUS_IO_NONALERT flag):
IO_STATUS_BLOCK io;
NTSTATUS r = NtWriteFile(h, NULL, NULL, NULL, &io, data, data_len, &pos, NULL);
if ...
0 votes, 0 answers, 453 views
NtSetInformationFile(..., FileBasicInformation) fails with STATUS_INVALID_PARAMETER on FAT shares
Stumbled upon a weird problem:
let's say we have an SMB share \\<server>\<share> and we opened it for writing
NtSetInformationFile(..., FileBasicInformation) normally succeeds
... but if ...
1 vote, 1 answer, 1k views
Creating a new registry key using the NtCreateKey() NTAPI function [NtOpenKey() function returns a NTSTATUS error value of -1073741772]
I have written the following code to create a new key in the registry, but an NTSTATUS error value of -1073741772 is returned by the NtOpenKey() function when attempting to fetch the handle of the base ...
0 votes, 1 answer, 464 views
NativeAPI Suspend process
I am trying to stop a process; I use the NativeAPI from ntdll. I wrote some C code, and it works:
typedef LONG(NTAPI* NtSuspendProcess)(IN HANDLE ProcessHandle);
UINT __stdcall Suspend(VOID* processId)
{
...
2 votes, 1 answer, 3k views
Fast way to find process id by name
The task is: find a process id by executable name.
The calling application is 32-bit; the process to find can be 32- or 64-bit.
Solution:
#include <string>
#include <iostream>
#include <windows.h>...
1 vote, 1 answer, 179 views
WlanGetProfileList is not returning profiles created after device restart
The WlanGetProfileList native API is working as expected until the device restarts. Once the device restarts, the result of the same API is empty. But I can still see the created profiles under the registry ...
-2 votes, 1 answer, 326 views
How can I see the contents of a buffer and compare it with a DLL file?
I am trying to write a DLL injector with the native API. For this reason, I wrote this code. The NtReadFile function reads something, but I can't see anything except for the first value of FileReadBuffer. Also, I don't ...
2 votes, 2 answers, 11k views
NTSTATUS could not be resolved
I'm trying to make a program which will get the command line of a process by its process id. I'm using Eclipse C++ and the MinGW compiler.
So I found a tutorial on how to do that, and it needs ntstatus, so like in ...
0 votes, 2 answers, 2k views
How to add managed wifi API to the working project
I'd apologize for the question, in advance.
I'm a bit of a newbie in C#, and I don't know how to use the Managed WiFi API or how to add the classes to the working project. Can anyone help me?
I've ...
6 votes, 1 answer, 1k views
Python NtQueryDirectoryFile (File information structure)
I've written a simple (test) script to list files in a selected directory, not using FindFirstFile but only the native API.
When I execute the script and watch, Win32API monitor tells me STATUS_SUCCESS.
My ...
3 votes, 2 answers, 1k views
Deleting symlink created by NtCreateSymbolicLinkObject
NtCreateSymbolicLinkObject creates an object in the Windows Object Manager (you can see such links using the WinObj utility from Sysinternals).
What is the correct way to delete a symbolic link ...
-1 votes, 3 answers, 1k views
Get HANDLE to the memory region and what HANDLE actually is [duplicate]
How can I get a HANDLE to a memory region or mapped file?
What actually is a HANDLE?
Please do not answer like this:
A handle is an abstract reference to some resource, provided to you by
another ...
1 vote, 2 answers, 389 views
Interpret Windows Native API call arguments
I am analyzing an executable based on its execution trace. I have obtained the execution trace using the NtTrace tool. The output is a sequence of native API calls with arguments. I have managed to ...
1 vote, 2 answers, 2k views
Mapping high-level functions in user-mode dlls to NTDLL.dll
The book Windows NT/2000 Native API Reference provides comprehensive documentation (even though outdated) of Native APIs undocumented by Microsoft. But I am curious: is there any way to find the ...