; Input buffer handed to NtSystemDebugControl by SystemControl for the
; DebugReadVirtualMemory / DebugWriteVirtualMemory control codes; its
; size is what SystemControl passes as InputBufferLength.
; All three fields are 32-bit, so this layout is x86 (32-bit) only.
MEMORY_CHUNK struct
VirtualAddress DWORD ?  ; address to read from / write to (lpBaseAddress in the Mi* wrappers)
Buffer DWORD ?          ; caller's buffer (by the wrapper names: destination for reads, source for writes)
BufferSize DWORD ?      ; number of bytes to transfer (nSize)
MEMORY_CHUNK ends
; Control codes passed to NtSystemDebugControl through SystemControl:
; the read code is used by MiReadVirtualMemory, the write code by
; MiWriteVirtualMemory.
; NOTE(review): this path requires SeDebugPrivilege (enabled by
; RtlAdjustDebugPrivilege) and presumably reaches any virtual address,
; kernel space included; whether the target kernel still honours these
; codes depends on the OS version -- confirm on the intended target.
DebugReadVirtualMemory equ 8
DebugWriteVirtualMemory equ 9
.data?
; Address of ntdll!NtSystemDebugControl, resolved at run time by
; MiInitVirtualMemory; zero until that has run.
NtSystemDebugControl dd ?
.data
; Module and export names resolved at run time with GetProcAddress
; (see RtlAdjustDebugPrivilege and MiInitVirtualMemory).
ntdll_str db "ntdll.dll", 0
NtSystemDebugControl_str db "NtSystemDebugControl", 0
NtOpenProcessToken_str db "NtOpenProcessToken", 0
NtAdjustPrivilegesToken_str db "NtAdjustPrivilegesToken", 0
.code
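; SystemControl: thin stdcall call-through to NtSystemDebugControl for the
; read/write-virtual control codes used in this file.
; In:   ControlCode = DebugReadVirtualMemory or DebugWriteVirtualMemory
;       InputBuffer = pointer to a filled-in MEMORY_CHUNK
; Out:  eax = NTSTATUS returned by the service routine (0 = success)
; Note: InputBufferLength is fixed to sizeof MEMORY_CHUNK, and
;       OutputBuffer / OutputBufferLength / ReturnLength are all NULL/0,
;       so this wrapper only fits control codes that take a MEMORY_CHUNK
;       in and return nothing through the output buffer.
;       Fix: the parameter type was spelled MEMORY_CHUNKS, which names no
;       struct in this file; it is MEMORY_CHUNK.
;       NtSystemDebugControl is filled in by MiInitVirtualMemory and is
;       not re-checked here; calling this before init calls through NULL.
SystemControl proc ControlCode:DWORD, InputBuffer:ptr MEMORY_CHUNK
    push 0                      ; ReturnLength (not requested)
    push 0                      ; OutputBufferLength
    push 0                      ; OutputBuffer (none)
    push sizeof MEMORY_CHUNK    ; InputBufferLength
    push InputBuffer            ; InputBuffer
    push ControlCode            ; ControlCode
    call NtSystemDebugControl   ; stdcall: the callee removes the six arguments
    ret
SystemControl endp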
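; MiReadVirtualMemory: copy nSize bytes from virtual address lpBaseAddress
; into lpBuffer via SystemControl(DebugReadVirtualMemory).
; In:   lpBaseAddress = source address, lpBuffer = destination, nSize = bytes
; Out:  eax = 1 on success, 0 on failure. (Previously the success path
;       returned eax+1, i.e. 0C0000002h in the quirk case below -- truthy
;       but not a clean BOOL; it is now always 1.)
; Note: STATUS_UNSUCCESSFUL (0C0000001h) is deliberately counted as
;       success, as the original code did -- presumably an observed quirk
;       of this control code on the target kernel. Confirm before relying
;       on it: it also hides genuine failures, and lpBuffer contents are
;       then undefined. nSize must fit lpBuffer; nothing here checks it.
MiReadVirtualMemory proc lpBaseAddress:DWORD, lpBuffer:ptr BYTE, nSize:DWORD
    LOCAL MemoryChunk:MEMORY_CHUNK
    mov eax, lpBaseAddress
    mov MemoryChunk.VirtualAddress, eax
    mov eax, lpBuffer
    mov MemoryChunk.Buffer, eax
    mov eax, nSize
    mov MemoryChunk.BufferSize, eax
    invoke SystemControl, DebugReadVirtualMemory, addr MemoryChunk
    .if (eax == 0) || (eax == 0c0000001h) ; STATUS_SUCCESS, or STATUS_UNSUCCESSFUL (see note)
        mov eax, 1
    .else
        xor eax, eax
    .endif
    ret
MiReadVirtualMemory endp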
; MiWriteVirtualMemory: copy nSize bytes from lpBuffer to virtual address
; lpBaseAddress via SystemControl(DebugWriteVirtualMemory).
; In:   lpBaseAddress = destination address, lpBuffer = source, nSize = bytes
; Out:  eax = 1 if the service returned STATUS_SUCCESS (0), else 0
; Note: no validation of lpBaseAddress is done here; whatever checking
;       happens is the kernel's. Unlike MiReadVirtualMemory, only a zero
;       status counts as success.
MiWriteVirtualMemory proc lpBaseAddress:DWORD, lpBuffer:ptr BYTE, nSize:DWORD
    LOCAL MemoryChunk:MEMORY_CHUNK
    mov eax, lpBaseAddress
    mov MemoryChunk.VirtualAddress, eax
    mov eax, lpBuffer
    mov MemoryChunk.Buffer, eax
    mov eax, nSize
    mov MemoryChunk.BufferSize, eax
    invoke SystemControl, DebugWriteVirtualMemory, addr MemoryChunk
    .if (eax == 0)
        mov eax, 1      ; STATUS_SUCCESS -> TRUE
    .else
        xor eax, eax    ; any other NTSTATUS -> FALSE
    .endif
    ret
MiWriteVirtualMemory endp
; MiAllocateMemory: allocate nSize bytes of committed read/write memory;
; the system chooses the base address.
; In:   nSize = bytes to allocate
; Out:  eax = base address, or NULL on failure (VirtualAlloc's return value
;       is passed through unchanged) -- callers must check for NULL.
MiAllocateMemory proc nSize:DWORD
    push PAGE_READWRITE     ; flProtect
    push MEM_COMMIT         ; flAllocationType
    push nSize              ; dwSize
    push NULL               ; lpAddress: let the system pick
    call VirtualAlloc       ; stdcall: callee removes the arguments
    ret
MiAllocateMemory endp
; MiFreeMemory: release a region obtained from MiAllocateMemory.
; In:   VirtualAddress = base address returned by MiAllocateMemory
; Out:  eax = VirtualFree's BOOL result, passed through unchanged
; Note: dwSize is 0, as MEM_RELEASE requires the whole region to go.
MiFreeMemory proc VirtualAddress:DWORD
    push MEM_RELEASE        ; dwFreeType
    push 0                  ; dwSize (must be 0 with MEM_RELEASE)
    push VirtualAddress     ; lpAddress
    call VirtualFree        ; stdcall: callee removes the arguments
    ret
MiFreeMemory endp
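; RtlAdjustDebugPrivilege: enable SeDebugPrivilege (LUID 20) in the
; current process token, which the NtSystemDebugControl path needs.
; In:   none
; Out:  eax = 0 on success, otherwise a non-zero NTSTATUS.
;       Per the NT API contract NtAdjustPrivilegesToken reports a
;       privilege the token does not hold through a non-zero status
;       (STATUS_NOT_ALL_ASSIGNED), so an unprivileged caller fails here
;       instead of proceeding -- MiInitVirtualMemory relies on that.
; Changes vs. the previous version:
;   - ntdll is located with GetModuleHandle (as MiInitVirtualMemory does)
;     instead of LoadLibrary, whose extra reference was never released;
;   - a missing module or export returns STATUS_UNSUCCESSFUL instead of
;     calling through a NULL pointer;
;   - the LUID is written directly into NewPrivileges (the push/pop copy
;     through a temporary LUID was equivalent and is gone).
RtlAdjustDebugPrivilege proc
    LOCAL Status : DWORD
    LOCAL Token : HANDLE
    LOCAL NewPrivileges : TOKEN_PRIVILEGES
    LOCAL OldPrivileges : TOKEN_PRIVILEGES
    LOCAL cb : DWORD
    LOCAL hNtdll : DWORD
    LOCAL ZwOpenProcessToken : DWORD
    LOCAL ZwAdjustPrivilegesToken : DWORD
    ; ntdll is mapped into every process, so a handle lookup is enough.
    invoke GetModuleHandle, addr ntdll_str
    .if (eax == 0)
        mov eax, 0c0000001h     ; STATUS_UNSUCCESSFUL
        ret
    .endif
    mov hNtdll, eax
    invoke GetProcAddress, hNtdll, addr NtOpenProcessToken_str
    mov ZwOpenProcessToken, eax
    invoke GetProcAddress, hNtdll, addr NtAdjustPrivilegesToken_str
    mov ZwAdjustPrivilegesToken, eax
    .if (eax == 0) || (ZwOpenProcessToken == 0)
        mov eax, 0c0000001h     ; STATUS_UNSUCCESSFUL: export not found
        ret
    .endif
    ; NtOpenProcessToken(NtCurrentProcess(), DesiredAccess, &Token)
    ; -- stdcall through the resolved pointer; callee cleans the stack.
    lea eax, Token
    push eax                                    ; TokenHandle
    push TOKEN_ADJUST_PRIVILEGES + TOKEN_QUERY  ; DesiredAccess
    push -1                                     ; NtCurrentProcess() pseudo-handle
    call ZwOpenProcessToken
    .if (eax != 0)
        ret                     ; eax already holds the failing NTSTATUS
    .endif
    ; Exactly one entry: SeDebugPrivilege, to be enabled.
    mov NewPrivileges.PrivilegeCount, 1
    mov NewPrivileges.Privileges.Luid.LowPart, 20   ; SE_DEBUG_PRIVILEGE
    mov NewPrivileges.Privileges.Luid.HighPart, 0
    mov NewPrivileges.Privileges.Attributes, SE_PRIVILEGE_ENABLED
    ; NtAdjustPrivilegesToken(Token, FALSE, &New, sizeof, &Old, &cb)
    lea eax, cb
    push eax                        ; ReturnLength
    lea eax, OldPrivileges
    push eax                        ; PreviousState
    push sizeof TOKEN_PRIVILEGES    ; BufferLength
    lea eax, NewPrivileges
    push eax                        ; NewState
    push FALSE                      ; DisableAllPrivileges
    push Token                      ; TokenHandle
    call ZwAdjustPrivilegesToken
    mov Status, eax                 ; keep the status across CloseHandle
    invoke CloseHandle, Token       ; always close; its result is ignored
    mov eax, Status
    ret
RtlAdjustDebugPrivilege endp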
; MiInitVirtualMemory: one-time setup for the Mi* routines -- enable
; SeDebugPrivilege and resolve ntdll!NtSystemDebugControl into the
; NtSystemDebugControl global.
; In:   none
; Out:  returns only on success; if the privilege cannot be enabled
;       (RtlAdjustDebugPrivilege returns non-zero) or the export is not
;       found, the process is terminated with exit code -1 (0FFFFFFFFh).
;       On the export-not-found path the global has already been set to 0.
MiInitVirtualMemory proc
    invoke RtlAdjustDebugPrivilege
    test eax, eax
    jnz init_failed
    invoke GetModuleHandle, addr ntdll_str
    invoke GetProcAddress, eax, addr NtSystemDebugControl_str
    mov NtSystemDebugControl, eax
    test eax, eax
    jnz init_done
init_failed:
    invoke ExitProcess, -1      ; fail closed: nothing below works without it
init_done:
    ret
MiInitVirtualMemory endp