Search found 975 matches

by iconic
Fri Feb 05, 2021 8:20 am
Forum: madExcept
Topic: Custom proxy missing null termination
Replies: 2
Views: 73

Re: Custom proxy missing null termination

Hi AndersB, Your code update would be better with the below changes, but thanks for pointing this out to us. function AnsiToGlobalUnicode(const ansi: AnsiString) : pointer; var us1 : UnicodeString; begin if ansi <> '' then begin us1 := UnicodeString(ansi); result := pointer(GlobalAlloc(GPTR, Length(...
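The sizing point in this thread (the converted UTF-16 copy needs room for its terminating 0x0000 code unit, which a byte count of Length*2 does not leave) is shown below in portable C as an added example; it is not the madExcept code from the post, whose exact fix is cut off in the search preview. Assumptions: malloc/calloc stand in for GlobalAlloc(GPTR, ...), the input is treated as Latin-1 so each byte maps to one BMP code unit, and the function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed to hold a UTF-16 copy of an n-character string INCLUDING the
 * terminating 0x0000 code unit. Returns 0 if the computation would overflow.
 * The bug in the thread is the missing "+ 1" here. */
size_t utf16_alloc_bytes(size_t n_chars)
{
    if (n_chars > (SIZE_MAX / sizeof(uint16_t)) - 1)
        return 0;
    return (n_chars + 1) * sizeof(uint16_t);
}

/* Convert a Latin-1 (assumed) C string to a heap UTF-16LE buffer with an
 * explicit terminator. calloc stands in for GlobalAlloc(GPTR) (zeroed memory).
 * Caller frees with free(). NULL on overflow or allocation failure. */
uint16_t *ansi_to_utf16(const char *ansi)
{
    size_t n = ansi ? strlen(ansi) : 0;
    size_t bytes = utf16_alloc_bytes(n);
    if (bytes == 0)
        return NULL;
    uint16_t *out = calloc(1, bytes);   /* zero-filled, like GPTR */
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        out[i] = (uint16_t)(unsigned char)ansi[i];   /* Latin-1 maps 1:1 into the BMP */
    out[n] = 0;                          /* explicit terminator, never rely on zero-fill alone */
    return out;
}

/* Consumer-side check: does a buffer of `bytes` bytes contain a 0x0000 code
 * unit? A buffer sized Length*2 for "abc" (6 bytes) fails this; 8 bytes passes. */
int utf16_is_terminated(const uint16_t *buf, size_t bytes)
{
    size_t units = bytes / sizeof(uint16_t);
    for (size_t i = 0; i < units; i++)
        if (buf[i] == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *sample = "abc";   /* constructed input */
    uint16_t *u = ansi_to_utf16(sample);
    if (u == NULL)
        return 1;
    printf("%zu chars -> %zu bytes (terminated within Length*2 bytes: %d, within full allocation: %d)\n",
           strlen(sample), utf16_alloc_bytes(strlen(sample)),
           utf16_is_terminated(u, strlen(sample) * sizeof(uint16_t)),
           utf16_is_terminated(u, utf16_alloc_bytes(strlen(sample))));
    free(u);
    return 0;
}
```

Whoever reads the handle on the receiving side (here a consumer that walks the buffer until 0x0000) is the one who pays for a missing terminator, so the size check belongs at the allocation, not at the reader.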
by iconic
Fri Jan 01, 2021 1:04 am
Forum: fun talk
Topic: Happy New Year!
Replies: 11
Views: 14554

Re: Happy New Year!

It's that time again... Happy New Year (2021) to all of our friends here on the forum :redBalloon: :greenBalloon: :blueBalloon: :D Stay safe and be productive.

--Iconic
by iconic
Wed Dec 02, 2020 3:55 am
Forum: madCodeHook
Topic: problem with CopyFunction
Replies: 11
Views: 4266

Re: problem with CopyFunction

Hi Bevan, Thanks for deleting your project online containing the .lib files. Much appreciated. Accidents happen and whether you were in a rush or perhaps forgot that this can be viewed publicly... things happen, but thanks for your quick deletion of such sensitive files. So... according to your last...
by iconic
Fri Nov 27, 2020 10:25 pm
Forum: madCodeHook
Topic: problem with CopyFunction
Replies: 11
Views: 4266

Re: problem with CopyFunction

Hi Bevan, I've uploaded the pre-built 64-bit binary here https://easyupload.io/mo975t You may need to disable Windows Defender and/or other security apps in order to download it, it's being detected as a virus likely because MCH was compiled into it and it's using APIs like WriteProcessMemory and Cr...
by iconic
Tue Nov 24, 2020 9:10 pm
Forum: madCodeHook
Topic: problem with CopyFunction
Replies: 11
Views: 4266

Re: problem with CopyFunction

Hi Bevan, I've rerun the demo on Windows 10 x64 20H2 and tested a 64-bit .exe compiled with madCHook64mt.lib - it continues to work as expected without issue here. I tested 3x with both the WOW64 version of Notepad as well as the Native 64-bit version of Notepad. Did you want me to upload my pre-bui...
by iconic
Tue Nov 24, 2020 5:33 am
Forum: madCodeHook
Topic: problem with CopyFunction
Replies: 11
Views: 4266

Re: problem with CopyFunction

I'll test on Windows 10 later today and see if there is any change.

--Iconic
by iconic
Tue Nov 24, 2020 5:05 am
Forum: madCodeHook
Topic: problem with CopyFunction
Replies: 11
Views: 4266

Re: problem with CopyFunction

Hello, I've tested here on Win 7 x64 SP1 with both target builds of the same .exe (32-bit and 64-bit) and then tried both instances (32-bit and 64-bit) of Notepad to see if it was something related to WOW64 <-> Native execution but it doesn't appear to be. In any case it all worked perfectly fine fo...
by iconic
Fri Nov 20, 2020 3:43 am
Forum: madCodeHook
Topic: problem with CopyFunction
Replies: 11
Views: 4266

Re: problem with CopyFunction

Hello,

I'll make some time tomorrow to check into this. Thanks!

--Iconic
by iconic
Tue Sep 22, 2020 8:57 pm
Forum: madExcept
Topic: SMPT send problem with port 465/587
Replies: 2
Views: 1313

Re: SMPT send problem with port 465/587

Completely agree with Madshi on this one. HTTP would be the best way to go given your circumstances.

--Iconic
by iconic
Thu Aug 06, 2020 11:11 pm
Forum: madCodeHook
Topic: not injecting into the system process
Replies: 11
Views: 6289

Re: not injecting into the system process

Hi Bevan, I'm familiar with those linker flag options, especially /integritycheck. I use a kernel call to ObRegisterCallbacks() a lot in drivers to protect the thread and process object, ObRegisterCallbacks() will completely fail if /integritycheck isn't specified. Definitely appears to be CI relate...
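One check a practitioner wants after reading this: confirm that the built driver or DLL really carries the flag that /integritycheck sets, IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (0x0080) in the optional header's DllCharacteristics field. The parser below is an added example in portable C, not madCodeHook code; it reads the field straight from the PE headers (offset 70 into the optional header for both PE32 and PE32+), and the second function builds a constructed, minimal PE32+ header purely as test input, so nothing here needs a real binary or Windows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080   /* set by link.exe /integritycheck */

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((uint16_t)p[0] | ((uint16_t)p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 if the image was linked with /integritycheck, 0 if not,
 * -1 if the buffer is not a well-formed PE image (every offset is bounds-checked). */
int pe_has_force_integrity(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return -1;
    uint32_t e_lfanew = rd32(img + 0x3C);
    /* need "PE\0\0" (4) + COFF header (20) + optional header through DllCharacteristics (72) */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72)
        return -1;
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0)
        return -1;
    uint16_t size_of_optional = rd16(nt + 4 + 16);   /* COFF header field at offset 16 */
    if (size_of_optional < 72)
        return -1;
    const uint8_t *opt = nt + 24;
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B)            /* PE32 / PE32+ */
        return -1;
    uint16_t dll_characteristics = rd16(opt + 70);   /* same offset in both formats */
    return (dll_characteristics & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY) ? 1 : 0;
}

/* Constructed test data: a minimal PE32+ header skeleton with the given
 * DllCharacteristics. Not a loadable image, just enough for the parser above.
 * Returns bytes written, or 0 if cap is too small. */
size_t build_minimal_pe(uint8_t *buf, size_t cap, uint16_t dll_characteristics)
{
    const uint32_t e_lfanew = 0x80;
    const size_t total = e_lfanew + 4 + 20 + 240;   /* 240 = PE32+ optional header size */
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x80;                                /* e_lfanew, little-endian */
    uint8_t *nt = buf + e_lfanew;
    memcpy(nt, "PE\0\0", 4);
    nt[4] = 0x64; nt[5] = 0x86;                      /* Machine = 0x8664 (AMD64) */
    nt[20] = 240; nt[21] = 0;                        /* SizeOfOptionalHeader */
    uint8_t *opt = nt + 24;
    opt[0] = 0x0B; opt[1] = 0x02;                    /* Magic = 0x20B (PE32+) */
    opt[70] = (uint8_t)(dll_characteristics & 0xFF);
    opt[71] = (uint8_t)(dll_characteristics >> 8);
    return total;
}

int main(void)
{
    uint8_t img[512];
    size_t n = build_minimal_pe(img, sizeof img, 0x0160 | IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY);
    printf("with /integritycheck: %d\n", pe_has_force_integrity(img, n));
    n = build_minimal_pe(img, sizeof img, 0x0160);
    printf("without /integritycheck: %d\n", pe_has_force_integrity(img, n));
    return 0;
}
```

To run it on a real file, read the DLL or .sys into a buffer and pass it to pe_has_force_integrity; a 0 means the linker flag was never applied, which is a different failure from a bad or untrusted signature and worth ruling out first.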
by iconic
Thu Aug 06, 2020 10:20 pm
Forum: madCodeHook
Topic: not injecting into the system process
Replies: 11
Views: 6289

Re: not injecting into the system process

Thanks for posting your event information. After looking at it I don't think this has anything to do with opening the system process and is specifically a CI error for code integrity of your injected DLL file. SYSTEM just attempts to verify it. So, it sounds more like your signature for your DLL has...
by iconic
Thu Aug 06, 2020 10:02 pm
Forum: madCodeHook
Topic: not injecting into the system process
Replies: 11
Views: 6289

Re: not injecting into the system process

Ok, great :D We can add this to the to-do list then.

--Iconic
by iconic
Thu Aug 06, 2020 9:42 pm
Forum: madCodeHook
Topic: not injecting into the system process
Replies: 11
Views: 6289

Re: not injecting into the system process

Hey Mathias, I'm talking about the OS hardcoded process ids of 0 and 4, they're static. In Windows 2000 SYSTEM process id is 8 but on XP+ it's always 4. So, by looking at the process id alone it can be determined if it will create a failed security audit entry. That's what I was saying. Neither proc...
by iconic
Thu Aug 06, 2020 9:01 pm
Forum: madCodeHook
Topic: not injecting into the system process
Replies: 11
Views: 6289

Re: not injecting into the system process

Hi Bevan, I ran a few tests and do see that MCH is indeed opening the SYSTEM process when attempting to inject system-wide. Actually, even PID 0 (System Idle Process) is attempted as well. Of course with SYSTEM the return of NtOpenProcess() is (NTSTATUS)0xC0000022 which is STATUS_ACCESS_DENIED. So, ...
by iconic
Thu Aug 06, 2020 5:24 am
Forum: madCodeHook
Topic: not injecting into the system process
Replies: 11
Views: 6289

Re: not injecting into the system process

Hello, I’ll run some tests later today and see. Worst case we may update the code to dismiss pid 4 (XP and above) or pid 8 (Win2K). They cannot be injected successfully anyhow. What OS are you seeing the audit details in the event viewer? Legacy OSes like XP? P.S: Can you also try excluding the name...