Welcome to Valhalla Legends Archive.

SID_WARDEN S -> C 0x05

Started by UnknowN-TerroR, May 31, 2009, 04:51 AM


brew

I think that's because you didn't move the class pointer into ecx before calling, since it's a thiscall.

UnknowN-TerroR

#16
Quote from: brew on June 06, 2009, 06:21 PM
I think that's because you didn't move the class pointer into ecx before calling, since it's a thiscall.
I've switched to assembly:
_asm {
    mov ecx, dword ptr dwTable   ; loads the first 4 bytes stored at dwTable, not the table's address
    call A
}

It still crashes, but at a different wrong address.

Same here:
_asm {
    mov ecx, dword ptr dwTable
    call dword ptr A             ; indirect call through the address stored in A
}

Edit: I fully converted the code from C++ to C. Nothing changes.

UnknowN-TerroR

#17
SOLVED!

Wrong:
memset(&dwTable, 0, sizeof(FuncList));
dwTable.fpSendPacket = cSendPacket;
dwTable.fpCheckModule = cCheckModule;
dwTable.fpLoadModule = cLoadModule;
dwTable.fpAllocateMemory = cAllocateMemory;
dwTable.fpReleaseMemory = cReleaseMemory;
dwTable.fpSetRC4Data = cSetRC4Data;
dwTable.fpGetRC4Data = cGetRC4Data;

fpInitializeModule((DWORD*)&dwTable);       /* passes the address of the table itself */


RIGHT:
memset(&dwTable, 0, sizeof(FuncList));
dwTable.fpSendPacket = cSendPacket;
dwTable.fpCheckModule = cCheckModule;
dwTable.fpLoadModule = cLoadModule;
dwTable.fpAllocateMemory = cAllocateMemory;
dwTable.fpReleaseMemory = cReleaseMemory;
dwTable.fpSetRC4Data = cSetRC4Data;
dwTable.fpGetRC4Data = cGetRC4Data;
uint32 tableptr = (uint32)&dwTable;         /* a variable that holds the table's address */

fpInitializeModule((DWORD*)&tableptr);      /* passes the address of that variable */


Well... 3 days wasted. Thanks to all for your support.
I'm going to update this page
http://www.skullsecurity.org/wiki/index.php/Warden_Modules
so no one else will have this problem.

Simple C Warden module handler:
http://filebeam.com/f1489d8beca6c075933e558e150bf0fa

Edit: it works very well under Windows, but it still crashes in Wine...
Edit2: problems under Wine SOLVED! If you want to execute some code, you must use VirtualAlloc() with a specific flag.
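
Added example, not code from this post or from the linked handler: a portable version of the point in Edit2, that a module image must sit in memory mapped as executable before it is called. A heap buffer from malloc()/HeapAlloc() is not executable once DEP/NX applies, which is what Wine exposed. The post does not name the flag; this example assumes a PAGE_EXECUTE_* protection (VirtualAlloc/VirtualProtect on Windows, mmap/mprotect elsewhere) and, instead of a real Warden module, a constructed machine-code stub that returns 0x1234 so the demo runs offline. The function names are the example's own.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* Map `size` bytes read/write for the decoded module image. The image gets
 * its own mapping because ordinary heap memory cannot be made executable. */
void *module_alloc_rw(size_t size) {
#ifdef _WIN32
    return VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
#else
    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
#endif
}

/* Once the bytes are in place, drop write and add execute (W^X). Allocating
 * PAGE_EXECUTE_READWRITE up front also works, but leaves the module writable
 * while it runs. Returns 1 on success, 0 on failure. */
int module_make_executable(void *p, size_t size) {
#ifdef _WIN32
    DWORD old;
    if (!VirtualProtect(p, size, PAGE_EXECUTE_READ, &old)) return 0;
    return FlushInstructionCache(GetCurrentProcess(), p, size) != 0;
#else
    if (mprotect(p, size, PROT_READ | PROT_EXEC) != 0) return 0;
#if defined(__GNUC__)
    __builtin___clear_cache((char *)p, (char *)p + size);  /* icache sync (matters on ARM) */
#endif
    return 1;
#endif
}

void module_free(void *p, size_t size) {
#ifdef _WIN32
    (void)size;
    VirtualFree(p, 0, MEM_RELEASE);
#else
    munmap(p, size);
#endif
}

/* Constructed stand-in for a module entry point: machine code that returns
 * 0x1234. Returns NULL on architectures this demo does not cover. */
static const uint8_t *demo_stub(size_t *len) {
#if defined(__x86_64__) || defined(_M_X64) || defined(__i386__) || defined(_M_IX86)
    static const uint8_t stub[] = { 0xB8, 0x34, 0x12, 0x00, 0x00, 0xC3 };  /* mov eax, 0x1234 ; ret */
    *len = sizeof stub;
    return stub;
#elif defined(__aarch64__) || defined(_M_ARM64)
    static const uint8_t stub[] = { 0x80, 0x46, 0x82, 0x52, 0xC0, 0x03, 0x5F, 0xD6 };  /* movz w0, #0x1234 ; ret */
    *len = sizeof stub;
    return stub;
#else
    *len = 0;
    return NULL;
#endif
}

typedef int (*module_entry_fn)(void);

/* Load the stub the way a module image would be loaded: RW mapping, copy,
 * flip to RX, call. Returns the stub's result, or a negative code on failure. */
int run_module_demo(void) {
    size_t len;
    const uint8_t *stub = demo_stub(&len);
    if (stub == NULL) return -1;                 /* unsupported architecture */

    size_t size = 4096;                          /* one page is plenty for the stub */
    void *image = module_alloc_rw(size);
    if (image == NULL) return -2;

    memcpy(image, stub, len);
    if (!module_make_executable(image, size)) {
        module_free(image, size);
        return -3;
    }

    module_entry_fn entry;
    memcpy(&entry, &image, sizeof entry);       /* object pointer -> function pointer without a direct cast */
    int result = entry();

    module_free(image, size);
    return result;
}

int main(void) {
    int r = run_module_demo();
    printf("module returned 0x%x\n", r);
    return r == 0x1234 ? 0 : 1;
}
```

If the stub is copied into a malloc() buffer instead and called, the process faults on any system with NX enabled, which is the same symptom the post describes under Wine.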

Ringo

Quote from: UnknowN-TerroR on June 07, 2009, 03:57 AM

....
uint32 tableptr = (uint32)&dwTable;         /* a variable that holds the table's address */

fpInitializeModule((DWORD*)&tableptr);


Well... 3 days wasted. Thanks to all for your support.

I don't know why you wasted 3 days on that; the answer was already there. :)

IIRC, that is going to be a problem when calling other Warden module functions later on.
tableptr is on the stack.
You will be passing the stack address of tableptr to the init function, where the address of the callback table is stored.
Every time Warden needs to call one of those callback functions, it will access the table/list of functions through the address of tableptr.
So, for that reason, it's a good idea to make tableptr a static variable.

That's why I stored the address of the list in the list's last item, then passed the address of the last item in ecx (since the list is static).
Quote from: Ringo on May 31, 2009, 09:18 AM

....
    m_CallBack(7) = VarPtr(m_CallBack(0))
    'MOV    ECX, &Param
    'CALL   Address
    'RETN   16
    m_ModMem = ExecuteCode(bCode(), &HB9, VarPtr(m_CallBack(7)), _
                                    &H15FF, VarPtr(A), _
                                    &HC2, 16, 0)
End Sub

Notice that ecx gets the address of a variable that holds the address of the callback function list.
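
Added example, not code from the thread or from the linked handler: a portable C model of what post #17 and Ringo's reply describe. The module's init receives the address of a variable that holds the address of the callback table, keeps that address, and dereferences through it on every later callback, so the variable has to outlive the init call. The real ECX/thiscall plumbing is replaced by a plain FuncList ** parameter; module_init, the Frame struct that stands in for a stack frame, and the four-byte payload are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Host callback table, modelled on the FuncList from the thread. Only
 * fpSendPacket has a body here; the other slots are listed for shape. */
typedef struct FuncList {
    int  (*fpSendPacket)(const uint8_t *data, size_t len);
    void (*fpCheckModule)(void);
    void (*fpLoadModule)(void);
    void (*fpAllocateMemory)(void);
    void (*fpReleaseMemory)(void);
    void (*fpSetRC4Data)(void);
    void (*fpGetRC4Data)(void);
} FuncList;

/* ---- Simulated module -------------------------------------------------
 * The real init routine gets, in ECX, the address of a VARIABLE holding the
 * table's address and remembers that ECX value. Every later callback is
 * reached through two dereferences at call time.                          */
static FuncList **g_module_slot;            /* what the module kept from init */

void module_init(FuncList **table_slot) {
    g_module_slot = table_slot;             /* stores &tableptr, not &dwTable */
}

/* The module asks the host to send a packet. Returns the byte count, or -1
 * if the host's pointer variable no longer holds a table. A real module has
 * no such check and simply faults (the "wrong address" in the thread). */
int module_send_hello(void) {
    static const uint8_t pkt[] = { 0x01, 0x02, 0x03, 0x04 };   /* constructed payload */
    if (g_module_slot == NULL || *g_module_slot == NULL) return -1;
    return (*g_module_slot)->fpSendPacket(pkt, sizeof pkt);
}

/* ---- Host ------------------------------------------------------------- */
static int cSendPacket(const uint8_t *data, size_t len) {
    (void)data;                             /* a real client would write to the socket */
    return (int)len;
}

static FuncList dwTable;

static void fill_table(void) {
    memset(&dwTable, 0, sizeof dwTable);
    dwTable.fpSendPacket = cSendPacket;     /* other slots left NULL for the demo */
}

/* Post #17's fix with the wrong lifetime: the variable holding &dwTable is a
 * local, so its storage is reused as soon as the caller returns. The stack
 * frame is modelled as an explicit struct so the clobbering step can be shown
 * without undefined behaviour. */
typedef struct { FuncList *tableptr; } Frame;
static Frame g_frame;                       /* stands in for a stack frame */

static void init_with_stack_slot(void) {
    g_frame.tableptr = &dwTable;            /* uint32 tableptr = (uint32)&dwTable; */
    module_init(&g_frame.tableptr);         /* fpInitializeModule(&tableptr);      */
}

static void some_later_call(void) {
    memset(&g_frame, 0, sizeof g_frame);    /* a later call reuses that stack memory */
}

/* Ringo's point: the variable must outlive the module, so make it static. */
static FuncList *g_tableptr;

static void init_with_static_slot(void) {
    g_tableptr = &dwTable;
    module_init(&g_tableptr);
}

int demo_stack_slot(void) {
    fill_table();
    init_with_stack_slot();
    some_later_call();
    return module_send_hello();             /* -1: the module reads a dead slot */
}

int demo_static_slot(void) {
    fill_table();
    init_with_static_slot();
    some_later_call();                      /* does not touch the static slot */
    return module_send_hello();             /* 4: the callback is reached */
}

int main(void) {
    printf("stack slot : %d\n", demo_stack_slot());
    printf("static slot: %d\n", demo_static_slot());
    return 0;
}
```

The same rule applies to the table itself: dwTable and the variable that points at it both have to stay valid for as long as the module can call back, which is why both are file-scope here.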