
Read 2 bytes for SSN #14


Open: wants to merge 1 commit into main

Conversation


@0xflux 0xflux commented May 27, 2024

Hey,

I noticed your GetSSN function was reading only the first byte (index position 4) for the SSN number - however, SSNs are two bytes in length, meaning if you were to make a syscall with an SSN larger than 255, you would get a runtime exception as you are calling the wrong function in the Kernel.

Demonstrated as below:

Choosing an NT function at random where SSN > 255:

[image: table]

You can also see it here in x64dbg:

NtSystemDebugControl

Original call would resolve this to decimal 205 (0xcd)

[image: before]

However, the correct SSN for this on my current Windows build is 461 (0x1cd) - fixing the bug:

[image: after]

Tested with both direct and indirect syscall projects:

Direct

[image: 1byte]

Indirect

[image: indirect]

Hopefully this makes sense! Happy to answer any other questions or engage further!

Correctly reads 2 bytes instead of 1 byte from the SSN - previously, if the SSN was larger than 255 the incorrect SSN would be read, leading to an exception at runtime.
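The bug described in this PR, as an added example that is not part of the PR or the project's own code: a small parser over a constructed x64 `ntdll`-style syscall stub (`mov r10, rcx; mov eax, imm32; syscall; ret`) showing the one-byte read beside the two-byte read. The stub bytes, the `make_stub` fixture and the `read_ssn*` function names are assumptions made here for illustration. The immediate after `B8` is 32 bits wide; real SSNs fit in 16 bits, so reading the two low bytes little-endian, as the PR does, recovers the full number, while reading only index 4 silently truncates anything above 255 (461 = 0x1CD becomes 0xCD = 205, the exact values in the PR). The reader also refuses to parse a stub whose first bytes are not the expected prologue, so a patched or unexpected stub produces an error rather than a plausible-looking wrong number.

```python
import struct

# Constructed example, not copied from a real ntdll:
#   4C 8B D1        mov r10, rcx
#   B8 xx xx xx xx  mov eax, <SSN>  (32-bit little-endian immediate at offset 4)
#   0F 05           syscall
#   C3              ret
STUB_PROLOGUE = bytes([0x4C, 0x8B, 0xD1, 0xB8])
SSN_OFFSET = 4  # index of the first immediate byte, as in the PR text


def make_stub(ssn: int) -> bytes:
    """Build a stub for the given SSN (test fixture only)."""
    if not 0 <= ssn <= 0xFFFF:
        raise ValueError("SSN out of 16-bit range")
    return STUB_PROLOGUE + struct.pack("<I", ssn) + bytes([0x0F, 0x05, 0xC3])


def read_ssn_one_byte(stub: bytes) -> int:
    """The read the PR replaces: only the low byte of the immediate.
    Correct for SSN <= 255, silently wrong above that."""
    return stub[SSN_OFFSET]


def read_ssn(stub: bytes) -> int:
    """The fixed read: two little-endian bytes at offset 4.
    Rejects a stub whose prologue is not the expected mov r10/mov eax pattern."""
    if len(stub) < SSN_OFFSET + 2 or stub[:len(STUB_PROLOGUE)] != STUB_PROLOGUE:
        raise ValueError("unexpected stub prologue; refusing to parse SSN")
    return struct.unpack_from("<H", stub, SSN_OFFSET)[0]


def truncation_error(ssn: int) -> int:
    """How far the one-byte read is from the true SSN (0 means the two agree)."""
    stub = make_stub(ssn)
    return read_ssn(stub) - read_ssn_one_byte(stub)


if __name__ == "__main__":
    # Walk through the PR's own numbers: 461 (0x1CD) vs the truncated 205 (0xCD).
    for ssn in (5, 205, 256, 461):
        stub = make_stub(ssn)
        print(f"SSN {ssn:>4} (0x{ssn:03X}): 1-byte read -> {read_ssn_one_byte(stub):>4}, "
              f"2-byte read -> {read_ssn(stub):>4}, error {truncation_error(ssn)}")
```

The comparison shows why the bug stays hidden in tests that only exercise low-numbered functions: every SSN up to 255 reads identically both ways, and the mismatch only appears once the immediate's second byte is non-zero.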