All Activity

yes you call it inside a assembly loader app

Thanks again but I would like using IDM with my file name instead of using browser download itself. Just bad that its not possible so far. Anyway, I will try to continue testing the code. Thanks for helping @Kanes, I'm pretty sure next questions will come soon. greetz

From what I see it's not possible because IDM captures the download at the network level. you can try using fetch with a Blob to prevent IDM from intercepting <!DOCTYPE html> <html> <body> <script> let link_to_DL = "https://www.w3schools.com/html/mov_bbb.mp4"; let title = "Test Title.mp4"; let input = document.createElement("input"); input.type = "button"; input.value = link_to_DL; input.onclick = () => download(link_to_DL, title); document.body.appendChild(input).style.cursor = "pointer"; function download(fileURL, fileName) { fetch(fileURL) .then(res => res.blob()) .then(blob => { const a = document.createElement('a'); a.href = URL.createObjectURL(blob); a.download = fileName; a.click(); URL.revokeObjectURL(a.href); }) .catch(err => alert("Download error: " + err)); } </script> </body> </html>

OK thanks again for checking that. Seems that it works now but I have still a problem. I'm using a download manager IDM and this is not showing my custom name to save it and still uses the path file name "mov_bbb.mp4". If I disable IDM then it works and the browser does download the file with my custom "Test Title.mp4" name. Do you have a clue how to make it work that IDM uses my title name? greetz

Your code is actually correct, the issue isn't in the implementation itself but in the server's security policy. you're trying to download a resource from a different origin (cross-origin), and the server you're requesting it from has CORS restrictions or does not allow forced downloads via the Content-Disposition header Try Here: https://www.w3schools.com/js/tryit.asp?filename=tryjs_intro_inner_html <!DOCTYPE html> <html> <body> <script> let link_to_DL = "https://www.w3schools.com/html/mov_bbb.mp4"; let title = "Test Title.mp4" let input=document.createElement("input"); input.type="button"; input.value=link_to_DL; input.onclick = () => download(link_to_DL, title); document.body.appendChild(input).style.cursor = "pointer"; function download(URL, TITLE) { const a = document.createElement('a'); a.href = URL; a.download = TITLE; a.click(); } </script> </body> </html>

@Kanes Thanks for the code examples but it still does not work yet to use my string. Also if I test your code on.. https://jsfiddle.net/ ...then it will use the "mov_bbb.mp4" filename and not "Anystring.mp4". Just test it. My code is like this you can also test... let link_to_DL = "https://www.w3schools.com/html/mov_bbb.mp4"; let title = "Test Title.mp4" let input=document.createElement("input"); input.type="button"; input.value=link_to_DL; input.onclick = () => download(link_to_DL, title); document.body.appendChild(input).style.cursor = "pointer"; function download(URL, TITLE) { const a = document.createElement('a'); a.href = URL; a.download = TITLE; a.click(); } ...just JS code only. Its still using the "mov_bbb.mp4" name and not my title. greetz

@LCF-AT You can use the <a> download attribute <a href="/images/myw3schoolsimage.jpg" download="w3logo"> <button onclick="download()">Download</button> <script> function download() { const a = document.createElement('a'); a.href = "https://www.w3schools.com/images/myw3schoolsimage.jpg"; a.download = "Anystring.jpg"; a.click(); } </script> <source id="file123" src="https://www.w3schools.com/html/mov_bbb.mp4"> <button onclick="download()">Download</button> <script> function download() { const a = document.createElement('a'); a.href = document.getElementById('file123').src; a.download = "Anystring.mp4"; a.click(); } </script> https://www.w3schools.com/tags//att_a_download.asp

So I have another small question. I wrote a script to fetch a direct link to a file I can download like this... <source src="https://some_url.com/12345.pdf" ...> ...and if I execute it then it will download the file or download window does popup to save the file with the file name "12345.pdf". My question is how can I customize the file name it should use to download the file? Instead of using the original file name I would give it a other name. DOWNLOAD - BUTTON <-- I made what does execute the src URL and now I want to give it a other file name or tell the button / event using XY file name instead. Is that doable? I'm using the window.open(url) to execute the URL on button click but in API description it seems not doable to set a name for the file itself etc. Do you have any clue how to make it work? greetz

Thank you, I’ll definitely read it tonight! RIP Mark Ludwig 🪦 I still have his “The little black book of computer viruses” on my bedside table, bought from Amazon US more than 15 years ago!

i may banter a lil in the opening, but that is how i was taught when i was in highschool learning ASM from the ukranians and russians, bootkits from the chinese You give a short shoutout or point to be made and ya write and code Here, i use the LCRN (LCG) from the GiantBlack Book of Viruses (Physicist Dr. Mark Ludwig) and his 16-bit many hoops and recreated it for x86 (32 bit) VXWriteUp.pdf

loader not enough you need to call dll API

no create an assembly loader to load the dll and then use dnspy and the rest

Nice example @jackyjask Yes, assuming you have a way to load the unsigned driver (by exploiting a signed driver that is not black listed, or by running NT in test mode) and you are calling these APIs from the driver itself, this should work. I never tried it personally tho. So I’m not 100% sure and there could be further hitches.

you can't debug dll find exe that runs you dll

i have file ConfuserEx 1.6.0 . but it not exe only file .dll . how to do dubug

ZwOpenSection/ZwQuerySection eg

View File ByUndefined Protector V3 ByUndefined Protector V3 Anti Debugger Anti Dump Anti Tamper Anti Memory Anti Dll Inject Anti ILDasm Resources Compress String Encrypt ControlFlow Virtualization Renamer Virtualization Updated Task: Unpack Submitter Leopar36 Submitted 04/03/2025 Category UnPackMe (.NET)  

Yeah that’s the reason (and this is why I doubt in the first place that exploiting a “bring your own vulnerable driver” attack would succeed on recent NT versions, without at least a way to disable/bypass ASLR). That wasn’t a problem in XP tho, as ASRL have been introduced starting form Vista. Anyway I’m pretty sure that more advanced rootkits of that time, used to dynamically calculate these addresses.

but it's weird to have the same contant addr even between reboots? seems ASLr was introduced later on... ?

Hi Jacky, nope, on my XP sp3 VM the correct base address is 0x7C910000. In fact I had to patch GanDiao to strictly use that address, but eventually I figured out that it still managed to unmap ntdll even using that address (because is still part of the that memory region).

@Luca91 nice wite up, thanks! quick question: >0x7C920000 is the base address of ntdll.dll! is it the same on all other OSes as well? or just WinXP Sp3 32bit and thats it?

Yeah, it is not a "clean" process termination. The process will just crash. It is more an "instant crash" at the next ntdll memory access. Your code using ZwTerminateProcess is a much cleaner approach. After finishing this paper, I was wondering if such a driver can still be loaded on recent NT using a "bring your own vulnerable driver" attack. I don't have time to test it in one of my VMs right now... @boot may ask you a favor? Since you (apparently) are form China, can you confirm that my translation of the word "GanDiao" is actually accurate? ("Get rid of" / "Kill it"). Many thanks.

Except for using MmUnmapViewOfSection to cause other processes to crash. We can also use ZwTerminateProcess to kill a specified process, which may still be effective in some versions of Win10... e.g. Code snippets taken from an old project NTSTATUS ZwKillProcess(HANDLE pid) { HANDLE hProcess = NULL; CLIENT_ID ClientId; OBJECT_ATTRIBUTES oa; NTSTATUS status; ClientId.UniqueProcess = pid; ClientId.UniqueThread = 0; oa.Length = sizeof(oa); oa.RootDirectory = 0; oa.ObjectName = 0; oa.Attributes = 0; oa.SecurityDescriptor = 0; oa.SecurityQualityOfService = 0; status = ZwOpenProcess(&hProcess, 1, &oa, &ClientId); if (NT_SUCCESS(status)) { DbgPrint("OpenProcess success,pid: %d", hProcess); ZwTerminateProcess(hProcess, 0); ZwClose(hProcess); return status; }; DbgPrint("OpenProcess failed,pid: %d", hProcess); return FALSE; }