Going Native – Malicious Native Applications « The Wiert Corner

All categories

February 2025
M	T	W	T	F	S	S
	1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28

Going Native – Malicious Native Applications

Posted by jpluimers on 2025/02/25

On the reading list wondering which tool chains can deliver NtAPI based development: [Wayback/Archive] Going Native – Malicious Native Applications

Via [Wayback/Archive] Thread by @MrPc69257431 on Thread Reader App with first tweet at

https://x.com/MrPc69257431/status/1864855379651498292

Note that being able to call NtAPI from your code base does not mean NtAPI based development: Pure NtAPI means you need a linker that can target a different output. See the quote from the above article (emphasis mine):

So, to get started with an empty native executable, all we have to do is include the “phnt.h” file, and set up the NtProcessStartup function. Then it’s important to tell the linker that we want to link against ntdll, and that we’ll be making a native application by passing in the “Native” text to the Subsystem linker option

It means that for instance Delphi is kind of out of the question for this, see these links on why:

[Wayback/Archive] Can we call Native Windows API from Delphi? – Stack Overflow (showing an example of calling NtAPI from a Delphi console application)
- Yes, there is Jedi Apilib, which did not get migrated to [Wayback/Archive] project-jedi repositories · GitHub and is still only on SourceForge (which regrettably tries its best not to be in archived in Wayback Machine and Archive Today thereby making it de facto lost for posterity) at [Wayback/Archive] JEDI API Library & Security Code Library download | SourceForge.net, and a non-maintained GitHub fork [Wayback/Archive] GitHub – ccy/jedi-apilib: The JWA library aims to provide a conversion from C to Delphi of as many headers as possible from the PSDK etc. The JWSCL (security library) is an advanced object-oriented framework for programming with the Windows security features (ACL, Tokens, etc.).
- The above mentions [Wayback/Archive] bitbucket.org/assarbad/objmgr-viewer/src/default/ – 404 — Bitbucket (BitBucket is almost as bad as SourceForge, just for having deleted all Mercurial based repositories in stead of providing downloadable archive), but luckily is at [Wayback/Archive] Mercurial Bitbucket Archive | assarbad/objmgr-viewer archive under [Wayback/Archive] Mercurial Bitbucket Archive | Projects starting with ‘as’ together with these repositories:
[Wayback/Archive] GitHub – diversenok/NtUtilsLibrary: Delphi library for system programming on Windows using Native API is a still maintained Delphi library with NtAPI interfaces; example usage is at [Wayback/Archive] GitHub – diversenok/NtUtilsLibrary-Examples: Code of samples for NtUtilsLibrary.
[Wayback/Archive] c++ – Can I write Windows drivers with Delphi 2010? – Stack Overflow
A

It may be technically possible to write some drivers with Delphi, but as far as a general answer goes, I’d say: you can’t easily write drivers with Delphi.

First, there’s a difference between user-mode driver (UMDF) drivers and kernel-mode (KMDF) drivers. UMDF drivers should be possible with Delphi. KMDF drivers aren’t easily possible though, because

1) Delphi’s linker can’t produce them and

2) Delphi’s object file format is different from the COFF format the Microsoft linker uses by default.

3) Delphi’s RTL makes the assumption it lives in user-mode and may do certain things that one shouldn’t do in kernel-land (I think e.g. of the way exceptions are handled; also different memory management), so you’d have to be very careful on which RTL functions are safe to use. There are also difficulties with System and SysInit units (see the comment by Ritsaert Hornstra to another answer here).

I’m not saying these aren’t problems that cannot be overcome (cf. the post you link to) if you’re really dedicated, but it won’t be straightforward.

Secondly, KMDF drivers (I don’t know about UMDF, actually – can anyone comment?) for Win64 have to be in 64-bit code. Since currently, there is no 64-bit Delphi compiler, writing them is a definite no-no.

C

Even the System unit and SysInit that are ALWAYS included in the generated module, some external symbols are used that are not usuable within a kernel. Eg it is quite a feat to get Delphi generated code support the external dependency requirement.

A
I’ve found some links that may help you:
- w-shadow.com/blog/2006/10/12/writing-drivers-in-delphi/
- www.delphibasics.info/home/delphibasicsprojects/advanceddelphidriverdevelopmentkit
- ~~www.kmdkit4d.net/index.jsp (in Chinese)~~ (dead link)
A

I agree with both previous answers. I’ve actually done it in a special case: A print monitor. It’s a special case of driver that runs in user mode, and I could write one in Delphi. There was definitely some benefits in using Delphi there.

But the last pitfall that wasn’t mentioned yet (I think) is that you need to translate zillions of complex structures and macros from DDK header files. Translating some convoluted macros, in particular, can be very tricky.
Note that the 64-bit argument has been moot for a while, but the other arguments still hold.
As mentioned above, [Wayback/Archive] Delphi驱动(Pascal vs C Delphi vs C++) (kmdkit4d) is down now. It was the base of [Wayback/Archive] DelphiBasics – Advanced Delphi Driver Development Kit, so that doesn’t work any more.
[Wayback/Archive] Writing Drivers in Delphi | W-Shadow.com also has their download gone, but it is still available from the Wayback Machine as web.archive.org/web/20101226215720/http://w-shadow.com/files/DDDK004.zip. It was also mentioned in [Wayback/Archive] DelphiBasics – Delphi Driver Development Kit which seems to indicate it is Delphi 2007 and lower only.

Queries:

--jeroen

https://x.com/MrPc69257431/status/1864855379651498292

This entry was posted on 2025/02/25 at 18:00 and is filed under Conference Topics, Conferences, Delphi, Development, Event, Software Development, Windows Development. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

	Lars Fosdal on Security alarm provider Woonve…
	Thomas Mueller on Question got closed in May 202…
	Thaddy de Koning on Formulier voor bewindvoerders…
	Thaddy de Koning on Formulier voor bewindvoerders…
	Thaddy de Koning on Formulier voor bewindvoerders…

The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

Twitter Updates

My Flickr Stream

Pages

All categories

Email Subscription

Going Native – Malicious Native Applications

A

C

A

A

Leave a comment Cancel reply

The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

Twitter Updates

My Flickr Stream

Pages

All categories

Email Subscription

Going Native – Malicious Native Applications

A

C

A

A

Rate this:

Share this:

Related

Leave a comment Cancel reply