The MASM Forum

General => The Campus => Topic started by: alex-rudenkiy on July 04, 2017, 08:19:25 AM

Title: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: alex-rudenkiy on July 04, 2017, 08:19:25 AM
What to do if there is no VirtualProtectFromApp in masm libraries? :(
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: jj2007 on July 04, 2017, 08:35:12 AM
Don't worry, for any standard program you will never need such an exotic function 8)
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: hutch-- on July 04, 2017, 02:00:38 PM
Alex,

Write your own.  :P
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: aw27 on July 04, 2017, 02:56:27 PM
And don't dare to use the Windows SDK libs.  :badgrin: :badgrin:
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: TWell on July 04, 2017, 03:42:00 PM
use it in dynamic way, using LoadLibrary/GetProcAddress
or make your own additional lib for kernel32 with polib.exe

example: kernel32_10.def
Code: [Select]
LIBRARY KernelBase.dll
EXPORTS
_VirtualProtectFromApp@16=VirtualProtectFromApp

EDIT: fix for wrong dll
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: jj2007 on July 04, 2017, 04:53:24 PM
And, most important: show us your full code. We are a curious bunch :badgrin:
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: Vortex on July 05, 2017, 04:55:07 AM
VirtualProtectFromApp :

https://msdn.microsoft.com/en-us/library/windows/desktop/mt169846%28v=vs.85%29.aspx

Quote
Minimum supported client
Windows 10 [desktop apps | UWP apps]
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: aw27 on July 05, 2017, 05:15:53 PM
The funny part is that I don't see this VirtualProtectFromApp in the Windows 10 kernel32.dll, it is also not available in the distributed Windows 10 Kit kernel32.lib. Of course, I am missing an obvious thing, I simply don't know what.
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: TWell on July 05, 2017, 05:56:30 PM
In Windows 10, it is in KernelBase.dll
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: aw27 on July 05, 2017, 06:04:28 PM
Quote
In Windows 10, it is in KernelBase.dll
Yeap  :t, but still not in the supplied libs.
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: adeyblue on July 09, 2017, 06:03:08 AM
Quote
Yeap  :t, but still not in the supplied libs.
It is, quite a few of them
Code: [Select]
G:\SDK\10\Lib\10.0.14393.0\um\x86>findstr /M "VirtualProtectFromApp" *
mincore.lib
OneCore.Lib
OneCoreUAP.Lib
WindowsApp.lib
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: aw27 on July 09, 2017, 02:40:44 PM
Quote
Yeap  :t, but still not in the supplied libs.
It is, quite a few of them
Code: [Select]
G:\SDK\10\Lib\10.0.14393.0\um\x86>findstr /M "VirtualProtectFromApp" *
mincore.lib
OneCore.Lib
OneCoreUAP.Lib
WindowsApp.lib

Wow, probably Microsoft <does not> know about that:
VirtualProtectFromApp function (https://msdn.microsoft.com/en-us/library/windows/desktop/mt169846(v=vs.85).aspx)
Library: Kernel32.lib
DLL: Kernel32.dll
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: TWell on July 09, 2017, 06:33:31 PM
API Sets for Universal Windows Platform (UWP) apps (https://msdn.microsoft.com/en-us/library/windows/desktop/mt186421(v=vs.85).aspx)
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: Vortex on July 09, 2017, 07:36:55 PM
What's the minimum build number of Windows 10 supporting VirtualProtectFromApp?

Code: [Select]
GetFileVersion.exe .\kernel32.dll
10.0.14393.0

\PellesC\bin\podump.exe /EXPORTS .\kernel32.dll | findstr "VirtualProtectFromApp"
No result
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: jj2007 on July 09, 2017, 08:02:52 PM
It works:
Code: [Select]
include \Masm32\MasmBasic\Res\JBasic.inc ; ## builds in 32- or 64-bit mode with ML64, Uasm etc
OldProtection dd ?

jd@150 equ KernelBase ; a little hack for a missing WinAPI,
j@VirtualProtectFromApp equ jbNextApi/150:s1111 ; may be refined in the near future

Init ; OPT_64 1 ; put 0 for 32 bit, 1 for 64 bit assembly
  PrintLine Chr$("This code was assembled with ", @AsmUsed$(1), " in ", jbit$, "-bit format")
  mov rbx, rv(VirtualAlloc, 0, 4096, MEM_RESERVE or MEM_COMMIT, PAGE_NOACCESS)
  usedeb=1
  deb 4, "VirtualAlloc:", x:rbx
  jinvoke VirtualProtectFromApp, rbx, 1024, PAGE_EXECUTE_READWRITE, addr OldProtection
  deb 4, "VirtualProtectFromApp:", rax, OldProtection
  PrintLine Err$()
  Inkey Chr$(jbit$, "-bit assembly is easy, it seems...")
EndOfCode

Code: [Select]
This code was assembled with HJWasm32 in 64-bit format
VirtualAlloc:   x:rbx   1b0000h
VirtualProtectFromApp:
rax     1
OldProtection   1

Can't find the key etc.

The error message is irrelevant, since rax is non-zero.

Same for the 32-bit version. This is Windows version 10.0, build 15063.
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: TWell on July 09, 2017, 09:49:17 PM
It is in KernelBase.dll.
Quote
What's the minimum build number of Windows 10 supporting VirtualProtectFromApp?
Quote
VirtualProtectFromApp   Introduced into api-ms-win-core-memory-l1-1-3.dll in Windows 10.0.10240.0
VirtualProtectFromApp   Introduced into api-ms-win-core-memory-l1-1-4.dll in Windows 10.0.14393.0
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: Vortex on July 09, 2017, 10:14:41 PM
Hi TWell,

Thanks for the info. Checking now KernelBase.dll, I see that VirtualProtectFromApp is exported by this DLL. It looks like the MS documentation is not correct.
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: jj2007 on July 09, 2017, 10:47:37 PM
Quote
It is in KernelBase.dll

Yes indeed.

jd@150 equ KernelBase            ; a little hack for a missing WinAPI

One problem is that even a call to MessageBoxA seems to be RIP-relative.

Code: [Select]
.code
ToBeCopied:
  push rax
  jinvoke MessageBox, 0, rsi, rdi, MB_OK
  pop rdx
retn

Original:
Code: [Select]
0000000140001002 | 50                     | push rax                           |
0000000140001003 | 90                     | nop                                |
0000000140001004 | 45 33 C9               | xor r9d, r9d                       |
0000000140001007 | 4C 8B C7               | mov r8, rdi                        | rdi:"MessageBox:"
000000014000100A | 48 8B D6               | mov rdx, rsi                       | rsi:"Hello World"
000000014000100D | 33 C9                  | xor ecx, ecx                       |
000000014000100F | FF 15 C3 23 00 00      | call qword ptr ds:[<&MessageBoxA>] |
0000000140001015 | 5A                     | pop rdx                            |
0000000140001016 | C3                     | ret                                |

Copy:
Code: [Select]
0000000000180000 | 50                     | push rax                           |
0000000000180001 | 90                     | nop                                |
0000000000180002 | 45 33 C9               | xor r9d, r9d                       |
0000000000180005 | 4C 8B C7               | mov r8, rdi                        | rdi:"MessageBox:"
0000000000180008 | 48 8B D6               | mov rdx, rsi                       | rsi:"Hello World"
000000000018000B | 33 C9                  | xor ecx, ecx                       |
000000000018000D | FF 15 C3 23 00 00      | call qword ptr ds:[1823D6]         |  <<<<<<<<<<<<<<<<< NO LUCK HERE
0000000000180013 | 5A                     | pop rdx                            |
0000000000180014 | C3                     | ret                                |
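The listing above shows exactly why the copied routine fails: `FF 15 C3 23 00 00` is `call qword ptr [rip+0x23C3]`, so the operand is resolved relative to the address of the next instruction, and once the bytes live at 180000h the displacement no longer lands on the MessageBoxA import slot. The following scanner is an added example, not code from jj2007 or the MasmBasic project: it walks a byte sequence with a deliberately tiny x86-64 decoder (REX prefix, push/pop, nop, ret, a few ModRM forms, `FF /2` call, `FF /4` jmp, `E8`/`E9` rel32) and reports each instruction whose target is encoded relative to the instruction pointer, together with where that target ends up after relocation. The bytes and the two base addresses are transcribed from the x64dbg listings in the post; the decoder only understands the opcodes listed and raises on anything else.

```python
"""Relocation-hazard scanner for a small x86-64 byte sequence (added example)."""
import struct

ONE_BYTE = {0x90: "nop", 0xC3: "ret"}
# opcode -> mnemonic for two-operand forms that carry a ModRM byte and no immediate
MODRM_OPS = {0x01: "add", 0x03: "add", 0x29: "sub", 0x2B: "sub", 0x31: "xor",
             0x33: "xor", 0x39: "cmp", 0x3B: "cmp", 0x85: "test", 0x87: "xchg",
             0x89: "mov", 0x8B: "mov", 0x8D: "lea"}
FF_GROUP = {0: "inc", 1: "dec", 2: "call", 4: "jmp", 6: "push"}  # FF /digit

# Bytes transcribed from the "Original" listing above, starting at 0x140001002.
ORIGINAL_BASE = 0x140001002
COPY_BASE = 0x180000                  # VirtualAlloc'ed destination from the "Copy" listing
LISTING_BYTES = bytes.fromhex(
    "50"                  # push rax
    "90"                  # nop
    "4533C9"              # xor r9d, r9d
    "4C8BC7"              # mov r8, rdi
    "488BD6"              # mov rdx, rsi
    "33C9"                # xor ecx, ecx
    "FF15C3230000"        # call qword ptr [rip+0x23C3]  (IAT slot of MessageBoxA)
    "5A"                  # pop rdx
    "C3"                  # ret
)


def _modrm(code, i):
    """Decode ModRM(+SIB,+disp) at code[i]; return (bytes consumed, reg field, rip_disp or None)."""
    modrm = code[i]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    n, rip_disp = 1, None
    if mod == 3:                       # register operand, nothing else follows
        return n, reg, None
    if rm == 4:                        # SIB byte present
        sib = code[i + 1]
        n += 1
        if mod == 0 and (sib & 7) == 5:
            n += 4                     # base-less SIB carries a disp32
    elif mod == 0 and rm == 5:         # [rip + disp32] in 64-bit mode
        rip_disp = struct.unpack_from("<i", code, i + 1)[0]
        n += 4
    if mod == 1:
        n += 1
    elif mod == 2:
        n += 4
    return n, reg, rip_disp


def decode(code, base):
    """Linear sweep; each entry records whether the instruction's target is IP-relative."""
    insns, i = [], 0
    while i < len(code):
        start = i
        if 0x40 <= code[i] <= 0x4F:    # REX prefix: changes register width/numbering only
            i += 1
        op = code[i]
        i += 1
        rip_disp = rel = None
        if op in ONE_BYTE:
            name = ONE_BYTE[op]
        elif 0x50 <= op <= 0x57:
            name = "push reg"
        elif 0x58 <= op <= 0x5F:
            name = "pop reg"
        elif op in MODRM_OPS:
            n, _, rip_disp = _modrm(code, i)
            name, i = MODRM_OPS[op], i + n
        elif op == 0xFF:
            n, reg, rip_disp = _modrm(code, i)
            if reg not in FF_GROUP:
                raise ValueError(f"unsupported FF /{reg} at offset {start}")
            name, i = FF_GROUP[reg], i + n
        elif op in (0xE8, 0xE9):
            rel = struct.unpack_from("<i", code, i)[0]
            name, i = ("call rel32" if op == 0xE8 else "jmp rel32"), i + 4
        else:
            raise ValueError(f"unsupported opcode 0x{op:02X} at offset {start}")
        disp = rip_disp if rip_disp is not None else rel
        target = None if disp is None else base + i + disp   # relative to the *next* instruction
        insns.append({"offset": start, "length": i - start, "name": name, "target": target})
    return insns


def relocation_hazards(code, orig_base, new_base):
    """Instructions whose IP-relative target lies outside the block and so breaks when copied."""
    hazards = []
    for ins in decode(code, orig_base):
        if ins["target"] is None:
            continue
        if orig_base <= ins["target"] < orig_base + len(code):
            continue                   # intra-block target moves together with the copy
        hazards.append({
            "name": ins["name"],
            "orig_addr": orig_base + ins["offset"],
            "copy_addr": new_base + ins["offset"],
            "orig_target": ins["target"],
            "copy_target": ins["target"] + (new_base - orig_base),
        })
    return hazards


if __name__ == "__main__":
    for h in relocation_hazards(LISTING_BYTES, ORIGINAL_BASE, COPY_BASE):
        print(f"{h['name']} at {h['orig_addr']:X} -> [{h['orig_target']:X}]; "
              f"copy at {h['copy_addr']:X} would read [{h['copy_target']:X}]")
```

Run against the listing bytes it reports the single `call` at 14000100Fh, whose operand resolves to 1400033D8h in the original image and to 1823D6h in the copy, the same value x64dbg shows in the "NO LUCK HERE" line. Anything the scanner flags has to be rewritten in a position-independent form before the routine is copied, which is what the register-indirect `call qword ptr r12` in the later post does.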
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: aw27 on July 10, 2017, 12:36:21 AM
This is an example which will execute some code from the data segment.

Code: [Select]
.686
.model flat, stdcall
option casemap :none 

includelib \masm32\lib\msvcrt.lib
printf PROTO C :VARARG
includelib \masm32\lib\kernel32.lib
LoadLibraryA proto stdcall  :ptr
GetProcAddress proto stdcall : dword, : ptr
ExitProcess   proto stdcall :dword

PAGE_EXECUTE equ 10h
PAGE_READWRITE equ 4h
PAGE_EXECUTE_READWRITE equ 40h

.data
tobeexecuted dw 0c3c9h ; leave, ret
LibName db "kernelbase.dll",0
ProcName db "VirtualProtectFromApp",0
OldProtection dd 0
msg1 db "OldProtection before %d",13,10,0
msg2 db "OldProtection after %d",13,10,0
msg3 db "Call result %d",13,10,0
msg4 db "This shall not be executed", 13, 10,0

.code

proc1 Proc
invoke LoadLibraryA, offset LibName
invoke GetProcAddress, eax, offset ProcName
.if eax==0
ret ; Probably not Windows 10
.endif
mov ebx, eax
invoke printf, offset msg1, OldProtection
push offset OldProtection
push PAGE_EXECUTE_READWRITE
push 2
push offset tobeexecuted

call ebx
mov ebx, eax

invoke printf, offset msg2, OldProtection ; should be 4 (PAGE_READWRITE)
invoke printf, offset msg3, ebx ; Success = positive value
mov eax, offset tobeexecuted ; Try to execute from data segment!
jmp eax
invoke printf, offset msg4
ret
proc1 endp

main Proc

invoke proc1
xor eax, eax
push eax
call ExitProcess

main endp
end main
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: aw27 on July 10, 2017, 01:49:18 AM
A similar example which will execute some code from the stack (sort of shellcode):

Code: [Select]
.686
.model flat, stdcall
option casemap :none 

includelib \masm32\lib\msvcrt.lib
printf PROTO C :VARARG
includelib \masm32\lib\kernel32.lib
LoadLibraryA proto stdcall  :ptr
GetProcAddress proto stdcall : dword, : ptr
ExitProcess   proto stdcall :dword

PAGE_EXECUTE equ 10h
PAGE_READWRITE equ 4h
PAGE_EXECUTE_READ equ 20h
PAGE_EXECUTE_READWRITE equ 40h

.data

LibName db "kernelbase.dll",0
ProcName db "VirtualProtectFromApp",0
OldProtection dd 0
msg1 db "OldProtection before %d",13,10,0
msg2 db "OldProtection after %d",13,10,0
msg3 db "Call result %d",13,10,0
msg4 db "This shall not be executed", 13, 10,0

.code

proc1 Proc
LOCAL execStack : word
invoke LoadLibraryA, offset LibName
invoke GetProcAddress, eax, offset ProcName
.if eax==0
ret ; Probably not Windows 10
.endif
mov ebx, eax
invoke printf, offset msg1, OldProtection
push offset OldProtection
push PAGE_EXECUTE_READWRITE
push 2

lea eax, execStack
push eax

call ebx
mov ebx, eax

invoke printf, offset msg2, OldProtection ; should be 4 (PAGE_READWRITE)
invoke printf, offset msg3, ebx ; Success = positive value
mov ax, 0c3c9h
mov word ptr execStack, ax
lea eax, execStack ; Try to execute from the stack
jmp eax
invoke printf, offset msg4
ret
proc1 endp

main Proc

invoke proc1
xor eax, eax
push eax
call ExitProcess

main endp
end main
Title: Re: What to do if there is no VirtualProtectFromApp in masm libraries?
Post by: jj2007 on July 11, 2017, 09:32:32 AM
Here is one with a MessageBox executed in a VirtualAlloc'ed area, in 64-bit code:

Code: [Select]
include \Masm32\MasmBasic\Res\JBasic.inc            ; requires MasmBasic of 11 July 17 (http://masm32.com/board/index.php?topic=94.0)
OldProtection   dd ?

jd@150 equ KernelBase                               ; a little hack for a missing WinAPI,
j@VirtualProtectFromApp equ jbNextApi/150:s1111     ; may be refined in the near future

.code
ToBeCopied:
  push rax                      ; align 16 (no stack frame...)
  xor r9d, r9d
  mov r8, rdi
  mov rdx, rsi
  xor ecx, ecx
  call qword ptr r12            ; jinvoke MessageBox, 0, rsi, rdi, MB_OK
  pop rdx
  retn

Init
  PrintLine Chr$("This code was assembled with ", @AsmUsed$(1), " in ", jbit$, "-bit format")
  mov rdi, Chr$("MessageBox:")  ; title
  mov rsi, Chr$("Hello World")  ; text
  mov r12, rv(MessageBoxA, @address)    ; address of MessageBox in the DLL
  call ToBeCopied               ; test the routine "in place"
 
  mov rbx, rv(VirtualAlloc, 0, 4096, MEM_RESERVE or MEM_COMMIT, PAGE_NOACCESS)

  lea rsi, ToBeCopied           ; source
  mov rdi, rbx                  ; dest
  jinvoke VirtualProtectFromApp, rbx, 1024, PAGE_EXECUTE_READWRITE, addr OldProtection

  mov ecx, 20                   ; the routine has 17 bytes
  rep movsb

  mov rsi, Chr$("Hello Virtual World")
  mov rdi, Chr$("MessageBox again:")
  Print Chr$(jbit$, "-bit assembly is easy, it seems...")
  call rbx                      ; run the copied routine
EndOfCode