News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

What to do if there is no VirtualProtectFromApp in masm libraries?

Started by alex-rudenkiy, July 04, 2017, 08:19:25 AM

Previous topic - Next topic

TWell

It is in KernelBase.dll.
Quote from: Vortex on July 09, 2017, 07:36:55 PM
What's the minimum build number of Windows 10 supporting VirtualProtectFromApp?
QuoteVirtualProtectFromApp   Introduced into api-ms-win-core-memory-l1-1-3.dll in Windows 10.0.10240.0
VirtualProtectFromApp   Introduced into api-ms-win-core-memory-l1-1-4.dll in Windows 10.0.14393.0

Vortex

Hi TWell,

Thanks for the info. Checking now KernelBase.dll, I see that VirtualProtectFromApp is exported by this DLL. It looks like the MS documentation is not correct.

jj2007

Quote from: TWell on July 09, 2017, 09:49:17 PM
It is in KernelBase.dll

Yes indeed.

Quote from: jj2007 on July 09, 2017, 08:02:52 PM
jd@150 equ KernelBase            ; a little hack for a missing WinAPI

One problem is that even a call to MessageBoxA seems to be RIP-relative.

.code
ToBeCopied:
  push rax
  jinvoke MessageBox, 0, rsi, rdi, MB_OK
  pop rdx
retn


Original:
0000000140001002 | 50                     | push rax                           |
0000000140001003 | 90                     | nop                                |
0000000140001004 | 45 33 C9               | xor r9d, r9d                       |
0000000140001007 | 4C 8B C7               | mov r8, rdi                        | rdi:"MessageBox:"
000000014000100A | 48 8B D6               | mov rdx, rsi                       | rsi:"Hello World"
000000014000100D | 33 C9                  | xor ecx, ecx                       |
000000014000100F | FF 15 C3 23 00 00      | call qword ptr ds:[<&MessageBoxA>] |
0000000140001015 | 5A                     | pop rdx                            |
0000000140001016 | C3                     | ret                                |


Copy:
0000000000180000 | 50                     | push rax                           |
0000000000180001 | 90                     | nop                                |
0000000000180002 | 45 33 C9               | xor r9d, r9d                       |
0000000000180005 | 4C 8B C7               | mov r8, rdi                        | rdi:"MessageBox:"
0000000000180008 | 48 8B D6               | mov rdx, rsi                       | rsi:"Hello World"
000000000018000B | 33 C9                  | xor ecx, ecx                       |
000000000018000D | FF 15 C3 23 00 00      | call qword ptr ds:[1823D6]         |  <<<<<<<<<<<<<<<<< NO LUCK HERE
0000000000180013 | 5A                     | pop rdx                            |
0000000000180014 | C3                     | ret                                |

aw27

This is an example where will execute some code from the data segment.


.686
.model flat, stdcall
option casemap :none 

includelib \masm32\lib\msvcrt.lib
printf PROTO C :VARARG
includelib \masm32\lib\kernel32.lib
LoadLibraryA proto stdcall  :ptr
GetProcAddress proto stdcall : dword, : ptr
ExitProcess   proto stdcall :dword

PAGE_EXECUTE equ 10h
PAGE_READWRITE equ 4h
PAGE_EXECUTE_READWRITE equ 40h

.data
tobeexecuted dw 0c3c9h ; leave, ret
LibName db "kernelbase.dll",0
ProcName db "VirtualProtectFromApp",0
OldProtection dd 0
msg1 db "OldProtection before %d",13,10,0
msg2 db "OldProtection after %d",13,10,0
msg3 db "Call result %d",13,10,0
msg4 db "This shall not be executed", 13, 10,0

.code

proc1 Proc
invoke LoadLibraryA, offset LibName
invoke GetProcAddress, eax, offset ProcName
.if eax==0
ret ; Probably not Windows 10
.endif
mov ebx, eax
invoke printf, offset msg1, OldProtection
push offset OldProtection
push PAGE_EXECUTE_READWRITE
push 2
push offset tobeexecuted

call ebx
mov ebx, eax

invoke printf, offset msg2, OldProtection ; should be 4 (PAGE_READWRITE)
invoke printf, offset msg3, ebx ; Sucess = positive value
mov eax, offset tobeexecuted ; Try to execute from data segment!
jmp eax
invoke printf, offset msg4
ret
proc1 endp

main Proc

invoke proc1
xor eax, eax
push eax
call ExitProcess

main endp
end main

aw27

A similar example where will execute some code from the stack (sort of shellcode):


.686
.model flat, stdcall
option casemap :none 

includelib \masm32\lib\msvcrt.lib
printf PROTO C :VARARG
includelib \masm32\lib\kernel32.lib
LoadLibraryA proto stdcall  :ptr
GetProcAddress proto stdcall : dword, : ptr
ExitProcess   proto stdcall :dword

PAGE_EXECUTE equ 10h
PAGE_READWRITE equ 4h
PAGE_EXECUTE_READ equ 20h
PAGE_EXECUTE_READWRITE equ 40h

.data

LibName db "kernelbase.dll",0
ProcName db "VirtualProtectFromApp",0
OldProtection dd 0
msg1 db "OldProtection before %d",13,10,0
msg2 db "OldProtection after %d",13,10,0
msg3 db "Call result %d",13,10,0
msg4 db "This shall not be executed", 13, 10,0

.code

proc1 Proc
LOCAL execStack : word
invoke LoadLibraryA, offset LibName
invoke GetProcAddress, eax, offset ProcName
.if eax==0
ret ; Probably not Windows 10
.endif
mov ebx, eax
invoke printf, offset msg1, OldProtection
push offset OldProtection
push PAGE_EXECUTE_READWRITE
push 2

lea eax, execStack
push eax

call ebx
mov ebx, eax

invoke printf, offset msg2, OldProtection ; should be 4 (PAGE_READWRITE)
invoke printf, offset msg3, ebx ; Sucess = positive value
mov ax, 0c3c9h
mov word ptr execStack, ax
lea eax, execStack ; Try to execute from the stack
jmp eax
invoke printf, offset msg4
ret
proc1 endp

main Proc

invoke proc1
xor eax, eax
push eax
call ExitProcess

main endp
end main

jj2007

Here is one with a MessageBox executed in a VirtualAlloc'ed area, in 64-bit code:

include \Masm32\MasmBasic\Res\JBasic.inc            ; requires MasmBasic of 11 July 17
OldProtection   dd ?

jd@150 equ KernelBase                               ; a little hack for a missing WinAPI,
j@VirtualProtectFromApp equ jbNextApi/150:s1111     ; may be refined in the near future

.code
ToBeCopied:
  push rax                      ; align 16 (no stack frame...)
  xor r9d, r9d
  mov r8, rdi
  mov rdx, rsi
  xor ecx, ecx
  call qword ptr r12            ; jinvoke MessageBox, 0, rsi, rdi, MB_OK
  pop rdx
  retn

Init
  PrintLine Chr$("This code was assembled with ", @AsmUsed$(1), " in ", jbit$, "-bit format")
  mov rdi, Chr$("MessageBox:")  ; title
  mov rsi, Chr$("Hello World")  ; text
  mov r12, rv(MessageBoxA, @address)    ; address of MessageBox in the DLL
  call ToBeCopied               ; test the routine "in place"
 
  mov rbx, rv(VirtualAlloc, 0, 4096, MEM_RESERVE or MEM_COMMIT, PAGE_NOACCESS)

  lea rsi, ToBeCopied           ; source
  mov rdi, rbx                  ; dest
  jinvoke VirtualProtectFromApp, rbx, 1024, PAGE_EXECUTE_READWRITE, addr OldProtection

  mov ecx, 20                   ; the routine has 17 bytes
  rep movsb

  mov rsi, Chr$("Hello Virtual World")
  mov rdi, Chr$("MessageBox again:")
  Print Chr$(jbit$, "-bit assembly is easy, it seems...")
  call rbx                      ; run the copied routine
EndOfCode