What to do if there is no VirtualProtectFromApp in masm libraries? :(
Don't worry, for any standard program you will never need such an exotic function 8)
Alex,
Write your own. :P
And don't dare to use the Windows SDK libs. :badgrin: :badgrin:
use it in dynamic way, using LoadLibrary/GetProcAddress
or make your own additional lib for kernel32 with polib.exe
example: kernel32_10.def
LIBRARY KernelBase.dll
EXPORTS
_VirtualProtectFromApp@16=VirtualProtectFromApp
EDIT: fix for wrong dll
And, most important: show us your full code. We are a curious bunch :badgrin:
VirtualProtectFromApp :
https://msdn.microsoft.com/en-us/library/windows/desktop/mt169846%28v=vs.85%29.aspx
Quote:
Minimum supported client
Windows 10 [desktop apps | UWP apps]
The funny part is that I don't see this VirtualProtectFromApp in the Windows 10 kernel32.dll, it is also not available in the distributed Windows 10 Kit kernel32.lib. Of course, I am missing an obvious thing, I simply don't know what.
In Windows 10, it is in KernelBase.dll
Quote from: TWell on July 05, 2017, 05:56:30 PM
In Windows 10, it is in KernelBase.dll
Yeap :t, but still not in the supplied libs.
Quote from: aw27 on July 05, 2017, 06:04:28 PM
Yeap :t, but still not in the supplied libs.
It is, quite a few of them
G:\SDK\10\Lib\10.0.14393.0\um\x86>findstr /M "VirtualProtectFromApp" *
mincore.lib
OneCore.Lib
OneCoreUAP.Lib
WindowsApp.lib
Quote from: adeyblue on July 09, 2017, 06:03:08 AM
Quote from: aw27 on July 05, 2017, 06:04:28 PM
Yeap :t, but still not in the supplied libs.
It is, quite a few of them
G:\SDK\10\Lib\10.0.14393.0\um\x86>findstr /M "VirtualProtectFromApp" *
mincore.lib
OneCore.Lib
OneCoreUAP.Lib
WindowsApp.lib
Wow, probably Microsoft
<does not> know about that:
VirtualProtectFromApp function (https://msdn.microsoft.com/en-us/library/windows/desktop/mt169846(v=vs.85).aspx)
Library: Kernel32.lib
DLL: Kernel32.dll
API Sets for Universal Windows Platform (UWP) apps (https://msdn.microsoft.com/en-us/library/windows/desktop/mt186421(v=vs.85).aspx)
What's the minimum build number of Windows 10 supporting VirtualProtectFromApp?
GetFileVersion.exe .\kernel32.dll
10.0.14393.0
\PellesC\bin\podump.exe /EXPORTS .\kernel32.dll | findstr "VirtualProtectFromApp"
No result at all.
It works:
include \Masm32\MasmBasic\Res\JBasic.inc ; ## builds in 32- or 64-bit mode with ML64, Uasm etc
OldProtection dd ?
jd@150 equ KernelBase ; a little hack for a missing WinAPI,
j@VirtualProtectFromApp equ jbNextApi/150:s1111 ; may be refined in the near future
Init ; OPT_64 1 ; put 0 for 32 bit, 1 for 64 bit assembly
PrintLine Chr$("This code was assembled with ", @AsmUsed$(1), " in ", jbit$, "-bit format")
mov rbx, rv(VirtualAlloc, 0, 4096, MEM_RESERVE or MEM_COMMIT, PAGE_NOACCESS)
usedeb=1
deb 4, "VirtualAlloc:", x:rbx
jinvoke VirtualProtectFromApp, rbx, 1024, PAGE_EXECUTE_READWRITE, addr OldProtection
deb 4, "VirtualProtectFromApp:", rax, OldProtection
PrintLine Err$()
Inkey Chr$(jbit$, "-bit assembly is easy, it seems...")
EndOfCode
This code was assembled with HJWasm32 in 64-bit format
VirtualAlloc: x:rbx 1b0000h
VirtualProtectFromApp:
rax 1
OldProtection 1
Can't find the key etc.
The error message is irrelevant, since rax is non-zero.
Same for the 32-bit version. This is Windows version 10.0, build 15063.
It is in KernelBase.dll.
Quote from: Vortex on July 09, 2017, 07:36:55 PM
What's the minimum build number of Windows 10 supporting VirtualProtectFromApp?
Quote:
VirtualProtectFromApp Introduced into api-ms-win-core-memory-l1-1-3.dll in Windows 10.0.10240.0
VirtualProtectFromApp Introduced into api-ms-win-core-memory-l1-1-4.dll in Windows 10.0.14393.0
Hi TWell,
Thanks for the info. Checking now KernelBase.dll, I see that VirtualProtectFromApp is exported by this DLL. It looks like the MS documentation is not correct.
Quote from: TWell on July 09, 2017, 09:49:17 PM
It is in KernelBase.dll
Yes indeed.
Quote from: jj2007 on July 09, 2017, 08:02:52 PM
jd@150 equ KernelBase ; a little hack for a missing WinAPI
One problem is that even a call to MessageBoxA seems to be RIP-relative.
.code
ToBeCopied:
push rax
jinvoke MessageBox, 0, rsi, rdi, MB_OK
pop rdx
retn
Original:
0000000140001002 | 50 | push rax |
0000000140001003 | 90 | nop |
0000000140001004 | 45 33 C9 | xor r9d, r9d |
0000000140001007 | 4C 8B C7 | mov r8, rdi | rdi:"MessageBox:"
000000014000100A | 48 8B D6 | mov rdx, rsi | rsi:"Hello World"
000000014000100D | 33 C9 | xor ecx, ecx |
000000014000100F | FF 15 C3 23 00 00 | call qword ptr ds:[<&MessageBoxA>] |
0000000140001015 | 5A | pop rdx |
0000000140001016 | C3 | ret |
Copy:
0000000000180000 | 50 | push rax |
0000000000180001 | 90 | nop |
0000000000180002 | 45 33 C9 | xor r9d, r9d |
0000000000180005 | 4C 8B C7 | mov r8, rdi | rdi:"MessageBox:"
0000000000180008 | 48 8B D6 | mov rdx, rsi | rsi:"Hello World"
000000000018000B | 33 C9 | xor ecx, ecx |
000000000018000D | FF 15 C3 23 00 00 | call qword ptr ds:[1823D6] | <<<<<<<<<<<<<<<<< NO LUCK HERE
0000000000180013 | 5A | pop rdx |
0000000000180014 | C3 | ret |
This is an example that executes some code from the data segment.
.686
.model flat, stdcall
option casemap :none
includelib \masm32\lib\msvcrt.lib
printf PROTO C :VARARG
includelib \masm32\lib\kernel32.lib
LoadLibraryA proto stdcall :ptr
GetProcAddress proto stdcall : dword, : ptr
ExitProcess proto stdcall :dword
PAGE_EXECUTE equ 10h
PAGE_READWRITE equ 4h
PAGE_EXECUTE_READWRITE equ 40h
.data
tobeexecuted db 0c3h ; ret - proc1 has no stack frame here, so a plain ret returns to main (a leave would reload esp from a stale ebp)
LibName db "kernelbase.dll",0 ; VirtualProtectFromApp is exported by KernelBase, not by kernel32
ProcName db "VirtualProtectFromApp",0
OldProtection dd 0
msg1 db "OldProtection before %d",13,10,0
msg2 db "OldProtection after %d",13,10,0
msg3 db "Call result %d",13,10,0
msg4 db "This shall not be executed", 13, 10,0
.code
proc1 Proc
invoke LoadLibraryA, offset LibName
invoke GetProcAddress, eax, offset ProcName
.if eax==0
ret ; Probably not Windows 10
.endif
mov ebx, eax ; ebx = address of VirtualProtectFromApp
invoke printf, offset msg1, OldProtection
push offset OldProtection ; lpOldProtect
push PAGE_EXECUTE_READWRITE ; flNewProtect
push 1 ; dwSize in bytes; protection is changed for the whole page anyway
push offset tobeexecuted ; lpAddress
call ebx ; stdcall: the callee cleans up the four arguments
mov ebx, eax
invoke printf, offset msg2, OldProtection ; should be 4 (PAGE_READWRITE)
invoke printf, offset msg3, ebx ; Success = non-zero value
mov eax, offset tobeexecuted ; Try to execute from the data segment!
jmp eax ; the ret in tobeexecuted returns straight to main, so msg4 is skipped
invoke printf, offset msg4
ret
proc1 endp
main Proc
invoke proc1
xor eax, eax
push eax
call ExitProcess
main endp
end main
A similar example that executes some code from the stack (a sort of shellcode):
.686
.model flat, stdcall
option casemap :none
includelib \masm32\lib\msvcrt.lib
printf PROTO C :VARARG
includelib \masm32\lib\kernel32.lib
LoadLibraryA proto stdcall :ptr
GetProcAddress proto stdcall : dword, : ptr
ExitProcess proto stdcall :dword
PAGE_EXECUTE equ 10h
PAGE_READWRITE equ 4h
PAGE_EXECUTE_READ equ 20h
PAGE_EXECUTE_READWRITE equ 40h
.data
LibName db "kernelbase.dll",0
ProcName db "VirtualProtectFromApp",0
OldProtection dd 0
msg1 db "OldProtection before %d",13,10,0
msg2 db "OldProtection after %d",13,10,0
msg3 db "Call result %d",13,10,0
msg4 db "This shall not be executed", 13, 10,0
.code
proc1 Proc
LOCAL execStack : word ; the LOCAL gives proc1 a stack frame, so the leave/ret written below returns correctly
invoke LoadLibraryA, offset LibName
invoke GetProcAddress, eax, offset ProcName
.if eax==0
ret ; Probably not Windows 10
.endif
mov ebx, eax ; ebx = address of VirtualProtectFromApp
invoke printf, offset msg1, OldProtection
push offset OldProtection ; lpOldProtect
push PAGE_EXECUTE_READWRITE ; flNewProtect
push 2 ; dwSize: the two-byte routine; the whole stack page becomes RWX
lea eax, execStack
push eax ; lpAddress: a location on the current stack page
call ebx ; stdcall: the callee cleans up the arguments
mov ebx, eax
invoke printf, offset msg2, OldProtection ; should be 4 (PAGE_READWRITE)
invoke printf, offset msg3, ebx ; Success = non-zero value
mov ax, 0c3c9h ; leave, ret (bytes C9 C3)
mov word ptr execStack, ax
lea eax, execStack ; Try to execute from the stack
jmp eax ; leave/ret tears down proc1's frame and returns to main, so msg4 is skipped
invoke printf, offset msg4
ret
proc1 endp
main Proc
invoke proc1
xor eax, eax
push eax
call ExitProcess
main endp
end main
Here is one with a MessageBox executed in a VirtualAlloc'ed area, in 64-bit code:
include \Masm32\MasmBasic\Res\JBasic.inc ; requires MasmBasic of 11 July 17 (http://masm32.com/board/index.php?topic=94.0)
OldProtection dd ?
jd@150 equ KernelBase ; a little hack for a missing WinAPI,
j@VirtualProtectFromApp equ jbNextApi/150:s1111 ; may be refined in the near future
.code
ToBeCopied:
push rax ; align 16 (no stack frame...)
xor r9d, r9d
mov r8, rdi
mov rdx, rsi
xor ecx, ecx
call qword ptr r12 ; jinvoke MessageBox, 0, rsi, rdi, MB_OK
pop rdx
retn
Init
PrintLine Chr$("This code was assembled with ", @AsmUsed$(1), " in ", jbit$, "-bit format")
mov rdi, Chr$("MessageBox:") ; title
mov rsi, Chr$("Hello World") ; text
mov r12, rv(MessageBoxA, @address) ; address of MessageBox in the DLL
call ToBeCopied ; test the routine "in place"
mov rbx, rv(VirtualAlloc, 0, 4096, MEM_RESERVE or MEM_COMMIT, PAGE_NOACCESS)
lea rsi, ToBeCopied ; source
mov rdi, rbx ; dest
jinvoke VirtualProtectFromApp, rbx, 1024, PAGE_EXECUTE_READWRITE, addr OldProtection
mov ecx, 20 ; the routine has 17 bytes
rep movsb
mov rsi, Chr$("Hello Virtual World")
mov rdi, Chr$("MessageBox again:")
Print Chr$(jbit$, "-bit assembly is easy, it seems...")
call rbx ; run the copied routine
EndOfCode