Hello!

My code is being executed in Ring0 on win98. Now I'd like to write something at the beginning of the API MessageBoxW of the dll "user32.dll", because as you know this DLL is protected by the OS, but running my code on ring0, I can do anything... Considering the fact that I am already on ring0, how do I write something there?

Thank you!
Posted on 2004-11-04 08:31:42 by Nildo
under win98 you won't need ring0 per se to write to user32.dll.
Posted on 2004-11-04 08:47:36 by lifewire
under win98 you won't need ring0 per se to write to user32.dll.


Ok, so, 2 questions... Why does nothing happen when I try to write something (in memory) into user32.dll? The OS does not return any error, but it does not work. I think that's because it's loaded into the shared arena > 0x80000000, and it's protected. So, what do I do to write something there?

Question 2: I'll need ring0 to write into the memory of system applications. But since I'm at ring0, I don't know what to do, coz I think I'll get an error if I try to use WriteProcessMemory (or any API) from Ring0...

Thanx :-D
Posted on 2004-11-04 08:53:31 by Nildo
under win98 you won't need ring0 per se to write to user32.dll.


So, how do I write to it? :?
Posted on 2004-11-04 13:22:38 by Nildo
Just write. IIRC, normally the R/O page flag is ignored in ring 0.

Since the code is in the shared region, you needn't care about address contexts.
Posted on 2004-11-04 16:11:32 by japheth
Just write. IIRC, normally the R/O page flag is ignored in ring 0.

Since the code is in the shared region, you needn't care about address contexts.


But when I write, nothing happens, the code that I write in that location does not take effect... look:

var
  Retu: Byte;                              // the single byte to write
  Proc: THandle; ProcAddr: Pointer; BytesWriten: DWORD;   // needs the Windows unit
begin
  Retu := $C3; // a RET
  Proc := OpenProcess(PROCESS_ALL_ACCESS, True, GetCurrentProcessId());
  ProcAddr := GetProcAddress(GetModuleHandle('user32.dll'), 'MessageBoxW');
  WriteProcessMemory(Proc, ProcAddr, @Retu, 1, BytesWriten);
end;


I've translated it to Pascal, to make it easier to see what I'm doing.
WriteProcessMemory returns True and BytesWriten returns 1, but the change I made didn't take effect... But it works on any other DLL which is not in the shared area...

:? :? :?
Posted on 2004-11-04 20:16:03 by Nildo
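Added example, the defender's side of the one-byte RET patch shown above (not code from this thread or from anyone in it): an entry-point integrity check that compares the live bytes at an exported function against a reference copy and reports what the first instruction has become. The reference bytes, the live copies and the entry address 0x80001000 are constructed sample data, not real user32.dll bytes; in practice the reference would be read from the module file on disk at the export's file offset.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* What the first instruction at a patched entry point has become. */
enum patch_kind {
    PATCH_NONE,         /* live bytes match the reference */
    PATCH_RET,          /* C3: function neutered, returns immediately */
    PATCH_JMP_REL32,    /* E9 rel32: detour to another address */
    PATCH_JMP_ABS_IND,  /* FF 25 [addr]: detour through a pointer */
    PATCH_INT3,         /* CC: breakpoint left in place */
    PATCH_OTHER
};

struct patch_report {
    enum patch_kind kind;
    size_t first_diff;   /* offset of the first differing byte; n if none */
    uint32_t jmp_target; /* resolved target for PATCH_JMP_REL32, else 0 */
};

/* Compare n live bytes at a function entry with a reference copy of the same
   bytes (for example the entry bytes read from the module file on disk).
   entry_va is the virtual address of the live bytes; it is needed to resolve
   a relative jump: target = entry + 5 + rel32. */
struct patch_report check_entry(const uint8_t *live, const uint8_t *ref,
                                size_t n, uint32_t entry_va)
{
    struct patch_report r = { PATCH_NONE, n, 0 };
    for (size_t i = 0; i < n; i++) {
        if (live[i] != ref[i]) {
            r.first_diff = i;
            break;
        }
    }
    if (r.first_diff == n)
        return r;                         /* pristine */

    /* Classify by the opcode now at the entry; any differing byte is a patch. */
    if (live[0] == 0xC3) {
        r.kind = PATCH_RET;
    } else if (n >= 5 && live[0] == 0xE9) {
        uint32_t rel = (uint32_t)live[1] | ((uint32_t)live[2] << 8) |
                       ((uint32_t)live[3] << 16) | ((uint32_t)live[4] << 24);
        r.kind = PATCH_JMP_REL32;
        r.jmp_target = entry_va + 5 + rel;   /* unsigned wrap handles negative rel32 */
    } else if (n >= 6 && live[0] == 0xFF && live[1] == 0x25) {
        r.kind = PATCH_JMP_ABS_IND;
    } else if (live[0] == 0xCC) {
        r.kind = PATCH_INT3;
    } else {
        r.kind = PATCH_OTHER;
    }
    return r;
}

/* Constructed sample data (not real user32.dll bytes): a typical stdcall
   prologue as the reference, plus two live copies, one with the thread's
   one-byte RET and one with a 5-byte relative jump. */
#define ENTRY_LEN 8
#define ENTRY_VA  0x80001000u   /* constructed shared-arena address */
const uint8_t SAMPLE_REF[ENTRY_LEN]      = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56 };
const uint8_t SAMPLE_LIVE_RET[ENTRY_LEN] = { 0xC3, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56 };
const uint8_t SAMPLE_LIVE_JMP[ENTRY_LEN] = { 0xE9, 0x00, 0x10, 0x00, 0x00, 0x10, 0x53, 0x56 };

static const char *kind_name(enum patch_kind k)
{
    static const char *names[] = { "none", "ret", "jmp rel32", "jmp [abs]", "int3", "other" };
    return names[k];
}

int main(void)
{
    const uint8_t *samples[] = { SAMPLE_REF, SAMPLE_LIVE_RET, SAMPLE_LIVE_JMP };
    for (size_t i = 0; i < 3; i++) {
        struct patch_report r = check_entry(samples[i], SAMPLE_REF, ENTRY_LEN, ENTRY_VA);
        printf("sample %zu: %s, first diff at %zu, target %08X\n",
               i, kind_name(r.kind), r.first_diff, r.jmp_target);
    }
    return 0;
}
```

The comparison deliberately reports the first differing offset as well as the opcode class: a detour that lands a few bytes past the entry (after a hot-patch prologue) still shows up as a mismatch even when byte 0 is untouched.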
you have to turn off write protection on these pages using VxD calls on win95/98

This is a snippet from an API hook by yoda:


INCLUDELIB Lib\K32Lib.lib
VxDCall4 PROTO :DWORD, :DWORD, :DWORD, :DWORD, :DWORD
; PC_STATIC / PC_WRITEABLE / PC_USER and _PageModifyPermissions are the VMM
; service constants from the Win9x DDK include (vmm.inc, assumed), which must
; be included as well.

ObtainWriteAccessInSharedArea9x PROC USES EBX ESI EDI, p : LPVOID, dwc : DWORD
    ; calc page addr/size: count pages from the page holding p up to the page
    ; holding p+dwc-1; the offset of p inside its page is added first so a
    ; range that straddles a page boundary is not undercounted
    mov edi, p
    mov ecx, edi
    and ecx, 0FFFh      ; offset of p within its page
    add ecx, dwc
    add ecx, 4095
    shr ecx, 12         ; ECX -> page count
    shr edi, 12         ; EDI -> page index/addr

    ; perform VxDCall
    push PC_STATIC or PC_WRITEABLE or PC_USER ; OR mask
    push 0              ; AND mask
    push ecx            ; number of pages
    push edi            ; first page index
    push _PageModifyPermissions
    call VxDCall4
    ret
ObtainWriteAccessInSharedArea9x ENDP
Posted on 2004-11-04 21:04:54 by comrade
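Added example, not from this thread or from yoda's hook: the page-range arithmetic that a _PageModifyPermissions call needs, worked through in plain C so the edge case is visible. It computes the first page index and page count that cover a byte range exactly, and contrasts that with a naive count that only looks at the length, (len + 4096) >> 12, which comes up one page short whenever the range starts near the end of a page and spills into the next. The addresses are constructed shared-arena values, not real user32.dll locations.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12u
#define PAGE_SIZE  (1u << PAGE_SHIFT)   /* 4 KiB x86 pages, as on Win9x */

/* First page index and number of pages that together cover the byte range
   [addr, addr + len).  Indices are linear address >> 12, the form the VMM
   page services take. */
struct page_range {
    uint32_t first_page;
    uint32_t count;
};

/* Exact computation: from the page holding addr to the page holding the last
   byte, so a range straddling a page boundary is never undercounted.
   A zero-length range covers no pages. */
struct page_range pages_covering(uint32_t addr, uint32_t len)
{
    struct page_range r = { addr >> PAGE_SHIFT, 0 };
    if (len == 0)
        return r;
    uint32_t last_page = (addr + (len - 1)) >> PAGE_SHIFT;
    r.count = last_page - r.first_page + 1;
    return r;
}

/* Naive count that ignores where addr sits inside its page. */
uint32_t naive_page_count(uint32_t len)
{
    return (len + PAGE_SIZE) >> PAGE_SHIFT;
}

/* 1 if the naive count is enough for this range, 0 if it falls short. */
int naive_count_suffices(uint32_t addr, uint32_t len)
{
    return naive_page_count(len) >= pages_covering(addr, len).count;
}

int main(void)
{
    /* Constructed addresses in the Win9x shared arena (>= 0x80000000). */
    const uint32_t cases[][2] = {
        { 0x80001000u, 1u },      /* page-aligned, one byte */
        { 0x80001FFFu, 1u },      /* last byte of a page */
        { 0x80001FFFu, 2u },      /* two bytes straddling a page boundary */
        { 0x80001FFFu, 4098u },   /* spans three pages */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct page_range r = pages_covering(cases[i][0], cases[i][1]);
        printf("addr=%08X len=%u -> first page %05X, %u page(s); naive count %u %s\n",
               cases[i][0], cases[i][1], r.first_page, r.count,
               naive_page_count(cases[i][1]),
               naive_count_suffices(cases[i][0], cases[i][1]) ? "ok" : "TOO SMALL");
    }
    return 0;
}
```

A write that silently lands on a page the permission change did not cover is exactly the "nothing happens" symptom from earlier in the thread, so the count is worth getting right before the VxD call rather than after.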
Can you please explain what the purpose of this write is :-?
Posted on 2004-11-04 23:20:16 by BogdanOntanu
to write to system protected area of memory...
Posted on 2004-11-04 23:25:15 by comrade
Comrade, thanks for your code.

There are many good reasons why one wants to write to dlls in the shared region.

An example I was working on: the VC toolkit 2003 C++ compiler doesn't run on win98SE because it uses some "wide" functions (like CreateFileW) which are just dummies in win98. A self-written shared dll may catch those calls and then implement a simple workaround.
Posted on 2004-11-05 01:09:54 by japheth
WriteProcessMemory doesn't accept high addresses IIRC. Use a normal write operation. However, if the function you want to overwrite is too small or not unique, you have to modify the export directory instead to point to your function.
Posted on 2004-11-05 03:53:32 by Sephiroth3
WriteProcessMemory doesn't accept high addresses IIRC. Use a normal write operation. However, if the function you want to overwrite is too small or not unique, you have to modify the export directory instead to point to your function.


Yes! I've already done this!
It's for an API hooking system that I'm doing... Then I encountered (dunno if this word exists, LoL) this problem :P

I'll test what everyone said and I'll post the results! Thanx very much, ppl!
Posted on 2004-11-05 04:03:24 by Nildo