I want to allocate some memory, on that all applications can
jump to & execute it's code.

I've tried

call VirtualAlloc, 0, filesize, MEM_COMMIT, PAGE_EXECUTE_READWRITE


VirtualAlloc succeeds & I fill the new space with my SampleCode.

My program, which has allocated Memory can jump to my SampleCode & execute all fine
without any Errors/Problems (Seen by tracing around with SoftIce)
but jumping out of other apps it crashes. The AllocatedMemorySpace isn't available for other Apps.
It's marked with 'INVALID'.

Anyone have an idea?

thanx
:mad:
Posted on 2001-12-05 09:51:23 by CRYO
why not just put your routines in a dll and let your applications load it? :-/
Posted on 2001-12-05 09:59:20 by Hiroshimator
VirtualAlloc only allocates memory in your own process. VirtualAllocEx
(only available on nt kernels, I believe) allocates memory in one other
process.
Posted on 2001-12-05 10:03:37 by f0dder
But there must be a way to insert a snippet of Data into Mem or any other Location and after that to execute.

I'm programming an API-Replacer. If an Api is called by any Program it executes my code.

my program works with Kernel-patching. (Jumpinstruction to SnippetOfDataInMem)

after some thinking...

perhaps i should find some free space in Kernel & put my code in it! The kernel could be accessed by all applications.
That's what you mean with 'Using DLL's', right?

But now a next question!
How Windows does putting/loading a Dll into Mem?
Hey guys, there must be a way to do it manually!
Posted on 2001-12-05 11:27:05 by CRYO
To your original question, a DLL is the right way to do it. You can make a memory mapped file but that is for data, not code. I have seen specialised tools for adding sections to PE files but they are not for the weak hearted, they involve considerable knowledge of the PE format.

Now if you are after doing something sneaky like getting illegal access to operating system function, don't post it here or fearless leader's "furry paw" will come down upon you. :tongue:

Regards,

hutch@movsd.com
Posted on 2001-12-06 00:06:03 by hutch--
I haven't any bad intention. It's only for educational purposes.
Figuring out what's all possible in the system with little tricks & thinking around other solutions.
It's not my intention to misuse this wonderful forum.

thanks for all replies
Posted on 2001-12-06 01:32:31 by CRYO
I would consider creating a named FileMappingObject, that object could then be made PAGE_EXECUTE_READWRITE by the instance that created it, or by each instance as it opens it.

Also one thing to notice with masm, that say if you have the code


invoke VirtualAlloc ,NULL,4096,MEM_COMMIT,PAGE_EXECUTE_READWRITE
mov hMem,eax

invoke MemCpy ,MyFunc,hMem,MyFunc_END - MyFunc

mov eax,hMem
call DWORD PTR [eax]

MyFunc PROC
invoke MessageBox ,NULL,ADDR text,ADDR title,MB_OK

ret
MyFunc ENDP
MyFunc_END EQU $


It will cause an exception because masm does not generate direct calls in this situation. It will generate an indirect call which means the processor will read the value pointed to by hMem, which is the code for the message box call.



00401000 6A00 push 0
00401002 681D304000 push 40301Dh
00401007 6818304000 push 403018h
0040100C 6A00 push 0
0040100E E80B040000 call fn_0040141E


and call the address 1D68006A (Indian reversed push 0, and first two bytes of push 40301Dh)

To get around this:


invoke VirtualAlloc ,NULL,4096,MEM_COMMIT,PAGE_EXECUTE_READWRITE
mov hMem,eax

invoke MemCpy ,MyFunc,hMem,MyFunc_END - MyFunc

;Chane EAX to point to hMem
lea eax,hMem ;OR 'mov eax,OFFSET hMem'
call DWORD PTR [eax]

MyFunc PROC
invoke MessageBox ,NULL,ADDR text,ADDR title,MB_OK

ret
MyFunc ENDP
MyFunc_END EQU $
Posted on 2001-12-06 04:15:39 by huh
A DLL would work fine under 9x, since all DLLs are loaded in shared
memory. However, iirc, on win2k a DLL is *only* mapped in a process
if it's used. I think the same goes for filemapping objects. You should
have a look at some of the apispy code available (detours by some
of the microsoft guys is supposed to work very well).
Posted on 2001-12-06 09:47:52 by f0dder
the apispy examples/progs around working with hooks as far as i know. (except Lucifer48's project)

I trying it in my way with Kernel patching.
Finding some zerocaves for injecting my code.

maybe i have to change the virtualsize of sections to the rawsize of the specific section.

Playing around the PE FileFormat :-)

Take it affect modifing the PE_OptionalHeader, if a DLL is mapped like Kernel32.dll?

Or does Windows all stuff if loading a Dll into Mem

If noone knows I'll figure it out!

------------------------
calculating JMP's & CALL's isn't that hard.
But your quite right, JMP CALL & Loading effective Adresses working only if you take use of DeltaOffsets or calculating distance between instructions
Posted on 2001-12-06 10:37:12 by CRYO
Don't even bother messing with files on disk. Windows File Protection
makes this a hell, plus you'll have to boot to a dos shell to modify
files like kernel32. Second, virtualsize is useless, it's not working
the way it's supposed to.
Posted on 2001-12-06 10:44:17 by f0dder
It says that VirtualProtect is availible under all WinNT and Win95 but I dont know about VirtualAllocEx.

Im only speculating here, but using unused commited memory in another processes threads stack,GetThreadContext, VirtualProtect, WriteProcessMemory, and SetThreadContext you could figure out where a threads stack is, change some memory on the threads stack to PAGE_EXECUTE_READWRITE, write some code to it using WriteProcessMemory, and the use SetThreadContext, to set the Threads EIP to the new mem.

If u kinda get what I mean? If it would work either, im not sure, I havn't ever used any of those functions before????
Posted on 2001-12-07 00:42:32 by huh
hey fodder,you're right.
changing the the SectionHeader isn't necessary.
seen in SoftIce by writing to Dll in Mem & jumping to it.
all works fine.

many thanks for all the tips and ideas.

Is anyone interrested in my work after completing.
...thinking to make it open source. :alright:
Posted on 2001-12-07 03:49:50 by CRYO
Huh, will not work, under NT you have Copy On Write, which means
any change you do to a DLL is local to your process only. To avoid
copy on write, you have to do the modifications from ring0. And
there's still the issue of putting your code in globally available memory
(unless you use a cave, which can be a dangerous thing to do).
Posted on 2001-12-07 10:18:17 by f0dder
(..)
virtualsize is useless, it's not working
the way it's supposed to.


what do you mean? \:|
Posted on 2003-08-11 23:44:58 by wicr0s0ft