Code:
TFuncAddies STRUCT
    lpfSleep        DWORD ?
    lpfOpenProcess  DWORD ?
    ...
TFuncAddies ENDS
Code:
PUSHAD
PUSH 020060000h     ; OR mask: PC_STATIC | PC_USER | PC_WRITEABLE
PUSH 000000000h     ; AND mask: 0 discards the existing permission flags
PUSH 000000001h     ; Page count...
PUSH MemoryAddy     ; first page (page number, i.e. linear address >> 12)
PUSH 00001000Dh     ; _PageModifyPermissions
CALL VxDCall
POPAD
Code:
ULONG _PageModifyPermissions(
    ULONG firstPage,
    ULONG numPages,
    ULONG andMask,
    ULONG orMask
);
Code:
PC_WRITEABLE EQU 00020000H ; duh
PC_USER      EQU 00040000H ; access from ring 3
PC_STATIC    EQU 20000000H ; you need this to change permissions of kernel memory
Code:
push [permor]              ; OR mask for permissions
push [permand]             ; AND mask for permissions
push [npages]              ; number of pages
push [page]                ; first page (page number, i.e. linear address >> 12)
push 1000Dh                ; (0001h = VMM.VxD << 16) | 000Dh = _PageModifyPermissions
call dword ptr [p_VxDCall]
Code:
p_VxDCall(0x1000D, page, npages, permand, permor);
Code:
DWORD (*p_VxDCall)(DWORD service, ...);
Code:
#define _PageReserve           0x00010000
#define _PageCommit            0x00010001
#define _PageDecommit          0x00010002
#define _PageFree              0x0001000A
#define _PageModifyPermissions 0x0001000D
#define _PageQuery             0x0001000E
Code:
((base_address & 0xFFF) + num_bytes + 0xFFF) >> 12
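Added example, not code from the thread: a small user-mode model of the _PageModifyPermissions calling pattern shown above, the page-count formula, and the save/restore of the previous permissions the thread says the service returns. The simulated page table, the names sim_PageModifyPermissions, pages_for_range and patch_and_restore are assumptions; the flag values are the ones quoted in the thread and the real VxDCall is not invoked.

```c
#include <stdint.h>

/* Flag values as quoted in the thread. */
#define PC_WRITEABLE 0x00020000u
#define PC_USER      0x00040000u
#define PC_STATIC    0x20000000u

/* Constructed stand-in for the VMM page table: 16 pages, flags per page. */
#define SIM_PAGES 16u
static uint32_t sim_perms[SIM_PAGES];

uint32_t sim_get_perms(uint32_t page) { return sim_perms[page]; }

/* Page count for an arbitrary byte range, as given in the thread. A short
   range that straddles a page boundary correctly needs two pages. */
uint32_t pages_for_range(uint32_t base_address, uint32_t num_bytes) {
    return ((base_address & 0xFFF) + num_bytes + 0xFFF) >> 12;
}

/* Model of the service: new = (old & andMask) | orMask for each page.
   Returns the previous flags of the first page, or -1 on failure, matching
   the return convention described in the thread. Not the real VxD service. */
uint32_t sim_PageModifyPermissions(uint32_t firstPage, uint32_t numPages,
                                   uint32_t andMask, uint32_t orMask) {
    if (numPages == 0 || firstPage >= SIM_PAGES || numPages > SIM_PAGES - firstPage)
        return 0xFFFFFFFFu;
    uint32_t previous = sim_perms[firstPage];
    for (uint32_t i = 0; i < numPages; i++)
        sim_perms[firstPage + i] = (sim_perms[firstPage + i] & andMask) | orMask;
    return previous;
}

/* Modify / write / restore pattern. Page number is linear address >> 12.
   AND mask ~0 keeps existing bits; OR mask adds the three flags. The restore
   clears everything (AND 0) and ORs the saved flags back in. Returns 1 on
   success, 0 if the service reported failure. */
int patch_and_restore(uint32_t linear_addr, uint32_t num_bytes) {
    uint32_t page = linear_addr >> 12;
    uint32_t npages = pages_for_range(linear_addr, num_bytes);
    uint32_t old = sim_PageModifyPermissions(page, npages, 0xFFFFFFFFu,
                                             PC_STATIC | PC_USER | PC_WRITEABLE);
    if (old == 0xFFFFFFFFu)
        return 0;
    /* ... the patch bytes would be written to the range here ... */
    sim_PageModifyPermissions(page, npages, 0, old);
    return 1;
}
```

Note that the service only reports the first page's previous flags, so a restore over several pages with differing permissions puts the first page's flags on all of them.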
russiandevil wrote:
the above snippet of the code seems to fail in GetProcAddress, with GetLastError reporting 50 (The request is not supported. ERROR_NOT_SUPPORTED). This to me suggests that I should do the manual walk-through the PE header, and locate the EXPORTS section of Kernel32.dll, and do my work...
Quote:
if I'm doing IAT patching on Windows 98 machine and am trying to intercept the API routine from a system dll (such as user32.dll and gdi32.dll), at some point in time I still have to modify the shared address space above the 2GB...
russiandevil wrote:
the main reason I didn't want to patch the API itself is because in my particular instance I only care about the API routines originating from a particular (known to me) process... and I didn't want to involve all the other currently-running (and soon-to-be-running) processes.
russiandevil wrote:
Well the routines I'm intercepting are all in User32.dll and Gdi32.dll
Quote:
Have lost the number of times I have crashed explorer.exe on my VMWare image of Windows 98, while testing the program so far. Actually, one of the crashes was in HOOK.DLL, which is one of VMWare's own libraries... so I'm wondering if VMWare itself is doing some sort of hooking... I guess ideally I'd have a stand-alone non-virtual 9x box to test things on but 'Revert to Snapshot' is just such a useful button!
Quote:
I'm guessing it's worth mentioning on the subject of VxDCall that it returns -1 on failure or the previous page permissions in case of success, and it's probably a good idea (correct me if I'm wrong) to restore the permissions right after we're done modifying the shared address space.
russiandevil wrote:
-> yep, otherwise in depends.exe these routines would have been listed in the import table of my target process (for all my experimental purposes so far it has been notepad.exe)
Quote:
-> yep, I noticed you mentioned these routines earlier on in this thread, I'm just not too comprehensive of the whole 'copying of address space of DLL to some new location' concept. i.e. do I need to get the base address of my interceptor DLL in memory, and copy everything starting from that address and ending god-knows-where to this newly alloc-ed block...