Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 02-20-2023, 23:20
New Tiger New Tiger is offline
Friend
 
Join Date: Mar 2018
Posts: 42
Rept. Given: 0
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 49
Thanks Rcvd at 108 Times in 18 Posts
New Tiger Reputation: 6
How to enable Code section (Read / Write) in x64

Anyone have an example on how to enable Code section (Read / Write) in x64 please?
Thanks
Reply With Quote
  #2  
Old 02-21-2023, 00:33
Stingered Stingered is offline
Banned User
 
Join Date: Dec 2017
Posts: 257
Rept. Given: 0
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 297
Thanks Rcvd at 181 Times in 90 Posts
Stingered Reputation: 3
Are you talking about the section headers? If so, then CFF explorer has this option to enable/disable the sections flags. Apologies if I misunderstand your question.

This might help you:

https://github.com/OsandaMalith/PESecInfo

Last edited by Stingered; 02-21-2023 at 01:12.
Reply With Quote
The Following 2 Users Say Thank You to Stingered For This Useful Post:
New Tiger (02-21-2023), niculaita (02-21-2023)
  #3  
Old 02-21-2023, 01:40
New Tiger New Tiger is offline
Friend
 
Join Date: Mar 2018
Posts: 42
Rept. Given: 0
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 49
Thanks Rcvd at 108 Times in 18 Posts
New Tiger Reputation: 6
Quote:
Originally Posted by Stingered View Post
Are you talking about the section headers? If so, then CFF explorer has this option to enable/disable the sections flags. Apologies if I misunderstand your question.

This might help you:

https://github.com/OsandaMalith/PESecInfo
Thanks for your reply. I tried already CCF and Stud_PE. Both show that the section flag for read and write are already ticked, meaning you can write to the specified section but no way. I tried also to patch the VirtualProtect function using the same way in x32 OS's but it always returns zero !!!!
I used the same way as below:

PUSH ESP
PUSH 40 // code writable
PUSH 1000 // size of code to make writable
PUSH 401000 // start address of code to make writable
CALL VirtualProtect // xxxxxxxx is address of VirtualProtect

I did this in several x32 app's and worked just fine but in x64 no way

Last edited by New Tiger; 02-21-2023 at 05:12.
Reply With Quote
  #4  
Old 02-21-2023, 02:40
Kerlingen Kerlingen is offline
VIP
 
Join Date: Feb 2011
Posts: 325
Rept. Given: 0
Rept. Rcvd 277 Times in 99 Posts
Thanks Given: 0
Thanks Rcvd at 317 Times in 97 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
Based on the original question, there are two ways:
  • Use the VirtualProtect function to make the memory region writable.
  • Edit the PE file header on disk and make the sections writable.
Both methods have been successfully used many times by many people.

Based on your second post, the most promising answer would be:
  • First, read a book about x86 assembler.
  • Next, read a book about Win32 programming.
  • Next, read a book about x64 assembler.
Your very short text and code fragments already violate at least 4 core principles of x86/Win32/x64 assembly. Your problem definitely is not some write permission, but the basic understanding of the CPU architecture.
Reply With Quote
The Following User Says Thank You to Kerlingen For This Useful Post:
X0rby (04-01-2024)
  #5  
Old 02-21-2023, 05:11
New Tiger New Tiger is offline
Friend
 
Join Date: Mar 2018
Posts: 42
Rept. Given: 0
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 49
Thanks Rcvd at 108 Times in 18 Posts
New Tiger Reputation: 6
Quote:
Originally Posted by Kerlingen View Post
Based on the original question, there are two ways:
  • Use the VirtualProtect function to make the memory region writable.
  • Edit the PE file header on disk and make the sections writable.
Both methods have been successfully used many times by many people.

Based on your second post, the most promising answer would be:
  • First, read a book about x86 assembler.
  • Next, read a book about Win32 programming.
  • Next, read a book about x64 assembler.
Your very short text and code fragments already violate at least 4 core principles of x86/Win32/x64 assembly. Your problem definitely is not some write permission, but the basic understanding of the CPU architecture.
From this "Your very short text and code fragments already violate at least 4 core principles of x86/Win32/x64 assembly", It's clear that your brain is full with junky stuff sir!.
Also, based on yor answer, Mr VIP, in particular the last line "Your problem definitely is not some write permission, but the basic understanding of the CPU architecture" can you teach me Mr professional these fundamentals. Understand the question before you show off your muscles. It's real useful for you to keep this advice for your own as when I was handling these x32 stuff you were still asking for suckle, I don't know how admins promoted you to VIP here???????
Just get away! you're really very rude

Last edited by New Tiger; 02-21-2023 at 06:02.
Reply With Quote
  #6  
Old 02-21-2023, 06:35
Stingered Stingered is offline
Banned User
 
Join Date: Dec 2017
Posts: 257
Rept. Given: 0
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 297
Thanks Rcvd at 181 Times in 90 Posts
Stingered Reputation: 3
@New Tiger

Take a look at this link and see if it helps:

https://ethical.blue/textz/n/28
Reply With Quote
The Following User Says Thank You to Stingered For This Useful Post:
New Tiger (02-21-2023)
  #7  
Old 02-21-2023, 06:52
Rasmus Rasmus is offline
Friend
 
Join Date: Jul 2019
Posts: 175
Rept. Given: 0
Rept. Rcvd 9 Times in 8 Posts
Thanks Given: 115
Thanks Rcvd at 105 Times in 63 Posts
Rasmus Reputation: 9
Quote:
Originally Posted by New Tiger View Post
Thanks for your reply. I tried already CCF and Stud_PE. Both show that the section flag for read and write are already ticked, meaning you can write to the specified section but no way. I tried also to patch the VirtualProtect function using the same way in x32 OS's but it always returns zero !!!!
I used the same way as below:

PUSH ESP
PUSH 40 // code writable
PUSH 1000 // size of code to make writable
PUSH 401000 // start address of code to make writable
CALL VirtualProtect // xxxxxxxx is address of VirtualProtect

I did this in several x32 app's and worked just fine but in x64 no way
With my limited knowledge I will try to help
@New Tiger The calling convention in 64-bit is different from that of 32-bit.

The x64 Application Binary Interface (ABI) uses a four-register fast-call calling convention by default. Space is allocated on the call stack as a shadow store for callees to save those registers.

Meaning that the parameters are passed to the function through registers as a default which differs significantly from the 32-bit manner where the stack can be wholly used for passing the parameters.

Example:
Quote:
func1(int a, int b, int c, int d, int e, int f);
// a in RCX, b in RDX, c in R8, d in R9, f then e pushed on stack
The addresses and registers in your example are also 32-bit. Maybe my mistake but you should check them once again

Please read these 2 pages for more info:
Quote:
https://learn.microsoft.com/en-us/cpp/build/x64-calling-convention?view=msvc-170
https://accu.org/journals/overload/22/120/orr_1897/
They highlight the differences in the 64-bit calling conventions.

Then the VirtualProtect should work just fine in 64-bit also
Reply With Quote
The Following 3 Users Say Thank You to Rasmus For This Useful Post:
New Tiger (02-21-2023), sh3dow (03-02-2023), Stingered (02-21-2023)
  #8  
Old 02-21-2023, 07:22
New Tiger New Tiger is offline
Friend
 
Join Date: Mar 2018
Posts: 42
Rept. Given: 0
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 49
Thanks Rcvd at 108 Times in 18 Posts
New Tiger Reputation: 6
@Stingered
Thanks mate for the provided link.
@Rasmus
Appreciated, really useful information mate.

Last edited by New Tiger; 02-22-2023 at 04:26.
Reply With Quote
The Following 2 Users Say Thank You to New Tiger For This Useful Post:
Rasmus (02-22-2023), Stingered (02-21-2023)
  #9  
Old 02-21-2023, 14:47
New Tiger New Tiger is offline
Friend
 
Join Date: Mar 2018
Posts: 42
Rept. Given: 0
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 49
Thanks Rcvd at 108 Times in 18 Posts
New Tiger Reputation: 6
Problem is solved

Last edited by New Tiger; 02-22-2023 at 04:28.
Reply With Quote
  #10  
Old 02-22-2023, 02:16
WRP WRP is offline
Family
 
Join Date: Nov 2010
Posts: 184
Rept. Given: 32
Rept. Rcvd 52 Times in 33 Posts
Thanks Given: 203
Thanks Rcvd at 231 Times in 105 Posts
WRP Reputation: 52
I think this Tiger trying break brains.
But possible he banned in Google.
Reply With Quote
  #11  
Old 02-22-2023, 02:55
New Tiger New Tiger is offline
Friend
 
Join Date: Mar 2018
Posts: 42
Rept. Given: 0
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 49
Thanks Rcvd at 108 Times in 18 Posts
New Tiger Reputation: 6
Quote:
Originally Posted by WRP View Post
I think this Tiger trying break brains.
But possible he banned in Google.
Really, are you sure?

Where are the admins?
Isn't this a false accusation and defamation
Reply With Quote
  #12  
Old 02-22-2023, 03:25
chessgod101's Avatar
chessgod101 chessgod101 is online now
Co-Administrator
 
Join Date: Jan 2011
Location: United States
Posts: 535
Rept. Given: 2,222
Rept. Rcvd 692 Times in 220 Posts
Thanks Given: 704
Thanks Rcvd at 940 Times in 186 Posts
chessgod101 Reputation: 500-699 chessgod101 Reputation: 500-699 chessgod101 Reputation: 500-699 chessgod101 Reputation: 500-699 chessgod101 Reputation: 500-699 chessgod101 Reputation: 500-699
Hi New_Tiger,
I think it would be easier for people to help you if you were to post the assembly code you were using in x64 to attempt to solve this. Since you only provided the code in 32 bit assembly, we are left only to speculate what the issue could be. Anyway, since you posted the screenshot of what you were doing, it is clear that you were using the wrong calling convention. In x64, parameters are not passed to the WINAPI using the STDCALL convention, but rather a FAST CALL convention. Your code show be something like the following:

MOV ECX, ADDRESS_OF_SECTION
MOV EDX, SIZE_OF_SECTION
MOV r8d, NEW_PROTECT_CONSTANT
MOV r9, Address of an empty dword where the old_protect is returned
CALL VirtualProtect
__________________
"As the island of our knowledge grows, so does the shore of our ignorance." John Wheeler
Reply With Quote
The Following 2 Users Say Thank You to chessgod101 For This Useful Post:
New Tiger (02-22-2023), sh3dow (03-02-2023)
  #13  
Old 02-22-2023, 03:36
New Tiger New Tiger is offline
Friend
 
Join Date: Mar 2018
Posts: 42
Rept. Given: 0
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 49
Thanks Rcvd at 108 Times in 18 Posts
New Tiger Reputation: 6
Quote:
Originally Posted by chessgod101 View Post
Hi New_Tiger,
I think it would be easier for people to help you if you were to post the assembly code you were using in x64 to attempt to solve this. Since you only provided the code in 32 bit assembly, we are left only to speculate what the issue could be. Anyway, since you posted the screenshot of what you were doing, it is clear that you were using the wrong calling convention. In x64, parameters are not passed to the WINAPI using the STDCALL convention, but rather a FAST CALL convention. Your code show be something like the following:

MOV ECX, ADDRESS_OF_SECTION
MOV EDX, SIZE_OF_SECTION
MOV r8d, NEW_PROTECT_CONSTANT
MOV r9, Address of an empty dword where the old_protect is returned
CALL VirtualProtect
Thanks for your clarification, I admit that my knowledge is very limited in x64 but what it got me out of the mode is some vulgar posts.

Once again, thanks and do apologize!
Reply With Quote
The Following 2 Users Say Thank You to New Tiger For This Useful Post:
Stingered (02-22-2023), Zeokat (02-24-2023)
  #14  
Old 02-23-2023, 06:08
chants chants is offline
Banned User
 
Join Date: Jul 2016
Posts: 763
Rept. Given: 42
Rept. Rcvd 50 Times in 31 Posts
Thanks Given: 683
Thanks Rcvd at 1,090 Times in 495 Posts
chants Reputation: 50
However if you are dealing with Linux and 64 bit ELF files, the advice is similar but the headers and format different. Instead of VirtualProtect there is mprotect, etc. Based on responses, it's clear everyone here still uses Windows, myself included.

Also at ring0 there exists possibility of modifying page tables and changing the protection directly without using the OS API wrappers for this purpose.

The 32 bit calling conventions include fastcall, register, vectorcall and thiscall which do use registers. Sure cdecl and stdcall or Pascal conventions are common, but it's incorrect to say it doesn't use registers. Those conventions exist on a multitude of compilers. By 64 bit era there are so many registers added beyond there mere double bitwidth that for performance reasons there was no reason to keep stack only methods.
Reply With Quote
The Following 3 Users Say Thank You to chants For This Useful Post:
New Tiger (02-23-2023), sh3dow (03-02-2023), X0rby (04-01-2024)
  #15  
Old 02-23-2023, 06:25
New Tiger New Tiger is offline
Friend
 
Join Date: Mar 2018
Posts: 42
Rept. Given: 0
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 49
Thanks Rcvd at 108 Times in 18 Posts
New Tiger Reputation: 6
I was not aware of the calling convention in x64 but with the aid of the provided references I could solve the issue.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 01:07.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )