Issue with VirtualProtect

Windows specific questions.
UEZ
Posts: 586
Joined: May 05, 2017 19:59
Location: Germany

Issue with VirtualProtect

Postby UEZ » Jul 24, 2020 9:19

I want to port an Autoit script to Freebasic but I've problems with VirtualProtect.

Code: Select all

#Include Once "windows.bi"

Sub __MemoryDllCore()
   Static As Ubyte Ptr BinData
   Dim As Ushort iLen, iLines, p = 0

   Dim As String aBinary(1)
   
   Restore __OpCode:
   Read iLen
   iLen \= 2
   Read iLines
   
   BinData = Allocate(iLen)
   For i As Ulong = 0 To iLines - 1
      Read aBinary(0)
      For j As Ulong = 1 To Len(aBinary(0)) Step 2
         BinData[p] = Cubyte("&H" & Mid(aBinary(0), j, 2))
         p += 1
      Next
   Next
   Dim As DWORD old
   ? VirtualProtect(BinData, iLen, PAGE_EXECUTE_READWRITE, @old)
   
   ? "Error VP: " & GetLastError()
   Deallocate(BinData)
End Sub      

__MemoryDllCore()
Sleep



__OpCode:
Data 6648, 7
Data "FFFFFFFFFFFFFFB800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE05589E55156578B7D088B750C8B4D10FCF3A45F5E595DC35589E5578B7D088A450C8B4D10F3AA5F5DC359585A5153E8000000005B81EBAB114000898300114000899304114000E8000000005981E9C3114000518B9100114000E80B0000007573657233322E646C6C005850FFD2598B9104114000E80C0000004D657373616765426F784100595150FFD2898372114000E8000000005981E90D124000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80A0000006C737472636D70694100595150FFD2898309114000E8000000005981E957124000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80D0000005669727475616C416C6C6F6300595150FFD2898310114000E8000000005981E9A4124000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80C0000005669727475616C4672656500595150FFD2898317114000E8000000005981E9F012"
Data "4000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80F0000005669727475616C50726F7465637400595150FFD289831E114000E8000000005981E93F134000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80E00000052746C5A65726F4D656D6F727900595150FFD2898325114000E8000000005981E98D134000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80D0000004C6F61644C6962726172794100595150FFD289832C114000E8000000005981E9DA134000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80F00000047657450726F634164647265737300595150FFD2898333114000E8000000005981E929144000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80D00000049734261645265616450747200595150FFD289833A114000E8000000005981E976144000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80F00000047657450726F636573734865617000595150FFD2898341114000E8000000005981E9C5144000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2"
Data "598B9104114000E80A00000048656170416C6C6F6300595150FFD2898348114000E8000000005981E90F154000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E809000000486561704672656500595150FFD289834F114000E8000000005981E958154000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80C000000476C6F62616C416C6C6F6300595150FFD2898356114000E8000000005981E9A4154000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80E000000476C6F62616C5265416C6C6F6300595150FFD2898364114000E8000000005981E9F2154000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80B000000476C6F62616C4672656500595150FFD289835D114000E8000000005981E93D164000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80C000000467265654C69627261727900595150FFD289836B1140005B59585150E80E04000059C35990585A515250E8CC0500005A5AC35A585250E88E06000059C35589E557565383EC1C8B45108B40048945EC8B55108B020FB750148D740218C745F00000000066837806000F84B0000000837E"
Data "1000754C8B450C8B583885DB0F8E84000000C744240C04000000C744240800100000895C24048B45EC03460C890424E8FEF9FFFF83EC10894608895C2408C744240400000000890424E864FAFFFFEB46C744240C04000000C7442408001000008B4610894424048B45EC03460C890424E8BDF9FFFF83EC1089C78B55080356148B46108944240889542404893C24E808FAFFFF897E08FF45F083C6288B55108B020FB740063B45F00F8F50FFFFFF8D65F45B5E5F5DC35589E557565383EC1C8B55088B020FB750148D5C0218BF0000000066837806000F84E80000008B432489C2C1EA1D89D683E60189C2C1EA1E83E20189C1C1E91FA9000000027422C7442408004000008B4310894424048B4308890424E822F9FFFF83EC0CE99000000085F6741E85D2740D83F90119D283E2E083C240EB2983F90119D283E29083EA80EB1C85D2740D83F90119D283E2FE83C204EB0B83F90119D283E2F983C208F6432704740681CA000200008B4B1085C97522F6432440740A8B4D088B018B4820EB0EF643248074088B4D088B018B482485C9741D8D45F08944240C89542408894C24048B4308890424E894F8FFFF83EC104783C3288B55088B020FB7400639F80F8F18FFFFFF8D65F45B5E5F5DC35589E557565383EC048B45088B50048955F08B0083B8A400000000745789D30398A0000000833B00"
Data "744A8B7DF0033B8D4B08BE000000008B430483E808D1E883F80076280FB70189C2C1EA0C25FF0F000083FA0375068B550C0114074683C1028B430483E808D1E839F077D8035B04833B0075B683C4045B5E5F5DC35589E557565383EC1CC745F0010000008B45088B40048945EC8B55088B0283B884000000000F84410100008B7DEC03B880000000E9120100008B45EC03470C890424E8BFF7FFFF83EC048945E883F8FF750CC745F000000000E90E0100008B4D0883790800742EC7442408400000008B410C8D048504000000894424048B4108890424E8B6F7FFFF83EC0C8B550889420885C075268B4D088B410C8D04850400000089442404C7042440000000E87EF7FFFF83EC088B55088942088B4D088B510C8B41088B4DE8890C908B4508FF400C833F0074168B5DEC031F8B75EC037710EB11C745F000000000EB578B5DEC035F1089DE833B00744A833B0079190FB703894424048B55E8891424E8FEF6FFFF83EC088906EB1C8B45EC030383C002894424048B4DE8890C24E8E0F6FFFF83EC088906833E0074AB83C30483C604833B0075B6837DF000742483C714C744240414000000893C24E8B9F6FFFF83EC0885C0750A837F0C000F85CDFEFFFF8B45F08D65F45B5E5F5DC35589E557565383EC1C8B45088945F0B8000000008B550866813A4D5A0F85A20100008B75088B45F003"
Data "703CB800000000813E504500000F8588010000C744240C04000000C7442408002000008B4650894424048B4634890424E815F6FFFF83EC1089C785C07535C744240C04000000C7442408002000008B465089442404C7042400000000E8E9F5FFFF83EC1089C7B80000000085FF0F8428010000E803F6FFFFC744240814000000C744240400000000890424E8F2F5FFFF83EC0C89C3897804C7400C00000000C7400800000000C7401000000000C744240C04000000C7442408001000008B465089442404893C24E87EF5FFFF83EC10C744240C04000000C7442408001000008B465489442404893C24E85CF5FFFF83EC108945EC8B55F08B423C03465489442408895424048B45EC890424E8A3F5FFFF8B45EC8B55F003423C8903897834895C2408897424048B4508890424E8B4FAFFFF89F82B4634740C89442404891C24E8A0FCFFFF891C24E814FDFFFF85C0743E891C24E876FBFFFF8B0383782800742A89FA0350287427C744240800000000C744240401000000893C24FFD283EC0C85C0740BC743100100000089D8EB0D891C24E8DB000000B8000000008D65F45B5E5F5DC35589E583EC28895DF48975F8897DFC8B45088B50048955F0C745ECFFFFFFFF8B1083C278B800000000837A04000F848E0000008B5DF0031A837B18007406837B1400750FB800000000EB760FB73F897DEC"
Data "EB458B75F00373208B7DF0037B24C745E800000000837B1800762C8B45F00306894424048B450C890424E820F4FFFF83EC0885C074C4FF45E883C60483C7028B55E839531877D4B800000000837DECFF741EB8000000008B55EC3B531477118B45ECC1E00203431C8B55F003141089D08B5DF48B75F88B7DFC89EC5DC35589E5565383EC108B750885F60F84AC000000837E1000742A8B068B56048B48288D040AC744240800000000C744240400000000891424FFD083EC0CC7461000000000837E08007436BB00000000837E0C007E1D8B4608833C98FF740E8B0498890424E8CCF3FFFF83EC0443395E0C7FE38B4608890424E8AAF3FFFF83EC04837E0400741EC744240800800000C7442404000000008B4604890424E840F3FFFF83EC0CE862F3FFFF89742408C744240400000000890424E85CF3FFFF83EC0C8D65F85B5E5DC3"


VirtualProtect runs properly but is not successful error 126:

ERROR_MOD_NOT_FOUND

126 (0x7E)

The specified module could not be found.


How can I use VirtualProtect with the opcode properly in x86 mode?

The opcode is x86 assembler code.
Last edited by UEZ on Jul 24, 2020 14:42, edited 1 time in total.
MrSwiss
Posts: 3542
Joined: Jun 02, 2013 9:27
Location: Switzerland

Re: Issue with VirtualProtect

Postby MrSwiss » Jul 24, 2020 14:31

Not everybody around here is familiar, with AutoIt.
More information on: VirtualProtect's 'workings', is therefore needed ...
UEZ
Posts: 586
Joined: May 05, 2017 19:59
Location: Germany

Re: Issue with VirtualProtect

Postby UEZ » Jul 24, 2020 14:38

MrSwiss wrote:Not everybody around here is familiar, with Auto-It.
More information on: VirtualProtect's 'workings', is therefore needed ...

Currently there is no need for Autoit code, just the issue why VirtualProtect produces an error code 126.

With Autoit the return value of VirtualProtect is 1, same with FB, but with Autoit there is no error when calling GetLastError.

You can minimize the code to

Code: Select all

#Include Once "windows.bi"
Dim As Ubyte Ptr BinData
Dim As SIZE_T iLen = 1000
Dim As DWORD old
BinData = Allocate(iLen)
   
? VirtualProtect(BinData, iLen, PAGE_EXECUTE_READWRITE, @old), "Error VP: " & GetLastError()
Deallocate(BinData)

Sleep


If anybody wants to see the Autoit code I can post it.

Btw, running the code as x64 produces the expected result. Why not with x86?
jj2007
Posts: 1523
Joined: Oct 23, 2016 15:28
Location: Roma, Italia
Contact:

Re: Issue with VirtualProtect

Postby jj2007 » Jul 24, 2020 15:18

Compiled with GAS, Gcc32, Gcc64 on Win7-64:

Code: Select all

 1            Error VP: 0
srvaldez
Posts: 2464
Joined: Sep 25, 2005 21:54

Re: Issue with VirtualProtect

Postby srvaldez » Jul 24, 2020 16:36

I get the value of 1 both in 32 and 64-bit, which according to MS is ok https://docs.microsoft.com/en-us/window ... ualprotect
dodicat
Posts: 6559
Joined: Jan 10, 2006 20:30
Location: Scotland

Re: Issue with VirtualProtect

Postby dodicat » Jul 24, 2020 16:53

My 64 bit machine is er . . . kaput, I think describes it best.
So on 32 bit XP (with a real crt monitor), gas and gcc, I get the original error, 126.(fb 1.06)
I have ordered another machine from Ebay, Win 10 pro.
MrSwiss
Posts: 3542
Joined: Jun 02, 2013 9:27
Location: Switzerland

Re: Issue with VirtualProtect

Postby MrSwiss » Jul 24, 2020 17:16

dodicat wrote:So on 32 bit XP (with a real crt monitor), gas and gcc, I get the original error, 126.(fb 1.06)
IIRC, there has been a 'compatibility break' between FBC versions:
1.06 and 1.07 (which may cause differences).
See: changelog (ver: 1.07.1)
Yet another reason, to keep the compilers current.
jj2007
Posts: 1523
Joined: Oct 23, 2016 15:28
Location: Roma, Italia
Contact:

Re: Issue with VirtualProtect

Postby jj2007 » Jul 24, 2020 18:40

This has nothing to do with the compiler version - it is a simple straightforward WinAPI call. On WinXP-32 I get error 203, although the return value is 1. Which simply means there is no error. You can test this behaviour as follows:

Code: Select all

#Include Once "windows.bi"
Dim As Ubyte Ptr BinData
Dim As SIZE_T iLen = 1000
Dim As DWORD old
BinData = Allocate(iLen)
SetLastError(123)
? VirtualProtect(BinData, iLen, PAGE_EXECUTE_READWRITE, @old), "Error VP: " & GetLastError()
Deallocate(BinData)

Sleep
This will return 123 for GetLastError but 1 for VirtualProtect. So, @UEZ, if you get one for VirtualProtect you can safely ignore the error 126.
UEZ
Posts: 586
Joined: May 05, 2017 19:59
Location: Germany

Re: Issue with VirtualProtect

Postby UEZ » Jul 24, 2020 20:01

Thanks all for your replies.

The odd thing is that VirtualProtect returns 1 which means is successful but on the other hand the error flag was set.

When I use following code

Code: Select all

#Include Once "windows.bi"
SetLastError(0)
? GetLastError()
Dim As Ubyte Ptr BinData
Dim As SIZE_T iLen = 1000
Dim As DWORD old
? GetLastError()
BinData = Allocate(iLen)
? GetLastError()
? VirtualProtect(BinData, iLen, PAGE_EXECUTE_READWRITE, @old), "Error VP: " & GetLastError()
Deallocate(BinData)

Sleep


The the error is still 0 after VirtualProtect call. I don't know why it's set...

dodicat wrote:My 64 bit machine is er . . . kaput, I think describes it best.

Well, when it's "kaputt" then it's "kaputt" and you have to get a new one. If you don't play high end games then a standard one would be sufficient but you should have at least 8 GM ram with SSD. :-)

What I'm trying to port to FB is a code to call a DLL from the memory just with some inline assembler opcode and api calls. So need for external files or static libs.

Well, to understand the Autoit code you must have some knowledge with Autoit, therefor I don't know whether it makes sense to post the code.

There are many smart wrapper functions in Autoit which makes the coder's live more easy.

Btw, when I have a optcode and some reference addresses of that code how can I call it?

Let's say my opcode is in memory using Allocate which gives me the address and one function within the opcode is memory opcode + &h00A1.
There is the entry point for a function with 3 parameters.
How can I call it?

This is the code what it so far which is crashing.

MemDLLCall.bi

Code: Select all

#Include Once "windows.bi"

Sub __MemoryDllCore(iCall As Ubyte, Dll_Bin As Ubyte Ptr, iBinLen As Ulong, sFuncName As String = "")
   Static As Boolean bDllInit = False
   Static As Any Ptr pMDLoadLibrary, pMDGetFuncAddress, pMDFreeLibrary
   Static As HMODULE pModule
   Static As FARPROC pGetProcAddress, pLoadLibraryA
   Static As DWORD OldProtect, OldProtectDLL
   Static As Ubyte Ptr BinData
   Dim As Ushort iLen, iLines, p = 0
   If bDllInit = False Then
      Dim As String aBinary(1)
      
      Restore __OpCode:
      Read iLen
      iLen \= 2
      Read iLines
      Dim As DWORD old
      
      BinData = Allocate(iLen)
      ? VirtualProtect(BinData, iLen, PAGE_EXECUTE_READWRITE, @old)
      ? "Error VP: " & GetLastError()
      
      For i As Ulong = 0 To iLines - 1
         Read aBinary(0)
         For j As Ulong = 1 To Len(aBinary(0)) Step 2
            BinData[p] = Cubyte("&H" & Mid(aBinary(0), j, 2))
            p += 1
         Next
      Next
   
      'pLoadLibrary = GetProcAddress(GetModuleHandle("Kernel32"),"LoadLibraryA")
      
      pMDLoadLibrary = BinData + &h00A1 : pMDGetFuncAddress = BinData + &h0590 : pMDFreeLibrary = BinData + &h059F :
      pModule = LoadLibraryA("kernel32.dll") : pGetProcAddress = GetProcAddress(pModule, "GetProcAddress") : pLoadLibraryA = GetProcAddress(pModule, "LoadLibraryA")
            
      bDllInit = True
   End If
   
   Dim cpMDLoadLibrary As Function (Byval Lib As FARPROC, Byval ProcAddress As FARPROC, Byval ModBin As Any Ptr) As Any Ptr = pMDLoadLibrary
   Dim cpMDGetFuncAddress As Function(Byval ModBin As Ubyte Ptr, Byref sFuncName As String) As Any Ptr = pMDGetFuncAddress
   Dim cpMDFreeLibrary As Sub(Byval ModBin As Any Ptr) = pMDFreeLibrary
      
   Static As Any Ptr hModule
   
   Select Case iCall
      Case 0
         ? VirtualProtect(@Dll_Bin[0], iBinLen, PAGE_EXECUTE_READWRITE, @OldProtectDLL)
         ? "Error: " & GetLastError()
         hModule = cpMDLoadLibrary(pLoadLibraryA, pGetProcAddress, Dll_Bin)
         ? "hModule = " & Hex(hModule), hModule
      Case 1
         '? cpMDGetFuncAddress(@Dll_Bin[0], sFuncName)
         ? "huhuh"
      Case 2
         'cpMDFreeLibrary(hModule)
         ? "huhuh"
         VirtualFree(BinData, iLen, MEM_DECOMMIT)
         FreeLibrary(pModule)
         Deallocate(Dll_Bin)
         Deallocate(BinData)
'         ? VirtualProtect(@BinData(0), Ubound(BinData), OldProtect, NULL)
'         ? GetLastError()
'         ? VirtualProtect(@Dll_Bin(0), Ubound(Dll_Bin), OldProtectDLL, NULL)
'         ? GetLastError()
   End Select
End Sub


__OpCode:
Data 6648, 7
Data "FFFFFFFFFFFFFFB800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE0B800000000FFE05589E55156578B7D088B750C8B4D10FCF3A45F5E595DC35589E5578B7D088A450C8B4D10F3AA5F5DC359585A5153E8000000005B81EBAB114000898300114000899304114000E8000000005981E9C3114000518B9100114000E80B0000007573657233322E646C6C005850FFD2598B9104114000E80C0000004D657373616765426F784100595150FFD2898372114000E8000000005981E90D124000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80A0000006C737472636D70694100595150FFD2898309114000E8000000005981E957124000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80D0000005669727475616C416C6C6F6300595150FFD2898310114000E8000000005981E9A4124000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80C0000005669727475616C4672656500595150FFD2898317114000E8000000005981E9F012"
Data "4000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80F0000005669727475616C50726F7465637400595150FFD289831E114000E8000000005981E93F134000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80E00000052746C5A65726F4D656D6F727900595150FFD2898325114000E8000000005981E98D134000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80D0000004C6F61644C6962726172794100595150FFD289832C114000E8000000005981E9DA134000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80F00000047657450726F634164647265737300595150FFD2898333114000E8000000005981E929144000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80D00000049734261645265616450747200595150FFD289833A114000E8000000005981E976144000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80F00000047657450726F636573734865617000595150FFD2898341114000E8000000005981E9C5144000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2"
Data "598B9104114000E80A00000048656170416C6C6F6300595150FFD2898348114000E8000000005981E90F154000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E809000000486561704672656500595150FFD289834F114000E8000000005981E958154000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80C000000476C6F62616C416C6C6F6300595150FFD2898356114000E8000000005981E9A4154000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80E000000476C6F62616C5265416C6C6F6300595150FFD2898364114000E8000000005981E9F2154000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80B000000476C6F62616C4672656500595150FFD289835D114000E8000000005981E93D164000518B9100114000E80D0000006B65726E656C33322E646C6C005850FFD2598B9104114000E80C000000467265654C69627261727900595150FFD289836B1140005B59585150E80E04000059C35990585A515250E8CC0500005A5AC35A585250E88E06000059C35589E557565383EC1C8B45108B40048945EC8B55108B020FB750148D740218C745F00000000066837806000F84B0000000837E"
Data "1000754C8B450C8B583885DB0F8E84000000C744240C04000000C744240800100000895C24048B45EC03460C890424E8FEF9FFFF83EC10894608895C2408C744240400000000890424E864FAFFFFEB46C744240C04000000C7442408001000008B4610894424048B45EC03460C890424E8BDF9FFFF83EC1089C78B55080356148B46108944240889542404893C24E808FAFFFF897E08FF45F083C6288B55108B020FB740063B45F00F8F50FFFFFF8D65F45B5E5F5DC35589E557565383EC1C8B55088B020FB750148D5C0218BF0000000066837806000F84E80000008B432489C2C1EA1D89D683E60189C2C1EA1E83E20189C1C1E91FA9000000027422C7442408004000008B4310894424048B4308890424E822F9FFFF83EC0CE99000000085F6741E85D2740D83F90119D283E2E083C240EB2983F90119D283E29083EA80EB1C85D2740D83F90119D283E2FE83C204EB0B83F90119D283E2F983C208F6432704740681CA000200008B4B1085C97522F6432440740A8B4D088B018B4820EB0EF643248074088B4D088B018B482485C9741D8D45F08944240C89542408894C24048B4308890424E894F8FFFF83EC104783C3288B55088B020FB7400639F80F8F18FFFFFF8D65F45B5E5F5DC35589E557565383EC048B45088B50048955F08B0083B8A400000000745789D30398A0000000833B00"
Data "744A8B7DF0033B8D4B08BE000000008B430483E808D1E883F80076280FB70189C2C1EA0C25FF0F000083FA0375068B550C0114074683C1028B430483E808D1E839F077D8035B04833B0075B683C4045B5E5F5DC35589E557565383EC1CC745F0010000008B45088B40048945EC8B55088B0283B884000000000F84410100008B7DEC03B880000000E9120100008B45EC03470C890424E8BFF7FFFF83EC048945E883F8FF750CC745F000000000E90E0100008B4D0883790800742EC7442408400000008B410C8D048504000000894424048B4108890424E8B6F7FFFF83EC0C8B550889420885C075268B4D088B410C8D04850400000089442404C7042440000000E87EF7FFFF83EC088B55088942088B4D088B510C8B41088B4DE8890C908B4508FF400C833F0074168B5DEC031F8B75EC037710EB11C745F000000000EB578B5DEC035F1089DE833B00744A833B0079190FB703894424048B55E8891424E8FEF6FFFF83EC088906EB1C8B45EC030383C002894424048B4DE8890C24E8E0F6FFFF83EC088906833E0074AB83C30483C604833B0075B6837DF000742483C714C744240414000000893C24E8B9F6FFFF83EC0885C0750A837F0C000F85CDFEFFFF8B45F08D65F45B5E5F5DC35589E557565383EC1C8B45088945F0B8000000008B550866813A4D5A0F85A20100008B75088B45F003"
Data "703CB800000000813E504500000F8588010000C744240C04000000C7442408002000008B4650894424048B4634890424E815F6FFFF83EC1089C785C07535C744240C04000000C7442408002000008B465089442404C7042400000000E8E9F5FFFF83EC1089C7B80000000085FF0F8428010000E803F6FFFFC744240814000000C744240400000000890424E8F2F5FFFF83EC0C89C3897804C7400C00000000C7400800000000C7401000000000C744240C04000000C7442408001000008B465089442404893C24E87EF5FFFF83EC10C744240C04000000C7442408001000008B465489442404893C24E85CF5FFFF83EC108945EC8B55F08B423C03465489442408895424048B45EC890424E8A3F5FFFF8B45EC8B55F003423C8903897834895C2408897424048B4508890424E8B4FAFFFF89F82B4634740C89442404891C24E8A0FCFFFF891C24E814FDFFFF85C0743E891C24E876FBFFFF8B0383782800742A89FA0350287427C744240800000000C744240401000000893C24FFD283EC0C85C0740BC743100100000089D8EB0D891C24E8DB000000B8000000008D65F45B5E5F5DC35589E583EC28895DF48975F8897DFC8B45088B50048955F0C745ECFFFFFFFF8B1083C278B800000000837A04000F848E0000008B5DF0031A837B18007406837B1400750FB800000000EB760FB73F897DEC"
Data "EB458B75F00373208B7DF0037B24C745E800000000837B1800762C8B45F00306894424048B450C890424E820F4FFFF83EC0885C074C4FF45E883C60483C7028B55E839531877D4B800000000837DECFF741EB8000000008B55EC3B531477118B45ECC1E00203431C8B55F003141089D08B5DF48B75F88B7DFC89EC5DC35589E5565383EC108B750885F60F84AC000000837E1000742A8B068B56048B48288D040AC744240800000000C744240400000000891424FFD083EC0CC7461000000000837E08007436BB00000000837E0C007E1D8B4608833C98FF740E8B0498890424E8CCF3FFFF83EC0443395E0C7FE38B4608890424E8AAF3FFFF83EC04837E0400741EC744240800800000C7442404000000008B4604890424E840F3FFFF83EC0CE862F3FFFF89742408C744240400000000890424E85CF3FFFF83EC0C8D65F85B5E5DC3"


And this is an example of a MD5 dll to call it from memory.

MemDllCall Example1.bas

Code: Select all

#Include "MemDLLCall.bi"

'Dim As OpCode MD5DLL

Dim As Ubyte aMD5DLL(Any)

Dim As Ushort iLen, iLines, p = 0, l = 0
Dim As String aBinary(1)
Restore __MD5_DLL:
Read iLen
Read iLines
iLen \= 2
Redim aMD5DLL(iLen)

Dim As Ubyte Ptr pMD5DLL= Allocate(iLen)

For i As Ushort = 0 To iLines - 1
   Read aBinary(0)
   For j As Ushort = 1 To Len(aBinary(0)) Step 2
      pMD5DLL[p] = Cubyte("&H" & Mid(aBinary(0), j, 2))
      p += 1
   Next
Next

'Dim As Long f
'f = FreeFile
'Open "c:\temp\md5.bin" For Binary Access Write As #f
'Put #f, 0, MD5DLL.bin(0), iLen \ 2
'Close #f


__MemoryDllCore(0, pMD5DLL, iLen)
__MemoryDllCore(1, pMD5DLL, iLen, "md5")
__MemoryDllCore(2, pMD5DLL, iLen)
Sleep

__MD5_DLL:
Data 6144, 7
Data "4D5A50000200000004000F00FFFF0000B80000000000000040001A0000000000535048494E5820432D2D20302E3233394A616E20313920323030370060000000BA0E000E1FB409CD21B8014CCD21466F722057696E3332206F6E6C79210D0A24504500004C010100000000000000000000000000E0008EA10B0100EF000A0000000000000000000000100000001000000000000000004000001000000002000001000000000000000400000000000000002000000002000000000000030001000080000000080000000001000010000000000000100000006C1800003E000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000434F4445000000000010000000100000000A000000020000000000000000000000000000600000E00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
Data "00000000000000000000000031C040C20C00C85800005356578D45A850E83B000000FF750CFF75088D45A850E8590000008D45A850FF7510E88A0700005F5E5BC9C20C005589E55156578B7D088B750C8B4D10FCF3A45F5E595DC20C005589E58B4D0831C0894114894110C70101234567C7410489ABCDEFC74108FEDCBA98C7410C765432105DC20400C80C0000538B5D088B4310C1E80383E03F8945F88B4510C1E0030143103943107303FF43148B4510C1E81D0143146A40582B45F88945F4394510724550FF750C8B45F88D44031850E86DFFFFFF8D43185053E84E0000008B45F48945FC8B45FC83C03F39451076138B450C0345FC5053E8300000008345FC40EBE28365F800EB048365FC008B45102B45FC508B450C0345FC508B45F88D44031850E81AFFFFFF5BC9C20C00C84000005356576A40FF750C8D45C050E800FFFFFF8B45088B088B50048B70088B780C89D021F089D3F7D321FB09D801C1034DC081C178A46AD7C1C10701D189C821D089CBF7D321F309D801C7037DC481C756B7C7E8C1C70C01CF89F821C889FBF7D321D309D801C60375C881C6DB702024C1C61101FE89F021F889F3F7D321CB09D801C20355CC81C2EECEBDC1C1C21601F289D021F089D3F7D321FB09D801C1034DD081C1AF0F7CF5C1C10701D189C821D089CBF7D321F309D801C7037DD481C72AC687"
Data "47C1C70C01CF89F821C889FBF7D321D309D801C60375D881C6134630A8C1C61101FE89F021F889F3F7D321CB09D801C20355DC81C2019546FDC1C21601F289D021F089D3F7D321FB09D801C1034DE081C1D8988069C1C10701D189C821D089CBF7D321F309D801C7037DE481C7AFF7448BC1C70C01CF89F821C889FBF7D321D309D801C60375E881C6B15BFFFFC1C61101FE89F021F889F3F7D321CB09D801C20355EC81C2BED75C89C1C21601F289D021F089D3F7D321FB09D801C1034DF081C12211906BC1C10701D189C821D089CBF7D321F309D801C7037DF481C7937198FDC1C70C01CF89F821C889FBF7D321D309D801C60375F881C68E4379A6C1C61101FE89F021F889F3F7D321CB09D801C20355FC81C22108B449C1C21601F289D021F889FBF7D321F309D801C1034DC481C162251EF6C1C10501D189C821F089F3F7D321D309D801C7037DD881C740B340C0C1C70901CF89F821D089D3F7D321CB09D801C60375EC81C6515A5E26C1C60E01FE89F021C889CBF7D321FB09D801C20355C081C2AAC7B6E9C1C21401F289D021F889FBF7D321F309D801C1034DD481C15D102FD6C1C10501D189C821F089F3F7D321D309D801C7037DE881C753144402C1C70901CF89F821D089D3F7D321CB09D801C60375FC81C681E6A1D8C1C60E01FE89F021C889CBF7D321FB09D801C20355D081"
Data "C2C8FBD3E7C1C21401F289D021F889FBF7D321F309D801C1034DE481C1E6CDE121C1C10501D189C821F089F3F7D321D309D801C7037DF881C7D60737C3C1C70901CF89F821D089D3F7D321CB09D801C60375CC81C6870DD5F4C1C60E01FE89F021C889CBF7D321FB09D801C20355E081C2ED145A45C1C21401F289D021F889FBF7D321F309D801C1034DF481C105E9E3A9C1C10501D189C821F089F3F7D321D309D801C7037DC881C7F8A3EFFCC1C70901CF89F821D089D3F7D321CB09D801C60375DC81C6D9026F67C1C60E01FE89F021C889CBF7D321FB09D801C20355F081C28A4C2A8DC1C21401F289D031F031F801C1034DD481C14239FAFFC1C10401D189C831D031F001C7037DE081C781F67187C1C70B01CF89F831C831D001C60375EC81C622619D6DC1C61001FE89F031F831C801C20355F881C20C38E5FDC1C21701F289D031F031F801C1034DC481C144EABEA4C1C10401D189C831D031F001C7037DD081C7A9CFDE4BC1C70B01CF89F831C831D001C60375DC81C6604BBBF6C1C61001FE89F031F831C801C20355E881C270BCBFBEC1C21701F289D031F031F801C1034DF481C1C67E9B28C1C10401D189C831D031F001C7037DC081C7FA27A1EAC1C70B01CF89F831C831D001C60375CC81C68530EFD4C1C61001FE89F031F831C801C20355D881C2051D8804C1C21701F289D0"
Data "31F031F801C1034DE481C139D0D4D9C1C10401D189C831D031F001C7037DF081C7E599DBE6C1C70B01CF89F831C831D001C60375FC81C6F87CA21FC1C61001FE89F031F831C801C20355C881C26556ACC4C1C21701F289F8F7D009D031F001C1034DC081C1442229F4C1C10601D189F0F7D009C831D001C7037DDC81C797FF2A43C1C70A01CF89D0F7D009F831C801C60375F881C6A72394ABC1C60F01FE89C8F7D009F031F801C20355D481C239A093FCC1C21501F289F8F7D009D031F001C1034DF081C1C3595B65C1C10601D189F0F7D009C831D001C7037DCC81C792CC0C8FC1C70A01CF89D0F7D009F831C801C60375E881C67DF4EFFFC1C60F01FE89C8F7D009F031F801C20355C481C2D15D8485C1C21501F289F8F7D009D031F001C1034DE081C14F7EA86FC1C10601D189F0F7D009C831D001C7037DFC81C7E0E62CFEC1C70A01CF89D0F7D009F831C801C60375D881C6144301A3C1C60F01FE89C8F7D009F031F801C20355F481C2A111084EC1C21501F289F8F7D009D031F001C1034DD081C1827E53F7C1C10601D189F0F7D009C831D001C7037DEC81C735F23ABDC1C70A01CF89D0F7D009F831C801C60375C881C6BBD2D72AC1C60F01FE89C8F7D009F031F801C20355E481C291D386EBC1C21501F28B4508010801500401700801780C5F5E5BC9C20800C814000053E8400000"
Data "00800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008F45EC8B5D0C6A088D4310508D45F850E81EF8FFFF8B4310C1E80383E03F8945F483F838730B6A38582B45F48945F0EB096A78582B45F48945F0FF75F0FF75ECFF750CE831F8FFFF6A088D45F850FF750CE823F8FFFF6A1053FF7508E8D2F7FFFF5BC9C20800900000000000000000000000009E18000001000000010000000100000094180000981800009C18000006100000A618000000006D64352E646C6C006D643500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
Data "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"


Original Autoit code can be found here: https://www.autoitscript.com/forum/topi ... nt=1099337
jj2007
Posts: 1523
Joined: Oct 23, 2016 15:28
Location: Roma, Italia
Contact:

Re: Issue with VirtualProtect

Postby jj2007 » Jul 24, 2020 21:54

UEZ wrote:The odd thing is that VirtualProtect returns 1 which means is successful but on the other hand the error flag was set
This is standard practice in Windows. What counts is the return code of the API call; GetLastError is valid only if the return code says "it's an error". Windows uses its errors internally, and most of the time they are meaningless for the caller of the API.

In this case, the GetLastError code results from an earlier API call. I used SetLastError(123) to demonstrate that VirtualProtect does not set the error.
UEZ
Posts: 586
Joined: May 05, 2017 19:59
Location: Germany

Re: Issue with VirtualProtect

Postby UEZ » Jul 25, 2020 14:15

Thanks @jj2007.

UEZ wrote:Let's say my opcode is in memory using Allocate which gives me the address and one function within the opcode is memory opcode + &h00A1.
There is the entry point for a function with 3 parameters.
How can I call it?


Any idea on this?

Is this a valid approach?
(code extract from above)

Code: Select all

...
      pMDLoadLibrary = BinData + &h00A1 : pMDGetFuncAddress = BinData + &h0590 : pMDFreeLibrary = BinData + &h059F :
      pModule = LoadLibraryA("kernel32.dll") : pGetProcAddress = GetProcAddress(pModule, "GetProcAddress") : pLoadLibraryA = GetProcAddress(pModule, "LoadLibraryA")
            
      bDllInit = True
   End If
   
   Dim cpMDLoadLibrary As Function (Byval Lib As FARPROC, Byval ProcAddress As FARPROC, Byval ModBin As Any Ptr) As Any Ptr = pMDLoadLibrary
   Dim cpMDGetFuncAddress As Function(Byval ModBin As Ubyte Ptr, Byref sFuncName As String) As Any Ptr = pMDGetFuncAddress
   Dim cpMDFreeLibrary As Sub(Byval ModBin As Any Ptr) = pMDFreeLibrary
   ...

The first call doesn't crash in Case 0 but the 2nd one in Case 1 does... :-(

Return to “Windows”

Who is online

Users browsing this forum: No registered users and 3 guests