API Hooking for FreeStyle

PolyVector · Post by **PolyVector** » Sat Oct 02, 2004 11:45 pm

I need to hook a shared API in Windows9x to continue development on FreeStyle. Without this capability FreeStyle can't function properly in 9x! Here's what I know so far:

VirtualProtect_() won't allow me to modify permissions on a shared API...
I can bypass VirtualProtect_() by using an undocumented API called VxDCall()
With VxDCall() I can call _PageModifyPermissions directly and make shared memory writable

If anybody thinks they can help, I have code to access VxDCall() and _PageModifyPermissions... Although I'd rather PM it than post it here...

Sparkie · Post by **Sparkie** » Sun Oct 03, 2004 12:21 am

Not sure if this helps but have you tried VirtualProtectEx

MSDN SDK wrote:The VirtualProtect function changes the protection on a region of committed pages in the virtual address space of the calling process.

To change the access protection of any process, use the VirtualProtectEx function.

Client: Included in Windows XP, Windows 2000 Professional, Windows NT Workstation, Windows Me, Windows 98, and Windows 95.

PolyVector · Post by **PolyVector** » Sun Oct 03, 2004 11:50 am

no form of VirtualProtect will allow you to modify permissions of Shared memory

Windows Me/98/95: You cannot use VirtualProtectEx on any memory region located in the shared virtual address space (from 0x80000000 through 0xBFFFFFFF).

If anybody could help me getting this asm to work w/ PB it would be great:
It uses INT 2Eh to copy shared memory (on win9x)... It's the lowlevel equivilent of CopyMemory() on win9x

Code: Select all

                        i2E_RtlCopyMemory     equ     0000010Ah

                        mov     eax, i2E_RtlCopyMemory
                        lea     edx, stk
                        int     2Eh
                        ...
stk:                    dd      0BFF7xxxxh      ; edi (destination)
                        dd      offset vir_code ; esi (source)
                        dd      vir_size        ; ecx (length in bytes)

EDIT: SOLVED!
Here's the function if anybody's interested... It can copy ANY MEMORY on 9x... this includes protected/shared/whatever...

Code: Select all

Procedure Win9x_RtlCopyMemory(SourceMemory.l,DestinationMemory.l,Length.l)
  stk=AllocateMemory(3*4)
  PokeL(stk+0,DestinationMemory)
  PokeL(stk+4,SourceMemory)
  PokeL(stk+8,Length)
  MOV     eax, #i2E_RtlCopyMemory
  MOV     edx, stk
  INT     2Eh
  FreeMemory(Buffer)
EndProcedure

FloHimself · Post by **FloHimself** » Tue Oct 05, 2004 4:43 pm

solved polyvector?

Post by **Rings** » Tue Oct 05, 2004 5:50 pm

yes, win89's memory-handling is very secure

PolyVector · Post by **PolyVector** » Tue Oct 05, 2004 8:19 pm

solved polyvector?

Well I solved that one hurtle for 9x api hooking... Now I need to write a small code-generator to create functions in shared memory that check what the current process is and compare it with a list... And ever time i try code that fails I have to reboot

At least VMWare is my friend!
My work is never done!

PolyVector · Post by **PolyVector** » Sun Oct 10, 2004 5:42 am

Alright, this problem has been completely solved! Thanks for your help everyone!

blueznl · Post by **blueznl** » Sun Oct 10, 2004 9:49 am

gotta' love vmware! although i managed to crash the host now one time by doing something within vmware, security is not a 100% tight it appears