Showing posts with label gcc. Show all posts

Sunday, October 4, 2015

Executing x86 machine code from char array in C/C++

The idea is:
  1. create a char array in a file containing the machine code (not as const, so it lands in a writable data section)
  2. mark the memory as executable with mprotect or VirtualProtect
  3. declare a typedef for a function pointer with the correct parameters and point it at the address of our char array
  4. call it
It's pretty straightforward for a simple function, like one that does x+1 or a*b, but a function calling another function (e.g. one that calls strlen, malloc, etc.) needs the call targets to be calculated first or the function will call the wrong code (undefined behaviour).

Okay, so let's start. I've made a simple function that XORs 7303014 with x. This is the code:


#include <stdio.h>
 
int foo_bar(int baz) {
 int foo=7303014;
 return foo^baz;
}
 
int main() {
 int val=1904132;
 int out=foo_bar(val);
 // Deliberate trick: print the four little-endian bytes of out as a C string (up to the first NUL).
 printf("%s",(char*)&out);
 return 0;
}


It looks simple, right? It only prints the string "bar" to the console. Now what we need is the foo_bar function as machine code. Open a hex editor, open the executable and find the function.

Note: this is 32-bit x86 machine code. It will not work if you compile the host program as 64-bit code; build both programs as 32-bit.
The highlighted hex (in the hex editor screenshot) is the foo_bar function whose machine code we need to put into our new code. This is our char array declaration:

char foo_bar[]={0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10, 0xC7, 0x45, 0xFC, 0x66, 0x6F, 0x6F, 0x00, 0x8B, 0x45, 0x08, 0x8B, 0x55, 0xFC, 0x31, 0xD0, 0xC9, 0xC3};

That completes point 1 above. Now let's write the code that finishes points 2, 3 and 4:

typedef int (*foo_bar_t)(int );
 
int main() {
 foo_bar_t foo=(foo_bar_t)(void*)foo_bar;
 DWORD old_protect;
 // Point 2: make the page holding foo_bar executable; check the result instead of crashing later.
 if(!VirtualProtect(foo,sizeof(foo_bar),PAGE_EXECUTE_READWRITE,&old_protect)) {
  printf("VirtualProtect failed: %lu\n",GetLastError());
  return 1;
 }
 int out=foo(0);             // Point 4: call the machine code through the typedef'd pointer
 printf("%s",(char*)&out);   // print out's little-endian bytes as a string, as in the first program
 return 0;
}

Q: Why cast to void* first and then to foo_bar_t?
A: Visual Studio doesn't like casting a char* directly to foo_bar_t, so cast it to void* first. GCC works fine without the cast to void*.

Ok that's our complete main function. Now let's explain it.

Point 2 is the VirtualProtect call. VirtualProtect marks the page containing the address in foo as executable, readable and writeable (see PAGE_EXECUTE_READWRITE); note that it works on whole pages, so every variable sharing that page with foo_bar becomes executable too. Without this call, point 4 will very likely fail (segmentation fault/access violation), because DEP keeps the data section non-executable (be sure to include windows.h).
Point 3 is above main: the typedef.
Point 4 follows point 2. Again, calling the function without changing the memory protection would very likely crash your program.

Alright, this is the complete code


#include <stdio.h>
#include <windows.h>
 
typedef int (*foo_bar_t)(int );
 
// Machine code of the 32-bit foo_bar above: push ebp; mov ebp,esp; sub esp,0x10;
// mov dword [ebp-4],0x006F6F66; mov eax,[ebp+8]; mov edx,[ebp-4]; xor eax,edx; leave; ret
// Not const: a const array would be placed in a read-only section.
char foo_bar[]={0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10, 0xC7, 0x45, 0xFC, 0x66, 0x6F, 0x6F, 0x00, 0x8B, 0x45, 0x08, 0x8B, 0x55, 0xFC, 0x31, 0xD0, 0xC9, 0xC3};
 
int main() {
 foo_bar_t foo=(foo_bar_t)(void*)foo_bar;   // point 3: typed pointer to the bytes
 DWORD old_protect;
 // Point 2: DEP leaves .data non-executable, so flip the page holding foo_bar to RWX.
 if(!VirtualProtect(foo,sizeof(foo_bar),PAGE_EXECUTE_READWRITE,&old_protect)) {
  printf("VirtualProtect failed: %lu\n",GetLastError());
  return 1;
 }
 int out=foo(0);             // point 4: run the machine code
 printf("%s",(char*)&out);   // print out's little-endian bytes as a string, up to the first NUL
 return 0;
}


Now let's compile it and run it.

Our program runs without error. That means we have successfully run our machine code. That's it for today.

Challenge: Compile both complete code above and find out why it prints "bar" and "foo".
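As an added example (not code from the post), here is the same four-step procedure written the way a defender would want it: the bytes are copied into a page of their own so no neighbouring globals get swept along, the page is writable only while copying and then flipped to read+execute (W^X rather than PAGE_EXECUTE_READWRITE), and every return value is checked. It also shows how to verify what the routine will do before running it, by reading the XOR constant straight out of the `mov dword [ebp-4], imm32` instruction and predicting the printed string; that covers the challenge above. The function names (`load_code_rx`, `call_foo_bar`, `predict_output`) are my own, and the code only calls into the bytes on a 32-bit x86 build, since the bytes are 32-bit code.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif

/* The 23 bytes from the post: push ebp; mov ebp,esp; sub esp,0x10; mov dword [ebp-4],0x006F6F66;
   mov eax,[ebp+8]; mov edx,[ebp-4]; xor eax,edx; leave; ret  (32-bit cdecl). */
static const unsigned char foo_bar_code[] = {
    0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10, 0xC7, 0x45, 0xFC, 0x66, 0x6F, 0x6F, 0x00,
    0x8B, 0x45, 0x08, 0x8B, 0x55, 0xFC, 0x31, 0xD0, 0xC9, 0xC3};

/* Read the imm32 of "C7 45 FC imm32" (mov dword [ebp-4], imm32) out of the bytes, so we know
   which constant the routine XORs with before running anything. Returns 0 on success, -1 if absent. */
int decode_xor_constant(const unsigned char *code, size_t len, uint32_t *out) {
    for (size_t i = 0; i + 7 <= len; i++) {
        if (code[i] == 0xC7 && code[i + 1] == 0x45 && code[i + 2] == 0xFC) {
            *out = (uint32_t)code[i + 3] | ((uint32_t)code[i + 4] << 8) |
                   ((uint32_t)code[i + 5] << 16) | ((uint32_t)code[i + 6] << 24);
            return 0;
        }
    }
    return -1;
}

/* What printf("%s", &out) shows for a given argument: the little-endian bytes of
   constant ^ arg read as a C string up to the first NUL. buf must hold 5 bytes. */
void predict_output(uint32_t constant, uint32_t arg, char buf[5]) {
    uint32_t v = constant ^ arg;
    for (int i = 0; i < 4; i++) buf[i] = (char)((v >> (8 * i)) & 0xFF);
    buf[4] = '\0';
}

static size_t page_round(size_t len) {
#ifdef _WIN32
    SYSTEM_INFO si; GetSystemInfo(&si);
    size_t page = si.dwPageSize;
#else
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
#endif
    return (len + page - 1) / page * page;
}

/* Step 2, W^X style: a fresh page, writable while copying, then read+execute only.
   Returns the executable address or NULL; nothing is left RWX. */
void *load_code_rx(const unsigned char *code, size_t len) {
    size_t size = page_round(len);
#ifdef _WIN32
    void *mem = VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (mem == NULL) return NULL;
    memcpy(mem, code, len);
    DWORD old;
    if (!VirtualProtect(mem, size, PAGE_EXECUTE_READ, &old)) { VirtualFree(mem, 0, MEM_RELEASE); return NULL; }
#else
    void *mem = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return NULL;
    memcpy(mem, code, len);
    if (mprotect(mem, size, PROT_READ | PROT_EXEC) != 0) { munmap(mem, size); return NULL; }
#endif
    return mem;
}

void unload_code(void *mem, size_t len) {
#ifdef _WIN32
    (void)len; VirtualFree(mem, 0, MEM_RELEASE);
#else
    munmap(mem, page_round(len));
#endif
}

/* Steps 3 and 4. A 64-bit CPU decodes these bytes differently, so they are only called
   from a 32-bit x86 build; elsewhere we refuse and return -1. */
int call_foo_bar(void *code, int arg, int *result) {
#if defined(__i386__) || defined(_M_IX86)
    typedef int (*foo_bar_t)(int);
    *result = ((foo_bar_t)code)(arg);
    return 0;
#else
    (void)code; (void)arg; (void)result;
    return -1;
#endif
}

int main(void) {
    uint32_t k; char s[5]; int r;
    if (decode_xor_constant(foo_bar_code, sizeof foo_bar_code, &k) != 0) return 1;
    predict_output(k, 0, s);       printf("foo_bar(0) should print \"%s\"\n", s);
    predict_output(k, 1904132, s); printf("foo_bar(1904132) should print \"%s\"\n", s);
    void *code = load_code_rx(foo_bar_code, sizeof foo_bar_code);
    if (code == NULL) { perror("load_code_rx"); return 1; }
    if (call_foo_bar(code, 1904132, &r) == 0) printf("executed, got \"%.4s\"\n", (char *)&r);
    else puts("not a 32-bit x86 build: bytes mapped RX but not executed");
    unload_code(code, sizeof foo_bar_code);
    return 0;
}
```

The prediction step is the part worth keeping in mind: with the constant 0x006F6F66 the routine's result bytes are "foo\0" for an argument of 0 and "bar\0" for 1904132, which is exactly what the two programs print. Separating the RW copy from the RX flip is what EDR and memory scanners look for when they flag RWX regions, so code that genuinely needs to run generated bytes should never leave a page both writable and executable.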

Friday, January 2, 2015

Run Windows 8 Metro Application from Desktop Application

After failing to create a Rainmeter plugin that launches Windows 8 applications, I decided to write a console application that launches a Windows 8 application from the desktop.

File: IApplicationActivationManager.h (for the GCC/G++ compiler)
// IApplicationActivationManager for MinGW
#pragma once
#ifdef _MSC_VER
#error "Not for Microsoft Compiler!"
#endif
#ifndef _SHLOBJIDL_H 
#include <shobjidl.h>
#endif
 
#ifdef __cplusplus
extern "C" {
#endif
const IID IID_IApplicationActivationManager={0x2e941141,0x7f97,0x4756,{0xba,0x1d,0x9d,0xec,0xde,0x89,0x4a,0x3d}};  // Visual Studio 2012 ShObjIdl.h:9159
const CLSID CLSID_ApplicationActivationManager={0x45BA127D,0x10A8,0x46EA,{0x8A,0xB7,0x56,0xEA,0x90,0x78,0x94,0x3C}}; // Visual Studio 2012 ShObjIdl.h:9399
 
typedef enum ACTIVATEOPTIONS {
 AO_NONE=0,
 AO_DESIGNMODE=1,
 AO_NOERRORUI=2,
 AO_NOSPLASHSCREEN=4
} ACTIVATEOPTIONS;
 
#define INTERFACE IApplicationActivationManager
DECLARE_INTERFACE_(IApplicationActivationManager,IUnknown) {
 STDMETHOD(QueryInterface)(THIS_ REFIID,PVOID*) PURE;
 STDMETHOD_(ULONG,AddRef)(THIS) PURE;
 STDMETHOD_(ULONG,Release)(THIS) PURE;
 // Activates the specified Windows Store app for the generic launch contract (Windows.Launch) in the current session.
 STDMETHOD(ActivateApplication)(THIS_ const wchar_t*,const wchar_t*,ACTIVATEOPTIONS,unsigned long*) PURE;
 // Activates the specified Windows Store app for the file contract (Windows.File).
 // The real parameter is IShellItemArray*, which MinGW's headers don't declare. Replace with void*
 STDMETHOD(ActivateForFile)(THIS_ const wchar_t*,void*,const wchar_t*,unsigned long*) PURE;
 // Activates the specified Windows Store app for the protocol contract (Windows.Protocol).
 // The real parameter is IShellItemArray*, which MinGW's headers don't declare. Replace with void*
 STDMETHOD(ActivateForProtocol)(THIS_ const wchar_t*,void*,unsigned long*) PURE;
};
#undef INTERFACE
#ifdef __cplusplus
}
#endif

And here's the application that launches a Windows 8 application from the desktop (file AppTest.cpp):
#include <stdio.h>
#include <Windows.h>
#include <ShObjIdl.h>
#include <string>
#ifndef _MSC_VER
#include "IApplicationActivationManager.h"
extern "C" __declspec(dllimport) HRESULT __stdcall CoAllowSetForegroundWindow(IUnknown *pUnk,LPVOID lpvReserved);
#endif
 
int main(int argc,char** argv) {
 IApplicationActivationManager* activationManager=nullptr;
 DWORD processId=0;
 if(argc<2) {
  printf("usage: %s <app package id>\r\n",argv[0]);
  return 1;
 }
 // The AppUserModelID arrives as a narrow string; widen it byte by byte (fine for ASCII ids).
 std::string appId=argv[1];
 std::wstring wideAppId(appId.begin(),appId.end());
 HRESULT hr=CoInitializeEx(nullptr,COINIT_APARTMENTTHREADED);
 if(FAILED(hr)) {
  printf("CoInitializeEx failed: 0x%08lx\r\n",(unsigned long)hr);
  return 1;
 }
 // The activation manager lives in an out-of-process COM server, hence CLSCTX_LOCAL_SERVER.
 hr=CoCreateInstance(CLSID_ApplicationActivationManager,nullptr,CLSCTX_LOCAL_SERVER,IID_IApplicationActivationManager,(void**)&activationManager);
 if(SUCCEEDED(hr)) {
  // Allow the launched app to take the foreground from this console process.
  CoAllowSetForegroundWindow(activationManager,nullptr);
  hr=activationManager->ActivateApplication(wideAppId.c_str(),nullptr,AO_NONE,&processId);
  if(SUCCEEDED(hr)) printf("launched, process id %lu\r\n",(unsigned long)processId);
  else printf("ActivateApplication failed: 0x%08lx\r\n",(unsigned long)hr);
  activationManager->Release();
 } else {
  printf("CoCreateInstance failed: 0x%08lx\r\n",(unsigned long)hr);
 }
 CoUninitialize();
 return FAILED(hr)?1:0;
}

Command line I used to compile: g++ -std=c++11 -o ConsoleApplication1.exe -L"%VSLIBDIR%" -static-libgcc -static-libstdc++ ConsoleApplication1/AppTest.cpp -lole32 -loleaut32
Set VSLIBDIR to your Windows 8 SDK Lib directory (needed for CoInitializeEx and CoAllowSetForegroundWindow).

Note: tested with Visual Studio 2012 and GCC 4.8.1.
Note 2: PowerShell command to enumerate app package ids (source):
$installedapps = get-AppxPackage
foreach ($app in $installedapps)
{
    foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id)
    {
        $app.packagefamilyname + "!" + $id
    }
}
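The strings that PowerShell snippet prints have the shape `PackageFamilyName!ApplicationId`, and the launcher above hands argv[1] to ActivateApplication without looking at it. As an added example (not code from the post), here is a small portable C parser that splits and sanity-checks such an id before it reaches the COM call. It relies on the package family name being `Name_PublisherId` with a 13-character publisher id after the last underscore; the allowed character set (letters, digits, `.`, `-`, `_`) is a conservative choice of mine rather than anything the post states, and the sample id in `main` is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Conservative character set accepted in both halves of the id (my choice, not a spec quote). */
static int aumid_char_ok(char c) {
    return isalnum((unsigned char)c) || c == '.' || c == '-' || c == '_';
}

/* Split "PackageFamilyName!ApplicationId" into its halves, rejecting anything malformed:
   no '!' or more than one, an empty half, an out-of-range character, a family name whose
   publisher-id suffix (13 characters after the last '_') is missing or the wrong length,
   or halves that do not fit the caller's buffers. Returns 0 on success, -1 otherwise. */
int parse_aumid(const char *aumid, char *family, size_t family_len, char *app, size_t app_len) {
    if (aumid == NULL) return -1;
    const char *bang = strchr(aumid, '!');
    if (bang == NULL || bang == aumid || bang[1] == '\0' || strchr(bang + 1, '!') != NULL) return -1;
    size_t flen = (size_t)(bang - aumid);
    size_t alen = strlen(bang + 1);
    if (flen >= family_len || alen >= app_len) return -1;
    const char *publisher_id = NULL;
    for (size_t i = 0; i < flen; i++) {
        if (!aumid_char_ok(aumid[i])) return -1;
        if (aumid[i] == '_') publisher_id = aumid + i + 1;   /* remember the last '_' */
    }
    if (publisher_id == NULL || publisher_id == aumid + 1 || (size_t)(bang - publisher_id) != 13) return -1;
    for (const char *p = bang + 1; *p != '\0'; p++)
        if (!aumid_char_ok(*p)) return -1;
    memcpy(family, aumid, flen); family[flen] = '\0';
    memcpy(app, bang + 1, alen); app[alen] = '\0';
    return 0;
}

int main(int argc, char **argv) {
    char family[256], app[256];
    /* Constructed sample id, used when none is given on the command line. */
    const char *id = argc > 1 ? argv[1] : "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App";
    if (parse_aumid(id, family, sizeof family, app, sizeof app) != 0) {
        fprintf(stderr, "rejected: %s\n", id);
        return 1;
    }
    printf("package family: %s\napplication id: %s\n", family, app);
    return 0;
}
```

Run it with an id from the PowerShell output as the first argument; a malformed id is rejected before anything is created or activated, which is the behaviour you want in front of any API that takes an identifier from the command line.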