Verbosity in development

vid 26 Oct 2006, 21:47
PAGE_READWRITE works because older processors doesn't have implemented page-execute bit. newer ones have, so PAGE_READWRITE won't work anymore
Remy Vincent

Remy Vincent 27 Oct 2006, 11:55
I have done a very clear tutorial for VIRTUALPROTECT() function. It is very hard to be sure that it is working, without some DEBUG INFORMATION... But the DEBUG INFORMATION are there, prooving that the CODE SEGMENT rights ar really existing, they are really changed too, then they are really restored to previous value!!! it is 100% sure because DEBUG INFORMATION is displaying some "ON THE FLY" informations.

;===== FILES:

- GPF error when writing to CODE SEGMENT.

- Many debugging code.
- Writing to CODE SEGMENT works.

- Many debugging code.
- Writing to CODE SEGMENT works.
- Restoring previous bytes inside CODE SEGMENT works too.

- No debugging code anymore, so program is shorter.

- RETF instruction is used instead of JMP instruction.

- Substituing two functions, using two routines making it all!!

Description: TUTORIAL for VirtualProtect() routine, with many DEBUG INFORMATION...
Filename: FnSubst.zip
Filesize: 17.23 KB
Filename: FnSubst.zip
Filesize: 17.23 KB
Downloaded: 363 Time(s)

Remy Vincent

Remy Vincent 27 Oct 2006, 11:57
@Vid: SORRY, I have forgotten your last post, so I didn't check if PAGE_READWRITE is working with newer OS... I will check...
Verbosity in development

vid 27 Oct 2006, 13:02
let us know them please

by the way, it's matter of hardware, not OS
Remy Vincent

Remy Vincent 29 Oct 2006, 13:41

INCLUDE "C:\Prog\Fasm167\FasmW\INCLUDE\win32a.inc"

; Structure for  VirtualQuery()  function
   BaseAddress        dd  ?
   AllocationBase     dd  ?
   AllocationProtect  dd  ?
   RegionSize         dd  ?
   State              dd  ?
   Protect            dd  ?
   Type               dd  ?

   ;----- Debugging with usual  MessageBox()  function
   C_DEBUG_1  db  'DEBUG.1',0
   C_DEBUG_2  db  'DEBUG.2',0
   C_DEBUG_3  db  'DEBUG.3',0

   ;----- Debugging with  GetLastError()  function
   C_LastErrorTitle  db  'LastError INFORMATION...',0
   G_LastError       dd  ?

   ;----- Using  FormatMessage()  higher level function
   C_UsualTagMsg    db  '%1!c!  %2!u!  %3!i!  %4!#X!  %5!#x!  %6!u!  %7!d!  %8!i!',0
   G_USER_Arg_1     dd  ?
   G_USER_Arg_2     dd  ?
   G_USER_Arg_3     dd  ?
   G_USER_Arg_4     dd  ?
   G_USER_Arg_5     dd  ?
   G_USER_Arg_6     dd  ?
   G_USER_Arg_7     dd  ?
   G_USER_Arg_8     dd  ?
   G_FmtMsgBuf240   rb  240
   G_FmtMsgBuf320   rb  320
   G_FmtMsgAutoBuf  dd  ?      ;--- Auto buffer tested only once... It was working well!

   ;----- Debugging with  GetSystemInfo()  function
   C_SysInfoTitle  db  'System INFORMATION...',0
   C_SysInfoMsg    db  'DEBUG:%n%n' ,\
                       'OemId=0x%1!X!  PageSize=0x%2!X!  MinAppAddr=0x%3!X!  MaxAppAddr=0x%4!X!  ' ,\
                       'ActiveProcessorMask=0x%5!X!  NumberOfProcessors=0x%6!X!  ' ,\
                       'ProcessorType=0x%7!X!  AllocationGranularity=0x%8!X!  ' ,\
   G_SYSTEM_INFO  SYSTEM_INFO  0,0 , 00 , 00,00 , 00,00,00,00 , 0,0

   ;----- Debugging with  VirtualQuery()  function
   C_MemAttribTitle  db  'Memory attribute INFORMATION...',0
   C_MemAttribMsg    db  'BaseAddress=0x%1!X!  AllocationBase=0x%2!X!  AllocationProtect=0x%3!X!  ' ,\
                         'RegionSize=0x%4!X!  State=0x%5!X!  Protect=0x%6!X!  Type=0x%7!X!',0
   C_MemAttribMsgB   db  '%1!s!%n%n' ,\
                         'More debug INFO:%n%n' ,\
                         '( VirtualQuery:  Param1=0x%2!X! )%n%n' ,\
                         '( If changes:  OldProtect=0x%3!X! )',0

   C_Track01        db  'Music... Track 01',0
   C_Track02        db  'Music... Track 02',0
   C_Track03        db  'Music... Track 03',0
   C_Track04        db  'Music... Track 04',0

   C_Title          db  'OLLLLLD TITLE',0
   C_NewTitle       db  '--------------- NNEEEEEEEEEEWW TIIIIIIITLE ---------------',0

   G_OLD_Protect    dd  0x11114444
   G_ReadWritePtr   dd  ?

   G_KEEP_MyMuBePl  rb  4*3
   G_KEEP_AdjVolLe  rb  4*3

   ;----- Usual CALL

   stdcall MyMusicBeeingPlayed   ,C_Track01

   ;----- INDIRECT call

   stdcall RedirectCall_INSTALL   ,MyMusicBeeingPlayed,G_KEEP_MyMuBePl,NEW_TITLEPROC
   stdcall MyMusicBeeingPlayed   ,C_Track01
   stdcall RedirectCall_REMOVE   ,G_KEEP_MyMuBePl,MyMusicBeeingPlayed

   ;----- Usual call AGAIN

   stdcall MyMusicBeeingPlayed   ,C_Track01

   push    0
   call    [ExitProcess]


proc   MyMusicBeeingPlayed   , I_Message
 invoke  MessageBox   ,0,[I_Message],C_Title,MB_OK + MB_ICONEXCLAMATION

proc   NEW_TITLEPROC   , I_Message
 invoke  MessageBox   ,0,[I_Message],C_NewTitle,MB_OK + MB_ICONEXCLAMATION

proc   RedirectCall_INSTALL   , I_OldProc , I_KEEP_OldCode , I_NewProc
   ;----- Keep current code
   mov     esi,[I_OldProc]
   mov     edi,[I_KEEP_OldCode]
   mov     eax,[esi]
   mov     [edi],eax

   ;----- Enable write access
stdcall VirtualQuery_FormatMessage_MessageBox   ,Start
   invoke   VirtualProtect   ,[I_OldProc],20,PAGE_READWRITE,G_OLD_Protect
   mov      eax,[I_OldProc]
   mov      [G_ReadWritePtr],eax
stdcall VirtualQuery_FormatMessage_MessageBox   ,Start

   ;----- Install JMP
   mov     edi,[G_ReadWritePtr]
   mov     al,0x0E
   mov     al,0xB8
   stosb     ;--- Idem, SOLVED!!!
   mov     eax,[I_NewProc]
   stosd     ;--- Idem, SOLVED!!!
   mov     al,0x50
   stosb     ;--- Idem, SOLVED!!!
   mov     al,0xCB
   mov     [edi],al      ;--- Idem, SOLVED!!!

   ;----- Disable write access
   invoke  VirtualProtect   ,[I_OldProc],20,[G_OLD_Protect],G_OLD_Protect
stdcall VirtualQuery_FormatMessage_MessageBox   ,Start
stdcall GetLastError_FormatMessage_MessageBox


proc   RedirectCall_REMOVE   , I_OldCode , I_OldProc
   ;----- Enable write access
   invoke   VirtualProtect   ,[I_OldProc],20,PAGE_READWRITE,G_OLD_Protect

   ;----- Restore previous code
   mov     esi,[I_OldCode]
   mov     edi,[I_OldProc]
   mov     eax,[esi]
   mov     [edi],eax

   ;----- Disable write access
   invoke  VirtualProtect   ,[I_OldProc],20,[G_OLD_Protect],G_OLD_Protect


proc   GetLastError_FormatMessage_MessageBox
   ;--invoke   SetLastError   ,2--

   invoke  GetLastError
   MOV     [G_LastError] , EAX

   invoke  FormatMessage   ,FORMAT_MESSAGE_FROM_SYSTEM \
                           ,NULL,[G_LastError],LANG_NEUTRAL \

   invoke  MessageBox   ,0,G_FmtMsgBuf240,C_LastErrorTitle,MB_OK + MB_ICONEXCLAMATION

   ;----- Auto buffer tested only once... It was working well!
   ;--invoke  LocalFree   ,[G_FmtMsgAutoBuf]--


proc   VirtualQuery_FormatMessage_MessageBox   , I_Address
   ;----- Get  VirtualQuery()  informations
   invoke  VirtualQuery   ,[I_Address],G_MEMORY_BASIC_INFORMATION,4*7

   ;----- Format message 1
                           ,C_MemAttribMsg,0,LANG_NEUTRAL \

   ;----- Prepare parameters for message 2
   mov     [G_USER_Arg_1],G_FmtMsgBuf240

   mov     eax,[I_Address]
   mov     [G_USER_Arg_2],eax

   mov     eax,[G_OLD_Protect]
   mov     [G_USER_Arg_3],eax

   ;----- Format message 2
                           ,C_MemAttribMsgB,0,LANG_NEUTRAL \

   ;----- MessageBox
   invoke  MessageBox   ,0,G_FmtMsgBuf320,C_MemAttribTitle,MB_OK + MB_ICONEXCLAMATION



library  kernel , "KERNEL32.DLL" ,\
         user   , "USER32.DLL"

import  kernel ,\
   ExitProcess    , "ExitProcess"    ,\
   FormatMessage  , "FormatMessageA" ,\
   GetLastError   , "GetLastError"   ,\
   GetSystemInfo  , "GetSystemInfo"  ,\
   LocalFree      , "LocalFree"      ,\
   SetLastError   , "SetLastError"   ,\
   VirtualProtect , "VirtualProtect" ,\
   VirtualQuery   , "VirtualQuery"

import  user ,\
   MessageBox , "MessageBoxA"


I don't understand why VIRTUALQUERY() is not responding with my WINDOWS XP, all fields remain blank,... but with my WINDOWS 98, VIRTUALQUERY() is filling all his usual record... very strange
okasvi 29 Oct 2006, 14:23
for me, the bigger msgboxes with info from VirtualQuery()'s were empty too, BaseAddress=0x0 ....
xp sp2

maybe using VirtualQueryEx helps? thought it shouldnt have any other difference than making possible to query vmem of other processes, afaik.
Verbosity in development

vid 29 Oct 2006, 16:17
you are not checking returned values Exclamation
f0dder 29 Oct 2006, 18:14
Remy Vincent wrote:

I was planning to use the constant: PAGE_EXECUTE_READWRITE
but in fact, this constant is enough: PAGE_READWRITE

Until you try executing on a processor with NX capabilities... so better use the correct flag, PAGE_EXECUTE_READWRITE.

Remy Vincent

Remy Vincent 29 Oct 2006, 19:28
Sorry, but I can't produce a 100 lines DEMO with VIRTUALQUERY()
or even VIRTUALQUERYEX() working with WINXP... It's so frstrating,
I am using VirtualQueryEx with {GetCurrentProcess & CloseHandle} ,
and it's giving me the expected result on my WIN98, but on my WINXP: no
way... There are some new "concepts & notions" that are much too hard for
me... ALSO VirtualQueryEx with {GetCurrentProcessID} gives me many ZEROS
on both W98 and WXP!

Thank you anyway for you IDEA of using VirtualQueryEx,... I was just stopping
all this kinf of coding
Verbosity in development

vid 29 Oct 2006, 19:59
you are not checking returned values Exclamation Exclamation Exclamation

what does the function return?
Remy Vincent

Remy Vincent 29 Oct 2006, 22:03
it's because I use the "on the fly" debug function displaying last error, and the last error is often "no error"... sorry not to check permanently the last error...
Verbosity in development

vid 29 Oct 2006, 22:38
you should check for error always in your code, and on error at least display error message
Remy Vincent

Remy Vincent 30 Oct 2006, 12:41
vid wrote:
you should check for error always in your code, and on error at least display error message

I'm sorry, but if you start checking all errors, in fact you are "debugging the OS" you are using... Instead of learning another function of the OS...

How would you store a VirtualQuery() small DEMO program, if you were the creator of a small OS able to handle VirtualQuery() CALL ?? I'am sure that you would do quicly a try, and then in case an error occurs, you would use DEBUG information directly from the OS debug mode tools, instead of adding and adding "return value checking"... That the point: if you add and add returned error checking, in fact you debug the OSwithout any of the usual powerfull tools used to debug an OS!!
Verbosity in development

vid 30 Oct 2006, 13:31
oh, sorry. VirtualQuery doesn't return any errors. But others do, like VirtualProtect, and you are not checking these.

by the way:
MSDN reference of VirtualQuery() wrote:

Passing a kernel-mode pointer to this function can result in no information being returned, due to security issues. In this case, the return value is zero.
