VirtualProtect difficulties

[Magnum]

This isn't working right.

mov ebx,5 is supposed to be over written by NOPs.

Code Select Expand


.DATA

.data?

Old          dw      ?  ; address of region of committed pages
AddrToChange LPVOID  ?  ; size of the region

.code

start:

mov AddrToChange, offset codeToChange

; Reserve and commit in one step
invoke VirtualProtect,addr AddrToChange,4,PAGE_READWRITE,addr Old

mov word ptr [AddrToChange], 9090h ;

invoke VirtualProtect,addr AddrToChange,4,PAGE_EXECUTE,addr Old
 
codeToChange:
 
mov ebx,5 ; Over written  by 2 NOPs
 
invoke ExitProcess,0




[qWord]

think about this:

word ptr [AddrToChange]

[Magnum]

Is the size wrong ?

[dedndave]

3 problems that i can see

1) the pointer is the address of the code you want to change

Code Select Expand

invoke VirtualProtect,codeToChange,4,PAGE_EXECUTE,addr Old
you do not need ADDR or OFFSET for code labels, either

2) the code you are going to change has already been fetched
that means it is loaded into the queue and/or cache before you change it
and the changes you make will not be "noticed"

3) MOV EBX,5 is a 5 byte instruction
if you only overwrite the first 2 bytes, it will look like:
90h,90h,0,0,0
which is some kind of add, if i recall
if it weren't for the cached-code problem mentioned in (2), it would misalign the EIP counter and hang

[dedndave]

one more   :P

use PAGE_EXECUTE_READWRITE so you can write to the area

[dedndave]

ok - lol

Code Select Expand

Old dw ?
needs to be a dword

[dedndave]

try this...

Code Select Expand

INCLUDE \masm32\include\masm32rt.inc

.DATA?

Old dd ?

.CODE

codeToChange:
mov ebx,5 ; Over written  by 5 NOPs
print uhex$(ebx),13,10
inkey
invoke ExitProcess,0

Start:
invoke VirtualProtect,codeToChange,5,PAGE_EXECUTE_READWRITE,addr Old
mov ebx,90909090h
mov dword ptr codeToChange,ebx
mov byte ptr codeToChange+4,bl
jmp codeToChange

END Start

notice that, even though you specify only 5 bytes, it sets the flags for the entire 4 kB page

[qWord]

2) the code you are going to change has already been fetched
that means it is loaded into the queue and/or cache before you change it
and the changes you make will not be "noticed"

The catch is automatically invalidated - this is the reason why SMC is so slow.

General the code is right - the only problem are the wrong pointers.

[Magnum]

What I am looking for is an example of some code that will change some instructions in the code section based
on a test.

I have some anti-debug code that I would like to use it with.

I realize that it would only slow determined people.

[dedndave]

the code i posted above works
i modified it to display the contents of EBX
if it displays 90909090, that means the code was overwritten with nops
if it displays 00000005, that means the code was not overwritten

[Magnum]

Your code just wrote 4 nops.

I will change it to 5 and see what happens.

[dedndave]

it works, here
be sure you have the current code from above, as i updated it

Code Select Expand

mov ebx,90909090h
mov dword ptr codeToChange,ebx
mov byte ptr codeToChange+4,bl

[Magnum]

Your code does write 5 NOPs.

I don't understand how it works.

90909090h is 4 nops ?

[dedndave]

Code Select Expand

mov ebx,90909090h
mov dword ptr codeToChange,ebx ;<------ writes the first 4 NOP's
mov byte ptr codeToChange+4,bl ;<------ writes the 5th NOP

[Magnum]

I see, because 5 Nops would not fit in a 32 bit register.

I don't understand why those Nops are not permanently written.

I guess I don't understand the uses of VirtualProtect.