[HACK] Using complete Windows API in Windows Store app (c++)

By mamaich, Retired Recognized Developer on 19th October 2012, 06:54 AM
As we know, MS prohibits using most of the standard Win32 API in Windows Store applications. Obviously there are lots of ways to overcome this limit and call any API you like, if you are not going to publish your app on the Windows Store. And here is one of them.
The idea is really simple and rather old (lots of viruses use it): search for the kernel32.dll base in memory, then parse its exports for LoadLibraryA and GetProcAddress, call them - and profit.
Writing this here so the post can be indexed by Google.
Partial code:
Code:
// Windows Store (WINAPI_FAMILY_APP) build: windows.h does not declare the
// desktop-only functions used below, so their names are free for our own pointers.
#include <windows.h>
#include <string.h>

typedef HMODULE (WINAPI *t_LLA)(LPCSTR);
typedef FARPROC (WINAPI *t_GPA)(HMODULE, LPCSTR);
typedef BOOL    (WINAPI *t_CPA)(LPCSTR, LPSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES,
                                BOOL, DWORD, LPVOID, LPCSTR, LPSTARTUPINFOA, LPPROCESS_INFORMATION);
typedef int     (WINAPI *t_MBA)(HWND, LPCSTR, LPCSTR, UINT);

// Resolved at run time; none of these calls go through the import table.
static t_LLA LoadLibraryA;
static t_GPA GetProcAddressA;
static t_CPA CreateProcessA;
static t_MBA MessageBoxA;

// Export-table lookup by name over a mapped image; implemented in the attached project.
void *PeGetProcAddressA(char *ImageBase, const char *Name);

void DoThings()
{
	// Start from the address of an API that Store apps may call and round down to a page.
	char *Tmp=(char*)GetTickCount64;
	Tmp=(char*)((~0xFFF)&(DWORD_PTR)Tmp);

	// Walk down one page at a time until the "MZ" DOS header is found;
	// SEH swallows the access violation from any unmapped page on the way.
	while(Tmp)
	{
		__try 
		{
			if(Tmp[0]=='M' && Tmp[1]=='Z')
				break;
		} __except(EXCEPTION_EXECUTE_HANDLER)
		{
		}
		Tmp-=0x1000;
	}

	if(Tmp==0)
		return;

	// Tmp is now the kernel32.dll base: resolve the blocked APIs from its export table.
	LoadLibraryA=(t_LLA)PeGetProcAddressA(Tmp,"LoadLibraryA");
	GetProcAddressA=(t_GPA)PeGetProcAddressA(Tmp,"GetProcAddress");
	CreateProcessA=(t_CPA)PeGetProcAddressA(Tmp,"CreateProcessA");
	if(!LoadLibraryA || !GetProcAddressA || !CreateProcessA)
		return;

	HMODULE hUser=LoadLibraryA("user32.dll");
	MessageBoxA=(t_MBA)GetProcAddressA(hUser,"MessageBoxA");
	if(MessageBoxA)
		MessageBoxA(0,"A native MessageBox!","Test",MB_OK);

	STARTUPINFOA si;
	memset(&si,0,sizeof(si));
	si.cb=sizeof(si);

	PROCESS_INFORMATION pi;
	memset(&pi,0,sizeof(pi));

	// The child inherits the app container, so it keeps the sandbox's restrictions.
	if(CreateProcessA("c:\\Windows\\system32\\cmd.exe",0,0,0,FALSE,0,0,0,&si,&pi))
	{
		CloseHandle(pi.hThread);
		CloseHandle(pi.hProcess);
	}
}
The complete project is attached. It contains the sources and compiled appx files for side-loading.
The code compiles fine for x86/x64 and ARM; tested on x86/x64. Can someone test it on ARM? The ability to sideload Metro apps is required.
The application should show a MessageBox, then execute cmd.exe.

A note: a Windows Store application runs in a sandbox and as a limited account, so most APIs return "access denied". You can check this in the launched CMD - it displays "access denied" even on a "dir" command, because normally "Modern UI" apps don't even have read access to c:\.
To overcome this, add "all application packages" full control to the directories/objects you like (for example c:\).
Attached Files
App1.zip (6.15 MB, 2647 views)
Last edited by mamaich; 22nd October 2012 at 07:46 AM.
The Following 14 Users Say Thank You to mamaich For This Useful Post
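The two steps the post describes (walk down to the module's "MZ" header, then look a name up in the export directory) as an added Python example; this is not the attached project's code. It runs over a constructed PE32+ image rather than a live process, the way a memory-forensics tool resolves a symbol from an image dumped out of a process, and treats RVAs as buffer offsets because the post deals with an image that is already mapped. `find_module_base`, `export_directory`, `get_export`, `build_sample_image`, the image's three exports and the forwarder entry `KERNELBASE.GetTickCount64` are all assumptions made for the example; the forwarder is there to show the case a by-name lookup must handle, since an export whose address points back inside the export directory is a "DLL.Name" string, not code.

```python
"""Resolve an export from a mapped PE image (constructed sample, added example)."""
import struct

PAGE = 0x1000
IMAGE_DIRECTORY_ENTRY_EXPORT = 0


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")


def find_module_base(mem, addr):
    """Page-align addr and walk down until a page starts with "MZ"; None if never.

    mem stands in for process memory. On a real process this loop needs the
    SEH guard from the post, because unmapped pages fault instead of reading as zero.
    """
    page = addr & ~(PAGE - 1)
    while page >= 0:
        if mem[page:page + 2] == b"MZ":
            return page
        page -= PAGE
    return None


def export_directory(image):
    """(rva, size) of the export directory from IMAGE_OPTIONAL_HEADER.DataDirectory."""
    e_lfanew = _u32(image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                         # past signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)    # PE32 vs PE32+ data-directory offset
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT
    return _u32(image, entry), _u32(image, entry + 4)


def get_export(image, name):
    """By-name lookup like GetProcAddress, over raw bytes.

    Returns ("rva", addr) for code, ("forward", "DLL.Name") when the slot points
    back inside the export directory (a forwarder string), or None if absent.
    """
    exp_rva, exp_size = export_directory(image)
    fields = struct.unpack_from("<IIHHIIIIIII", image, exp_rva)   # IMAGE_EXPORT_DIRECTORY
    n_names, funcs, names, ordinals = fields[7], fields[8], fields[9], fields[10]
    for i in range(n_names):
        if _cstr(image, _u32(image, names + 4 * i)) != name:
            continue
        ordinal = struct.unpack_from("<H", image, ordinals + 2 * i)[0]
        rva = _u32(image, funcs + 4 * ordinal)
        if exp_rva <= rva < exp_rva + exp_size:
            return ("forward", _cstr(image, rva))
        return ("rva", rva)
    return None


def build_sample_image():
    """Constructed PE32+ image: DOS/NT headers plus a three-entry export table."""
    EXP, FUNCS, NAMES, ORDS, STRS = 0x200, 0x240, 0x250, 0x260, 0x280
    strings, blob = {}, bytearray()
    for s in ("sample.dll", "GetProcAddress", "GetTickCount64", "LoadLibraryA",
              "KERNELBASE.GetTickCount64"):
        strings[s] = STRS + len(blob)
        blob += s.encode() + b"\0"
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 0, 0, 0, 0, 240, 0x2022)  # file header
    struct.pack_into("<H", img, 0x58, 0x20B)                         # optional header: PE32+
    struct.pack_into("<II", img, 0x58 + 112, EXP, 0x400 - EXP)       # export directory entry
    struct.pack_into("<IIHHIIIIIII", img, EXP, 0, 0, 0, 0, strings["sample.dll"], 1,
                     3, 3, FUNCS, NAMES, ORDS)
    # Slot 0 = LoadLibraryA, 1 = GetProcAddress, 2 = forwarder string (constructed).
    struct.pack_into("<III", img, FUNCS, 0x1000, 0x2000, strings["KERNELBASE.GetTickCount64"])
    # Name table is sorted; the ordinal table maps each name to its function slot.
    struct.pack_into("<III", img, NAMES, strings["GetProcAddress"],
                     strings["GetTickCount64"], strings["LoadLibraryA"])
    struct.pack_into("<HHH", img, ORDS, 1, 2, 0)
    img[STRS:STRS + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    memory = bytes(0x3000) + build_sample_image()   # image "mapped" at 0x3000 in fake memory
    base = find_module_base(memory, 0x3000 + 0x1234)
    for sym in ("LoadLibraryA", "GetProcAddress", "GetTickCount64", "NoSuchExport"):
        print(sym, get_export(memory[base:], sym))
```

A resolver that hits a forwarder has to load the named module and repeat the lookup there; skipping that case is the usual reason a hand-rolled by-name lookup works on one Windows release and returns a pointer into a string on the next.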
19th October 2012, 04:55 PM |#2 SkyKOG, Senior Member (India)
Works perfectly on my Windows 8 x64 tablet ... it's not ARM based though ...
20th October 2012, 10:26 AM |#3 (account currently disabled), Mumbai
Can I use this to run a non-Store app?

Here is the catch: I have managed to get the installed (not the installation) files from a kind member here on XDA. But when I paste the folder into:

C:\Program Files\WindowsApps\Microsoft.ZuneMusic_1.0.927.0_x64__8wekyb3d8bbwe

the app isn't seen in the Metro UI?
Is there any way to start a scanner of some sort so that I can see the app in Metro...?

Thanks a ton!

Please feel free to laugh a little at my noobish question... I'm still learning.. :P
18th November 2012, 03:34 AM |#4 Junior Member
Works perfectly on my Surface RT!

But typing dir in CMD returns "access denied".
18th November 2012, 05:23 AM |#5 netham45, Recognized Developer (Denver)
There are no code signature checks from the command prompt that you launch.


Code:
#include <iostream>

// Plain desktop console program, no Store API involved.
int main()
{
	std::cout << "Hello RT World!\n";
	return 0;
}
Compiled as an exe with the info in http://stackoverflow.com/questions/1...al-studio-2012
Last edited by netham45; 18th November 2012 at 05:26 AM.
The Following 2 Users Say Thank You to netham45 For This Useful Post
19th November 2012, 07:01 AM |#6 mamaich (OP), Retired Recognized Developer
Open the properties of your disk C:, go to the Security tab and add "ALL APPLICATION PACKAGES" == Full Control. In this case the "dir" command would work, and your apps would be able to access the whole filesystem.
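The OP's note and this post both recommend granting "ALL APPLICATION PACKAGES" full control on C:\ so the sandboxed cmd.exe can read the disk. That ACE is inherited by every app container on the machine, which is worth being able to spot afterwards. Below is an added Python example, not from the thread, that parses output in the shape of `icacls <path> /t` and flags any app-container grant beyond read/execute. The sample lines are constructed, not captured from a real system; `parse_icacls`, `audit`, the right tables and the regular expression are my own assumptions about the icacls text layout.

```python
"""Audit icacls output for write-class grants to the app-container principals."""
import re

APP_CONTAINER_PRINCIPALS = {
    "APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES",
    "APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES",
}
# icacls simple rights (F, M, W, D) and the specific rights that permit changes.
WRITE_CLASS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

# One ACE, "<authority>\<name>:(flag)(flag)(rights)", at the end of a line. Multi-word
# authorities are listed so "C:\Program Files NT AUTHORITY\SYSTEM" splits at the right
# place; any other authority is taken as a single token without spaces.
ACE_RE = re.compile(
    r"(?P<who>(?:NT AUTHORITY|BUILTIN|APPLICATION PACKAGE AUTHORITY|NT SERVICE"
    r"|[^\\ ]+)\\[^\\:]+|Everyone|CREATOR OWNER):(?P<perms>(?:\([^)]*\))+)$"
)


def parse_icacls(text):
    """Yield (path, principal, [permission tokens]) for every ACE in icacls output."""
    path = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ACE_RE.search(line)
        if not m:
            continue                                # blank line or the trailing summary
        if not raw[:1].isspace():
            path = line[:m.start()].rstrip()        # first ACE shares the line with its path
        yield path, m.group("who"), re.findall(r"\(([^)]*)\)", m.group("perms"))


def audit(text):
    """Return [(path, principal, [offending rights])] for app-container grants allowing writes."""
    findings = []
    for path, who, perms in parse_icacls(text):
        if who.upper() not in APP_CONTAINER_PRINCIPALS or "DENY" in perms:
            continue
        granted = set()
        for token in perms:
            if token.upper() not in INHERIT_FLAGS:
                granted.update(token.upper().split(","))   # "(RX,WD,AD)" style lists
        offending = sorted(granted & WRITE_CLASS)
        if offending:
            findings.append((path, who, offending))
    return findings


# Constructed sample in icacls layout: C:\ carries the grant the post suggests,
# Program Files shows the usual read/execute grant, and a data folder shows
# specific write rights arriving through inheritance.
SAMPLE = """\
C:\\ NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
    BUILTIN\\Administrators:(OI)(CI)(F)
    APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(OI)(CI)(F)
    BUILTIN\\Users:(OI)(CI)(RX)
C:\\Program Files NT SERVICE\\TrustedInstaller:(F)
    APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)
C:\\Data\\scratch APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX,WD,AD)
    BUILTIN\\Users:(I)(OI)(CI)(RX)

Successfully processed 3 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, who, rights in audit(SAMPLE):
        print(f"{path}: {who} has {','.join(rights)}")
```

The check matches on the English principal names that icacls prints; on a localized system, or where the name does not resolve, compare against the SID instead (ALL APPLICATION PACKAGES is S-1-15-2-1). Scoping the grant to one directory created for the purpose rather than the root of C:\ keeps the blast radius to that folder.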
29th November 2012, 03:45 PM |#7 Simplestas, Senior Member
Sorry if it's unrelated, but does RT check signatures for loaded DLLs too? Can one run regedit and change some system CLSID to point to an unsigned library; will it be loaded?
30th November 2012, 05:04 AM |#8 Recognized Developer (Denver)
Quote:
Originally Posted by Simplestas

Sorry if it's unrelated, but does RT check signatures for loaded DLLs too? Can one run regedit and change some system CLSID to point to an unsigned library; will it be loaded?

Unless the dll is loading with a restricted security policy (such as through a Metro app) it is checked, yes.
30th November 2012, 10:32 PM |#9 xsoliman3, Senior Member
Excellent work on the 'App1' technique of starting a cmd prompt from a modern app, and the fact it can run other unsigned cmd line apps.

Note that the cmd prompt still runs in the modern app container and probably has lots of restrictions.
It also only runs while the modern app is running, and effectively freezes when the modern app goes into the background and suspends.

I don't seem to be able to run Win32 GUI apps from the cmd prompt it starts -- they start but immediately terminate, presumably because the full Win32 stuff can't initialise in a modern app container.

But you can run GUI Win32 APIs, like the create dialog one, from the App1 modern app.

Luckily we can also test, investigate and debug this on an Intel Windows 8 system (dual monitor is best) when trying to work out what is going on, and then test on ARM after that.
Last edited by xsoliman3; 2nd December 2012 at 05:51 PM.
1st December 2012, 07:28 PM |#10 Recognized Developer (Seattle)
@Simplestas: LoadLibrary is also blocked, I'm afraid. One of the first things I tried was creating a DLL compatible with the built-in rundll.exe program and using that. It failed to load the third-party library.

@xsoliman3: Don't forget the debugger. You can't run it on the RT device right now, but there are (official) tools for debugging RT apps remotely. That should allow connecting to the child process and seeing what happens as it starts up.