XDA Developers Android and Mobile Development Forum

[HACK] Using complete Windows API in Windows Store app (c++)

#1 mamaich (OP, Recognized Developer)
(Last edited by mamaich; 22nd October 2012 at 07:46 AM.)

As we know, MS prohibits using most of the standard Win32 API in Windows Store applications. Obviously there are lots of ways to overcome this limit and to call any API you like, if you are not going to publish your app on the Windows Store. And here is one of them.
The idea is really simple and rather old (lots of viruses use it): search for the kernel32.dll base in memory, then parse its exports for LoadLibraryA and GetProcAddress, call them - and get profit.
Writing here so this post can be indexed by google.
Partial code:
Code:
#include <windows.h>
#include <string.h>

// Function-pointer types for the desktop APIs that are resolved at run time.
// In a Store app build (WINAPI_FAMILY_APP) windows.h does not declare
// LoadLibraryA, MessageBoxA or CreateProcessA, so the globals can reuse the names.
typedef HMODULE (WINAPI t_LLA)(LPCSTR);
typedef FARPROC (WINAPI t_GPA)(HMODULE, LPCSTR);
typedef int     (WINAPI t_MBA)(HWND, LPCSTR, LPCSTR, UINT);
typedef BOOL    (WINAPI t_CPA)(LPCSTR, LPSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES,
                               BOOL, DWORD, LPVOID, LPCSTR, LPSTARTUPINFOA, LPPROCESS_INFORMATION);

t_LLA *LoadLibraryA;
t_GPA *GetProcAddressA;
t_CPA *CreateProcessA;
t_MBA *MessageBoxA;

// Walks the export directory of the PE image at ImageBase and returns the
// address of the named export. Implemented in the attached project (not shown here).
void *PeGetProcAddressA(const char *ImageBase, const char *Name);

void DoThings()
{
	// Start from the address of a kernel32 function the app is allowed to
	// import and round it down to a page boundary.
	char *Tmp=(char*)GetTickCount64;
	Tmp=(char*)((~0xFFF)&(DWORD_PTR)Tmp);

	// Walk backwards one page at a time until the "MZ" DOS header of the
	// module is found; the __try block swallows faults on unmapped pages.
	while(Tmp)
	{
		__try 
		{
			if(Tmp[0]=='M' && Tmp[1]=='Z')
				break;
		} __except(EXCEPTION_EXECUTE_HANDLER)
		{
		}
		Tmp-=0x1000;
	}

	if(Tmp==0)
		return;

	// Resolve the blocked APIs directly from the module's export table.
	LoadLibraryA=(t_LLA*)PeGetProcAddressA(Tmp,"LoadLibraryA");
	GetProcAddressA=(t_GPA*)PeGetProcAddressA(Tmp,"GetProcAddress");
	CreateProcessA=(t_CPA*)PeGetProcAddressA(Tmp,"CreateProcessA");

	HMODULE hUser=LoadLibraryA("user32.dll");
	MessageBoxA=(t_MBA*)GetProcAddressA(hUser,"MessageBoxA");
	MessageBoxA(0,"A native MessageBox!","Test",MB_OK);

	STARTUPINFOA si;	// ANSI structure, matching CreateProcessA
	memset(&si,0,sizeof(si));
	si.cb=sizeof(si);

	PROCESS_INFORMATION pi;
	
	CreateProcessA("c:\\Windows\\system32\\cmd.exe",0,0,0,FALSE,0,0,0,&si,&pi);
}
Complete project is attached. It contains sources and compiled appx files for side-loading.
Code compiles fine for x86/x64 and ARM, tested on x86/x64. Can someone test it on ARM? Ability to sideload metro apps is required.
The application should output a MessageBox, then execute cmd.exe.

A note: a Windows Store application runs in a sandbox and as a limited account, so most of the API returns "access denied". You can check this in a launched CMD - it displays "access denied" even on a "dir" command, because normally "modern ui" apps don't even have read access to c:\.
To overcome this, add "all application packages" full control to the directories/objects you like (for example to c:\).
Attached Files
App1.zip (6.15 MB)
#2 SkyKOG (Senior Member)
Works perfectly on my Windows 8 x64 tablet... it's not ARM-based though...
#3 circleofomega
Can I use this to run a non-store app?

Here is the catch: I have managed to get the installed (not the installation) file from a kind member here on XDA. But when I paste the folder in:

C:\Program Files\WindowsApps\Microsoft.ZuneMusic_1.0.927.0_x64__8wekyb3d8bbwe

the app isn't seen on the metro UI?
Any way to start a scanner of some sort so that I can see the app in Metro...?

Thanks a ton!

Please feel free to laugh a little at my noobish question... I'm still learning.. :P
#4 yifengling0 (Junior Member)
Works perfectly on my Surface RT!

But typing dir in CMD returns "access denied".
#5 netham45 (Recognized Developer)
(Last edited by netham45; 18th November 2012 at 05:26 AM.)
There are no code signature checks from the command prompt that you launch.


Code:
#include <iostream>

int main()
{
	std::cout << "Hello RT World!\n";
	return 0;
}
Compiled as an exe with info in http://stackoverflow.com/questions/1...al-studio-2012
#6 mamaich (OP, Recognized Developer)
Open the properties of your disk C:, go to the Security tab and add "ALL APPLICATION PACKAGES" == full control. In this case the "dir" command would work, and your apps would be able to access the whole filesystem.
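An added example, not part of the thread or of the App1 project, for the ACL change suggested in posts #1 and #6. Granting "ALL APPLICATION PACKAGES" full control on a drive root means every AppContainer app on the machine can read and write it, so an administrator would want a check that finds such entries and can remove the explicit ones. The function name, the `-Allowed` default and the `-Remediate` switch are this example's own choices; `Get-Acl`, `Set-Acl` and the well-known SIDs S-1-15-2-1 and S-1-15-2-2 are standard Windows.

```powershell
# Added example (not from the thread): report ACEs on $Path that grant the
# AppContainer identities "ALL APPLICATION PACKAGES" (S-1-15-2-1) or
# "ALL RESTRICTED APPLICATION PACKAGES" (S-1-15-2-2) more than $Allowed,
# and optionally remove the explicit (non-inherited) ones.
function Test-AppContainerAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string] $Path,

        # Rights considered acceptable; any bit beyond these is reported.
        # The default is what a plain read-only ACE carries (assumption of this example).
        [System.Security.AccessControl.FileSystemRights]
        $Allowed = 'ReadAndExecute, Synchronize',

        # Remove offending explicit ACEs; inherited ones must be fixed at their source.
        [switch] $Remediate
    )

    $appContainerSids = 'S-1-15-2-1', 'S-1-15-2-2'
    $acl = Get-Acl -LiteralPath $Path
    $changed = $false

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

        # Compare by SID so the check does not depend on the display language.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -notin $appContainerSids) { continue }

        # Bits set in the ACE that are not in the allowed mask.
        $extra = ([int] $ace.FileSystemRights) -band (-bnot [int] $Allowed)
        if ($extra -eq 0) { continue }

        [pscustomobject]@{
            Path        = $Path
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.FileSystemRights
            ExtraRights = [System.Security.AccessControl.FileSystemRights] $extra
            Inherited   = $ace.IsInherited
        }

        if ($Remediate -and -not $ace.IsInherited -and
            $PSCmdlet.ShouldProcess($Path, "remove '$($ace.IdentityReference.Value)' ACE")) {
            [void] $acl.RemoveAccessRule($ace)
            $changed = $true
        }
    }

    if ($changed) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Usage (an elevated prompt is needed to change the ACL of a drive root):
#   Test-AppContainerAcl -Path 'C:\'
#   Test-AppContainerAcl -Path 'C:\' -Remediate -WhatIf
```

Run it without `-Remediate` first: on a default install the drive root carries no such ACE and the function returns nothing, while a root that received the "full control" entry from the thread is listed with `FullControl` in the ExtraRights column. Entries that show `Inherited = True` on a subdirectory come from a parent and are only removed by running the function against that parent.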
#7 Simplestas (Senior Member)
Sorry if it's unrelated, but does RT check signatures for loaded DLLs too? Can one run regedit and change some system CLSID to point to an unsigned library, will it be loaded?
#8 netham45 (Recognized Developer)
Quote (Originally Posted by Simplestas):
Sorry if it's unrelated, but does RT check signatures for loaded DLLs too? Can one run regedit and change some system CLSID to point to an unsigned library, will it be loaded?

Unless the DLL is loaded with a restricted security policy (such as through a Metro app) it is checked, yes.
#9 xsoliman3 (Member)
(Last edited by xsoliman3; 2nd December 2012 at 05:51 PM.)
Excellent work on the 'App1' technique of starting a cmd prompt from a modern app, and the fact it can run other unsigned cmd line apps.

Note that the cmd prompt still runs in the modern app container and probably has lots of restrictions.
And also it only runs when the modern app is running, and effectively freezes when the modern app goes into the background and suspends.

I don't seem to be able to run Win32 GUI apps from the cmd prompt it starts -- they start but immediately terminate, presumably because the full Win32 stuff can't initialise in a modern app container.

But I can run GUI Win32 APIs, like the create dialog one, from the App1 modern app.

Luckily we can also test, investigate and debug this on an Intel Windows 8 system (dual monitor is best) when trying to work out what is going on, and then test on ARM after that.
#10 GoodDayToDie (Recognized Developer)
@Simplestas: LoadLibrary is also blocked, I'm afraid. One of the first things I tried was creating a DLL compatible with the built-in rundll.exe program and using that. It failed to load the third-party library.

@xsoliman3: Don't forget the debugger. You can't run it on the RT device right now, but there are (official) tools for debugging RT apps remotely. That should allow connecting to the child process and seeing what happens as it starts up.