[HACK] Using complete Windows API in Windows Store app (c++)

OP mamaich

19th October 2012, 07:54 AM   |  #1  
OP Recognized Developer
As we know, MS prohibits using most of the standard Win32 API in Windows Store applications. Obviously there are lots of ways to overcome this limit and to call any API you like, if you are not going to publish your app on the Windows Store. And here is one of them.
The idea is really simple and rather old (lots of viruses use it): search for the kernel32.dll base in memory, then parse its exports for LoadLibraryA and GetProcAddress, call them - and get profit.
Writing here so this post can be indexed by Google.
Partial code:
Code:
#include <windows.h>
#include <string.h>

// Function-pointer types for the APIs resolved by hand. In a Store app build
// (WINAPI_FAMILY_APP) windows.h does not declare the desktop-only functions
// LoadLibraryA, CreateProcessA and MessageBoxA, so the names are free for our variables.
typedef HMODULE (WINAPI t_LLA)(LPCSTR);
typedef FARPROC (WINAPI t_GPA)(HMODULE, LPCSTR);
typedef BOOL (WINAPI t_CPA)(LPCSTR, LPSTR, LPVOID, LPVOID, BOOL, DWORD, LPVOID, LPCSTR,
                            STARTUPINFO*, PROCESS_INFORMATION*);
typedef int (WINAPI t_MBA)(HWND, LPCSTR, LPCSTR, UINT);

static t_LLA *LoadLibraryA;
static t_GPA *GetProcAddressA;
static t_CPA *CreateProcessA;
static t_MBA *MessageBoxA;

// Walks the export table of the PE image at Base and returns the address of Name.
// Defined in the attached project.
void *PeGetProcAddressA(char *Base, const char *Name);

void DoThings()
{
	// GetTickCount64 is an allowed API, so its address is a legitimate pointer
	// into the module that implements it. Page-align that pointer...
	char *Tmp=(char*)GetTickCount64;
	Tmp=(char*)((~0xFFF)&(DWORD_PTR)Tmp);

	// ...and walk down one page at a time until the "MZ" DOS header is found.
	// Pages below the module may be unmapped, so every probe is wrapped in SEH.
	while(Tmp)
	{
		__try
		{
			if(Tmp[0]=='M' && Tmp[1]=='Z')
				break;
		} __except(EXCEPTION_EXECUTE_HANDLER)
		{
		}
		Tmp-=0x1000;
	}

	if(Tmp==0)
		return;

	// Resolve the prohibited APIs from the export table instead of importing them.
	LoadLibraryA=(t_LLA*)PeGetProcAddressA(Tmp,"LoadLibraryA");
	GetProcAddressA=(t_GPA*)PeGetProcAddressA(Tmp,"GetProcAddress");
	CreateProcessA=(t_CPA*)PeGetProcAddressA(Tmp,"CreateProcessA");
	if(!LoadLibraryA || !GetProcAddressA || !CreateProcessA)
		return;

	HMODULE hUser=LoadLibraryA("user32.dll");
	MessageBoxA=(t_MBA*)GetProcAddressA(hUser,"MessageBoxA");
	if(MessageBoxA)
		MessageBoxA(0,"A native MessageBox!","Test",MB_OK);

	// STARTUPINFOA and STARTUPINFOW have the same layout, so STARTUPINFO works
	// with CreateProcessA whether or not UNICODE is defined.
	STARTUPINFO si;
	memset(&si,0,sizeof(si));
	si.cb=sizeof(si);

	PROCESS_INFORMATION pi;
	memset(&pi,0,sizeof(pi));

	// The child inherits this process's AppContainer token and its restrictions.
	CreateProcessA("c:\\Windows\\system32\\cmd.exe",0,0,0,FALSE,0,0,0,&si,&pi);
}
Complete project is attached. It contains sources and compiled appx files for side-loading.
Code compiles fine for x86/x64 and ARM, tested on x86/x64. Can someone test it on ARM? Ability to sideload Metro apps is required.
The application should output a MessageBox, then execute cmd.exe.

A note: a Windows Store application runs in a sandbox and as a limited account, so most of the API returns "access denied". You can check this in the launched CMD - it displays "access denied" even on a "dir" command because normally "modern UI" apps don't even have read access to c:\.
To overcome this - add "all application packages" full control to the directories/objects you like (for example to c:\).
Attached Files: App1.zip (6.15 MB, 2203 views)
Last edited by mamaich; 22nd October 2012 at 08:46 AM.
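The post only shows the caller; the export walk behind PeGetProcAddressA is in the attached project. The following is an added example, not code from the post or the attachment: it reimplements both steps (page-walk back to the "MZ" header, then a by-name lookup in the export directory) against a constructed in-memory PE32+ image so the logic can be run and checked on any OS. The image, its export names and the RVAs 0x1000/0x1100 are made up for the test; the function names pe_find_base, pe_export_rva and build_test_image are this example's own. One detail the post's code does not handle is included: an export whose address lies inside the export directory is a forwarder string (on Windows 8 many kernel32 exports forward to KERNELBASE), not code, and must not be called.

```c
/* Added example: the two steps behind the post's trick, exercised on a constructed image. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field accessors: the image is read as raw bytes, so alignment
   and host endianness do not matter. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Step 1: from any code address inside a mapped module, page-align and walk
   downwards until the 'MZ' DOS header appears. The post guards each probe with
   __try/__except; here the walk is bounded by a lowest readable address instead. */
const uint8_t *pe_find_base(const void *addr, const uint8_t *lowest)
{
    const uint8_t *p = (const uint8_t *)((uintptr_t)addr & ~(uintptr_t)0xFFF);
    if (p < lowest) return NULL;
    for (;;) {
        if (p[0] == 'M' && p[1] == 'Z') return p;
        if ((size_t)(p - lowest) < 0x1000) return NULL;
        p -= 0x1000;
    }
}

/* Step 2: a hand-rolled GetProcAddress. Returns the export's RVA, or 0 when the
   name is absent or the entry is a forwarder (its "address" points into the export
   directory and is really a string such as "KERNELBASE.GetTickCount64"); in the
   forwarder case *forwarder is set to that string so the caller can follow it. */
uint32_t pe_export_rva(const uint8_t *base, const char *name, const char **forwarder)
{
    if (forwarder) *forwarder = NULL;
    if (rd16(base) != 0x5A4D) return 0;                  /* 'MZ' */
    uint32_t nt = rd32(base + 0x3C);                     /* e_lfanew */
    if (rd32(base + nt) != 0x00004550) return 0;         /* 'PE\0\0' */
    const uint8_t *opt = base + nt + 4 + 20;             /* skip signature + IMAGE_FILE_HEADER */
    uint32_t dd = (rd16(opt) == 0x20B) ? 112 : 96;       /* DataDirectory offset: PE32+ / PE32 */
    uint32_t exp_rva = rd32(opt + dd), exp_size = rd32(opt + dd + 4);
    if (!exp_rva) return 0;
    const uint8_t *exp = base + exp_rva;                 /* IMAGE_EXPORT_DIRECTORY */
    uint32_t nfuncs = rd32(exp + 20), nnames = rd32(exp + 24);
    uint32_t funcs = rd32(exp + 28), names = rd32(exp + 32), ords = rd32(exp + 36);
    for (uint32_t i = 0; i < nnames; i++) {
        if (strcmp((const char *)(base + rd32(base + names + 4 * i)), name) != 0) continue;
        uint16_t ord = rd16(base + ords + 2 * i);        /* index into AddressOfFunctions */
        if (ord >= nfuncs) return 0;
        uint32_t rva = rd32(base + funcs + 4 * ord);
        if (rva >= exp_rva && rva < exp_rva + exp_size) { /* forwarder, not code */
            if (forwarder) *forwarder = (const char *)(base + rva);
            return 0;
        }
        return rva;
    }
    return 0;
}

/* Constructed test image (not a real DLL): a page-aligned PE32+ with three named
   exports, one of which forwards to another module. RVA == offset since it is "mapped". */
const uint8_t *build_test_image(void)
{
    static uint8_t raw[0x3000];
    uint8_t *img = (uint8_t *)(((uintptr_t)raw + 0xFFF) & ~(uintptr_t)0xFFF);
    memset(img, 0, 0x2000);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, 0x80);                              /* e_lfanew */
    memcpy(img + 0x80, "PE", 2);
    uint8_t *opt = img + 0x80 + 4 + 20;
    wr16(opt, 0x20B);                                    /* PE32+ magic */
    wr32(opt + 112, 0x200); wr32(opt + 116, 0x100);      /* export directory RVA / size */
    uint8_t *exp = img + 0x200;
    wr32(exp + 20, 3); wr32(exp + 24, 3);                /* NumberOfFunctions / NumberOfNames */
    wr32(exp + 28, 0x240); wr32(exp + 32, 0x250); wr32(exp + 36, 0x260);
    wr32(img + 0x240, 0x1000);                           /* ordinal 0: LoadLibraryA (made-up RVA) */
    wr32(img + 0x244, 0x1100);                           /* ordinal 1: GetProcAddress (made-up RVA) */
    wr32(img + 0x248, 0x280);                            /* ordinal 2: forwarder string below */
    strcpy((char *)img + 0x280, "KERNELBASE.GetTickCount64");
    const char *names[] = { "GetProcAddress", "GetTickCount64", "LoadLibraryA" };
    const uint16_t ords[] = { 1, 2, 0 };
    for (int i = 0; i < 3; i++) {
        uint32_t rva = 0x2A0 + 0x10 * i;
        strcpy((char *)img + rva, names[i]);
        wr32(img + 0x250 + 4 * i, rva);
        wr16(img + 0x260 + 2 * i, ords[i]);
    }
    return img;
}

int main(void)
{
    const uint8_t *img = build_test_image();
    const uint8_t *base = pe_find_base(img + 0x1080, img); /* pretend img+0x1080 is a function */
    const char *fw = NULL;
    printf("base found at image start: %s\n", base == img ? "yes" : "no");
    printf("LoadLibraryA rva=%#x\n", (unsigned)pe_export_rva(base, "LoadLibraryA", &fw));
    pe_export_rva(base, "GetTickCount64", &fw);
    printf("GetTickCount64 forwarded to %s\n", fw ? fw : "(none)");
    return 0;
}
```

On a real module the same routine is called with the base returned by the page walk and the RVA is added to that base to get a callable pointer; a forwarder result means resolving the named module and repeating the lookup there. Note that the cmd.exe started this way inherits the AppContainer token, which is why "dir" fails, and that granting ALL APPLICATION PACKAGES full control on c:\ (as suggested later in the thread) relaxes that restriction for every AppContainer app on the machine, not just this one.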
19th October 2012, 05:55 PM   |  #2  
SkyKOG, Senior Member
Works perfectly on my Windows 8 x64 tablet ... it's not ARM based though ...
20th October 2012, 11:26 AM   |  #3  
Account currently disabled
Can I use this to run a non-store app?

Here is the catch: I have managed to get the installed (not the installation) file from a kind member here on XDA. But when I paste the folder in:

C:\Program Files\WindowsApps\Microsoft.ZuneMusic_1.0.927.0_x64__8wekyb3d8bbwe

the app isn't seen on the Metro UI?
Any way to start a scanner of some sort so that I can see the app in Metro...?

Thanks a ton!

Please feel free to laugh a little at my noobish question... I'm still learning. :P
18th November 2012, 04:34 AM   |  #4  
Junior Member
Works perfectly on my Surface RT!

But typing dir in CMD returns "access denied".
18th November 2012, 06:23 AM   |  #5  
netham45, Recognized Developer
There are no code signature checks from the command prompt that you launch.

Code:
#include <iostream>

int main()
{
	std::cout << "Hello RT World!\n";
	return 0;
}
Compiled as an exe with info in http://stackoverflow.com/questions/1...al-studio-2012
Last edited by netham45; 18th November 2012 at 06:26 AM.
19th November 2012, 08:01 AM   |  #6  
OP Recognized Developer
Open the properties of your disk c:, go to the Security tab and add "ALL APPLICATION PACKAGES" == full control. In this case the "dir" command would work, and your apps would be able to access the whole filesystem.
29th November 2012, 04:45 PM   |  #7  
Simplestas, Senior Member
Sorry if it's unrelated, but does RT check signatures for loaded DLLs too? Can one run regedit and change some system CLSID to point to unsigned library, will it be loaded?
30th November 2012, 06:04 AM   |  #8  
Recognized Developer
Quote: Originally Posted by Simplestas
Sorry if it's unrelated, but does RT check signatures for loaded DLLs too? Can one run regedit and change some system CLSID to point to unsigned library, will it be loaded?

Unless the DLL is loading with a restricted security policy (such as through a Metro app) it is checked, yes.
30th November 2012, 11:32 PM   |  #9  
xsoliman3, Senior Member
Excellent work on the 'App1' technique of starting a cmd prompt from a modern app, and the fact it can run other unsigned cmd line apps.

Note that the cmd prompt still runs in the modern app container and probably has lots of restrictions.
And also it only runs when the modern app is running, and effectively freezes when the modern app goes into the background and suspends.

Don't seem to be able to run Win32 GUI apps from the cmd prompt it starts -- they start but immediately terminate, presumably because the full Win32 stuff can't initialise in a modern app container.

But can run GUI Win32 APIs, like the create dialog one, from the App1 modern app.

Luckily we can also test, investigate and debug this on an Intel Windows 8 system (dual monitor is best) when trying to work out what is going on, and then test on ARM after that.
Last edited by xsoliman3; 2nd December 2012 at 06:51 PM.
1st December 2012, 08:28 PM   |  #10  
Recognized Developer
@Simplestas: LoadLibrary is also blocked, I'm afraid. One of the first things I tried was creating a DLL compatible with the built-in rundll.exe program and using that. It failed to load the third-party library.

@xsoliman3: Don't forget the debugger. You can't run it on the RT device right now, but there are (official) tools for debugging RT apps remotely. That should allow connecting to the child process and seeing what happens as it starts up.
