[HACK] Using complete Windows API in Windows Store app (c++)

Search This thread

mamaich

Retired Recognized Developer
Apr 29, 2004
1,150
224
83
mamaich-eng.blogspot.ru
As we know, MS prohibits using most of standard Win32 API in Windows Store applications. Obviously there are lots of ways to overcome this limit and to call any API you like, if you are not going to publish your app on Windows Store. And here is one of them.
Idea is really simple and rather old (lots of viruses use it): search for kernel32.dll base in memory, then parse its exports for LoadLibraryA and GetProcAddress, call them - and get profit.
Writing here so this post can be indexed by google.
Partial code:
Code:
void DoThings()
{
	char *Tmp=(char*)GetTickCount64;
	Tmp=(char*)((~0xFFF)&(DWORD_PTR)Tmp);

	while(Tmp)
	{
		__try 
		{
			if(Tmp[0]=='M' && Tmp[1]=='Z')
				break;
		} __except(EXCEPTION_EXECUTE_HANDLER)
		{
		}
		Tmp-=0x1000;
	}

	if(Tmp==0)
		return;

	LoadLibraryA=(t_LLA*)PeGetProcAddressA(Tmp,"LoadLibraryA");
	GetProcAddressA=(t_GPA*)PeGetProcAddressA(Tmp,"GetProcAddress");
	CreateProcessA=(t_CPA*)PeGetProcAddressA(Tmp,"CreateProcessA");

	HMODULE hUser=LoadLibraryA("user32.dll");
	MessageBoxA=(t_MBA*)GetProcAddressA(hUser,"MessageBoxA");
	MessageBoxA(0,"A native MessageBox!","Test",MB_OK);

	STARTUPINFO si;
	memset(&si,0,sizeof(si));
	si.cb=sizeof(si);

	PROCESS_INFORMATION pi;
	
	CreateProcessA("c:\\Windows\\system32\\cmd.exe",0,0,0,FALSE,0,0,0,&si,&pi);
}
Complete project is attached. It contains sources and compiled appx files for side-loading.
Code compiles fine for x86/x64 and ARM, tested on x86/x64. Can someone test it on ARM? Ability to sideload metro apps is required.
The application should output a MessageBox, then execute cmd.exe.

A note: Windows Store application runs in a sandbox and as a limited account, so most of API returns "access denied". You can check this in a launched CMD - it displays "access denied" even on a "dir" command because normally "modern ui" apps don't have even read access to c:\.
To overcome this - add "all application packages" full control to the directories/objects you like (for example to c:\).
 

Attachments

  • App1.zip
    6.2 MB · Views: 3,380
Last edited:

circleofomega

Senior Member
Nov 27, 2009
2,467
133
0
Mumbai
Can i use this to run a non-store app?

Here is the catch, I have managed to get the installed (not the installation) file from a kind member here on XDA. But when I paste the folder in:

C:\Program Files\WindowsApps\Microsoft.ZuneMusic_1.0.927.0_x64__8wekyb3d8bbwe

The app isnt seen on the metro UI?
Any way to start a scanner of some sorts so that I can see the app in Metro.../?

THanx a ton!

Plz feel free to laugh a little at my noobish question...im stil learning.. :p
 

netham45

Inactive Recognized Developer
Jun 24, 2009
886
567
0
Denver
There are no code signature checks from the command prompt that you launch.
QGXnL.jpg


Code:
#include <iostream>
void main()
{
	std::cout << "Hello RT World!\n";
}

Compiled as an exe with info in http://stackoverflow.com/questions/...op-programs-be-built-using-visual-studio-2012
 
Last edited:

mamaich

Retired Recognized Developer
Apr 29, 2004
1,150
224
83
mamaich-eng.blogspot.ru
Open properties of your disk c:, go to the security tab and add "ALL APPLICATION PACKAGES" == full control. In this cage "dir" command would work, and your apps would be able to access whole filesystem.
 

Simplestas

Senior Member
Sep 2, 2010
143
112
0
Sorry if it's unrelated, but does RT check signatures for loaded DLLs too? Can one run regedit and change some system CLSID to point to unsigned library, will it be loaded?
 

netham45

Inactive Recognized Developer
Jun 24, 2009
886
567
0
Denver
Sorry if it's unrelated, but does RT check signatures for loaded DLLs too? Can one run regedit and change some system CLSID to point to unsigned library, will it be loaded?

Unless the dll is loading with a restricted security policy (such as through a Metro app) it is checked, yes.
 

xsoliman3

Senior Member
Jan 25, 2012
113
34
0
Excellent work on the 'App1' technique of starting a cmd prompt from a modern app, and the fact it can run other unsigned cmd line apps.

Note that the cmd prompt still runs in the modern app container and probably has lots of restrictions
And also it only runs when the modern app is running and effectively freezes when the modern app goes into the background and suspends

Don't seem to be able to run win32 gui apps from the cmd prompt it starts -- they start but immediately terminate, presumably because the full win32 stuff cant initialise in a modern app container.

But can tum gui win32 api's, like the create dialog one, from the App1 modern app

Luckily we can also test, investigate and debug this on an intel Windows 8 system (dual monitor is best) when trying to work out what is going on, and then test on ARM after that.
 
Last edited:

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,931
0
Seattle
@Simplestas: LoadLibrary is also blocked, I'm afraid. One fo the first things I tried was creating a DLL compatible with the built-in rundll.exe program and using that. It failed to load the third-party library.

@xsoliman3: Don't forget the debugger. You can't run it on the RT device right now, but there are (official) tools for debugging RT apps remotely. That should allow connecting to the child process and seeing what happens as it starts up.
 

dmags2

Member
Mar 3, 2011
24
2
0
@Simplestas: LoadLibrary is also blocked, I'm afraid. One fo the first things I tried was creating a DLL compatible with the built-in rundll.exe program and using that. It failed to load the third-party library.

@xsoliman3: Don't forget the debugger. You can't run it on the RT device right now, but there are (official) tools for debugging RT apps remotely. That should allow connecting to the child process and seeing what happens as it starts up.

Great seeing you again!

Anyways, I determined from some work with the VS Remote Debugger that the integrity checks are enforced in ZwCreateUserProcess. But, I bet LoadLibrary has its integrity checks in user-mode, since it normally doesn't access any functions using a call-gate to the kernel on Windows 7, which would mean we can modify it to allow us to load unsigned DLL's.

However, with this vulnerability, I had a different. What about allowing a native application to open, such as Notepad, and before it reaches the entrypoint, remotely injecting a different application to be ran (this would involve some sort of custom LoadLibrary + CreateRemoteThread pair of functions)? With the VS Debugger, you can already attach to any native process in user-mode and modify running code, data, and even the context (e.g. registers and similar data).
 
  • Like
Reactions: nosit1

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,931
0
Seattle
That suggestion is possible, and for trivial operations (i.e. replacing some strings in a program, or causing it to take one branch instead of another) people have already done so. Doing a wholesale replacement would be tricky, but should be possible (perhaps aided with WinDBG scripts or similar).
 

mamaich

Retired Recognized Developer
Apr 29, 2004
1,150
224
83
mamaich-eng.blogspot.ru
Doing a wholesale replacement would be tricky

Not so tricky, I've already made a prototype on desktop Win8. Just make an ARM DLL that implements a PE loader using only 2 WinAPI functions - LoadLibrary (used only to get kernel32 handle) and GetProcAddress. Inject that DLL code and data sections via debugger, fixup relocs (you can minimize their amount in your "loader DLL" by not using global variables, placing all code into one file, not using CRT at all, and so on, ARM makes it easy to create position-independent code), and call your injected code via debugger passing it the address of LoadLibrary and GetProcAddress as parameters. Your code than would do what you wish - load and execute an unsigned DLL that you specify.
With this trick you can load EXE files too, as all ARM EXEs contain relocs by default.

But this way is too inconvenient to the end-user, so should be avoided. I really think that MS left enough holes for us to "unlock" unsigned apps on retail WinRT devices.

I'm already thinking on buying an Asus tablet with 3G (instead of waiting for a better device that I wish), so after NY holidays I'll join your game :)
 

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,931
0
Seattle
Ah, that's a much more clever approach than actually trying to load the full program using the debugger itself... if it works. LoadLibrary triggers the same signature check that CreateProcess does (or rather, the system calls that they do will perform that check; if it was user-mode we could bypass it with the debugger). Your method may work, but since the desktop doesn't have the signature check anyhow, prototyping it there doesn't actually mean it will work on RT. Try it out and let us know how it goes, and if it works, posting your source would be awesome!
 

dmags2

Member
Mar 3, 2011
24
2
0
Ah, that's a much more clever approach than actually trying to load the full program using the debugger itself... if it works. LoadLibrary triggers the same signature check that CreateProcess does (or rather, the system calls that they do will perform that check; if it was user-mode we could bypass it with the debugger). Your method may work, but since the desktop doesn't have the signature check anyhow, prototyping it there doesn't actually mean it will work on RT. Try it out and let us know how it goes, and if it works, posting your source would be awesome!

He doesn't mean making a prototype and importing from kernel32.dll. He means manually mapping the PE file, then using either CreateRemoteThread or modifying the context of a thread already launched to run it once it's in the memory address of another process. It's basically DLL injection with our own implementation of LoadLibrary. It would work because LoadLibrary doesn't use any system calls except to map memory (and mapping memory doesn't have integrity checks of any sort, and it shouldn't be design -- e.g. VirtualAlloc).

A bigger problem I thought of is automating this. I took a quick peek with Wireshark at my remote debugging session and saw HTTP with what appeared to be a proprietary protocol. In order to automate this from another computer (or any mobile device for that matter), we would need to reverse engineer the protocol. Or, an alternative would be to hook into Visual Studio once the debugging session is launched (maybe just a nice VS plugin would work?).
 

dmags2

Member
Mar 3, 2011
24
2
0
Code:
void DoThings()
{
	char *Tmp=(char*)GetTickCount64;
	Tmp=(char*)((~0xFFF)&(DWORD_PTR)Tmp);

	while(Tmp)
	{
		__try 
		{
			if(Tmp[0]=='M' && Tmp[1]=='Z')
				break;
		} __except(EXCEPTION_EXECUTE_HANDLER)
		{
		}
		Tmp-=0x1000;
	}

	if(Tmp==0)
		return;

I was looking through the provided sample -- wouldn't our own GetModuleHandleA implementation be a better way of doing this? I'm just thinking should the alignment be changed in kernel32.dll it may be better to have something like this:

Code:
522     if (!name)
523     {
524         ret = NtCurrentTeb()->Peb->ImageBaseAddress;
525     }
526     else if (flags & GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS)
527     {
528         void *dummy;
529         if (!(ret = RtlPcToFileHeader( (void *)name, &dummy ))) status = STATUS_DLL_NOT_FOUND;
530     }

Source: http://source.winehq.org/source/dlls/kernel32/module.c#L504

Grabbing the Peb (NtCurrentTeb()->Peb) would involve pulling from the FS register at offset 0x30. Implementing this on ARM could be trickier, as I'm not sure of the inline assembly or availability of intrinsics (not to mention, it would be stored somewhere else than the FS register).

Now, for the PC, it appears __readfsdword is available as an intrinsic, so this *should* work on x86 installations of Windows 8.
 

smx06

Member
Nov 10, 2012
26
0
0
Not so tricky, I've already made a prototype on desktop Win8. Just make an ARM DLL that implements a PE loader using only 2 WinAPI functions - LoadLibrary (used only to get kernel32 handle) and GetProcAddress. Inject that DLL code and data sections via debu

I think this approach (of injecting own loader as far as understand) has such problem(even if implemented & automated)
Loaded exe can have own dependant dlls(any complicated-usefull proj has) that it cant load because of signing checks (and even more problems if it uses dynamic loading of own dlls and getprocaddress)

Or do i miss somth in your idea?
 

LocutusEstBorg

Senior Member
Jul 25, 2011
351
62
0
Will I be able to read/write to a parallel port using this method? Do the limited store apps have sufficient permissions to do that? Writing to a parallel port requires calling
Code:
hndleLPT = CreateFile("LPT1",(GENERIC_READ | GENERIC_WRITE), 0, 0, OPEN_EXISTING, 0, 0);
. Will this succeed?

Will I be able to successfully load this: http://www.highrez.co.uk/Downloads/InpOut32/default.htm ?

---------- Post added at 03:01 PM ---------- Previous post was at 02:11 PM ----------

This looks like an improved method to get the base address:
http://tedwvc.wordpress.com/2013/07/19/finding-the-kernel32-dll-module-handle-in-a-windows-store-app-using-approved-apis/
 
Last edited:

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,931
0
Seattle
You should be able to do that using CreateFile2, which is permitted in Store apps already (no need to use the rest of the Win32 API). As for the permissions, I don't know, but it will probably work.

I mean, assuming your computer *has* an LPT port. I haven't seen one of those in a while...
 

tonystuck

Member
Aug 30, 2013
34
10
0
how about the other way round? can a desktop app have access to the full windows 8 api (including those reserved for win store apps only)?
 

Top Liked Posts

  • There are no posts matching your filters.
  • 15
    As we know, MS prohibits using most of standard Win32 API in Windows Store applications. Obviously there are lots of ways to overcome this limit and to call any API you like, if you are not going to publish your app on Windows Store. And here is one of them.
    Idea is really simple and rather old (lots of viruses use it): search for kernel32.dll base in memory, then parse its exports for LoadLibraryA and GetProcAddress, call them - and get profit.
    Writing here so this post can be indexed by google.
    Partial code:
    Code:
    void DoThings()
    {
    	char *Tmp=(char*)GetTickCount64;
    	Tmp=(char*)((~0xFFF)&(DWORD_PTR)Tmp);
    
    	while(Tmp)
    	{
    		__try 
    		{
    			if(Tmp[0]=='M' && Tmp[1]=='Z')
    				break;
    		} __except(EXCEPTION_EXECUTE_HANDLER)
    		{
    		}
    		Tmp-=0x1000;
    	}
    
    	if(Tmp==0)
    		return;
    
    	LoadLibraryA=(t_LLA*)PeGetProcAddressA(Tmp,"LoadLibraryA");
    	GetProcAddressA=(t_GPA*)PeGetProcAddressA(Tmp,"GetProcAddress");
    	CreateProcessA=(t_CPA*)PeGetProcAddressA(Tmp,"CreateProcessA");
    
    	HMODULE hUser=LoadLibraryA("user32.dll");
    	MessageBoxA=(t_MBA*)GetProcAddressA(hUser,"MessageBoxA");
    	MessageBoxA(0,"A native MessageBox!","Test",MB_OK);
    
    	STARTUPINFO si;
    	memset(&si,0,sizeof(si));
    	si.cb=sizeof(si);
    
    	PROCESS_INFORMATION pi;
    	
    	CreateProcessA("c:\\Windows\\system32\\cmd.exe",0,0,0,FALSE,0,0,0,&si,&pi);
    }
    Complete project is attached. It contains sources and compiled appx files for side-loading.
    Code compiles fine for x86/x64 and ARM, tested on x86/x64. Can someone test it on ARM? Ability to sideload metro apps is required.
    The application should output a MessageBox, then execute cmd.exe.

    A note: Windows Store application runs in a sandbox and as a limited account, so most of API returns "access denied". You can check this in a launched CMD - it displays "access denied" even on a "dir" command because normally "modern ui" apps don't have even read access to c:\.
    To overcome this - add "all application packages" full control to the directories/objects you like (for example to c:\).
    2
    There are no code signature checks from the command prompt that you launch.
    QGXnL.jpg


    Code:
    #include <iostream>
    void main()
    {
    	std::cout << "Hello RT World!\n";
    }

    Compiled as an exe with info in http://stackoverflow.com/questions/...op-programs-be-built-using-visual-studio-2012
    1
    @Simplestas: LoadLibrary is also blocked, I'm afraid. One fo the first things I tried was creating a DLL compatible with the built-in rundll.exe program and using that. It failed to load the third-party library.

    @xsoliman3: Don't forget the debugger. You can't run it on the RT device right now, but there are (official) tools for debugging RT apps remotely. That should allow connecting to the child process and seeing what happens as it starts up.

    Great seeing you again!

    Anyways, I determined from some work with the VS Remote Debugger that the integrity checks are enforced in ZwCreateUserProcess. But, I bet LoadLibrary has its integrity checks in user-mode, since it normally doesn't access any functions using a call-gate to the kernel on Windows 7, which would mean we can modify it to allow us to load unsigned DLL's.

    However, with this vulnerability, I had a different. What about allowing a native application to open, such as Notepad, and before it reaches the entrypoint, remotely injecting a different application to be ran (this would involve some sort of custom LoadLibrary + CreateRemoteThread pair of functions)? With the VS Debugger, you can already attach to any native process in user-mode and modify running code, data, and even the context (e.g. registers and similar data).
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone