Quote:
Originally Posted by New Tiger
Thanks for your reply. I tried already CCF and Stud_PE. Both show that the section flag for read and write are already ticked, meaning you can write to the specified section but no way. I tried also to patch the VirtualProtect function using the same way in x32 OS's but it always returns zero !!!!
I used the same way as below:
PUSH ESP
PUSH 40 // code writable
PUSH 1000 // size of code to make writable
PUSH 401000 // start address of code to make writable
CALL VirtualProtect // xxxxxxxx is address of VirtualProtect
I did this in several x32 app's and worked just fine but in x64 no way
|
With my limited knowledge I will try to help
@New Tiger The calling convention in 64-bit is different from that of 32-bit.
The x64 Application Binary Interface (ABI) uses a four-register fast-call calling convention by default. Space is allocated on the call stack as a shadow store for callees to save those registers.
Meaning that the parameters are passed to the function through registers as a default which differs significantly from the 32-bit manner where the stack can be wholly used for passing the parameters.
Example:
Quote:
func1(int a, int b, int c, int d, int e, int f);
// a in RCX, b in RDX, c in R8, d in R9, f then e pushed on stack
|
The addresses and registers in your example are also 32-bit. Maybe my mistake but you should check them once again
Please read these 2 pages for more info:
Quote:
https://learn.microsoft.com/en-us/cpp/build/x64-calling-convention?view=msvc-170
https://accu.org/journals/overload/22/120/orr_1897/
|
They highlight the differences in the 64-bit calling conventions.
Then the VirtualProtect should work just fine in 64-bit also