Exetools  

#1
02-21-2023, 00:33
Stingered
Are you talking about the section headers? If so, then CFF explorer has this option to enable/disable the sections flags. Apologies if I misunderstand your question.

This might help you:

https://github.com/OsandaMalith/PESecInfo

Last edited by Stingered; 02-21-2023 at 01:12.
#2
02-21-2023, 01:40
New Tiger
Quote:
Originally Posted by Stingered
Are you talking about the section headers? If so, then CFF explorer has this option to enable/disable the sections flags. Apologies if I misunderstand your question.

This might help you:

https://github.com/OsandaMalith/PESecInfo
Thanks for your reply. I already tried CFF and Stud_PE. Both show that the section flags for read and write are already ticked, meaning you can write to the specified section, but no way. I also tried to patch the VirtualProtect function using the same way as in x32 OS's, but it always returns zero !!!!
I used the same way as below:

PUSH ESP // lpflOldProtect: stack slot that receives the old protection (stdcall, args pushed right to left)
PUSH 40 // flNewProtect: PAGE_EXECUTE_READWRITE, code writable
PUSH 1000 // dwSize: size of code to make writable
PUSH 401000 // lpAddress: start address of code to make writable
CALL VirtualProtect // xxxxxxxx is address of VirtualProtect

I did this in several x32 apps and it worked just fine, but in x64 no way.

Last edited by New Tiger; 02-21-2023 at 05:12.
#3
02-21-2023, 02:40
Kerlingen
Based on the original question, there are two ways:
  • Use the VirtualProtect function to make the memory region writable.
  • Edit the PE file header on disk and make the sections writable.
Both methods have been successfully used many times by many people.

Based on your second post, the most promising answer would be:
  • First, read a book about x86 assembler.
  • Next, read a book about Win32 programming.
  • Next, read a book about x64 assembler.
Your very short text and code fragments already violate at least 4 core principles of x86/Win32/x64 assembly. Your problem definitely is not some write permission, but the basic understanding of the CPU architecture.
#4
02-21-2023, 05:11
New Tiger
Quote:
Originally Posted by Kerlingen
Based on the original question, there are two ways:
  • Use the VirtualProtect function to make the memory region writable.
  • Edit the PE file header on disk and make the sections writable.
Both methods have been successfully used many times by many people.

Based on your second post, the most promising answer would be:
  • First, read a book about x86 assembler.
  • Next, read a book about Win32 programming.
  • Next, read a book about x64 assembler.
Your very short text and code fragments already violate at least 4 core principles of x86/Win32/x64 assembly. Your problem definitely is not some write permission, but the basic understanding of the CPU architecture.
From this "Your very short text and code fragments already violate at least 4 core principles of x86/Win32/x64 assembly", it's clear that your brain is full of junky stuff, sir!
Also, based on your answer, Mr VIP, in particular the last line "Your problem definitely is not some write permission, but the basic understanding of the CPU architecture", can you teach me these fundamentals, Mr Professional? Understand the question before you show off your muscles. It's really useful for you to keep this advice for yourself, as when I was handling this x32 stuff you were still asking for suckle. I don't know how admins promoted you to VIP here???????
Just get away! You're really very rude.

Last edited by New Tiger; 02-21-2023 at 06:02.
#5
02-21-2023, 06:35
Stingered
@New Tiger

Take a look at this link and see if it helps:

https://ethical.blue/textz/n/28
#6
02-21-2023, 06:52
Rasmus
Quote:
Originally Posted by New Tiger
Thanks for your reply. I already tried CFF and Stud_PE. Both show that the section flags for read and write are already ticked, meaning you can write to the specified section, but no way. I also tried to patch the VirtualProtect function using the same way as in x32 OS's, but it always returns zero !!!!
I used the same way as below:

PUSH ESP // lpflOldProtect: stack slot that receives the old protection (stdcall, args pushed right to left)
PUSH 40 // flNewProtect: PAGE_EXECUTE_READWRITE, code writable
PUSH 1000 // dwSize: size of code to make writable
PUSH 401000 // lpAddress: start address of code to make writable
CALL VirtualProtect // xxxxxxxx is address of VirtualProtect

I did this in several x32 apps and it worked just fine, but in x64 no way.
With my limited knowledge, I will try to help.
@New Tiger The calling convention in 64-bit is different from that of 32-bit.

The x64 Application Binary Interface (ABI) uses a four-register fast-call calling convention by default. Space is allocated on the call stack as a shadow store for callees to save those registers.

Meaning that the parameters are passed to the function through registers as a default which differs significantly from the 32-bit manner where the stack can be wholly used for passing the parameters.

Example:
Quote:
func1(int a, int b, int c, int d, int e, int f);
// a in RCX, b in RDX, c in R8, d in R9, f then e pushed on stack
The addresses and registers in your example are also 32-bit. Maybe my mistake, but you should check them once again.

Please read these 2 pages for more info:
Quote:
https://learn.microsoft.com/en-us/cpp/build/x64-calling-convention?view=msvc-170
https://accu.org/journals/overload/22/120/orr_1897/
They highlight the differences in the 64-bit calling conventions.

Then VirtualProtect should work just fine in 64-bit also.
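The x64 form of the call Rasmus describes, as an added example that is not part of the thread or of any linked project: the four arguments go in RCX/RDX/R8/R9, the caller reserves 20h bytes of shadow space, RSP is 16-byte aligned at the CALL, and lpAddress is a full 64-bit pointer. The address 140001000h is a constructed value (x64 images are normally based at 140000000h, so 401000h is not inside the module), and VirtualProtect / GetLastError are assumed to resolve through the import table.

```asm
; Added example (not from the thread): x64 VirtualProtect call per the
; Microsoft x64 calling convention. Returns 0 on success, else the Win32 error code.
make_writable PROC
    sub  rsp, 38h                  ; 20h shadow space + 8 for a local DWORD + 8 to keep RSP 16-byte aligned at CALL
    mov  rcx, 140001000h           ; lpAddress: constructed 64-bit address, needs a 64-bit register
    mov  edx, 1000h                ; dwSize: one 4 KiB page (zero-extends into RDX)
    mov  r8d, 40h                  ; flNewProtect: PAGE_EXECUTE_READWRITE
    lea  r9, [rsp+20h]             ; lpflOldProtect: address of the local DWORD above the shadow space
    call VirtualProtect            ; nothing is PUSHed; the callee reads RCX/RDX/R8/R9
    test eax, eax                  ; BOOL result in EAX; zero means the call failed
    jz   failed
    ; ... write the patch to the page here ...
    mov  rcx, 140001000h           ; restore the original protection afterwards
    mov  edx, 1000h
    mov  r8d, dword ptr [rsp+20h]  ; the old protection value VirtualProtect stored for us
    lea  r9, [rsp+20h]
    call VirtualProtect
    xor  eax, eax                  ; return 0: success
    jmp  done
failed:
    call GetLastError              ; EAX = Win32 error code (e.g. ERROR_INVALID_ADDRESS), returned to the caller
done:
    add  rsp, 38h
    ret
make_writable ENDP
```

If the 32-bit PUSH sequence is used on x64, the pushed values are simply never read by the callee, which is why the call returns zero regardless of the section flags.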