I will keep this blog for personal posts and minor applications.
Note: this is not a security bug, it is a direct consequence of allowing native and unsafe code in Windows Store apps. This is not a way to escape the AppContainer protection (you still can't access the user's files without the appropriate permissions).
As many of you already know, Windows Store apps (a.k.a. Metro style apps) are restricted to a limited set of APIs:
- WinRT APIs (Windows.winmd)
- Some portions of the .NET Framework (.NET Core)
- A small set of Win32 APIs
In particular, .NET reflection is only allowed on public methods and properties (when it is used on framework DLLs). This restriction does not apply to your own code. In addition, restricted .NET types are not accessible, even if they are public.
Two important APIs that are not allowed in Store apps are VirtualAlloc and VirtualProtect, which can be used to create executable regions of memory and are necessary in order to implement JIT compilers (on-the-fly compilation).
The following unsafe C# library makes it possible to gain access to all these APIs. It is composed of 100% pure C# code (although unsafe), but something similar could also be achieved using C++. No DLLs have been modified after the compilation, and the sample app passes the Store certification tests.
This workaround could be used to implement third-party virtual machines for Java, Python, etc. in addition to Microsoft’s .NET and Chakra.
How it works.
First, we need a GetObjectAddress function that returns an unsafe pointer to a managed object. This is done by saving a reference to the object inside a field of a custom class, ManagedReferenceHolder. Then, we take the address of (&) a marker field inside the same class. By incrementing the pointer, we get the address which contains the address to the managed object.
Now, we get the unsafe address of our assembly (GetObjectAddress(typeof(Example).Assembly)) and start scanning for the RuntimeAssembly.m_flags field. Once we find it, we set its value to ASSEMBLY_FLAGS_SAFE_REFLECTION (again, via unsafe byte manipulations, not via reflection). Now we can (almost) access private and internal members of the .NET Framework classes, provided that we unset the INVOCATION_FLAGS_NEED_SECURITY and INVOCATION_FLAGS_NON_W8P_FX_API values from the m_invocationFlags field of every MemberInfo (e.g. FieldInfo, MethodInfo) that we want to invoke.
Another useful thing we can do is unsetting the APPX_FLAGS_API_CHECK and APPX_FLAGS_APPX_MODEL values of the AppDomain.s_flags. In this way, we can also load custom assemblies from a file.
Once we gain full access to the reflection, we can invoke the internal P/Invoke methods Microsoft.Win32.Win32Native.GetModuleHandle and GetProcAddress, which make it possible to get access to any Win32 function, including VirtualAlloc and VirtualProtect.
The example application allocates a portion of memory using VirtualAlloc with the PAGE_EXECUTE_READWRITE flag. Then it writes some x86 instructions, and generates a delegate for that code, using Marshal.GetDelegateForFunctionPointer.
Source code: https://github.com/antiufo/ApiUnlock
Note: although what has been described is technically feasible and cannot be statically detected by the Windows Store certification process, the terms of the Windows Store don't allow execution of code which was not already packaged inside the app, "in the context of the app itself". This would probably also apply to simple interpreters without native machine code generation.
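Because the certification process cannot catch this statically, a runtime look at the process's memory map is the natural check for the VirtualAlloc step described above. The following is an added example, not part of the ApiUnlock source: it filters a memory-region snapshot of an AppContainer process for committed, private PAGE_EXECUTE_READWRITE regions. The snapshot text format and the names Region, parse_snapshot and rwx_private_regions are assumptions made for illustration; the numeric constants are the documented winnt.h values.

```python
from dataclasses import dataclass

# Documented winnt.h values.
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
PAGE_EXECUTE_READWRITE = 0x40
BASE_PROTECT_MASK = 0xFF  # strips PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE

# Constructed snapshot in a hypothetical text format, hex columns:
# base size state protect type
SAMPLE = """
00400000 00010000 1000 20  1000000   # image section, execute-read
02a10000 00001000 1000 40  20000     # private, execute-read-write
02b00000 00002000 1000 140 20000     # same, with PAGE_GUARD set
02c00000 00004000 1000 04  20000     # private, read-write only
02d00000 00001000 1000 40  40000     # mapped view, not private
"""


@dataclass(frozen=True)
class Region:
    """Subset of the MEMORY_BASIC_INFORMATION fields (hypothetical holder)."""
    base: int
    size: int
    state: int
    protect: int
    type: int


def parse_snapshot(text):
    """Parse the constructed format above, ignoring '#' comments and blanks."""
    regions = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 5:
            regions.append(Region(*(int(f, 16) for f in fields)))
    return regions


def rwx_private_regions(regions, in_appcontainer):
    """Committed private RWX regions, reported only for AppContainer processes."""
    if not in_appcontainer:
        return []
    return [r for r in regions
            if r.state == MEM_COMMIT
            and r.type == MEM_PRIVATE
            and (r.protect & BASE_PROTECT_MASK) == PAGE_EXECUTE_READWRITE]


if __name__ == "__main__":
    for r in rwx_private_regions(parse_snapshot(SAMPLE), in_appcontainer=True):
        print(f"{r.base:#010x} size={r.size:#x} protect={r.protect:#x}")
```

A managed process can legitimately hold executable private memory for the runtime's own JIT, so hits are leads to compare against a baseline of the same app, not verdicts.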
FizzlerEx is a CSS3/Jquery selectors library for HtmlAgilityPack.
It contains a lot of useful selectors that make it easy to extract information from real-world HTML pages using .NET.
In particular, :split-*, :between(h1; hr) and :after/:before(..) make it possible to handle documents where the HTML hierarchy does not reflect the represented data (e.g. the structure of the elements is flat, and the subnodes of many entities are listed under the same parent).
Another useful addition is :select-parent, which navigates to the parent of the matched node(s).
More features (compared to original versions of Fizzler and HtmlAgilityPack)
- Noticeable performance improvements (compiled selectors caching, allocation-free nodes traversal)
- New selectors (has, not, contains, split, between, select-parent…)
- Root anchoring (/div > .example)
- VisualFizzler improvements (highlighting of single / all results, fixed performance issues and incorrect highlighting, automatically detect best type of paste: URL, html or selector)
TrackFolderChanges is a simple application that displays in real time any changes to the file system (you can also restrict the search to a specific folder and its subfolders).
New files and folders are displayed in green, modified files in blue and deleted ones in red. Note that items will appear as soon as there is something to show, unchanged folders are not displayed. Right click an item to copy its path or to open its parent folder.
The application is written in C# and the source code is available on Codeplex.
Download | Track Folder Changes 1.1
Guida TV is a Windows application that lets you browse the TV program listings directly from your desktop. Programs are arranged in chronological order, and you can add custom rules to automatically highlight or hide particular programs, TV series or film genres.
For many films the plot and the trailer are also available, in addition of course to information such as genre, year and rating.
Download | Guida TV 1.3.3
Download | Guida TV 1.3.3 (portable)
This library contains an Explorer-like theme for ToolStrip and MenuStrip.
How to use:
toolStrip1.Renderer = Antiufo.Controls.Windows7Renderer.Instance;
Download Windows 7 ToolStripRenderer (CodePlex)
Reddit is a great site, but opening every interesting link is time-consuming, so I decided to write an application that generates RSS feeds with full articles. This software downloads every popular page posted on Reddit, extracts the actual content (without navigational menus, ads, comments and social links) and then uploads the feeds to a web server. The feeds are updated once/twice a day.
Complete list of feeds: http://antiufo.altervista.org/feeds/
It’s still a beta version, so suggestions are welcome. Note: occasionally the program fails to recognize useless stuff and includes it in the final article.
You can read the comments page on Reddit by clicking the link at the bottom of each article.
The program is written in C# with .NET 4 and HtmlAgilityPack. It supports Reddit, StackExchange and a few forum engines.