Leaderboard

It's about running exe from memory as it's often called. So you have some binary data that you want to embed in your script and run afterward like some additional program. In this post I will try to explain how to do it. First to deal with mentioned binary as that's, in spite of the plainness of retrieving it, often insuperable. To avoid questions about that this is one way of getting it: Global $sModule = "E:Program filesGUIDGenGUIDGEN.EXE" ; change to yours wanted Global $hModule = FileOpen($sModule, 16) If @error Then Exit Global $bBinary = FileRead($hModule) FileClose($hModule) Global Const $MAX_LINESIZE = 4095 Global $iNewLine, $j Global $iChinkSize = 32 Global $sBinary For $i = 1 To BinaryLen($bBinary) Step $iChinkSize $j += 1 If 4*($j * $iChinkSize) > $MAX_LINESIZE - 129 Then $iNewLine = 1 EndIf If $iNewLine Then $iNewLine = 0 $j = 0 $sBinary = StringTrimRight($sBinary, 5) $sBinary &= @CRLF & '$bBinary &= "' & StringTrimLeft(BinaryMid($bBinary, $i, $iChinkSize), 2) & '" & _' & @CRLF ContinueLoop EndIf If $i = 1 Then $sBinary &= '$bBinary = "' & BinaryMid($bBinary, $i, $iChinkSize) & '" & _' & @CRLF Else $sBinary &= ' "' & StringTrimLeft(BinaryMid($bBinary, $i, $iChinkSize), 2) & '" & _' & @CRLF EndIf Next $sBinary = StringTrimRight($sBinary, 5) ClipPut($sBinary) ConsoleWrite($sBinary)Now for what's really important... Executable file causes a computer to perform indicated tasks according to encoded instructions. Files that we talk about are in PE format. When exe file is run special loader reads it and performs act of loading. That's how that particular exe gets in touch with a processor. Processor then executes different actions described by the opcodes. Main requirement for any PE file required by the loader is for it to actually exist. To be written on the drive. It can't be in the air. That's not allowed and when you think of it it's only logical. So how to run from memory? I'm gonna fool the system. It will think that all works as it should and will have no idea that it plays my game. There is more than way of doing that. Method described here has been used by different peoples before. When doing research for this post I have encountered many implementations. And I must say that I was very disappointed seeing that even the writers of the code often lack understanding of it. It's kind of pathetic when you see some code used and when asking author what's this or that you get answer "I don't know". And if you ask for the code to be explained by words (any fucking human language) coders fail terribly. How can you write code if you can't explain it?!? Anyway, this is the procedure: Start your script Create new process using CreateProcess function with CREATE_SUSPENDED flag Use GetThreadContext function to fill CONTEXT structure Read and interpret passed binary Allocate enough memory for the new module inside the victim process Simulate loader. Construct the new module (load) in place of allocated space. Make use of mentioned CONTEXT structure. Change entry point data and ImageBaseAddress data. Resume execution If all that went well windows should now be running not the original module but the new, saved in script as a variable. The script: RunBinary.au3 Script is well commented so it shouldn't be too hard to get a grip. New script is taking all possible advantages of PE format. That means if your module (embedded) has relocation directory it will run for sure.If not it could fail. When it will fail? Modules with no reloc directory (IMAGE_DIRECTORY_ENTRY_BASERELOC) ought to be loaded at precise address (stored within module; IMAGE_OPTIONAL_HEADER ImageBase). If for some reason not enough space can be allocated at that address within victim's memory space, function will fail. Thing is system makes rules, if we are not allowed to some memory space of a process there is nothing to do then to try again. So, try again if it fails. Maybe change the 'victim'. edit: 64bit support added. That means you can embed either x64 or x86 modules. If your AutoIt is x64 you embed x64 modules. If AutoIt is x86 embed x86. x64 AutoIt could also use embedded x86 modules but I don't like that because needed structures would have to be changed to something that's not meeting aesthetics standards .

That's not the problem you originally asked about, you changed the rules mid-game.

When you create the MsgBox, use $MB_TASKMODAL (8192) in the flag parameter and it will freeze your script until the message box is cleared.

@kylomas : your expression matches something like C1 C1 C1 C1 only (where 1 is the group value, not the expression). Use (?1) instead if 1 : If StringRegExp($string, "^([BCJLPX]\d)( (?1))*$") Then ConsoleWrite("ok")

Jewtus, And what does the Help file say is returned by WinWait? M23

Here is fixed and rewritten script to GUI message mode #include <GUIConstants.au3> #include <GuiConstantsEx.au3> $goldpump = GUICreate("MyFirstGUI", 400, 700, -1, -1) $idCheckbox = GUICtrlCreateCheckbox("Standard Checkbox", 34, 465, 185, 25) $Button_1 = GUICtrlCreateButton("START", 75, 650, 150) $Button_2 = GUICtrlCreateButton("Stop / Exit", 225, 650, 100) GUICtrlCreateGroup("Title 1", 34, 34, 325, 400) $radio1 = GUICtrlCreateRadio("Option 1", 50, 50, 160, 20) GUICtrlCreateLabel("Description 1", 50, 130) $radio2 = GUICtrlCreateRadio("Option 2", 50, 150, 160, 20) GUICtrlCreateLabel("Description 2", 50, 170) $radio3 = GUICtrlCreateRadio("Option 3", 50, 250, 160, 20) GUICtrlCreateLabel("Description 3", 50, 270) GUICtrlCreateGroup("", -99, -99, 1, 1) $InputVariable = GUICtrlCreateInput("40", 34, 500, 20, 20, $ES_NUMBER) GUICtrlSetLimit(-1, 2) GUICtrlCreateLabel("User defined number (40 being default)", 60, 502) GUISetState(@SW_SHOW) While 1 $msg = GUIGetMsg() Switch $msg Case $GUI_EVENT_CLOSE Exit Case $Button_1 DoScript() Case $Button_2 Exit EndSwitch WEnd Func DoScript() Local $number, $var1 = 0, $8 = 0, $9 = 0, $10 = 0 $number = GUICtrlRead($InputVariable) If IsChecked($idCheckbox) Then $var1 = 1 If IsChecked($radio1) Then $8 = 1 If IsChecked($radio2) Then $9 = 1 If IsChecked($radio3) Then $10 = 1 ; here do whatever want with these variables ... MsgBox(0,'Do', _ 'Number: ' & $number & @CRLF & _ 'CheckBox: ' & $var1 & @CRLF & _ 'Option1: ' & $8 & @CRLF & _ 'Option2: ' & $9 & @CRLF & _ 'Option3: ' & $10) ;~ MouseMove(1200, 400) EndFunc ;==>DoScript Func IsChecked($control) Return BitAND(GUICtrlRead($control), $GUI_CHECKED) = $GUI_CHECKED EndFunc ;==>IsChecked

Some hints for you: - don't mix OnEvent and Message GUI mode - instead of GDIPlus stuff use GUICtrlCreatePic() and GUICtrlSetImage() - ... more to come

1) If checkbox is checked $cbx_1 = GUICtrlCreateCheckbox() If IsChecked($cbx_1) Then ... Func IsChecked($control) Return BitAnd(GUICtrlRead($control),$GUI_CHECKED) = $GUI_CHECKED EndFunc 2) content of edit to variable $ed_1 = GUICtrlCreateInput() $value = GUICtrlRead($ed_1)

I figured I'd share a little example script on encrypting your data over TCP communcation. I put together a simple function that can be used to encrypt when sending, and decrypt when receiving. For added protection, one could also chop it in to segments to send seperatly and have packed back together when recieved to decode. The example script will show you what the encrypted data looks like as well as the decrypted result. To use it simply run the script and select server, then run the script again and select client. Once you have the server and client windows open you can send data from the client to the server and and server will show a message box with the encrypted and decrypted messages that it receives. The example script: #include <ButtonConstants.au3> #include <Crypt.au3> #include <EditConstants.au3> #include <GUIConstantsEx.au3> #include <StaticConstants.au3> #include <WindowsConstants.au3> #include <MsgBoxConstants.au3> OnAutoItExitRegister("Close") Global $ServerAddress = "127.0.0.1" Global $ServerPort = "12700" RunDemo() Func RunDemo() TCPStartup() Local $hGUI = GUICreate("Select Option", 250, 70) Local $idBtnServer = GUICtrlCreateButton("1. Server", 65, 10, 130, 22) Local $idBtnClient = GUICtrlCreateButton("2. Client", 65, 40, 130, 22) GUISetState(@SW_SHOW, $hGUI) While 1 Switch GUIGetMsg() Case $GUI_EVENT_CLOSE Close() Case $idBtnServer GUICtrlSetState($idBtnClient, $GUI_HIDE) GUICtrlSetState($idBtnServer, $GUI_DISABLE) TCPServer() Case $idBtnClient GUIDelete($hGUI) ClientGUI() EndSwitch Sleep(10) WEnd EndFunc Func ClientGUI() $Form1 = GUICreate("TCP Client", 236, 89, 192, 124) $InputCommand = GUICtrlCreateInput("", 8, 32, 217, 21) $ButtonSend = GUICtrlCreateButton("Send", 152, 56, 75, 25) $Label1 = GUICtrlCreateLabel("Send a command to server:", 8, 8, 134, 17) GUISetState(@SW_SHOW) While 1 Switch GUIGetMsg() Case $GUI_EVENT_CLOSE TCPCloseSocket($TCPConnector) Close() Case $ButtonSend $Message = GUICtrlRead($InputCommand) $TCPConnector = TCPConnect($ServerAddress, $ServerPort) TCPSend($TCPConnector, TCPCrypt(True, $Message)) EndSwitch WEnd EndFunc Func TCPServer() $TCPListener = TCPListen($ServerAddress, $ServerPort, 100) $TCPAccepted = 0 Do $TCPAccepted = TCPAccept($TCPListener) If GUIGetMsg() = $GUI_EVENT_CLOSE Then TCPCloseSocket($TCPListener) Close() EndIf Until $TCPAccepted <> -1 $TCPEncrypted = TCPRecv($TCPAccepted, 2048) $TCPReceived = TCPCrypt(False, $TCPEncrypted) MsgBox(0, "Packet Received", "Received Packet" & @CRLF & @CRLF & "Decrypted:" & @CRLF & " " & $TCPReceived & @CRLF & @CRLF & "Encrypted:" & @CRLF & " " & $TCPEncrypted) TCPCloseSocket($TCPListener) TCPServer() EndFunc #Region TCPCrypt Function Func TCPCrypt($TCPCrypt_Action, $TCPCrypt_Data) _Crypt_Startup() $TCPCrypt_Key = _Crypt_DeriveKey("YOURsuperSECRETpassKEYforDecryption", $CALG_AES_256) If $TCPCrypt_Action = True Then $TCPCrypt_Return = _Crypt_EncryptData($TCPCrypt_Data, $TCPCrypt_Key, $CALG_USERKEY) Else $TCPCrypt_Return = BinaryToString(_Crypt_DecryptData($TCPCrypt_Data, $TCPCrypt_Key, $CALG_USERKEY)) EndIf _Crypt_DestroyKey($TCPCrypt_Key) _Crypt_Shutdown() Return $TCPCrypt_Return EndFunc #EndRegion TCPCrypt Function Func Close() TCPShutdown() Exit EndFunc This is the basic function being used to encrypt and decrypt the data. ; Example Usage: ; Send: TCPSend($TCPSocket, TCPCrypt(True, $Message)) ; Receive: $sReceived = TCPCrypt(False, TCPRecv($TCPSocket, 2048)) #Region TCPCrypt Function Func TCPCrypt($TCPCrypt_Action, $TCPCrypt_Data) _Crypt_Startup() $TCPCrypt_Key = _Crypt_DeriveKey("YOURsuperSECRETpassKEYforDecryption", $CALG_AES_256) If $TCPCrypt_Action = True Then $TCPCrypt_Return = _Crypt_EncryptData($TCPCrypt_Data, $TCPCrypt_Key, $CALG_USERKEY) Else $TCPCrypt_Return = BinaryToString(_Crypt_DecryptData($TCPCrypt_Data, $TCPCrypt_Key, $CALG_USERKEY)) EndIf _Crypt_DestroyKey($TCPCrypt_Key) _Crypt_Shutdown() Return $TCPCrypt_Return EndFunc #EndRegion TCPCrypt Function Hope this helps...

Thanks!

Not all hard drives will return the serial number properly, but for those that do, you can use WMI. It will give you just about anything you want to know about your hard drive. ; Generated by AutoIt Scriptomatic $wbemFlagReturnImmediately = 0x10 $wbemFlagForwardOnly = 0x20 $colItems = "" $strComputer = "localhost" $Output="" $Output = $Output & "Computer: " & $strComputer & @CRLF $Output = $Output & "==========================================" & @CRLF $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMV2") $colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_DiskDrive", "WQL", _ $wbemFlagReturnImmediately + $wbemFlagForwardOnly) If IsObj($colItems) then For $objItem In $colItems $Output = $Output & "Availability: " & $objItem.Availability & @CRLF $Output = $Output & "BytesPerSector: " & $objItem.BytesPerSector & @CRLF $strCapabilities = $objItem.Capabilities(0) $Output = $Output & "Capabilities: " & $strCapabilities & @CRLF $strCapabilityDescriptions = $objItem.CapabilityDescriptions(0) $Output = $Output & "CapabilityDescriptions: " & $strCapabilityDescriptions & @CRLF $Output = $Output & "Caption: " & $objItem.Caption & @CRLF $Output = $Output & "CompressionMethod: " & $objItem.CompressionMethod & @CRLF $Output = $Output & "ConfigManagerErrorCode: " & $objItem.ConfigManagerErrorCode & @CRLF $Output = $Output & "ConfigManagerUserConfig: " & $objItem.ConfigManagerUserConfig & @CRLF $Output = $Output & "CreationClassName: " & $objItem.CreationClassName & @CRLF $Output = $Output & "DefaultBlockSize: " & $objItem.DefaultBlockSize & @CRLF $Output = $Output & "Description: " & $objItem.Description & @CRLF $Output = $Output & "DeviceID: " & $objItem.DeviceID & @CRLF $Output = $Output & "ErrorCleared: " & $objItem.ErrorCleared & @CRLF $Output = $Output & "ErrorDescription: " & $objItem.ErrorDescription & @CRLF $Output = $Output & "ErrorMethodology: " & $objItem.ErrorMethodology & @CRLF $Output = $Output & "FirmwareRevision: " & $objItem.FirmwareRevision & @CRLF $Output = $Output & "Index: " & $objItem.Index & @CRLF $Output = $Output & "InstallDate: " & WMIDateStringToDate($objItem.InstallDate) & @CRLF $Output = $Output & "InterfaceType: " & $objItem.InterfaceType & @CRLF $Output = $Output & "LastErrorCode: " & $objItem.LastErrorCode & @CRLF $Output = $Output & "Manufacturer: " & $objItem.Manufacturer & @CRLF $Output = $Output & "MaxBlockSize: " & $objItem.MaxBlockSize & @CRLF $Output = $Output & "MaxMediaSize: " & $objItem.MaxMediaSize & @CRLF $Output = $Output & "MediaLoaded: " & $objItem.MediaLoaded & @CRLF $Output = $Output & "MediaType: " & $objItem.MediaType & @CRLF $Output = $Output & "MinBlockSize: " & $objItem.MinBlockSize & @CRLF $Output = $Output & "Model: " & $objItem.Model & @CRLF $Output = $Output & "Name: " & $objItem.Name & @CRLF $Output = $Output & "NeedsCleaning: " & $objItem.NeedsCleaning & @CRLF $Output = $Output & "NumberOfMediaSupported: " & $objItem.NumberOfMediaSupported & @CRLF $Output = $Output & "Partitions: " & $objItem.Partitions & @CRLF $Output = $Output & "PNPDeviceID: " & $objItem.PNPDeviceID & @CRLF $strPowerManagementCapabilities = $objItem.PowerManagementCapabilities(0) $Output = $Output & "PowerManagementCapabilities: " & $strPowerManagementCapabilities & @CRLF $Output = $Output & "PowerManagementSupported: " & $objItem.PowerManagementSupported & @CRLF $Output = $Output & "SCSIBus: " & $objItem.SCSIBus & @CRLF $Output = $Output & "SCSILogicalUnit: " & $objItem.SCSILogicalUnit & @CRLF $Output = $Output & "SCSIPort: " & $objItem.SCSIPort & @CRLF $Output = $Output & "SCSITargetId: " & $objItem.SCSITargetId & @CRLF $Output = $Output & "SectorsPerTrack: " & $objItem.SectorsPerTrack & @CRLF $Output = $Output & "SerialNumber: " & $objItem.SerialNumber & @CRLF $Output = $Output & "Signature: " & $objItem.Signature & @CRLF $Output = $Output & "Size: " & $objItem.Size & @CRLF $Output = $Output & "Status: " & $objItem.Status & @CRLF $Output = $Output & "StatusInfo: " & $objItem.StatusInfo & @CRLF $Output = $Output & "SystemCreationClassName: " & $objItem.SystemCreationClassName & @CRLF $Output = $Output & "SystemName: " & $objItem.SystemName & @CRLF $Output = $Output & "TotalCylinders: " & $objItem.TotalCylinders & @CRLF $Output = $Output & "TotalHeads: " & $objItem.TotalHeads & @CRLF $Output = $Output & "TotalSectors: " & $objItem.TotalSectors & @CRLF $Output = $Output & "TotalTracks: " & $objItem.TotalTracks & @CRLF $Output = $Output & "TracksPerCylinder: " & $objItem.TracksPerCylinder & @CRLF if Msgbox(1,"WMI Output",$Output) = 2 then ExitLoop $Output="" Next Else Msgbox(0,"WMI Output","No WMI Objects Found for class: " & "Win32_DiskDrive" ) Endif Func WMIDateStringToDate($dtmDate) Return (StringMid($dtmDate, 5, 2) & "/" & _ StringMid($dtmDate, 7, 2) & "/" & StringLeft($dtmDate, 4) _ & " " & StringMid($dtmDate, 9, 2) & ":" & StringMid($dtmDate, 11, 2) & ":" & StringMid($dtmDate,13, 2)) EndFunc

In case you had not noticed we have a new MVP, czardas. I am sure you will all join me in congratulating him on his new status. M23

And please extend your congratulations to Malkey as well - the invitation obviously took the slow boat to the Antipodes. M23

Another option, using less AutoIt, is to save the macro in that workbook then use the Excel functions in AutoIt to open the Excel spreadsheet, run that macro, save spreadsheet as something else, then...lather, rinse, repeat. When you create the macro in the first place it asks where to save it, make it "This Workbook" which I think is default anyway. Here's a piece that might work for you...using AutoIt ExcelCOM to import the CSV as opposed to using AutoIT to kick off a macro. See which works best, or consider jchd's suggestion following this post. #include <Excel.au3> $oExcel = _ExcelBookNew() ;Replace this with the line that opens your special workbook, instead of creating a new workbook, might want to make sure the proper sheet is activated first just in case $sCSVFile = "C:\test.csv" With $oExcel.ActiveSheet .QueryTables.Add("TEXT;" & $sCSVFile, $oExcel.ActiveSheet.Range("$A$1")) .QueryTables(1).TextFileCommaDelimiter = True .QueryTables(1).Refresh EndWith