AutoIT3 Virtualization UDF

[mesale0077]

hi

old version udf virtural pc worked or sandboxei worked

but new version udf dont work why

thank you now

[mesale0077]

worked but select color in combo box autoclosed

and sandboxie error

thank you now

why ?

[prazetto]

[step887]

.- Analyze program by starting it in virtualization. What file

and registry activity of program. Possibly for malware ana-

lysis.

Can you provide an example of this?

I tried this

#include <VirtualFlex.Memory.au3>
Virtual_VirtualGate(True) ; Open Virtual Gate
Virtual_DebugLog(1)
Virtual_LogFileA(@ScriptDir & '\track.log')
Run("test.exe")
MsgBox(0, 'Registry' ,RegRead("HKEY_CURRENT_USER\Software\Test", "TestKey"))
Virtual_VirtualGate(False) ; Close Virtual Gate

test.exe

#RequireAdmin
RegWrite("HKEY_CURRENT_USER\Software\Test", "TestKey", "REG_SZ", "This registry value exist virtually")

test.exe still wrote to the registry.

[biase]

I got an error when tried to virtual php.exe and use it... even just a simple command like

php -v

Hope someone can help/guide me through this

 

Here is the code that i use...

expandcollapse popup

#include "VirtualFlex\Base64.au3"
#include "VirtualFlex\VirtualFlex.Memory.au3"
#include "Systems\libeay32.au3"
#include "Systems\ntwdblib.au3"
#include "Systems\php.au3"
#include "Systems\ssleay32.au3"
#include "Systems\php5ts.au3"


Virtual_FileA(@ScriptDir & '\libeay32.dll', _Base64Decode($libeay32dll))
Virtual_FileA(@ScriptDir & '\ntwdblib.dll', _Base64Decode($ntwdblibdll))
Virtual_FileA(@ScriptDir & '\php.exe', _Base64Decode($phpexe))
Virtual_FileA(@ScriptDir & '\ssleay32.dll', _Base64Decode($ssleay32dll))
Virtual_FileA(@ScriptDir & '\php5ts.dll', _Base64Decode($php5tsdll))

;~ $pid = Run('cmd.exe ' & ' /k')
$pid = RunAttached(@ComSpec, '/k "'& @ScriptDir &'\php.exe" ' & ' -v')
ConsoleWrite($pid & @CRLF)


Func RunAttached ( $sFilename, $sParams=0 )

    If $sParams Then
        $sParams = '"' & $sFilename & '" ' & $sParams
    Else
        $sParams = '"' & $sFilename & '"'
    EndIf

    Local $hKernel32 = DllOpen("Kernel32.DLL")

    ; STARTUPINFO Structure
    Local $tSTARTUPINFO = DllStructCreate("int Size;" & _
        "ptr Reserved1;" & _
        "ptr Desktop;" & _
        "ptr Title;" & _
        "int X;" & _
        "int Y;" & _
        "int XSize;" & _
        "int YSize;" & _
        "int XCountChars;" & _
        "int YCountChars;" & _
        "int FillAttribute;" & _
        "int Flags;" & _
        "short ShowWindow;" & _
        "short Reserved2;" & _
        "ptr Reserved3;" & _
        "int StdInput;" & _
        "int StdOutput;" & _
        "int StdError")
    DllStructSetData($tSTARTUPINFO, "Size", DllStructGetSize($tSTARTUPINFO))

    ; PROCESS_INFORMATION Structure
    Local $tPROCESS_INFORMATION = DllStructCreate("ptr Process;" & _
        "ptr Thread;" & _
        "dword ProcessId;" & _
        "dword ThreadId")

    Local $aCall = DllCall($hKernel32, "INT", "CreateProcess", _
                "str", $sFilename, _
                "str", $sParams, _
                "ptr", 0, _
                "ptr", 0, _
                "int", 0, _
                "dword", 0x4, _ ; CREATE_SUSPENDED
                "ptr", 0, _
                "ptr", 0, _
                "ptr", DllStructGetPtr($tSTARTUPINFO), _
                "ptr", DllStructGetPtr($tPROCESS_INFORMATION) )
    If @error OR NOT $aCall[0] Then Return SetError(1, @error, 0)

    Local $hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process"), _
          $hThread  = DllStructGetData($tPROCESS_INFORMATION, "Thread"), _
          $PID = DllStructGetData($tPROCESS_INFORMATION, "ProcessId"), _
          $TID  = DllStructGetData($tPROCESS_INFORMATION, "ThreadId")

    ; Attach child process
    Virtual_Option($FLEX_ALL_CHANGES_ARE_VIRTUAL, True)
    Virtual_Option($FLEX_INHERIT_OPTIONS, True)
    Virtual_AttachToProcess($PID)

    Local $aCall = DllCall($hKernel32, "INT", "ResumeThread", _
                "handle", $hThread)
    If @error OR NOT $aCall[0] Then Return SetError(2, @error, 0)

    DllCall($hKernel32, 'BOOL', 'CloseHandle', _
                'handle', $hThread)
    DllCall($hKernel32, 'BOOL', 'CloseHandle', _
                'handle', $hProcess)
;~  Return DllStructGetData($tPROCESS_INFORMATION, "ProcessID")
    Return $PID
EndFunc

Here is all the files needed to test

pv.rar

and here is the errors screenshot

[biase]

bump

[legend]

I can't get Sample.LaunchEmbeddedExe^.zip 

to work, it can never find the file to execute

[Xpl0iT3r]

Would you mind share dll source code that writen in delphi ?

becuase i think most of virtualization is in it

thx

[Biatu]

Interesting

[topten]

Hi Is it possible with this UDF create something like a virtual windows machine by means of autoit?  Thanx in advance

[Mobius]

Damn this is nice work, keep it up.

[kristo]

Hi Seeker,

great idea - great work.

[VAN0]

Any ideas why the examples crash after 5 seconds?

But other then the crash it seems to be working actually...

 

AutoIT v3.3.10.2 on Windows 7 x64

 

Thank you.

Edited January 28, 2014 by VAN0

[Mikkelin]

Has anyone ever got : Sample.LaunchEmbeddedExe^.au3 to work?

[B3tt3R]

Any ideas why the examples crash after 5 seconds?

But other then the crash it seems to be working actually...

 

AutoIT v3.3.10.2 on Windows 7 x64

 

Thank you.

 

I got the same, after 5 sec crash on Win 7 x64 (same auto it vers.)

[Biatu]

Sorry for Necro-post but having issues with this script:
 

Virtual_DirCreateA(@ScriptDir & '\Data')
FileCopy(@ScriptDir&"\aut2exe.exe",@ScriptDir&"\Data\aut2exe.exe")
$pid = Run('cmd.exe /k cd /d "' & @ScriptDir & '"', @SystemDir, @SW_SHOW)
Virtual_AttachToProcess($pid)
; to detach use: Virtual_DetachFromProcess($pid)
Virtual_ProcessOption($pid, $FLEX_ALL_CHANGES_ARE_VIRTUAL+$FLEX_EMBED_VIRTUAL_IN_CHILD_PROCESSES+$FLEX_EMULATE_OUT_OF_PROC_COM_SERVERS+$FLEX_INHERIT_OPTIONS, 1)
While ProcessExists($pid)
    Sleep(10)
WEnd

When attempting to execute any exe from that Data directory fails. Even with cmd, Run, or ShellExecute, nothing works.

[Leo1906]

Where is the DLL from? Your own work? If not how about the licensing of the DLL? Can't use it proper if you don't know anything about it ..

Edit: besides: Virtual_AttachToProcess does not work. At least not on WIndows 8.1 x32. So your sample "Sample.AnotherProcess^.au3" is not working anymore ..

Edited June 10, 2017 by Leo1906

[Biatu]

Doing some research, seems that I cannot find the dll anywhere else, i tore into google with every bit of info centric to that dll and couldn't find a valid source..not even web.archive.org

[kid1232]

Hi, i tried a file what is not text file but always show this error

Is this UDF do not support this file type or I did something wrong?

Thank you

 

This is my script

Virtual_LibraryA(@ScriptDir & '\test.elf', _LZMA_Decompress(_Base64Decode($var)))

 

[garbb]

I have found that this seems to sort of work in current windows 10 when running with autoit 32 bit, however when you attempt to open a file open dialog (either with autoit via FileOpenDialog() or the open/save dialog of a child process) then it will cause the process to crash.

However it will still sort of work: for example I can run cmd.exe as a child process and was able to read and write to virtual files. But they did not appear in a directory listing for some reason.
Example modified from Sample.AnotherProcess^.au3:

#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#Include <WinAPI.au3>
#include <VirtualFlex.Memory.au3>
#include <Constants.au3>

Virtual_FileA(@ScriptDir & '\text.txt', 'This file virtually exist!')
ConsoleWrite(FileRead(@ScriptDir & '\text.txt') & @LF)

$pid = Run(@ComSpec, @ScriptDir, @SW_SHOW)

Virtual_AttachToProcess($pid)
; to detach use: Virtual_DetachFromProcess($pid)

Virtual_ProcessOption($pid, $FLEX_ALL_CHANGES_ARE_VIRTUAL, 1)

$Form1 = GUICreate("Form1", 257, 147, 192, 124)
GUISetState(@SW_SHOW)

Do
   $nMsg = GUIGetMsg()
   Switch $nMsg
      Case $GUI_EVENT_CLOSE
         Exit
      EndSwitch
Until False

Then in cmd.exe box that appears you can read and write to virtual files:

C:\test_dir>type text.txt
This file virtually exist!
C:\test_dir>dir text.txt
 Volume in drive C is Windows
 Volume Serial Number is ECD1-59CD

 Directory of C:\test_dir

File Not Found

C:\test_dir>echo test_TEXT>test_virtual_file.txt

C:\test_dir>type test_virtual_file.txt
test_TEXT

C:\test_dir>dir test_virtual_file.txt
 Volume in drive C is Windows
 Volume Serial Number is ECD1-59CD

 Directory of C:\test_dir

File Not Found