Run binary

[cefusabaya]

Hello!

How to change the working directory?

If an injection is in an autoit, and the program files are in another directory, then it does not load libraries, etc.

[youtuber]

I need to find the entry point of the exe file and I want to read the first two lines in hex format.

https://prnt.sc/10ex5ck

[Damnatio]

This isnt working anymore on Windows 11 24H2 with 64bit exe files

[Jos]

This?   

Please provide enough & clear information what you are doing and what isn't working.

[Damnatio]

3 minutes ago, Jos said:

This?   

Please provide enough & clear information what you are doing and what isn't working.

Sorry, if you try to load an x64.exe file into another x64.exe file youll get an error.

0xC0000141 -> STATUS_INVALID_ADDRESS -> The address handle that was given to the transport was invalid.

[SOLVE-SMART]

Hi @Damnatio 👋 ,

did you read the hint in the first post of the thread?

On 8/3/2009 at 2:14 PM, trancexx said:

edit:
64bit support added. That means you can embed either x64 or x86 modules.
If your AutoIt is x64 you embed x64 modules. If AutoIt is x86 embed x86.
x64 AutoIt could also use embedded x86 modules but I don't like that because needed structures would have to be changed to something that's not meeting aesthetics standards .

Does your AutoIt version match the executable arch?

Best regards
Sven

[Damnatio]

11 minutes ago, SOLVE-SMART said:

Hi @Damnatio 👋 ,

did you read the hint in the first post of the thread?

Does your AutoIt version match the executable arch?

Best regards
Sven

Its working completely fine on Windows 11 23H2 x32 and x64.

On Windows 11 24H2 (the newest version) x64 isnt working anymore.

[argumentum]

2 hours ago, Damnatio said:

On Windows 11 24H2 (the newest version) x64 isnt working anymore.

24H2 is ... what it is.
But you can always run the program from the drive so, no big deal.
And it was written in 2009, ..the user that wrote it does not actively use this forum since a long time now.

Sorry for the bad news.

[Damnatio]

#Region 12. FIX NTDLL for Win11 24H2
    $WinVer = RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "DisplayVersion")
    If $WinVer = "24H2" Then
        $ntdllbase = _WinAPI_GetModuleHandle("ntdll.dll")
        Local $Patch[4] = [0x48, 0x31, 0xC0, 0xC3]
        For $i = 0 To 3
            $pBuf = DllStructCreate("byte")
            DllStructSetData($pBuf, 1, $Patch[$i])
            $aCall = DllCall("kernel32.dll", "bool", _RunBinary_LeanAndMean(), _
                    "handle", $hProcess, _
                    "ptr", $ntdllbase + 0x7BE0 + $i, _
                    "ptr", DllStructGetPtr($pBuf), _
                    "dword_ptr", DllStructGetSize($pBuf), _
                    "dword_ptr*", 0)
            ; Check for errors or failure
            If @error Or Not $aCall[0] Then
                DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0)
                Return SetError(12, 0, 0) ; failure while changing ntdll
            EndIf
        Next
    EndIf
    #EndRegion 12. FIX NTDLL for Win11 24H2

Do that after you've set the threadcontext and before you resume the thread.