trancexx (Author) Posted August 7, 2009

> I don't understand yet all things from your UDF. From all the executables that I tried to run from memory just one of them was successful; for the others I got errors like 3, 6, 7. Anyway I like your UDF and examples, all work fine. >_<

That's interesting. What system are you on? Try this: Is that working for you without making any modifications? Btw it's something that's impossible to do in AutoIt. Another brilliance of Mr. Wayne J. Radburn. Just play with it, you will see how really brilliant it is.

♡♡♡ . eMyvnE
JRSmile Posted August 7, 2009 (edited)

The udf works perfect. Is it possible to add start parameters, or to know the actual path where it is running in? Because for dana (irc client) there has to be a conf file in the same directory as the exe. I could successfully convert the binary to string and start it with your function, but it does not see the config file... any clues?

edit: I found out that when it is compiled it does see the config file in the same dir, so I have to create the config file in the real file system. There isn't a way to put this in ram too, is it?

Edited August 7, 2009 by JRSmile

$a=StringSplit("547275737420796F757220546563686E6F6C75737421","")
For $b=1 To UBound($a)+(-1*-1*-1)step(2^4/8);&$b+=1*2/40*µ&Asc(4)
    Assign("c",Eval("c")&Chr(Dec($a[$b]&$a[$b+1])));''Chr("a")&"HI"
Next ;time_U&r34d,ths,U-may=get$the&c.l.u.e;b3st-regards,JRSmile;
MsgBox(0x000000,"",Eval("c"));PiEs:d0nt+*b3.s4d.4ft3r.1st-try:-)
monoceres Posted August 7, 2009

> The udf works perfect. Is it possible to add start parameters, or to know the actual path where it is running in? Because for dana (irc client) there has to be a conf file in the same directory as the exe. I could successfully convert the binary to string and start it with your function, but it does not see the config file... any clues?
> edit: I found out that when it is compiled it does see the config file in the same dir, so I have to create the config file in the real file system. There isn't a way to put this in ram too, is it?

The path for the exe run from memory will be the one that is used as the startup'er (standard is @AutoItExe); simply replace it with an exe in the same dir as the program you wish to run from mem and it will be fine (it works when compiled because then @AutoItExe points to the compiled script).

Broken link? PM me and I'll send you the file!
Andreik Posted August 7, 2009

> That's interesting. What system are you on? Try this: Is that working for you without making any modifications? Btw it's something that's impossible to do in AutoIt. Another brilliance of Mr. Wayne J. Radburn. Just play with it, you will see how really brilliant it is.

When I made those tests I was using Windows XP SP2. Now I tried your example on Win XP 64 and get an error "The application failed to initialize properly (0xc000007b)."
trancexx (Author) Posted August 7, 2009

> When I made those tests I was using Windows XP SP2. Now I tried your example on Win XP 64 and get an error "The application failed to initialize properly (0xc000007b)."

Yes. Well, that would be my mistake. Mea maxima culpa (I always liked the sound of that >_< ). Mostly for not explaining what I thought was obvious.
Andreik Posted August 7, 2009

> Yes. Well, that would be my mistake. Mea maxima culpa (I always liked the sound of that >_< ). Mostly for not explaining what I thought was obvious.

It would be nice to make your function something like _RunFromMemory($ExePath). In the first part of the function create the binary image and then run the current function.
spudw2k Posted August 7, 2009 (edited)

> It would be nice to make your function something like _RunFromMemory($ExePath). In the first part of the function create the binary image and then run the current function.

I thought the idea was to embed an exe (in bin form) in a script. It makes sense to embed an exe that doesn't exist on the client side. Why would you want to do it in realtime when you could just run the exe?

Edited August 7, 2009 by spudw2k

Things I've Made: Always On Top Tool ◊ AU History ◊ Deck of Cards ◊ HideIt ◊ ICU ◊ Icon Freezer ◊ Ipod Ejector ◊ Junos Configuration Explorer ◊ Link Downloader ◊ MD5 Folder Enumerator ◊ PassGen ◊ Ping Tool ◊ Quick NIC ◊ Read OCR ◊ RemoteIT ◊ SchTasksGui ◊ SpyCam ◊ System Scan Report Tool ◊ System UpTime ◊ Transparency Machine ◊ VMWare ESX Builder. Misc Code Snippets: ADODB Example ◊ CheckHover ◊ Detect SafeMode ◊ DynEnumArray ◊ GetNetStatData ◊ HashArray ◊ IsBetweenDates ◊ Local Admins ◊ Make Choice ◊ Recursive File List ◊ Remove Sizebox Style ◊ Retrieve PNPDeviceID ◊ Retrieve SysListView32 Contents ◊ Set IE Homepage ◊ Tickle Expired Password ◊ Transpose Array. Projects: Drive Space Usage GUI ◊ LEDkIT ◊ Plasma_kIt ◊ Scan Engine Builder ◊ SpeeDBurner ◊ SubnetCalc. Cool Stuff: AutoItObject UDF ◊ Extract Icon From Proc ◊ GuiCtrlFontRotate ◊ Hex Edit Funcs ◊ Run binary ◊ Service_UDF
monoceres Posted August 8, 2009

I've been thinking of a fix myself. However I cannot seem to come up with a satisfying solution. I mean, it's easy just to unset the image randomization bit for the source pe, but it will require the exe to be copied, which leaves us with some problems: first off, who is going to delete that exe? It's rude to just leave behind files like that; secondly it will require that we have read, write & execute rights in the directory. So the solution I think is the best is to rebase the target exe, is that your solution?
trancexx (Author) Posted August 9, 2009

> I've been thinking of a fix myself. However I cannot seem to come up with a satisfying solution. I mean, it's easy just to unset the image randomization bit for the source pe, but it will require the exe to be copied, which leaves us with some problems: first off, who is going to delete that exe? It's rude to just leave behind files like that; secondly it will require that we have read, write & execute rights in the directory. So the solution I think is the best is to rebase the target exe, is that your solution?

Only question would be how to do it. I can think of two ways. First and the obvious one is to actually rewrite the exe's code - move all pointers by the value of the calculated offset. Imagine the job. Second one would be to fold space at the quantum level (Dune - David Lynch, if you haven't looked, find time and do). What error do you get for example No8?
trancexx (Author) Posted August 9, 2009

> That being the size of the executable that is running the other? In that case, wouldn't it be easy to just add an Install() of a few sizable files to eliminate the problem?

Something like that might work.
monoceres Posted August 9, 2009

> Only question would be how to do it. I can think of two ways. First and the obvious one is to actually rewrite the exe's code - move all pointers by the value of the calculated offset. Imagine the job. Second one would be to fold space at the quantum level (Dune - David Lynch, if you haven't looked, find time and do). What error do you get for example No8?

Oh you clever SOB, I thought that was just debugging for Andreik! I actually also tried to change the ImageBase pointer, however when I did it I got errors that the C runtime couldn't be found. Hmm, must have overlooked something.
trancexx (Author) Posted August 10, 2009

I owe an explanation (and correction) on the "Ebx" member of the CONTEXT structure. That is a pointer to the PEB structure. Another structure that's not welcomely shared by Microsoft for some reason. There is an official explanation of it here. But something like this can also be found:

Local $tPEB = DllStructCreate("byte InheritedAddressSpace;" & _
        "byte ReadImageFileExecOptions;" & _
        "byte BeingDebugged;" & _
        "byte Spare;" & _
        "ptr Mutant;" & _
        "ptr ImageBaseAddress;" & _
        "ptr LoaderData;" & _
        "ptr ProcessParameters;" & _
        "ptr SubSystemData;" & _
        "ptr ProcessHeap;" & _
        "ptr FastPebLock;" & _
        "ptr FastPebLockRoutine;" & _
        "ptr FastPebUnlockRoutine;" & _
        "dword EnvironmentUpdateCount;" & _
        "ptr KernelCallbackTable;" & _
        "ptr EventLogSection;" & _
        "ptr EventLog;" & _
        "ptr FreeList;" & _
        "dword TlsExpansionCounter;" & _
        "ptr TlsBitmap;" & _
        "dword TlsBitmapBits[2];" & _
        "ptr ReadOnlySharedMemoryBase;" & _
        "ptr ReadOnlySharedMemoryHeap;" & _
        "ptr ReadOnlyStaticServerData;" & _
        "ptr AnsiCodePageData;" & _
        "ptr OemCodePageData;" & _
        "ptr UnicodeCaseTableData;" & _
        "dword NumberOfProcessors;" & _
        "dword NtGlobalFlag;" & _
        "ubyte Spare2[4];" & _
        "int64 CriticalSectionTimeout;" & _
        "dword HeapSegmentReserve;" & _
        "dword HeapSegmentCommit;" & _
        "dword HeapDeCommitTotalFreeThreshold;" & _
        "dword HeapDeCommitFreeBlockThreshold;" & _
        "dword NumberOfHeaps;" & _
        "dword MaximumNumberOfHeaps;" & _
        "ptr ProcessHeaps;" & _
        "ptr GdiSharedHandleTable;" & _
        "ptr ProcessStarterHelper;" & _
        "ptr GdiDCAttributeList;" & _
        "ptr LoaderLock;" & _
        "dword OSMajorVersion;" & _
        "dword OSMinorVersion;" & _
        "dword OSBuildNumber;" & _
        "dword OSPlatformId;" & _
        "dword ImageSubSystem;" & _
        "dword ImageSubSystemMajorVersion;" & _
        "dword ImageSubSystemMinorVersion;" & _
        "dword GdiHandleBuffer[34];" & _
        "dword PostProcessInitRoutine;" & _
        "dword TlsExpansionBitmap;" & _
        "ubyte TlsExpansionBitmapBits[128];" & _
        "dword SessionId")

; Read the PEB of the new process; Ebx of its initial thread context points to it
$aCall = DllCall("kernel32.dll", "int", "ReadProcessMemory", _
        "ptr", $hProcess, _
        "ptr", DllStructGetData($tCONTEXT, "Ebx"), _
        "ptr", DllStructGetPtr($tPEB), _
        "dword", DllStructGetSize($tPEB), _
        "dword*", 0)

Local $hBaseAddress = DllStructGetData($tPEB, "ImageBaseAddress")

Correction would be that $hBaseAddress is not the third element of that structure (it's the sixth).
IchBistTod Posted August 13, 2009

I really don't mean to be a bother, I mean all your examples work on Windows 7, however what must I do to make the image out of an exe? I have tried reading in binary mode and passing the data to the func but it doesn't work. Am I missing something?
trancexx (Author) Posted August 13, 2009

> I really don't mean to be a bother, I mean all your examples work on Windows 7, however what must I do to make the image out of an exe? I have tried reading in binary mode and passing the data to the func but it doesn't work. Am I missing something?

Show the code.
Xenobiologist Posted August 13, 2009

Hi, looks good. What exe files can be used? The ones I tried all fail, although they are smaller than the Autoit.exe.

Mega

Scripts & functions: Organize Includes (Let Scite organize the include files) ◊ Yahtzee (The game "Yahtzee" (Kniffel, DiceLion)) ◊ LoginWrapper (Secure scripts by adding a query (authentication)) ◊ _RunOnlyOnThis UDF (Make sure that a script can only be executed on ... (Windows / HD / ...)) ◊ Internet-Café Server/Client Application (Open CD, Start Browser, Lock remote client, etc.) ◊ MultipleFuncsWithOneHotkey (Start different funcs by hitting one hotkey different times)
trancexx (Author) Posted August 13, 2009 (edited)

> Hi, looks good. What exe files can be used? The ones I tried all fail, although they are smaller than the Autoit.exe.
> Mega

What error number? System? Function?

Edited August 13, 2009 by trancexx
IchBistTod Posted August 13, 2009 (edited)

No error, it just doesn't work. I am on Windows 7 and all the examples work perfect. Here is my code.

$file = FileOpen(FileOpenDialog("Select a File", @WorkingDir, "All Files (*.*)"), 16)
$contents = FileRead($file)
_RunExeFromMemory($contents)

Func _RunExeFromMemory($bBinaryImage)

    #Region 1. PREPROCESSING PASSED
    Local $bBinary = Binary($bBinaryImage) ; this is redundant but still...
    ; Make structure out of binary data that was passed
    Local $tBinary = DllStructCreate("byte[" & BinaryLen($bBinary) & "]")
    DllStructSetData($tBinary, 1, $bBinary) ; fill it
    ; Get pointer to it
    Local $pPointer = DllStructGetPtr($tBinary)

    #Region 2. CREATING NEW PROCESS
    ; STARTUPINFO structure (actually all that really matters is allocated space)
    Local $tSTARTUPINFO = DllStructCreate("dword cbSize;" & _
            "ptr Reserved;" & _
            "ptr Desktop;" & _
            "ptr Title;" & _
            "dword X;" & _
            "dword Y;" & _
            "dword XSize;" & _
            "dword YSize;" & _
            "dword XCountChars;" & _
            "dword YCountChars;" & _
            "dword FillAttribute;" & _
            "dword Flags;" & _
            "ushort ShowWindow;" & _
            "ushort Reserved2;" & _
            "ptr Reserved2;" & _
            "ptr hStdInput;" & _
            "ptr hStdOutput;" & _
            "ptr hStdError")
    ; This is very important. This structure will hold some very important data.
    Local $tPROCESS_INFORMATION = DllStructCreate("ptr Process;" & _
            "ptr Thread;" & _
            "dword ProcessId;" & _
            "dword ThreadId")
    ; Create new process
    Local $aCall = DllCall("kernel32.dll", "int", "CreateProcessW", _
            "wstr", @AutoItExe, _ ; This (or better said - another instance of me)
            "ptr", 0, _
            "ptr", 0, _
            "ptr", 0, _
            "int", 0, _
            "dword", 4, _ ; CREATE_SUSPENDED ; <- this is essential
            "ptr", 0, _
            "ptr", 0, _
            "ptr", DllStructGetPtr($tSTARTUPINFO), _
            "ptr", DllStructGetPtr($tPROCESS_INFORMATION))
    If @error Or Not $aCall[0] Then
        Return SetError(1, 0, 0) ; CreateProcess function or call to it failed
    EndIf
    ; New process and thread handles:
    Local $hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process")
    Local $hThread = DllStructGetData($tPROCESS_INFORMATION, "Thread")

    #Region 3. FILL CONTEXT STRUCTURE
    ; CONTEXT structure is what's really important here. It's very 'mysterious'
    Local $tCONTEXT = DllStructCreate("dword ContextFlags;" & _
            "dword Dr0;" & _
            "dword Dr1;" & _
            "dword Dr2;" & _
            "dword Dr3;" & _
            "dword Dr6;" & _
            "dword Dr7;" & _
            "dword ControlWord;" & _
            "dword StatusWord;" & _
            "dword TagWord;" & _
            "dword ErrorOffset;" & _
            "dword ErrorSelector;" & _
            "dword DataOffset;" & _
            "dword DataSelector;" & _
            "byte RegisterArea[80];" & _
            "dword Cr0NpxState;" & _
            "dword SegGs;" & _
            "dword SegFs;" & _
            "dword SegEs;" & _
            "dword SegDs;" & _
            "dword Edi;" & _
            "dword Esi;" & _
            "dword Ebx;" & _
            "dword Edx;" & _
            "dword Ecx;" & _
            "dword Eax;" & _ ; manipulation point (will set address of entry point here)
            "dword Ebp;" & _
            "dword Eip;" & _
            "dword SegCs;" & _
            "dword EFlags;" & _
            "dword Esp;" & _
            "dword SegS")
    DllStructSetData($tCONTEXT, "ContextFlags", 0x10002) ; CONTEXT_INTEGER
    ; Fill tCONTEXT structure:
    $aCall = DllCall("kernel32.dll", "int", "GetThreadContext", _
            "ptr", $hThread, _
            "ptr", DllStructGetPtr($tCONTEXT))
    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(2, 0, 0) ; GetThreadContext function or call to it failed
    EndIf

    #Region 4. READ PE-FORMAT
    ; Start processing passed binary data. 'Reading' PE format follows.
    Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _
            "ushort BytesOnLastPage;" & _
            "ushort Pages;" & _
            "ushort Relocations;" & _
            "ushort SizeofHeader;" & _
            "ushort MinimumExtra;" & _
            "ushort MaximumExtra;" & _
            "ushort SS;" & _
            "ushort SP;" & _
            "ushort Checksum;" & _
            "ushort IP;" & _
            "ushort CS;" & _
            "ushort Relocation;" & _
            "ushort Overlay;" & _
            "char Reserved[8];" & _
            "ushort OEMIdentifier;" & _
            "ushort OEMInformation;" & _
            "char Reserved2[20];" & _
            "dword AddressOfNewExeHeader", _
            $pPointer)
    ; Move pointer
    $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader") ; move to PE file header
    Local $sMagic = DllStructGetData($tIMAGE_DOS_HEADER, "Magic")
    ; Check if it's valid format
    If Not ($sMagic == "MZ") Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(3, 0, 0) ; MS-DOS header missing. Btw 'MZ' are the initials of Mark Zbikowski in case you didn't know.
    EndIf
    Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer)
    ; Move pointer
    $pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure
    ; Check signature
    If DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") <> 17744 Then ; IMAGE_NT_SIGNATURE
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(4, 0, 0) ; wrong signature. For PE image should be "PE\0\0" or 17744 dword.
    EndIf
    Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _
            "ushort NumberOfSections;" & _
            "dword TimeDateStamp;" & _
            "dword PointerToSymbolTable;" & _
            "dword NumberOfSymbols;" & _
            "ushort SizeOfOptionalHeader;" & _
            "ushort Characteristics", _
            $pPointer)
    ; Get number of sections
    Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")
    ; Move pointer
    $pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure
    Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _
            "ubyte MajorLinkerVersion;" & _
            "ubyte MinorLinkerVersion;" & _
            "dword SizeOfCode;" & _
            "dword SizeOfInitializedData;" & _
            "dword SizeOfUninitializedData;" & _
            "dword AddressOfEntryPoint;" & _
            "dword BaseOfCode;" & _
            "dword BaseOfData;" & _
            "dword ImageBase;" & _
            "dword SectionAlignment;" & _
            "dword FileAlignment;" & _
            "ushort MajorOperatingSystemVersion;" & _
            "ushort MinorOperatingSystemVersion;" & _
            "ushort MajorImageVersion;" & _
            "ushort MinorImageVersion;" & _
            "ushort MajorSubsystemVersion;" & _
            "ushort MinorSubsystemVersion;" & _
            "dword Win32VersionValue;" & _
            "dword SizeOfImage;" & _
            "dword SizeOfHeaders;" & _
            "dword CheckSum;" & _
            "ushort Subsystem;" & _
            "ushort DllCharacteristics;" & _
            "dword SizeOfStackReserve;" & _
            "dword SizeOfStackCommit;" & _
            "dword SizeOfHeapReserve;" & _
            "dword SizeOfHeapCommit;" & _
            "dword LoaderFlags;" & _
            "dword NumberOfRvaAndSizes", _
            $pPointer)
    ; Move pointer
    $pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER
    Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic")
    ; Check if it's 32-bit application
    If $iMagic <> 267 Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(5, 0, 0) ; not 32-bit application. Structures (and sizes) are for 32-bit apps.
    EndIf
    ; Extract entry point address
    Local $iEntryPointNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint") ; if loaded, binary image would start executing at this address
    ; Move pointer
    $pPointer += 128 ; size of the structures before IMAGE_SECTION_HEADER (16 of them).
    Local $pOptionalHeaderImageBaseNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase") ; address of the first byte of the image when it's loaded in memory
    Local $iOptionalHeaderSizeOfImageNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfImage") ; the size of the image including all headers

    #Region 5. CLEAR EVERYTHING THAT THIS NEW PROCESS HAVE MAPPED
    ; Clear old data. !This is where this whole function will fail with Vista and above!
    $aCall = DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", _
            "ptr", $hProcess, _
            "ptr", $pOptionalHeaderImageBaseNEW)
    If @error Or $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(6, 0, 0) ; NtUnmapViewOfSection function or call to it failed
    EndIf

    #Region 6. ALLOCATE 'NEW' MEMORY SPACE
    ; Allocate proper size of memory at the proper place. !This is where the failure will occur if that new exe is e.g. bigger than AutoIt3.exe!
    $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", _
            "ptr", $hProcess, _
            "ptr", $pOptionalHeaderImageBaseNEW, _
            "dword", $iOptionalHeaderSizeOfImageNEW, _
            "dword", 12288, _ ; MEM_COMMIT|MEM_RESERVE
            "dword", 64) ; PAGE_EXECUTE_READWRITE
    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(7, 0, 0) ; VirtualAllocEx function or call to it failed
    EndIf
    Local $pRemoteCode = $aCall[0] ; from now on this is zero-point

    #Region 7. GET AND WRITE NEW PE-HEADERS
    Local $pHEADERS_NEW = DllStructGetPtr($tIMAGE_DOS_HEADER) ; starting address of binary image headers
    Local $iOptionalHeaderSizeOfHeadersNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders") ; the size of the MS-DOS stub, the PE header, and the section headers
    ; Write NEW headers
    $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", _
            "ptr", $hProcess, _
            "ptr", $pRemoteCode, _
            "ptr", $pHEADERS_NEW, _
            "dword", $iOptionalHeaderSizeOfHeadersNEW, _
            "dword*", 0)
    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(8, 0, 0) ; WriteProcessMemory function or call to it while writing new PE headers failed
    EndIf

    #Region 8. WRITE SECTIONS
    ; Dealing with sections. Will write them too as they hold all needed data that PE loader reads
    Local $tIMAGE_SECTION_HEADER
    Local $iSizeOfRawData, $pPointerToRawData
    Local $iVirtualAddress
    For $i = 1 To $iNumberOfSections
        $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _
                "dword UnionOfVirtualSizeAndPhysicalAddress;" & _
                "dword VirtualAddress;" & _
                "dword SizeOfRawData;" & _
                "dword PointerToRawData;" & _
                "dword PointerToRelocations;" & _
                "dword PointerToLinenumbers;" & _
                "ushort NumberOfRelocations;" & _
                "ushort NumberOfLinenumbers;" & _
                "dword Characteristics", _
                $pPointer)
        $iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")
        $pPointerToRawData = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")
        $iVirtualAddress = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress")
        ; If there is data to write, write it where it should be written
        If $iSizeOfRawData Then
            $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", _
                    "ptr", $hProcess, _
                    "ptr", $pRemoteCode + $iVirtualAddress, _
                    "ptr", $pPointerToRawData, _
                    "dword", $iSizeOfRawData, _
                    "dword*", 0)
            If @error Or Not $aCall[0] Then
                DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
                Return SetError(9, $i, 0) ; WriteProcessMemory function or call to it while writing new sections failed
            EndIf
        EndIf
        ; Move pointer
        $pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure
    Next

    #Region 9. NEW ENTRY POINT
    ; Entry point manipulation
    DllStructSetData($tCONTEXT, "Eax", $pRemoteCode + $iEntryPointNEW) ; $iEntryPointNEW was relative address

    #Region 10. SET NEW CONTEXT
    ; New context:
    $aCall = DllCall("kernel32.dll", "int", "SetThreadContext", _
            "ptr", $hThread, _
            "ptr", DllStructGetPtr($tCONTEXT))
    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(10, 0, 0) ; SetThreadContext function or call to it failed
    EndIf

    #Region 11. RESUME THREAD
    ; And that's it! Continue execution
    $aCall = DllCall("kernel32.dll", "int", "ResumeThread", "ptr", $hThread)
    If @error Or $aCall[0] = -1 Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(11, 0, 0) ; ResumeThread function or call to it failed
    EndIf

    #Region 12. RETURN SUCCESS
    ; All went well. Return, for example, new PID:
    Return DllStructGetData($tPROCESS_INFORMATION, "ProcessId")

EndFunc ;==>_RunExeFromMemory

Edited August 13, 2009 by IchBistTod
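As an added example (not code from the thread or from trancexx's UDF), here is the header walk that region 4 of _RunExeFromMemory above performs, written in Python against a constructed PE32 header blob. It applies the same three checks (the SetError codes 3, 4 and 5) and additionally reads the two fields the rebasing discussion between monoceres and trancexx turns on: the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag (the "image randomization bit") and whether a base relocation directory is present. The build_sample_pe helper and every value in it are constructed for this example; the constants and offsets are the documented PE32 layout.

```python
import struct

# Constants the thread's loader compares against (it uses the decimal values 17744 and 267)
IMAGE_NT_SIGNATURE = 0x00004550                 # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B           # PE32, i.e. a 32-bit image
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # FileHeader.Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # the "image randomization bit" (ASLR opt-in)
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5

# PE32 optional header (96 bytes, as the thread's "$pPointer += 96") and section header (40 bytes)
OPTIONAL_HEADER32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
assert struct.calcsize(OPTIONAL_HEADER32_FMT) == 96 and struct.calcsize(SECTION_HEADER_FMT) == 40


def parse_pe_headers(data):
    """DOS header -> NT signature -> file header -> optional header -> section table,
    raising with the same error numbers the thread's function returns via SetError."""
    if data[:2] != b"MZ":
        raise ValueError("error 3: MS-DOS header missing")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # AddressOfNewExeHeader
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("error 4: wrong NT signature")
    fh = e_lfanew + 4
    machine, nsections, _, _, _, size_opt, characteristics = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                                 # size of IMAGE_FILE_HEADER
    opt = struct.unpack_from(OPTIONAL_HEADER32_FMT, data, oh)
    if opt[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("error 5: not a 32-bit (PE32) image, Magic=0x%X" % opt[0])
    entry_rva, image_base = opt[6], opt[9]                       # AddressOfEntryPoint, ImageBase
    size_of_image, size_of_headers = opt[19], opt[20]
    dll_characteristics, num_dirs = opt[23], opt[29]
    reloc_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:               # data directories follow the 96 bytes
        _, reloc_size = struct.unpack_from("<II", data, oh + 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    sections = []
    sh = oh + size_opt                                           # section table starts after the optional header
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, _ = struct.unpack_from(SECTION_HEADER_FMT, data, sh + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize,
                         "size_of_raw_data": raw_size, "pointer_to_raw_data": raw_ptr})
    return {
        "machine": machine,
        "entry_point_rva": entry_rva,
        "image_base": image_base,
        "size_of_image": size_of_image,
        "size_of_headers": size_of_headers,
        "aslr": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "relocatable": reloc_size > 0 and not (characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        "sections": sections,
    }


def loader_error_code(data):
    """0 if the headers pass the checks above, otherwise the SetError number the thread's function would return."""
    try:
        parse_pe_headers(data)
        return 0
    except ValueError as e:
        return int(str(e).split(":")[0].split()[1])


def build_sample_pe(aslr=True, magic=IMAGE_NT_OPTIONAL_HDR32_MAGIC):
    """Constructed minimal PE32 header set (no real code), enough to exercise the parser."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 96 + 16 * 8, 0x0102)  # i386, 2 sections
    dll_chars = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if aslr else 0
    optional = struct.pack(OPTIONAL_HEADER32_FMT,
                           magic, 9, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                           5, 1, 0, 0, 5, 1, 0, 0x4000, 0x400, 0, 2, dll_chars,
                           0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = b"".join(struct.pack("<II", 0x3000, 0x10) if i == IMAGE_DIRECTORY_ENTRY_BASERELOC
                    else struct.pack("<II", 0, 0) for i in range(16))
    sections = struct.pack(SECTION_HEADER_FMT, b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    sections += struct.pack(SECTION_HEADER_FMT, b".reloc", 0x10, 0x3000, 0x200, 0x600, 0, 0, 0, 0, 0x42000040)
    return (dos + b"PE\0\0" + file_header + optional + dirs + sections).ljust(0x400, b"\0")


if __name__ == "__main__":
    for key, value in parse_pe_headers(build_sample_pe()).items():
        print(key, hex(value) if isinstance(value, int) else value)
```

The "aslr" and "relocatable" fields are what a defender triaging a carved or embedded PE blob wants next to ImageBase and SizeOfImage: an image that opts into dynamic base but has its relocations stripped cannot be rebased at all, and an image whose preferred base or size does not fit the host process is exactly the failure mode this thread keeps hitting (error 6 and 7 in the function above).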
IchBistTod Posted August 14, 2009

Any help? Tested on XP and it's not working either.
trancexx (Author) Posted August 14, 2009

> Any help? Tested on XP and it's not working either.

What do you think could be wrong? I see you read binary, that's important (reading is generally very important). You think you could fix it? I saw you had some ideas before.
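Seen from the other side, the call chain _RunExeFromMemory makes against its suspended child (regions 2 to 11 of the function posted above: CreateProcessW with CREATE_SUSPENDED, GetThreadContext, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread) is what a detection engineer keys on. The following is an added example, not from the thread, that looks for that chain in a per-process API trace. The one-line-per-call log format, the pids and the timestamps are assumptions constructed for the example; a third process that only does the debugger-style suspend/GetThreadContext/SetThreadContext/Resume is included to show it is not flagged.

```python
import re

CREATE_SUSPENDED = 0x4

# Calls that must all appear between a suspended CreateProcessW and the ResumeThread
# for the sequence to look like the loader above (order among them is not enforced).
REQUIRED_BEFORE_RESUME = {"NtUnmapViewOfSection", "VirtualAllocEx",
                          "WriteProcessMemory", "SetThreadContext"}

# Constructed trace: one call per line, "<time> pid=<caller pid> api=<name> [key=value ...]"
SAMPLE_TRACE = """\
10:01:00 pid=4120 api=CreateProcessW image=AutoIt3.exe flags=0x4
10:01:00 pid=4120 api=GetThreadContext
10:01:01 pid=4120 api=NtUnmapViewOfSection
10:01:01 pid=4120 api=VirtualAllocEx size=0x4000 protect=0x40
10:01:02 pid=4120 api=WriteProcessMemory size=0x400
10:01:02 pid=4120 api=WriteProcessMemory size=0x200
10:01:03 pid=4120 api=SetThreadContext
10:01:03 pid=4120 api=ResumeThread
10:02:00 pid=4200 api=CreateProcessW image=notepad.exe flags=0x0
10:02:00 pid=4200 api=WriteProcessMemory size=0x10
10:02:01 pid=4200 api=ResumeThread
10:03:00 pid=4300 api=CreateProcessW image=target.exe flags=0x4
10:03:01 pid=4300 api=GetThreadContext
10:03:02 pid=4300 api=SetThreadContext
10:03:02 pid=4300 api=ResumeThread
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) api=(?P<api>\w+)(?P<rest>.*)$")
FLAGS_RE = re.compile(r"flags=(0x[0-9a-fA-F]+|\d+)")


def parse_trace(lines):
    """Yield (timestamp, pid, api, flags) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fm = FLAGS_RE.search(m.group("rest"))
        flags = int(fm.group(1), 0) if fm else 0
        events.append((m.group("ts"), int(m.group("pid")), m.group("api"), flags))
    return events


def find_hollowing(lines):
    """Return {pid: time of ResumeThread} for callers that create a suspended process and,
    before resuming it, unmap, allocate, write into it and replace its thread context."""
    in_progress = {}   # caller pid -> set of required calls seen since the suspended create
    flagged = {}
    for ts, pid, api, flags in parse_trace(lines):
        if api == "CreateProcessW":
            if flags & CREATE_SUSPENDED:
                in_progress[pid] = set()      # a suspended create opens a window
            else:
                in_progress.pop(pid, None)    # a normal create closes any open window
            continue
        if pid not in in_progress:
            continue
        if api == "ResumeThread":
            seen = in_progress.pop(pid)
            if not REQUIRED_BEFORE_RESUME - seen:
                flagged[pid] = ts
        elif api in REQUIRED_BEFORE_RESUME:
            in_progress[pid].add(api)
    return flagged


if __name__ == "__main__":
    print(find_hollowing(SAMPLE_TRACE))
```

The matcher deliberately checks for the set of calls inside the suspended window rather than their exact order, because the function above issues WriteProcessMemory several times (headers, then one call per section) and other loaders reorder the unmap and the allocation. Real telemetry sources expose only a subset of these calls, so a production rule is usually built on the events that are available (suspended process creation, cross-process memory writes, thread context changes) rather than on a full API trace.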