Posted

Btw, you think you could dance to this? I'm just doing it :)

rofl. Reminds me of the Elaine dance ;)

Posted (edited)

There are few stalkers around that don't like me calling them idiots.

I'm glad you like the script.

Btw, you think you could dance to this? I'm just doing it :)

lol, no. I'm not the dancer type.

I have bad taste in music.

I.e. one of my songs.

But yeah, I love this script. It must have been extremely painful to find all those DLL functions etc.

But as I discovered, it's pretty buggy to retrieve the binary data over the internet. Still, this allows you to include several programs in binary format in a script and decide which one you'd like to run!

So it's still pure awesome!!!

Thank you Trancexx!

Edited by System238
  • 1 month later...
Posted

This works amazingly well. I have started retooling many of my utilities to not install programs as temporary files.

Combined with my inline binary file generator, this is about as easy as it gets.

Thank you.

  • 3 weeks later...
Posted

@ trancexx

Hello, again I need your valuable support!

I've been trying to redirect the output of a DOS program (hStdOutput). I've managed to make the window hidden, but I still could not read the data the program returns.

Here's the part I added to hide the window and redirect the output:

DllStructSetData($tSTARTUPINFO, "Flags", BitOR(0x00000001, 0x00000100))
DllStructSetData($tSTARTUPINFO, "ShowWindow", 0)
DllStructSetData($tSTARTUPINFO, "hStdOutput", $hMailSlot)

I've searched the web for a way to redirect the output, but could not find much that helped.

Do you know how to redirect "ptr hStdOutput"?


  • 4 weeks later...
Posted (edited)

Very nice work, and I like the combination with InlineMe.

It occurred to me that it might be possible to use an include file with an external compiled script to compile your script as 64-bit, then embed that into the script and recompile as 32-bit. Then check which platform the script is running on and run the 64-bit version from memory. Theoretically, all you would have to do is set a Run_Before directive in your script and all the magic would happen automatically.

@trancexx mentioned it'd be necessary to change the structures when embedding a 64-bit program inside a 32-bit one, so that'd have to be done for this.

Here's an early draft.

In your script:

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Run_Before=Compile64bit.exe /before "%in%"
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****

Compile64bit.exe /before "%in%":

  • Modify your script:
  • ...Disable #AutoIt3Wrapper_Run_Before=Compile64bit.exe /before "%in%"
  • ...Add #AutoIt3Wrapper_UseX64=y
  • Compile your script as X64
  • Modify your script:
  • ...Add #AutoIt3Wrapper_Run_After=Compile64bit.exe /after "%in%"
  • ...Remove #AutoIt3Wrapper_UseX64=y
  • ...Use InlineMe functions to convert the compiled script into a variable
  • ...Add the region below
  • Exit and let your script compile normally
Compile64bit.exe /after "%in%":

  • Modify your script:
  • ...Enable #AutoIt3Wrapper_Run_Before=Compile64bit.exe /before "%in%"
  • ...Remove #AutoIt3Wrapper_Run_After=Compile64bit.exe /after "%in%"
Region added by Compile64bit.exe /before "%in%":

#region ;**** Compile64bit ****
#include <RunBinary.au3>
$__sCompile64bitData = "" ; Compile64bit.exe uses InlineMe functions to generate the binary data
If @AutoItX64 Then
    Exit _RunWaitBinary($__sCompile64bitData, $CmdLineRaw) ; Version of RunBinary that waits for the embedded program to finish, then issues the exit code generated by it
EndIf
#endregion ;**** Compile64bit ****

Edit: Changed it from trying to do it all with an include file to just adding #AutoIt3Wrapper_Run_Before to your script and having Compile64bit.exe do all the work.

Edited by c0deWorm

  • 1 month later...
Posted

help me?

On Windows 7 x64 I did a lot of tests: the module is x64, AutoIt is x64, and the victim is also x64, but I can't run the script successfully.

I guess I didn't find the proper victim. Could anyone tell me a proper victim on Windows x64?

  • 3 weeks later...
Posted (edited)

Very good work, trancexx.

Could this also work with non-PE-format programs, like .com files coded in assembly?

Thanks.

Your question is funny. Here's mine... I bet you are rather nice looking 50 years old guy. Married, two kids. Daughters. I'd say older one is 15-16. Bought a new computer. Installed win7 x64 on it. Right?

I'm kidding. :)

Edited by trancexx


Posted

This script is very dangerous. Already I imagine script kiddies are making crypters with it.


Posted

Very good work, trancexx.

Could this also work with non-PE-format programs, like .com files coded in assembly?

Don't .COM files have a predetermined ORG/start address, and offsets for everything, so it will only work if it's loaded at the correct memory address?


Posted (edited)

Thanks hyperzap for your good answer.

I bet you are rather nice looking 50 years old guy. Married, two kids. Daughters. I'd say older one is 15-16. Bought a new computer. Installed win7 x64 on it. Right?

@trancexx No, not really.

Edited by ChristophX64

Posted (edited)

Yes it is.

You think it should be removed?

Too late anyway. Fennek (handle, not username) has already made two priv8 crypters. Fortunately they are both shit.

You can't stop these kids anyway. Fortunately they are all moving to VB.NET and all we are left with is the game automators (oh, and fennek).

And most AVs now have proper detection schemes for AutoIt (based on processing the tokens). This _could_ become detected though... if the AVs take a signature of this rather than the stub of the crypter.

EDIT: Apparently my concerns are invalid.

Despite the obvious risks, no. It holds merit and I do not think it should be removed.

Edited by hyperzap


Posted

Too late anyway. Fennek (handle, not username) has already made two priv8 crypters. Fortunately they are both shit.

You can't stop these kids anyway. Fortunately they are all moving to VB.NET and all we are left with is the game automators (oh, and fennek).

And most AVs now have proper detection schemes for AutoIt (based on processing the tokens). This _could_ become detected though... if the AVs take a signature of this rather than the stub of the crypter.

I don't care if it's too late or too early. I don't care what someone do/does/did with the code. I don't care about AVs and their heuristic. I don't care about hax0rz nor about stopping anyone doing anything.

The posted code is for educational purposes. It can teach a lot about the inner workings of Windows NT systems, particularly about loading PE files (executables). It can also teach AutoIt.

If you want to talk about technical details, semantics and other similar things, I'm all for it. If you, or anyone, wants to preach (ethics and moral) then please just don't. I find that to be extremely boring here.


  • 3 weeks later...
Posted

Hi Trancexx,

Is it possible to pass parameters to the running file?

I tried launching a Command Line program that converts .bmp to .gif

Usage is: bmp2gif.exe [/options] [input] [/format] [output]

$iNewPID = _RunBinary($bBinary,"/convert " & @ScriptDir & "\image10.bmp" & " /gif " & @ScriptDir & "\image10.gif")

Console results are:

Try No1
!!!NOT RELOCATABLE MODULE. I WILL TRY BUT THIS MAY NOT WORK!!!
New process sucessfully created. PID is: 6224
+>17:06:58 AutoIT3.exe ended.rc:0
>Exit code: 0    Time: 1.260

I didn't get any error except the fact that it didn't create the output file.

Thanks,

Marco

Posted (edited)

Yeah, now it works smoothly.

I need two more hints from you, if possible:

a ) Shall I use #AutoIt3Wrapper_Res_File_Add to add the .exe to the compiled script or other ways?

b ) Is it possible to avoid the "flashing" command shell during the process execution? I used to run the program with

RunWait($Converter_name & " /convert " & @ScriptDir & "\image10.bmp" & " /gif " & @ScriptDir & "\image10.gif", @ScriptDir, @SW_HIDE)

and it runs completely hidden, but I noticed that with _runbinary() the CLI flashes during execution.

Thanks,

M.

Edited by marko001

Posted

Yeah, now it works smoothly.

I need two more hints from you, if possible:

a ) Shall I use #AutoIt3Wrapper_Res_File_Add to add the .exe to the compiled script or other ways?

b ) Is it possible to avoid the "flashing" command shell during the process execution? I used to run the program with

RunWait($Converter_name & " /convert " & @ScriptDir & "\image10.bmp" & " /gif " & @ScriptDir & "\image10.gif", @ScriptDir, @SW_HIDE)

and it runs completely hidden, but I noticed that with _runbinary() the CLI flashes during execution.

Thanks,

M.

Of course you can hide the window. You just have to set proper fields of $tSTARTUPINFO.

;...

Local $tSTARTUPINFO = DllStructCreate("dword  cbSize;" & _
            "ptr Reserved;" & _
            "ptr Desktop;" & _
            "ptr Title;" & _
            "dword X;" & _
            "dword Y;" & _
            "dword XSize;" & _
            "dword YSize;" & _
            "dword XCountChars;" & _
            "dword YCountChars;" & _
            "dword FillAttribute;" & _
            "dword Flags;" & _
            "word ShowWindow;" & _
            "word cbReserved2;" & _ ; element names must be unique, so use the Win32 names here
            "ptr lpReserved2;" & _
            "ptr hStdInput;" & _
            "ptr hStdOutput;" & _
            "ptr hStdError")
DllStructSetData($tSTARTUPINFO, "Flags", 1) ; STARTF_USESHOWWINDOW
DllStructSetData($tSTARTUPINFO, "ShowWindow", @SW_HIDE)

;...

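An added example (not trancexx's code and not part of RunBinary) that covers both the hidden-window question and the earlier hStdOutput question in one place: STARTF_USESHOWWINDOW hides the console, and STARTF_USESTDHANDLES only works when the output handle is inheritable and CreateProcess is called with bInheritHandles set, which is the part the earlier post was missing. It launches an ordinary on-disk cmd.exe (a constructed sample command), not a memory-loaded module; the function name _RunHiddenCapture is hypothetical.

```autoit
#include <WinAPI.au3>

; Launch a console program hidden and capture its stdout/stderr through an anonymous pipe.
; $sCmd is the full command line, e.g. 'cmd.exe /c ver' (constructed sample input).
Func _RunHiddenCapture($sCmd)
    ; the write end must be inheritable, otherwise the child receives an invalid hStdOutput
    Local $tSA = DllStructCreate("dword Length;ptr Descriptor;bool InheritHandle")
    DllStructSetData($tSA, "Length", DllStructGetSize($tSA))
    DllStructSetData($tSA, "InheritHandle", True)
    Local $aPipe = DllCall("kernel32.dll", "bool", "CreatePipe", "handle*", 0, "handle*", 0, "struct*", $tSA, "dword", 0)
    If @error Or Not $aPipe[0] Then Return SetError(1, 0, "")
    Local $hRead = $aPipe[1], $hWrite = $aPipe[2]
    ; keep the read end out of the child, or ReadFile never sees end-of-file
    DllCall("kernel32.dll", "bool", "SetHandleInformation", "handle", $hRead, "dword", 1, "dword", 0) ; HANDLE_FLAG_INHERIT = 1
    Local $tSTARTUPINFO = DllStructCreate("dword cbSize;ptr Reserved;ptr Desktop;ptr Title;dword X;dword Y;" & _
            "dword XSize;dword YSize;dword XCountChars;dword YCountChars;dword FillAttribute;dword Flags;" & _
            "word ShowWindow;word cbReserved2;ptr lpReserved2;ptr hStdInput;ptr hStdOutput;ptr hStdError")
    DllStructSetData($tSTARTUPINFO, "cbSize", DllStructGetSize($tSTARTUPINFO))
    DllStructSetData($tSTARTUPINFO, "Flags", BitOR(0x00000001, 0x00000100)) ; STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES
    DllStructSetData($tSTARTUPINFO, "ShowWindow", @SW_HIDE)
    DllStructSetData($tSTARTUPINFO, "hStdInput", _WinAPI_GetStdHandle(0)) ; STD_INPUT_HANDLE
    DllStructSetData($tSTARTUPINFO, "hStdOutput", $hWrite)
    DllStructSetData($tSTARTUPINFO, "hStdError", $hWrite)
    Local $tPROCESS_INFORMATION = DllStructCreate("handle hProcess;handle hThread;dword ProcessId;dword ThreadId")

    ; bInheritHandles = True is what actually hands the pipe to the child process
    Local $aRet = DllCall("kernel32.dll", "bool", "CreateProcessW", "ptr", 0, "wstr", $sCmd, "ptr", 0, "ptr", 0, _
            "bool", True, "dword", 0, "ptr", 0, "ptr", 0, "struct*", $tSTARTUPINFO, "struct*", $tPROCESS_INFORMATION)
    Local $iErr = @error
    _WinAPI_CloseHandle($hWrite) ; drop our copy so the pipe reports EOF once the child exits
    If $iErr Or Not $aRet[0] Then
        _WinAPI_CloseHandle($hRead)
        Return SetError(2, 0, "")
    EndIf

    Local $sOut = "", $tBuf = DllStructCreate("byte[4096]")
    While 1
        Local $aRead = DllCall("kernel32.dll", "bool", "ReadFile", "handle", $hRead, "struct*", $tBuf, "dword", 4096, "dword*", 0, "ptr", 0)
        If @error Or Not $aRead[0] Or $aRead[4] = 0 Then ExitLoop ; ERROR_BROKEN_PIPE: all writers are gone
        $sOut &= BinaryToString(BinaryMid(DllStructGetData($tBuf, 1), 1, $aRead[4]))
    WEnd
    _WinAPI_CloseHandle($hRead)
    _WinAPI_CloseHandle(DllStructGetData($tPROCESS_INFORMATION, "hThread"))
    _WinAPI_CloseHandle(DllStructGetData($tPROCESS_INFORMATION, "hProcess"))
    Return $sOut
EndFunc

ConsoleWrite(_RunHiddenCapture("cmd.exe /c ver") & @CRLF)
```

The same three STARTUPINFO fields and the inheritable handle are what a patched _RunBinary would need; the mailslot approach in the earlier post fails without the inheritance step even when the Flags value is right.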
