Posted

:D .... Any other way out for AutoIt compiled execs...?

1) Code a READEOF function.

2) You have to know how AutoIt reads its source code.

3) Then you split the interpreter (the actual AU3.exe) and the compiled binary script (the actual *.a3x) out of a compiled AutoIt script.

4) Make a copy (optional) of the program you want to inject into (VictimProgram).

5) Write the compiled binary script to the EOF of the "VictimProgram".

6) Finally you inject the !!!INTERPRETER!!! (not the complete compiled AutoIt script) into the VictimProgram (with the written EOF).

7) Enjoy

or

patch the stub.bin file so it would read the source code from somewhere else (memory...)

Posted

why?

Posted (edited)

Thanks Snify, I had presumed it would be something similar to what you have outlined.

Now for the "because" or "why":

I tried Themida but :D utter failure.

My intention (2 reasons):

(Reason 1) To defeat the AutoIt decompiler module which is available for download in underground forums.

Tried one more AutoIt packer, AutoIt Camo: though the size of the exe bloats, at least the decompiler fails miserably. The very mention of an AutoIt decompiler invokes sharp reactions and criticism, but the truth is that it is out there.

(Reason 2) I am using this method for strengthening detection by anti-viruses, as this method is rarely used (as per observation), and whenever "executing binary from memory" is used, the purpose/intention has always been suspicious.

Thanks again.

Regards

Delta Rocked

Edited by deltarocked
Posted (edited)

What do you mean the binary bloats after you use AutoIt3Camo? That is because you did not instruct it to use your software armoring tool of choice, so you end up with the default size of the interpreter plus the size of the a3x component.

Nothing is actually added by A3C that you don't tell it to add, and it is not a packer at all, simply a build wrapper.

Vlad

Edited by Mobius


Posted (edited)

Hi all,

Just out of curiosity I tried the script.

I downloaded RunBinary and changed the line:

Global $sModule = "PathFile.exe"

I get this error:

"Error",
"Binary data seems to be corrupted!"
"MS-DOS header is wrong or missing"

The software tested has no GUI (command-line only), about 1MB. Can I do anything, or does the script simply not work with every .exe?

Thanks

Edited by johnmcloud
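Snify's steps 1 and 5 (a READEOF function, and writing a payload to the EOF of another PE) and the "MS-DOS header is wrong or missing" error reported just above come down to the same header arithmetic: a PE's real data ends at the largest PointerToRawData + SizeOfRawData over its sections, and anything after that offset is overlay; a loader that refuses a buffer without "MZ" and "PE\0\0" is doing that check before it maps anything. The Python below is an added example, not code from this thread or from AutoIt: it validates the headers, splits or appends an overlay, and labels an overlay carrying the 16-byte signature that public AutoIt unpackers look for in front of a compiled script. The minimal PE it builds is a constructed fixture for exercising the parser, not a runnable program; the error strings are chosen to echo the thread, and the function names are this example's own.

```python
"""Validate PE headers, find the overlay past the last section, and
split or append it. Added example for the RunBinary thread; stdlib only."""
import struct

# 16-byte signature that public AutoIt unpackers match in front of a
# compiled script blob (the *.a3x payload). Used here only to label an
# overlay, never to decode it.
AUTOIT_SCRIPT_MAGIC = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")


class PEError(ValueError):
    """Raised with a message in the spirit of RunBinary's diagnostics."""


def pe_sections(data: bytes):
    """Return (overlay_offset, [(name, raw_ptr, raw_size), ...]).

    Raises PEError on anything a loader would reject before mapping."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise PEError("MS-DOS header is wrong or missing")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEError("PE signature is wrong or missing")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size
    end = sec_table + nsec * 40  # the headers themselves are file data too
    sections = []
    for i in range(nsec):
        off = sec_table + i * 40
        if off + 40 > len(data):
            raise PEError("section table truncated")
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        if raw_ptr + raw_size > len(data):
            raise PEError(f"section {name} extends past end of file")
        sections.append((name, raw_ptr, raw_size))
        end = max(end, raw_ptr + raw_size)
    return end, sections


def split_overlay(data: bytes):
    """READEOF: return (image_without_overlay, overlay_bytes)."""
    end, _ = pe_sections(data)
    return data[:end], data[end:]


def append_overlay(host: bytes, payload: bytes) -> bytes:
    """Step 5 of the recipe: write payload to the EOF of a host PE."""
    pe_sections(host)  # refuse to touch something that is not a PE
    return host + payload


def classify_overlay(overlay: bytes) -> str:
    """Cheap triage of what was found past the last section."""
    if not overlay:
        return "none"
    if AUTOIT_SCRIPT_MAGIC in overlay:
        return "autoit-script"
    return "unknown"


def build_minimal_pe(section_data: bytes = b"\xc3" * 16) -> bytes:
    """Constructed fixture: a well-formed PE32 skeleton with one section
    whose raw data starts at 0x200. It exercises the parser and is not a
    program that could run."""
    e_lfanew, opt_size, raw_ptr = 0x40, 0xE0, 0x200
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    sec = bytearray(40)
    sec[:5] = b".text"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", sec, 8, 0x1000, 0x1000, len(section_data), raw_ptr)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)
    return header.ljust(raw_ptr, b"\0") + section_data
```

Run split_overlay on a real compiled AutoIt exe and the returned overlay is exactly the blob Snify's step 3 separates from the interpreter; run it on a "victim" after step 5 and the image half is byte-identical to the original program, which is also why overlay size and hash are the first things to record when triaging such a sample.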
Posted

#include <Constants.au3>

;------------------------------------------------------------------------
; Create the boot (loader) entry and capture the ID (GUID) of the new entry.
; bcdedit prints "The entry {GUID} was successfully created." on stdout, so the
; GUID is cut straight out of that line. (The original wrapped this in a
; "for /f ... do set guid={%1}" loop, which only sets a variable inside the
; child cmd.exe and prints nothing, so nothing ever reached StdoutRead.)
$Win = "window7pe_by_Alex751"

Local $cmd1 = ' /c bcdedit.exe /create /application OSLOADER /d "' & $Win & '"'

$iPID = Run(@ComSpec & $cmd1, "", @SW_HIDE, $STDERR_CHILD + $STDOUT_CHILD)
ProcessWaitClose($iPID) ; ProcessWait only waits for the process to exist; the output needs it to finish

$Myread = StdoutRead($iPID)

$sTxt = $Myread
$sTxt = StringTrimLeft($sTxt, StringInStr($sTxt, "{"))
$sTxt = StringLeft($sTxt, StringInStr($sTxt, "}") - 1)
; Extracted boot-entry ID (GUID without braces): $sTxt

;------------------------------------------------------
; Write the ID to a file: ($sTxt)
$file = FileOpen("GUIGetMsg.txt", 1) ; 1 = append
FileWriteLine($file, "The entry {" & $sTxt & "} was successfully created.")
FileClose($file)

;------------------------------------------------------
; Fill in the new entry's settings (paths and the resumeobject GUID are specific to the author's machine)
RunWait(@ComSpec & ' /c bcdedit /set {' & $sTxt & '} device vhd=[D:]\Users\Alex751\windows7PE_from_bcd_boot.vhd,locate=custom:12000002', "", @SW_HIDE)
RunWait(@ComSpec & ' /c bcdedit /set {' & $sTxt & '} path \Windows\system32\winload.exe', "", @SW_HIDE)
RunWait(@ComSpec & ' /c bcdedit /set {' & $sTxt & '} description Windows7-PE***Copyright*2012*Alex751*', "", @SW_HIDE)
RunWait(@ComSpec & ' /c bcdedit /set {' & $sTxt & '} locale en-US', "", @SW_HIDE)
RunWait(@ComSpec & ' /c bcdedit /set {' & $sTxt & '} osdevice vhd=[D:]\Users\Alex751\windows7PE_from_bcd_boot.vhd,locate=custom:22000002', "", @SW_HIDE)
RunWait(@ComSpec & ' /c bcdedit /set {' & $sTxt & '} systemroot \Windows', "", @SW_HIDE)
RunWait(@ComSpec & ' /c bcdedit /set {' & $sTxt & '} resumeobject {d6b7fc8d-35ee-11e1-b8a7-806e6f6e6963}', "", @SW_HIDE)
RunWait(@ComSpec & ' /c bcdedit /set {' & $sTxt & '} nx OptIn', "", @SW_HIDE)
RunWait(@ComSpec & ' /c bcdedit /set {' & $sTxt & '} pae ForceEnable', "", @SW_HIDE)
RunWait(@ComSpec & ' /c bcdedit /set {' & $sTxt & '} detecthal Yes', "", @SW_HIDE)
RunWait(@ComSpec & ' /c bcdedit /set /displayorder {' & $sTxt & '} /addlast', "", @SW_HIDE)

MsgBox(0, "GUID", "{" & $sTxt & "} boot-entry identifier")

Posted

Can a binary created with this method be executed with parameters?

If yes, how?

Heroes, there is no such thing

One day I'll discover what is so special about IE.au3 that so many users use it.
C'mon, there's InetRead and WinHTTP, way better

Posted

The function definition is as follows:

_RunBinary($bBinaryImage, $sCommandLine = "", $sExeModule = @AutoItExe)

Now make a guess yourself :)...

I found that a few minutes ago, thanks ;)

Do you know how I can enable $STDOUT_CHILD and hide the window with _RunBinary?

And what is this: $sExeModule?


Posted

I'm not sure ;), this code is fu**ing complex and I guess only trancexx really understands it :)... Maybe it's sufficient to add the STARTF_USESTDHANDLES flag to the STARTUPINFO structure?

As far as I understand the code, $sExeModule is a generic exe you have to start (e.g. calc.exe) to set up a "process environment" into which the function injects your binary data to run.

Posted (edited)

I found this:

BOOL WINAPI ShowWindow(
    __in HWND hWnd,
    __in int nCmdShow
);

hWnd = window handle (how can I know it?)
nCmdShow = 'SW_HIDE' or '0'

I just don't know how I could get $STDOUT_CHILD from this process :D (Hope trancexx knows how to do it ;))

Thanks for your time btw :)

Edited by DiOgO


Posted

Really nice work! Thx! I wonder whether there is a way to compile another exe file into my script as a binary variable rather than using the FileInstall function.

Miss Dong, you are beautiful when you smile, like the clear water under Anhe Bridge...

Posted

You can include the file as a variable holding its binary, then use FileWrite() to create the file wherever you want it.

FileToVariable(FileOpenDialog("Select File To Process", "", "All(*.*)"))

; Reads a file in binary mode and puts an AutoIt source snippet on the clipboard
; that declares a string variable holding the file's bytes as a hex literal,
; split into 120-character lines. With $Compress = True the bytes are first
; LZNT1-compressed through ntdll (see _LZNTCompress below).
Func FileToVariable($File, $Compress = False)
    If $File = "" Then Exit
    Local $Variable = StringStripWS(InputBox("Variable Name", "Enter Var Name:", "Bin"), 3)
    If $Variable = "" Then Exit
    Local $Handle = FileOpen($File, 16) ; 16 = binary mode
    Local $Source = FileRead($Handle)
    FileClose($Handle)
    If $Compress Then
        $Source = _LZNTCompress($Source, 258)
        If @error Then Exit ; compression failed; do not emit an empty literal
    EndIf
    Local $StringLen = 120
    Local $String = String($Source) ; "0x..." hex representation of the binary
    ; the first line is two characters shorter to make room for the "0x" prefix
    Local $Out = "Local $" & $Variable & " = '" & StringLeft($String, $StringLen - 2) & "'& _" & @CRLF
    $String = StringTrimLeft($String, $StringLen - 2)
    While StringLen($String) > $StringLen
        $Out &= " '" & StringLeft($String, $StringLen) & "'& _" & @CRLF
        $String = StringTrimLeft($String, $StringLen)
    WEnd
    If StringLen($String) <> 0 Then $Out &= " '" & $String & "'" & @CRLF
    ClipPut($Out)
EndFunc   ;==>FileToVariable

; Compresses $vInput with ntdll's RtlCompressBuffer.
; $iCompressionFormatAndEngine: 2 = COMPRESSION_FORMAT_LZNT1 with the standard engine,
; 258 (0x102) = LZNT1 with COMPRESSION_ENGINE_MAXIMUM; anything else falls back to 2.
; Returns the compressed binary, or "" with @error set (1 = workspace size failed, 2 = compression failed).
Func _LZNTCompress($vInput, $iCompressionFormatAndEngine = 2)
    ; the original test "Not $x = 258" compared (Not $x) with 258 and never matched
    If $iCompressionFormatAndEngine <> 258 Then $iCompressionFormatAndEngine = 2
    Local $bBinary = Binary($vInput)

    Local $tInput = DllStructCreate("byte[" & BinaryLen($bBinary) & "]")
    DllStructSetData($tInput, 1, $bBinary)

    Local $a_Call = DllCall("ntdll.dll", "int", "RtlGetCompressionWorkSpaceSize", _
            "ushort", $iCompressionFormatAndEngine, _
            "dword*", 0, _ ; CompressBufferWorkSpaceSize (out)
            "dword*", 0)   ; CompressFragmentWorkSpaceSize (out)

    If @error Or $a_Call[0] Then
        Return SetError(1, 0, "") ; error determining workspace buffer size
    EndIf

    Local $tWorkSpace = DllStructCreate("byte[" & $a_Call[2] & "]") ; workspace is needed for compression

    Local $tBuffer = DllStructCreate("byte[" & 16 * DllStructGetSize($tInput) & "]") ; initially oversizing the output buffer

    $a_Call = DllCall("ntdll.dll", "int", "RtlCompressBuffer", _
            "ushort", $iCompressionFormatAndEngine, _
            "ptr", DllStructGetPtr($tInput), _
            "dword", DllStructGetSize($tInput), _
            "ptr", DllStructGetPtr($tBuffer), _
            "dword", DllStructGetSize($tBuffer), _
            "dword", 4096, _ ; UncompressedChunkSize
            "dword*", 0, _   ; FinalCompressedSize (out)
            "ptr", DllStructGetPtr($tWorkSpace))

    If @error Or $a_Call[0] Then
        Return SetError(2, 0, "") ; error compressing
    EndIf

    ; view only the bytes actually written ($a_Call[7] = FinalCompressedSize)
    Local $tOutput = DllStructCreate("byte[" & $a_Call[7] & "]", DllStructGetPtr($tBuffer))

    Return SetError(0, 0, DllStructGetData($tOutput, 1))
EndFunc   ;==>_LZNTCompress
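The FileToVariable helper above turns a file into a hex string literal, optionally LZNT1-compressed through ntdll, split into 120-character source lines. The Python below is an added example, not the thread's code, that performs the same round trip so the format can be checked offline: build the chunked literal, parse it back, and verify a SHA-256 of the recovered bytes before they are handed to anything that executes them. zlib stands in for the Windows-only LZNT1 compressor, the sample bytes in the test are constructed, and the function names are this example's own.

```python
"""Embed a file as a chunked hex literal and recover it again.
Added example for the FileToVariable/_LZNTCompress post; stdlib only.
zlib replaces LZNT1, which has no cross-platform implementation here."""
import hashlib
import zlib

LINE_LEN = 120  # same chunk width the AutoIt helper uses


def file_to_literal(name: str, blob: bytes, compress: bool = False) -> str:
    """Emit AutoIt-style source text:
        Local $name = '0x....'& _
         '....'& _
         '....'
    The first chunk is two characters shorter, leaving room for "0x"."""
    if compress:
        blob = zlib.compress(blob, 9)
    hexstr = "0x" + blob.hex().upper()
    first, rest = hexstr[:LINE_LEN - 2], hexstr[LINE_LEN - 2:]
    lines = [f"Local ${name} = '{first}'"]
    while rest:
        chunk, rest = rest[:LINE_LEN], rest[LINE_LEN:]
        lines.append(f" '{chunk}'")
    return "& _\n".join(lines) + "\n"


def literal_to_bytes(src: str, compressed: bool = False) -> bytes:
    """Reverse file_to_literal: join the quoted pieces, decode the hex,
    and inflate if the literal was emitted compressed."""
    pieces = []
    for line in src.splitlines():
        start, end = line.find("'"), line.rfind("'")
        if start < 0 or end <= start:
            raise ValueError(f"malformed literal line: {line!r}")
        pieces.append(line[start + 1:end])
    hexstr = "".join(pieces)
    if not hexstr.startswith("0x"):
        raise ValueError("literal does not start with 0x")
    blob = bytes.fromhex(hexstr[2:])
    return zlib.decompress(blob) if compressed else blob


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def verify_embedded(blob: bytes, expected_sha256: str) -> bool:
    """Gate before use: an embedded blob is only as trustworthy as the
    hash you recorded when you embedded it, so check it before the bytes
    go to FileWrite() or to an in-memory loader."""
    return sha256_hex(blob) == expected_sha256
```

The recovered bytes exist only in memory at this point; writing them to disk with FileWrite() is what FileInstall already does for you, while passing them straight to a loader such as _RunBinary is the part this thread is about, and the hash check is the same in either case.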
Posted

Wouldn't it be the same as FileInstall? (create a file and execute?)

