169 replies to this topic

[trancexx]

It's about running exe from memory as it's often called.

So you have some binary data that you want to embed in your script and run afterward like some additional program. In this post I will try to explain how to do it.

First to deal with mentioned binary as that's, in spite of the plainness of retrieving it, often insuperable. To avoid questions about that this is one way of getting it:

AutoIt        expandcollapse  popup

Global $sModule = "E:Program filesGUIDGenGUIDGEN.EXE" ; change to yours wanted

Global $hModule = FileOpen($sModule, 16)
If @error Then Exit

Global $bBinary = FileRead($hModule)
FileClose($hModule)

Global Const $MAX_LINESIZE = 4095
Global $iNewLine, $j
Global $iChinkSize = 32
Global $sBinary


For $i = 1 To BinaryLen($bBinary) Step $iChinkSize

    $j += 1

    If 4*($j * $iChinkSize) > $MAX_LINESIZE - 129 Then
        $iNewLine = 1
    EndIf

    If $iNewLine Then
        $iNewLine = 0
        $j = 0
        $sBinary = StringTrimRight($sBinary, 5)
        $sBinary &= @CRLF & '$bBinary &= "' & StringTrimLeft(BinaryMid($bBinary, $i, $iChinkSize), 2) & '" & _' & @CRLF
        ContinueLoop
    EndIf

    If $i = 1 Then
        $sBinary &= '$bBinary = "' & BinaryMid($bBinary, $i, $iChinkSize) & '" & _' & @CRLF
    Else
        $sBinary &= '       "' & StringTrimLeft(BinaryMid($bBinary, $i, $iChinkSize), 2) & '" & _' & @CRLF
    EndIf

Next

$sBinary = StringTrimRight($sBinary, 5)

ClipPut($sBinary)

ConsoleWrite($sBinary)

Now for what's really important...
Executable file causes a computer to perform indicated tasks according to encoded instructions. Files that we talk about are in PE format.
When exe file is run special loader reads it and performs act of loading. That's how that particular exe gets in touch with a processor. Processor then executes different actions described by the opcodes.
Main requirement for any PE file required by the loader is for it to actually exist. To be written on the drive. It can't be in the air. That's not allowed and when you think of it it's only logical.

So how to run from memory?
I'm gonna fool the system. It will think that all works as it should and will have no idea that it plays my game.
There is more than way of doing that. Method described here has been used by different peoples before. When doing research for this post I have encountered many implementations. And I must say that I was very disappointed seeing that even the writers of the code often lack understanding of it. It's kind of pathetic when you see some code used and when asking author what's this or that you get answer "I don't know". And if you ask for the code to be explained by words (any fucking human language) coders fail terribly. How can you write code if you can't explain it?!?

Anyway, this is the procedure:

• Start your script
• Create new process using CreateProcess function with CREATE_SUSPENDED flag
• Use GetThreadContext function to fill CONTEXT structure
• Read and interpret passed binary
• Allocate enough memory for the new module inside the victim process
• Simulate loader. Construct the new module (load) in place of allocated space.
• Make use of mentioned CONTEXT structure. Change entry point data and ImageBaseAddress data.
• Resume execution

If all that went well windows should now be running not the original module but the new, saved in script as a variable.
Script:
 RunBinary.au3   27.46K   2581 downloads

Script is well commented so it shouldn't be too hard to get a grip.

New script is taking all possible advantages of PE format. That means if your module (embedded) has relocation directory it will run for sure.If not it could fail.

When it will fail?
Modules with no reloc directory (IMAGE_DIRECTORY_ENTRY_BASERELOC) ought to be loaded at precise address (stored within module; IMAGE_OPTIONAL_HEADER ImageBase). If for some reason not enough space can be allocated at that address within victim's memory space, function will fail. Thing is system makes rules, if we are not allowed to some memory space of a process there is nothing to do then to try again. So, try again if it fails. Maybe change the 'victim'.




edit:
64bit support added. That means you can embed either x64 or x86 modules.
If your AutoIt is x64 you embed x64 modules. If AutoIt is x86 embed x86.
x64 AutoIt could also use embedded x86 modules but I don't like that because needed structures would have to be changed to something that's not meeting aesthetics standards .

Edited by trancexx, 05 October 2012 - 12:06 PM.

[Manko]

Really interesting post trancexx!

But beeing able to reach ring 0, by manipulating context structure, sounds too fantastic... Isn't such things protected, atleast on w2k and up?

Thanks for making the CONTEXT struct available on autoit, It makes me remember my days playing around with "debugging" AsProtect...

Thanks also for making this interesting method available!

BUT, I was wondering... This scheme doesn't work if the app we want to run, statically uses other dlls than the dummy of our choice.. right?
We would have to load those dlls and manually fill in IAT...? Would that be enough? Also if dlls conflict they would be rebased...
Maybe we would have to do all IAT for safetys sake...

Realized it is paused before loader does all dll loading mapping for us.

I'm glad I'm on vacation, otherwise I might dive headfirst into this...

PS. Speaking of vacation... I was in split last summer. Some hot week! 36-40 degrees in the shade, almost all the time. Also, the nights were wonderful! DS.

/Manko [EDIT: Just to mention, Ive been to split... And I was too hasty about problems with scheme...]

Edited by Manko, 03 August 2009 - 01:10 PM.

[trancexx]

I'm glad I'm on vacation, otherwise I might dive headfirst into this...

PS. Speaking of vacation... I was in split last summer. Some hot week! 36-40 degrees in the shade, almost all the time. Also, the nights were wonderful! DS.

Yeah, it's pretty much the same now. My advice is to find some nice beach, get undressed an enjoy.
Nights are made for sin - don't you wonderful to me now

[Ascend4nt]

Wow, great work trancexx! Where there's a will there's a way

[trancexx]

I will show the ultimate (Vista working) solution if you help me take this topic to page 2
Why then and not now?
This method gives the whole new possibilities to jerks that do malware ( ). But fortunately some 1337 haxor is usually just a kid. And kids are known for their impatience. That said I'm expecting that mentioned haxor is not going to read page 2 of this topic because by reading post 1 and scrolling page up and down few times he/she will likely be off of this due to the accumulated boredness.
Anyway, I left more than one clue already on how to do it, so if you figured out wait for page 2 to see if we are on the same wave length.

[Ascend4nt]

Anyway, I left more than one clue already on how to do it, so if you figured out wait for page 2 to see if we are on the same wave length.

lol, I don't think you and I ever will be on the same wave length. But as for the 'impatient hax0r' haha, you don't think they'd perhaps see the mention of a 2nd page? (hmm... guess there's the option to edit posts..).

[trancexx]

That's the plan (blueprint, design, device, draft, drawing, idea, intent, layout, map, plot, program, projection, road map, scheme... )

[Ascend4nt]

someone's been using a thesaurus..

[trancexx]

someone's been using a thesaurus..

Are you saying that I'm smoking pot (marijuana, grass, weed)?!?

...see how I used etymology to conclude that

Anyways, enough small talk, it's not productive.

edit: missing word

Edited by trancexx, 05 August 2009 - 08:48 PM.

[monoceres]

Educational, brilliant and absolutely fantastic as usual trancexx.

What happens when the exe that is being run from memory has completely different dependency and stuff? Say for example that the exe has some function from lets say advapi32 in it's IAT and the startup exe doesn't, wouldn't that screw up execution? What about resources.

Oh and btw which forum setting are you using, hopefully you are using the standard setting so we don't have to wait too long for the complete solution

[trancexx]

Educational, brilliant and absolutely fantastic as usual trancexx.

What happens when the exe that is being run from memory has completely different dependency and stuff? Say for example that the exe has some function from lets say advapi32 in it's IAT and the startup exe doesn't, wouldn't that screw up execution? What about resources.

Oh and btw which forum setting are you using, hopefully you are using the standard setting so we don't have to wait too long for the complete solution

Hey, nice to see you. Hope your batteries are charged.

I see you are on Vista. There is no problem about running anything. All should work. Except, of course, if some particular OS is targeted when compiling (function not existing before maybe) and run on system without that function. But that's more general problem.
All sections are written - the clone is made. That includes resources section as well.
That also means that even compressed modules (any method or tool) plays.

20 posts per page, that's my setting lol

[JRSmile]

im just trying to enhance the post count by one, just to see what is on page "10"

[Ascend4nt]

rofl. This is all very ridiculous. And what is everyone gonna replace their comments with when it finally does 'rolllover' to the 2nd page? Perhaps we can discuss the state of the economy.

[monoceres]

Hey, nice to see you. Hope your batteries are charged.

Heh, you noticed And yes, ready to do wonders and such!

20 posts per page, that's my setting lol

Puh. I have it on 40.



Anyways, solving it for Vista is simple. So for anyone very curious read this and remember that address randomization is a link-time option (Hope this won't violate your "loosing kiddies idea" )

Edit: Fixed terminology

Edited by monoceres, 05 August 2009 - 11:34 PM.

[trancexx]

Anyways, solving it for Vista is simple. So for anyone very curious read this and remember that address randomization is a link-time option (Hope this won't violate your "loosing kiddies idea" )

Edit: Fixed terminology

Must-read for everyone.

[Andreik]

I replace the path with @SystemDir & "\calc.exe" and then to run from memory and I get error number 3.

Global $sModule = "E:\Program files\GUIDGen\GUIDGEN.EXE" 

[Manko]

I replace the path with @SystemDir & "\calc.exe" and then to run from memory and I get error number 3.

Global $sModule = "E:\Program files\GUIDGen\GUIDGEN.EXE" 

Unfortunately many windows apps run at base 0x10000000 instead of 0x40000000. In this case, therefore, there is an obvious incompatibility. It can be worked around, I'm sure, but I'm too lazy... Vacation and all...

/Manko

[trancexx]

Error 3 is pre-execution error. It's indicating that MS-DOS header is missing or is messed up.
@Andreik, deal with it. It's a banal thing.

[Suirad]

General failure will be if the size of the new exe is bigger than AutoIt's size. That would require allocating more memory to work (I'm not doing that

That being the size of the executable that is running the other? In that case, wouldn't be easy to just add an Install() of a few sizable files to eliminate the problem?

[Andreik]

Error 3 is pre-execution error. It's indicating that MS-DOS header is missing or is messed up.
@Andreik, deal with it. It's a banal thing.

I don't understand yet all things from your UDF. From all the executables that I tried to run from memory just one of them was succesfully, for others I got errors like 3,6,7.

Anyway I like your UDF and examples, all work fine.