Run binary


169 replies to this topic

#21 trancexx

    Hm, I really shouldn't.

  • Active Members
  • 5,187 posts

Posted 07 August 2009 - 11:58 AM

I don't understand yet all things from your UDF. Of all the executables that I tried to run from memory, just one of them was successful; for the others I got errors like 3, 6, 7.

Anyway I like your UDF and examples, all work fine. >_<

That's interesting. What system are you on?

Try this:


Is that working for you without making any modifications?
Btw it's something that's impossible to do in AutoIt. Another brilliance of Mr. Wayne J. Radburn. Just play with it, you will see how really brilliant it is.

eMyvnE






#22 JRSmile

    IT infrastructure specialist

  • Active Members
  • 453 posts

Posted 07 August 2009 - 12:48 PM

the UDF works perfectly,
is it possible to add start parameters or to know the actual path where it is running in?
because for dana (irc client) there has to be a conf file in the same directory as the exe. I could successfully convert the binary to string and start it with your function, but it does not see the config file... any clues?

edit: I found out that when it is compiled it does see the config file in the same dir, so I have to create the config file in the real file system; there isn't a way to put this in RAM too, is there?

Edited by JRSmile, 07 August 2009 - 12:51 PM.

$a=StringSplit("547275737420796F757220546563686E6F6C75737421","")For $b=1 To UBound($a)+(-1*-1*-1)step(2^4/8);&$b+=1*2/40*µ&Asc(4)Assign("c",Eval("c")&Chr(Dec($a[$b]&$a[$b+1])));)''Chr("a")&"HI"Next;time_U&r34d,ths,U-may=get$the&c.l.u.e;b3st-regards,JRSmile;MsgBox(0x000000,"",Eval("c"));PiEs:d0nt+*b3.s4d.4ft3r.1st-try:-)Try2Hack: http://www.try2hack.nl/levels/level13-olwehfdow.xhtml

#23 monoceres

    asdf

  • MVPs
  • 3,719 posts

Posted 07 August 2009 - 12:53 PM

the UDF works perfectly,
is it possible to add start parameters or to know the actual path where it is running in?
because for dana (irc client) there has to be a conf file in the same directory as the exe. I could successfully convert the binary to string and start it with your function, but it does not see the config file... any clues?

edit: I found out that when it is compiled it does see the config file in the same dir, so I have to create the config file in the real file system; there isn't a way to put this in RAM too, is there?


The path for the exe run from memory will be the one that is used as the starter (standard is @AutoItExe); simply replace it with an exe in the same dir as the program you wish to run from memory and it will be fine (it works when compiled because then @AutoItExe points to the compiled script).

Is the link in my post broken? I no longer own my domain; all the files are moved to my new domain. Example: http://monoceres.se/test.au3 -> http://andhen.mine.nu/monoceres.se/test.au3

#24 Andreik

    Bishop

  • Active Members
  • 2,498 posts

Posted 07 August 2009 - 02:47 PM

That's interesting. What system are you on?

Try this:


Is that working for you without making any modifications?
Btw it's something that's impossible to do in AutoIt. Another brilliance of Mr. Wayne J. Radburn. Just play with it, you will see how really brilliant it is.

When I made those tests I was using Windows XP SP2. Now I tried your example on Win XP 64 and get an error "The application failed to initialize properly (0xc000007b)."
When the words fail... music speaks

#25 trancexx

    Hm, I really shouldn't.

  • Active Members
  • 5,187 posts

Posted 07 August 2009 - 06:38 PM

When I made those tests I was using Windows XP SP2. Now I tried your example on Win XP 64 and get an error "The application failed to initialize properly (0xc000007b)."

Yes. Well, that would be my mistake. Mea maxima culpa (I always liked the sound of that >_< ).

Mostly for not explaining what I thought was obvious.

eMyvnE


#26 Andreik

    Bishop

  • Active Members
  • 2,498 posts

Posted 07 August 2009 - 10:27 PM

Yes. Well, that would be my mistake. Mea maxima culpa (I always liked the sound of that >_< ).

Mostly for not explaining what I thought was obvious.

It would be nice to make your function something like _RunFromMemory($ExePath). In the first part of the function, create the binary image and then run the current function.
When the words fail... music speaks

#27 spudw2k

    i dunno what i'm doing

  • Active Members
  • 1,147 posts

Posted 07 August 2009 - 10:38 PM

It would be nice to make your function something like _RunFromMemory($ExePath). In the first part of the function, create the binary image and then run the current function.

I thought the idea was to embed an exe (in bin form) in a script. It makes sense to embed an exe that doesn't exist on the client side. Why would you want to do it realtime when you could just run the exe?

Edited by spudw2k, 07 August 2009 - 10:38 PM.


#28 monoceres

    asdf

  • MVPs
  • 3,719 posts

Posted 08 August 2009 - 06:34 PM

I've been thinking of a fix myself. However I cannot seem to come up with a satisfying solution. I mean, it's easy just to unset the image randomization bit for the source PE, but it will require the exe to be copied, which leaves us with some problems: first off, who is going to delete that exe? It's rude to just leave behind files like that; secondly, it will require that we have read, write & execute rights in the directory.

So the solution I think is the best is to rebase the target exe, is that your solution?

#29 trancexx

    Hm, I really shouldn't.

  • Active Members
  • 5,187 posts

Posted 09 August 2009 - 05:32 PM

I've been thinking of a fix myself. However I cannot seem to come up with a satisfying solution. I mean, it's easy just to unset the image randomization bit for the source PE, but it will require the exe to be copied, which leaves us with some problems: first off, who is going to delete that exe? It's rude to just leave behind files like that; secondly, it will require that we have read, write & execute rights in the directory.

So the solution I think is the best is to rebase the target exe, is that your solution?

The only question would be how to do it. I can think of two ways. The first and obvious one is to actually rewrite the exe's code: move all pointers by the value of the calculated offset. Imagine the job.
The second one would be to fold space at the quantum level (Dune - David Lynch; if you haven't seen it, find time and do).
What error do you get for example No8?

eMyvnE


#30 trancexx

    Hm, I really shouldn't.

  • Active Members
  • 5,187 posts

Posted 09 August 2009 - 05:37 PM

That being the size of the executable that is running the other? In that case, wouldn't be easy to just add an Install() of a few sizable files to eliminate the problem?

Something like that might work.

eMyvnE


#31 monoceres

    asdf

  • MVPs
  • 3,719 posts

Posted 09 August 2009 - 06:23 PM

The only question would be how to do it. I can think of two ways. The first and obvious one is to actually rewrite the exe's code: move all pointers by the value of the calculated offset. Imagine the job.
The second one would be to fold space at the quantum level (Dune - David Lynch; if you haven't seen it, find time and do).
What error do you get for example No8?


Oh you clever SOB, I thought that was just debugging for Andreik!

I actually also tried to change the ImageBase pointer, however when I did it I got errors that the C runtime couldn't be found. Hmm, must have overlooked something.

#32 trancexx

    Hm, I really shouldn't.

  • Active Members
  • 5,187 posts

Posted 10 August 2009 - 09:06 PM

I owe an explanation (and correction) on the "Ebx" member of the CONTEXT structure.
That is a pointer to the PEB structure, another structure that's not willingly shared by Microsoft for some reason. There is an official explanation of it here.
But something like this can also be found:
AutoIt
; $hProcess and $tCONTEXT are the process handle and the CONTEXT structure filled by GetThreadContext in _RunExeFromMemory.
; In the freshly created (suspended) 32-bit process, Ebx holds the address of its PEB; the layout below is the 32-bit one.
Local $tPEB = DllStructCreate("byte InheritedAddressSpace;" & _
        "byte ReadImageFileExecOptions;" & _
        "byte BeingDebugged;" & _
        "byte Spare;" & _
        "ptr Mutant;" & _
        "ptr ImageBaseAddress;" & _
        "ptr LoaderData;" & _
        "ptr ProcessParameters;" & _
        "ptr SubSystemData;" & _
        "ptr ProcessHeap;" & _
        "ptr FastPebLock;" & _
        "ptr FastPebLockRoutine;" & _
        "ptr FastPebUnlockRoutine;" & _
        "dword EnvironmentUpdateCount;" & _
        "ptr KernelCallbackTable;" & _
        "ptr EventLogSection;" & _
        "ptr EventLog;" & _
        "ptr FreeList;" & _
        "dword TlsExpansionCounter;" & _
        "ptr TlsBitmap;" & _
        "dword TlsBitmapBits[2];" & _
        "ptr ReadOnlySharedMemoryBase;" & _
        "ptr ReadOnlySharedMemoryHeap;" & _
        "ptr ReadOnlyStaticServerData;" & _
        "ptr AnsiCodePageData;" & _
        "ptr OemCodePageData;" & _
        "ptr UnicodeCaseTableData;" & _
        "dword NumberOfProcessors;" & _
        "dword NtGlobalFlag;" & _
        "ubyte Spare2[4];" & _
        "int64 CriticalSectionTimeout;" & _
        "dword HeapSegmentReserve;" & _
        "dword HeapSegmentCommit;" & _
        "dword HeapDeCommitTotalFreeThreshold;" & _
        "dword HeapDeCommitFreeBlockThreshold;" & _
        "dword NumberOfHeaps;" & _
        "dword MaximumNumberOfHeaps;" & _
        "ptr ProcessHeaps;" & _
        "ptr GdiSharedHandleTable;" & _
        "ptr ProcessStarterHelper;" & _
        "ptr GdiDCAttributeList;" & _
        "ptr LoaderLock;" & _
        "dword OSMajorVersion;" & _
        "dword OSMinorVersion;" & _
        "dword OSBuildNumber;" & _
        "dword OSPlatformId;" & _
        "dword ImageSubSystem;" & _
        "dword ImageSubSystemMajorVersion;" & _
        "dword ImageSubSystemMinorVersion;" & _
        "dword GdiHandleBuffer[34];" & _
        "dword PostProcessInitRoutine;" & _
        "dword TlsExpansionBitmap;" & _
        "ubyte TlsExpansionBitmapBits[128];" & _
        "dword SessionId")
; Copy the remote PEB into the local structure
$aCall = DllCall("kernel32.dll", "int", "ReadProcessMemory", _
        "ptr", $hProcess, _
        "ptr", DllStructGetData($tCONTEXT, "Ebx"), _
        "ptr", DllStructGetPtr($tPEB), _
        "dword", DllStructGetSize($tPEB), _
        "dword*", 0)
; Base address the new process is currently mapped at
Local $hBaseAddress = DllStructGetData($tPEB, "ImageBaseAddress")


Correction would be that $hBaseAddress is not third element of that structure (it's sixth).

eMyvnE


#33 IchBistTod

    Universalist

  • Active Members
  • 257 posts

Posted 13 August 2009 - 06:13 AM

I really don't mean to be a bother, I mean all your examples work on Windows 7, however what must I do to make the image out of an exe? I have tried reading in binary mode and passing the data to the func but it doesn't work, am I missing something?

=]


#34 trancexx

    Hm, I really shouldn't.

  • Active Members
  • 5,187 posts

Posted 13 August 2009 - 12:43 PM

I really don't mean to be a bother, I mean all your examples work on Windows 7, however what must I do to make the image out of an exe? I have tried reading in binary mode and passing the data to the func but it doesn't work, am I missing something?

Show the code.

eMyvnE


#35 Xenobiologist

    Xx Code~Mega xX

  • MVPs
  • 4,727 posts

Posted 13 August 2009 - 03:19 PM

Hi,

looks good. What exe files can be used? The ones I tried all fail, although they are smaller than the Autoit.exe.

Mega
Scripts & functions:
Organize Includes - Let SciTE organize the include files *new
Yahtzee - The game "Yahtzee" (Kniffel, DiceLion)
LoginWrapper - Secure scripts by adding a query (authentication)
_RunOnlyOnThis UDF - Make sure that a script can only be executed on ... (Windows / HD / ...)
Internet-Café Server/Client Application - Open CD, Start Browser, Lock remote client, etc.
MultipleFuncsWithOneHotkey - Start different funcs by hitting one hotkey different times


#37 trancexx

    Hm, I really shouldn't.

  • Active Members
  • 5,187 posts

Posted 13 August 2009 - 05:39 PM

Hi,

looks good. What exe files can be used? The ones I tried all fail, although they are smaller than the Autoit.exe.

Mega

What error number? System? Function?

Edited by trancexx, 13 August 2009 - 05:40 PM.

eMyvnE


#38 IchBistTod

    Universalist

  • Active Members
  • 257 posts

Posted 13 August 2009 - 11:17 PM

No error, it just doesn't work. I am on Windows 7 and all the examples work perfectly.

Here is my code.

AutoIt
$file = FileOpen(FileOpenDialog("Select a File", @WorkingDir, "All Files (*.*)"), 16) ; 16 = binary read mode
$contents = FileRead($file)
FileClose($file) ; release the handle once the image is in memory
_RunExeFromMemory($contents)

Func _RunExeFromMemory($bBinaryImage)
    #Region 1. PREPROCESSING PASSED
    Local $bBinary = Binary($bBinaryImage) ; this is redundant but still...
    ; Make structure out of binary data that was passed
    Local $tBinary = DllStructCreate("byte[" & BinaryLen($bBinary) & "]")
    DllStructSetData($tBinary, 1, $bBinary) ; fill it
    ; Get pointer to it
    Local $pPointer = DllStructGetPtr($tBinary)
    #Region 2. CREATING NEW PROCESS
    ; STARTUPINFO structure (actually all that really matters is allocated space)
    Local $tSTARTUPINFO = DllStructCreate("dword cbSize;" & _
            "ptr Reserved;" & _
            "ptr Desktop;" & _
            "ptr Title;" & _
            "dword X;" & _
            "dword Y;" & _
            "dword XSize;" & _
            "dword YSize;" & _
            "dword XCountChars;" & _
            "dword YCountChars;" & _
            "dword FillAttribute;" & _
            "dword Flags;" & _
            "ushort ShowWindow;" & _
            "ushort cbReserved2;" & _ ; the two Reserved2 members now have distinct names; sizes are unchanged
            "ptr lpReserved2;" & _
            "ptr hStdInput;" & _
            "ptr hStdOutput;" & _
            "ptr hStdError")
    ; This is much important. This structure will hold some very important data.
    Local $tPROCESS_INFORMATION = DllStructCreate("ptr Process;" & _
            "ptr Thread;" & _
            "dword ProcessId;" & _
            "dword ThreadId")
    ; Create new process
    Local $aCall = DllCall("kernel32.dll", "int", "CreateProcessW", _
            "wstr", @AutoItExe, _ ; This (or better said - another instance of me)
            "ptr", 0, _
            "ptr", 0, _
            "ptr", 0, _
            "int", 0, _
            "dword", 4, _ ; CREATE_SUSPENDED ; <- this is essential
            "ptr", 0, _
            "ptr", 0, _
            "ptr", DllStructGetPtr($tSTARTUPINFO), _
            "ptr", DllStructGetPtr($tPROCESS_INFORMATION))
    If @error Or Not $aCall[0] Then
        Return SetError(1, 0, 0) ; CreateProcess function or call to it failed
    EndIf
    ; New process and thread handles:
    Local $hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process")
    Local $hThread = DllStructGetData($tPROCESS_INFORMATION, "Thread")
    #Region 3. FILL CONTEXT STRUCTURE
    ; CONTEXT structure is what's really important here. It's very 'mysterious'
    Local $tCONTEXT = DllStructCreate("dword ContextFlags;" & _
            "dword Dr0;" & _
            "dword Dr1;" & _
            "dword Dr2;" & _
            "dword Dr3;" & _
            "dword Dr6;" & _
            "dword Dr7;" & _
            "dword ControlWord;" & _
            "dword StatusWord;" & _
            "dword TagWord;" & _
            "dword ErrorOffset;" & _
            "dword ErrorSelector;" & _
            "dword DataOffset;" & _
            "dword DataSelector;" & _
            "byte RegisterArea[80];" & _
            "dword Cr0NpxState;" & _
            "dword SegGs;" & _
            "dword SegFs;" & _
            "dword SegEs;" & _
            "dword SegDs;" & _
            "dword Edi;" & _
            "dword Esi;" & _
            "dword Ebx;" & _
            "dword Edx;" & _
            "dword Ecx;" & _
            "dword Eax;" & _ ; manipulation point (will set address of entry point here)
            "dword Ebp;" & _
            "dword Eip;" & _
            "dword SegCs;" & _
            "dword EFlags;" & _
            "dword Esp;" & _
            "dword SegSs")
    DllStructSetData($tCONTEXT, "ContextFlags", 0x10002) ; CONTEXT_INTEGER
    ; Fill tCONTEXT structure:
    $aCall = DllCall("kernel32.dll", "int", "GetThreadContext", _
            "ptr", $hThread, _
            "ptr", DllStructGetPtr($tCONTEXT))
    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(2, 0, 0) ; GetThreadContext function or call to it failed
    EndIf
    #Region 4. READ PE-FORMAT
    ; Start processing passed binary data. 'Reading' PE format follows.
    Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _
            "ushort BytesOnLastPage;" & _
            "ushort Pages;" & _
            "ushort Relocations;" & _
            "ushort SizeofHeader;" & _
            "ushort MinimumExtra;" & _
            "ushort MaximumExtra;" & _
            "ushort SS;" & _
            "ushort SP;" & _
            "ushort Checksum;" & _
            "ushort IP;" & _
            "ushort CS;" & _
            "ushort Relocation;" & _
            "ushort Overlay;" & _
            "char Reserved[8];" & _
            "ushort OEMIdentifier;" & _
            "ushort OEMInformation;" & _
            "char Reserved2[20];" & _
            "dword AddressOfNewExeHeader", _
            $pPointer)
    ; Move pointer
    $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader") ; move to PE file header
    Local $sMagic = DllStructGetData($tIMAGE_DOS_HEADER, "Magic")
    ; Check if it's valid format
    If Not ($sMagic == "MZ") Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(3, 0, 0) ; MS-DOS header missing. Btw 'MZ' are the initials of Mark Zbikowski in case you didn't know.
    EndIf
    Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer)
    ; Move pointer
    $pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure
    ; Check signature
    If DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") <> 17744 Then ; IMAGE_NT_SIGNATURE
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(4, 0, 0) ; wrong signature. For PE image should be "PE\0\0" or 17744 dword.
    EndIf
    Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _
            "ushort NumberOfSections;" & _
            "dword TimeDateStamp;" & _
            "dword PointerToSymbolTable;" & _
            "dword NumberOfSymbols;" & _
            "ushort SizeOfOptionalHeader;" & _
            "ushort Characteristics", _
            $pPointer)
    ; Get number of sections
    Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")
    ; Move pointer
    $pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure
    Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _
            "ubyte MajorLinkerVersion;" & _
            "ubyte MinorLinkerVersion;" & _
            "dword SizeOfCode;" & _
            "dword SizeOfInitializedData;" & _
            "dword SizeOfUninitializedData;" & _
            "dword AddressOfEntryPoint;" & _
            "dword BaseOfCode;" & _
            "dword BaseOfData;" & _
            "dword ImageBase;" & _
            "dword SectionAlignment;" & _
            "dword FileAlignment;" & _
            "ushort MajorOperatingSystemVersion;" & _
            "ushort MinorOperatingSystemVersion;" & _
            "ushort MajorImageVersion;" & _
            "ushort MinorImageVersion;" & _
            "ushort MajorSubsystemVersion;" & _
            "ushort MinorSubsystemVersion;" & _
            "dword Win32VersionValue;" & _
            "dword SizeOfImage;" & _
            "dword SizeOfHeaders;" & _
            "dword CheckSum;" & _
            "ushort Subsystem;" & _
            "ushort DllCharacteristics;" & _
            "dword SizeOfStackReserve;" & _
            "dword SizeOfStackCommit;" & _
            "dword SizeOfHeapReserve;" & _
            "dword SizeOfHeapCommit;" & _
            "dword LoaderFlags;" & _
            "dword NumberOfRvaAndSizes", _
            $pPointer)
    ; Move pointer
    $pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER
    Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic")
    ; Check if it's 32-bit application
    If $iMagic <> 267 Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(5, 0, 0) ; not 32-bit application. Structures (and sizes) are for 32-bit apps.
    EndIf
    ; Extract entry point address
    Local $iEntryPointNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint") ; if loaded, binary image would start executing at this address
    ; Move pointer
    $pPointer += 128 ; size of the data directory structures before IMAGE_SECTION_HEADER (16 of them, 8 bytes each).
    Local $pOptionalHeaderImageBaseNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase") ; address of the first byte of the image when it's loaded in memory
    Local $iOptionalHeaderSizeOfImageNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfImage") ; the size of the image including all headers
    #Region 5. CLEAR EVERYTHING THAT THIS NEW PROCESS HAS MAPPED
    ; Clear old data. !This is where this whole function will fail with Vista and above!
    $aCall = DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", _
            "ptr", $hProcess, _
            "ptr", $pOptionalHeaderImageBaseNEW)
    If @error Or $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(6, 0, 0) ; NtUnmapViewOfSection function or call to it failed
    EndIf
    #Region 6. ALLOCATE 'NEW' MEMORY SPACE
    ; Allocate proper size of memory at the proper place. !This is where the failure will occur if that new exe is e.g. bigger than AutoIt3.exe!
    $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", _
            "ptr", $hProcess, _
            "ptr", $pOptionalHeaderImageBaseNEW, _
            "dword", $iOptionalHeaderSizeOfImageNEW, _
            "dword", 12288, _ ; MEM_COMMIT|MEM_RESERVE
            "dword", 64) ; PAGE_EXECUTE_READWRITE
    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(7, 0, 0) ; VirtualAllocEx function or call to it failed
    EndIf
    Local $pRemoteCode = $aCall[0] ; from now on this is zero-point
    #Region 7. GET AND WRITE NEW PE-HEADERS
    Local $pHEADERS_NEW = DllStructGetPtr($tIMAGE_DOS_HEADER) ; starting address of binary image headers
    Local $iOptionalHeaderSizeOfHeadersNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders") ; the size of the MS-DOS stub, the PE header, and the section headers
    ; Write NEW headers
    $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", _
            "ptr", $hProcess, _
            "ptr", $pRemoteCode, _
            "ptr", $pHEADERS_NEW, _
            "dword", $iOptionalHeaderSizeOfHeadersNEW, _
            "dword*", 0)
    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(8, 0, 0) ; WriteProcessMemory function or call to it while writing new PE headers failed
    EndIf
    #Region 8. WRITE SECTIONS
    ; Dealing with sections. Will write them too as they hold all needed data that PE loader reads
    Local $tIMAGE_SECTION_HEADER
    Local $iSizeOfRawData, $pPointerToRawData
    Local $iVirtualAddress
    For $i = 1 To $iNumberOfSections
        $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _
                "dword UnionOfVirtualSizeAndPhysicalAddress;" & _
                "dword VirtualAddress;" & _
                "dword SizeOfRawData;" & _
                "dword PointerToRawData;" & _
                "dword PointerToRelocations;" & _
                "dword PointerToLinenumbers;" & _
                "ushort NumberOfRelocations;" & _
                "ushort NumberOfLinenumbers;" & _
                "dword Characteristics", _
                $pPointer)
        $iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")
        $pPointerToRawData = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")
        $iVirtualAddress = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress")
        ; If there is data to write, write it where it should be written
        If $iSizeOfRawData Then
            $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", _
                    "ptr", $hProcess, _
                    "ptr", $pRemoteCode + $iVirtualAddress, _
                    "ptr", $pPointerToRawData, _
                    "dword", $iSizeOfRawData, _
                    "dword*", 0)
            If @error Or Not $aCall[0] Then
                DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
                Return SetError(9, $i, 0) ; WriteProcessMemory function or call to it while writing new sections failed
            EndIf
        EndIf
        ; Move pointer
        $pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure
    Next
    #Region 9. NEW ENTRY POINT
    ; Entry point manipulation
    DllStructSetData($tCONTEXT, "Eax", $pRemoteCode + $iEntryPointNEW) ; $iEntryPointNEW was relative address
    #Region 10. SET NEW CONTEXT
    ; New context:
    $aCall = DllCall("kernel32.dll", "int", "SetThreadContext", _
            "ptr", $hThread, _
            "ptr", DllStructGetPtr($tCONTEXT))
    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(10, 0, 0) ; SetThreadContext function or call to it failed
    EndIf
    #Region 11. RESUME THREAD
    ; And that's it! Continue execution
    $aCall = DllCall("kernel32.dll", "int", "ResumeThread", "ptr", $hThread)
    If @error Or $aCall[0] = -1 Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(11, 0, 0) ; ResumeThread function or call to it failed
    EndIf
    #Region 12. RETURN SUCCESS
    ; All went well. Return, for example, new PID:
    Return DllStructGetData($tPROCESS_INFORMATION, "ProcessId")
EndFunc   ;==>_RunExeFromMemory

Edited by IchBistTod, 13 August 2009 - 11:17 PM.

=]
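
The steps that _RunExeFromMemory walks through in the post above (MZ and PE\0\0 checks, the 0x10B magic test, headers written at the base, then each section written at its VirtualAddress) and the rebasing question from posts #28 to #31 are both ordinary PE loader work, so one example covers both. The Python below is an added example, not code from this thread or from the Run binary UDF. It does the loader steps offline on a hand-constructed PE32 image: the same header checks the UDF reports as errors 3, 4 and 5, the file-to-image layout the UDF performs with WriteProcessMemory, and then the step the UDF does not have, walking the .reloc table to shift every absolute pointer by the difference between ImageBase and the base the image actually gets. That is the "move all pointers by the calculated offset" of post #29, done with the table the linker already emits rather than by rewriting code; an image built without a .reloc table can only run at its ImageBase, which the example treats as an error. The sample image, its two sections, its addresses and the alternative base 0x10000000 are all constructed for the example; only the PE/COFF field offsets and flag values are the real ones.

```python
"""PE32 loader logic from the thread, done offline: parse the headers, lay the file out as an image, rebase it.
Added example, not code from the thread or the Run binary UDF; the sample image, its sections and all addresses
are constructed for the example, only the PE/COFF field offsets and flag values are the real ones."""
import struct

IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE = 0x5A4D, 0x00004550  # "MZ", "PE\0\0" (17744 in the UDF)
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B                         # 267 in the UDF: PE32 only
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040                # the "image randomization bit"
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
IMAGE_REL_BASED_ABSOLUTE, IMAGE_REL_BASED_HIGHLOW = 0, 3

def u16(b, off): return struct.unpack_from("<H", b, off)[0]
def u32(b, off): return struct.unpack_from("<I", b, off)[0]

def parse_pe32(data):
    """Header fields a loader needs; ValueError on the checks the UDF reports as errors 3, 4 and 5."""
    if u16(data, 0) != IMAGE_DOS_SIGNATURE:
        raise ValueError("MS-DOS header missing")
    nt = u32(data, 0x3C)                      # e_lfanew
    if u32(data, nt) != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature missing")
    fh, opt = nt + 4, nt + 24                 # IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32
    if u16(data, opt) != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("not a 32-bit PE image")
    nsections, opt_size = u16(data, fh + 2), u16(data, fh + 16)
    sections = []                             # (name, VirtualAddress, SizeOfRawData, PointerToRawData)
    for i in range(nsections):
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), va, raw_size, raw_ptr))
    return {"entry_rva": u32(data, opt + 16), "image_base": u32(data, opt + 28),
            "size_of_image": u32(data, opt + 56), "size_of_headers": u32(data, opt + 60),
            "dynamic_base": bool(u16(data, opt + 70) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
            "reloc": struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC),
            "sections": sections}

def build_image(data, hdr):
    """File layout to memory layout: headers at 0, each section at its RVA (the UDF's WriteProcessMemory steps)."""
    image = bytearray(hdr["size_of_image"])
    image[:hdr["size_of_headers"]] = data[:hdr["size_of_headers"]]
    for _name, va, raw_size, raw_ptr in hdr["sections"]:
        chunk = data[raw_ptr:raw_ptr + raw_size]
        if len(chunk) != raw_size or va + raw_size > len(image):
            raise ValueError("section data lies outside the file or the image")
        image[va:va + raw_size] = chunk
    return image

def relocate(image, hdr, new_base):
    """Apply the HIGHLOW fixups so the image is valid at new_base; returns the number of pointers moved."""
    if new_base == hdr["image_base"]:
        return 0
    rva, size = hdr["reloc"]
    if size == 0:
        raise ValueError("no relocation table: image only runs at 0x%08X" % hdr["image_base"])
    delta, pos, fixed = (new_base - hdr["image_base"]) & 0xFFFFFFFF, rva, 0
    while pos < rva + size:
        page_rva, block_size = struct.unpack_from("<II", image, pos)  # IMAGE_BASE_RELOCATION header
        if block_size < 8:
            raise ValueError("corrupt relocation block")
        for off in range(pos + 8, pos + block_size, 2):
            entry = u16(image, off)
            kind, page_off = entry >> 12, entry & 0xFFF
            if kind == IMAGE_REL_BASED_ABSOLUTE:
                continue                                              # alignment padding
            if kind != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError("unsupported relocation type %d" % kind)
            target = page_rva + page_off
            struct.pack_into("<I", image, target, (u32(image, target) + delta) & 0xFFFFFFFF)
            fixed += 1
        pos += block_size
    return fixed

def stage_image(data, actual_base=None):
    """Parse, lay out and rebase when the image cannot get its preferred base. Returns (base, entry VA, image, fixups)."""
    hdr = parse_pe32(data)
    base = hdr["image_base"] if actual_base is None else actual_base
    image = build_image(data, hdr)
    return base, base + hdr["entry_rva"], image, relocate(image, hdr, base)

def make_sample_pe(image_base=0x00400000, with_reloc=True):
    """Constructed PE32: .text = `mov eax, <absolute entry address>; ret`, .reloc = the one HIGHLOW fixup for it."""
    text = b"\xB8" + struct.pack("<I", image_base + 0x1000) + b"\xC3"
    reloc = struct.pack("<IIHH", 0x1000, 12, (IMAGE_REL_BASED_HIGHLOW << 12) | 0x001, 0) if with_reloc else b""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)    # i386, 2 sections, EXE|32BIT
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 0, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000,
                      image_base, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x3000, 0x200, 0, 3,
                      IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(128)                                                 # 16 IMAGE_DATA_DIRECTORY entries
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x2000 if with_reloc else 0, len(reloc))
    def sect(name, va, vsize, raw_ptr, chars):                            # IMAGE_SECTION_HEADER, raw size 0x200
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, 0x200, raw_ptr, 0, 0, 0, 0, chars)
    headers = (dos + b"PE\0\0" + file_hdr + opt + bytes(dirs) + sect(b".text", 0x1000, len(text), 0x200, 0x60000020)
               + sect(b".reloc", 0x2000, len(reloc), 0x400, 0x42000040))
    return headers.ljust(0x200, b"\0") + text.ljust(0x200, b"\0") + reloc.ljust(0x200, b"\0")
```

Calling stage_image(make_sample_pe()) gives the image at its preferred 0x00400000 with zero fixups; stage_image(make_sample_pe(), 0x10000000) returns entry 0x10001000 and one fixup, and the mov operand at RVA 0x1001 now reads 0x10001000. Two points for anyone reading this thread as an analyst rather than a user: the sequence the UDF performs (CreateProcess with CREATE_SUSPENDED, NtUnmapViewOfSection of the host image, WriteProcessMemory of a foreign PE, SetThreadContext, ResumeThread) is what is now called process hollowing, and it is one of the most widely keyed-on API sequences in EDR and sandbox detections; and an image whose DllCharacteristics carries IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (the "randomization bit" of post #28) in practice ships a .reloc table, because ASLR needs one, so relocating the image is the clean alternative to clearing that bit on a copied file.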


#39 IchBistTod

    Universalist

  • Active Members
  • 257 posts

Posted 14 August 2009 - 02:43 AM

any help? tested on XP and its not working either.

=]


#40 trancexx

    Hm, I really shouldn't.

  • Active Members
  • 5,187 posts

Posted 14 August 2009 - 05:46 AM

any help? tested on XP and its not working either.

What do you think could be wrong? I see you read binary, that's important (reading is generally very important).
You think you could fix it? I saw you had some ideas before.

eMyvnE




