Subrogation

trancexx

I finally have some more space in the attachments folder. In the past I've had to sacrifice, delete lots of scripts I posted to be able to post more. That was shit.

So, what's the subrogation in this context?
It's a technique of loading a dll file embedded in your script as a string or perhaps stored on a remote server. The purpose is to be able to call functions from some dll without it needing to be written to the HD.
As you will see in the script I'm attaching, you choose some existing file (in my case I'm going with explorer.exe), then out of the embedded dll you construct a new fully functional module on the fundaments of the chosen.
After that you call functions from embedded module but now (and that's the beauty) you call from subrogated.
Pseudo/pseudo-expressed example from the script below would be:

Subrogor = "explorer.exe"
Subrogee = "kernel32.dll"
Subrogate(byref Subrogor, Subrogee)
DllCall(Subrogor, FunctionFromSubrogee)

There are different problems with (only) some dlls to embed.
It can be used both for 32 and 64 bit dlls with no difference.
Script:

Subrogation.au3


This technique (mild) is used in this script.

edit:
New script.

Edited by trancexx
  • Like 4

♡♡♡
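
An added example, not part of trancexx's script or this thread: a defender-side check for a loaded module whose in-memory PE headers no longer match the file it is named after. It assumes the rebuilt module carries the embedded dll's headers at the subrogor's base address (the thread does not show the script's internals); all function names and sample values are constructed.

```python
import struct

def build_header(timestamp, entry_rva, size_of_image, sections):
    """Constructed, minimal PE32+ header bytes for the demo (not a loadable image)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, 240, 0x2022)
    opt = bytearray(240)                                     # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                    # Magic
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 56, size_of_image)           # SizeOfImage
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

def parse_header(buf):
    """Return header fields the loader leaves unchanged when it maps an image."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    opt = pe + 24
    first = opt + opt_size                                   # start of section table
    names = [buf[first + 40 * i: first + 40 * i + 8].rstrip(b"\0").decode("latin-1")
             for i in range(nsec)]
    return {
        "timestamp": stamp,
        "entry_rva": struct.unpack_from("<I", buf, opt + 16)[0],
        "size_of_image": struct.unpack_from("<I", buf, opt + 56)[0],
        "sections": names,
    }

def header_mismatches(disk_bytes, memory_bytes):
    """Fields where the mapped module no longer matches the file it is named after."""
    disk, mem = parse_header(disk_bytes), parse_header(memory_bytes)
    return {k: (disk[k], mem[k]) for k in disk if disk[k] != mem[k]}

# Constructed sample values; real input would be the file on disk and a read of
# the first page at the module's base address in the inspected process.
ON_DISK = build_header(0x5F000001, 0x1A2B0, 0x4A0000, [b".text", b".rdata", b".data", b".rsrc"])
CLEAN_MAP = ON_DISK
REPLACED_MAP = build_header(0x5E000002, 0x15640, 0xBD000, [b".text", b".rdata", b".data"])

if __name__ == "__main__":
    print("clean:   ", header_mismatches(ON_DISK, CLEAN_MAP))
    print("replaced:", header_mismatches(ON_DISK, REPLACED_MAP))
```

ImageBase is deliberately not compared, since relocation changes it in a legitimately loaded image.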

James

This is a friendlier example of Subrogation than the XM Player :D

The awesome thing is, I'm understanding what is happening and how it works! I'm going to spend many hours playing with this. Now that I can subrogate the DLL I need into my new project, I can have everything I need from it.

Thanks trancexx!

James
trancexx

This looks quite interesting, but I'm having trouble understanding how this is any different from MemoryDLL.

Subtitle says a lot.

Still, there are huge differences. For example, AutoIt is understood by many, opcodes only by some.

Is there a limit on what programs can be the Subrogor? Can I use the compiled script itself (@ScriptName) or svchost.exe?

If you can get module handle (_WinAPI_GetModuleHandle) of the subrogor then it can't/shouldn't be used.

trancexx

I've made an update.

It should work on almost any dll now.


JFX

Works on Windows 8, with both interpreters, thanks.

KnutJ

Thank you TranceXX,

i did a lot of extensive testing with the memorydll.au3 - to no avail.

then, today, after some days, i found this thread by purpose, but i don't know how :-D ... and it works... it simply works.

thank you for saving my day(s)

 


Biatu

Is there a way to use this UDF in tandem with RunBinary or similar to preload dll's in memory required by the application?


What is what? What is what.

Biatu

How can I use this if explorer.exe is not in the system? I've tried many others with no luck.


trancexx
On ‎18‎.‎1‎.‎2017‎. at 0:07 AM, Biatu said:

How can I use this if explorer.exe is not in the system? I've tried many others with no luck.

Surely there is some executable available.

What system is that?


Biatu
3 hours ago, trancexx said:

Surely there is some executable available.

What system is that?

Well, I will be running this in WinPE, so explorer.exe won't always be available. I tried other Windows essentials like svchost, winload, cmd, rundll32, etc. and no go, all return @Error 6. It seems that everything I try gives that error.


Mugen

Try "winlogon.exe", it works here with Windows 7 and 10.

Biatu
16 minutes ago, Mugen said:

Try "winlogon.exe", it works here with Windows 7 and 10.

Ok thanks! That should do it.

Edit: Wait no, still error 6, I'm using build 10.0.14986

Edited by Biatu

Biatu

Created this function to test it...
 

#include "Subrogation.au3"
#include <File.au3>
#include <Array.au3>

; Try every executable in system32 as the subrogor and report the result
$aArray = _FileListToArrayRec("C:\Windows\system32\", "*.exe", 1, 0, 0, 0)
If @error Then
    ConsoleWrite("No executables found" & @CRLF)
    Exit 1
EndIf
;_ArrayDisplay($aArray)
$vBin = BinDll("C:\windows\system32\kernel32.dll") ; kernel32.dll is the subrogee here
$iFailed = 0
$iSuccess = 0
For $i = 1 To $aArray[0] ; element 0 holds the number of files found
    $hDll = DllFromMemory($vBin, "C:\Windows\system32\" & $aArray[$i])
    If @error Then
        ConsoleWrite($aArray[$i] & ",Error " & @error & @CRLF)
        $iFailed += 1
    Else
        ConsoleWrite($aArray[$i] & ",Success" & @CRLF)
        DllClose($hDll)
        $iSuccess += 1
    EndIf
Next
ConsoleWrite("-" & $iFailed & " Failed" & @CRLF)
ConsoleWrite("-" & $iSuccess & " Succeeded" & @CRLF)
Sleep(10000)

 


BisherSH

Hello,

I wrote a script which is using SQLite3.dll, and I would like to embed the dll in the compiled exe file,

Looks like your script is exactly what I need, I copied the code to my script and made the $sSubrogee point to SQLite3.dll

and the $sSubrogor point to my compiled application

but it didn't work!

I am new to AutoIt, could you please point me to the right way to do this?

Thanks

Edited by BisherSH

BisherSH

I am able to make it work if the dll file exists,

But what I need actually is to embed the whole dll inside the exe file NOT the dll path, is it possible?

Leo1906

Thanks for this nice function @trancexx :)

It works really well with normally created dll's (using Visual Studio and C++).

But I noticed that this won't work if you try to encrypt the dll using Themida for example. Why is that so? Is there a way to get crypted dll's to work?

BisherSH

Hi @Leo1906, could you please give me an example of how to use the file inside my code?

trancexx
On ‎9‎.‎2‎.‎2017‎. at 0:32 PM, BisherSH said:

I am able to make it work if the dll file exists,

But what I need actually is to embed the whole dll inside the exe file NOT the dll path, is it possible?

How difficult could that be?? Did you try? Can you show the code?

Nobody is helping you much because it's trivial. There are scripts around that do the job for you. All you have to do is cherry pick.


Mugen

Hi Trancexx,

One thing I wonder about, I use a dll that uses cdecl calling convention.
Well it works :)

But should I change the DllMain simulation accordingly to

If $iEntryPoint Then DllCallAddress("bool:cdecl", $pEntryFunc, "ptr", $pBaseAddress, "dword", 1, "ptr", 0) ; DLL_PROCESS_ATTACH

or does it not matter here?

trancexx
10 hours ago, Mugen said:

Hi Trancexx,

One thing I wonder about, I use a dll that uses cdecl calling convention.
Well it works :)

But should I change the DllMain simulation accordingly to

If $iEntryPoint Then DllCallAddress("bool:cdecl", $pEntryFunc, "ptr", $pBaseAddress, "dword", 1, "ptr", 0) ; DLL_PROCESS_ATTACH

or does it not matter here?

You shouldn't. DllMain is always stdcall.

  • Like 1
