Sign in to follow this  
Followers 0
IchBistTod

Executing from memory. 64 bit system, 32 bit app.

2 posts in this topic

okay. I managed to get it all the way to error 10 by using the same exe running form to execute, just copying it to a diff name and pumping the file....

oh and having it use 32 bit binary Dlls, which are surprisingly in wow64(its all backwards lol).

anyways here is how far I have got. (i got the idea for usign dll open then dll call from when i was trying register a 32 bit active x component and had to use the 32 bit version of the register, cuz they are both regsrv32(or whatever it is, but both have 32 onthem, but one is 64 bit, but its int he system32 folder, where as 32 bit was in the wow64 folder)

here is the code

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
$sModuleToRun = @ScriptDir&"\Au3Info.exe" ; <-yours here
_RunExeFromMemory(FileRead($sModuleToRun))
MsgBox(0, '', "Error = " & @error)


Func _RunExeFromMemory($bBinaryImage, $iCompressed = 0)
$dll = DllOpen("C:\windows\SysWOW64\kernel32.dll")
$ntdll = DllOpen("C:\windows\SysWOW64\ntdll.dll")
    #Region 1. PREPROCESSING PASSED
    Local $tInput = DllStructCreate("byte[" & BinaryLen($bBinaryImage) & "]")
    DllStructSetData($tInput, 1, $bBinaryImage)

    Local $pPointer

    If $iCompressed Then
        ; Buffer for decompressed data
        Local $tBuffer = DllStructCreate("byte[" & 16 * DllStructGetSize($tInput) & "]") ; oversizing it

        ; Decompression follows:
        Local $aCall = DllCall($ntdll, "int", "RtlDecompressBuffer", _
                "ushort", 2, _
                "ptr", DllStructGetPtr($tBuffer), _
                "dword", DllStructGetSize($tBuffer), _
                "ptr", DllStructGetPtr($tInput), _
                "dword", DllStructGetSize($tInput), _
                "dword*", 0)

        If @error Or $aCall[0] Then ; If any troubles try original data anyway
            $pPointer = DllStructGetPtr($tInput)
        Else
            $pPointer = DllStructGetPtr($tBuffer)
        EndIf
    Else
        ; Not compressed
        $pPointer = DllStructGetPtr($tInput)
    EndIf

    #Region 2. CREATING NEW PROCESS
    ; STARTUPINFO structure (actually all that really matters is allocaed space)
    Local $tSTARTUPINFO = DllStructCreate("dword  cbSize;" & _
            "ptr Reserved;" & _
            "ptr Desktop;" & _
            "ptr Title;" & _
            "dword X;" & _
            "dword Y;" & _
            "dword XSize;" & _
            "dword YSize;" & _
            "dword XCountChars;" & _
            "dword YCountChars;" & _
            "dword FillAttribute;" & _
            "dword Flags;" & _
            "ushort ShowWindow;" & _
            "ushort Reserved2;" & _
            "ptr Reserved2;" & _
            "ptr hStdInput;" & _
            "ptr hStdOutput;" & _
            "ptr hStdError")

    ; This is much important. This structure will hold some very important data.
    Local $tPROCESS_INFORMATION = DllStructCreate("ptr Process;" & _
            "ptr Thread;" & _
            "dword ProcessId;" & _
            "dword ThreadId")

    ; Create new process
    FileCopy(@ScriptFullPath, @ScriptDir&"\2.exe")
    for $i=9999 to 29999
    FileWrite(@ScriptDir&"\2.exe", Binary(0)&$I*$I*$I*$I*$I*$I*$I*$I*$I*$I*$I*$I*$I*$I*$I*$I*$I)

        Next
    $aCall = DllCall($dll, "int", "CreateProcessW", _
            "wstr", @ScriptDir&"\2.exe", _ ; try something else too (now only range plays, giving us a space)
            "ptr", 0, _
            "ptr", 0, _
            "ptr", 0, _
            "int", 0, _
            "dword", 4, _ ; CREATE_SUSPENDED ; <- this is essential
            "ptr", 0, _
            "ptr", 0, _
            "ptr", DllStructGetPtr($tSTARTUPINFO), _
            "ptr", DllStructGetPtr($tPROCESS_INFORMATION))

    If @error Or Not $aCall[0] Then
        Return SetError(2, 0, 0) ; CreateProcess function or call to it failed
    EndIf

    ; New process and thread handles:
    Local $hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process")
    Local $hThread = DllStructGetData($tPROCESS_INFORMATION, "Thread")
    MsgBox(64, "", $hProcess)

    MsgBox(64, "", $hthread)


    #Region 3. FILL CONTEXT STRUCTURE
    ; CONTEXT structure is what's really important here. It's very 'misterious'
    Local $tCONTEXT = DllStructCreate("dword ContextFlags;" & _
            "dword Dr0;" & _
            "dword Dr1;" & _
            "dword Dr2;" & _
            "dword Dr3;" & _
            "dword Dr6;" & _
            "dword Dr7;" & _
            "dword ControlWord;" & _
            "dword StatusWord;" & _
            "dword TagWord;" & _
            "dword ErrorOffset;" & _
            "dword ErrorSelector;" & _
            "dword DataOffset;" & _
            "dword DataSelector;" & _
            "byte RegisterArea[80];" & _
            "dword Cr0NpxState;" & _
            "dword SegGs;" & _
            "dword SegFs;" & _
            "dword SegEs;" & _
            "dword SegDs;" & _
            "dword Edi;" & _
            "dword Esi;" & _
            "dword Ebx;" & _ ; this is pointer to another structure whose third element will be altered
            "dword Edx;" & _
            "dword Ecx;" & _
            "dword Eax;" & _ ; another manipulation point (will set address of entry point here)
            "dword Ebp;" & _
            "dword Eip;" & _
            "dword SegCs;" & _
            "dword EFlags;" & _
            "dword Esp;" & _
            "dword SegS")

    DllStructSetData($tCONTEXT, "ContextFlags", 0x10002) ; CONTEXT_INTEGER

    ; Fill tCONTEXT structure:

    $aCall = DllCall($dll, "int", "GetThreadContext", _
            "ptr", $hThread, _
            "ptr", DllStructGetPtr($tCONTEXT))


    If @error Or Not $aCall[0] Then
        DllCall($dll, "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(3, 0, 0) ; GetThreadContext function or call to it failed
    EndIf

    #Region 4. READ PE-FORMAT
    ; Start processing passed binary data. 'Reading' PE format follows.
    Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _
            "ushort BytesOnLastPage;" & _
            "ushort Pages;" & _
            "ushort Relocations;" & _
            "ushort SizeofHeader;" & _
            "ushort MinimumExtra;" & _
            "ushort MaximumExtra;" & _
            "ushort SS;" & _
            "ushort SP;" & _
            "ushort Checksum;" & _
            "ushort IP;" & _
            "ushort CS;" & _
            "ushort Relocation;" & _
            "ushort Overlay;" & _
            "char Reserved[8];" & _
            "ushort OEMIdentifier;" & _
            "ushort OEMInformation;" & _
            "char Reserved2[20];" & _
            "dword AddressOfNewExeHeader", _
            $pPointer)

    ; Move pointer
    $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader") ; move to PE file header

    Local $sMagic = DllStructGetData($tIMAGE_DOS_HEADER, "Magic")

    ; Check if it's valid format
    If Not ($sMagic == "MZ") Then
        DllCall($dll, "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(4, 0, 0) ; MS-DOS header missing. Btw 'MZ' are the initials of Mark Zbikowski in case you didn't know.
    EndIf

    Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer)

    ; Move pointer
    $pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure

    ; Check signature
    If DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") <> 17744 Then ; IMAGE_NT_SIGNATURE
        DllCall($dll, "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(5, 0, 0) ; wrong signature. For PE image should be "PE\0\0" or 17744 dword.
    EndIf

    Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _
            "ushort NumberOfSections;" & _
            "dword TimeDateStamp;" & _
            "dword PointerToSymbolTable;" & _
            "dword NumberOfSymbols;" & _
            "ushort SizeOfOptionalHeader;" & _
            "ushort Characteristics", _
            $pPointer)

    ; Get number of sections
    Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")

    ; Move pointer
    $pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure

    Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _
            "ubyte MajorLinkerVersion;" & _
            "ubyte MinorLinkerVersion;" & _
            "dword SizeOfCode;" & _
            "dword SizeOfInitializedData;" & _
            "dword SizeOfUninitializedData;" & _
            "dword AddressOfEntryPoint;" & _
            "dword BaseOfCode;" & _
            "dword BaseOfData;" & _
            "dword ImageBase;" & _
            "dword SectionAlignment;" & _
            "dword FileAlignment;" & _
            "ushort MajorOperatingSystemVersion;" & _
            "ushort MinorOperatingSystemVersion;" & _
            "ushort MajorImageVersion;" & _
            "ushort MinorImageVersion;" & _
            "ushort MajorSubsystemVersion;" & _
            "ushort MinorSubsystemVersion;" & _
            "dword Win32VersionValue;" & _
            "dword SizeOfImage;" & _
            "dword SizeOfHeaders;" & _
            "dword CheckSum;" & _
            "ushort Subsystem;" & _
            "ushort DllCharacteristics;" & _
            "dword SizeOfStackReserve;" & _
            "dword SizeOfStackCommit;" & _
            "dword SizeOfHeapReserve;" & _
            "dword SizeOfHeapCommit;" & _
            "dword LoaderFlags;" & _
            "dword NumberOfRvaAndSizes", _
            $pPointer)

    ; Move pointer
    $pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER

    Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic")

    ; Check if it's 32-bit application
    If $iMagic <> 267 Then
        DllCall($dll, "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(6, 0, 0) ; not 32-bit application. Structures (and sizes) are for 32-bit apps.
    EndIf

    ; Extract entry point address
    Local $iEntryPointNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint") ; if loaded binary image would start executing at this address

    ; Move pointer
    $pPointer += 128 ; size of the structures before IMAGE_SECTION_HEADER (16 of them - find PE specification if you are interested).

    Local $pOptionalHeaderImageBaseNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase") ; address of the first byte of the image when it's loaded in memory
    Local $iOptionalHeaderSizeOfImageNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfImage") ; the size of the image including all headers

    #Region 5. GET AND THEN CHANGE BASE ADDRESS
    ; Read base address
    Local $tPEB = DllStructCreate("byte InheritedAddressSpace;" & _
            "byte ReadImageFileExecOptions;" & _
            "byte BeingDebugged;" & _
            "byte Spare;" & _
            "ptr Mutant;" & _
            "ptr ImageBaseAddress;" & _
            "ptr LoaderData;" & _
            "ptr ProcessParameters;" & _
            "ptr SubSystemData;" & _
            "ptr ProcessHeap;" & _
            "ptr FastPebLock;" & _
            "ptr FastPebLockRoutine;" & _
            "ptr FastPebUnlockRoutine;" & _
            "dword EnvironmentUpdateCount;" & _
            "ptr KernelCallbackTable;" & _
            "ptr EventLogSection;" & _
            "ptr EventLog;" & _
            "ptr FreeList;" & _
            "dword TlsExpansionCounter;" & _
            "ptr TlsBitmap;" & _
            "dword TlsBitmapBits[2];" & _
            "ptr ReadOnlySharedMemoryBase;" & _
            "ptr ReadOnlySharedMemoryHeap;" & _
            "ptr ReadOnlyStaticServerData;" & _
            "ptr AnsiCodePageData;" & _
            "ptr OemCodePageData;" & _
            "ptr UnicodeCaseTableData;" & _
            "dword NumberOfProcessors;" & _
            "dword NtGlobalFlag;" & _
            "ubyte Spare2[4];" & _
            "int64 CriticalSectionTimeout;" & _
            "dword HeapSegmentReserve;" & _
            "dword HeapSegmentCommit;" & _
            "dword HeapDeCommitTotalFreeThreshold;" & _
            "dword HeapDeCommitFreeBlockThreshold;" & _
            "dword NumberOfHeaps;" & _
            "dword MaximumNumberOfHeaps;" & _
            "ptr ProcessHeaps;" & _
            "ptr GdiSharedHandleTable;" & _
            "ptr ProcessStarterHelper;" & _
            "ptr GdiDCAttributeList;" & _
            "ptr LoaderLock;" & _
            "dword OSMajorVersion;" & _
            "dword OSMinorVersion;" & _
            "dword OSBuildNumber;" & _
            "dword OSPlatformId;" & _
            "dword ImageSubSystem;" & _
            "dword ImageSubSystemMajorVersion;" & _
            "dword ImageSubSystemMinorVersion;" & _
            "dword GdiHandleBuffer[34];" & _
            "dword PostProcessInitRoutine;" & _
            "dword TlsExpansionBitmap;" & _
            "ubyte TlsExpansionBitmapBits[128];" & _
            "dword SessionId")

    $aCall = DllCall($dll, "int", "ReadProcessMemory", _
            "ptr", $hProcess, _
            "ptr", DllStructGetData($tCONTEXT, "Ebx"), _
            "ptr", DllStructGetPtr($tPEB), _
            "dword", DllStructGetSize($tPEB), _
            "dword*", 0)

    If @error Or Not $aCall[0] Then
        DllCall($dll, "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(7, 0, 0) ; ReadProcessMemory function or call to it failed while filling PEB structure
    EndIf

    Local $hBaseAddress = DllStructGetData($tPEB, "ImageBaseAddress")

    ; Short version of the above
    #cs
        $aCall = DllCall($dll, "int", "ReadProcessMemory", _
        "ptr", $hProcess, _
        "ptr", DllStructGetData($tCONTEXT, "Ebx") + 8, _
        "ptr*", 0, _
        "dword", 4, _
        "dword*", 0)

        If @error Or Not $aCall[0] Then
        DllCall($dll, "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(7, 0, 0) ; ReadProcessMemory function or call to it failed while reading base address of the process
        EndIf

        Local $hBaseAddress = $aCall[3]
    #ce

    ; Write new base address
    $aCall = DllCall($dll, "int", "WriteProcessMemory", _
            "ptr", $hProcess, _
            "ptr", DllStructGetData($tCONTEXT, "Ebx") + 8, _
            "ptr*", $pOptionalHeaderImageBaseNEW, _
            "dword", 4, _
            "dword*", 0)

    If @error Or Not $aCall[0] Then
        DllCall($dll, "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(8, 0, 0) ; WriteProcessMemory function or call to it failed while writting new base address
    EndIf

    #Region 6. CLEAR EVERYTHING THAT THIS NEW PROCESS HAVE MAPPED
    ; Clear old data.
    $aCall = DllCall($ntdll, "int", "NtUnmapViewOfSection", _
            "ptr", $hProcess, _
            "ptr", $hBaseAddress)

    If @error Or $aCall[0] Then
        DllCall($dll, "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(9, 0, 0) ; NtUnmapViewOfSection function or call to it failed
    EndIf

    #Region 7. ALLOCATE 'NEW' MEMORY SPACE
    ; Allocate proper size of memory at the proper place.
    $aCall = DllCall($dll, "ptr", "VirtualAllocEx", _
            "ptr", $hProcess, _
            "ptr", $pOptionalHeaderImageBaseNEW, _
            "dword", $iOptionalHeaderSizeOfImageNEW, _
            "dword", FileGetSize(@ScriptDir&"\2.exe"), _ ; MEM_COMMIT|MEM_RESERVE
            "dword", 64) ; PAGE_EXECUTE_READWRITE

    If @error Or Not $aCall[0] Then
        DllCall($dll, "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(10, 0, 0) ; VirtualAllocEx function or call to it failed
    EndIf

    Local $pRemoteCode = $aCall[0] ; from now on this is zero-point

    #Region 8. GET AND WRITE NEW PE-HEADERS
    Local $pHEADERS_NEW = DllStructGetPtr($tIMAGE_DOS_HEADER) ; starting address of binary image headers
    Local $iOptionalHeaderSizeOfHeadersNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders") ; the size of the MS-DOS stub, the PE header, and the section headers

    ; Write NEW headers
    $aCall = DllCall($dll, "int", "WriteProcessMemory", _
            "ptr", $hProcess, _
            "ptr", $pRemoteCode, _
            "ptr", $pHEADERS_NEW, _
            "dword", $iOptionalHeaderSizeOfHeadersNEW, _
            "dword*", 0)

    If @error Or Not $aCall[0] Then
        DllCall($dll, "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(11, 0, 0) ; WriteProcessMemory function or call to it while writting new PE headers failed
    EndIf

    #Region 9. WRITE SECTIONS
    ; Dealing with sections. Will write them too as they hold all needed data that PE loader reads
    Local $tIMAGE_SECTION_HEADER
    Local $iSizeOfRawData, $pPointerToRawData
    Local $iVirtualAddress

    For $i = 1 To $iNumberOfSections

        $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _
                "dword UnionOfVirtualSizeAndPhysicalAddress;" & _
                "dword VirtualAddress;" & _
                "dword SizeOfRawData;" & _
                "dword PointerToRawData;" & _
                "dword PointerToRelocations;" & _
                "dword PointerToLinenumbers;" & _
                "ushort NumberOfRelocations;" & _
                "ushort NumberOfLinenumbers;" & _
                "dword Characteristics", _
                $pPointer)

        $iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")
        $pPointerToRawData = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")
        $iVirtualAddress = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress")

        ; If there is data to write, write it where is should be written
        If $iSizeOfRawData Then

            $aCall = DllCall($dll, "int", "WriteProcessMemory", _
                    "ptr", $hProcess, _
                    "ptr", $pRemoteCode + $iVirtualAddress, _
                    "ptr", $pPointerToRawData, _
                    "dword", $iSizeOfRawData, _
                    "dword*", 0)

            If @error Or Not $aCall[0] Then
                DllCall($dll, "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
                Return SetError(12, $i, 0) ; WriteProcessMemory function or call to it while writting new sections failed
            EndIf

        EndIf

        ; Move pointer
        $pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure

    Next

    #Region 10. NEW ENTRY POINT
    ; Entry point manipulation
    DllStructSetData($tCONTEXT, "Eax", $pRemoteCode + $iEntryPointNEW) ; $iEntryPointNEW was relative address

    #Region 11. SET NEW CONTEXT
    ; New context:
    $aCall = DllCall($dll, "int", "SetThreadContext", _
            "ptr", $hThread, _
            "ptr", DllStructGetPtr($tCONTEXT))

    If @error Or Not $aCall[0] Then
        DllCall($dll, "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(13, 0, 0) ; SetThreadContext function or call to it failed
    EndIf

    #Region 12. RESUME THREAD
    ; And that's it!. Continue execution
    $aCall = DllCall($dll, "int", "ResumeThread", "ptr", $hThread)

    If @error Or $aCall[0] = -1 Then
        DllCall($dll, "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(14, 0, 0) ; ResumeThread function or call to it failed
    EndIf

    #Region 13. RETURN SUCCESS
    ; All went well. Return, for example, new PID:
    Return DllStructGetData($tPROCESS_INFORMATION, "ProcessId")

EndFunc

[center][/center][center]=][u][/u][/center][center][/center]

Share this post


Link to post
Share on other sites



bump


[center][/center][center]=][u][/u][/center][center][/center]

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0