IchBistTod

Run Exe From Memory (32/64 bit)

30 posts in this topic

#1 ·  Posted (edited)

I was recently trying to get trancexx's memory injection script to work on both 64 and 32 systems.

I realized the solution, the file being injected into had to be

1)larger than the exe you are attempting to execute

2)32 bit application

I took the time to look through the windows 7 + vista 32 bit files in the syswow64 folder, and none can be used to execute files from memory, they give an initialization error, i see this may be related to the fact some or most are compiled with .net and/or have protection from such methods.

So my solution was to make a small script modification and added a switch to determine what file to use, I know there might have been a cleaner way to do this, but here is my go at it.

ps: the file i use on 64 bit is reshacker.exe a publically available program, just google it.

Tested on XP 32 bit, win 7 64 bit, wind vista 64 bit

not tested on Vista or 7 32 bit.

MUST BE COMPILED TO 32 BIT REGARDLESS OF OPERATING SYSTEM

MUST USE A 32 BIT EXE TO INJECT INTO MEMORY

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseX64=n
#AutoIt3Wrapper_Res_Language=1033
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
global $baseexe
$baseexe = @WindowsDir&"\explorer.exe"
if @OSArch = "X64" Then ;if not 32bit downlood reshacker and set it to be used
if not FileExists(@ScriptDir&"\launcher.exe") Then
    InetGet("http://panics.co.cc/downloads/reshacker.exe", @ScriptDir&"\launcher.exe")
EndIf   
        $baseexe = @ScriptDir&"\launcher.exe"

Else

    $baseexe = @WindowsDir&"\explorer.exe";else use explorer.

EndIf

; YOUR CODE HERE

Func _RunExeFromMemory($bBinaryImage, $iCompressed = 0, $test = 0)

    #Region 1. PREPROCESSING PASSED
    Local $tInput = DllStructCreate("byte[" & BinaryLen($bBinaryImage) & "]")
    DllStructSetData($tInput, 1, $bBinaryImage)

    Local $pPointer

    If $iCompressed Then
        ; Buffer for decompressed data
        Local $tBuffer = DllStructCreate("byte[" & 32 * DllStructGetSize($tInput) & "]") ; oversizing it

        ; Decompression follows:
        Local $aCall = DllCall("ntdll.dll", "int", "RtlDecompressBuffer", _
                "ushort", 2, _
                "ptr", DllStructGetPtr($tBuffer), _
                "dword", DllStructGetSize($tBuffer), _
                "ptr", DllStructGetPtr($tInput), _
                "dword", DllStructGetSize($tInput), _
                "dword*", 0)

        If @error Or $aCall[0] Then ; If any troubles try original data anyway
            $pPointer = DllStructGetPtr($tInput)
        Else
            $pPointer = DllStructGetPtr($tBuffer)
        EndIf
    Else
        ; Not compressed
        $pPointer = DllStructGetPtr($tInput)
    EndIf

    #Region 2. CREATING NEW PROCESS
    ; STARTUPINFO structure (actually all that really matters is allocaed space)
    Local $tSTARTUPINFO = DllStructCreate("dword  cbSize;" & _
            "ptr Reserved;" & _
            "ptr Desktop;" & _
            "ptr Title;" & _
            "dword X;" & _
            "dword Y;" & _
            "dword XSize;" & _
            "dword YSize;" & _
            "dword XCountChars;" & _
            "dword YCountChars;" & _
            "dword FillAttribute;" & _
            "dword Flags;" & _
            "ushort ShowWindow;" & _
            "ushort Reserved2;" & _
            "ptr Reserved2;" & _
            "ptr hStdInput;" & _
            "ptr hStdOutput;" & _
            "ptr hStdError")

    ; This is much important. This structure will hold some very important data.
    Local $tPROCESS_INFORMATION = DllStructCreate("ptr Process;" & _
            "ptr Thread;" & _
            "dword ProcessId;" & _
            "dword ThreadId")

    ; Create new process
    $aCall = DllCall("kernel32.dll", "int", "CreateProcessW", _
            "wstr", $baseexe, _ ; try something else too (now only range plays, giving us a space)
            "ptr", 0, _
            "ptr", 0, _
            "ptr", 0, _
            "int", 0, _
            "dword", 4, _ ; CREATE_SUSPENDED ; <- this is essential
            "ptr", 0, _
            "ptr", 0, _
            "ptr", DllStructGetPtr($tSTARTUPINFO), _
            "ptr", DllStructGetPtr($tPROCESS_INFORMATION))

    If @error Or Not $aCall[0] Then
        Return SetError(2, 0, 0) ; CreateProcess function or call to it failed
    EndIf

    ; New process and thread handles:
    Local $hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process")
    Local $hThread = DllStructGetData($tPROCESS_INFORMATION, "Thread")

    #Region 3. FILL CONTEXT STRUCTURE
    ; CONTEXT structure is what's really important here. It's very 'misterious'
    Local $tCONTEXT = DllStructCreate("dword ContextFlags;" & _
            "dword Dr0;" & _
            "dword Dr1;" & _
            "dword Dr2;" & _
            "dword Dr3;" & _
            "dword Dr6;" & _
            "dword Dr7;" & _
            "dword ControlWord;" & _
            "dword StatusWord;" & _
            "dword TagWord;" & _
            "dword ErrorOffset;" & _
            "dword ErrorSelector;" & _
            "dword DataOffset;" & _
            "dword DataSelector;" & _
            "byte RegisterArea[80];" & _
            "dword Cr0NpxState;" & _
            "dword SegGs;" & _
            "dword SegFs;" & _
            "dword SegEs;" & _
            "dword SegDs;" & _
            "dword Edi;" & _
            "dword Esi;" & _
            "dword Ebx;" & _ ; this is pointer to another structure whose third element will be altered
            "dword Edx;" & _
            "dword Ecx;" & _
            "dword Eax;" & _ ; another manipulation point (will set address of entry point here)
            "dword Ebp;" & _
            "dword Eip;" & _
            "dword SegCs;" & _
            "dword EFlags;" & _
            "dword Esp;" & _
            "dword SegS")

    DllStructSetData($tCONTEXT, "ContextFlags", 0x10002) ; CONTEXT_INTEGER

    ; Fill tCONTEXT structure:
    $aCall = DllCall("kernel32.dll", "int", "GetThreadContext", _
            "ptr", $hThread, _
            "ptr", DllStructGetPtr($tCONTEXT))

    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(3, 0, 0) ; GetThreadContext function or call to it failed
    EndIf

    #Region 4. READ PE-FORMAT
    ; Start processing passed binary data. 'Reading' PE format follows.
    Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _
            "ushort BytesOnLastPage;" & _
            "ushort Pages;" & _
            "ushort Relocations;" & _
            "ushort SizeofHeader;" & _
            "ushort MinimumExtra;" & _
            "ushort MaximumExtra;" & _
            "ushort SS;" & _
            "ushort SP;" & _
            "ushort Checksum;" & _
            "ushort IP;" & _
            "ushort CS;" & _
            "ushort Relocation;" & _
            "ushort Overlay;" & _
            "char Reserved[8];" & _
            "ushort OEMIdentifier;" & _
            "ushort OEMInformation;" & _
            "char Reserved2[20];" & _
            "dword AddressOfNewExeHeader", _
            $pPointer)

    ; Move pointer
    $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader") ; move to PE file header

    Local $sMagic = DllStructGetData($tIMAGE_DOS_HEADER, "Magic")

    ; Check if it's valid format
    If Not ($sMagic == "MZ") Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(4, 0, 0) ; MS-DOS header missing. Btw 'MZ' are the initials of Mark Zbikowski in case you didn't know.
    EndIf

    Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer)

    ; Move pointer
    $pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure

    ; Check signature
    If DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") <> 17744 Then ; IMAGE_NT_SIGNATURE
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(5, 0, 0) ; wrong signature. For PE image should be "PE\0\0" or 17744 dword.
    EndIf

    Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _
            "ushort NumberOfSections;" & _
            "dword TimeDateStamp;" & _
            "dword PointerToSymbolTable;" & _
            "dword NumberOfSymbols;" & _
            "ushort SizeOfOptionalHeader;" & _
            "ushort Characteristics", _
            $pPointer)

    ; Get number of sections
    Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")

    ; Move pointer
    $pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure

    Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _
            "ubyte MajorLinkerVersion;" & _
            "ubyte MinorLinkerVersion;" & _
            "dword SizeOfCode;" & _
            "dword SizeOfInitializedData;" & _
            "dword SizeOfUninitializedData;" & _
            "dword AddressOfEntryPoint;" & _
            "dword BaseOfCode;" & _
            "dword BaseOfData;" & _
            "dword ImageBase;" & _
            "dword SectionAlignment;" & _
            "dword FileAlignment;" & _
            "ushort MajorOperatingSystemVersion;" & _
            "ushort MinorOperatingSystemVersion;" & _
            "ushort MajorImageVersion;" & _
            "ushort MinorImageVersion;" & _
            "ushort MajorSubsystemVersion;" & _
            "ushort MinorSubsystemVersion;" & _
            "dword Win32VersionValue;" & _
            "dword SizeOfImage;" & _
            "dword SizeOfHeaders;" & _
            "dword CheckSum;" & _
            "ushort Subsystem;" & _
            "ushort DllCharacteristics;" & _
            "dword SizeOfStackReserve;" & _
            "dword SizeOfStackCommit;" & _
            "dword SizeOfHeapReserve;" & _
            "dword SizeOfHeapCommit;" & _
            "dword LoaderFlags;" & _
            "dword NumberOfRvaAndSizes", _
            $pPointer)

    ; Move pointer
    $pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER

    Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic")

    ; Check if it's 32-bit application
    If $iMagic <> 267 Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(6, 0, 0) ; not 32-bit application. Structures (and sizes) are for 32-bit apps.
    EndIf
If  $test = 1 and $iMagic <> 267 Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return 0
    EndIf
    ; Extract entry point address
    Local $iEntryPointNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint") ; if loaded binary image would start executing at this address

    ; Move pointer
    $pPointer += 128 ; size of the structures before IMAGE_SECTION_HEADER (16 of them - find PE specification if you are interested).

    Local $pOptionalHeaderImageBaseNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase") ; address of the first byte of the image when it's loaded in memory
    Local $iOptionalHeaderSizeOfImageNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfImage") ; the size of the image including all headers

    #Region 5. GET AND THEN CHANGE BASE ADDRESS
    ; Read base address
    Local $tPEB = DllStructCreate("byte InheritedAddressSpace;" & _
            "byte ReadImageFileExecOptions;" & _
            "byte BeingDebugged;" & _
            "byte Spare;" & _
            "ptr Mutant;" & _
            "ptr ImageBaseAddress;" & _
            "ptr LoaderData;" & _
            "ptr ProcessParameters;" & _
            "ptr SubSystemData;" & _
            "ptr ProcessHeap;" & _
            "ptr FastPebLock;" & _
            "ptr FastPebLockRoutine;" & _
            "ptr FastPebUnlockRoutine;" & _
            "dword EnvironmentUpdateCount;" & _
            "ptr KernelCallbackTable;" & _
            "ptr EventLogSection;" & _
            "ptr EventLog;" & _
            "ptr FreeList;" & _
            "dword TlsExpansionCounter;" & _
            "ptr TlsBitmap;" & _
            "dword TlsBitmapBits[2];" & _
            "ptr ReadOnlySharedMemoryBase;" & _
            "ptr ReadOnlySharedMemoryHeap;" & _
            "ptr ReadOnlyStaticServerData;" & _
            "ptr AnsiCodePageData;" & _
            "ptr OemCodePageData;" & _
            "ptr UnicodeCaseTableData;" & _
            "dword NumberOfProcessors;" & _
            "dword NtGlobalFlag;" & _
            "ubyte Spare2[4];" & _
            "int64 CriticalSectionTimeout;" & _
            "dword HeapSegmentReserve;" & _
            "dword HeapSegmentCommit;" & _
            "dword HeapDeCommitTotalFreeThreshold;" & _
            "dword HeapDeCommitFreeBlockThreshold;" & _
            "dword NumberOfHeaps;" & _
            "dword MaximumNumberOfHeaps;" & _
            "ptr ProcessHeaps;" & _
            "ptr GdiSharedHandleTable;" & _
            "ptr ProcessStarterHelper;" & _
            "ptr GdiDCAttributeList;" & _
            "ptr LoaderLock;" & _
            "dword OSMajorVersion;" & _
            "dword OSMinorVersion;" & _
            "dword OSBuildNumber;" & _
            "dword OSPlatformId;" & _
            "dword ImageSubSystem;" & _
            "dword ImageSubSystemMajorVersion;" & _
            "dword ImageSubSystemMinorVersion;" & _
            "dword GdiHandleBuffer[34];" & _
            "dword PostProcessInitRoutine;" & _
            "dword TlsExpansionBitmap;" & _
            "ubyte TlsExpansionBitmapBits[128];" & _
            "dword SessionId")

    $aCall = DllCall("kernel32.dll", "int", "ReadProcessMemory", _
            "ptr", $hProcess, _
            "ptr", DllStructGetData($tCONTEXT, "Ebx"), _
            "ptr", DllStructGetPtr($tPEB), _
            "dword", DllStructGetSize($tPEB), _
            "dword*", 0)

    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(7, 0, 0) ; ReadProcessMemory function or call to it failed while filling PEB structure
    EndIf

    Local $hBaseAddress = DllStructGetData($tPEB, "ImageBaseAddress")

    ; Short version of the above
    #cs
        $aCall = DllCall("kernel32.dll", "int", "ReadProcessMemory", _
        "ptr", $hProcess, _
        "ptr", DllStructGetData($tCONTEXT, "Ebx") + 8, _
        "ptr*", 0, _
        "dword", 4, _
        "dword*", 0)

        If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(7, 0, 0) ; ReadProcessMemory function or call to it failed while reading base address of the process
        EndIf

        Local $hBaseAddress = $aCall[3]
    #ce

    ; Write new base address
    $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", _
            "ptr", $hProcess, _
            "ptr", DllStructGetData($tCONTEXT, "Ebx") + 8, _
            "ptr*", $pOptionalHeaderImageBaseNEW, _
            "dword", 4, _
            "dword*", 0)

    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(8, 0, 0) ; WriteProcessMemory function or call to it failed while writting new base address
    EndIf

    #Region 6. CLEAR EVERYTHING THAT THIS NEW PROCESS HAVE MAPPED
    ; Clear old data.
    $aCall = DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", _
            "ptr", $hProcess, _
            "ptr", $hBaseAddress)

    If @error Or $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(9, 0, 0) ; NtUnmapViewOfSection function or call to it failed
    EndIf

    #Region 7. ALLOCATE 'NEW' MEMORY SPACE
    ; Allocate proper size of memory at the proper place.
    $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", _
            "ptr", $hProcess, _
            "ptr", $pOptionalHeaderImageBaseNEW, _
            "dword", $iOptionalHeaderSizeOfImageNEW, _
            "dword", 12288, _ ; MEM_COMMIT|MEM_RESERVE
            "dword", 64) ; PAGE_EXECUTE_READWRITE

    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(10, 0, 0) ; VirtualAllocEx function or call to it failed
    EndIf

    Local $pRemoteCode = $aCall[0] ; from now on this is zero-point

    #Region 8. GET AND WRITE NEW PE-HEADERS
    Local $pHEADERS_NEW = DllStructGetPtr($tIMAGE_DOS_HEADER) ; starting address of binary image headers
    Local $iOptionalHeaderSizeOfHeadersNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders") ; the size of the MS-DOS stub, the PE header, and the section headers

    ; Write NEW headers
    $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", _
            "ptr", $hProcess, _
            "ptr", $pRemoteCode, _
            "ptr", $pHEADERS_NEW, _
            "dword", $iOptionalHeaderSizeOfHeadersNEW, _
            "dword*", 0)

    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(11, 0, 0) ; WriteProcessMemory function or call to it while writting new PE headers failed
    EndIf

    #Region 9. WRITE SECTIONS
    ; Dealing with sections. Will write them too as they hold all needed data that PE loader reads
    Local $tIMAGE_SECTION_HEADER
    Local $iSizeOfRawData, $pPointerToRawData
    Local $iVirtualAddress

    For $i = 1 To $iNumberOfSections

        $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _
                "dword UnionOfVirtualSizeAndPhysicalAddress;" & _
                "dword VirtualAddress;" & _
                "dword SizeOfRawData;" & _
                "dword PointerToRawData;" & _
                "dword PointerToRelocations;" & _
                "dword PointerToLinenumbers;" & _
                "ushort NumberOfRelocations;" & _
                "ushort NumberOfLinenumbers;" & _
                "dword Characteristics", _
                $pPointer)

        $iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")
        $pPointerToRawData = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")
        $iVirtualAddress = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress")

        ; If there is data to write, write it where is should be written
        If $iSizeOfRawData Then

            $aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", _
                    "ptr", $hProcess, _
                    "ptr", $pRemoteCode + $iVirtualAddress, _
                    "ptr", $pPointerToRawData, _
                    "dword", $iSizeOfRawData, _
                    "dword*", 0)

            If @error Or Not $aCall[0] Then
                DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
                Return SetError(12, $i, 0) ; WriteProcessMemory function or call to it while writting new sections failed
            EndIf

        EndIf

        ; Move pointer
        $pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure

    Next

    #Region 10. NEW ENTRY POINT
    ; Entry point manipulation
    DllStructSetData($tCONTEXT, "Eax", $pRemoteCode + $iEntryPointNEW) ; $iEntryPointNEW was relative address

    #Region 11. SET NEW CONTEXT
    ; New context:
    $aCall = DllCall("kernel32.dll", "int", "SetThreadContext", _
            "ptr", $hThread, _
            "ptr", DllStructGetPtr($tCONTEXT))

    If @error Or Not $aCall[0] Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(13, 0, 0) ; SetThreadContext function or call to it failed
    EndIf

    #Region 12. RESUME THREAD
    ; And that's it!. Continue execution
    $aCall = DllCall("kernel32.dll", "int", "ResumeThread", "ptr", $hThread)

    If @error Or $aCall[0] = -1 Then
        DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
        Return SetError(14, 0, 0) ; ResumeThread function or call to it failed
    EndIf

    #Region 13. RETURN SUCCESS
    ; All went well. Return, for example, new PID:
    Return DllStructGetData($tPROCESS_INFORMATION, "ProcessId")

EndFunc
Edited by IchBistTod
1 person likes this

[center][/center][center]=][u][/u][/center][center][/center]

Share this post


Link to post
Share on other sites



can you explain that what is benefit of running exe from memory?


Share this post


Link to post
Share on other sites

can you explain that what is benefit of running exe from memory?

The ability to run an exe without ever having to place it on the user's hard drive.

for example using _inetgetsource() to get the binary then running it from memory would mean it would never touch the user's hard drive.

There are many uses, but i find this form of cloud executing the most useful.


[center][/center][center]=][u][/u][/center][center][/center]

Share this post


Link to post
Share on other sites

it means the script 'll run directly from RAM and not from HDD?


Share this post


Link to post
Share on other sites

it means the script 'll run directly from RAM and not from HDD?

- That's affirmative.

But isn't it too obvious? After reading the first post in the thread, this question should not arise.


[Not using this account any more. Using "iShafayet" instead]

Share this post


Link to post
Share on other sites

; CONTEXT structure is what's really important here. It's very 'misterious'

Why do you use global variables [$baseexe] in your function? Maybe a better example and some documentation would clear up the confusion.

Don't bother, It's inside your monitor!------GUISetOnEvent should behave more like HotKeySet()

Share this post


Link to post
Share on other sites

#7 ·  Posted (edited)

also note to everyone.

no simply creating a .exe with null data, or "pumping" an exe to make it bigger wont work.

Windows considers the end of the binary for the app the total size of the base exe.

Edited by IchBistTod

[center][/center][center]=][u][/u][/center][center][/center]

Share this post


Link to post
Share on other sites

no simpyl creating a .exe with null data, or "pumping" an exe to

make it bigger wont work.

How do you suggest to perfectly increase the size without flagging an error event on runtime? My experiment was a failure regarding this.

[Not using this account any more. Using "iShafayet" instead]

Share this post


Link to post
Share on other sites

How do you suggest to perfectly increase the size without flagging an error event on runtime? My experiment was a failure regarding this.

well right now as im using it to exe off the web im simply limiting my tools to <800kb.

However if you wanted to store it in the exe you could try putting the binary of the app you wanna run in the resource data of the autoit exe, and use @scriptfullpath for the base exe, making it launch off itself(which SHOULD work cuz the autoit exe would be the size of the binary in the resources + the original size.

This is untested, but im pretty sure windows counts binary resource data into the total size of the file.


[center][/center][center]=][u][/u][/center][center][/center]

Share this post


Link to post
Share on other sites

Thank you.

I am going to test it tonight with @ScriptFullPath


[Not using this account any more. Using "iShafayet" instead]

Share this post


Link to post
Share on other sites

Why do you use global variables [$baseexe] in your function? Maybe a better example and some documentation would clear up the confusion.

This global variable is the location of a 32 bit exe larger than the file to execute from memory on the local machine.

This will be a "shell" for the binary you want to execute.

It will appear to the OS as if you are launching this file, however the process is stopped at runtime and your binary is injected into the process.

On vista and 7 this file must be larger than the binary you are executing (for security reasons), and it must always be a 32 bit exe.

Using a switch to declare this exe based on the environment allows it to be declared/downloaded only once and multipule calls to the function to be made off that oen base exe.

I hope I explained this correctly.

I am a bit tired.


[center][/center][center]=][u][/u][/center][center][/center]

Share this post


Link to post
Share on other sites

#13 ·  Posted (edited)

Thank you.

I am going to test it tonight with @ScriptFullPath

So I assume thats a negative on success via stated method?

Edited by IchBistTod

[center][/center][center]=][u][/u][/center][center][/center]

Share this post


Link to post
Share on other sites

Also, two stars?

Two freaking stars?

Honestly?

Those who provided such rating must either be too ignorant to use it, too ignorant to understand it, or too ignorant to appreciate it.

No matter, those intelligent enough to make use of it when such need is required will have the ability to do so.


[center][/center][center]=][u][/u][/center][center][/center]

Share this post


Link to post
Share on other sites

#15 ·  Posted (edited)

Also, two stars?

Two freaking stars?

Honestly?

Those who provided such rating must either be too ignorant to use it, too ignorant to understand it, or too ignorant to appreciate it.

No matter, those intelligent enough to make use of it when such need is required will have the ability to do so.

And just because of that ungrateful post, I rated 1 star.

But instead of stars, there should be little red flames to indicate negative ratings.

Edit: You do know where the "Edit" button is, right? Because posting 4 posts right after each other is just "Bumping" to me. The last two only have 3 minutes between them, instead of the recommended 24 hours.

Edited by Kip

Share this post


Link to post
Share on other sites

IchBistTod, the post topic is a bit misleading (32/64 bit), especially when you write:

MUST BE COMPILED TO 32 BIT REGARDLESS OF OPERATING SYSTEM

MUST USE A 32 BIT EXE TO INJECT INTO MEMORY

And why aren't there any links to trancexx's original 'Run binary' thread you borrow your code from? Also, amazingly her code works on 64-bit executables (as well as O/S's from XP to Win7). The size of exe's may be an issue that you resolve though, so at least that is a bit of progress.

Share this post


Link to post
Share on other sites

IchBistTod, the post topic is a bit misleading (32/64 bit), especially when you write:

And why aren't there any links to trancexx's original 'Run binary' thread you borrow your code from? Also, amazingly her code works on 64-bit executables (as well as O/S's from XP to Win7). The size of exe's may be an issue that you resolve though, so at least that is a bit of progress.

I have tryed it and it works.. but it doesnt work on some Windows Machines.. i tested it on windows7 ultimate, XP and one some XP's it works and some dont.. i dont know why.. Maybe it depeends what language is the OS is or something?

Share this post


Link to post
Share on other sites

IchBistTod , Can you give me an example ? I used these Code ,but failure,

$hFile=FileOpen(@systemdir&"\regedt32.exe",16)

$bFile=FileRead($hFile)

_RunExeFromMemory($bFile)

Share this post


Link to post
Share on other sites

IchBistTod , Can you give me an example ? I used these Code ,but failure,

$hFile=FileOpen(@systemdir&"\regedt32.exe",16)

$bFile=FileRead($hFile)

_RunExeFromMemory($bFile)

Try adding:

Global $baseexe = @WindowsDir & "\explorer.exe"

Share this post


Link to post
Share on other sites

Hello,

Same as SunSunshine. I used a similar code and the injection doesn't work on X64 :-(

(The goal is to inject a 32bit exe in the memory of a X64 platform)

@Watson :

Can you please explain me why this instruction "Global $baseexe = @WindowsDir & "\explorer.exe" could solve the problem ?

I don't understand.

Thanks.

Mag.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now