prazetto
- Analyze program by starting it in virtualization. What file and registry activity of program. Possibly for malware analysis.

Can you provide an example of this?

I tried this

#include <VirtualFlex.Memory.au3>
Virtual_VirtualGate(True) ; Open Virtual Gate
Virtual_DebugLog(1)
Virtual_LogFileA(@ScriptDir & '\track.log')
Local $iPid = Run("test.exe")
ProcessWaitClose($iPid) ; Run returns immediately; wait so the child has actually written before reading
MsgBox(0, 'Registry', RegRead("HKEY_CURRENT_USER\Software\Test", "TestKey"))
Virtual_VirtualGate(False) ; Close Virtual Gate

test.exe

#RequireAdmin
RegWrite("HKEY_CURRENT_USER\Software\Test", "TestKey", "REG_SZ", "This registry value exist virtually")

test.exe still wrote to the registry.
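The following is an added example, not code from the thread or from the VirtualFlex UDF. It turns the first post's test into a containment check: the real registry is probed before anything runs, the sample is run inside the gate and waited for, the value is read once while the gate is still open and once after it is closed. The behaviour of Virtual_VirtualGate, Virtual_DebugLog and Virtual_LogFileA (changes made while the gate is open stay virtual and disappear when it is closed) is assumed from how the thread uses them; the format of track.log is not documented on the page, so the log is only dumped for review, not parsed. The file name test.exe and the key/value names are the poster's.

```autoit
; Added example: does a child's registry write stay inside the virtual gate?
; Assumed from the thread: Virtual_VirtualGate(True/False) opens/closes the gate,
; Virtual_LogFileA names the activity log. Not part of the UDF's own samples.
#include <VirtualFlex.Memory.au3>

Global Const $sSample  = @ScriptDir & '\test.exe'            ; the poster's sample binary
Global Const $sLogFile = @ScriptDir & '\track.log'
Global Const $sRegKey  = 'HKEY_CURRENT_USER\Software\Test'
Global Const $sRegVal  = 'TestKey'

; Probe the real registry first, so a stale value from an earlier run is not mistaken for a leak.
RegRead($sRegKey, $sRegVal)
If Not @error Then
    ConsoleWrite('! ' & $sRegKey & '\' & $sRegVal & ' exists before the test; remove it and re-run' & @CRLF)
    Exit 1
EndIf

Virtual_VirtualGate(True)                 ; from here on, changes should be virtual
Virtual_DebugLog(1)
Virtual_LogFileA($sLogFile)

Local $iPid = Run($sSample)
If @error Then
    Virtual_VirtualGate(False)
    ConsoleWrite('! could not start ' & $sSample & @CRLF)
    Exit 1
EndIf
ProcessWaitClose($iPid)                   ; read only after the child has finished

Local $sInside = RegRead($sRegKey, $sRegVal)     ; expected: the virtual value is visible here
Local $iInsideErr = @error

Virtual_VirtualGate(False)                ; gate closed: the virtual view should be gone

Local $sOutside = RegRead($sRegKey, $sRegVal)    ; expected: @error set, value not found
Local $iOutsideErr = @error

ConsoleWrite('inside gate : ' & ($iInsideErr ? '<not found>' : $sInside) & @CRLF)
ConsoleWrite('outside gate: ' & ($iOutsideErr ? '<not found>' : $sOutside) & @CRLF)
If Not $iOutsideErr Then
    ; The write reached the real registry, i.e. virtualization did not contain it.
    ConsoleWrite('! LEAK: value is present outside the gate; removing it' & @CRLF)
    RegDelete($sRegKey, $sRegVal)
EndIf

; The log is written by the UDF; dump it so the recorded file/registry activity can be reviewed.
If FileExists($sLogFile) Then ConsoleWrite(FileRead($sLogFile) & @CRLF)
```

The difference from the first post's test is where the read happens: a value read while the gate is open is expected to be visible whether or not it was contained, so only the read after Virtual_VirtualGate(False), or a read from a separate non-virtualized process, says anything about a leak.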


I got an error when I tried to virtualize php.exe and use it... even just a simple command like

php -v

Hope someone can help/guide me through this


Here is the code that I use...

#include "VirtualFlex\Base64.au3"
#include "VirtualFlex\VirtualFlex.Memory.au3"
#include "Systems\libeay32.au3"
#include "Systems\ntwdblib.au3"
#include "Systems\php.au3"
#include "Systems\ssleay32.au3"
#include "Systems\php5ts.au3"


Virtual_FileA(@ScriptDir & '\libeay32.dll', _Base64Decode($libeay32dll))
Virtual_FileA(@ScriptDir & '\ntwdblib.dll', _Base64Decode($ntwdblibdll))
Virtual_FileA(@ScriptDir & '\php.exe', _Base64Decode($phpexe))
Virtual_FileA(@ScriptDir & '\ssleay32.dll', _Base64Decode($ssleay32dll))
Virtual_FileA(@ScriptDir & '\php5ts.dll', _Base64Decode($php5tsdll))

;~ $pid = Run('cmd.exe ' & ' /k')
$pid = RunAttached(@ComSpec, '/k "'& @ScriptDir &'\php.exe" ' & ' -v')
ConsoleWrite($pid & @CRLF)


; Start $sFilename suspended, attach the virtualizer to it, then resume it,
; so the child cannot touch files or the registry before the hook is in place.
Func RunAttached ( $sFilename, $sParams=0 )

    If $sParams Then
        $sParams = '"' & $sFilename & '" ' & $sParams
    Else
        $sParams = '"' & $sFilename & '"'
    EndIf

    Local $hKernel32 = DllOpen("Kernel32.DLL")

    ; STARTUPINFO Structure (the three Std* members are HANDLEs, so "handle" keeps the layout right on x64 too)
    Local $tSTARTUPINFO = DllStructCreate("int Size;" & _
        "ptr Reserved1;" & _
        "ptr Desktop;" & _
        "ptr Title;" & _
        "int X;" & _
        "int Y;" & _
        "int XSize;" & _
        "int YSize;" & _
        "int XCountChars;" & _
        "int YCountChars;" & _
        "int FillAttribute;" & _
        "int Flags;" & _
        "short ShowWindow;" & _
        "short Reserved2;" & _
        "ptr Reserved3;" & _
        "handle StdInput;" & _
        "handle StdOutput;" & _
        "handle StdError")
    DllStructSetData($tSTARTUPINFO, "Size", DllStructGetSize($tSTARTUPINFO))

    ; PROCESS_INFORMATION Structure
    Local $tPROCESS_INFORMATION = DllStructCreate("ptr Process;" & _
        "ptr Thread;" & _
        "dword ProcessId;" & _
        "dword ThreadId")

    Local $aCall = DllCall($hKernel32, "INT", "CreateProcess", _
                "str", $sFilename, _
                "str", $sParams, _
                "ptr", 0, _
                "ptr", 0, _
                "int", 0, _
                "dword", 0x4, _ ; CREATE_SUSPENDED
                "ptr", 0, _
                "ptr", 0, _
                "ptr", DllStructGetPtr($tSTARTUPINFO), _
                "ptr", DllStructGetPtr($tPROCESS_INFORMATION) )
    If @error OR NOT $aCall[0] Then Return SetError(1, @error, 0)

    Local $hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process"), _
          $hThread  = DllStructGetData($tPROCESS_INFORMATION, "Thread"), _
          $PID = DllStructGetData($tPROCESS_INFORMATION, "ProcessId"), _
          $TID  = DllStructGetData($tPROCESS_INFORMATION, "ThreadId")

    ; Attach child process while its main thread is still suspended
    Virtual_Option($FLEX_ALL_CHANGES_ARE_VIRTUAL, True)
    Virtual_Option($FLEX_INHERIT_OPTIONS, True)
    Virtual_AttachToProcess($PID)

    ; Resume the main thread; ResumeThread returns the previous suspend count (1 here), or -1 on failure
    $aCall = DllCall($hKernel32, "INT", "ResumeThread", _
                "handle", $hThread)
    If @error OR $aCall[0] = -1 Then Return SetError(2, @error, 0)

    DllCall($hKernel32, 'BOOL', 'CloseHandle', _
                'handle', $hThread)
    DllCall($hKernel32, 'BOOL', 'CloseHandle', _
                'handle', $hProcess)
    DllClose($hKernel32)
;~  Return DllStructGetData($tPROCESS_INFORMATION, "ProcessID")
    Return $PID
EndFunc

Here are all the files needed to test

pv.rar

and here is the error screenshot


Sorry for the necro-post but I'm having issues with this script:

#include <VirtualFlex.Memory.au3>

Virtual_DirCreateA(@ScriptDir & '\Data')
FileCopy(@ScriptDir & "\aut2exe.exe", @ScriptDir & "\Data\aut2exe.exe")
$pid = Run('cmd.exe /k cd /d "' & @ScriptDir & '"', @SystemDir, @SW_SHOW)
Virtual_AttachToProcess($pid)
; to detach use: Virtual_DetachFromProcess($pid)
Virtual_ProcessOption($pid, $FLEX_ALL_CHANGES_ARE_VIRTUAL + $FLEX_EMBED_VIRTUAL_IN_CHILD_PROCESSES + $FLEX_EMULATE_OUT_OF_PROC_COM_SERVERS + $FLEX_INHERIT_OPTIONS, 1)
While ProcessExists($pid)
    Sleep(10)
WEnd

Attempting to execute any exe from that Data directory fails. Even with cmd, Run, or ShellExecute, nothing works.

What is what? What is what.


Where is the DLL from? Your own work? If not, how about the licensing of the DLL? Can't use it properly if you don't know anything about it ..

Edit: besides, Virtual_AttachToProcess does not work. At least not on Windows 8.1 x32. So your sample "Sample.AnotherProcess^.au3" is not working anymore ..

Edited by Leo1906

Doing some research, it seems that I cannot find the DLL anywhere else. I tore into Google with every bit of info centric to that DLL and couldn't find a valid source, not even web.archive.org.

What is what? What is what.


I have found that this seems to sort of work in current Windows 10 when running with AutoIt 32-bit; however, when you attempt to open a file open dialog (either with AutoIt via FileOpenDialog() or the open/save dialog of a child process), it will cause the process to crash.

However, it will still sort of work: for example, I can run cmd.exe as a child process and was able to read and write to virtual files. But they did not appear in a directory listing for some reason.
Example modified from Sample.AnotherProcess^.au3:

#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <WinAPI.au3>
#include <VirtualFlex.Memory.au3>
#include <Constants.au3>

Virtual_FileA(@ScriptDir & '\text.txt', 'This file virtually exist!')
ConsoleWrite(FileRead(@ScriptDir & '\text.txt') & @LF)

$pid = Run(@ComSpec, @ScriptDir, @SW_SHOW)

Virtual_AttachToProcess($pid)
; to detach use: Virtual_DetachFromProcess($pid)

Virtual_ProcessOption($pid, $FLEX_ALL_CHANGES_ARE_VIRTUAL, 1)

$Form1 = GUICreate("Form1", 257, 147, 192, 124)
GUISetState(@SW_SHOW)

Do
    $nMsg = GUIGetMsg()
    Switch $nMsg
        Case $GUI_EVENT_CLOSE
            Exit
    EndSwitch
Until False

Then in the cmd.exe box that appears you can read and write to virtual files:

C:\test_dir>type text.txt
This file virtually exist!
C:\test_dir>dir text.txt
 Volume in drive C is Windows
 Volume Serial Number is ECD1-59CD

 Directory of C:\test_dir

File Not Found

C:\test_dir>echo test_TEXT>test_virtual_file.txt

C:\test_dir>type test_virtual_file.txt
test_TEXT

C:\test_dir>dir test_virtual_file.txt
 Volume in drive C is Windows
 Volume Serial Number is ECD1-59CD

 Directory of C:\test_dir

File Not Found
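The following is an added example, not code from the thread or from the VirtualFlex UDF. It reproduces the setup of the post above and then probes the observation that a virtual file can be opened by name but does not show up in a listing, from two sides: the parent script (FileExists and FileRead versus FileFindFirstFile enumeration) and an attached cmd.exe child (type versus dir /b). The child is started with its standard streams captured and only receives its commands after Virtual_AttachToProcess has run, so it cannot race ahead of the hook. Which of these calls sees the virtual file is exactly what is being tested, so nothing is asserted; every probe just prints its result. Virtual_FileA, Virtual_AttachToProcess and Virtual_ProcessOption are used as the thread uses them; as the post says, run it under 32-bit AutoIt.

```autoit
; Added example: where is a virtual file visible? (parent vs. attached child, open vs. enumerate)
; Assumed from the thread: Virtual_FileA creates an in-memory file at the given path,
; Virtual_AttachToProcess/Virtual_ProcessOption make the child see it. Not a UDF sample.
#include <VirtualFlex.Memory.au3>
#include <Constants.au3>

Global Const $sDir  = @ScriptDir
Global Const $sName = 'text.txt'
Global Const $sPath = $sDir & '\' & $sName

Virtual_FileA($sPath, 'This file virtually exist!')

; 1) Parent-side probes: open-by-name calls vs. directory enumeration.
ConsoleWrite('parent FileExists : ' & (FileExists($sPath) ? 'yes' : 'no') & @CRLF)
ConsoleWrite('parent FileRead   : ' & FileRead($sPath) & @CRLF)

Local $bListed = False
Local $hSearch = FileFindFirstFile($sDir & '\*.txt')
If $hSearch <> -1 Then
    While True
        Local $sFound = FileFindNextFile($hSearch)
        If @error Then ExitLoop
        If $sFound = $sName Then $bListed = True
    WEnd
    FileClose($hSearch)
EndIf
ConsoleWrite('parent enumerated : ' & ($bListed ? 'yes' : 'no') & @CRLF)

; 2) Child-side probes: an interactive cmd.exe with captured stdio, attached before it gets any command.
Local $iPid = Run(@ComSpec, $sDir, @SW_HIDE, $STDIN_CHILD + $STDOUT_CHILD + $STDERR_CHILD)
If @error Then
    ConsoleWrite('! could not start ' & @ComSpec & @CRLF)
    Exit 1
EndIf
Virtual_AttachToProcess($iPid)
Virtual_ProcessOption($iPid, $FLEX_ALL_CHANGES_ARE_VIRTUAL, 1)

; Commands go in only now, so "type" and "dir" both run under the hook.
StdinWrite($iPid, 'type ' & $sName & @CRLF)      ; open-by-name
StdinWrite($iPid, 'dir /b ' & $sName & @CRLF)    ; enumeration
StdinWrite($iPid, 'exit' & @CRLF)
StdinWrite($iPid)                                ; close the child's stdin

; Drain stdout until the pipe closes (the child has exited), then report.
Local $sOut = ''
While True
    $sOut &= StdoutRead($iPid)
    If @error Then ExitLoop
    Sleep(10)
WEnd
ConsoleWrite('child stdout:' & @CRLF & $sOut & @CRLF)
ConsoleWrite('child stderr:' & @CRLF & StderrRead($iPid) & @CRLF)
```

If the parent reports "FileExists: yes" but "enumerated: no", and the child's `type` prints the content while `dir /b` reports File Not Found, the gap is the one the post describes: the virtualizer answers open-by-name requests but not directory queries, which is worth knowing before relying on listings (in a scanner, a backup job, or an analyst's `dir`) to discover what a virtualized process wrote.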
