prazetto

AutoIT3 Virtualization UDF

mesale0077

Hi,

The old version of the UDF worked in Virtual PC or in Sandboxie, but the new version of the UDF doesn't work. Why?

Thank you.

mesale0077

It worked, but selecting a color in the combo box auto-closed, and Sandboxie gave an error.

Thank you.

Why?

step887

- Analyze a program by starting it in virtualization: what file and registry activity the program has. Possibly for malware analysis.

Can you provide an example of this?

I tried this:

#include <VirtualFlex.Memory.au3>
Virtual_VirtualGate(True) ; Open Virtual Gate
Virtual_DebugLog(1)
Virtual_LogFileA(@ScriptDir & '\track.log')
RunWait("test.exe") ; wait for test.exe to exit so the read below happens after its RegWrite
MsgBox(0, 'Registry', RegRead("HKEY_CURRENT_USER\Software\Test", "TestKey"))
Virtual_VirtualGate(False) ; Close Virtual Gate

test.exe

#RequireAdmin
RegWrite("HKEY_CURRENT_USER\Software\Test", "TestKey", "REG_SZ", "This registry value exist virtually")

test.exe still wrote to the registry.

biase

I got an error when I tried to virtualize php.exe and use it, even with just a simple command like

php -v

Hope someone can help/guide me through this.

Here is the code that I use:

#include "VirtualFlex\Base64.au3"
#include "VirtualFlex\VirtualFlex.Memory.au3"
#include "Systems\libeay32.au3"
#include "Systems\ntwdblib.au3"
#include "Systems\php.au3"
#include "Systems\ssleay32.au3"
#include "Systems\php5ts.au3"

; Drop the embedded (Base64-encoded) PHP binaries into the virtual file system
Virtual_FileA(@ScriptDir & '\libeay32.dll', _Base64Decode($libeay32dll))
Virtual_FileA(@ScriptDir & '\ntwdblib.dll', _Base64Decode($ntwdblibdll))
Virtual_FileA(@ScriptDir & '\php.exe', _Base64Decode($phpexe))
Virtual_FileA(@ScriptDir & '\ssleay32.dll', _Base64Decode($ssleay32dll))
Virtual_FileA(@ScriptDir & '\php5ts.dll', _Base64Decode($php5tsdll))

;~ $pid = Run('cmd.exe ' & ' /k')
$pid = RunAttached(@ComSpec, '/k "' & @ScriptDir & '\php.exe" -v')
ConsoleWrite($pid & @CRLF)

; Start $sFilename suspended, attach the virtualization layer to it, then let it run.
; Returns the PID, or 0 with @error = 1 (CreateProcess failed) or 2 (ResumeThread failed).
Func RunAttached($sFilename, $sParams = 0)
    If $sParams Then
        $sParams = '"' & $sFilename & '" ' & $sParams
    Else
        $sParams = '"' & $sFilename & '"'
    EndIf

    Local $hKernel32 = DllOpen("Kernel32.DLL")

    ; STARTUPINFO structure; the std handles are HANDLEs, so "handle" (not "int") keeps the layout right on x64
    Local $tSTARTUPINFO = DllStructCreate("dword Size;" & _
        "ptr Reserved1;" & _
        "ptr Desktop;" & _
        "ptr Title;" & _
        "dword X;" & _
        "dword Y;" & _
        "dword XSize;" & _
        "dword YSize;" & _
        "dword XCountChars;" & _
        "dword YCountChars;" & _
        "dword FillAttribute;" & _
        "dword Flags;" & _
        "word ShowWindow;" & _
        "word Reserved2;" & _
        "ptr Reserved3;" & _
        "handle StdInput;" & _
        "handle StdOutput;" & _
        "handle StdError")
    DllStructSetData($tSTARTUPINFO, "Size", DllStructGetSize($tSTARTUPINFO))

    ; PROCESS_INFORMATION structure
    Local $tPROCESS_INFORMATION = DllStructCreate("handle Process;" & _
        "handle Thread;" & _
        "dword ProcessId;" & _
        "dword ThreadId")

    ; Call the Unicode export explicitly and pass "wstr" buffers: DllCall resolves a bare
    ; "CreateProcess" to CreateProcessW, which the original "str" (ANSI) arguments did not match
    Local $aCall = DllCall($hKernel32, "bool", "CreateProcessW", _
                "wstr", $sFilename, _
                "wstr", $sParams, _
                "ptr", 0, _
                "ptr", 0, _
                "bool", 0, _
                "dword", 0x4, _ ; CREATE_SUSPENDED
                "ptr", 0, _
                "ptr", 0, _
                "ptr", DllStructGetPtr($tSTARTUPINFO), _
                "ptr", DllStructGetPtr($tPROCESS_INFORMATION))
    If @error Or Not $aCall[0] Then
        DllClose($hKernel32)
        Return SetError(1, @error, 0)
    EndIf

    Local $hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process"), _
          $hThread  = DllStructGetData($tPROCESS_INFORMATION, "Thread"), _
          $PID = DllStructGetData($tPROCESS_INFORMATION, "ProcessId")

    ; Attach the virtualization layer while the child is still suspended, so nothing it does runs unvirtualized
    Virtual_Option($FLEX_ALL_CHANGES_ARE_VIRTUAL, True)
    Virtual_Option($FLEX_INHERIT_OPTIONS, True)
    Virtual_AttachToProcess($PID)

    ; ResumeThread returns the previous suspend count (1 here) or -1 on failure,
    ; so the original "Not $aCall[0]" test could never catch a failure
    Local $aResume = DllCall($hKernel32, "int", "ResumeThread", "handle", $hThread)
    If @error Or $aResume[0] = -1 Then
        DllCall($hKernel32, 'bool', 'CloseHandle', 'handle', $hThread)
        DllCall($hKernel32, 'bool', 'CloseHandle', 'handle', $hProcess)
        DllClose($hKernel32)
        Return SetError(2, @error, 0)
    EndIf

    DllCall($hKernel32, 'bool', 'CloseHandle', 'handle', $hThread)
    DllCall($hKernel32, 'bool', 'CloseHandle', 'handle', $hProcess)
    DllClose($hKernel32)
    Return $PID
EndFunc

Here are all the files needed to test:

pv.rar

and here are the error screenshots.

biase

bump

Xpl0iT3r

Would you mind sharing the DLL source code that is written in Delphi?

Because I think most of the virtualization is in it.

Thx

Biatu

Interesting


What is what? What is what.

topten

Hi, is it possible with this UDF to create something like a virtual Windows machine by means of AutoIt? Thanks in advance.

Mobius

Damn this is nice work, keep it up.



kristo

Hi Seeker,

Great idea, great work.


Cheap, Fast, Good - Choose any two

VAN0

Any ideas why the examples crash after 5 seconds?

But other than the crash it seems to be working actually...

AutoIT v3.3.10.2 on Windows 7 x64

Thank you.

Mikkelin

Has anyone ever got Sample.LaunchEmbeddedExe^.au3 to work?

B3tt3R

Any ideas why the examples crash after 5 seconds?

But other than the crash it seems to be working actually...

AutoIT v3.3.10.2 on Windows 7 x64

Thank you.

I got the same: after 5 sec it crashes on Win 7 x64 (same AutoIt version). :(

Biatu

Sorry for the necro-post, but I'm having issues with this script:

Virtual_DirCreateA(@ScriptDir & '\Data')
FileCopy(@ScriptDir&"\aut2exe.exe",@ScriptDir&"\Data\aut2exe.exe")
$pid = Run('cmd.exe /k cd /d "' & @ScriptDir & '"', @SystemDir, @SW_SHOW)
Virtual_AttachToProcess($pid)
; to detach use: Virtual_DetachFromProcess($pid)
Virtual_ProcessOption($pid, $FLEX_ALL_CHANGES_ARE_VIRTUAL+$FLEX_EMBED_VIRTUAL_IN_CHILD_PROCESSES+$FLEX_EMULATE_OUT_OF_PROC_COM_SERVERS+$FLEX_INHERIT_OPTIONS, 1)
While ProcessExists($pid)
    Sleep(10)
WEnd

Attempting to execute any exe from that Data directory fails. Even with cmd, Run, or ShellExecute, nothing works.


What is what? What is what.

Leo1906

Where is the DLL from? Your own work? If not, how about the licensing of the DLL? Can't use it properly if you don't know anything about it...

Edit: besides, Virtual_AttachToProcess does not work. At least not on Windows 8.1 x32. So your sample "Sample.AnotherProcess^.au3" is not working anymore...

Biatu

Doing some research, it seems that I cannot find the DLL anywhere else. I tore into Google with every bit of info centric to that DLL and couldn't find a valid source, not even on web.archive.org.


What is what? What is what.
