meme18 Posted January 10, 2018 Posted January 10, 2018 Hello At the moment i save my dll with fileinstall to hdd and create remote thread to process like this: FileInstall("my.dll", @ScriptDir & "\my.dll", 1) $PID = ProcessExists( "notepad.exe" ) $ProcessId = $PID $DllPath = @ScriptDir & "\my.dll" $Kernel32 = DllOpen("kernel32.dll") $DLL_Path = DllStructCreate("char[255]") DllCall($Kernel32, "DWORD", "GetFullPathNameA", "str", $DllPath, "DWORD", 255, "ptr", DllStructGetPtr($DLL_Path), "int", 0) $hProcess = DllCall($Kernel32, "DWORD", "OpenProcess", "DWORD", 0x1F0FFF, "int", 0, "DWORD", $ProcessId) $hModule = DllCall($Kernel32, "DWORD", "GetModuleHandleA", "str", "kernel32.dll") $lpStartAddress = DllCall($Kernel32, "DWORD", "GetProcAddress", "DWORD", $hModule[0], "str", "LoadLibraryA") $lpParameter = DllCall($Kernel32, "DWORD", "VirtualAllocEx", "int", $hProcess[0], "int", 0, "ULONG_PTR", DllStructGetSize($DLL_Path), "DWORD", 0x3000, "int", 4) DllCall("kernel32.dll", "BOOL", "WriteProcessMemory", "int", $hProcess[0], "DWORD", $lpParameter[0], "str", DllStructGetData($DLL_Path, 1), "ULONG_PTR", DllStructGetSize($DLL_Path), "int", 0) $hThread = DllCall($Kernel32, "int", "CreateRemoteThread", "DWORD", $hProcess[0], "int", 0, "int", 0, "DWORD", $lpStartAddress[0], "DWORD", $lpParameter[0], "int", 0, "int", 0) DllCall($Kernel32, "BOOL", "CloseHandle", "DWORD", $hProcess[0]) DllCall($Kernel32, "BOOL", "CloseHandle", "DWORD", $hModule) DllCall($Kernel32, "BOOL", "CloseHandle", "DWORD", $hThread) DllClose($Kernel32) Is it possible to have dll as binary string like this...: $DllBinary = '0x565841FE0000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000000000000000000000' And use this sting, not a local file. Would be nice if someone can tell if this is possible or not.
funkey Posted January 10, 2018 Posted January 10, 2018 Programming today is a race between software engineers striving tobuild bigger and better idiot-proof programs, and the Universetrying to produce bigger and better idiots.So far, the Universe is winning.
meme18 Posted January 10, 2018 Author Posted January 10, 2018 THX, i tried that with include MemoryDllCall.au3. But i think i do something wrong, very wrong. Big problem is that my knowledge is not good in case of dll files. Maybe someone can help me: $PID = ProcessExists( "notepad.exe" ) $ProcessId = $PID $DllBinary = '0x565841FE0000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000000000000000000000' MemoryDllCall($Kernel32, "DWORD", "md5", "str", $DllBinary, "DWORD", 255, "ptr", DllStructGetPtr($DLL_Path), "int", 0) $hProcess = MemoryDllCall($Kernel32, "DWORD", "OpenProcess", "DWORD", 0x1F0FFF, "int", 0, "DWORD", $ProcessId) $hModule = MemoryDllCall($Kernel32, "DWORD", "GetModuleHandleA", "str", "kernel32.dll") $lpStartAddress = MemoryDllCall($Kernel32, "DWORD", "GetProcAddress", "DWORD", $hModule[0], "str", "LoadLibraryA") $lpParameter = MemoryDllCall($Kernel32, "DWORD", "VirtualAllocEx", "int", $hProcess[0], "int", 0, "ULONG_PTR", DllStructGetSize($DLL_Path), "DWORD", 0x3000, "int", 4) MemoryDllCall("kernel32.dll", "BOOL", "WriteProcessMemory", "int", $hProcess[0], "DWORD", $lpParameter[0], "str", DllStructGetData($DLL_Path, 1), "ULONG_PTR", DllStructGetSize($DLL_Path), "int", 0) $hThread = MemoryDllCall($Kernel32, "int", "CreateRemoteThread", "DWORD", $hProcess[0], "int", 0, "int", 0, "DWORD", $lpStartAddress[0], "DWORD", $lpParameter[0], "int", 0, "int", 0) MemoryDllCall($Kernel32, "BOOL", "CloseHandle", "DWORD", $hProcess[0]) MemoryDllCall($Kernel32, "BOOL", "CloseHandle", "DWORD", $hModule) MemoryDllCall($Kernel32, "BOOL", "CloseHandle", "DWORD", $hThread) DllClose($Kernel32)
meme18 Posted January 10, 2018 Author Posted January 10, 2018 Somehow im not able to edit my earlier post. I missed something...: $PID = ProcessExists( "notepad.exe" ) $ProcessId = $PID $DllBinary = '0x565841FE0000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000000000000000000000' $Kernel32 = DllOpen("kernel32.dll") $DLL_Path = DllStructCreate("char[255]") MemoryDllCall($Kernel32, "DWORD", "md5", "str", $DllBinary, "DWORD", 255, "ptr", DllStructGetPtr($DLL_Path), "int", 0) $hProcess = MemoryDllCall($Kernel32, "DWORD", "OpenProcess", "DWORD", 0x1F0FFF, "int", 0, "DWORD", $ProcessId) $hModule = MemoryDllCall($Kernel32, "DWORD", "GetModuleHandleA", "str", "kernel32.dll") $lpStartAddress = MemoryDllCall($Kernel32, "DWORD", "GetProcAddress", "DWORD", $hModule[0], "str", "LoadLibraryA") $lpParameter = MemoryDllCall($Kernel32, "DWORD", "VirtualAllocEx", "int", $hProcess[0], "int", 0, "ULONG_PTR", DllStructGetSize($DLL_Path), "DWORD", 0x3000, "int", 4) MemoryDllCall("kernel32.dll", "BOOL", "WriteProcessMemory", "int", $hProcess[0], "DWORD", $lpParameter[0], "str", DllStructGetData($DLL_Path, 1), "ULONG_PTR", DllStructGetSize($DLL_Path), "int", 0) $hThread = MemoryDllCall($Kernel32, "int", "CreateRemoteThread", "DWORD", $hProcess[0], "int", 0, "int", 0, "DWORD", $lpStartAddress[0], "DWORD", $lpParameter[0], "int", 0, "int", 0) MemoryDllCall($Kernel32, "BOOL", "CloseHandle", "DWORD", $hProcess[0]) MemoryDllCall($Kernel32, "BOOL", "CloseHandle", "DWORD", $hModule) MemoryDllCall($Kernel32, "BOOL", "CloseHandle", "DWORD", $hThread) DllClose($Kernel32) I always get -1073741819...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now