meme18 Posted January 10, 2018 Share Posted January 10, 2018 Hello At the moment i save my dll with fileinstall to hdd and create remote thread to process like this: FileInstall("my.dll", @ScriptDir & "\my.dll", 1) $PID = ProcessExists( "notepad.exe" ) $ProcessId = $PID $DllPath = @ScriptDir & "\my.dll" $Kernel32 = DllOpen("kernel32.dll") $DLL_Path = DllStructCreate("char[255]") DllCall($Kernel32, "DWORD", "GetFullPathNameA", "str", $DllPath, "DWORD", 255, "ptr", DllStructGetPtr($DLL_Path), "int", 0) $hProcess = DllCall($Kernel32, "DWORD", "OpenProcess", "DWORD", 0x1F0FFF, "int", 0, "DWORD", $ProcessId) $hModule = DllCall($Kernel32, "DWORD", "GetModuleHandleA", "str", "kernel32.dll") $lpStartAddress = DllCall($Kernel32, "DWORD", "GetProcAddress", "DWORD", $hModule[0], "str", "LoadLibraryA") $lpParameter = DllCall($Kernel32, "DWORD", "VirtualAllocEx", "int", $hProcess[0], "int", 0, "ULONG_PTR", DllStructGetSize($DLL_Path), "DWORD", 0x3000, "int", 4) DllCall("kernel32.dll", "BOOL", "WriteProcessMemory", "int", $hProcess[0], "DWORD", $lpParameter[0], "str", DllStructGetData($DLL_Path, 1), "ULONG_PTR", DllStructGetSize($DLL_Path), "int", 0) $hThread = DllCall($Kernel32, "int", "CreateRemoteThread", "DWORD", $hProcess[0], "int", 0, "int", 0, "DWORD", $lpStartAddress[0], "DWORD", $lpParameter[0], "int", 0, "int", 0) DllCall($Kernel32, "BOOL", "CloseHandle", "DWORD", $hProcess[0]) DllCall($Kernel32, "BOOL", "CloseHandle", "DWORD", $hModule) DllCall($Kernel32, "BOOL", "CloseHandle", "DWORD", $hThread) DllClose($Kernel32) Is it possible to have dll as binary string like this...: $DllBinary = '0x565841FE0000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000000000000000000000' And use this sting, not a local file. Would be nice if someone can tell if this is possible or not. Link to comment Share on other sites More sharing options...
funkey Posted January 10, 2018 Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.
meme18 Posted January 10, 2018 Author Share Posted January 10, 2018 THX, i tried that with include MemoryDllCall.au3. But i think i do something wrong, very wrong. Big problem is that my knowledge is not good in case of dll files. Maybe someone can help me: $PID = ProcessExists( "notepad.exe" ) $ProcessId = $PID $DllBinary = '0x565841FE0000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000000000000000000000' MemoryDllCall($Kernel32, "DWORD", "md5", "str", $DllBinary, "DWORD", 255, "ptr", DllStructGetPtr($DLL_Path), "int", 0) $hProcess = MemoryDllCall($Kernel32, "DWORD", "OpenProcess", "DWORD", 0x1F0FFF, "int", 0, "DWORD", $ProcessId) $hModule = MemoryDllCall($Kernel32, "DWORD", "GetModuleHandleA", "str", "kernel32.dll") $lpStartAddress = MemoryDllCall($Kernel32, "DWORD", "GetProcAddress", "DWORD", $hModule[0], "str", "LoadLibraryA") $lpParameter = MemoryDllCall($Kernel32, "DWORD", "VirtualAllocEx", "int", $hProcess[0], "int", 0, "ULONG_PTR", DllStructGetSize($DLL_Path), "DWORD", 0x3000, "int", 4) MemoryDllCall("kernel32.dll", "BOOL", "WriteProcessMemory", "int", $hProcess[0], "DWORD", $lpParameter[0], "str", DllStructGetData($DLL_Path, 1), "ULONG_PTR", DllStructGetSize($DLL_Path), "int", 0) $hThread = MemoryDllCall($Kernel32, "int", "CreateRemoteThread", "DWORD", $hProcess[0], "int", 0, "int", 0, "DWORD", $lpStartAddress[0], "DWORD", $lpParameter[0], "int", 0, "int", 0) MemoryDllCall($Kernel32, "BOOL", "CloseHandle", "DWORD", $hProcess[0]) MemoryDllCall($Kernel32, "BOOL", "CloseHandle", "DWORD", $hModule) MemoryDllCall($Kernel32, "BOOL", "CloseHandle", "DWORD", $hThread) DllClose($Kernel32) Link to comment Share on other sites More sharing options...
meme18 Posted January 10, 2018 Author Share Posted January 10, 2018 Somehow im not able to edit my earlier post. I missed something...: $PID = ProcessExists( "notepad.exe" ) $ProcessId = $PID $DllBinary = '0x565841FE0000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000000000000000000000' $Kernel32 = DllOpen("kernel32.dll") $DLL_Path = DllStructCreate("char[255]") MemoryDllCall($Kernel32, "DWORD", "md5", "str", $DllBinary, "DWORD", 255, "ptr", DllStructGetPtr($DLL_Path), "int", 0) $hProcess = MemoryDllCall($Kernel32, "DWORD", "OpenProcess", "DWORD", 0x1F0FFF, "int", 0, "DWORD", $ProcessId) $hModule = MemoryDllCall($Kernel32, "DWORD", "GetModuleHandleA", "str", "kernel32.dll") $lpStartAddress = MemoryDllCall($Kernel32, "DWORD", "GetProcAddress", "DWORD", $hModule[0], "str", "LoadLibraryA") $lpParameter = MemoryDllCall($Kernel32, "DWORD", "VirtualAllocEx", "int", $hProcess[0], "int", 0, "ULONG_PTR", DllStructGetSize($DLL_Path), "DWORD", 0x3000, "int", 4) MemoryDllCall("kernel32.dll", "BOOL", "WriteProcessMemory", "int", $hProcess[0], "DWORD", $lpParameter[0], "str", DllStructGetData($DLL_Path, 1), "ULONG_PTR", DllStructGetSize($DLL_Path), "int", 0) $hThread = MemoryDllCall($Kernel32, "int", "CreateRemoteThread", "DWORD", $hProcess[0], "int", 0, "int", 0, "DWORD", $lpStartAddress[0], "DWORD", $lpParameter[0], "int", 0, "int", 0) MemoryDllCall($Kernel32, "BOOL", "CloseHandle", "DWORD", $hProcess[0]) MemoryDllCall($Kernel32, "BOOL", "CloseHandle", "DWORD", $hModule) MemoryDllCall($Kernel32, "BOOL", "CloseHandle", "DWORD", $hThread) DllClose($Kernel32) I always get -1073741819... Link to comment Share on other sites More sharing options...