w0uter Posted February 6, 2006 Share Posted February 6, 2006 (edited) the dll is 2.048 bytes small and only affects autoit. b/c it doesnt need a fixed point it the code it can now also be used without compiling. MemExecute -> Redirects Autoits code flow to a pointer. (takes an dword/int32) MemLoadLib -> Gets the offset of an function. (takes 2 strings, DLL-name & Function name) MemFreeLib -> Frees the dll loaded into the memory. (takes an dword/int32) i think valik is gonna hate me for my MemExecute i remember something like "i dont want that exposed to the public" anyways here is an example script expandcollapse popup
; _Mem() UDF: thin wrappers around kernel32 process-memory APIs (OpenProcess, VirtualAlloc(Ex),
; WriteProcessMemory, VirtualFree(Ex), CloseHandle). Every wrapper takes the 2-element array
; returned by _MemOpen: [0] = DllOpen handle for kernel32.dll, [1] = process handle.
; NOTE(review): none of the wrappers except _MemOpen check @error after DllCall; when DllCall
; fails its return is not an array, so indexing $av_Xxx[0] aborts the script instead of
; returning a failure value. Callers get no way to detect a failed write/alloc/free.
#region _Mem()
; _MemOpen: opens process $i_Pid with OpenProcess.
; $i_Access defaults to 0x1F0FFF (PROCESS_ALL_ACCESS on the Windows versions this targets);
; $i_Inherit is bInheritHandle.
; Returns [kernel32 DllOpen handle, process handle], or 0 with @error = 1 when the DllCall fails.
; NOTE(review): @error only reflects a failed DllCall; if OpenProcess itself returns NULL that
; 0 is stored as the process handle and no error is raised.
Func _MemOpen($i_Pid, $i_Access = 0x1F0FFF, $i_Inherit = 0)
    Local $av_Return[2] = [DllOpen('kernel32.dll') ]
    Local $ai_Handle = DllCall($av_Return[0], 'int', 'OpenProcess', 'int', $i_Access, 'int', $i_Inherit, 'int', $i_Pid)
    If @error Then
        ; release the kernel32 handle we already took before reporting failure
        DllClose($av_Return[0])
        SetError(1)
        Return 0
    EndIf
    $av_Return[1] = $ai_Handle[0]
    Return $av_Return
EndFunc;==>_MemOpen
; _MemWrite: copies the bytes of DllStruct $v_Inject into the target process at $i_Address
; via WriteProcessMemory. Returns the API's BOOL result.
; The last argument (lpNumberOfBytesWritten) is passed as '' — presumably coerced to NULL,
; so the byte count actually written is never collected.
Func _MemWrite($ah_Mem, $i_Address, $v_Inject)
    Local $av_Call = DllCall($ah_Mem[0], 'int', 'WriteProcessMemory', 'int', $ah_Mem[1], 'int', $i_Address, 'ptr', DllStructGetPtr($v_Inject), 'int', DllStructGetSize($v_Inject), 'int', '')
    Return $av_Call[0]
EndFunc;==>_MemWrite
; _MemClose: closes the process handle with CloseHandle, then releases the kernel32 DllOpen
; handle. Returns CloseHandle's result. $ah_Mem must not be reused afterwards.
Func _MemClose($ah_Mem)
    Local $av_Ret = DllCall($ah_Mem[0], 'int', 'CloseHandle', 'int', $ah_Mem[1])
    DllClose($ah_Mem[0])
    Return $av_Ret[0]
EndFunc;==>_MemClose
; _MemCreate: builds a byte[] DllStruct either from a string (one byte per character, plus one
; extra byte) or from up to 99 numeric arguments (one byte each, in argument order).
; The numeric branch relies on @NumParams and Eval("1"), Eval("2"), ... to read the positional
; parameters $1..$99, which is why they are named with bare digits.
; Returns the DllStruct; callers pass it to _MemWrite.
Func _MemCreate($1, $2 = 0, $3 = 0, $4 = 0, $5 = 0, $6 = 0, $7 = 0, $8 = 0, $9 = 0, $10 = 0, $11 = 0, $12 = 0, $13 = 0, $14 = 0, $15 = 0, _
    $16 = 0, $17 = 0, $18 = 0, $19 = 0, $20 = 0, $21 = 0, $22 = 0, $23 = 0, $24 = 0, $25 = 0, $26 = 0, $27 = 0, $28 = 0, $29 = 0, _
    $30 = 0, $31 = 0, $32 = 0, $33 = 0, $34 = 0, $35 = 0, $36 = 0, $37 = 0, $38 = 0, $39 = 0, $40 = 0, $41 = 0, $42 = 0, $43 = 0, _
    $44 = 0, $45 = 0, $46 = 0, $47 = 0, $48 = 0, $49 = 0, $50 = 0, $51 = 0, $52 = 0, $53 = 0, $54 = 0, $55 = 0, $56 = 0, $57 = 0, _
    $58 = 0, $59 = 0, $60 = 0, $61 = 0, $62 = 0, $63 = 0, $64 = 0, $65 = 0, $66 = 0, $67 = 0, $68 = 0, $69 = 0, $70 = 0, $71 = 0, _
    $72 = 0, $73 = 0, $74 = 0, $75 = 0, $76 = 0, $77 = 0, $78 = 0, $79 = 0, $80 = 0, $81 = 0, $82 = 0, $83 = 0, $84 = 0, $85 = 0, _
    $86 = 0, $87 = 0, $88 = 0, $89 = 0, $90 = 0, $91 = 0, $92 = 0, $93 = 0, $94 = 0, $95 = 0, $96 = 0, $97 = 0, $98 = 0, $99 = 0)
    If IsString($1) Then
        ; StringSplit with '' yields one element per character, with [0] holding the count,
        ; so UBound is length + 1: the struct gets one byte more than the text and the loop
        ; never writes the last one (presumably left as 0 to terminate the string — confirm
        ; that DllStructCreate zero-fills).
        $1 = StringSplit($1, '')
        Local $v_Helper = DllStructCreate('byte[' & UBound($1) & ']')
        For $i = 1 To UBound($1) - 1
            DllStructSetData($v_Helper, 1, Asc($1[$i]), $i)
        Next
    Else
        ; numeric form: exactly as many bytes as arguments were passed
        Local $v_Helper = DllStructCreate('byte[' & @NumParams & ']')
        For $i = 1 To @NumParams
            DllStructSetData($v_Helper, 1, Eval($i), $i)
        Next
    EndIf
    Return $v_Helper
EndFunc;==>_MemCreate
; _MemRev: converts between a 32-bit value and its 4 little-endian bytes.
;  - given a 4-element array of bytes, returns the value as a '0x........' hex string;
;  - given a number, returns a 4-element array ['0xLL', '0x..', '0x..', '0xHH'] (least
;    significant byte first), which is the order the example below emits them into code.
Func _MemRev($v_DWORD)
    If UBound($v_DWORD) = 4 Then Return '0x' & Hex($v_DWORD[3], 2) & Hex($v_DWORD[2], 2) & Hex($v_DWORD[1], 2) & Hex($v_DWORD[0], 2)
    Local $v_Ret[4] = ['0x' & StringMid(Hex($v_DWORD, 8), 7, 2), '0x' & StringMid(Hex($v_DWORD, 8), 5, 2), '0x' & StringMid(Hex($v_DWORD, 8), 3, 2), '0x' & StringMid(Hex($v_DWORD, 8), 1, 2) ]
    Return $v_Ret
EndFunc;==>_MemRev
; _MemAlloc: reserves/commits $i_Size bytes in the target process and returns the base address.
; $i_AT defaults to 4096 (0x1000 = MEM_COMMIT); $i_Protect defaults to 0x40, which is
; PAGE_EXECUTE_READWRITE — every allocation made with the defaults is writable AND executable,
; the exact property endpoint protection heuristics look for. Callers that only store data
; (e.g. _MemText) could pass a read/write protection instead.
; On Win9x/ME VirtualAlloc is used with an extra 0x8000000 flag (presumably the 9x-only
; shared-memory flag — confirm); elsewhere VirtualAllocEx on the opened process.
Func _MemAlloc($ah_Mem, $i_Size, $i_Address = 0, $i_AT = 4096, $i_Protect = 0x40)
    Switch @OSVersion
        Case "WIN_ME", "WIN_98", "WIN_95"
            $av_Alloc = DllCall($ah_Mem[0], 'int', 'VirtualAlloc', 'int', $i_Address, 'int', $i_Size, 'int', BitOR($i_AT, 0x8000000), 'int', $i_Protect)
        Case Else
            $av_Alloc = DllCall($ah_Mem[0], 'int', 'VirtualAllocEx', 'int', $ah_Mem[1], 'int', $i_Address, 'int', $i_Size, 'int', $i_AT, 'int', $i_Protect)
    EndSwitch
    Return $av_Alloc[0]
EndFunc;==>_MemAlloc
; _MemFree: releases a region obtained from _MemAlloc (size 0 + 0x8000 = MEM_RELEASE frees the
; whole reservation). Returns the API's BOOL result. Same Win9x/NT split as _MemAlloc.
Func _MemFree($ah_Mem, $i_Address)
    Switch @OSVersion
        Case "WIN_ME", "WIN_98", "WIN_95"
            $av_Free = DllCall($ah_Mem[0], 'int', 'VirtualFree', 'int', $i_Address, 'int', 0, 'int', 0x8000)
        Case Else
            $av_Free = DllCall($ah_Mem[0], 'int', 'VirtualFreeEx', 'int', $ah_Mem[1], 'int', $i_Address, 'int', 0, 'int', 0x8000)
    EndSwitch
    Return $av_Free[0]
EndFunc;==>_MemFree
; _MemText: allocates StringLen + 1 bytes in the target process and writes $s_Text there
; (via _MemCreate's string form). Returns the address of the text. Uses _MemAlloc's defaults,
; so the string lands in an executable page even though only data is stored.
Func _MemText($ah_Mem, $s_Text)
    Local $i_Size = StringLen($s_Text) + 1
    Local $i_Addr = _MemAlloc($ah_Mem, $i_Size)
    _MemWrite($ah_Mem, $i_Addr, _MemCreate($s_Text))
    Return $i_Addr
EndFunc;==>_MemText
#endregion
; Example: writes a small x86 stub that calls MessageBoxA into the script's OWN process
; (@AutoItPID) and jumps to it through the plugin's MemExecute. Nothing here touches another
; process, but the sequence — RWX allocation, write of raw code, transfer of control — is the
; same behaviour pattern security tooling flags, which is the concern Valik raises below.
;open a handle to our own process
$h_Open = _MemOpen(@AutoItPID)
;allocate & write the two strings MessageBoxA will receive; keep their addresses as LE byte arrays
$i_Text = _MemRev(_MemText($h_Open, "Example Of Flow Contorol"))
$i_Title = _MemRev(_MemText($h_Open, "My Title"))
;alloc code
; NOTE(review): the stub written below is 22 bytes (2+5+5+2+5+2+1), not 19; this only works
; because VirtualAlloc rounds the request up to a page. The size should match the stub.
$i_Alloc = _MemAlloc($h_Open, 19)
;open the plugin
$h_Plugin = PluginOpen('AU3_Plugin.dll')
;get offset of messagebox: MemLoadLib returns a library handle and leaves the function address in @extended
$h_Mbox_handle = MemLoadLib("user32.dll", "MessageBoxA")
$h_Mbox_offset = _MemRev(@extended)
#cs
Stub layout (addresses illustrative; 11223344 marks the 4 bytes patched in below):
10001093 6A 00 PUSH 0                 ; uType
10001095 68 44332211 PUSH 11223344    ; lpCaption (title)
10001097 68 44332211 PUSH 11223344    ; lpText
1000109C 6A 00 PUSH 0                 ; hWnd
10001093 B8 44332211 MOV EAX,11223344 ; address of MessageBoxA
10001098 FFD0 CALL NEAR EAX
1000109A C3 RETN
Arguments are pushed right-to-left (stdcall), so this is MessageBoxA(0, text, title, 0).
#ce
_MemWrite($h_Open, $i_Alloc, _MemCreate( 0x6A, 0x00, _
        0x68, $i_Title[0], $i_Title[1], $i_Title[2], $i_Title[3], _
        0x68, $i_Text[0], $i_Text[1], $i_Text[2], $i_Text[3], _
        0x6A, 0x00, _
        0xB8, $h_Mbox_offset[0], $h_Mbox_offset[1], $h_Mbox_offset[2], $h_Mbox_offset[3], _
        0xFF, 0xD0, _
        0xC3 ))
;execute our alloced code (control returns here via the RETN)
MemExecute($i_Alloc)
;tell windows that it doesnt need to keep the user32.dll in our memory for us
MemFreeLib($h_Mbox_handle)
;close the plugin
PluginClose($h_Plugin)
;restore original: free the two strings (convert the byte arrays back to addresses) and the code page
_MemFree($h_Open, _MemRev($i_Text))
_MemFree($h_Open, _MemRev($i_Title))
_MemFree($h_Open, $i_Alloc)
_MemClose($h_Open)
AU3_Plugin.zip Edited February 6, 2006 by w0uter My UDF's:;mem stuff_Mem;ftp stuff_FTP ( OLD );inet stuff_INetGetSource ( OLD )_INetGetImage _INetBrowse ( Collection )_EncodeUrl_NetStat_Google;random stuff_iPixelSearch_DiceRoll Link to comment Share on other sites More sharing options...
Valik Posted February 7, 2006 Share Posted February 7, 2006 I don't necessarily hate you. I do, however, think it's amusing you've done in a Dll what I can do in AutoIt. This is something I did quite a long time ago, too. I would prefer this information not be publicly available which is why I've never shown my techniques to anybody outside of the rest of the development team. However, I don't have a problem with the "public" figuring things out on their own. I think you're opening the door to malicious scripts but it was inevitable that somebody other than myself would figure out how to do this stuff. Link to comment Share on other sites More sharing options...