Memory Plugin (Still A Baby)

[w0uter]

the dll is 2.048 bytes small and only affects autoit.

b/c it doesnt need a fixed point it the code it can now also be used without compiling.

MemExecute -> Redirects Autoits code flow to a pointer. (takes an dword/int32)

MemLoadLib -> Gets the offset of an function. (takes 2 strings, DLL-name & Function name)

MemFreeLib -> Frees the dll loaded into the memory. (takes an dword/int32)

i think valik is gonna hate me for my MemExecute

i remember something like "i dont want that exposed to the public"

anyways here is an example script

expandcollapse popup

#region _Mem()

Func _MemOpen($i_Pid, $i_Access = 0x1F0FFF, $i_Inherit = 0)
    Local $av_Return[2] = [DllOpen('kernel32.dll') ]
    Local $ai_Handle = DllCall($av_Return[0], 'int', 'OpenProcess', 'int', $i_Access, 'int', $i_Inherit, 'int', $i_Pid)
    If @error Then
        DllClose($av_Return[0])
        SetError(1)
        Return 0
    EndIf
    $av_Return[1] = $ai_Handle[0]
    Return $av_Return
EndFunc;==>_MemOpen

Func _MemWrite($ah_Mem, $i_Address, $v_Inject)
    Local $av_Call = DllCall($ah_Mem[0], 'int', 'WriteProcessMemory', 'int', $ah_Mem[1], 'int', $i_Address, 'ptr', DllStructGetPtr($v_Inject), 'int', DllStructGetSize($v_Inject), 'int', '')
    Return $av_Call[0]
EndFunc;==>_MemWrite

Func _MemClose($ah_Mem)
    Local $av_Ret = DllCall($ah_Mem[0], 'int', 'CloseHandle', 'int', $ah_Mem[1])
    DllClose($ah_Mem[0])
    Return $av_Ret[0]
EndFunc;==>_MemClose

Func _MemCreate($1, $2 = 0, $3 = 0, $4 = 0, $5 = 0, $6 = 0, $7 = 0, $8 = 0, $9 = 0, $10 = 0, $11 = 0, $12 = 0, $13 = 0, $14 = 0, $15 = 0, _
        $16 = 0, $17 = 0, $18 = 0, $19 = 0, $20 = 0, $21 = 0, $22 = 0, $23 = 0, $24 = 0, $25 = 0, $26 = 0, $27 = 0, $28 = 0, $29 = 0, _
        $30 = 0, $31 = 0, $32 = 0, $33 = 0, $34 = 0, $35 = 0, $36 = 0, $37 = 0, $38 = 0, $39 = 0, $40 = 0, $41 = 0, $42 = 0, $43 = 0, _
        $44 = 0, $45 = 0, $46 = 0, $47 = 0, $48 = 0, $49 = 0, $50 = 0, $51 = 0, $52 = 0, $53 = 0, $54 = 0, $55 = 0, $56 = 0, $57 = 0, _
        $58 = 0, $59 = 0, $60 = 0, $61 = 0, $62 = 0, $63 = 0, $64 = 0, $65 = 0, $66 = 0, $67 = 0, $68 = 0, $69 = 0, $70 = 0, $71 = 0, _
        $72 = 0, $73 = 0, $74 = 0, $75 = 0, $76 = 0, $77 = 0, $78 = 0, $79 = 0, $80 = 0, $81 = 0, $82 = 0, $83 = 0, $84 = 0, $85 = 0, _
        $86 = 0, $87 = 0, $88 = 0, $89 = 0, $90 = 0, $91 = 0, $92 = 0, $93 = 0, $94 = 0, $95 = 0, $96 = 0, $97 = 0, $98 = 0, $99 = 0)
    If IsString($1) Then
        $1 = StringSplit($1, '')
        Local $v_Helper = DllStructCreate('byte[' & UBound($1) & ']')
        For $i = 1 To UBound($1) - 1
            DllStructSetData($v_Helper, 1, Asc($1[$i]), $i)
        Next
    Else
        Local $v_Helper = DllStructCreate('byte[' & @NumParams & ']')
        For $i = 1 To @NumParams
            DllStructSetData($v_Helper, 1, Eval($i), $i)
        Next
    EndIf
    Return $v_Helper
EndFunc;==>_MemCreate

Func _MemRev($v_DWORD)
    If UBound($v_DWORD) = 4 Then Return '0x' & Hex($v_DWORD[3], 2) & Hex($v_DWORD[2], 2) & Hex($v_DWORD[1], 2) & Hex($v_DWORD[0], 2)
    Local $v_Ret[4] = ['0x' & StringMid(Hex($v_DWORD, 8), 7, 2), '0x' & StringMid(Hex($v_DWORD, 8), 5, 2), '0x' & StringMid(Hex($v_DWORD, 8), 3, 2), '0x' & StringMid(Hex($v_DWORD, 8), 1, 2) ]
    Return $v_Ret
EndFunc;==>_MemRev

Func _MemAlloc($ah_Mem, $i_Size, $i_Address = 0, $i_AT = 4096, $i_Protect = 0x40)
    Switch @OSVersion
        Case "WIN_ME", "WIN_98", "WIN_95"
            $av_Alloc = DllCall($ah_Mem[0], 'int', 'VirtualAlloc', 'int', $i_Address, 'int', $i_Size, 'int', BitOR($i_AT, 0x8000000), 'int', $i_Protect)
        Case Else
            $av_Alloc = DllCall($ah_Mem[0], 'int', 'VirtualAllocEx', 'int', $ah_Mem[1], 'int', $i_Address, 'int', $i_Size, 'int', $i_AT, 'int', $i_Protect)
    EndSwitch
    Return $av_Alloc[0]
EndFunc;==>_MemAlloc

Func _MemFree($ah_Mem, $i_Address)
    Switch @OSVersion
        Case "WIN_ME", "WIN_98", "WIN_95"
            $av_Free = DllCall($ah_Mem[0], 'int', 'VirtualFree', 'int', $i_Address, 'int', 0, 'int', 0x8000)
        Case Else
            $av_Free = DllCall($ah_Mem[0], 'int', 'VirtualFreeEx', 'int', $ah_Mem[1], 'int', $i_Address, 'int', 0, 'int', 0x8000)
    EndSwitch
    Return $av_Free[0]
EndFunc;==>_MemFree

Func _MemText($ah_Mem, $s_Text)
    Local $i_Size = StringLen($s_Text) + 1
    Local $i_Addr = _MemAlloc($ah_Mem, $i_Size)
    _MemWrite($ah_Mem, $i_Addr, _MemCreate($s_Text))
    Return $i_Addr
EndFunc;==>_MemText

#endregion

;open
$h_Open = _MemOpen(@AutoItPID)

;allocate & write text
$i_Text = _MemRev(_MemText($h_Open, "Example Of Flow Contorol"))
$i_Title = _MemRev(_MemText($h_Open, "My Title"))

;alloc code 
$i_Alloc = _MemAlloc($h_Open, 19)

;open the plugin
$h_Plugin = PluginOpen('AU3_Plugin.dll')

;get offset of messagebox
$h_Mbox_handle = MemLoadLib("user32.dll", "MessageBoxA")
$h_Mbox_offset = _MemRev(@extended)

#cs
10001093      6A 00                    PUSH 0
10001095      68 44332211                PUSH 11223344
10001097      68 44332211                PUSH 11223344
1000109C      6A 00                    PUSH 0

10001093      B8 44332211                MOV EAX,11223344
10001098      FFD0                      CALL NEAR EAX
1000109A      C3                          RETN
#ce

_MemWrite($h_Open, $i_Alloc, _MemCreate(    0x6A, 0x00, _
                                            0x68, $i_Title[0], $i_Title[1], $i_Title[2], $i_Title[3], _
                                            0x68, $i_Text[0], $i_Text[1], $i_Text[2], $i_Text[3], _
                                            0x6A, 0x00, _
                                            0xB8, $h_Mbox_offset[0], $h_Mbox_offset[1], $h_Mbox_offset[2], $h_Mbox_offset[3], _
                                            0xFF, 0xD0, _
                                            0xC3  ))

;execute our alloced code
MemExecute($i_Alloc)

;tell windows that it doesnt need to keep the user32.dll in our memory for us
MemFreeLib($h_Mbox_handle)

;close the plugin
PluginClose($h_Plugin)

;restore original
_MemFree($h_Open, _MemRev($i_Text))
_MemFree($h_Open, _MemRev($i_Title))
_MemFree($h_Open, $i_Alloc)
_MemClose($h_Open)

AU3_Plugin.zip

Edited February 6, 2006 by w0uter

[Valik]

I don't necessarily hate you. I do, however, think it's amusing you've done in a Dll what I can do in AutoIt. This is something I did quite a long time ago, too.

I would prefer this information not be publicly available which is why I've never shown my techniques to anybody outside of the rest of the development team. However, I don't have a problem with the "public" figuring things out on their own. I think you're opening the door to malicious scripts but it was inevitable that somebody other than myself would figure out how to do this stuff.