xroot Posted July 29, 2008 Posted July 29, 2008 Running an "exe" from memory sounds interesting. Reading all about the PE file format, and other examples, I tried and failed. I get an error "299" ERROR_PARTIAL_COPY on a WriteProcessMemory call. The compete error message is: "Only part of a ReadProcessMemory or WriteProcessMemory request was completed". With the same code logic I wrote this com dll wrapper and it works just fine. Not sure why the au3 fails and the com dll works? I quess this will be work in progress. Here is how you run the wrapper. $exe=ObjCreate("RunPE.RunPEc") $fp=FileOpen(@SYSTEMDIR&"\notepad.exe",16) ;Open any "exe" you want in binary $exe.RunPE(StringMid(FileRead($fp),3)) ;bypass 0x just send the binary(bytes) FileClose($fp) Be sure to register the RunPe.dll.RunPE.zip
JRSmile Posted July 29, 2008 Posted July 29, 2008 i will use this at its best by utilizing cui programs which interact with my main process via tcp ip, or window message struck handshake, don't know yet but the possebillities are great. $a=StringSplit("547275737420796F757220546563686E6F6C75737421","") For $b=1 To UBound($a)+(-1*-1*-1)step(2^4/8);&$b+=1*2/40*µ&Asc(4) Assign("c",Eval("c")&Chr(Dec($a[$b]&$a[$b+1])));''Chr("a")&"HI" Next ;time_U&r34d,ths,U-may=get$the&c.l.u.e;b3st-regards,JRSmile; MsgBox(0x000000,"",Eval("c"));PiEs:d0nt+*b3.s4d.4ft3r.1st-try:-)
JRSmile Posted July 29, 2008 Posted July 29, 2008 (edited) while playing around with your com object, i found out that every time i utillize your function a cmd.exe is spawned, can you tell my why this is necessary? Edited July 29, 2008 by JRSmile $a=StringSplit("547275737420796F757220546563686E6F6C75737421","") For $b=1 To UBound($a)+(-1*-1*-1)step(2^4/8);&$b+=1*2/40*µ&Asc(4) Assign("c",Eval("c")&Chr(Dec($a[$b]&$a[$b+1])));''Chr("a")&"HI" Next ;time_U&r34d,ths,U-may=get$the&c.l.u.e;b3st-regards,JRSmile; MsgBox(0x000000,"",Eval("c"));PiEs:d0nt+*b3.s4d.4ft3r.1st-try:-)
Michel Claveau Posted July 30, 2008 Posted July 30, 2008 (edited) Hi! Impossible to obtain something for me. I launch example ("C:\Windows\System32\notepad.exe",16) ; data are in mem (302082 bytes), but .RunPE give... nothing. Perhaps because I use vista? Perhaps I use a french Windows? Perhaps other thing? Any idea? Edited July 30, 2008 by Michel Claveau
xroot Posted July 30, 2008 Author Posted July 30, 2008 I have not tested the dll on Vista and most likely not to work. What ever you run with the dll the "cmd" is what's fired. You will not see the program you ran (notepad.exe). I set up the process with a CreateProcess with "cmd.exe" in CREATE_SUSPENDED mode. I then do all the ReadMemory, MoveMemory, VirtualAllocEx, WriteMemory, of (notepad.exe) then ResumeThread, done.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now