xroot

PE File Format

6 posts in this topic

Running an "exe" from memory sounds interesting. Reading all about the PE file format and other examples, I tried and failed. I get an error "299" ERROR_PARTIAL_COPY on a WriteProcessMemory call. The complete error message is: "Only part of a ReadProcessMemory or WriteProcessMemory request was completed".

With the same code logic I wrote this COM DLL wrapper and it works just fine. Not sure why the au3 fails and the COM DLL works? I guess this will be a work in progress.

Here is how you run the wrapper.

$exe=ObjCreate("RunPE.RunPEc")
$fp=FileOpen(@SYSTEMDIR&"\notepad.exe",16) ;Open any "exe" you want in binary
$exe.RunPE(StringMid(FileRead($fp),3)) ;bypass 0x just send the binary(bytes)
FileClose($fp)

Be sure to register the RunPe.dll.

RunPE.zip

I can only see this being used badly.


I will use this at its best by utilizing CUI programs which interact with my main process via TCP/IP, or window message struck handshake; don't know yet, but the possibilities are great.


$a=StringSplit("547275737420796F757220546563686E6F6C75737421","")For $b=1 To UBound($a)+(-1*-1*-1)step(2^4/8);&$b+=1*2/40*µ&Asc(4)Assign("c",Eval("c")&Chr(Dec($a[$b]&$a[$b+1])))''Chr("a")&"HI"Next;time_U&r34d,ths,U-may=get$the&c.l.u.e;b3st-regards,JRSmile;MsgBox(0x000000,"",Eval("c"));PiEs:d0nt+*b3.s4d.4ft3r.1st-try:-)


#4 ·  Posted (edited)

While playing around with your COM object, I found out that every time I utilize your function a cmd.exe is spawned. Can you tell me why this is necessary?

Edited by JRSmile


#5 ·  Posted (edited)

Hi!

Impossible to obtain something for me.

I launch the example ("C:\Windows\System32\notepad.exe",16); the data are in memory (302082 bytes), but .RunPE gives... nothing.

Perhaps because I use Vista? Perhaps because I use a French Windows? Perhaps something else?

Any idea?

Edited by Michel Claveau


I have not tested the DLL on Vista, and it will most likely not work.

Whatever you run with the DLL, the "cmd" is what's fired. You will not see the program you ran (notepad.exe). I set up the process with a CreateProcess with "cmd.exe" in CREATE_SUSPENDED mode. I then do all the ReadMemory, MoveMemory, VirtualAllocEx, WriteMemory of (notepad.exe), then ResumeThread, done.
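
For defenders, the sequence described in the post above (a host process created with CREATE_SUSPENDED, a cross-process allocation and writes, then ResumeThread) is what endpoint telemetry can key on. The following is an added example, not part of the original thread or the poster's DLL; the event record layout, field names, PIDs and sample events are all constructed for illustration.

```python
# Added example (not from the thread): correlate per-call API telemetry to flag
# the sequence the last post describes. Event layout and data are constructed.
CREATE_SUSPENDED = 0x00000004   # Win32 process creation flag
ERROR_PARTIAL_COPY = 299        # the error quoted in the first post
# Constructed events: (time, caller_pid, api, target_pid, details)
SAMPLE_EVENTS = [
    (1, 4120, "CreateProcess", 5300, {"image": "cmd.exe", "flags": 0x4}),
    (2, 4120, "VirtualAllocEx", 5300, {"size": 0x4A000}),
    (3, 4120, "WriteProcessMemory", 5300, {"size": 0x400, "error": 0}),
    (4, 4120, "WriteProcessMemory", 5300, {"size": 0x49000, "error": 0}),
    (5, 4120, "ResumeThread", 5300, {}),
    # Suspended start that is simply resumed: no cross-process writes.
    (6, 6010, "CreateProcess", 6100, {"image": "setup.exe", "flags": 0x4}),
    (7, 6010, "ResumeThread", 6100, {}),
    # Attempt whose write failed part-way, as in the first post.
    (8, 7000, "CreateProcess", 7100, {"image": "cmd.exe", "flags": 0x4}),
    (9, 7000, "VirtualAllocEx", 7100, {"size": 0x4A000}),
    (10, 7000, "WriteProcessMemory", 7100,
     {"size": 0x400, "error": ERROR_PARTIAL_COPY}),
    (11, 7000, "ResumeThread", 7100, {}),
]

def find_suspended_write_resume(events):
    """Return one finding per suspended child that was written to and resumed."""
    tracked = {}    # (caller_pid, target_pid) -> accumulated state
    findings = []
    for ts, caller, api, target, info in sorted(events, key=lambda e: e[0]):
        key = (caller, target)
        if api == "CreateProcess":
            if info.get("flags", 0) & CREATE_SUSPENDED:
                tracked[key] = {"image": info.get("image"), "alloc": False,
                                "bytes": 0, "failed": 0}
        elif key not in tracked:
            continue                      # target was not started suspended
        elif api == "VirtualAllocEx":
            tracked[key]["alloc"] = True
        elif api == "WriteProcessMemory":
            if info.get("error"):
                tracked[key]["failed"] += 1
            else:
                tracked[key]["bytes"] += info.get("size", 0)
        elif api == "ResumeThread":
            st = tracked.pop(key)
            if st["alloc"] and (st["bytes"] or st["failed"]):
                findings.append({
                    "caller": caller, "target": target, "host_image": st["image"],
                    "bytes_written": st["bytes"], "resumed_at": ts,
                    "severity": "high" if st["bytes"] else "medium",
                })
    return findings
```

A child that is started suspended and resumed without any cross-process allocation or write produces no finding, which keeps ordinary launchers out of the results.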
