jpam

Execute from mem

37 posts in this topic

#1 ·  Posted (edited)

would it be cool if your AutoIt compiled exe is wrapped into a small assembler program

and executed from memory ?

with only a few kB more !

Test program; executefrommem.zip

Execute From Mem Creator

efmc.zip

It now has icon support

This little tool creates an asm .exe and adds your autoit .exe file into it

when you run the new .exe file it executes the autoit .exe from memory

i made it to prevent decompiling autoit .exe files

tried to add some encryption to the program, but autoit .exe files don't like any encryption

when they are executed from mem ,

normal asm .exe files are running fine when they are encrypted.

still working on a solution for autoit files

http://prospeed-jan.xprofan.com/

happy new year !

:)

Edited by jpam




This is fuc*king brilliant!



It would be nice to have it translated to AutoIt.

It goes something like this:

CreateProcess -> GetThreadContext -> GetModuleHandle -> ZwUnmapViewOfSection -> VirtualAlloc(Ex) -> WriteProcessMemory -> SetThreadContext -> ResumeThread ...

BitDefender AV calls that "ProcessHijack" but nevertheless.

@FireFox, what's with you???


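The API chain named in the post above is what BitDefender reports as "ProcessHijack". As an added example that is not part of the original thread, the code below shows the detection side: it walks an API-call trace and alerts when one process drives that chain, in order, against a child process. The trace tuple format, the pids and the `REQUIRED` stage set are assumptions made for illustration.

```python
from collections import defaultdict

# Stages in the order the post lists them. GetModuleHandle is left out because
# it has no target process. Trace format (caller pid, API, target pid) is assumed.
CHAIN = ["CreateProcess", "GetThreadContext", "UnmapViewOfSection",
         "VirtualAllocEx", "WriteProcessMemory", "SetThreadContext",
         "ResumeThread"]
# Stages that must all be present before alerting; the rest add confidence.
REQUIRED = {"CreateProcess", "WriteProcessMemory", "SetThreadContext",
            "ResumeThread"}
ALIASES = {"CreateProcessA": "CreateProcess", "CreateProcessW": "CreateProcess",
           "ZwUnmapViewOfSection": "UnmapViewOfSection",
           "NtUnmapViewOfSection": "UnmapViewOfSection"}


def detect(trace):
    """Return one alert per (caller, target) pair that completes the chain in order."""
    pos = defaultdict(int)     # next CHAIN index still acceptable for the pair
    seen = defaultdict(list)   # stages matched so far for the pair
    alerts = []
    for caller, api, target in trace:
        stage = ALIASES.get(api, api)
        if stage not in CHAIN or caller == target:
            continue           # unrelated API, or a process acting on itself
        key, idx = (caller, target), CHAIN.index(stage)
        if idx < pos[key]:
            continue           # repeated or out-of-order stage
        pos[key] = idx + 1
        seen[key].append(stage)
        if stage == "ResumeThread" and REQUIRED <= set(seen[key]):
            alerts.append({"caller": caller, "target": target,
                           "stages": list(seen[key])})
    return alerts


# Constructed sample trace: pid 4012 replaces the image of its child 5120,
# while pid 3000 merely starts a suspended child and resumes it.
TRACE = [
    (4012, "CreateProcessW", 5120), (3000, "CreateProcessW", 3300),
    (4012, "GetThreadContext", 5120), (4012, "ZwUnmapViewOfSection", 5120),
    (4012, "VirtualAllocEx", 5120), (4012, "WriteProcessMemory", 5120),
    (3000, "ResumeThread", 3300), (4012, "WriteProcessMemory", 5120),
    (4012, "SetThreadContext", 5120), (4012, "ResumeThread", 5120),
]

if __name__ == "__main__":
    for alert in detect(TRACE):
        print(alert)
```
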

It goes something like this:

CreateProcess -> GetThreadContext -> GetModuleHandle -> ZwUnmapViewOfSection -> VirtualAlloc(Ex) -> WriteProcessMemory -> SetThreadContext -> ResumeThread ...

that's correct,

but i don't want to do that in autoit

i made it to not allow decompiling AutoIt exe files

@firefox;

i did not make any double post :)


that's correct,

but i don't want to do that in autoit

i made it to not allow decompiling AutoIt exe files

Well, this is not gonna stop decompilation. Even though that bullshits are often written by idiots with low level of programming knowledge, if you look at the hex dump of your app, it can be seen that for example, you used upx for original program and more important, location of a3x is easily detected.

But running exe file from memory is, well... huge!!!

Be a pal and teach us. :)

@jpam

Perhaps not but it's the same website...

I thought that you could make 1 post and regroup all your script to it which using your website .... :D

Never mind, continue....

Cheers, FireFox.

:o

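The reply above notes that a hex dump of the wrapped file still shows that UPX was used and where the a3x script sits. As an added example, not from the thread or from EFMC, the scanner below shows why: an unencrypted embedded executable keeps its MZ/PE headers and marker strings. The sample bytes are constructed, `AU3!EA06` is the marker string AutoIt3 compiled scripts carry, and the function names are hypothetical.

```python
import struct

# Marker strings to search for. UPX0/UPX1 are the section names UPX writes;
# AU3!EA06 is the tag carried by AutoIt3 compiled scripts (a3x).
MARKERS = {b"UPX0": "UPX section", b"UPX1": "UPX section",
           b"AU3!EA06": "AutoIt compiled-script marker"}


def embedded_pe_offsets(data):
    """Return offsets past 0 where an MZ header points at a PE signature."""
    hits = []
    start = data.find(b"MZ", 1)            # offset 0 is the wrapper itself
    while start != -1:
        if start + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, start + 0x3C)
            pe = start + e_lfanew
            if 0 < e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                hits.append(start)
        start = data.find(b"MZ", start + 1)
    return hits


def find_markers(data):
    """Return sorted (offset, label) pairs for every marker occurrence."""
    found = []
    for marker, label in MARKERS.items():
        off = data.find(marker)
        while off != -1:
            found.append((off, label))
            off = data.find(marker, off + 1)
    return sorted(found)


def fake_pe(body):
    """Build a minimal constructed MZ/PE header followed by body (not a real exe)."""
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + body


# Constructed sample: a small wrapper stub with a second, packed image appended.
INNER = fake_pe(b"UPX0\0\0\0\0UPX1" + b"\0" * 32 + b"AU3!EA06" + b"script bytes")
SAMPLE = fake_pe(b"stub code".ljust(0x80, b"\x90")) + INNER

if __name__ == "__main__":
    print("embedded PE images at:", embedded_pe_offsets(SAMPLE))
    for off, label in find_markers(SAMPLE):
        print(f"{off:#06x}  {label}")
```
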

Does this work on vista too?

On XP, this works, but i think all anti-virus software will recognize this as Process Hijacking or other virus-like behaviour ;(



#7 ·  Posted (edited)

Does this work on vista too?

On XP, this works, but i think all anti-virus software will recognize this as Process Hijacking or other virus-like behaviour ;(

I can live with that problem. :)

There's a thread about someone asking about running autoit script or dll from memory sometime ago. Forgot which thread that was.

I will be waiting for your final product, jpam. :o

In the meantime, Happy New Year Everyone.:D :D :D

Edited by MyDream


Happy new year,every one. lol

Cheers :)


Does this work on vista too?

On XP, this works, but i think all anti-virus software will recognize this as Process Hijacking or other virus-like behaviour ;(

Yes, it works on Vista.

About AV, apparently they don't, except mentioned BitDefender, but maybe even that could be dealt with if jpam would like to share his knowledge. :)



even if you won't share it would be cool as a command line app.

run_from_mem.exe program_in.exe program_out.exe

then program_out.exe being the app that runs the autoit exe from memory.


efmc.zip uploaded

This little tool creates an asm .exe and adds your autoit .exe file into it

when you run the new .exe file it executes the autoit .exe from memory

i made it to prevent decompiling autoit .exe files

tried to add some encryption to the program, but autoit .exe files don't like any encryption

when they are executed from mem ,

normal asm .exe files are running fine when they are encrypted.

still working on a solution for autoit files

http://prospeed-jan.xprofan.com/list-all-downloads.php

:)


efmc.zip uploaded

This little tool creates an asm .exe and adds your autoit .exe file into it

when you run the new .exe file it executes the autoit .exe from memory

i made it to prevent decompiling autoit .exe files

tried to add some encryption to the program, but autoit .exe files don't like any encryption

when they are executed from mem ,

normal asm .exe files are running fine when they are encrypted.

still working on a solution for autoit files

http://prospeed-jan.xprofan.com/list-all-downloads.php

:lmao:

I think that people are afraid of you.

That new app is creating executables that cannot be executed, at least not with me :)

If you need more information about my system or whatever, say it.



yes it doesn't have an icon, and yes it's a few kb more, this works perfect for me.

is there any way you can make it accept command line? for example:

efmc in out encrypt

where in is the in file out is the file to create and encryption is 1 to encrypt and 0 to not encrypt?


I think that people are afraid of you.

That new app is creating executables that cannot be executed, at least not with me :)

If you need more information about my system or whatever, say it.

Why should people be afraid of me ?

what os are you using ?

one thing to mention is that the destination dir must be the scriptdir, the savedialog points to that dir !


yes it doesn't have an icon, and yes it's a few kb more, this works perfect for me.

is there any way you can make it accept command line? for example:

efmc in out encrypt

where in is the in file out is the file to create and encryption is 1 to encrypt and 0 to not encrypt?

To add icon support is no problem.

i could extract the icon from the autoit app

or i can make it so that if you throw an icon in the scriptdir, it automatically uses that icon.

It's no problem to add a commandline option too

but why do you want a commandline option ?


Why should people be afraid of me ?

what os are you using ?

one thing to mention is that the destination dir must be the scriptdir, the savedialog points to that dir !

I don't know. How else would you explain something this good not to have desired attention?

Windows XP Professional 5.1.2600 Service Pack 3 Build 2600

I've tried everything, but just can't get it to work :)

New app is created but when I start it it just exits regardless of initial file. I even redownloaded EFMC from your site couple of times thinking that something is wrong there.



#NoTrayIcon
MsgBox(4096, "Test", "This box will time out in 10 seconds", 10)

This simple code won't run after wrapping with EFMC. Anyone know why? :)


#NoTrayIcon
MsgBox(4096, "Test", "This box will time out in 10 seconds", 10)

This simple code won't run after wrapping with EFMC. Anyone know why? :)

there are more people having problems, i am trying to find the bug

it's probably the generated db file


I would like a command line option because I have made my own compiler that has lots of custom features, and I would like to add an "execute from memory" checkbox in. =]
