Posted

  On 11/22/2011 at 1:07 PM, deltarocked said:

:D ... any other way out for AutoIt compiled execs?

1) Code a READEOF function.

2) You have to know how AutoIt reads its source code.

3) Then you split the interpreter (the actual AU3.exe) and the compiled binary script (the actual *.a3x) from a COMPILED AutoIt script.

4) Make a copy (the copy is optional) of the program you want to inject into (VictimProgram).

5) Write the compiled binary script to the EOF of the "VictimProgram".

6) Finally you inject the !!!INTERPRETER!!! (not the complete COMPILED AutoIt script) into the VictimProgram (with the written EOF).

7) Enjoy

or

patch the stub.bin file so it would read the source code from somewhere else (memory...)

Posted

  On 11/23/2011 at 4:03 PM, snify said:

why?

Posted (edited)

Thanks Snify, I had presumed it would be something similar to what you have outlined.

Now for the "because" or "why":

I tried Themida but :D utter failure.

My intention (2 reasons):

(Reason 1) To defeat the AutoIt decompiler module which is available for download in underground forums.

Tried one more AutoIt packer - AutoIt Camo: and though the size of the exe bloats, at least the decompiler fails miserably. The very mention of the AutoIt decompiler invokes sharp reactions and criticism, but the truth is - it is out there.

(Reason 2) I am using this method for strengthening detection by antiviruses, as this method is rarely used (as per my observation), and whenever "executing binary from memory" is used, the purpose/intention has always been suspicious.

Thanks again.

Regards

Delta Rocked

Edited by deltarocked
Posted (edited)

  On 12/3/2011 at 3:16 PM, KaFu said:

Take a look at FileChangeDir().

bah, I didn't think it would work... thanks..

Edited by THAT1ANONYMOUSEDUDE
Posted (edited)

  On 11/28/2011 at 7:08 AM, deltarocked said:

What do you mean, the binary bloats after you use AutoIt3Camo? That is because you did not instruct it to use your software armoring tool of choice, so you end up with the default size of the interpreter plus the size of the a3x component.

Nothing is actually added by A3C that you don't tell it to add, and it is not a packer at all, simply a build wrapper.

Vlad

Edited by Mobius


  • 3 weeks later...
Posted (edited)

Hi all,

Just out of curiosity I have tried the script.

I have downloaded RunBinary and changed the line:

Global $sModule = "PathFile.exe"

I get this error:

"Error",

"Binary data seems to be corrupted!"

"MS-DOS header is wrong or missing"

The software tested is without GUI (command-line only), about 1MB. Can I do anything, or does the script simply not work with all .exe files?

Thanks

Edited by johnmcloud
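Two things in this thread come down to the same PE-layout question: the steps quoted at the top append a compiled script to the end of a host executable, and the error reported just above comes from a check on the MZ/PE headers of the file handed to _RunBinary. The following is an added example, written for this page and not taken from the thread or from the RunBinary code; it parses the DOS header, COFF header and section table, reports whether any data lies after the last section (an "overlay", which is where EOF-appended data lands), and returns the validation failure message for images whose headers do not parse. Every function name here is mine, and the sample image is constructed inline rather than being a real binary.

```python
"""Report MZ/PE header validity and any data appended after the last section."""
import struct

PE_SIGNATURE = b"PE\0\0"


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header, COFF header and section table of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("MS-DOS header is wrong or missing")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature is wrong or missing")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    image_end = table + 40 * n_sections  # at minimum the headers themselves
    for i in range(n_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table is truncated")
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
        image_end = max(image_end, raw_ptr + raw_size)
    return {
        "machine": machine,
        "sections": sections,
        "image_end": min(image_end, len(data)),
        # bytes on disk that no section covers: EOF-appended data shows up here
        "overlay_size": max(0, len(data) - image_end),
    }


def has_overlay(data: bytes) -> bool:
    """True when the file carries data past the end of its last section."""
    return parse_pe(data)["overlay_size"] > 0


def header_error(data: bytes) -> str:
    """Return the validation failure message for `data`, or "" when the headers parse."""
    try:
        parse_pe(data)
    except ValueError as exc:
        return str(exc)
    return ""


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 with one .text section; `overlay` is appended after it."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, PE32 optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic; remaining fields left zero
    sect = struct.pack("<8sIIII", b".text", 0x200, 0x1000, 0x200, 0x200).ljust(40, b"\0")
    headers = (bytes(dos) + PE_SIGNATURE + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return headers + b"\xC3" * 0x200 + overlay


if __name__ == "__main__":
    for label, image in (("clean", build_sample_pe()), ("appended", build_sample_pe(bytes(range(64))))):
        info = parse_pe(image)
        print(f"{label}: sections={[s[0] for s in info['sections']]} overlay={info['overlay_size']} bytes")
```

An overlay by itself is not evidence of tampering: an Authenticode signature is also stored after the last section, and many installers keep their payload there, so a real triage script should first consult the optional header's security data directory before treating the trailing bytes as foreign.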
Posted

#include <Constants.au3>

;------------------------------------------------------------------------
; create the boot loader entry and output the loader's ID number
; (bcdedit only works from an elevated process)

$Win = "window7pe_by_Alex751"

; for /f runs bcdedit /create and takes the GUID between the braces of its output into %1
Local $cmd1 = ' /c @for /f "tokens=2 delims={}" %1 in ( '' bcdedit.exe /create /application OSLOADER /d ' & $Win & "') do set guid={%1}"

$iPID = Run(@ComSpec & $cmd1, "", @SW_HIDE, $STDERR_CHILD + $STDOUT_CHILD)

ProcessWaitClose($iPID) ; wait until cmd.exe has exited so that the complete output can be read

; cut the text between the first "{" and the following "}" out of the output
$sTxt = StdoutRead($iPID)
$sTxt = StringTrimLeft($sTxt, StringInStr($sTxt, "{"))
$sTxt = StringLeft($sTxt, StringInStr($sTxt, "}") - 1)
; the returned loader ID number ($sTxt)

;------------------------------------------------------
; write the ID number to the file: ($sTxt)

$file = FileOpen("GUIGetMsg.txt", 1) ; mode 1 = append
FileWriteLine($file, "The entry {"&$sTxt&"} was successfully created.")

;------------------------------------------------------
; enter the data for the new entry

RunWait(@ComSpec & ' /c bcdedit /set {' &$sTxt& '} device vhd=[D:]\Users\Alex751\windows7PE_from_bcd_boot.vhd,locate=custom:12000002', "", @SW_HIDE)

RunWait(@ComSpec & ' /c bcdedit /set {' &$sTxt& '} path \Windows\system32\winload.exe', "", @SW_HIDE)

RunWait(@ComSpec & ' /c bcdedit /set {' &$sTxt& '} description Windows7-PE***Copyright*2012*Alex751*', "", @SW_HIDE)

RunWait(@ComSpec & ' /c bcdedit /set {' &$sTxt& '} locale en-US', "", @SW_HIDE)

RunWait(@ComSpec & ' /c bcdedit /set {' &$sTxt& '} osdevice vhd=[D:]\Users\Alex751\windows7PE_from_bcd_boot.vhd,locate=custom:22000002', "", @SW_HIDE)

RunWait(@ComSpec & ' /c bcdedit /set {' &$sTxt& '} systemroot \Windows', "", @SW_HIDE)

RunWait(@ComSpec & ' /c bcdedit /set {' &$sTxt& '} resumeobject {d6b7fc8d-35ee-11e1-b8a7-806e6f6e6963}', "", @SW_HIDE)

RunWait(@ComSpec & ' /c bcdedit /set {' &$sTxt& '} nx OptIn', "", @SW_HIDE)

RunWait(@ComSpec & ' /c bcdedit /set {' &$sTxt& '} pae ForceEnable', "", @SW_HIDE)

RunWait(@ComSpec & ' /c bcdedit /set {' &$sTxt& '} detecthal Yes', "", @SW_HIDE)

RunWait(@ComSpec & ' /c bcdedit /set /displayorder {' &$sTxt& '} /addlast', "", @SW_HIDE)

MsgBox(0,"GUID","{"&$sTxt&"} ჩამტვირთვისს იდენთიფიკატორი")

FileClose($file)

  • 1 month later...
Posted

can a binary created from this method be executed with parameters?

if yes, how?

Heroes, there is no such thing

One day I'll discover what IE.au3 has of special for so many users using it.
C'mon there's InetRead and WinHTTP, way better

Posted

  On 2/17/2012 at 10:35 PM, KaFu said:

The function definition is as follows:

_RunBinary($bBinaryImage, $sCommandLine = "", $sExeModule = @AutoItExe)

Now make a guess yourself :)...

I found that a few minutes ago, thanks ;)

Do you know how I can enable $STDOUT_CHILD and hide the window with _RunBinary?

And what is this: $sExeModule?


Posted

I'm not sure ;), this code is fu**ing complex and I guess only trancexx really understands it :)... maybe it's sufficient to add the STARTF_USESTDHANDLES flag to the STARTUPINFO structure?

As far as I understand the code, the $sExeModule is a generic exe you have to start (e.g. calc.exe) to set up a "process environment" in which the function injects your binary data to run.

Posted (edited)

  On 2/17/2012 at 11:52 PM, KaFu said:

I found this:

BOOL WINAPI ShowWindow(
    __in HWND hWnd,
    __in int nCmdShow
);

hWnd = window handle (how can I know it?)

nCmdShow = 'SW_HIDE' or '0'

I just don't know how I could get $STDOUT_CHILD from this process :D (hope trancexx knows how to do it ;))

thanks for your time btw :)

Edited by DiOgO


Posted

Really nice work! Thx! I wonder whether there is a way to compile another exe file into my script as a variable holding its binary code rather than using the FileInstall function.

Miss Dong, you are beautiful when you smile, like the clear water under Anhe Bridge...

Posted

  On 2/18/2012 at 11:19 AM, czyt said:

You can include the file as a variable holding its binary, then use FileWrite() to create the file wherever you want it.

FileToVariable(FileOpenDialog("Select File To Process", "", "All(*.*)"))

; Reads a file as binary and puts an AutoIt declaration of the form
;   Local $Bin = '0x4D5A...'& _
;    '...'& _
;    '...'
; on the clipboard, ready to be pasted into a script as a variable.
Func FileToVariable($File, $Compress = False)
    If $File = "" Then Exit
    Local $Variable = StringStripWS(InputBox("Variable Name", "Enter Var Name:", "Bin"), 3)
    If $Variable = "" Then Exit
    Local $Handle = FileOpen($File, 16) ; mode 16 = binary read
    Local $Source = FileRead($Handle)
    FileClose($Handle)
    If $Compress Then $Source = _LZNTCompress($Source, 258) ; LZNT1 with the maximum engine
    Local $StringLen = 120
    Local $String = String($Source) ; binary -> "0x..." hex text
    ; the declaration line carries $StringLen - 2 characters, every continuation line $StringLen;
    ; "& _" is only written when more text follows, so the output never ends in a dangling continuation
    Local $Out = "Local $" & $Variable & " = '" & StringLeft($String, $StringLen - 2) & "'"
    $String = StringTrimLeft($String, $StringLen - 2)
    While StringLen($String) > 0
        $Out &= "& _" & @CRLF & " '" & StringLeft($String, $StringLen) & "'"
        $String = StringTrimLeft($String, $StringLen)
    WEnd
    ClipPut($Out & @CRLF)
EndFunc   ;==>FileToVariable

; Compresses $vInput with ntdll's RtlCompressBuffer.
; $iCompressionFormatAndEngine: 2 = COMPRESSION_FORMAT_LZNT1 with the standard engine,
; 258 (0x102) = LZNT1 | COMPRESSION_ENGINE_MAXIMUM (slower, smaller output).
; Returns the compressed bytes, or "" with @error set.
Func _LZNTCompress($vInput, $iCompressionFormatAndEngine = 2)
    ; anything other than 258 falls back to the standard LZNT1 engine
    If $iCompressionFormatAndEngine <> 258 Then $iCompressionFormatAndEngine = 2
    Local $bBinary = Binary($vInput)

    Local $tInput = DllStructCreate("byte[" & BinaryLen($bBinary) & "]")
    DllStructSetData($tInput, 1, $bBinary)

    ; ask how large the workspace buffer for this format/engine has to be
    Local $a_Call = DllCall("ntdll.dll", "int", "RtlGetCompressionWorkSpaceSize", _
        "ushort", $iCompressionFormatAndEngine, _
        "dword*", 0, _ ; CompressBufferWorkSpaceSize (out)
        "dword*", 0)   ; CompressFragmentWorkSpaceSize (out)

    If @error Or $a_Call[0] Then ; $a_Call[0] is the NTSTATUS; non-zero means failure
        Return SetError(1, 0, "") ; error determining workspace buffer size
    EndIf

    Local $tWorkSpace = DllStructCreate("byte[" & $a_Call[2] & "]") ; workspace is needed for compression

    Local $tBuffer = DllStructCreate("byte[" & 16 * DllStructGetSize($tInput) & "]") ; initially oversizing buffer

    $a_Call = DllCall("ntdll.dll", "int", "RtlCompressBuffer", _
        "ushort", $iCompressionFormatAndEngine, _
        "ptr", DllStructGetPtr($tInput), _
        "dword", DllStructGetSize($tInput), _
        "ptr", DllStructGetPtr($tBuffer), _
        "dword", DllStructGetSize($tBuffer), _
        "dword", 4096, _ ; chunk size
        "dword*", 0, _   ; FinalCompressedSize (out)
        "ptr", DllStructGetPtr($tWorkSpace))

    If @error Or $a_Call[0] Then
        Return SetError(2, 0, "") ; error compressing
    EndIf

    ; only the first FinalCompressedSize bytes of the buffer are the compressed stream
    Local $tOutput = DllStructCreate("byte[" & $a_Call[7] & "]", DllStructGetPtr($tBuffer))

    Return SetError(0, 0, DllStructGetData($tOutput, 1))

EndFunc   ;==>_LZNTCompress
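The declaration that FileToVariable() above puts on the clipboard is a text format of its own, and anyone reviewing a script built this way needs to turn it back into bytes to see what was embedded. The following is an added example in Python, not code from this thread or from the AutoIt project; it assumes only the layout the function above produces (a `Local $Name = '0x...'` line plus quoted continuation lines joined with `& _`). `encode_as_au3` mirrors that layout so the round trip can be checked offline, and `extract_embedded_binaries` is the decoder; both names are mine. Compression is not modelled: a variable produced with `$Compress = True` decodes to the LZNT1 stream, not to the original file.

```python
"""Encode bytes in FileToVariable's text layout and decode such declarations back to bytes."""
import re

FIRST_CHUNK = 118  # FileToVariable: $StringLen - 2 characters on the declaration line
CHUNK = 120        # and $StringLen characters on every continuation line


def encode_as_au3(name: str, data: bytes) -> str:
    """Mirror of FileToVariable's output; AutoIt's String(Binary(...)) yields "0x" + upper-case hex."""
    text = "0x" + data.hex().upper()
    out = f"Local ${name} = '{text[:FIRST_CHUNK]}'"
    text = text[FIRST_CHUNK:]
    while text:
        out += f"& _\r\n '{text[:CHUNK]}'"
        text = text[CHUNK:]
    return out + "\r\n"


_DECL = re.compile(r"^\s*(?:Local|Global)\s+\$(\w+)\s*=\s*(.*)$", re.S)
_QUOTED = re.compile(r"'([^']*)'")
_CONTINUATION = re.compile(r"\s_$")  # AutoIt line continuation: whitespace + "_" at end of line


def _logical_lines(script: str):
    """Yield the script's logical lines, with continuation lines joined onto the line they continue."""
    buf = []
    for line in script.splitlines():
        stripped = line.rstrip()
        if _CONTINUATION.search(stripped):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield "".join(buf)
        buf = []
    if buf:  # file ended on a dangling continuation
        yield "".join(buf)


def extract_embedded_binaries(script: str) -> dict:
    """Return {variable name: bytes} for every declaration whose value is a hex ('0x...') string."""
    found = {}
    for logical in _logical_lines(script):
        m = _DECL.match(logical)
        if not m:
            continue
        pieces = _QUOTED.findall(m.group(2))
        if not pieces:
            continue  # numeric or otherwise unquoted value
        hexstr = "".join(pieces)
        if not hexstr.startswith("0x"):
            continue  # an ordinary string variable
        body = hexstr[2:]
        if len(body) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", body):
            continue  # not a well-formed binary literal
        found[m.group(1)] = bytes.fromhex(body)
    return found


if __name__ == "__main__":
    # constructed sample: an embedded blob next to two ordinary variables
    sample = encode_as_au3("Bin", bytes(range(256))) + "Local $Name = 'plain text'\r\nLocal $n = 5\r\n"
    for name, blob in extract_embedded_binaries(sample).items():
        print(f"${name}: {len(blob)} bytes, starts with {blob[:4].hex()}")
```

The decoder joins continuation lines before matching, so it does not care how the hex text was split, and it skips every declaration that is not a `0x` literal of even length; that keeps ordinary string variables out of the result without any guessing about their content.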
Posted

  On 2/18/2012 at 12:28 PM, THAT1ANONYMOUSEDUDE said:

it wouldn't be the same as FileInstall? (create a file and execute?)

