Adele Posted January 30, 2015 Share Posted January 30, 2015 (edited) Could we run the program being @SW_HIDE state directly? I have tried WinSetState but it appears on the screen a few seconds. Great job. Edited January 30, 2015 by Adele Link to comment Share on other sites More sharing options...
kadanefewi Posted February 13, 2015 Share Posted February 13, 2015 Good afternoon. I'm trying to use it to run either rar.exe or 7z.exe to decompress from command line a few files, but I'm not able to pass arguments to those 2 executables using this command: $iNewPID = _RunBinary($bBinary, " x test.rar") The same structure to pass arguements to a command line executable works fine with other executables that I've tested, but there's something particular about these 2, which I don't know what it is, that makes them show me the parameters information (similar to running rar -help, for example). Any ideas on how to solve them? If for instance I load from memory cmd.exe and then call rar.exe, it works, but it's not what I'm intending to do. Thanks. Link to comment Share on other sites More sharing options...
Biatu Posted August 12, 2016 Share Posted August 12, 2016 On 2/12/2015 at 8:21 PM, kadanefewi said: Good afternoon. I'm trying to use it to run either rar.exe or 7z.exe to decompress from command line a few files, but I'm not able to pass arguments to those 2 executables using this command: $iNewPID = _RunBinary($bBinary, " x test.rar") The same structure to pass arguements to a command line executable works fine with other executables that I've tested, but there's something particular about these 2, which I don't know what it is, that makes them show me the parameters information (similar to running rar -help, for example). Any ideas on how to solve them? If for instance I load from memory cmd.exe and then call rar.exe, it works, but it's not what I'm intending to do. Thanks. try this: $iNewPID = _RunBinary($bBinary& " x test.rar") What is what? What is what. Link to comment Share on other sites More sharing options...
Leo1906 Posted September 7, 2016 Share Posted September 7, 2016 Is there a problem with the forum, because I'm not able to load page 9 of this thread ..? I would like to know if there has been solution to the stdout streams of the files executed, as requestet on page 8? Would be really nice .. Link to comment Share on other sites More sharing options...
Biatu Posted September 10, 2016 Share Posted September 10, 2016 On 9/7/2016 at 3:00 PM, Leo1906 said: Is there a problem with the forum, because I'm not able to load page 9 of this thread ..? I would like to know if there has been solution to the stdout streams of the files executed, as requestet on page 8? Would be really nice .. Page 9...same. What is what? What is what. Link to comment Share on other sites More sharing options...
meoit Posted October 31, 2016 Share Posted October 31, 2016 Hello @trancexx ! I try unRAR command line but unsuccessful ;.......script written by trancexx (trancexx at yahoo dot com) ; https://www.autoitscript.com/forum/topic/99412-run-binary/ ; For this example just browse to some executable you wish to run from memory ;Global $sModule = FileOpenDialog("", "", "Executable modules (*.exe)") ;If @error Then Exit Global $bBinary = FileRead(@ScriptDir & '\UnRAR.exe') Global $iNewPID ; Try 10 times in case of failures For $i = 1 To 10 ConsoleWrite("Try No" & $i & @CRLF) $iNewPID = _RunBinary($bBinary, ' x ' & @ScriptDir & '\TestFile.rar -o+ -y "' & @DesktopDir & '"');, "", @SystemDir & "\calc.exe") ; if it fails on for example XP, try another 'victim'. If Not @error Then ExitLoop Next Can you help me?. Thanks. Link to comment Share on other sites More sharing options...
Skysnake Posted January 30, 2017 Share Posted January 30, 2017 There is a problem with page 9 of this thread. Page 8 works, and page 10 works. Page 9 does not load. argumentum and 123456 2 Skysnake Why is the snake in the sky? Link to comment Share on other sites More sharing options...
Biatu Posted April 27, 2017 Share Posted April 27, 2017 @trancexx, would you happen to have a solution for getting STD handles? I tried setting bInherentHandels flag, but still can't write to the STDIN. I just trying to do something basic, like echo "Hello world" to cmd.exe as a test. in the end I'm looking for ways to pipe data from one program to another. Thank you What is what? What is what. Link to comment Share on other sites More sharing options...
Biatu Posted April 27, 2017 Share Posted April 27, 2017 @trancexx, would you happen to have a solution for getting STD handles? I tried setting bInherentHandels flag, but still can't write to the STDIN. I just trying to do something basic, like echo "Hello world" to cmd.exe as a test. in the end I'm looking for ways to pipe data from one program to another. Edit: Another solution I was looking into, is shared libraries. Can I use your Subrogation to load shared libraries that may be needed by X program being loaded with this function. Thank you What is what? What is what. Link to comment Share on other sites More sharing options...
PedroWarlock Posted June 20, 2017 Share Posted June 20, 2017 English by google translator How do I run a binary AUDIO using only _SoundOpen and _SoundPlay? I need to use these functions since I use winmm.dll to play video as well and would like to play videos in binary as well. Example of running a sound in binary ( WinApi_PlaySound) expandcollapse popup#include <APIMiscConstants.au3> #include <GUIConstantsEx.au3> #include <MsgBoxConstants.au3> #include <WinAPIMisc.au3> Local Const $sWav = @ScriptDir & '\Extras\Airplane.wav' ; Read Airplane.wav to memory Local $dWav = FileRead($sWav) If @error Then MsgBox(BitOR($MB_ICONERROR, $MB_SYSTEMMODAL), 'Error', 'Unable to read "' & $sWav & '"') Exit EndIf Local $tWav = DllStructCreate('byte[' & BinaryLen($dWav) & ']') DllStructSetData($tWav, 1, $dWav) Local $pWav = DllStructGetPtr($tWav) ; Create GUI Local $hForm = GUICreate('Test ' & StringReplace(@ScriptName, '.au3', '()'), 200, 200) Local $idButton = GUICtrlCreateButton('Play', 70, 70, 60, 60) GUISetState(@SW_SHOW) Local $bPlay = False While 1 Switch GUIGetMsg() Case $GUI_EVENT_CLOSE ExitLoop Case $idButton $bPlay = Not $bPlay If $bPlay Then _WinAPI_PlaySound($pWav, BitOR($SND_ASYNC, $SND_LOOP, $SND_MEMORY)) ;~ _WinAPI_PlaySound($sWav, BitOR($SND_ASYNC, $SND_LOOP)) GUICtrlSetData($idButton, 'Stop') Else _WinAPI_PlaySound('') GUICtrlSetData($idButton, 'Play') EndIf EndSwitch WEnd Link to comment Share on other sites More sharing options...
colegero Posted November 15, 2017 Share Posted November 15, 2017 (edited) Hi mates, tell me why my binary code does not start expandcollapse popupGlobal $bBinary = "0x4D5A90000300000004000000FFFF0000B8000000000000004000000000000000" & _ "0000000000000000000000000000000000000000000000000000000080000000" & _ "0E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F" & _ "742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000" & _ "504500004C01030094D05C590000000000000000E00022000B01300000100000" & _ "0008000000000000C22F00000020000000400000000040000020000000020000" & _ "0400000000000000040000000000000000800000000200000000000002004085" & _ "0000100000100000000010000010000000000000100000000000000000000000" & _ "702F00004F000000004000008C05000000000000000000000000000000000000" & _ "006000000C000000382E00001C00000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000020000008000000" & _ "0000000000000000082000004800000000000000000000002E74657874000000" & _ "C80F000000200000001000000002000000000000000000000000000020000060" & _ "2E727372630000008C0500000040000000060000001200000000000000000000" & _ "00000000400000402E72656C6F6300000C000000006000000002000000180000" & _ "0000000000000000000000004000004200000000000000000000000000000000" & _ "A42F000000000000480000000200050084210000FC0B00000100000004000006" & _ "802D0000B8000000000000000000000000000000000000000000000000000000" & _ "000000000000000000000000000000005E02147D0100000402281300000A0000" & _ "022803000006002A133002002B0000000100001100032C0B027B0100000414FE" & _ "032B01160A062C0E00027B010000046F1400000A00000203281500000A002A86" & _ "0002731600000A7D010000040217281700000A000272010000706F1800000A00" & _ "2A5600720D0000707237000070161F10281900000A262A2602281A00000A0000" & _ "2A000000133002003900000002000011007E0200000414FE010A062C22007255" & _ "000070D004000002281B00000A6F1C00000A731D00000A0B078002000004007E" & _ "020000040C2B00082A000000133001000B00000003000011007E030000040A2B" & _ "00062A22000280030000042A133001000B00000004000011007E040000040A2B" & _ "00062A2202281E00000A002A56730A000006281F00000A740500000280040000" & _ "042A000042534A4201000100000000000C00000076322E302E35303732370000" & _ "000005006C00000020040000237E00008C040000E804000023537472696E6773" $bBinary &= "00000000740900008C00000023555300000A0000100000002347554944000000" & _ "100A0000EC01000023426C6F6200000000000000020000015715A20109010000" & _ "00FA013300160000010000002700000005000000040000000B00000002000000" & _ "1F00000015000000040000000200000003000000040000000100000003000000" & _ "010000000000A70201000000000006001602DA0306008302DA0306004A01A803" & _ "0F003004000006008B0140030600F90140030600DA01400306006A0240030600" & _ "3602400306004F0240030600A201400306007701BB0306000801BB030600BD01" & _ "40030A00F10259040E008A03BB0206008B04EA020600DA00EA020E0016017203" & _ "06002D01A8030600ED00DA0306006203FA03060052032B030E00C500BB020E00" & _ "5E01BB020E00A500160306004800EA020E008B03BB020A00D10259040A003A00" & _ "59040A00DA0259040A00CD0459040A009E0459040A006E0459040A0007035904" & _ "06007800EA0206005400EA020600DC0440030E00B00016030000000007000000" & _ "00000100010001001000010095033D000100010080011000E202950345000200" & _ "04000000100001043F044500020005000001100050043F046900040009000100" & _ "800479001100F6027D0011009500810011002600850050200000000086189B03" & _ "06000100682000000000C400BD00150001009F20000000008100AB0406000200" & _ "C120000000009100020389000200D7200000000083189B0306000200E4200000" & _ "000093085E038D0002002C210000000093087D00920002004321000000009308" & _ "8900970002004C2100000000960892049D00030063210000000086189B030600" & _ "03006C21000000009118A1038900030000000100B10200000100A10209009B03" & _ "010011009B03060019009B030A0029009B03100031009B03100039009B031000" & _ "41009B03100049009B03100051009B03100059009B03100061009B0315006900" & _ "9B03100071009B03100091009B03060099009B031A00A1009B030600A9009B03" & _ "0600C9009B03200079009B030600D900BD0006007900BD001500E1009B030600" & _ "E90036002A00F900BF0410000101C804300089009B0306002101660046002101" & _ "D8044F00B1009B035500D1009B03060039011900670029009300E2012E000B00" & _ "B1002E001300BA002E001B00D9002E002300E2002E002B00ED002E003300ED00" & _ "2E003B00ED002E004300E2002E004B00F3002E005300ED002E005B00ED002E00" & _ "63000B012E006B00350149009300E20180007300420183007B00470183008300" & _ "420183008B004201A3008B004201A3007B00880126003E005D00620004000100" & _ "0500030000006203A20000009D00A70000009604AC0002000600030002000700" $bBinary &= "0500010008000500020009000700048000000100000000000000000000000000" & _ "9503000002000000000000000000000070001000000000000200000000000000" & _ "0000000070005904000000000200000000000000000000007000EA0200000000" & _ "00000000010000000B0400000000000000466F726D31003C4D6F64756C653E00" & _ "6D73636F726C69620053796E6368726F6E697A65640064656661756C74496E73" & _ "74616E6365007365745F4175746F5363616C654D6F64650049446973706F7361" & _ "626C650052756E74696D655479706548616E646C65004765745479706546726F" & _ "6D48616E646C650054797065006765745F43756C74757265007365745F43756C" & _ "74757265007265736F7572636543756C74757265004170706C69636174696F6E" & _ "53657474696E67734261736500446973706F736500456469746F7242726F7773" & _ "61626C6553746174650053544154687265616441747472696275746500436F6D" & _ "70696C657247656E657261746564417474726962757465004775696441747472" & _ "69627574650047656E657261746564436F646541747472696275746500446562" & _ "75676765724E6F6E55736572436F646541747472696275746500446562756767" & _ "61626C6541747472696275746500456469746F7242726F777361626C65417474" & _ "72696275746500436F6D56697369626C6541747472696275746500417373656D" & _ "626C795469746C6541747472696275746500417373656D626C7954726164656D" & _ "61726B41747472696275746500417373656D626C7946696C6556657273696F6E" & _ "41747472696275746500417373656D626C79436F6E66696775726174696F6E41" & _ "747472696275746500417373656D626C794465736372697074696F6E41747472" & _ "696275746500436F6D70696C6174696F6E52656C61786174696F6E7341747472" & _ "696275746500417373656D626C7950726F647563744174747269627574650041" & _ "7373656D626C79436F7079726967687441747472696275746500417373656D62" & _ "6C79436F6D70616E794174747269627574650052756E74696D65436F6D706174" & _ "6962696C6974794174747269627574650076616C7565004572726F722E657865" & _ "00646973706F73696E670053797374656D2E436F6D706F6E656E744D6F64656C" & _ "00436F6E7461696E6572436F6E74726F6C0050726F6772616D0053797374656D" & _ "00466F726D007265736F757263654D616E004D61696E004D657373616765426F" & _ "7849636F6E0053797374656D2E436F6E66696775726174696F6E005379737465" & _ "6D2E476C6F62616C697A6174696F6E0053797374656D2E5265666C656374696F" & _ "6E0043756C74757265496E666F006765745F5265736F757263654D616E616765" $bBinary &= "720053797374656D2E436F6465446F6D2E436F6D70696C65720049436F6E7461" & _ "696E6572004572726F72002E63746F72002E6363746F720053797374656D2E44" & _ "6961676E6F73746963730053797374656D2E52756E74696D652E496E7465726F" & _ "7053657276696365730053797374656D2E52756E74696D652E436F6D70696C65" & _ "7253657276696365730053797374656D2E5265736F7572636573004572726F72" & _ "2E50726F706572746965732E5265736F75726365732E7265736F757263657300" & _ "446562756767696E674D6F646573004572726F722E50726F7065727469657300" & _ "53657474696E67730053797374656D2E57696E646F77732E466F726D73004D65" & _ "7373616765426F78427574746F6E7300636F6D706F6E656E7473004F626A6563" & _ "74006765745F44656661756C74004469616C6F67526573756C7400496E697469" & _ "616C697A65436F6D706F6E656E74007365745F546578740053686F77004D6573" & _ "73616765426F78006765745F417373656D626C7900000000000B46006F007200" & _ "6D00310000294D0069007300730069006E00670020006D007300760063007200" & _ "3100300030002E0064006C006C00001D43007200690074006900630061006C00" & _ "20006500720072006F00720000354500720072006F0072002E00500072006F00" & _ "70006500720074006900650073002E005200650073006F007500720063006500" & _ "73000000C57F35046E31314B9464B5FC14FAFF08000420010108032000010520" & _ "01011111042001010E0420010102052002010E0E052001011161030701020520" & _ "010111790D00041180850E0E11808911808D0707030212591259080001128091" & _ "118095052000128099072002010E128099040701125D04070112140800011280" & _ "9D12809D08B77A5C561934E08903061241030612590306125D03061214030000" & _ "010400001259040000125D05000101125D04000012140408001259040800125D" & _ "04080012140801000800000000001E01000100540216577261704E6F6E457863" & _ "657074696F6E5468726F7773010801000701000000000A0100054572726F7200" & _ "0005010000000017010012436F7079726967687420C2A9202032303137000029" & _ "01002435363462663537392D346666622D346130312D613663652D3163653463" & _ "6663343936363500000C010007312E302E302E30000004010000004001003353" & _ "797374656D2E5265736F75726365732E546F6F6C732E5374726F6E676C795479" & _ "7065645265736F757263654275696C64657207342E302E302E3000005901004B" & _ "4D6963726F736F66742E56697375616C53747564696F2E456469746F72732E53" & _ "657474696E677344657369676E65722E53657474696E677353696E676C654669" $bBinary &= "6C6547656E657261746F720831312E302E302E30000008010002000000000000" & _ "B4000000CECAEFBE01000000910000006C53797374656D2E5265736F75726365" & _ "732E5265736F757263655265616465722C206D73636F726C69622C2056657273" & _ "696F6E3D322E302E302E302C2043756C747572653D6E65757472616C2C205075" & _ "626C69634B6579546F6B656E3D62373761356335363139333465303839235379" & _ "7374656D2E5265736F75726365732E52756E74696D655265736F757263655365" & _ "7402000000000000000000000050414450414450B40000000000000094D05C59" & _ "00000000020000001C010000542E0000541000005253445305C5361A4166D940" & _ "9041D6E46D5E62BF01000000433A5C55736572735C676F726E6F5C446F63756D" & _ "656E74735C56697375616C2053747564696F20323031355C50726F6A65637473" & _ "5C4572726F725C4572726F725C6F626A5C44656275675C4572726F722E706462" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "00000000000000000000000000000000982F00000000000000000000B22F0000" & _ "002000000000000000000000000000000000000000000000A42F000000000000" & _ "0000000000005F436F724578654D61696E006D73636F7265652E646C6C000000" & _ "0000FF2500204000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000020010000000200000801800000050000080" & _ "0000000000000000000000000000010001000000380000800000000000000000" & _ "0000000000000100000000008000000000000000000000000000000000000100" & _ "010000006800008000000000000000000000000000000100000000008C030000" & _ "90400000FC0200000000000000000000FC0234000000560053005F0056004500" & _ "5200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100" & _ "000001000000000000000100000000003F000000000000000400000001000000" & _ "000000000000000000000000440000000100560061007200460069006C006500" & _ "49006E0066006F00000000002400040000005400720061006E0073006C006100" & _ "740069006F006E00000000000000B0045C020000010053007400720069006E00" $bBinary &= "6700460069006C00650049006E0066006F000000380200000100300030003000" & _ "3000300034006200300000001A000100010043006F006D006D0065006E007400" & _ "730000000000000022000100010043006F006D00700061006E0079004E006100" & _ "6D0065000000000000000000340006000100460069006C006500440065007300" & _ "6300720069007000740069006F006E00000000004500720072006F0072000000" & _ "300008000100460069006C006500560065007200730069006F006E0000000000" & _ "31002E0030002E0030002E003000000034000A00010049006E00740065007200" & _ "6E0061006C004E0061006D00650000004500720072006F0072002E0065007800" & _ "650000004800120001004C006500670061006C0043006F007000790072006900" & _ "670068007400000043006F0070007900720069006700680074002000A9002000" & _ "2000320030003100370000002A00010001004C006500670061006C0054007200" & _ "6100640065006D00610072006B00730000000000000000003C000A0001004F00" & _ "72006900670069006E0061006C00460069006C0065006E0061006D0065000000" & _ "4500720072006F0072002E0065007800650000002C0006000100500072006F00" & _ "64007500630074004E0061006D006500000000004500720072006F0072000000" & _ "340008000100500072006F006400750063007400560065007200730069006F00" & _ "6E00000031002E0030002E0030002E0030000000380008000100410073007300" & _ "65006D0062006C0079002000560065007200730069006F006E00000031002E00" & _ "30002E0030002E00300000009C430000EA0100000000000000000000EFBBBF3C" & _ "3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D22555446" & _ "2D3822207374616E64616C6F6E653D22796573223F3E0D0A0D0A3C617373656D" & _ "626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F6674" & _ "2D636F6D3A61736D2E763122206D616E696665737456657273696F6E3D22312E" & _ "30223E0D0A20203C617373656D626C794964656E746974792076657273696F6E" & _ "3D22312E302E302E3022206E616D653D224D794170706C69636174696F6E2E61" & _ "7070222F3E0D0A20203C7472757374496E666F20786D6C6E733D2275726E3A73" & _ "6368656D61732D6D6963726F736F66742D636F6D3A61736D2E7632223E0D0A20" & _ "2020203C73656375726974793E0D0A2020202020203C72657175657374656450" & _ "726976696C6567657320786D6C6E733D2275726E3A736368656D61732D6D6963" & _ "726F736F66742D636F6D3A61736D2E7633223E0D0A20202020202020203C7265" & _ "71756573746564457865637574696F6E4C6576656C206C6576656C3D22617349" $bBinary &= "6E766F6B6572222075694163636573733D2266616C7365222F3E0D0A20202020" & _ "20203C2F72657175657374656450726976696C656765733E0D0A202020203C2F" & _ "73656375726974793E0D0A20203C2F7472757374496E666F3E0D0A3C2F617373" & _ "656D626C793E0000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "002000000C000000C43F00000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" & _ "0000000000000000000000000000000000000000000000000000000000000000" Global $iNewPID For $i = 1 To 10 ConsoleWrite("Try No" & $i & @CRLF) $iNewPID = _RunBinary($bBinary) If Not @error Then ExitLoop Next Switch @error Case 0 ConsoleWrite("New process sucessfully created. PID is: " & $iNewPID & @CRLF) Case 1 MsgBox(48, "Error", "New process couldn't be created!" & @CRLF & "Check if the path is correct.") Case 2 MsgBox(48, "Error", "Wrong AutoIt!" & @CRLF & "Should be x64 for x64 and x86 for x86.") Case 3 MsgBox(48, "Error", "GetThreadContext function failed!" & @CRLF & "Something is wrong.") Case 4 MsgBox(48, "Error", "Binary data seems to be corrupted!" & @CRLF & "MS-DOS header is wrong or missing.") Case 5 MsgBox(48, "Error", "Binary data seems to be corrupted!" & @CRLF & "PE signature is wrong.") Case 6 MsgBox(48, "Error", "Wrong AutoIt!" & @CRLF & "Should be x64 for x64 and x86 for x86.") Case 7 MsgBox(48, "Error", "Internal error!" & @CRLF & "Failure while writting new module binary.") Case 8 MsgBox(48, "Error", "Internal error!" & @CRLF & "Failure while filling PEB structure.") Case 9 MsgBox(48, "Error", "Internal error!" & @CRLF & "Failure while changing base address.") Case 10 MsgBox(48, "Error", "Internal error!" & @CRLF & "Failure with SetThreadContext function.") Case 11 MsgBox(48, "Error", "Internal error!" & @CRLF & "Failure with ResumeThread function.") Case 101 If @extended Then MsgBox(48, "Error", "Error!" & @CRLF & "Not enough space available at desired address. Try again maybe, or change the 'victim'.") Else MsgBox(48, "Error", "Error!" & @CRLF & "Executable you try to run is not relocatable. This lowers the possibility of running it in this fassion." & @CRLF & "Try again or find another 'victim', maybe you'll get lucky.") EndIf Case 102 MsgBox(48, "Error", "Itanium architecture!" & @CRLF & "No solution. Sorry." & @CRLF & "How did you manage to end up here is beyond my comprehension.") EndSwitch ; FUNCTION Func _RunBinary($bBinaryImage, $sCommandLine = "", $sExeModule = @AutoItExe) #Region 1. DETERMINE INTERPRETER TYPE Local $fAutoItX64 = @AutoItX64 #Region 2. PREDPROCESSING PASSED Local $bBinary = Binary($bBinaryImage) ; this is redundant but still... ; Make structure out of binary data that was passed Local $tBinary = DllStructCreate("byte[" & BinaryLen($bBinary) & "]") DllStructSetData($tBinary, 1, $bBinary) ; fill it ; Get pointer to it Local $pPointer = DllStructGetPtr($tBinary) #Region 3. CREATING NEW PROCESS ; STARTUPINFO structure (actually all that really matters is allocated space) Local $tSTARTUPINFO = DllStructCreate("dword cbSize;" & _ "ptr Reserved;" & _ "ptr Desktop;" & _ "ptr Title;" & _ "dword X;" & _ "dword Y;" & _ "dword XSize;" & _ "dword YSize;" & _ "dword XCountChars;" & _ "dword YCountChars;" & _ "dword FillAttribute;" & _ "dword Flags;" & _ "word ShowWindow;" & _ "word Reserved2;" & _ "ptr Reserved2;" & _ "ptr hStdInput;" & _ "ptr hStdOutput;" & _ "ptr hStdError") ; This is much important. This structure will hold very some important data. Local $tPROCESS_INFORMATION = DllStructCreate("ptr Process;" & _ "ptr Thread;" & _ "dword ProcessId;" & _ "dword ThreadId") ; Create new process Local $aCall = DllCall("kernel32.dll", "bool", "CreateProcessW", _ "wstr", $sExeModule, _ "wstr", $sCommandLine, _ "ptr", 0, _ "ptr", 0, _ "int", 0, _ "dword", 4, _ ; CREATE_SUSPENDED ; <- this is essential "ptr", 0, _ "ptr", 0, _ "ptr", DllStructGetPtr($tSTARTUPINFO), _ "ptr", DllStructGetPtr($tPROCESS_INFORMATION)) ; Check for errors or failure If @error Or Not $aCall[0] Then Return SetError(1, 0, 0) ; CreateProcess function or call to it failed ; Get new process and thread handles: Local $hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process") Local $hThread = DllStructGetData($tPROCESS_INFORMATION, "Thread") ; Check for 'wrong' bit-ness. Not because it could't be implemented, but besause it would be uglyer (structures) If $fAutoItX64 And _RunBinary_IsWow64Process($hProcess) Then DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(2, 0, 0) EndIf #Region 4. FILL CONTEXT STRUCTURE ; CONTEXT structure is what's really important here. It's processor specific. Local $iRunFlag, $tCONTEXT If $fAutoItX64 Then If @OSArch = "X64" Then $iRunFlag = 2 $tCONTEXT = DllStructCreate("align 16; uint64 P1Home; uint64 P2Home; uint64 P3Home; uint64 P4Home; uint64 P5Home; uint64 P6Home;" & _ ; Register parameter home addresses "dword ContextFlags; dword MxCsr;" & _ ; Control flags "word SegCS; word SegDs; word SegEs; word SegFs; word SegGs; word SegSs; dword EFlags;" & _ ; Segment Registers and processor flags "uint64 Dr0; uint64 Dr1; uint64 Dr2; uint64 Dr3; uint64 Dr6; uint64 Dr7;" & _ ; Debug registers "uint64 Rax; uint64 Rcx; uint64 Rdx; uint64 Rbx; uint64 Rsp; uint64 Rbp; uint64 Rsi; uint64 Rdi; uint64 R8; uint64 R9; uint64 R10; uint64 R11; uint64 R12; uint64 R13; uint64 R14; uint64 R15;" & _ ; Integer registers "uint64 Rip;" & _ ; Program counter "uint64 Header[4]; uint64 Legacy[16]; uint64 Xmm0[2]; uint64 Xmm1[2]; uint64 Xmm2[2]; uint64 Xmm3[2]; uint64 Xmm4[2]; uint64 Xmm5[2]; uint64 Xmm6[2]; uint64 Xmm7[2]; uint64 Xmm8[2]; uint64 Xmm9[2]; uint64 Xmm10[2]; uint64 Xmm11[2]; uint64 Xmm12[2]; uint64 Xmm13[2]; uint64 Xmm14[2]; uint64 Xmm15[2];" & _ ; Floating point state (types are not correct for simplicity reasons!!!) "uint64 VectorRegister[52]; uint64 VectorControl;" & _ ; Vector registers (type for VectorRegister is not correct for simplicity reasons!!!) "uint64 DebugControl; uint64 LastBranchToRip; uint64 LastBranchFromRip; uint64 LastExceptionToRip; uint64 LastExceptionFromRip") ; Special debug control registers Else $iRunFlag = 3 ; FIXME - Itanium architecture ; Return special error number: DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(102, 0, 0) EndIf Else $iRunFlag = 1 $tCONTEXT = DllStructCreate("dword ContextFlags;" & _ ; Control flags "dword Dr0; dword Dr1; dword Dr2; dword Dr3; dword Dr6; dword Dr7;" & _ ; CONTEXT_DEBUG_REGISTERS "dword ControlWord; dword StatusWord; dword TagWord; dword ErrorOffset; dword ErrorSelector; dword DataOffset; dword DataSelector; byte RegisterArea[80]; dword Cr0NpxState;" & _ ; CONTEXT_FLOATING_POINT "dword SegGs; dword SegFs; dword SegEs; dword SegDs;" & _ ; CONTEXT_SEGMENTS "dword Edi; dword Esi; dword Ebx; dword Edx; dword Ecx; dword Eax;" & _ ; CONTEXT_INTEGER "dword Ebp; dword Eip; dword SegCs; dword EFlags; dword Esp; dword SegSs;" & _ ; CONTEXT_CONTROL "byte ExtendedRegisters[512]") ; CONTEXT_EXTENDED_REGISTERS EndIf ; Define CONTEXT_FULL Local $CONTEXT_FULL Switch $iRunFlag Case 1 $CONTEXT_FULL = 0x10007 Case 2 $CONTEXT_FULL = 0x100007 Case 3 $CONTEXT_FULL = 0x80027 EndSwitch ; Set desired access DllStructSetData($tCONTEXT, "ContextFlags", $CONTEXT_FULL) ; Fill CONTEXT structure: $aCall = DllCall("kernel32.dll", "bool", "GetThreadContext", _ "handle", $hThread, _ "ptr", DllStructGetPtr($tCONTEXT)) ; Check for errors or failure If @error Or Not $aCall[0] Then DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(3, 0, 0) ; GetThreadContext function or call to it failed EndIf ; Pointer to PEB structure Local $pPEB Switch $iRunFlag Case 1 $pPEB = DllStructGetData($tCONTEXT, "Ebx") Case 2 $pPEB = DllStructGetData($tCONTEXT, "Rdx") Case 3 ; NEVER BE - Itanium architecture EndSwitch #Region 5. READ PE-FORMAT ; Start processing passed binary data. 'Reading' PE format follows. ; First is IMAGE_DOS_HEADER Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _ "word BytesOnLastPage;" & _ "word Pages;" & _ "word Relocations;" & _ "word SizeofHeader;" & _ "word MinimumExtra;" & _ "word MaximumExtra;" & _ "word SS;" & _ "word SP;" & _ "word Checksum;" & _ "word IP;" & _ "word CS;" & _ "word Relocation;" & _ "word Overlay;" & _ "char Reserved[8];" & _ "word OEMIdentifier;" & _ "word OEMInformation;" & _ "char Reserved2[20];" & _ "dword AddressOfNewExeHeader", _ $pPointer) ; Save this pointer value (it's starting address of binary image headers) Local $pHEADERS_NEW = $pPointer ; Move pointer $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader") ; move to PE file header ; Get "Magic" Local $sMagic = DllStructGetData($tIMAGE_DOS_HEADER, "Magic") ; Check if it's valid format If Not ($sMagic == "MZ") Then DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(4, 0, 0) ; MS-DOS header missing. EndIf ; In place of IMAGE_NT_SIGNATURE Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer) ; Move pointer $pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure ; Check signature If DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") <> 17744 Then ; IMAGE_NT_SIGNATURE DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(5, 0, 0) ; wrong signature. For PE image should be "PE\0\0" or 17744 dword. EndIf ; In place of IMAGE_FILE_HEADER Local $tIMAGE_FILE_HEADER = DllStructCreate("word Machine;" & _ "word NumberOfSections;" & _ "dword TimeDateStamp;" & _ "dword PointerToSymbolTable;" & _ "dword NumberOfSymbols;" & _ "word SizeOfOptionalHeader;" & _ "word Characteristics", _ $pPointer) ; I could check here if the module is relocatable ; Local $fRelocatable ; If BitAND(DllStructGetData($tIMAGE_FILE_HEADER, "Characteristics"), 1) Then $fRelocatable = False ; But I won't (will check data in IMAGE_DIRECTORY_ENTRY_BASERELOC instead) ; Get number of sections Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections") ; Move pointer $pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure ; In place of IMAGE_OPTIONAL_HEADER Local $tMagic = DllStructCreate("word Magic;", $pPointer) Local $iMagic = DllStructGetData($tMagic, 1) Local $tIMAGE_OPTIONAL_HEADER If $iMagic = 267 Then ; x86 version If $fAutoItX64 Then DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(6, 0, 0) ; incompatible versions EndIf $tIMAGE_OPTIONAL_HEADER = DllStructCreate("word Magic;" & _ "byte MajorLinkerVersion;" & _ "byte MinorLinkerVersion;" & _ "dword SizeOfCode;" & _ "dword SizeOfInitializedData;" & _ "dword SizeOfUninitializedData;" & _ "dword AddressOfEntryPoint;" & _ "dword BaseOfCode;" & _ "dword BaseOfData;" & _ "dword ImageBase;" & _ "dword SectionAlignment;" & _ "dword FileAlignment;" & _ "word MajorOperatingSystemVersion;" & _ "word MinorOperatingSystemVersion;" & _ "word MajorImageVersion;" & _ "word MinorImageVersion;" & _ "word MajorSubsystemVersion;" & _ "word MinorSubsystemVersion;" & _ "dword Win32VersionValue;" & _ "dword SizeOfImage;" & _ "dword SizeOfHeaders;" & _ "dword CheckSum;" & _ "word Subsystem;" & _ "word DllCharacteristics;" & _ "dword SizeOfStackReserve;" & _ "dword SizeOfStackCommit;" & _ "dword SizeOfHeapReserve;" & _ "dword SizeOfHeapCommit;" & _ "dword LoaderFlags;" & _ "dword NumberOfRvaAndSizes", _ $pPointer) ; Move pointer $pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER ElseIf $iMagic = 523 Then ; x64 version If Not $fAutoItX64 Then DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(6, 0, 0) ; incompatible versions EndIf $tIMAGE_OPTIONAL_HEADER = DllStructCreate("word Magic;" & _ "byte MajorLinkerVersion;" & _ "byte MinorLinkerVersion;" & _ "dword SizeOfCode;" & _ "dword SizeOfInitializedData;" & _ "dword SizeOfUninitializedData;" & _ "dword AddressOfEntryPoint;" & _ "dword BaseOfCode;" & _ "uint64 ImageBase;" & _ "dword SectionAlignment;" & _ "dword FileAlignment;" & _ "word MajorOperatingSystemVersion;" & _ "word MinorOperatingSystemVersion;" & _ "word MajorImageVersion;" & _ "word MinorImageVersion;" & _ "word MajorSubsystemVersion;" & _ "word MinorSubsystemVersion;" & _ "dword Win32VersionValue;" & _ "dword SizeOfImage;" & _ "dword SizeOfHeaders;" & _ "dword CheckSum;" & _ "word Subsystem;" & _ "word DllCharacteristics;" & _ "uint64 SizeOfStackReserve;" & _ "uint64 SizeOfStackCommit;" & _ "uint64 SizeOfHeapReserve;" & _ "uint64 SizeOfHeapCommit;" & _ "dword LoaderFlags;" & _ "dword NumberOfRvaAndSizes", _ $pPointer) ; Move pointer $pPointer += 112 ; size of $tIMAGE_OPTIONAL_HEADER Else DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(6, 0, 0) ; incompatible versions EndIf ; Extract entry point address Local $iEntryPointNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint") ; if loaded binary image would start executing at this address ; And other interesting informations Local $iOptionalHeaderSizeOfHeadersNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders") Local $pOptionalHeaderImageBaseNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase") ; address of the first byte of the image when it's loaded in memory Local $iOptionalHeaderSizeOfImageNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfImage") ; the size of the image including all headers ; Move pointer $pPointer += 8 ; skipping IMAGE_DIRECTORY_ENTRY_EXPORT $pPointer += 8 ; size of $tIMAGE_DIRECTORY_ENTRY_IMPORT $pPointer += 24 ; skipping IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_EXCEPTION, IMAGE_DIRECTORY_ENTRY_SECURITY ; Base Relocation Directory Local $tIMAGE_DIRECTORY_ENTRY_BASERELOC = DllStructCreate("dword VirtualAddress; dword Size", $pPointer) ; Collect data Local $pAddressNewBaseReloc = DllStructGetData($tIMAGE_DIRECTORY_ENTRY_BASERELOC, "VirtualAddress") Local $iSizeBaseReloc = DllStructGetData($tIMAGE_DIRECTORY_ENTRY_BASERELOC, "Size") Local $fRelocatable If $pAddressNewBaseReloc And $iSizeBaseReloc Then $fRelocatable = True If Not $fRelocatable Then ConsoleWrite("!!!NOT RELOCATABLE MODULE. I WILL TRY BUT THIS MAY NOT WORK!!!" & @CRLF) ; nothing can be done here ; Move pointer $pPointer += 88 ; size of the structures before IMAGE_SECTION_HEADER (16 of them). #Region 6. ALLOCATE 'NEW' MEMORY SPACE Local $fRelocate Local $pZeroPoint If $fRelocatable Then ; If the module can be relocated then allocate memory anywhere possible $pZeroPoint = _RunBinary_AllocateExeSpace($hProcess, $iOptionalHeaderSizeOfImageNEW) ; In case of failure try at original address If @error Then $pZeroPoint = _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pOptionalHeaderImageBaseNEW, $iOptionalHeaderSizeOfImageNEW) If @error Then _RunBinary_UnmapViewOfSection($hProcess, $pOptionalHeaderImageBaseNEW) ; Try now $pZeroPoint = _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pOptionalHeaderImageBaseNEW, $iOptionalHeaderSizeOfImageNEW) If @error Then ; Return special error number: DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(101, 1, 0) EndIf EndIf EndIf $fRelocate = True Else ; And if not try where it should be $pZeroPoint = _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pOptionalHeaderImageBaseNEW, $iOptionalHeaderSizeOfImageNEW) If @error Then _RunBinary_UnmapViewOfSection($hProcess, $pOptionalHeaderImageBaseNEW) ; Try now $pZeroPoint = _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pOptionalHeaderImageBaseNEW, $iOptionalHeaderSizeOfImageNEW) If @error Then ; Return special error number: DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(101, 0, 0) EndIf EndIf EndIf ; If there is new ImageBase value, save it DllStructSetData($tIMAGE_OPTIONAL_HEADER, "ImageBase", $pZeroPoint) #Region 7. CONSTRUCT THE NEW MODULE ; Allocate enough space (in our space) for the new module Local $tModule = DllStructCreate("byte[" & $iOptionalHeaderSizeOfImageNEW & "]") ; Get pointer Local $pModule = DllStructGetPtr($tModule) ; Headers Local $tHeaders = DllStructCreate("byte[" & $iOptionalHeaderSizeOfHeadersNEW & "]", $pHEADERS_NEW) ; Write headers to $tModule DllStructSetData($tModule, 1, DllStructGetData($tHeaders, 1)) ; Write sections now. $pPointer is currently in place of sections Local $tIMAGE_SECTION_HEADER Local $iSizeOfRawData, $pPointerToRawData Local $iVirtualAddress, $iVirtualSize Local $tRelocRaw ; Loop through sections For $i = 1 To $iNumberOfSections $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _ "dword UnionOfVirtualSizeAndPhysicalAddress;" & _ "dword VirtualAddress;" & _ "dword SizeOfRawData;" & _ "dword PointerToRawData;" & _ "dword PointerToRelocations;" & _ "dword PointerToLinenumbers;" & _ "word NumberOfRelocations;" & _ "word NumberOfLinenumbers;" & _ "dword Characteristics", _ $pPointer) ; Collect data $iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData") $pPointerToRawData = $pHEADERS_NEW + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData") $iVirtualAddress = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress") $iVirtualSize = DllStructGetData($tIMAGE_SECTION_HEADER, "UnionOfVirtualSizeAndPhysicalAddress") If $iVirtualSize And $iVirtualSize < $iSizeOfRawData Then $iSizeOfRawData = $iVirtualSize ; If there is data to write, write it If $iSizeOfRawData Then DllStructSetData(DllStructCreate("byte[" & $iSizeOfRawData & "]", $pModule + $iVirtualAddress), 1, DllStructGetData(DllStructCreate("byte[" & $iSizeOfRawData & "]", $pPointerToRawData), 1)) EndIf ; Relocations If $fRelocate Then If $iVirtualAddress <= $pAddressNewBaseReloc And $iVirtualAddress + $iSizeOfRawData > $pAddressNewBaseReloc Then $tRelocRaw = DllStructCreate("byte[" & $iSizeBaseReloc & "]", $pPointerToRawData + ($pAddressNewBaseReloc - $iVirtualAddress)) EndIf EndIf ; Move pointer $pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure Next ; Fix relocations If $fRelocate Then _RunBinary_FixReloc($pModule, $tRelocRaw, $pZeroPoint, $pOptionalHeaderImageBaseNEW, $iMagic = 523) ; Write newly constructed module to allocated space inside the $hProcess $aCall = DllCall("kernel32.dll", "bool", _RunBinary_LeanAndMean(), _ "handle", $hProcess, _ "ptr", $pZeroPoint, _ "ptr", $pModule, _ "dword_ptr", $iOptionalHeaderSizeOfImageNEW, _ "dword_ptr*", 0) ; Check for errors or failure If @error Or Not $aCall[0] Then DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(7, 0, 0) ; failure while writting new module binary EndIf #Region 8. PEB ImageBaseAddress MANIPULATION ; PEB structure definition Local $tPEB = DllStructCreate("byte InheritedAddressSpace;" & _ "byte ReadImageFileExecOptions;" & _ "byte BeingDebugged;" & _ "byte Spare;" & _ "ptr Mutant;" & _ "ptr ImageBaseAddress;" & _ "ptr LoaderData;" & _ "ptr ProcessParameters;" & _ "ptr SubSystemData;" & _ "ptr ProcessHeap;" & _ "ptr FastPebLock;" & _ "ptr FastPebLockRoutine;" & _ "ptr FastPebUnlockRoutine;" & _ "dword EnvironmentUpdateCount;" & _ "ptr KernelCallbackTable;" & _ "ptr EventLogSection;" & _ "ptr EventLog;" & _ "ptr FreeList;" & _ "dword TlsExpansionCounter;" & _ "ptr TlsBitmap;" & _ "dword TlsBitmapBits[2];" & _ "ptr ReadOnlySharedMemoryBase;" & _ "ptr ReadOnlySharedMemoryHeap;" & _ "ptr ReadOnlyStaticServerData;" & _ "ptr AnsiCodePageData;" & _ "ptr OemCodePageData;" & _ "ptr UnicodeCaseTableData;" & _ "dword NumberOfProcessors;" & _ "dword NtGlobalFlag;" & _ "byte Spare2[4];" & _ "int64 CriticalSectionTimeout;" & _ "dword HeapSegmentReserve;" & _ "dword HeapSegmentCommit;" & _ "dword HeapDeCommitTotalFreeThreshold;" & _ "dword HeapDeCommitFreeBlockThreshold;" & _ "dword NumberOfHeaps;" & _ "dword MaximumNumberOfHeaps;" & _ "ptr ProcessHeaps;" & _ "ptr GdiSharedHandleTable;" & _ "ptr ProcessStarterHelper;" & _ "ptr GdiDCAttributeList;" & _ "ptr LoaderLock;" & _ "dword OSMajorVersion;" & _ "dword OSMinorVersion;" & _ "dword OSBuildNumber;" & _ "dword OSPlatformId;" & _ "dword ImageSubSystem;" & _ "dword ImageSubSystemMajorVersion;" & _ "dword ImageSubSystemMinorVersion;" & _ "dword GdiHandleBuffer[34];" & _ "dword PostProcessInitRoutine;" & _ "dword TlsExpansionBitmap;" & _ "byte TlsExpansionBitmapBits[128];" & _ "dword SessionId") ; Fill the structure $aCall = DllCall("kernel32.dll", "bool", "ReadProcessMemory", _ "ptr", $hProcess, _ "ptr", $pPEB, _ ; pointer to PEB structure "ptr", DllStructGetPtr($tPEB), _ "dword_ptr", DllStructGetSize($tPEB), _ "dword_ptr*", 0) ; Check for errors or failure If @error Or Not $aCall[0] Then DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(8, 0, 0) ; ReadProcessMemory function or call to it failed while filling PEB structure EndIf ; Change base address within PEB DllStructSetData($tPEB, "ImageBaseAddress", $pZeroPoint) ; Write the changes $aCall = DllCall("kernel32.dll", "bool", _RunBinary_LeanAndMean(), _ "handle", $hProcess, _ "ptr", $pPEB, _ "ptr", DllStructGetPtr($tPEB), _ "dword_ptr", DllStructGetSize($tPEB), _ "dword_ptr*", 0) ; Check for errors or failure If @error Or Not $aCall[0] Then DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(9, 0, 0) ; failure while changing base address EndIf #Region 9. NEW ENTRY POINT ; Entry point manipulation Switch $iRunFlag Case 1 DllStructSetData($tCONTEXT, "Eax", $pZeroPoint + $iEntryPointNEW) Case 2 DllStructSetData($tCONTEXT, "Rcx", $pZeroPoint + $iEntryPointNEW) Case 3 ; FIXME - Itanium architecture EndSwitch #Region 10. SET NEW CONTEXT ; New context: $aCall = DllCall("kernel32.dll", "bool", "SetThreadContext", _ "handle", $hThread, _ "ptr", DllStructGetPtr($tCONTEXT)) If @error Or Not $aCall[0] Then DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(10, 0, 0) ; SetThreadContext function or call to it failed EndIf #Region 11. RESUME THREAD ; And that's it!. Continue execution: $aCall = DllCall("kernel32.dll", "dword", "ResumeThread", "handle", $hThread) ; Check for errors or failure If @error Or $aCall[0] = -1 Then DllCall("kernel32.dll", "bool", "TerminateProcess", "handle", $hProcess, "dword", 0) Return SetError(11, 0, 0) ; ResumeThread function or call to it failed EndIf #Region 12. CLOSE OPEN HANDLES AND RETURN PID DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess) DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hThread) ; All went well. Return new PID: Return DllStructGetData($tPROCESS_INFORMATION, "ProcessId") EndFunc Func _RunBinary_LeanAndMean() Local $aArr[18] = ["W", "r", "i", "t", "e", "P", "r", "o", "c", "e", "s", "s", "M", "e", "m", "o", "r", "y"], $sOut For $sChar In $aArr $sOut &= $sChar Next Return $sOut EndFunc Func _RunBinary_FixReloc($pModule, $tData, $pAddressNew, $pAddressOld, $fImageX64) Local $iDelta = $pAddressNew - $pAddressOld ; dislocation value Local $iSize = DllStructGetSize($tData) ; size of data Local $pData = DllStructGetPtr($tData) ; addres of the data structure Local $tIMAGE_BASE_RELOCATION, $iRelativeMove Local $iVirtualAddress, $iSizeofBlock, $iNumberOfEntries Local $tEnries, $iData, $tAddress Local $iFlag = 3 + 7 * $fImageX64 ; IMAGE_REL_BASED_HIGHLOW = 3 or IMAGE_REL_BASED_DIR64 = 10 While $iRelativeMove < $iSize ; for all data available $tIMAGE_BASE_RELOCATION = DllStructCreate("dword VirtualAddress; dword SizeOfBlock", $pData + $iRelativeMove) $iVirtualAddress = DllStructGetData($tIMAGE_BASE_RELOCATION, "VirtualAddress") $iSizeofBlock = DllStructGetData($tIMAGE_BASE_RELOCATION, "SizeOfBlock") $iNumberOfEntries = ($iSizeofBlock - 8) / 2 $tEnries = DllStructCreate("word[" & $iNumberOfEntries & "]", DllStructGetPtr($tIMAGE_BASE_RELOCATION) + 8) ; Go through all entries For $i = 1 To $iNumberOfEntries $iData = DllStructGetData($tEnries, 1, $i) If BitShift($iData, 12) = $iFlag Then ; check type $tAddress = DllStructCreate("ptr", $pModule + $iVirtualAddress + BitAND($iData, 0xFFF)) ; the rest of $iData is offset DllStructSetData($tAddress, 1, DllStructGetData($tAddress, 1) + $iDelta) ; this is what's this all about EndIf Next $iRelativeMove += $iSizeofBlock WEnd Return 1 ; all OK! EndFunc Func _RunBinary_AllocateExeSpaceAtAddress($hProcess, $pAddress, $iSize) ; Allocate Local $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", _ "handle", $hProcess, _ "ptr", $pAddress, _ "dword_ptr", $iSize, _ "dword", 0x1000, _ ; MEM_COMMIT "dword", 64) ; PAGE_EXECUTE_READWRITE ; Check for errors or failure If @error Or Not $aCall[0] Then ; Try differently $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", _ "handle", $hProcess, _ "ptr", $pAddress, _ "dword_ptr", $iSize, _ "dword", 0x3000, _ ; MEM_COMMIT|MEM_RESERVE "dword", 64) ; PAGE_EXECUTE_READWRITE ; Check for errors or failure If @error Or Not $aCall[0] Then Return SetError(1, 0, 0) ; Unable to allocate EndIf Return $aCall[0] EndFunc Func _RunBinary_AllocateExeSpace($hProcess, $iSize) ; Allocate space Local $aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", _ "handle", $hProcess, _ "ptr", 0, _ "dword_ptr", $iSize, _ "dword", 0x3000, _ ; MEM_COMMIT|MEM_RESERVE "dword", 64) ; PAGE_EXECUTE_READWRITE ; Check for errors or failure If @error Or Not $aCall[0] Then Return SetError(1, 0, 0) ; Unable to allocate Return $aCall[0] EndFunc Func _RunBinary_UnmapViewOfSection($hProcess, $pAddress) DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", _ "ptr", $hProcess, _ "ptr", $pAddress) ; Check for errors only If @error Then Return SetError(1, 0, 0) ; Failure Return 1 EndFunc Func _RunBinary_IsWow64Process($hProcess) Local $aCall = DllCall("kernel32.dll", "bool", "IsWow64Process", _ "handle", $hProcess, _ "bool*", 0) ; Check for errors or failure If @error Or Not $aCall[0] Then Return SetError(1, 0, 0) ; Failure Return $aCall[2] EndFunc Edited November 15, 2017 by colegero Link to comment Share on other sites More sharing options...
BrewManNH Posted November 15, 2017 Share Posted November 15, 2017 What error are you getting? If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag GudeHow to ask questions the smart way! I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from. Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays. - ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script. - Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label. - _FileGetProperty - Retrieve the properties of a file - SciTE Toolbar - A toolbar demo for use with the SciTE editor - GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI. - Latin Square password generator Link to comment Share on other sites More sharing options...
colegero Posted November 15, 2017 Share Posted November 15, 2017 And so with any binary code ((( Link to comment Share on other sites More sharing options...
iamtheky Posted November 16, 2017 Share Posted November 16, 2017 What is on page 9?? That is an amazing break of IPB, i want to see the code. Biatu 1 ,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-. |(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/ (_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_) | | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) ( | | | | |)| | \ / | | | | | |)| | `--. | |) \ | | `-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_| '-' '-' (__) (__) (_) (__) Link to comment Share on other sites More sharing options...
Deye Posted July 19, 2018 Share Posted July 19, 2018 (edited) reserved .. Edited July 23, 2018 by Deye Link to comment Share on other sites More sharing options...
LionSpain Posted November 6, 2018 Share Posted November 6, 2018 when i try execute x64 file said always MS-DOS header is wrong or missing I compiled x86 and execute x86 msgbox Worked! I compiled x64 and execute x64 msgbox No worked! (MS-DOS header is wrong or missing) Link to comment Share on other sites More sharing options...
Renderer Posted February 25, 2019 Share Posted February 25, 2019 Does this also work for any other type of file (txt, png, etc.)? If yes, then what should be different in this code? Link to comment Share on other sites More sharing options...
Developers Jos Posted February 25, 2019 Developers Share Posted February 25, 2019 5 minutes ago, Renderer said: Does this also work for any other type of file (txt, png, etc.)? If yes, then what should be different in this code? How does running a binary apply to these file extensions? Jos SciTE4AutoIt3 Full installer Download page - Beta files Read before posting How to post scriptsource Forum etiquette Forum Rules Live for the present, Dream of the future, Learn from the past. Link to comment Share on other sites More sharing options...
Renderer Posted February 26, 2019 Share Posted February 26, 2019 22 hours ago, Jos said: How does running a binary apply to these file extensions? Jos I just wanted to know how could I run the data from inside of a file without having it saved on the disk. Something like File Open -> Retain Data -> File Delete -> Display the Retained Data. Link to comment Share on other sites More sharing options...
iamtheky Posted February 26, 2019 Share Posted February 26, 2019 use fileopen with the proper flag --> instead of 'retain data' use fileread --> FileDelete --> msgbox ?? ,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-. |(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/ (_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_) | | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) ( | | | | |)| | \ / | | | | | |)| | `--. | |) \ | | `-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_| '-' '-' (__) (__) (_) (__) Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now