Simple: 'RunPE'

Mike Yurgalavage
Enthusiast
Posts: 118
Joined: Thu May 17, 2007 8:35 pm
Location: USA

Post by Mike Yurgalavage »

I've created a nice wrapper program using this idea. However, your code does not work with programs created with MASM.

I have tried two separate .exe's that were made by two separate people; they write in assembly and compiled the programs using MASM, version 5.00.1823.

The .exe's run perfectly, but if they are used with the code above they won't run.

They never execute and the program ends.

Any ideas? We have some very important uses for this code and we are stuck right now.

Best,
Mike


EDIT:

This doesn't seem to work for programs that are compiled with MASM. This code fails to run them.

I have a simple DIALOG.exe program that I can post for testing if needed.

Any thoughts appreciated.

The programs created with MASM32 (version 10.0, linker 5.12) don't have a VERSION tab in their properties (right-click on the .exe), but they ARE 32-bit programs. Also, they don't have a .code section, just the .text section and the other sections.

The simple DIALOG.exe program that comes with MASM32 will not run using the RunPE code posted here.

Best,
Mike

EDIT AGAIN!:

A simple DIALOG.exe that was compiled with MASM can be downloaded here:

http://win32assembly.online.fr/files/tut10-2.zip

Best,
Mike
uweb
User
Posts: 98
Joined: Wed Mar 15, 2006 9:40 am
Location: Germany

Post by uweb »

Did you solve the problem?

Can anybody tell me where I should poke to let the loaded program load "kernel31.dll" instead of "kernel32.dll"?
Please pardon my English, my native tongue is German.
Thorium
Addict
Posts: 1305
Joined: Sat Aug 15, 2009 6:59 pm

Post by Thorium »

uweb wrote: Did you solve the problem?

Can anybody tell me where I should poke to let the loaded program load "kernel31.dll" instead of "kernel32.dll"?

You could try to manipulate the import table of the PE. However, I would not do that. If you want to hook functions of kernel32.dll, then do so by patching the function addresses in the import tables, or use inline hooks.
uweb
User
Posts: 98
Joined: Wed Mar 15, 2006 9:40 am
Location: Germany

Post by uweb »

Thank you for your answer.
I have tried both kinds of hook... many times, with a lot of source from here or the German forum.
Most of the time I was not able to finish. One time it ran, but my anti-virus software came up constantly.
- No good way if I would like to distribute.

I'm looking for an easy way to only catch FindFirstFile and FindNextFile from a process (or many) which is started by the program
and may use these functions or not. It should be a filter. If the user selects e.g. Rod Stewart, Winamp will only find such MP3s.
For the running MP3 it doesn't need FindxxxFile. This should work for all kinds of files.

Ideally it would run without admin rights, be portable (USB stick), and be Windows 7 and x64 compatible.

But I would be happy to find any solution.

I have also tried virtual drives (FUSE, Dokan and others; Callback File System from EldoS Software is too expensive for me).

A filter driver or ACLs could also be a way.
...

I was never really fit, and it's a long time since I had time for this. Now I have again.
...


Which technique would be the best for my purpose and my ability?

Does anybody have a usable source or link for me?

P L E A S E
Please pardon my English, my native tongue is German.
Thorium
Addict
Posts: 1305
Joined: Sat Aug 15, 2009 6:59 pm

Post by Thorium »

uweb wrote: I'm looking for an easy way to only catch FindFirstFile and FindNextFile from a process (or many) which is started by the program
and may use these functions or not. It should be a filter. If the user selects e.g. Rod Stewart, Winamp will only find such MP3s.
For the running MP3 it doesn't need FindxxxFile. This should work for all kinds of files.

Hm, I don't know a way without admin rights. All methods I know require access to the process address space of the target application, and that requires admin rights, at least under Vista.
uweb
User
Posts: 98
Joined: Wed Mar 15, 2006 9:40 am
Location: Germany

Post by uweb »

The way above (in my first post) would be one. :-)

But I think I have also read something else about hooking without admin rights.
I will post it if I find it again.

I have also found something about manipulation of the import table of a PE:

http://www.codeguru.com/cpp/w-p/system/ ... c11393__1/
http://www.codeguru.com/cpp/w-p/win32/s ... c12253__1/
http://www.tech-archive.net/Archive/Ger ... 00319.html


But it is much too hard for me.
Maybe the best way for me would be to have a Callback File System / Virtual Drive.


http://www.codeproject.com/KB/system/hi ... x3119552xx

But this would hold its own black-list, like I would.


So my favorite is still Dokan

http://forums.purebasic.com/german/view ... 320c969932


and I still wait for someone who makes what I can't: write a wrapper.


edit:


Do you have a working hook solution for me in the meantime?
Then I could develop my filter until I find the final solution.
Thank you!
Please pardon my English, my native tongue is German.
RoySAC
New User
Posts: 5
Joined: Mon Jan 11, 2010 8:13 pm
Location: Fresno, CA

Re: Simple: 'RunPE'

Post by RoySAC »

I tried the same code for the execution of a program in memory. I don't get an error, but it also does not launch the executable as I hoped.
I include another program in my program and want to execute it at a specified time in my main program. The executed program is supposed to run in full-screen mode and should get the focus.
The main program has to wait until the executed program has finished and then continue.

Below is the code that I am using right now. I have to write the embedded program's executable out to the Windows temp folder, execute it there, wait for it to exit and then delete the program from the temp folder. I'd like to get around the creation of the EXE as a file and execute it in memory.


DataSection
  IncludePath "..\Data"
  IntroExe: IncludeBinary "intro.exe"
  IntroExeEnd:
EndDataSection

Global ExecPath.s
Global InitRun.i
Global TempDir.s
Global ProgID.i

TempDir = GetTemporaryDirectory()
InitRun = 1

;.... Other Code

If InitRun = 1
  ;Initial Run, Execute Prog first
  CloseScreen()

  ;Prepare Prog Output
  length = ?IntroExeEnd - ?IntroExe
  ExecPath = TempDir + "NFOIntro.exe"
  a = DeleteFile(ExecPath)

  *ptr = ?IntroExe
  ;Write Exe Binary to Temporary Directory
  If CreateFile(0, ExecPath)
    WriteData(0, *ptr, length)
    CloseFile(0)

    ;Execute (#PB_Program_Wait blocks until the program has ended)
    ProgID = RunProgram(ExecPath, "", TempDir, #PB_Program_Open | #PB_Program_Wait)

    ;Keep Waiting until Exe was ended by User
    Repeat
      ProgStatus = WaitProgram(ProgID)
    Until ProgStatus
    CloseProgram(ProgID)   ;release the handle returned because of #PB_Program_Open
  EndIf
  ;Delete Exe from Temp Dir
  a = DeleteFile(ExecPath)

  InitRun = 0
  ;Relaunch Main Screen
  Goto MainPart
EndIf

;.... Other Code

I am using PureBasic 4.40 32-bit for Windows.

Any suggestions? Thanks a lot.
Oh, one more thing: the executable is not a PB EXE, just a regular program.

I also already tried the PureProcs library, and its version of ExecuteEXE does not work with PB 4.40.
Cheers!

Carsten aka Roy/SAC
--------------------------
[web] - [blog] - [contact]
RoySAC
New User
Posts: 5
Joined: Mon Jan 11, 2010 8:13 pm
Location: Fresno, CA

Re: Simple: 'RunPE'

Post by RoySAC »

Found a working solution! Just for any other poor soul who is looking for the same and comes across this thread.


;==================================================================================
Procedure _RunPTR(sProc.s, *lBuff)

   Structure IMAGE_SECTION_HEADER
      SecName.b[8]
      StructureUnion
         PhysicalAddr.l
         VirtualSize.l
      EndStructureUnion
      VirtualAddress.l
      SizeOfRawData.l
      PointerToRawData.l
      PointerToRelocations.l
      PointerToLinenumbers.l
      NumberOfRelocations.w
      NumberOfLinenumbers.w
      Characteristics.l
   EndStructure

   Structure IMAGE_SECTION_HEADERS
      ish.IMAGE_SECTION_HEADER[95]
   EndStructure

   Protected *idh.IMAGE_DOS_HEADER
   Protected *ish.IMAGE_SECTION_HEADERS
   Protected pi.PROCESS_INFORMATION
   Protected *inh.IMAGE_NT_HEADERS
   Protected si.STARTUPINFO
   Protected lpBaseAddres.l, Addr.l, ret.l, i.l
   Protected Ctx.CONTEXT

   *idh = *lBuff

   CreateProcess_(#NUL, sProc, #NUL, #NUL, #False, #CREATE_SUSPENDED, #NUL, #NUL, @si, @pi)

   Ctx\ContextFlags = #CONTEXT_INTEGER

   If GetThreadContext_(pi\hThread, Ctx)

      ReadProcessMemory_(pi\hProcess, Ctx\Ebx + 8, @Addr, 4, #NUL)

      If ZwUnmapViewOfSection_(pi\hProcess, Addr) = 0

         If *lBuff
            *inh = *lBuff + *idh\e_lfanew

            lpBaseAddres = VirtualAllocEx_(pi\hProcess, *inh\OptionalHeader\ImageBase, *inh\OptionalHeader\SizeOfImage, #MEM_COMMIT | #MEM_RESERVE, #PAGE_EXECUTE_READWRITE)
            WriteProcessMemory_(pi\hProcess, lpBaseAddres, *lBuff, *inh\OptionalHeader\SizeOfHeaders, @ret)
            *ish = *inh\OptionalHeader + *inh\FileHeader\SizeOfOptionalHeader

            For i = 0 To *inh\FileHeader\NumberOfSections - 1
               WriteProcessMemory_(pi\hProcess, lpBaseAddres + *ish\ish[i]\VirtualAddress, *lBuff + *ish\ish[i]\PointerToRawData, *ish\ish[i]\SizeOfRawData, @ret)
            Next

            WriteProcessMemory_(pi\hProcess, Ctx\Ebx + 8, @lpBaseAddres, 4, #NUL)
            Ctx\Eax = lpBaseAddres + *inh\OptionalHeader\AddressOfEntryPoint
            SetThreadContext_(pi\hThread, Ctx)
            ResumeThread_(pi\hThread)

            ; Wait until the process has ended, then release the handles (the original returned without closing them)
            Repeat
               GetExitCodeProcess_(pi\hProcess, @i)
               ;If WindowEvent() = #False : Delay(15) : EndIf
            Until i <> #STILL_ACTIVE

            CloseHandle_(pi\hThread)
            CloseHandle_(pi\hProcess)
            ProcedureReturn
         EndIf

      EndIf

   EndIf

   ; Any earlier failure: kill the suspended process and clean up
   TerminateProcess_(pi\hProcess, #NUL)
   CloseHandle_(pi\hThread)
   CloseHandle_(pi\hProcess)

EndProcedure
;==================================================================================

;*** Determine Own Process Name ***
proctitle.s{1024}
GetModuleFileName_(#Null, @proctitle, 1024)
CloseScreen()
;*** PID-Injection (AV-Tools might get triggered and sound an alarm! Use with Caution!!!!!)
_RunPTR(proctitle, ?IntroExe)

;alternative
;*ptr = ?IntroExe
;_RunPTR(proctitle, *ptr)

DataSection
   IntroExe: IncludeBinary "intro.exe"
EndDataSection
    

Works with PB 4.40 and 4.20
Cheers!

Carsten aka Roy/SAC
--------------------------
[web] - [blog] - [contact]
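The procedure above trusts the section table it copies; the .text-vs-.code question raised earlier and the x64 question later in the thread both come down to reading that table correctly. As an added example (not RoySAC's code and not PureBasic), this Python parser walks the DOS header, NT headers and IMAGE_SECTION_HEADER table of a PE image, tells PE32 from PE32+, and flags section entries whose raw or virtual ranges do not fit, which is the validation a loader should do before copying. The sample image, its layout values and its two section names are constructed for the example and are not a real program.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes: the fields of the PureBasic structure
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def parse_sections(data):
    """Walk DOS header -> NT headers -> section table; return (info, sections, problems)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                        # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, oh)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry, = struct.unpack_from("<I", data, oh + 16)
    # ImageBase is 4 bytes at +28 in PE32 but 8 bytes at +24 in PE32+; later fields line up again
    if magic == PE32_MAGIC:
        image_base, = struct.unpack_from("<I", data, oh + 28)
    else:
        image_base, = struct.unpack_from("<Q", data, oh + 24)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, oh + 56)
    sections, problems = [], []
    for i in range(nsec):                               # the table starts right after the optional header
        off = oh + opt_size + i * 40
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(SECTION_FMT, data, off)[:5]
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize})
        if rawptr + rawsize > len(data):                # would copy bytes that do not exist in the file
            problems.append("%s: raw data 0x%x+0x%x runs past end of file" % (name, rawptr, rawsize))
        if vaddr + max(vsize, rawsize) > size_of_image:  # would land outside the SizeOfImage allocation
            problems.append("%s: virtual range exceeds SizeOfImage" % name)
    info = {"machine": machine, "pe32plus": magic == PE32PLUS_MAGIC, "image_base": image_base,
            "entry": entry, "size_of_image": size_of_image, "size_of_headers": size_of_headers}
    return info, sections, problems

def build_sample_pe(truncate=False):
    """Constructed, zero-filled PE32 image with .text and .data sections; not a real program."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")   # e_lfanew = 0x80
    filehdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)         # i386, 2 sections
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)
    opt += struct.pack("<HHHHHHIIII", 4, 0, 0, 0, 4, 0, 0, 0x3000, 0x400, 0)  # ..., SizeOfImage, SizeOfHeaders, CheckSum
    opt = opt.ljust(0xE0, b"\0")
    text = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_FMT, b".data", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    image = (dos + b"PE\0\0" + filehdr + opt + text + data).ljust(0x400, b"\0") + b"\0" * 0x400
    return image[:0x700] if truncate else image        # truncated copy: .data's raw bytes are missing
```

Run `parse_sections` over the intact image and over the truncated copy to see the .data entry get flagged; the same check applied to a real file tells you whether a section table can be copied as-is.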
SFSxOI
Addict
Posts: 2970
Joined: Sat Dec 31, 2005 5:24 pm
Location: Where ya would never look.....

Re: Simple: 'RunPE'

Post by SFSxOI »

In _RunPTR(proctitle, ?IntroExe)

Is proctitle the .exe you're running in memory, or is it intro.exe?

At any rate, it does not seem to work here, but I like the solution you came up with. Maybe it's something I'm doing wrong.
The advantage of a 64 bit operating system over a 32 bit operating system comes down to only being twice the headache.
SeregaZ
Enthusiast
Posts: 628
Joined: Fri Feb 20, 2009 9:24 am
Location: Almaty (Kazakhstan. not Borat, but Triple G)

Re: Simple: 'RunPE'

Post by SeregaZ »

Can I change the name to a long random name? The original name is calc.exe, but after launch, in Task Manager, it must be calc.test.exe.
Who can give advice?
Splash
New User
Posts: 1
Joined: Wed Aug 11, 2010 6:38 pm

Re: Simple: 'RunPE'

Post by Splash »

I get:
Line 39: Structure field not found: Ebx.

I think that doesn't work on Windows Seven x64. :(
Thorium
Addict
Posts: 1305
Joined: Sat Aug 15, 2009 6:59 pm

Re: Simple: 'RunPE'

Post by Thorium »

Splash wrote: I get:
Line 39: Structure field not found: Ebx.

I think that doesn't work on Windows Seven x64. :(

On x64 you need to use the 64-bit register rbx, for example.
However, the code relies on the internal structure of the PE loader and is not future-safe anyway.