Simple: 'RunPE'

hipy001 · Post by **hipy001** » Mon Jun 01, 2009 9:43 pm

Simple: 'RunPE' "Execute from memory"
Works: Tested on Windows sp3 & Windows Vista & Windows 7

Structure IMAGE_SECTION_HEADER
  SecName.b[8]
  StructureUnion
    PhysicalAddr.l
    VirtualSize.l
  EndStructureUnion
  VirtualAddress.l
  SizeOfRawData.l
  PointerToRawData.l
  PointerToRelocations.l
  PointerToLinenumbers.l
  NumberOfRelocations.w
  NumberOfLinenumbers.w
  Characteristics.l
EndStructure

Structure IMAGE_SECTION_HEADERS
  ish.IMAGE_SECTION_HEADER[95]
EndStructure

Procedure RunPE(sProc.s, lBuff)

  *idh.IMAGE_DOS_HEADER  = lBuff
  *ish.IMAGE_SECTION_HEADERS
  pi.PROCESS_INFORMATION
  *inh.IMAGE_NT_HEADERS
  si.STARTUPINFO
  lpBaseAddres.l
  Ctx.CONTEXT
  Addr.l
  ret.l
  i.l
  
  CreateProcess_(#NUL, sProc, #NUL, #NUL, #False, #CREATE_SUSPENDED, #NUL, #NUL, @si, @pi)
  Ctx\ContextFlags = #CONTEXT_INTEGER
  If GetThreadContext_(pi\hThread, Ctx) = 0      : Goto EndThread : EndIf
  
  ReadProcessMemory_(pi\hProcess, Ctx\Ebx + 8, @Addr, 4, #NUL)
  If ZwUnmapViewOfSection_(Pi\hProcess, Addr)    : Goto EndThread : EndIf
  If lBuff = 0                                   : Goto EndThread : EndIf
  *inh = lBuff + *idh\e_lfanew
  
  lpBaseAddres = VirtualAllocEx_(pi\hProcess, *inh\OptionalHeader\ImageBase, *inh\OptionalHeader\SizeOfImage, #MEM_COMMIT | #MEM_RESERVE, #PAGE_EXECUTE_READWRITE)
  WriteProcessMemory_(pi\hProcess, lpBaseAddres, lBuff, *inh\OptionalHeader\SizeOfHeaders, @ret)
  *ish = *inh\OptionalHeader + *inh\FileHeader\SizeOfOptionalHeader
  
  For i = 0 To *inh\FileHeader\NumberOfSections - 1
    WriteProcessMemory_(pi\hProcess, lpBaseAddres + *ish\ish[i]\VirtualAddress, lBuff + *ish\ish[i]\PointerToRawData, *ish\ish[i]\SizeOfRawData, @ret)
  Next
  
  WriteProcessMemory_(pi\hProcess, Ctx\Ebx + 8, @lpBaseAddres, 4, #NUL)
  Ctx\Eax = lpBaseAddres + *inh\OptionalHeader\AddressOfEntryPoint
  SetThreadContext_(pi\hThread, Ctx)
  ResumeThread_(pi\hThread)
  End
  
  EndThread:
  TerminateProcess_(pi\hProcess, #NUL)
  CloseHandle_(pi\hThread)
  CloseHandle_(pi\hProcess)
EndProcedure

Procedure Run()
 If ReadFile(0, "C:\1.exe") = 0 : End : EndIf
    lBuf = AllocateMemory(Lof(0))
    ReadData(0, lBuf, Lof(0))
    CloseFile(0)
 ;-----------------------
    File.s = Space(1024)
    GetModuleFileName_(0, File, 1024)
    RunPE(File, lBuf)
EndProcedure

Run()

Post by **idle** » Tue Jun 02, 2009 1:51 am

That's been asked for a few times.
Thanks could be useful.

DoubleDutch · Post by **DoubleDutch** » Tue Jun 02, 2009 2:11 am

Thanks.

fsw · Post by **fsw** » Tue Jun 02, 2009 5:52 am

Welcome "AntiVirus Program Activator"

This code works as good as the other ones:

http://www.purebasic.fr/english/viewtop ... 2&start=90

Some Antivirus Programs identify it as a virus

+18 · Post by **+18** » Tue Jun 02, 2009 12:56 pm

Why this error occured for me?

test on : 4.30+xp sp3

DoubleDutch · Post by **DoubleDutch** » Tue Jun 02, 2009 1:04 pm

Turn off your antivirus - it is blocking the linking of the file.

ts-soft · Post by **ts-soft** » Tue Jun 02, 2009 1:45 pm

fsw wrote:This code works as good as the other ones:

http://www.purebasic.fr/english/viewtop ... 2&start=90

No, the difference is, this program works, the other does'nt work on most
PC.

The Problem with Antivirus is another thing

SFSxOI · Post by **SFSxOI** » Tue Jun 02, 2009 5:55 pm

All you need to do for the antivirus is add it to the antivirus exclusions so it wont be scanned.

Is there an example of real world usage someone could show us? I'm still not clear on the usefulness of executing a .exe in memory like this.

+18 · Post by **+18** » Tue Jun 02, 2009 5:58 pm

this error is very eccentric
if i make a exe from this code, it's work but from compiler run directly don't work

Thanks to hipy001 for sharing this cool code
it is better if masters provide an improvment that

Trond · Post by **Trond** » Tue Jun 02, 2009 7:01 pm

I've always wondered whether it was simply possible to shellexecute a named pipe for this purpose.

hipy001 · Post by **hipy001** » Tue Jun 02, 2009 7:24 pm

if you want it not detect antivirus Change All Apis To:

Ex:
OpenLibrary(0, "kernel32.dll")
lsAllocEx = GetFunction(0, "VirtualAllocEx")
CloseLibrary(0)

CallFunctionFast(lsAllocEx , ...................)

Sorry for my bad English

fsw · Post by **fsw** » Tue Jun 02, 2009 7:59 pm

Assuming that ZwUnmapViewOfSection is the one causing the AV troubles maybe changing it to NtUnmapViewOfSection would help.

Because MSDN says:

Note If the call to this function occurs in user mode, you should use the name "NtUnmapViewOfSection" instead of "ZwUnmapViewOfSection".

EDIT:
Just tried this and "Avira Antivir Personal" goes still off

ts-soft · Post by **ts-soft** » Tue Jun 02, 2009 9:29 pm

Here a small enhancement with parameters:

first the included test.exe

Code: Select all

Define.s para1, para2
para1 = ProgramParameter()
para2 = ProgramParameter()

OpenWindow(0, #PB_Ignore, #PB_Ignore, 140, 50, para1, #PB_Window_SystemMenu)

TextGadget(#PB_Any, 10, 10, 120, 20, para2)

Repeat : Until WaitWindowEvent() = #PB_Event_CloseWindow

here the modified RunPE(lBuff, parameters.s)

Code: Select all

EnableExplicit

Structure IMAGE_SECTION_HEADER
  SecName.b[8]
  StructureUnion
    PhysicalAddr.l
    VirtualSize.l
  EndStructureUnion
  VirtualAddress.l
  SizeOfRawData.l
  PointerToRawData.l
  PointerToRelocations.l
  PointerToLinenumbers.l
  NumberOfRelocations.w
  NumberOfLinenumbers.w
  Characteristics.l
EndStructure

Structure IMAGE_SECTION_HEADERS
  ish.IMAGE_SECTION_HEADER[95]
EndStructure

Procedure RunPE(lBuff, parameters.s)
  Protected *idh.IMAGE_DOS_HEADER  = lBuff
  Protected *ish.IMAGE_SECTION_HEADERS
  Protected pi.PROCESS_INFORMATION
  Protected *inh.IMAGE_NT_HEADERS
  Protected si.STARTUPINFO
  Protected lpBaseAddres.l
  Protected Ctx.CONTEXT
  Protected Addr.l, ret.l, i.l

  CreateProcess_(#NUL, ProgramFilename() + " " + parameters, #NUL, #NUL, #False, #CREATE_SUSPENDED, #NUL, #NUL, @si, @pi)
  Ctx\ContextFlags = #CONTEXT_INTEGER
  If GetThreadContext_(pi\hThread, Ctx) = 0      : Goto EndThread : EndIf
 
  ReadProcessMemory_(pi\hProcess, Ctx\Ebx + 8, @Addr, 4, #NUL)
  If ZwUnmapViewOfSection_(Pi\hProcess, Addr)    : Goto EndThread : EndIf
  If lBuff = 0                                   : Goto EndThread : EndIf
  *inh = lBuff + *idh\e_lfanew
 
  lpBaseAddres = VirtualAllocEx_(pi\hProcess, *inh\OptionalHeader\ImageBase, *inh\OptionalHeader\SizeOfImage, #MEM_COMMIT | #MEM_RESERVE, #PAGE_EXECUTE_READWRITE)
  WriteProcessMemory_(pi\hProcess, lpBaseAddres, lBuff, *inh\OptionalHeader\SizeOfHeaders, @ret)
  *ish = *inh\OptionalHeader + *inh\FileHeader\SizeOfOptionalHeader
 
  For i = 0 To *inh\FileHeader\NumberOfSections - 1
    WriteProcessMemory_(pi\hProcess, lpBaseAddres + *ish\ish[i]\VirtualAddress, lBuff + *ish\ish[i]\PointerToRawData, *ish\ish[i]\SizeOfRawData, @ret)
  Next
 
  WriteProcessMemory_(pi\hProcess, Ctx\Ebx + 8, @lpBaseAddres, 4, #NUL)
  Ctx\Eax = lpBaseAddres + *inh\OptionalHeader\AddressOfEntryPoint
  SetThreadContext_(pi\hThread, Ctx)
  ResumeThread_(pi\hThread)
  ProcedureReturn 
 
  EndThread:
  TerminateProcess_(pi\hProcess, #NUL)
  CloseHandle_(pi\hThread)
  CloseHandle_(pi\hProcess)
EndProcedure

DataSection
  file: IncludeBinary "test.exe"
EndDataSection

RunPE(?file, "para1 para2")

SFSxOI · Post by **SFSxOI** » Thu Jun 04, 2009 11:11 am

when ever I try to use this I always get an error that the app failed to start because MSVCR80.dll was not found (which is a kinda odd and unexpected error). Works OK with the test.exe above, but for any other .exe I get this error. Is that normal for this? Running Vista, and running the code in admin mode.

cas · Post by **cas** » Thu Jun 18, 2009 10:33 pm

Can we modify this code to allow dll load and open from memory? :roll:

Thanks