Simple: 'RunPE'
I've created a nice wrapper program using this idea. However, your code does not work with programs created with MASM.
I have tried two separate .exe's that were made by two separate people, and they write in assembly and compiled the programs using MASM, version 5.00.1823.
The .exe's run perfectly, but if they are used with the code above they won't run.
They never execute and the program ends.
Any ideas? We have some very important uses for this code and we are stuck right now.
Best,
Mike
EDIT:
This doesn't seem to work for programs that are compiled with MASM. This code fails to run them.
I have a simple DIALOG.exe program that I can post for testing if needed.
Any thoughts appreciated-
The programs created with MASM32 (version 10.0, linker 5.12) don't have a VERSION tab in their properties (right click on the .exe) but they ARE 32 bit programs. Also, they don't have a .code section, just the .text section and the other sections.
The simple DIALOG.exe program that comes with the MASM32 will not run using this RunPE code posted here.
Best,
Mike
EDIT AGAIN!:
A simple DIALOG.exe that was compiled with MASM can be downloaded here:
http://win32assembly.online.fr/files/tut10-2.zip
Best,
Mike
uweb wrote:
Did you solve the problem?
Can anybody tell me where I should poke to let the loaded program load "kernel31.dll" instead of "kernel32.dll"?

You could try to manipulate the import table of the PE. However, I would not do that. If you want to hook functions of kernel32.dll, then do so by patching the function addresses in the import tables or use inline hooks.

Thank you for your answer.
I have tried both kinds of hook... many times with a lot of source from here or the German forum.
Most of the time I was not able to finish. One time it ran, but my anti-virus-sw comes up constantly.
- No good way if I would like to distribute.
I'm looking for an easy way to only catch FindFirstFile and FindNextFile from a process (or many) which is started by program
and may use these functions or not. It should be a filter. If the user selects e.g. Rod Stewart, winamp will only find such mp3.
For the running mp3 it doesn't need FindxxxFile. This should work for all kinds of files.
At best it would run without admin rights, would be portable (USB stick), Windows 7 and x64 compatible.
But I would be happy to find any solution.
I have also tried with virtual drives (fuse, dokan and other - Callback File System from EldoS Software is too expensive for me).
FilterDriver or ACL could also be a way.
...
I was never really fit and it's a long time ago since I had time for this. Now I have again.
...
Which technique would be the best for my purpose and my ability?
Does anybody have a usable source or link for me?
P L E A S E
Please pardon my English, my native tongue is German.
uweb wrote:
I'm looking for an easy way to only catch FindFirstFile and FindNextFile from a process (or many) which is started by program
and may use these functions or not. It should be a filter. If the user selects e.g. Rod Stewart, winamp will only find such mp3.
For the running mp3 it doesn't need FindxxxFile. This should work for all kinds of files.

Hm, I don't know a way without admin rights. All methods I know require access to the process address space of the target application. And that requires admin rights, at least under Vista.

The way above (in my first post) would be one.
But I think I have read something else also about hooking without admin rights.
I will post when I find it again.
I have also found something about manipulation of the import table of a PE:
http://www.codeguru.com/cpp/w-p/system/ ... c11393__1/
http://www.codeguru.com/cpp/w-p/win32/s ... c12253__1/
http://www.tech-archive.net/Archive/Ger ... 00319.html
But it is much too hard for me.
Maybe the best way for me would be to have a Callback File System / Virtual Drive.
http://www.codeproject.com/KB/system/hi ... x3119552xx
But this would hold its own black-list like I would.
So my favorite is still dokan
http://forums.purebasic.com/german/view ... 320c969932
and I still wait for someone who makes what I can't: write a wrapper.
edit:
Do you have a working hook solution for me in the meantime?
So I could develop my filter until I have found the final solution.
Thank you!

Please pardon my English, my native tongue is German.
Re: Simple: 'RunPE'
I tried the same code for the execution of a program in memory. I don't get an error, but it also does not launch the executable as I hoped.
I include another program in my program and want to execute it at a specified time in my main program. The executed program is supposed to run in full screen mode and should get the focus.
The main program has to wait until the executed program was finished and then continues.
Below is the code that I am using right now. I require to write out the embed program executable to the windows temp folder and then execute it there, run it, wait for it to exit and then delete the program from the temp folder. I'd like to get around the creation of the EXE as a file and execute it in the memory.
I am using PureBasic 4.40 32Bit for Windows.
Code: Select all
DataSection
  IncludePath "..\Data"
  IntroExe: IncludeBinary "intro.exe"
  IntroExeEnd:
EndDataSection
Global ExecPath.s
Global InitRun.i
Global TempDir.s
Global ProgID.i
TempDir=GetTemporaryDirectory()
InitRun = 1
;.... Other Code
If InitRun = 1
  ;Initial Run, Execute Prog first
  CloseScreen()
  ;Prepare Prog Output
  length = ?IntroExeEnd-?IntroExe
  ExecPath=TempDir+"NFOIntro.exe"
  a = DeleteFile(ExecPath)
  *ptr = ?IntroExe
  ;Write Exe Binary to Temporary Directory
  If CreateFile(0, ExecPath)
    WriteData(0, *ptr, length)
    CloseFile(0)
    ;Execute
    ProgID = RunProgram(ExecPath, "", TempDir,#PB_Program_Open|#PB_Program_Wait)
    ;Keep Waiting until Exe was ended by User
    Repeat
      ProgStatus= WaitProgram(ProgID)
    Until ProgStatus
  EndIf
  ;Delete Exe from Temp Dir
  a = DeleteFile(ExecPath)
  InitRun = 0
  ;Relaunch Main Screen
  Goto MainPart
EndIf
;.... Other Code
Any suggestions? Thanks a lot.
Oh, one more thing. The executable is not a PB EXE. Just a regular program.
I also tried already the PureProcs Library and this version of ExecuteEXE does not work with PB 4.40.
Re: Simple: 'RunPE'
Found a working solution! Just for any other poor soul who is looking for the same and comes across this thread.
Works with PB 4.40 and 4.20
Code: Select all
;==================================================================================
Procedure _RunPTR(sProc.s, *lBuff)
  Structure IMAGE_SECTION_HEADER
    SecName.b[8]
    StructureUnion
      PhysicalAddr.l
      VirtualSize.l
    EndStructureUnion
    VirtualAddress.l
    SizeOfRawData.l
    PointerToRawData.l
    PointerToRelocations.l
    PointerToLinenumbers.l
    NumberOfRelocations.w
    NumberOfLinenumbers.w
    Characteristics.l
  EndStructure
  Structure IMAGE_SECTION_HEADERS
    ish.IMAGE_SECTION_HEADER[95]
  EndStructure
  Protected *idh.IMAGE_DOS_HEADER
  Protected *ish.IMAGE_SECTION_HEADERS
  Protected pi.PROCESS_INFORMATION
  Protected *inh.IMAGE_NT_HEADERS
  Protected si.STARTUPINFO
  Protected lpBaseAddres.l, Addr.l, ret.l, i.l
  Protected Ctx.CONTEXT
  *idh.IMAGE_DOS_HEADER = *lBuff
  CreateProcess_(#NUL, sProc, #NUL, #NUL, #False, #CREATE_SUSPENDED, #NUL, #NUL, @si, @pi)
  Ctx\ContextFlags = #CONTEXT_INTEGER
  If GetThreadContext_(pi\hThread, Ctx)
    ReadProcessMemory_(pi\hProcess, Ctx\Ebx + 8, @Addr, 4, #NUL)
    If ZwUnmapViewOfSection_(Pi\hProcess, Addr)=0
      If *lBuff
        *inh = *lBuff + *idh\e_lfanew
        lpBaseAddres = VirtualAllocEx_(pi\hProcess, *inh\OptionalHeader\ImageBase, *inh\OptionalHeader\SizeOfImage, #MEM_COMMIT | #MEM_RESERVE, #PAGE_EXECUTE_READWRITE)
        WriteProcessMemory_(pi\hProcess, lpBaseAddres, *lBuff, *inh\OptionalHeader\SizeOfHeaders, @ret)
        *ish = *inh\OptionalHeader + *inh\FileHeader\SizeOfOptionalHeader
        For i = 0 To *inh\FileHeader\NumberOfSections - 1
          WriteProcessMemory_(pi\hProcess, lpBaseAddres + *ish\ish[i]\VirtualAddress, *lBuff + *ish\ish[i]\PointerToRawData, *ish\ish[i]\SizeOfRawData, @ret)
        Next
        WriteProcessMemory_(pi\hProcess, Ctx\Ebx + 8, @lpBaseAddres, 4, #NUL)
        Ctx\Eax = lpBaseAddres + *inh\OptionalHeader\AddressOfEntryPoint
        SetThreadContext_(pi\hThread, Ctx)
        ResumeThread_(pi\hThread)
        Repeat
          GetExitCodeProcess_(pi\hProcess, @i)
          ;If WindowEvent() = #False : Delay(15) : EndIf
        Until i <> #STILL_ACTIVE
        ProcedureReturn
      EndIf
    EndIf
  EndIf
  TerminateProcess_(pi\hProcess, #NUL)
  CloseHandle_(pi\hThread)
  CloseHandle_(pi\hProcess)
EndProcedure
;==================================================================================
;*** Determine Own Process Name ***
proctitle.s{1024}
GetModuleFileName_(#Null, @proctitle, 1024)
CloseScreen()
;*** PID-Injection (AV-Tools might get triggered and sound an alarm! Use with Caution!!!!!)
_RunPTR(proctitle, ?IntroExe)
;alternative
;*ptr = IntroExe
;_RunPTR(proctitle, *ptr)
DataSection
  IntroExe: IncludeBinary "intro.exe"
EndDataSection
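
The post above warns that AV tools may alarm on this code; what they key on is the ordered API sequence that `_RunPTR` performs against a suspended child, commonly called process hollowing. As an added example (not part of the original post or thread), a small detector that replays that sequence over API-call events. The event schema (`api`, `actor`, `target`, `flags`, `protect`) and the sample trace are assumptions constructed for illustration, not the format of any particular tracing or EDR product.

```python
from collections import defaultdict

# Ordered stages of the _RunPTR call sequence from the post above.
STAGES = ["CreateProcess", "ZwUnmapViewOfSection", "VirtualAllocEx",
          "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
CREATE_SUSPENDED = 0x4
PAGE_EXECUTE_READWRITE = 0x40

def detect_hollowing(events):
    """Alert on each (actor pid, target pid) pair that completes every stage in order.

    Event fields (api, actor, target, flags, protect) are a hypothetical schema.
    """
    progress = defaultdict(int)   # pair -> number of stages already matched
    rwx = set()                   # pairs that made a remote RWX allocation
    alerts = []
    for ev in events:
        key, api = (ev["actor"], ev["target"]), ev["api"]
        if api == "CreateProcess":
            # Only a child created suspended can be rewritten before it runs.
            progress[key] = 1 if ev.get("flags", 0) & CREATE_SUSPENDED else 0
            rwx.discard(key)
            continue
        matched = progress[key]
        if matched == 0:
            continue              # no suspended child being tracked for this pair
        if api == "VirtualAllocEx" and ev.get("protect") == PAGE_EXECUTE_READWRITE:
            rwx.add(key)
        if api == STAGES[matched]:
            progress[key] = matched + 1   # repeated or unrelated calls do not advance
        if progress[key] == len(STAGES):
            alerts.append({"actor": key[0], "target": key[1], "rwx": key in rwx})
            progress[key] = 0
    return alerts

def event(api, actor, target, **extra):
    return dict(api=api, actor=actor, target=target, **extra)

# Constructed trace: pid 100 rewrites its child 200; pid 300 only launches 400 suspended.
SAMPLE = [
    event("CreateProcess", 100, 200, flags=CREATE_SUSPENDED),
    event("GetThreadContext", 100, 200), event("ReadProcessMemory", 100, 200),
    event("ZwUnmapViewOfSection", 100, 200),
    event("VirtualAllocEx", 100, 200, protect=PAGE_EXECUTE_READWRITE),
    event("WriteProcessMemory", 100, 200), event("WriteProcessMemory", 100, 200),
    event("CreateProcess", 300, 400, flags=CREATE_SUSPENDED),
    event("WriteProcessMemory", 100, 200),
    event("SetThreadContext", 100, 200), event("ResumeThread", 100, 200),
    event("ResumeThread", 300, 400),
]

if __name__ == "__main__":
    print(detect_hollowing(SAMPLE))
```

A launcher that merely creates a process suspended and resumes it (pid 300 in the trace) does not alert, because the unmap, remote allocation, write and context change never occur.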
Re: Simple: 'RunPE'
In _RunPTR(proctitle, ?IntroExe)
Is proctitle the .exe you're running in memory or is intro.exe?
At any rate, does not seem to work here but I like the solution you came up with. Maybe it's something I'm doing wrong.
The advantage of a 64 bit operating system over a 32 bit operating system comes down to only being twice the headache.
Re: Simple: 'RunPE'
Can I change the name to a long random name? Original name calc.exe - but after launch, in task manager - it must be calc.test.exe
Who can give advice?
Re: Simple: 'RunPE'
I get:
Line 39: Structure field not foud: Ebx.
I think that don't work on Windows Seven x64.

Re: Simple: 'RunPE'
Splash wrote:
I get:
Line 39: Structure field not foud: Ebx.
I think that don't work on Windows Seven x64.

On x64 you need to use the 64-bit register rbx, for example.
However, the code relies on internal structure of the PE loader and is not future safe anyway.