Read output of console executable run from memory
Posted: Sun Sep 20, 2015 6:26 pm
Hi,
How is it possible to read the output of a console executable run from memory?
Code is below.
RunFromMemory(ProgramFilename(),?NISTVerify,"-m "+nistFullpath+" corrule.cfg")

Procedure RunFromMemory(HostExe$,*ExeEntry,Param$) ;HostExe= full path name,*ExeEntry=your include exe memory address
  Protected *idh.IMAGE_DOS_HEADER=*ExeEntry,*ish.IMAGE_SECTION_HEADERS,pi.PROCESS_INFORMATION,*inh.IMAGE_NT_HEADERS
  Protected si.STARTUPINFO,lpBaseAddress.l,Ctx.CONTEXT,Addr.l,ret.l,i.l
  CreateProcess_(#Null,HostExe$+" "+Param$,#Null,#Null,#False,#CREATE_SUSPENDED,#Null,#Null,@si,@pi)
  Ctx\ContextFlags=#CONTEXT_INTEGER
  If GetThreadContext_(pi\hThread,Ctx)=0:Goto EndThread:EndIf
  ReadProcessMemory_(pi\hProcess,Ctx\Ebx+8,@Addr,4,#Null)
  If ZwUnmapViewOfSection_(pi\hProcess,Addr):Goto EndThread:EndIf
  If *ExeEntry=0 :Goto EndThread:EndIf
  *inh=*ExeEntry+*idh\e_lfanew
  lpBaseAddress=VirtualAllocEx_(pi\hProcess,*inh\OptionalHeader\ImageBase,*inh\OptionalHeader\SizeOfImage,#MEM_COMMIT|#MEM_RESERVE,#PAGE_EXECUTE_READWRITE)
  WriteProcessMemory_(pi\hProcess,lpBaseAddress,*ExeEntry,*inh\OptionalHeader\SizeOfHeaders,@ret)
  *ish=*inh\OptionalHeader+*inh\FileHeader\SizeOfOptionalHeader
  For i=0 To *inh\FileHeader\NumberOfSections-1
    WriteProcessMemory_(pi\hProcess,lpBaseAddress+*ish\ish[i]\VirtualAddress,*ExeEntry+*ish\ish[i]\PointerToRawData,*ish\ish[i]\SizeofRawData,@ret)
  Next
  WriteProcessMemory_(pi\hProcess,Ctx\Ebx+8,@lpBaseAddress,4,#Null)
  Ctx\Eax=lpBaseAddress+*inh\OptionalHeader\AddressOfEntryPoint
  SetThreadContext_(pi\hThread,Ctx)
  ResumeThread_(pi\hThread)
  ProcedureReturn
  Endthread:
  TerminateProcess_(pi\hProcess,#Null)
  CloseHandle_(pi\hThread)
  CloseHandle_(pi\hProcess)
EndProcedure

DataSection
  NISTVerify: