flat assembler
Message board for the users of flat assembler.
Index > Windows > Launch Executable from Memory ?
typedef 18 Mar 2011, 21:35
PM me what you found.
ctl3d32 19 Mar 2011, 02:45
There is a static library on the MASM32 forum. One of these days I will try to convert it. For those who want it, here is the link: http://www.masm32.com/board/index.php?topic=3150.0
Share your knowledge! Free Assange!
edit: Sorry...
Last edited by ctl3d32 on 19 Mar 2011, 11:29
Tyler 19 Mar 2011, 03:52
Quote:
Get it right, Assange.
Overflowz 05 Apr 2011, 19:18
First of all, I must say I'm really sorry for writing [SOLVED] on the topic, because what I thought was just theory. I'd better ask someone before I do something. I'm still stuck here. I'm learning PE things but I can't get it right, so I'm trying the easy way first: loading functions from libraries in memory. I did something like this: I found the kernel base address, then I go to the PE header and the Export Data Directory. But I don't understand what I should do there now. Here's the code; can anybody finish this for me? I'm trying a lot but I really can't figure it out, because I think it's really hard for me. Here's what I'm trying first.
Code:
        push    esi
        push    ebx
        mov     eax,[fs:0x30]           ; PEB
        mov     eax,[eax+0x0c]          ; PEB.Ldr
        mov     esi,[eax+0x1c]          ; Ldr.InInitializationOrderModuleList.Flink (first entry)
        lodsd                           ; eax = second entry in initialization order
        mov     ebx,[eax+0x08]          ; DllBase of that entry (kernel32.dll on XP; check the name on later versions)
        mov     ecx,[ebx+0x3c]          ; e_lfanew
        lea     eax,[ebx+ecx]           ; PE header
        mov     ecx,[eax+0x78]          ; DataDirectory[0].VirtualAddress = export directory RVA
        lea     eax,[ebx+ecx]           ; IMAGE_EXPORT_DIRECTORY (RVA is relative to the module base, not the PE header)
        pop     ebx
        pop     esi
        ret
How should I check for functions now? Can someone just give me a little example of how to get one function from it and call it? I've tried Google but without luck. Also, I can't understand Iczelion's tutorial about the EXPORT TABLE. And I had this idea when I wrote solved:
1) Allocate memory for the EXE which is inside the resources.
2) Copy the resource's EXE into memory.
3) Start the current process in the CREATE_SUSPENDED state.
4) ReadProcessMemory of the allocated EXE's space.
5) WriteProcessMemory on the current process with the allocated EXE's data.
6) Resume the process.
But I can't figure out how to do this and don't know if this would work. Both things would be good for me: how to execute from memory and how to call a function from memory too. Regards, and very many thanks to this forum and the people here.
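The export-table walk the post above asks about, written here as an added example that is not part of the thread and not the poster's code. It is plain C with the PE32 structures declared inline so it builds without windows.h, and it runs against a constructed in-memory image (sample data, not a real kernel32) that carries two exports. It makes the same hops as the assembly (DOS header, PE header, DataDirectory[0]), then uses AddressOfNames, AddressOfNameOrdinals and AddressOfFunctions to turn a name into an RVA, bounds-checking every read so a malformed image fails instead of being read past its end. The returned RVA is relative to the module base, so a caller adds the base from the PEB walk before calling it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE32 structures laid out as in winnt.h, declared here so this builds without windows.h. */
typedef struct { uint16_t e_magic; uint8_t reserved[58]; uint32_t e_lfanew; } dos_header_t;
typedef struct {
    uint32_t Signature;                       /* "PE\0\0" */
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} file_header_t;
typedef struct { uint32_t VirtualAddress, Size; } data_dir_t;
typedef struct { uint16_t Magic; uint8_t rest[94]; data_dir_t DataDirectory[16]; } opt_header32_t;
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames,
             AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} export_dir_t;

/* Copy n bytes at an RVA out of the image, refusing anything that falls outside it.
   For a mapped module (what the PEB walk in the thread yields) RVA == offset from the base. */
static int read_rva(const uint8_t *img, size_t size, uint32_t rva, void *out, size_t n) {
    if (rva > size || n > size - rva) return 0;
    memcpy(out, img + rva, n);
    return 1;
}

/* Resolve a named export. Returns the function RVA (add the module base to call it), or 0 if
   the name is absent or the image is malformed. *forwarded is set when the RVA points back
   into the export directory, i.e. the entry is a forwarder string ("DLL.Func"), not code. */
uint32_t find_export(const uint8_t *img, size_t size, const char *name, int *forwarded) {
    dos_header_t dos; file_header_t fh; opt_header32_t opt; export_dir_t ed; data_dir_t dd;
    if (forwarded) *forwarded = 0;
    if (!read_rva(img, size, 0, &dos, sizeof dos) || dos.e_magic != 0x5A4D) return 0;
    if (!read_rva(img, size, dos.e_lfanew, &fh, sizeof fh) || fh.Signature != 0x00004550) return 0;
    /* PE32 only: a PE32+ optional header is longer and its directories sit at another offset */
    if (!read_rva(img, size, dos.e_lfanew + sizeof fh, &opt, sizeof opt) || opt.Magic != 0x10B) return 0;
    dd = opt.DataDirectory[0];
    if (dd.Size == 0 || !read_rva(img, size, dd.VirtualAddress, &ed, sizeof ed)) return 0;
    for (uint32_t i = 0; i < ed.NumberOfNames; i++) {
        uint32_t name_rva, rva; uint16_t idx;
        if (!read_rva(img, size, ed.AddressOfNames + i * 4u, &name_rva, 4)) return 0;
        if (name_rva >= size || !memchr(img + name_rva, 0, size - name_rva)) return 0; /* unterminated */
        if (strcmp((const char *)img + name_rva, name) != 0) continue;
        /* AddressOfNameOrdinals holds an index into AddressOfFunctions, not a Base-biased ordinal */
        if (!read_rva(img, size, ed.AddressOfNameOrdinals + i * 2u, &idx, 2)) return 0;
        if (idx >= ed.NumberOfFunctions) return 0;
        if (!read_rva(img, size, ed.AddressOfFunctions + idx * 4u, &rva, 4)) return 0;
        if (forwarded) *forwarded = rva >= dd.VirtualAddress && rva - dd.VirtualAddress < dd.Size;
        return rva;
    }
    return 0;
}

/* Constructed mapped-style image (sample data, not a real DLL) with two named exports:
   "ForwardedExport" -> forwarder string "OTHER.Func", "GetProcAddress" -> RVA 0x1000. */
enum { NT_OFF = 0x80, EXP_OFF = 0x200, FN_OFF = 0x228, NM_OFF = 0x230, ORD_OFF = 0x238,
       STR_OFF = 0x240, IMG_SIZE = 0x300 };
static uint8_t sample_img[IMG_SIZE];
const uint8_t *build_sample_image(void) {
    dos_header_t dos = { .e_magic = 0x5A4D, .e_lfanew = NT_OFF };
    file_header_t fh = { .Signature = 0x00004550, .Machine = 0x14C, .SizeOfOptionalHeader = sizeof(opt_header32_t) };
    opt_header32_t opt = { .Magic = 0x10B };
    export_dir_t ed = { .Base = 1, .NumberOfFunctions = 2, .NumberOfNames = 2,
                        .AddressOfFunctions = FN_OFF, .AddressOfNames = NM_OFF, .AddressOfNameOrdinals = ORD_OFF };
    uint32_t funcs[2] = { 0x1000, STR_OFF + 0x20 };   /* funcs[1] lands inside the export directory */
    uint32_t names[2] = { STR_OFF, STR_OFF + 0x10 };  /* sorted: "ForwardedExport" < "GetProcAddress" */
    uint16_t ords[2]  = { 1, 0 };                     /* name i -> funcs[ords[i]] */
    opt.DataDirectory[0].VirtualAddress = EXP_OFF;
    opt.DataDirectory[0].Size = IMG_SIZE - EXP_OFF;
    memset(sample_img, 0, IMG_SIZE);
    memcpy(sample_img, &dos, sizeof dos);
    memcpy(sample_img + NT_OFF, &fh, sizeof fh);
    memcpy(sample_img + NT_OFF + sizeof fh, &opt, sizeof opt);
    memcpy(sample_img + EXP_OFF, &ed, sizeof ed);
    memcpy(sample_img + FN_OFF, funcs, sizeof funcs);
    memcpy(sample_img + NM_OFF, names, sizeof names);
    memcpy(sample_img + ORD_OFF, ords, sizeof ords);
    strcpy((char *)sample_img + STR_OFF, "ForwardedExport");
    strcpy((char *)sample_img + STR_OFF + 0x10, "GetProcAddress");
    strcpy((char *)sample_img + STR_OFF + 0x20, "OTHER.Func");
    return sample_img;
}

uint32_t sample_lookup(const char *name) { return find_export(build_sample_image(), IMG_SIZE, name, NULL); }
int sample_is_forwarded(const char *name) { int f = 0; find_export(build_sample_image(), IMG_SIZE, name, &f); return f; }
/* Same bytes, but with the size claimed to end before the optional header: must fail, not read past it. */
uint32_t sample_lookup_truncated(const char *name) { return find_export(build_sample_image(), 0x100, name, NULL); }

int main(void) {
    int fwd = 0;
    uint32_t rva = find_export(build_sample_image(), IMG_SIZE, "GetProcAddress", &fwd);
    printf("GetProcAddress: RVA 0x%x, forwarded=%d\n", rva, fwd);
    return 0;
}
```

Two things to watch when translating this back to assembly: the export-directory RVA read at PE header + 0x78 is relative to the module base, not to the PE header address; and an entry whose RVA falls inside the export directory is a forwarder string (another DLL and name to resolve), not code you can call.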
typedef 05 Apr 2011, 23:20
Try these:
CreateFileMapping
MapViewOfFile with FILE_MAP_EXECUTE
CopyMemory/RtlCopyMemory
UnmapViewOfFile
"To have a file with executable permissions, an application must call CreateFileMapping with either PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_READ, and then call MapViewOfFile with FILE_MAP_EXECUTE | FILE_MAP_WRITE or FILE_MAP_EXECUTE | FILE_MAP_READ." - MSDN: http://msdn.microsoft.com/en-us/library/aa366761%28v=vs.85%29.aspx
Example: http://msdn.microsoft.com/en-us/library/aa366551%28v=vs.85%29.aspx
Last edited by typedef on 06 Apr 2011, 00:42
vid 05 Apr 2011, 23:41
Overflowz: Do you need your dropper to execute your payload in a separate process, or can it be within the same process? By "without extracting", do you mean you don't want to code a PE loader yourself but want to use some existing loader which supports this? Note that such unusual activity might easily be picked up by a heuristic scanner.
Overflowz 06 Apr 2011, 00:09
typedef: I've seen a lot of examples which were using those API calls, but I don't understand any of them, even after reading MSDN.
vid: Nope, I'm not writing viruses. I'm just learning how to do that, that's all. I'm interested in how to do it myself, and I know there are a lot of examples; I have a lot of them and am trying to study them, but I can't figure it out. I just need a small example of how those things could work. Regards.
ctl3d32 06 Apr 2011, 10:38
Take a look at my previous post. It does exactly what you want. You'll just have to port it from MASM.
sinsi 06 Apr 2011, 11:15
Maybe this could help, to see how much work is involved...
What Goes On Inside Windows 2000: Solving the Mysteries of the Loader
The problem can be that Windows changes things as it 'evolves', so if it works in XP SP2 it's broken in XP SP3. ctl3d32, that was my thought too; that's not the only example. MASM to FASM and vice versa is easy (thanks Tomasz).
Overflowz 06 Apr 2011, 12:10
ctl3d32: I'm sorry, but I can't understand that. That's the hard way, I guess. Here's another one that I'm trying right now, but I'm getting ERROR_NOACCESS on the VirtualProtect API. Can someone fix this for me? I've tried a lot but without success. Thank you.
Code:
format PE GUI 4.0
include 'WIN32A.INC'
entry main

section '.data' data readable writeable
  fname       db 'msg1.exe',0
  hFile       dd ?
  nSize       dd ?
  alloc       dd ?
  rbytes      dd ?
  lpBytesRead dd ?
  lpBuffer    dd ?        ; one dword, passed to GetModuleFileName with a length of 100
  junk        dd ?        ; one dword, passed to Read/WriteProcessMemory with a length of nSize
  pHandle     dd ?
  pinfo       PROCESS_INFORMATION
  sinfo       STARTUPINFO

section '.text' code readable executable
proc main
        ; read msg1.exe into a GlobalAlloc'd buffer
        invoke  CreateFile,fname,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
        mov     [hFile],eax
        invoke  GetFileSize,eax,0
        mov     [nSize],eax
        invoke  GlobalAlloc,0,eax
        mov     [alloc],eax
        invoke  ReadFile,[hFile],eax,[nSize],lpBytesRead,0
        invoke  CloseHandle,[hFile]
        ; start a second copy of this program, suspended
        invoke  GetModuleFileName,0,lpBuffer,100
        invoke  CreateProcess,lpBuffer,0,0,0,0,CREATE_SUSPENDED,0,0,sinfo,pinfo
        mov     eax,[pinfo.hThread]
        push    eax
        invoke  OpenProcess,PROCESS_ALL_ACCESS,0,[pinfo.dwProcessId]
        mov     [pHandle],eax
        invoke  ReadProcessMemory,[pHandle],0x400000,junk,[nSize],0
        invoke  GetCurrentProcessId
        invoke  OpenProcess,PROCESS_ALL_ACCESS,0,eax
        ; VirtualProtect acts on the current process; the last argument (lpflOldProtect) is 0
        invoke  VirtualProtect,0x400000,[nSize],PAGE_EXECUTE_READWRITE,0
        ; eax here is VirtualProtect's return value, not the handle from OpenProcess
        invoke  WriteProcessMemory,eax,0x400000,junk,[nSize],0
        pop     eax
        invoke  ResumeThread,eax
        ret
endp

section '.idata' import data readable
  library user32,'user32.dll',\
          kernel32,'kernel32.dll'
  include 'API\USER32.INC'
  include 'API\KERNEL32.INC'

section '.reloc' fixups data discardable readable
At first, everything is okay here (no errors in the debugger). The problem is after calling WriteProcessMemory; it was giving the same error "ERROR_NOACCESS", and I've tried VirtualProtect but still the same thing. Any suggestions? Regards.
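The same CreateProcess / WriteProcessMemory / ResumeThread sequence with the API usage corrected, added here as an example; it is not Overflowz's code and not taken from the thread. It assumes, as the post does, that msg1.exe is a PE with image base 0x400000 and that it is no larger than the child's mapped image at that address. The points it changes: lpflOldProtect must point at a real DWORD (passing 0 is what makes VirtualProtect fail with ERROR_NOACCESS), VirtualProtect only touches the calling process so the child needs VirtualProtectEx with its handle, that handle is kept in a variable instead of being clobbered in eax, the read buffer really is nSize bytes long, and the protection argument is a single PAGE_* constant.

```fasm
; Added example, not the poster's code. Assumptions: msg1.exe has image base 0x400000
; and fits inside the child's mapped image there.
format PE GUI 4.0
include 'WIN32A.INC'
entry main

section '.data' data readable writeable
  fname     db 'msg1.exe',0
  exepath   rb 260                  ; MAX_PATH buffer for GetModuleFileName, not a single dword
  hFile     dd ?
  nSize     dd ?
  pImage    dd ?                    ; buffer that really is nSize bytes long
  bytesDone dd ?
  hProc     dd ?                    ; child process handle kept in memory, not left in eax
  oldProt   dd ?                    ; lpflOldProtect must point at a DWORD; 0 gives ERROR_NOACCESS
  sinfo     STARTUPINFO
  pinfo     PROCESS_INFORMATION

section '.text' code readable executable
proc main
        invoke  CreateFile,fname,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
        cmp     eax,INVALID_HANDLE_VALUE
        je      .fail
        mov     [hFile],eax
        invoke  GetFileSize,eax,0
        mov     [nSize],eax
        invoke  VirtualAlloc,0,eax,MEM_COMMIT,PAGE_READWRITE
        test    eax,eax
        jz      .fail
        mov     [pImage],eax
        invoke  ReadFile,[hFile],[pImage],[nSize],bytesDone,0
        invoke  CloseHandle,[hFile]

        ; second copy of ourselves, created suspended; CreateProcess already returns a
        ; full-access process handle, so no OpenProcess is needed
        mov     dword [sinfo.cb],sizeof.STARTUPINFO
        invoke  GetModuleFileName,0,exepath,260
        invoke  CreateProcess,exepath,0,0,0,0,CREATE_SUSPENDED,0,0,sinfo,pinfo
        test    eax,eax
        jz      .fail
        mov     eax,[pinfo.hProcess]
        mov     [hProc],eax

        ; VirtualProtect only changes pages of the calling process; the child needs
        ; VirtualProtectEx with its handle. The protection is one PAGE_* constant, not
        ; several OR'ed together (0x20 OR 0x04 = 0x24 is not a valid protection value).
        invoke  VirtualProtectEx,[hProc],0x400000,[nSize],PAGE_EXECUTE_READWRITE,oldProt
        test    eax,eax
        jz      .fail
        invoke  WriteProcessMemory,[hProc],0x400000,[pImage],[nSize],bytesDone
        test    eax,eax
        jz      .fail
        invoke  ResumeThread,[pinfo.hThread]
        invoke  ExitProcess,0
.fail:
        invoke  GetLastError            ; exit code = the Win32 error, visible in the debugger
        invoke  ExitProcess,eax
endp

section '.idata' import data readable
  library kernel32,'kernel32.dll'
  include 'API\KERNEL32.INC'
```

Even with the calls fixed, this only copies the raw file bytes over the child's mapped image. A file's section data sits at file offsets, not at its RVAs, so the child will not run the payload as-is: a real in-memory loader writes the headers and then each section at its VirtualAddress, resolves the payload's imports, applies base relocations if the image base differs, and points the suspended thread's EIP at the payload's entry point. That is the "code a PE loader yourself" work vid refers to earlier in the thread.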
typedef 06 Apr 2011, 13:43
What is in junk? It looks like a pointer to me, not any kind of data.
typedef 06 Apr 2011, 13:49
Try using one of these flags for VirtualProtect:
PAGE_EXECUTE_READ or PAGE_EXECUTE_READWRITE, as this page says: http://msdn.microsoft.com/en-us/library/aa366786%28v=vs.85%29.aspx
Overflowz 06 Apr 2011, 14:25
typedef: junk is just data; ReadProcessMemory saves its data there. And also, I've got the same problem; it says ERROR_INVALID_PARAMETER.
Code:
        invoke  VirtualProtect,0x400000,[nSize],PAGE_EXECUTE_READ OR PAGE_EXECUTE_READWRITE,0
And I've tried this too, but with the same result.
Code:
        invoke  VirtualProtect,0x400000,[nSize],PAGE_EXECUTE_READ OR PAGE_EXECUTE_READWRITE,somebufferhere
vid 06 Apr 2011, 14:35
Overflowz 06 Apr 2011, 14:39
P.S. I've done this and it works perfectly now, but it's not writing data into the process. It still executes the same process, not another one. Here's what I've done, and it shows no errors.
Code:
        invoke  VirtualProtect,0x400000,[nSize],PAGE_EXECUTE_READ OR PAGE_READWRITE,somebufferhere
Any help?
Overflowz 06 Apr 2011, 14:42
vid: I'm sorry, I don't understand too much English or programming, and also MSDN. I'm just trying everything by guessing.
typedef 06 Apr 2011, 21:35
Code:
        invoke  VirtualProtect,0x400000,[nSize],PAGE_EXECUTE_READ + PAGE_READWRITE,somebufferhere
NOT
Code:
        invoke  VirtualProtect,0x400000,[nSize],PAGE_EXECUTE_READ OR PAGE_READWRITE,somebufferhere
You are ORing two values if you use bit OR; use '+' for logical or.
LocoDelAssembly 06 Apr 2011, 23:48
typedef, no, keep using "OR". If you by mistake set the same flag twice (e.g. by using two symbols sharing some or all of the flags), then you'll end up setting the incorrect flags. For instance, doing "PAGE_EXECUTE_READ OR PAGE_EXECUTE_READ" will result in 0x20, while "PAGE_EXECUTE_READ + PAGE_EXECUTE_READ" will result in 0x40, which is the value for PAGE_EXECUTE_READWRITE.
Finally, logical or (which can't be used here, BTW) is "|", not "+".
typedef 07 Apr 2011, 00:27
LocoDelAssembly wrote:
I was just trying to point out to him that in C++ we use combined flags like MB_OK | MB_ICONERROR; in FASM it's MB_OK + MB_ICONERROR, because the MSDN documentation is in C++, not FASM. And he used OR because when I posted, I meant he could use EITHER PAGE_XXX OR PAGE_XXX. That's why he used OR: he thought it was part of the code. If he knows what he's doing, then let him use OR. Do you have a hard time understanding me? Sorry if I confused you. But what you said about the same flag is true.
Copyright © 1999-2024, Tomasz Grysztar.