ITKnightMare
PE Memory Loader XP Crash Help
This proggy is supposed to create a new thread, load the sections of the PE file into memory, and resume the thread from its suspended creation.
But... uhm, the moment it gets to ResumeThread, XP gives me a STOP 8E error saying my RAM might be messed up.
Most of this code I just stare and drool at, never even having heard of functions like VirtualProtectEx, but I figured I'd ask the experts ^_^
'Code provided by Ark
Option Explicit
'========Main staff for any API code :)===========
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Dest As Any, Src As Any, ByVal L As Long)
'=======Thread context staff===========
Const SIZE_OF_80387_REGISTERS = 80
Private Type FLOATING_SAVE_AREA
ControlWord As Long
StatusWord As Long
TagWord As Long
ErrorOffset As Long
ErrorSelector As Long
DataOffset As Long
DataSelector As Long
RegisterArea(1 To SIZE_OF_80387_REGISTERS) As Byte
Cr0NpxState As Long
End Type
'==========Note: WIN32API.TXT contains an incorrect structure for the CONTEXT type. This one is correct========
Private Type CONTEXT86
ContextFlags As Long
'These are selected by CONTEXT_DEBUG_REGISTERS
Dr0 As Long
Dr1 As Long
Dr2 As Long
Dr3 As Long
Dr6 As Long
Dr7 As Long
'These are selected by CONTEXT_FLOATING_POINT
FloatSave As FLOATING_SAVE_AREA
'These are selected by CONTEXT_SEGMENTS
SegGs As Long
SegFs As Long
SegEs As Long
SegDs As Long
'These are selected by CONTEXT_INTEGER
Edi As Long
Esi As Long
Ebx As Long
Edx As Long
Ecx As Long
Eax As Long
'These are selected by CONTEXT_CONTROL
Ebp As Long
Eip As Long
SegCs As Long
EFlags As Long
Esp As Long
SegSs As Long
End Type
Private Const CONTEXT_X86 = &H10000
Private Const CONTEXT86_CONTROL = (CONTEXT_X86 Or &H1) 'SS:SP, CS:IP, FLAGS, BP
Private Const CONTEXT86_INTEGER = (CONTEXT_X86 Or &H2) 'AX, BX, CX, DX, SI, DI
Private Const CONTEXT86_SEGMENTS = (CONTEXT_X86 Or &H4) 'DS, ES, FS, GS
Private Const CONTEXT86_FLOATING_POINT = (CONTEXT_X86 Or &H8) '387 state
Private Const CONTEXT86_DEBUG_REGISTERS = (CONTEXT_X86 Or &H10) 'DB 0-3,6,7
Private Const CONTEXT86_FULL = (CONTEXT86_CONTROL Or CONTEXT86_INTEGER Or CONTEXT86_SEGMENTS)
Private Declare Function GetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As CONTEXT86) As Long
Private Declare Function SetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As CONTEXT86) As Long
Private Declare Function SuspendThread Lib "kernel32" (ByVal hThread As Long) As Long
Private Declare Function ResumeThread Lib "kernel32" (ByVal hThread As Long) As Long
'========Process creation and memory access staff=========
Private Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type
Private Type STARTUPINFO
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long 'LPBYTE
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type
Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpAppName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function ZwUnmapViewOfSection Lib "ntdll.dll" (ByVal hProcess As Long, ByVal BaseAddress As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function VirtualProtectEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Const CREATE_SUSPENDED = &H4
Private Const MEM_COMMIT As Long = &H1000&
Private Const MEM_RESERVE As Long = &H2000&
Private Const PAGE_NOCACHE As Long = &H200
Private Const PAGE_EXECUTE_READWRITE As Long = &H40
Private Const PAGE_EXECUTE_WRITECOPY As Long = &H80
Private Const PAGE_EXECUTE_READ As Long = &H20
Private Const PAGE_EXECUTE As Long = &H10
Private Const PAGE_READONLY As Long = &H2
Private Const PAGE_WRITECOPY As Long = &H8
Private Const PAGE_NOACCESS As Long = &H1
Private Const PAGE_READWRITE As Long = &H4
'==========PE staff==============
Private Enum ImageSignatureTypes
IMAGE_DOS_SIGNATURE = &H5A4D ''\\ MZ
IMAGE_OS2_SIGNATURE = &H454E ''\\ NE
IMAGE_OS2_SIGNATURE_LE = &H454C ''\\ LE
IMAGE_VXD_SIGNATURE = &H454C ''\\ LE
IMAGE_NT_SIGNATURE = &H4550 ''\\ PE00
End Enum
Private Type IMAGE_DOS_HEADER
e_magic As Integer ' Magic number
e_cblp As Integer ' Bytes on last page of file
e_cp As Integer ' Pages in file
e_crlc As Integer ' Relocations
e_cparhdr As Integer ' Size of header in paragraphs
e_minalloc As Integer ' Minimum extra paragraphs needed
e_maxalloc As Integer ' Maximum extra paragraphs needed
e_ss As Integer ' Initial (relative) SS value
e_sp As Integer ' Initial SP value
e_csum As Integer ' Checksum
e_ip As Integer ' Initial IP value
e_cs As Integer ' Initial (relative) CS value
e_lfarlc As Integer ' File address of relocation table
e_ovno As Integer ' Overlay number
e_res(0 To 3) As Integer ' Reserved words
e_oemid As Integer ' OEM identifier (for e_oeminfo)
e_oeminfo As Integer ' OEM information; e_oemid specific
e_res2(0 To 9) As Integer ' Reserved words
e_lfanew As Long ' File address of new exe header
End Type
' File header
Private Type IMAGE_FILE_HEADER
Machine As Integer
NumberOfSections As Integer
TimeDateStamp As Long
PointerToSymbolTable As Long
NumberOfSymbols As Long
SizeOfOptionalHeader As Integer
characteristics As Integer
End Type
' Directory format.
Private Type IMAGE_DATA_DIRECTORY
VirtualAddress As Long
Size As Long
End Type
' Optional header format.
Const IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
Private Type IMAGE_OPTIONAL_HEADER
' Standard fields.
Magic As Integer
MajorLinkerVersion As Byte
MinorLinkerVersion As Byte
SizeOfCode As Long
SizeOfInitializedData As Long
SizeOfUnitializedData As Long
AddressOfEntryPoint As Long
BaseOfCode As Long
BaseOfData As Long
' NT additional fields.
ImageBase As Long
SectionAlignment As Long
FileAlignment As Long
MajorOperatingSystemVersion As Integer
MinorOperatingSystemVersion As Integer
MajorImageVersion As Integer
MinorImageVersion As Integer
MajorSubsystemVersion As Integer
MinorSubsystemVersion As Integer
W32VersionValue As Long
SizeOfImage As Long
SizeOfHeaders As Long
CheckSum As Long
SubSystem As Integer
DllCharacteristics As Integer
SizeOfStackReserve As Long
SizeOfStackCommit As Long
SizeOfHeapReserve As Long
SizeOfHeapCommit As Long
LoaderFlags As Long
NumberOfRvaAndSizes As Long
DataDirectory(0 To IMAGE_NUMBEROF_DIRECTORY_ENTRIES - 1) As IMAGE_DATA_DIRECTORY
End Type
Private Type IMAGE_NT_HEADERS
Signature As Long
FileHeader As IMAGE_FILE_HEADER
OptionalHeader As IMAGE_OPTIONAL_HEADER
End Type
' Section header
Const IMAGE_SIZEOF_SHORT_NAME = 8
Private Type IMAGE_SECTION_HEADER
SecName As String * IMAGE_SIZEOF_SHORT_NAME
VirtualSize As Long
VirtualAddress As Long
SizeOfRawData As Long
PointerToRawData As Long
PointerToRelocations As Long
PointerToLinenumbers As Long
NumberOfRelocations As Integer
NumberOfLinenumbers As Integer
characteristics As Long
End Type
'=============Code================
Const OFFSET_4 = 4294967296#
Public Function RunExe(abExeFile() As Byte) As Long
Dim idh As IMAGE_DOS_HEADER
Dim inh As IMAGE_NT_HEADERS
Dim ish As IMAGE_SECTION_HEADER
Dim pi As PROCESS_INFORMATION
Dim si As STARTUPINFO
Dim context As CONTEXT86
Dim ImageBase As Long, ret As Long, i As Long
Dim addr As Long, lOffset As Long
CopyMemory idh, abExeFile(0), Len(idh)
If idh.e_magic <> IMAGE_DOS_SIGNATURE Then
MsgBox "MZ signature not found!", vbCritical, "File load error"
Exit Function
End If
CopyMemory inh, abExeFile(idh.e_lfanew), Len(inh)
If inh.Signature <> IMAGE_NT_SIGNATURE Then
MsgBox "PE signature not found!", vbCritical, "File load error"
Exit Function
End If
si.cb = Len(si)
If CreateProcess(vbNullString, "cmd", 0, 0, False, CREATE_SUSPENDED, 0, 0, si, pi) = 0 Then Exit Function
context.ContextFlags = CONTEXT86_INTEGER
If GetThreadContext(pi.hThread, context) = 0 Then GoTo ClearProcess
Call ReadProcessMemory(pi.hProcess, ByVal context.Ebx + 8, addr, 4, 0)
If addr = 0 Then GoTo ClearProcess
If ZwUnmapViewOfSection(pi.hProcess, addr) Then GoTo ClearProcess
ImageBase = VirtualAllocEx(pi.hProcess, ByVal inh.OptionalHeader.ImageBase, inh.OptionalHeader.SizeOfImage, MEM_RESERVE Or MEM_COMMIT, PAGE_READWRITE)
If ImageBase = 0 Then GoTo ClearProcess
Call WriteProcessMemory(pi.hProcess, ByVal ImageBase, abExeFile(0), inh.OptionalHeader.SizeOfHeaders, ret)
lOffset = idh.e_lfanew + Len(inh)
For i = 0 To inh.FileHeader.NumberOfSections - 1
CopyMemory ish, abExeFile(lOffset + i * Len(ish)), Len(ish)
Debug.Print ish.SecName
Call WriteProcessMemory(pi.hProcess, ByVal ImageBase + ish.VirtualAddress, abExeFile(ish.PointerToRawData), ish.SizeOfRawData, ret)
Debug.Print Err.LastDllError
Call VirtualProtectEx(pi.hProcess, ByVal ImageBase + ish.VirtualAddress, ish.VirtualSize, Protect(ish.characteristics), addr)
Next i
Call WriteProcessMemory(pi.hProcess, ByVal context.Ebx + 8, ImageBase, 4, ret)
context.Eax = ImageBase + inh.OptionalHeader.AddressOfEntryPoint
Call SetThreadContext(pi.hThread, context)
Call ResumeThread(pi.hThread)
Exit Function
ClearProcess:
CloseHandle pi.hThread
CloseHandle pi.hProcess
End Function
Private Function Protect(ByVal characteristics As Long) As Long
Dim mapping As Variant
mapping = Array(PAGE_NOACCESS, PAGE_EXECUTE, PAGE_READONLY, _
PAGE_EXECUTE_READ, PAGE_READWRITE, PAGE_EXECUTE_READWRITE, _
PAGE_READWRITE, PAGE_EXECUTE_READWRITE)
Protect = mapping(RShift(characteristics, 29))
End Function
Private Function RShift(ByVal lValue As Long, ByVal lNumberOfBitsToShift As Long) As Long
'Int() truncates the quotient; without it VB rounds the Double to the nearest Long when it is used as an array index
RShift = Int(vbLongToULong(lValue) / (2 ^ lNumberOfBitsToShift))
End Function
Private Function vbLongToULong(Value As Long) As Double
If Value < 0 Then
vbLongToULong = Value + OFFSET_4
Else
vbLongToULong = Value
End If
End Function
Private Sub Command1_Click()
Dim b() As Byte
Dim hfile As Integer
hfile = FreeFile
Open "C:\notepad.exe" For Binary Access Read As #hfile
ReDim b(0 To LOF(hfile))
Get #hfile, , b
Close #hfile
Dim r As Long
r = RunExe(b)
End Sub
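Added illustration for this thread (Python; not the asker's code and not Ark's): it reads the same IMAGE_DOS_HEADER, IMAGE_NT_HEADERS and IMAGE_SECTION_HEADER fields the VB declares, refuses any header or section that points outside the file or outside SizeOfImage (checks the VB loop does not make before it copies), and reproduces the Protect() mapping of the top three section-characteristic bits to a PAGE_* constant. The PE32 image it parses is constructed inline and is not a real executable; the structure offsets are the standard PE32 layout.

```python
"""Added illustration for this thread (not the asker's or Ark's code): parse a PE32
image with the structures the VB code declares, bounds-check every offset, and derive
each section's page protection the way the VB Protect() function does."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
PE32_MAGIC = 0x10B
SIZEOF_FILE_HEADER, SIZEOF_SECTION_HEADER = 20, 40

# Same eight-entry table as VB Protect(), indexed by the top three characteristic
# bits: IMAGE_SCN_MEM_EXECUTE (bit 29), IMAGE_SCN_MEM_READ (30), IMAGE_SCN_MEM_WRITE (31).
PROTECT_TABLE = [0x01, 0x10, 0x02, 0x20, 0x04, 0x40, 0x04, 0x40]
PAGE_NAMES = {0x01: "PAGE_NOACCESS", 0x10: "PAGE_EXECUTE", 0x02: "PAGE_READONLY",
              0x20: "PAGE_EXECUTE_READ", 0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}


class PEFormatError(ValueError):
    """A header or section points outside the file or the image."""


def section_protection(characteristics):
    """Map IMAGE_SCN_MEM_* flags to the PAGE_* value VirtualProtectEx would receive."""
    return PROTECT_TABLE[(characteristics & 0xFFFFFFFF) >> 29]


def _need(data, offset, size, what):
    """Reject any structure that does not lie entirely inside the buffer."""
    if offset < 0 or offset + size > len(data):
        raise PEFormatError(f"{what} at 0x{offset:X}+0x{size:X} exceeds {len(data)}-byte file")


def parse_pe(data):
    """Return image base, entry point, sizes and per-section info for a PE32 file."""
    _need(data, 0, 64, "IMAGE_DOS_HEADER")
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise PEFormatError("MZ signature not found")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    _need(data, e_lfanew, 4 + SIZEOF_FILE_HEADER, "IMAGE_NT_HEADERS")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise PEFormatError("PE signature not found")
    # IMAGE_FILE_HEADER: skip Machine, read NumberOfSections, skip 12 bytes, read SizeOfOptionalHeader
    nsections, opt_size = struct.unpack_from("<2xH12xH", data, e_lfanew + 4)
    opt = e_lfanew + 4 + SIZEOF_FILE_HEADER
    _need(data, opt, opt_size, "IMAGE_OPTIONAL_HEADER")
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise PEFormatError("only PE32 (Magic 0x10B) images are handled here")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]      # ImageBase
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    table = opt + opt_size      # section table follows the optional header's declared size
    _need(data, table, nsections * SIZEOF_SECTION_HEADER, "section table")
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, chars = struct.unpack_from(
            "<8sIIII12xI", data, table + i * SIZEOF_SECTION_HEADER)
        # The two checks the VB loop skips: copy source inside the file, destination inside the image.
        if raw_size:
            _need(data, raw_ptr, raw_size, f"raw data of {name!r}")
        if va + max(vsize, raw_size) > size_of_image:
            raise PEFormatError(f"section {name!r} extends past SizeOfImage")
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize, "raw_pointer": raw_ptr,
                         "raw_size": raw_size, "protection": PAGE_NAMES[section_protection(chars)]})
    return {"image_base": image_base, "entry_point": entry_point, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections}


def is_well_formed(data):
    try:
        parse_pe(data)
        return True
    except PEFormatError:
        return False


def build_sample_image():
    """Hand-constructed minimal PE32 with .text and .data sections (test data, not a real program)."""
    file_align, sect_align = 0x200, 0x1000
    # (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics)
    secs = [(b".text", 0x1000, 0x200, 0x200, 0x60000020),   # CODE | MEM_EXECUTE | MEM_READ
            (b".data", 0x2000, 0x100, 0x200, 0xC0000040)]   # INITIALIZED_DATA | MEM_READ | MEM_WRITE
    dos = bytearray(64)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 60, 64)                        # e_lfanew: NT headers follow at once
    nt = struct.pack("<I", IMAGE_NT_SIGNATURE)
    nt += struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x0102)   # i386 file header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    struct.pack_into("<II", opt, 32, sect_align, file_align)   # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, file_align)       # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                         # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    table, raw_ptr = b"", file_align
    for name, va, vsize, raw_size, chars in secs:
        table += struct.pack("<8sIIII12xI", name, vsize, va, raw_size, raw_ptr, chars)
        raw_ptr += raw_size
    headers = bytes(dos) + nt + bytes(opt) + table
    return headers + bytes(file_align - len(headers)) + bytes(raw_ptr - file_align)


if __name__ == "__main__":
    img = build_sample_image()
    info = parse_pe(img)
    print(f"ImageBase 0x{info['image_base']:X}, entry RVA 0x{info['entry_point']:X}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} RVA 0x{s['virtual_address']:06X}  {s['protection']}")
    print("truncated copy accepted?", is_well_formed(img[:0x300]))
```

Run as a script it lists the two sections as PAGE_EXECUTE_READ and PAGE_READWRITE and shows that a copy cut off inside the .text raw data is rejected instead of being copied blindly. Note that the shift is done as an integer operation; the VB RShift divides as a Double, and a Double used as an array index is rounded, not truncated.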
ASKER
XP Blue Screen Crash Error
STOP: 0x0000008E
at which line does it occur?
ReDim b(0 To LOF(hfile))
Should be
ReDim b(0 To LOF(hfile)-1)
PS. Huh! One byte can kill Billy :)
ASKER
-_- still crashes
STOP 0x0000008E
0x00000005, 0x804FB874, 0xBA3ACA00, 0x00000000
Perhaps it's my hardware?
But I seem to play Quake 4 and HL2 and many HDR games just fine. It never crashed before.
ASKER
::::::: at which line does it occur?
I already said that above;
Call ResumeThread(pi.hThread)
Well, now that I try it I get a bluescreen too, on exactly the same line...
system:
win xp home sp2
amd 3800+ x2 (64 bits)
asus A8N - SLI mobo
what are the specs of your system?
ASKER
Win XP pro SP2
Intel Pentium 4 3.8
NVidia 7800 GTX
2 Gig Dual-Channel of Ram
offtopic: I've also got an NVidia 7800 GTX ;)
//
ontopic:
I think the problem is in SP2.
Will someone else test the code too, and report the result and the config it's running on?
Hi
XP Pro SP2 IntPent Cel 2.2
Works fine
I have a working VB sample - any e-mail address to send it to, plz
ASKER
knightmare@gmail.com
Hi
I've uploaded sample at http://vbrussian.com/download.asp?Type=Example&ID=115
Playing with threads from VB (same as subclassing) is sometimes dangerous - any break on error can crash the OS. Here is my working application. It contains 4 modules and 1 form:
'============ mContext.bas=============
'Declarations for changing thread's context:
Option Explicit
'=======Thread context staff===========
Const SIZE_OF_80387_REGISTERS = 80
Type FLOATING_SAVE_AREA
ControlWord As Long
StatusWord As Long
TagWord As Long
ErrorOffset As Long
ErrorSelector As Long
DataOffset As Long
DataSelector As Long
RegisterArea(1 To SIZE_OF_80387_REGISTERS) As Byte
Cr0NpxState As Long
End Type
Public Type CONTEXT86
ContextFlags As Long
'These are selected by CONTEXT_DEBUG_REGISTERS
Dr0 As Long
Dr1 As Long
Dr2 As Long
Dr3 As Long
Dr6 As Long
Dr7 As Long
'These are selected by CONTEXT_FLOATING_POINT
FloatSave As FLOATING_SAVE_AREA
'These are selected by CONTEXT_SEGMENTS
SegGs As Long
SegFs As Long
SegEs As Long
SegDs As Long
'These are selected by CONTEXT_INTEGER
Edi As Long
Esi As Long
Ebx As Long
Edx As Long
Ecx As Long
Eax As Long
'These are selected by CONTEXT_CONTROL
Ebp As Long
Eip As Long
SegCs As Long
EFlags As Long
Esp As Long
SegSs As Long
End Type
Public Const CONTEXT_X86 = &H10000
Public Const CONTEXT86_CONTROL = (CONTEXT_X86 Or &H1) 'SS:SP, CS:IP, FLAGS, BP
Public Const CONTEXT86_INTEGER = (CONTEXT_X86 Or &H2) 'AX, BX, CX, DX, SI, DI
Public Const CONTEXT86_SEGMENTS = (CONTEXT_X86 Or &H4) 'DS, ES, FS, GS
Public Const CONTEXT86_FLOATING_POINT = (CONTEXT_X86 Or &H8) '387 state
Public Const CONTEXT86_DEBUG_REGISTERS = (CONTEXT_X86 Or &H10) 'DB 0-3,6,7
Public Const CONTEXT86_FULL = (CONTEXT86_CONTROL Or CONTEXT86_INTEGER Or CONTEXT86_SEGMENTS)
Public Declare Function GetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As CONTEXT86) As Long
Public Declare Function SetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As CONTEXT86) As Long
Public Declare Function SuspendThread Lib "kernel32" (ByVal hThread As Long) As Long
Public Declare Function ResumeThread Lib "kernel32" (ByVal hThread As Long) As Long
'==============mOpenSave.bas==========
'Module for calling standard Open/Save dialog - just for changing victim/aggressor files
Private Type OPENFILENAME 'Open & Save Dialog
lStructSize As Long
hwndOwner As Long
hInstance As Long
lpstrFilter As String
lpstrCustomFilter As String
nMaxCustFilter As Long
nFilterIndex As Long
lpstrFile As String
nMaxFile As Long
lpstrFileTitle As String
nMaxFileTitle As Long
lpstrInitialDir As String
lpstrTitle As String
flags As Long
nFileOffset As Integer
nFileExtension As Integer
lpstrDefExt As String
lCustData As Long
lpfnHook As Long
lpTemplateName As String
End Type
Private Const OFN_OVERWRITEPROMPT = &H2
Private Const OFN_HIDEREADONLY = &H4
Private Const OFN_HELPBUTTON = &H10
Private Const OFN_ENABLEHOOK = &H20
Private Const OFN_ENABLETEMPLATE = &H40
Private Const OFN_PATHMUSTEXIST = &H800
Private Const OFN_FILEMUSTEXISTS = &H1000
Private Const OFN_EXPLORER = &H80000
'OFN_EXPLORER OR OFN_FILEMUSTEXISTS
Private Const OFN_OPENFLAGS = &H81000
'OFN_OPENFLAGS OR OFN_OVERWRITEPROMPT AND NOT OFN_FILEMUSTEXIST
Private Const OFN_SAVEFLAGS = &H80002
Public Const MAX_PATH = 260
Private Declare Function GetOpenFileName Lib "comdlg32.dll" Alias "GetOpenFileNameA" (pOpenfilename As OPENFILENAME) As Long
Private Declare Function GetSaveFileName Lib "comdlg32.dll" Alias "GetSaveFileNameA" (pOpenfilename As OPENFILENAME) As Long
Public Function GetFileName(Optional ByVal sFileName As String, Optional ByVal sFilter As String, Optional ByVal sTitle As String, Optional bOpen As Boolean = True) As String
Dim OFN As OPENFILENAME
Dim ret As Long
Dim sExt As String
Dim i As Long 'loop index for the filter-separator replacement below
With OFN
.lStructSize = Len(OFN)
For i = 1 To Len(sFilter)
If Mid(sFilter, i, 1) = "|" Then
Mid(sFilter, i, 1) = vbNullChar
End If
Next
sFilter = sFilter & String$(2, 0)
.lpstrFilter = sFilter
.lpstrTitle = sTitle
.lpstrInitialDir = App.Path
.hInstance = App.hInstance
.lpstrFile = sFileName & String(MAX_PATH - Len(sFileName), 0)
.lpstrFileTitle = String(MAX_PATH, 0)
.nMaxFile = MAX_PATH
End With
If bOpen Then
OFN.flags = OFN.flags Or OFN_OPENFLAGS
ret = GetOpenFileName(OFN)
Else
OFN.flags = OFN.flags Or OFN_SAVEFLAGS
ret = GetSaveFileName(OFN)
End If
If ret Then GetFileName = TrimNull(OFN.lpstrFile)
End Function
Public Function TrimNull(startstr As String) As String
Dim pos As Integer
pos = InStr(startstr, Chr$(0))
If pos Then
TrimNull = Left$(startstr, pos - 1)
Exit Function
End If
TrimNull = startstr
End Function
'=======================mProcess.bas=============
'Declarations relative to windows processes/threads
Option Explicit
'========Process creation and memory access staff=========
Public Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type
Public Type STARTUPINFO
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long 'LPBYTE
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type
Public Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpAppName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Public Declare Function ZwUnmapViewOfSection Lib "ntdll.dll" (ByVal hProcess As Long, ByVal BaseAddress As Long) As Long
Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Public Declare Function VirtualProtectEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Public Const CREATE_SUSPENDED = &H4
Public Const MEM_COMMIT As Long = &H1000&
Public Const MEM_RESERVE As Long = &H2000&
Public Const PAGE_NOCACHE As Long = &H200
Public Const PAGE_EXECUTE_READWRITE As Long = &H40
Public Const PAGE_EXECUTE_WRITECOPY As Long = &H80
Public Const PAGE_EXECUTE_READ As Long = &H20
Public Const PAGE_EXECUTE As Long = &H10
Public Const PAGE_READONLY As Long = &H2
Public Const PAGE_WRITECOPY As Long = &H8
Public Const PAGE_NOACCESS As Long = &H1
Public Const PAGE_READWRITE As Long = &H4
'=========mRunPE.bas=============
'Main module
Option Explicit
'========Main staff for any API code :)===========
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Dest As Any, Src As Any, ByVal L As Long)
'==========PE staff==============
Private Enum ImageSignatureTypes
IMAGE_DOS_SIGNATURE = &H5A4D ''\\ MZ
IMAGE_OS2_SIGNATURE = &H454E ''\\ NE
IMAGE_OS2_SIGNATURE_LE = &H454C ''\\ LE
IMAGE_VXD_SIGNATURE = &H454C ''\\ LE
IMAGE_NT_SIGNATURE = &H4550 ''\\ PE00
End Enum
Private Type IMAGE_DOS_HEADER
e_magic As Integer ' Magic number
e_cblp As Integer ' Bytes on last page of file
e_cp As Integer ' Pages in file
e_crlc As Integer ' Relocations
e_cparhdr As Integer ' Size of header in paragraphs
e_minalloc As Integer ' Minimum extra paragraphs needed
e_maxalloc As Integer ' Maximum extra paragraphs needed
e_ss As Integer ' Initial (relative) SS value
e_sp As Integer ' Initial SP value
e_csum As Integer ' Checksum
e_ip As Integer ' Initial IP value
e_cs As Integer ' Initial (relative) CS value
e_lfarlc As Integer ' File address of relocation table
e_ovno As Integer ' Overlay number
e_res(0 To 3) As Integer ' Reserved words
e_oemid As Integer ' OEM identifier (for e_oeminfo)
e_oeminfo As Integer ' OEM information; e_oemid specific
e_res2(0 To 9) As Integer ' Reserved words
e_lfanew As Long ' File address of new exe header
End Type
' MSDOS File header
Private Type IMAGE_FILE_HEADER
Machine As Integer
NumberOfSections As Integer
TimeDateStamp As Long
PointerToSymbolTable As Long
NumberOfSymbols As Long
SizeOfOptionalHeader As Integer
characteristics As Integer
End Type
' Directory format.
Private Type IMAGE_DATA_DIRECTORY
VirtualAddress As Long
Size As Long
End Type
' Optional header format.
Const IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
Private Type IMAGE_OPTIONAL_HEADER
' Standard fields.
Magic As Integer
MajorLinkerVersion As Byte
MinorLinkerVersion As Byte
SizeOfCode As Long
SizeOfInitializedData As Long
SizeOfUnitializedData As Long
AddressOfEntryPoint As Long
BaseOfCode As Long
BaseOfData As Long
' NT additional fields.
ImageBase As Long
SectionAlignment As Long
FileAlignment As Long
MajorOperatingSystemVersion As Integer
MinorOperatingSystemVersion As Integer
MajorImageVersion As Integer
MinorImageVersion As Integer
MajorSubsystemVersion As Integer
MinorSubsystemVersion As Integer
W32VersionValue As Long
SizeOfImage As Long
SizeOfHeaders As Long
CheckSum As Long
SubSystem As Integer
DllCharacteristics As Integer
SizeOfStackReserve As Long
SizeOfStackCommit As Long
SizeOfHeapReserve As Long
SizeOfHeapCommit As Long
LoaderFlags As Long
NumberOfRvaAndSizes As Long
DataDirectory(0 To IMAGE_NUMBEROF_DIRECTORY_ENTRIES - 1) As IMAGE_DATA_DIRECTORY
End Type
Private Type IMAGE_NT_HEADERS
Signature As Long
FileHeader As IMAGE_FILE_HEADER
OptionalHeader As IMAGE_OPTIONAL_HEADER
End Type
' Section header
Const IMAGE_SIZEOF_SHORT_NAME = 8
Private Type IMAGE_SECTION_HEADER
SecName As String * IMAGE_SIZEOF_SHORT_NAME
VirtualSize As Long
VirtualAddress As Long
SizeOfRawData As Long
PointerToRawData As Long
PointerToRelocations As Long
PointerToLinenumbers As Long
NumberOfRelocations As Integer
NumberOfLinenumbers As Integer
characteristics As Long
End Type
'=============Code================
Const OFFSET_4 = 4294967296#
Public Function RunExe(ByVal sVictim As String, abExeFile() As Byte) As Long
Dim idh As IMAGE_DOS_HEADER
Dim inh As IMAGE_NT_HEADERS
Dim ish As IMAGE_SECTION_HEADER
Dim pi As PROCESS_INFORMATION
Dim si As STARTUPINFO
Dim context As CONTEXT86
Dim ImageBase As Long, ret As Long, i As Long
Dim addr As Long, lOffset As Long
CopyMemory idh, abExeFile(0), Len(idh)
If idh.e_magic <> IMAGE_DOS_SIGNATURE Then
MsgBox "MZ signature not found!", vbCritical, "File load error"
Exit Function
End If
CopyMemory inh, abExeFile(idh.e_lfanew), Len(inh)
If inh.Signature <> IMAGE_NT_SIGNATURE Then
MsgBox "PE signature not found!", vbCritical, "File load error"
Exit Function
End If
si.cb = Len(si)
If CreateProcess(vbNullString, sVictim, 0, 0, False, CREATE_SUSPENDED, 0, 0, si, pi) = 0 Then
MsgBox "Can not start victim process!", vbCritical
Exit Function
End If
context.ContextFlags = CONTEXT86_INTEGER
If GetThreadContext(pi.hThread, context) = 0 Then GoTo ClearProcess
Call ReadProcessMemory(pi.hProcess, ByVal context.Ebx + 8, addr, 4, 0)
If addr = 0 Then GoTo ClearProcess
If ZwUnmapViewOfSection(pi.hProcess, addr) Then GoTo ClearProcess
ImageBase = VirtualAllocEx(pi.hProcess, ByVal inh.OptionalHeader.ImageBase, inh.OptionalHeader.SizeOfImage, MEM_RESERVE Or MEM_COMMIT, PAGE_READWRITE)
If ImageBase = 0 Then GoTo ClearProcess
Call WriteProcessMemory(pi.hProcess, ByVal ImageBase, abExeFile(0), inh.OptionalHeader.SizeOfHeaders, ret)
lOffset = idh.e_lfanew + Len(inh)
For i = 0 To inh.FileHeader.NumberOfSections - 1
CopyMemory ish, abExeFile(lOffset + i * Len(ish)), Len(ish)
Call WriteProcessMemory(pi.hProcess, ByVal ImageBase + ish.VirtualAddress, abExeFile(ish.PointerToRawData), ish.SizeOfRawData, ret)
Call VirtualProtectEx(pi.hProcess, ByVal ImageBase + ish.VirtualAddress, ish.VirtualSize, Protect(ish.characteristics), addr)
Next i
Call WriteProcessMemory(pi.hProcess, ByVal context.Ebx + 8, ImageBase, 4, ret)
context.Eax = ImageBase + inh.OptionalHeader.AddressOfEntryPoint
Call SetThreadContext(pi.hThread, context)
Call ResumeThread(pi.hThread)
Exit Function
ClearProcess:
CloseHandle pi.hThread
CloseHandle pi.hProcess
End Function
Private Function Protect(ByVal characteristics As Long) As Long
Dim mapping As Variant
mapping = Array(PAGE_NOACCESS, PAGE_EXECUTE, PAGE_READONLY, _
PAGE_EXECUTE_READ, PAGE_READWRITE, PAGE_EXECUTE_READWRITE, _
PAGE_READWRITE, PAGE_EXECUTE_READWRITE)
Protect = mapping(RShift(characteristics, 29))
End Function
Private Function RShift(ByVal lValue As Long, ByVal lNumberOfBitsToShift As Long) As Long
'Int() truncates the quotient; assigning the Double straight to a Long would round it, so a set bit 28 (IMAGE_SCN_MEM_SHARED) could push the index up by one
RShift = Int(vbLongToULong(lValue) / (2 ^ lNumberOfBitsToShift))
End Function
Private Function vbLongToULong(ByVal Value As Long) As Double
If Value < 0 Then
vbLongToULong = Value + OFFSET_4
Else
vbLongToULong = Value
End If
End Function
'============Form code================
'Copy/Paste following code into notepad and save as Form1.frm
VERSION 5.00
Begin VB.Form Form1
BorderStyle = 1 'Fixed Single
Caption = "Form1"
ClientHeight = 1785
ClientLeft = 45
ClientTop = 435
ClientWidth = 5700
LinkTopic = "Form1"
MaxButton = 0 'False
MinButton = 0 'False
ScaleHeight = 1785
ScaleWidth = 5700
StartUpPosition = 2 'CenterScreen
Begin VB.TextBox Text1
Height = 375
Index = 1
Left = 1080
TabIndex = 4
Text = "Text1"
Top = 720
Width = 4095
End
Begin VB.CommandButton Command2
Caption = "..."
Height = 375
Index = 1
Left = 5160
TabIndex = 3
ToolTipText = "Load executable"
Top = 720
Width = 375
End
Begin VB.CommandButton Command2
Caption = "..."
Height = 375
Index = 0
Left = 5160
TabIndex = 2
ToolTipText = "Load executable"
Top = 120
Width = 375
End
Begin VB.CommandButton Command1
Caption = "Command1"
Height = 375
Left = 3000
TabIndex = 1
Top = 1320
Width = 2535
End
Begin VB.TextBox Text1
Height = 375
Index = 0
Left = 1080
TabIndex = 0
Text = "Text1"
Top = 120
Width = 4095
End
Begin VB.Label Label1
Caption = "Aggressor:"
Height = 255
Index = 1
Left = 120
TabIndex = 6
Top = 840
Width = 975
End
Begin VB.Label Label1
Caption = "Victim:"
Height = 255
Index = 0
Left = 120
TabIndex = 5
Top = 240
Width = 975
End
End
Attribute VB_Name = "Form1"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Option Explicit
Private Declare Sub InitCommonControls Lib "comctl32" () 'For XP style
Private Function LoadFile(ByVal sName As String) As Byte()
Dim nFile As Integer
Dim arrFile() As Byte
nFile = FreeFile
Open sName For Binary As #nFile
ReDim arrFile(LOF(nFile) - 1)
Get #nFile, , arrFile
Close #nFile
LoadFile = arrFile
End Function
Private Sub Command1_Click()
RunExe Text1(0).Text, LoadFile(Text1(1).Text)
End Sub
Private Sub Command2_Click(Index As Integer)
Dim sExe As String
sExe = GetFileName(Text1(Index).Text, "Executables|*.exe")
If sExe <> "" Then Text1(Index) = sExe
End Sub
Private Sub Form_Initialize()
InitCommonControls
End Sub
Private Sub Form_Load()
Text1(0) = Environ$("COMSPEC")
Text1(1) = Environ$("WINDIR") & "\system32\calc.exe"
Command1.Caption = "Run exe from byte array!"
Caption = "RunPE Demo"
End Sub
Private Sub Text1_Change(Index As Integer)
Dim bEnable As Boolean
bEnable = Trim(Text1(0).Text) <> ""
bEnable = bEnable And (Dir(Text1(1).Text) <> "")
Command1.Enabled = bEnable
End Sub
'PS - I've sent working code to knightmare@gmail.com
I've uploaded a sample at http://vbrussian.com/download.asp?Type=Example&ID=115
Playing with threads from VB (same as subclassing) is sometimes dangerous - any break on error can crash OS. Here is my working application. It contains 4 modules and 1 form:
'============ mContext.bas=============
'Declarations for changing thread's context:
Option Explicit
'=======Thread context staff===========
Const SIZE_OF_80387_REGISTERS = 80
Type FLOATING_SAVE_AREA
ControlWord As Long
StatusWord As Long
TagWord As Long
ErrorOffset As Long
ErrorSelector As Long
DataOffset As Long
DataSelector As Long
RegisterArea(1 To SIZE_OF_80387_REGISTERS) As Byte
Cr0NpxState As Long
End Type
Public Type CONTEXT86
ContextFlags As Long
'These are selected by CONTEXT_DEBUG_REGISTERS
Dr0 As Long
Dr1 As Long
Dr2 As Long
Dr3 As Long
Dr6 As Long
Dr7 As Long
'These are selected by CONTEXT_FLOATING_POINT
FloatSave As FLOATING_SAVE_AREA
'These are selected by CONTEXT_SEGMENTS
SegGs As Long
SegFs As Long
SegEs As Long
SegDs As Long
'These are selected by CONTEXT_INTEGER
Edi As Long
Esi As Long
Ebx As Long
Edx As Long
Ecx As Long
Eax As Long
'These are selected by CONTEXT_CONTROL
Ebp As Long
Eip As Long
SegCs As Long
EFlags As Long
Esp As Long
SegSs As Long
End Type
Public Const CONTEXT_X86 = &H10000
Public Const CONTEXT86_CONTROL = (CONTEXT_X86 Or &H1) 'SS:SP, CS:IP, FLAGS, BP
Public Const CONTEXT86_INTEGER = (CONTEXT_X86 Or &H2) 'AX, BX, CX, DX, SI, DI
Public Const CONTEXT86_SEGMENTS = (CONTEXT_X86 Or &H4) 'DS, ES, FS, GS
Public Const CONTEXT86_FLOATING_POINT = (CONTEXT_X86 Or &H8) '387 state
Public Const CONTEXT86_DEBUG_REGISTERS = (CONTEXT_X86 Or &H10) 'DB 0-3,6,7
Public Const CONTEXT86_FULL = (CONTEXT86_CONTROL Or CONTEXT86_INTEGER Or CONTEXT86_SEGMENTS)
Public Declare Function GetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As CONTEXT86) As Long
Public Declare Function SetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As CONTEXT86) As Long
Public Declare Function SuspendThread Lib "kernel32" (ByVal hThread As Long) As Long
Public Declare Function ResumeThread Lib "kernel32" (ByVal hThread As Long) As Long
'==============mOpenSave.bas=============
'Module for calling standard Open/Save dialog - just for changing victim/aggressor files
Private Type OPENFILENAME 'Open & Save Dialog
lStructSize As Long
hwndOwner As Long
hInstance As Long
lpstrFilter As String
lpstrCustomFilter As String
nMaxCustFilter As Long
nFilterIndex As Long
lpstrFile As String
nMaxFile As Long
lpstrFileTitle As String
nMaxFileTitle As Long
lpstrInitialDir As String
lpstrTitle As String
flags As Long
nFileOffset As Integer
nFileExtension As Integer
lpstrDefExt As String
lCustData As Long
lpfnHook As Long
lpTemplateName As String
End Type
Private Const OFN_OVERWRITEPROMPT = &H2
Private Const OFN_HIDEREADONLY = &H4
Private Const OFN_HELPBUTTON = &H10
Private Const OFN_ENABLEHOOK = &H20
Private Const OFN_ENABLETEMPLATE = &H40
Private Const OFN_PATHMUSTEXIST = &H800
Private Const OFN_FILEMUSTEXISTS = &H1000
Private Const OFN_EXPLORER = &H80000
'OFN_EXPLORER OR OFN_FILEMUSTEXISTS
Private Const OFN_OPENFLAGS = &H81000
'OFN_OPENFLAGS OR OFN_OVERWRITEPROMPT AND NOT OFN_FILEMUSTEXIST
Private Const OFN_SAVEFLAGS = &H80002
Public Const MAX_PATH = 260
Private Declare Function GetOpenFileName Lib "comdlg32.dll" Alias "GetOpenFileNameA" (pOpenfilename As OPENFILENAME) As Long
Private Declare Function GetSaveFileName Lib "comdlg32.dll" Alias "GetSaveFileNameA" (pOpenfilename As OPENFILENAME) As Long
Public Function GetFileName(Optional ByVal sFileName As String, Optional ByVal sFilter As String, Optional ByVal sTitle As String, Optional bOpen As Boolean = True) As String
Dim OFN As OPENFILENAME
Dim ret As Long
Dim sExt As String
With OFN
.lStructSize = Len(OFN)
For i = 1 To Len(sFilter)
If Mid(sFilter, i, 1) = "|" Then
Mid(sFilter, i, 1) = vbNullChar
End If
Next
sFilter = sFilter & String$(2, 0)
.lpstrFilter = sFilter
.lpstrTitle = sTitle
.lpstrInitialDir = App.Path
.hInstance = App.hInstance
.lpstrFile = sFileName & String(MAX_PATH - Len(sFileName), 0)
.lpstrFileTitle = String(MAX_PATH, 0)
.nMaxFile = MAX_PATH
End With
If bOpen Then
OFN.flags = OFN.flags Or OFN_OPENFLAGS
ret = GetOpenFileName(OFN)
Else
OFN.flags = OFN.flags Or OFN_SAVEFLAGS
ret = GetSaveFileName(OFN)
End If
If ret Then GetFileName = TrimNull(OFN.lpstrFile)
End Function
Public Function TrimNull(startstr As String) As String
Dim pos As Integer
pos = InStr(startstr, Chr$(0))
If pos Then
TrimNull = Left$(startstr, pos - 1)
Exit Function
End If
TrimNull = startstr
End Function
'=======================mP
'Declarations relative to windows processes/threads
Option Explicit
'========Process creation and memory access staff=========
Public Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type
Public Type STARTUPINFO
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long 'LPBYTE
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type
Public Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpAppName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Public Declare Function ZwUnmapViewOfSection Lib "ntdll.dll" (ByVal hProcess As Long, ByVal BaseAddress As Long) As Long
Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Public Declare Function VirtualProtectEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Public Const CREATE_SUSPENDED = &H4
Public Const MEM_COMMIT As Long = &H1000&
Public Const MEM_RESERVE As Long = &H2000&
Public Const PAGE_NOCACHE As Long = &H200
Public Const PAGE_EXECUTE_READWRITE As Long = &H40
Public Const PAGE_EXECUTE_WRITECOPY As Long = &H80
Public Const PAGE_EXECUTE_READ As Long = &H20
Public Const PAGE_EXECUTE As Long = &H10
Public Const PAGE_READONLY As Long = &H2
Public Const PAGE_WRITECOPY As Long = &H8
Public Const PAGE_NOACCESS As Long = &H1
Public Const PAGE_READWRITE As Long = &H4
'=========mRunPE.bas======
'Main module
Option Explicit
'========Main staff for any API code :)===========
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Dest As Any, Src As Any, ByVal L As Long)
'==========PE staff==============
Private Enum ImageSignatureTypes
IMAGE_DOS_SIGNATURE = &H5A4D ''\\ MZ
IMAGE_OS2_SIGNATURE = &H454E ''\\ NE
IMAGE_OS2_SIGNATURE_LE = &H454C ''\\ LE
IMAGE_VXD_SIGNATURE = &H454C ''\\ LE
IMAGE_NT_SIGNATURE = &H4550 ''\\ PE00
End Enum
Private Type IMAGE_DOS_HEADER
e_magic As Integer ' Magic number
e_cblp As Integer ' Bytes on last page of file
e_cp As Integer ' Pages in file
e_crlc As Integer ' Relocations
e_cparhdr As Integer ' Size of header in paragraphs
e_minalloc As Integer ' Minimum extra paragraphs needed
e_maxalloc As Integer ' Maximum extra paragraphs needed
e_ss As Integer ' Initial (relative) SS value
e_sp As Integer ' Initial SP value
e_csum As Integer ' Checksum
e_ip As Integer ' Initial IP value
e_cs As Integer ' Initial (relative) CS value
e_lfarlc As Integer ' File address of relocation table
e_ovno As Integer ' Overlay number
e_res(0 To 3) As Integer ' Reserved words
e_oemid As Integer ' OEM identifier (for e_oeminfo)
e_oeminfo As Integer ' OEM information; e_oemid specific
e_res2(0 To 9) As Integer ' Reserved words
e_lfanew As Long ' File address of new exe header
End Type
' MSDOS File header
Private Type IMAGE_FILE_HEADER
Machine As Integer
NumberOfSections As Integer
TimeDateStamp As Long
PointerToSymbolTable As Long
NumberOfSymbols As Long
SizeOfOptionalHeader As Integer
characteristics As Integer
End Type
' Directory format.
Private Type IMAGE_DATA_DIRECTORY
VirtualAddress As Long
Size As Long
End Type
' Optional header format.
Const IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
Private Type IMAGE_OPTIONAL_HEADER
' Standard fields.
Magic As Integer
MajorLinkerVersion As Byte
MinorLinkerVersion As Byte
SizeOfCode As Long
SizeOfInitializedData As Long
SizeOfUnitializedData As Long
AddressOfEntryPoint As Long
BaseOfCode As Long
BaseOfData As Long
' NT additional fields.
ImageBase As Long
SectionAlignment As Long
FileAlignment As Long
MajorOperatingSystemVersion As Integer
MinorOperatingSystemVersion As Integer
MajorImageVersion As Integer
MinorImageVersion As Integer
MajorSubsystemVersion As Integer
MinorSubsystemVersion As Integer
W32VersionValue As Long
SizeOfImage As Long
SizeOfHeaders As Long
CheckSum As Long
SubSystem As Integer
DllCharacteristics As Integer
SizeOfStackReserve As Long
SizeOfStackCommit As Long
SizeOfHeapReserve As Long
SizeOfHeapCommit As Long
LoaderFlags As Long
NumberOfRvaAndSizes As Long
DataDirectory(0 To IMAGE_NUMBEROF_DIRECTORY_ENTRIES - 1) As IMAGE_DATA_DIRECTORY
End Type
Private Type IMAGE_NT_HEADERS
Signature As Long
FileHeader As IMAGE_FILE_HEADER
OptionalHeader As IMAGE_OPTIONAL_HEADER
End Type
' Section header
Const IMAGE_SIZEOF_SHORT_NAME = 8
Private Type IMAGE_SECTION_HEADER
SecName As String * IMAGE_SIZEOF_SHORT_NAME
VirtualSize As Long
VirtualAddress As Long
SizeOfRawData As Long
PointerToRawData As Long
PointerToRelocations As Long
PointerToLinenumbers As Long
NumberOfRelocations As Integer
NumberOfLinenumbers As Integer
characteristics As Long
End Type
'=============Code================
Const OFFSET_4 = 4294967296#
Public Function RunExe(ByVal sVictim As String, abExeFile() As Byte) As Long
Dim idh As IMAGE_DOS_HEADER
Dim inh As IMAGE_NT_HEADERS
Dim ish As IMAGE_SECTION_HEADER
Dim pi As PROCESS_INFORMATION
Dim si As STARTUPINFO
Dim context As CONTEXT86
Dim ImageBase As Long, ret As Long, i As Long
Dim addr As Long, lOffset As Long
CopyMemory idh, abExeFile(0), Len(idh)
If idh.e_magic <> IMAGE_DOS_SIGNATURE Then
MsgBox "MZ signature not found!", vbCritical, "File load error"
Exit Function
End If
CopyMemory inh, abExeFile(idh.e_lfanew), Len(inh)
If inh.Signature <> IMAGE_NT_SIGNATURE Then
MsgBox "PE signature not found!", vbCritical, "File load error"
Exit Function
End If
si.cb = Len(si)
If CreateProcess(vbNullString, sVictim, 0, 0, False, CREATE_SUSPENDED, 0, 0, si, pi) = 0 Then
MsgBox "Can not start victim process!", vbCritical
Exit Function
End If
context.ContextFlags = CONTEXT86_INTEGER
If GetThreadContext(pi.hThread, context) = 0 Then GoTo ClearProcess
Call ReadProcessMemory(pi.hProcess, ByVal context.Ebx + 8, addr, 4, 0)
If addr = 0 Then GoTo ClearProcess
If ZwUnmapViewOfSection(pi.hProcess, addr) Then GoTo ClearProcess
ImageBase = VirtualAllocEx(pi.hProcess, ByVal inh.OptionalHeader.ImageBase, inh.OptionalHeader.SizeOfImage, MEM_RESERVE Or MEM_COMMIT, PAGE_READWRITE)
If ImageBase = 0 Then GoTo ClearProcess
Call WriteProcessMemory(pi.hProcess, ByVal ImageBase, abExeFile(0), inh.OptionalHeader.SizeOfHeaders, ret)
lOffset = idh.e_lfanew + Len(inh)
For i = 0 To inh.FileHeader.NumberOfSections - 1
CopyMemory ish, abExeFile(lOffset + i * Len(ish)), Len(ish)
Call WriteProcessMemory(pi.hProcess, ByVal ImageBase + ish.VirtualAddress, abExeFile(ish.PointerToRawData), ish.SizeOfRawData, ret)
Call VirtualProtectEx(pi.hProcess, ByVal ImageBase + ish.VirtualAddress, ish.VirtualSize, Protect(ish.characteristics), addr)
Next i
Call WriteProcessMemory(pi.hProcess, ByVal context.Ebx + 8, ImageBase, 4, ret)
context.Eax = ImageBase + inh.OptionalHeader.AddressOfEntryPoint
Call SetThreadContext(pi.hThread, context)
Call ResumeThread(pi.hThread)
Exit Function
ClearProcess:
CloseHandle pi.hThread
CloseHandle pi.hProcess
End Function
Private Function Protect(ByVal characteristics As Long) As Long
Dim mapping As Variant
mapping = Array(PAGE_NOACCESS, PAGE_EXECUTE, PAGE_READONLY, _
PAGE_EXECUTE_READ, PAGE_READWRITE, PAGE_EXECUTE_READWRITE, _
PAGE_READWRITE, PAGE_EXECUTE_READWRITE)
Protect = mapping(RShift(characteristics, 29))
End Function
Private Function RShift(ByVal lValue As Long, ByVal lNumberOfBitsToShift As Long) As Long
'Int() truncates the quotient; assigning the Double straight to a Long would round it, so a set bit 28 (IMAGE_SCN_MEM_SHARED) could push the index up by one
RShift = Int(vbLongToULong(lValue) / (2 ^ lNumberOfBitsToShift))
End Function
Private Function vbLongToULong(ByVal Value As Long) As Double
If Value < 0 Then
vbLongToULong = Value + OFFSET_4
Else
vbLongToULong = Value
End If
End Function
'============Form code================
'Copy/Paste following code into notepad and save as Form1.frm
VERSION 5.00
Begin VB.Form Form1
BorderStyle = 1 'Fixed Single
Caption = "Form1"
ClientHeight = 1785
ClientLeft = 45
ClientTop = 435
ClientWidth = 5700
LinkTopic = "Form1"
MaxButton = 0 'False
MinButton = 0 'False
ScaleHeight = 1785
ScaleWidth = 5700
StartUpPosition = 2 'CenterScreen
Begin VB.TextBox Text1
Height = 375
Index = 1
Left = 1080
TabIndex = 4
Text = "Text1"
Top = 720
Width = 4095
End
Begin VB.CommandButton Command2
Caption = "..."
Height = 375
Index = 1
Left = 5160
TabIndex = 3
ToolTipText = "Load executable"
Top = 720
Width = 375
End
Begin VB.CommandButton Command2
Caption = "..."
Height = 375
Index = 0
Left = 5160
TabIndex = 2
ToolTipText = "Load executable"
Top = 120
Width = 375
End
Begin VB.CommandButton Command1
Caption = "Command1"
Height = 375
Left = 3000
TabIndex = 1
Top = 1320
Width = 2535
End
Begin VB.TextBox Text1
Height = 375
Index = 0
Left = 1080
TabIndex = 0
Text = "Text1"
Top = 120
Width = 4095
End
Begin VB.Label Label1
Caption = "Aggressor:"
Height = 255
Index = 1
Left = 120
TabIndex = 6
Top = 840
Width = 975
End
Begin VB.Label Label1
Caption = "Victim:"
Height = 255
Index = 0
Left = 120
TabIndex = 5
Top = 240
Width = 975
End
End
Attribute VB_Name = "Form1"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Option Explicit
Private Declare Sub InitCommonControls Lib "comctl32" () 'For XP style
Private Function LoadFile(ByVal sName As String) As Byte()
Dim nFile As Integer
Dim arrFile() As Byte
nFile = FreeFile
Open sName For Binary As #nFile
ReDim arrFile(LOF(nFile) - 1)
Get #nFile, , arrFile
Close #nFile
LoadFile = arrFile
End Function
Private Sub Command1_Click()
RunExe Text1(0).Text, LoadFile(Text1(1).Text)
End Sub
Private Sub Command2_Click(Index As Integer)
Dim sExe As String
sExe = GetFileName(Text1(Index).Text, "Executables|*.exe")
If sExe <> "" Then Text1(Index) = sExe
End Sub
Private Sub Form_Initialize()
InitCommonControls
End Sub
Private Sub Form_Load()
Text1(0) = Environ$("COMSPEC")
Text1(1) = Environ$("WINDIR") & "\system32\calc.exe"
Command1.Caption = "Run exe from byte array!"
Caption = "RunPE Demo"
End Sub
Private Sub Text1_Change(Index As Integer)
Dim bEnable As Boolean
bEnable = Trim(Text1(0).Text) <> ""
bEnable = bEnable And (Dir(Text1(1).Text) <> "")
Command1.Enabled = bEnable
End Sub
'PS - I've sent working code to knightmare@gmail.com
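The header walk in RunExe above (MZ check, e_lfanew, PE signature, section table, the Protect() mapping), as an added Python example that is not Ark's code or part of the VB project: it parses a PE32 image constructed inline for the demo, adds the bounds checks RunExe skips, and reports sections the Protect() table would map writable and executable. The names parse_pe, audit and build_demo_image are mine, and nothing from the process-replacement part of RunExe is reproduced.

```python
import struct

IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE = 0x5A4D, 0x00004550   # "MZ", "PE\0\0"
SIZEOF_DOS_HEADER, SIZEOF_OPTIONAL_HEADER32, SIZEOF_SECTION_HEADER = 64, 224, 40
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE = 0x01, 0x02, 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x10, 0x20, 0x40
# Same table as the VB Protect() helper; the index is the top three characteristic
# bits (bit 31 = MEM_WRITE, bit 30 = MEM_READ, bit 29 = MEM_EXECUTE).
PROTECT_MAP = [PAGE_NOACCESS, PAGE_EXECUTE, PAGE_READONLY, PAGE_EXECUTE_READ,
               PAGE_READWRITE, PAGE_EXECUTE_READWRITE, PAGE_READWRITE, PAGE_EXECUTE_READWRITE]

def protect(characteristics):
    """Page protection for a section.  A true shift, unlike the VB RShift() divide,
    which rounds: 0x70000000 (R+X+SHARED) gives 3.5 -> 4 -> PAGE_READWRITE there."""
    return PROTECT_MAP[(characteristics & 0xFFFFFFFF) >> 29]

def parse_pe(image):
    """Walk the headers the way RunExe does, adding the bounds checks it omits."""
    if len(image) < SIZEOF_DOS_HEADER or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("MZ signature not found")
    e_lfanew = struct.unpack_from("<I", image, 60)[0]
    if e_lfanew + 24 + SIZEOF_OPTIONAL_HEADER32 > len(image):
        raise ValueError("e_lfanew points past end of file")
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    fh = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    n_sections, size_opt, opt = fh[1], fh[5], e_lfanew + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("not PE32; the VB IMAGE_OPTIONAL_HEADER is 32-bit only")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]      # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", image, opt + 28)[0]     # ImageBase
    table = opt + size_opt   # RunExe assumes Len(inh); SizeOfOptionalHeader is authoritative
    sections = []
    for i in range(n_sections):
        off = table + i * SIZEOF_SECTION_HEADER
        if off + SIZEOF_SECTION_HEADER > len(image):
            raise ValueError("section table runs past end of file")
        name, vsize, rva, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", image, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "rva": rva,
                         "virtual_size": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size,
                         "characteristics": chars, "protect": protect(chars)})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}

def audit(image):
    """Conditions a loader should refuse: raw section data past the end of the file
    (RunExe would hand WriteProcessMemory bytes beyond abExeFile) and sections that
    the Protect() table would map writable and executable at once."""
    findings = []
    for s in parse_pe(image)["sections"]:
        if s["raw_ptr"] + s["raw_size"] > len(image):
            findings.append((s["name"], "raw data extends past end of file"))
        if s["protect"] == PAGE_EXECUTE_READWRITE:
            findings.append((s["name"], "section is writable and executable"))
    return findings

def build_demo_image(sections):
    """Assemble a minimal PE32 file from (name, rva, raw_size, characteristics) tuples.
    Constructed for this demo only: valid headers, 0xCC filler bodies, not a runnable program."""
    hdr_end = SIZEOF_DOS_HEADER + 24 + SIZEOF_OPTIONAL_HEADER32 + SIZEOF_SECTION_HEADER * len(sections)
    dos = bytearray(SIZEOF_DOS_HEADER)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 60, SIZEOF_DOS_HEADER)          # e_lfanew: NT headers follow at once
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, SIZEOF_OPTIONAL_HEADER32, 0x0102)
    opt = bytearray(SIZEOF_OPTIONAL_HEADER32)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, sections[0][1])             # AddressOfEntryPoint = first section
    struct.pack_into("<I", opt, 28, 0x00400000)                 # ImageBase
    struct.pack_into("<I", opt, 60, hdr_end)                    # SizeOfHeaders
    table, bodies, raw_ptr = b"", b"", hdr_end
    for name, rva, raw_size, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, raw_size, rva, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        bodies += b"\xCC" * raw_size
        raw_ptr += raw_size
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt) + table + bodies

DEMO_IMAGE = build_demo_image([
    (b".text", 0x1000, 0x200, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x2000, 0x200, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".wx", 0x3000, 0x200, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)])
```

Running audit(DEMO_IMAGE) reports only the .wx section; truncating the image makes it also report the section whose raw data no longer fits in the file.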
ASKER
HI Ark:
I tried your sample. RESULT: Crashed :/
I consulted with a friend, and he has 6 different hardware-based SP2 systems... we tested your exe on all 6 and all of them gave the SAME EXACT error 0x00000008 STOP (0x000000c05, ....)
We ran your exe on a Windows 2003 server of his, and it ran beautifully!
So, I am convinced it's an SP2 thing. Can someone figure out what the heck is exactly the issue?
I edited my win xp settings, and made it: optin=AlwaysOff /NOPAE
which pretty much disabled PAE mode and DEP but that still didn't fix it. It still crashes. The crash message is the same if you try closing csrss.exe so it's definitely something xp related.
I look forward to any response I get on this matter.
Thanks,
ASKER
I solved the problem;
When you run windows in Debugging Mode from F8 start-up menu, it works perfectly.
Is there a registry switch I can change, or something that I can do which would allow it to work without starting up windows in Debugging Mode?
ASKER
Sorry to double post, but I noticed some EXEs don't run. Is this because the EXEs I am trying to run have too many graphical resources on them?
I am a mainly VB and Assembly guy, an odd combination I know, but I never worked with C other than a few homebrew gaming console applications.
I am trying to run this ooooooooold ass game's EXE. What I am really trying to do is to have control over the EXE, make sure no one edits it before runtime. So I was encrypting the EXE into a byte array inside the application. And also do additional features like MP3 support etc.
Now this EXE has a ton of resources, icons and BMPs, even AVI files. I am not familiar with PE format, nor the functions which run them.
You seem to be friggin' awesome at both though, any ideas?
It's strange :(
I have only the /NoExecute=OptIn switch in boot.ini (FireWall is off) and this allows me to run this code without any problem.
Just rechecked all code - the only suggestion is to change protection mode in
ImageBase = VirtualAllocEx(pi.hProcess, ByVal inh.OptionalHeader.ImageBase, inh.OptionalHeader.SizeOfImage, MEM_RESERVE Or MEM_COMMIT, PAGE_READWRITE)
to PAGE_EXECUTE_READWRITE
Also, you need Admin rights to inject exe
And switch off all process-managers/firewalls (like outpost, antivirus software etc)
ASKER
Hmm doesn't seem to be helping. I have Windows One Care Live thing for antivirus and firewall.
Anyways though, I guess I can ask people if they want to play the game they have to do it in debugging mode :P
I guess my final question at this point is, what's the reason for EXEs with a lot of resources not running?
ASKER
Hi
Unfortunately, I can not download the source from the above link. Can you send it to ark@msun.ru ?
ASKER
I mailed it to ya
it requires crash32.dll
ASKER
Sending that too :) sowee.
ASKER CERTIFIED SOLUTION
ASKER
Well... I guess I don't know anymore, I am just gonna give you the points. Thank you for your help this far :)
Leo