Delete a file in use - Run an EXE Hidden - Run code in other process' memory *NEW VERSION*
Submitted on: 5/2/2003 6:21:42 PM
By: Alexandru Ionescu
By 39 Users
Compatibility: VB 5.0, VB 6.0
Users have accessed this code 6739 times.
Hi everyone, the code is back in Version 2.0 and better than ever! You can now insert your code into Explorer, thus removing the need for compiling a separate special application. You can also create forms, subclass them, and call some (not all) VB functions, as well as use all API and previous modules in your code. This code will create a sample window and then delete itself. However it won't kill the thread, so if you run it again, make sure you kill/restart explorer. Once the code is run, the application will appear NOWHERE. It is also possible to use this method in order to Hook system API calls, which is what I'll be working on for next month. Thanks for your votes last month, I hope you like this new version even better! (Still need compile controller, it's included, read the module for more information)
|Other User Comments|
|5/2/2003 6:27:36 PM:Ultimatum|
Now THIS is what I'm talking about! =)
|5/2/2003 6:37:58 PM:Ultimatum|
Oh, here's another question: What
skin/XP style are you using?
|5/2/2003 7:05:46 PM:|
Does this work in 9x ?
|5/2/2003 7:31:36 PM:LogicalX|
Here's another GURU. 5*
|5/2/2003 7:33:09 PM:Alexandru Ionescu|
It doesn't work in 9X yet, there are
some hidden API calls to do this, but I
haven't gotten around to them yet. If
there is a lot of demand for a
9x-compatible version I might try to
work on it. The problem is that I don't
have 9x anymore, so it would be really
hard for me to debug. Ultimatum: I am
using the skin from Windows
|5/2/2003 8:34:43 PM:Chris Bradley|
He owes you nothing, Dream.
|5/2/2003 9:08:03 PM:Eagle|
Thanks for demo. Search for Plugins on
PSC and you will also see some ideas on
how to do the same. 5 from here
|5/2/2003 9:08:57 PM:Alexandru Ionescu|
Dream, perhaps you had trouble reading
the comments in the code that say
"NT-Based system" and "I'm trying to
get this to work under 9x." Besides,
some research on msdn.microsoft.com and
looking for the requirements for some
of the API calls would clearly show you
that it's NT-only for now.
|5/2/2003 10:23:08 PM:Alexandru Ionescu|
Eagle, I find plugins to be something
totally different. While the concept
would work for adding new features to
an application, it doesn't have the
advantage of totally hiding your
code...plugins still need a file, and
run in your application's memory.
|5/2/2003 11:18:28 PM:Alex Kwok|
umm.... how come the zip only contained
a module file....
|5/3/2003 12:24:46 AM:Dream|
Alek you need his first submission for
the rest of the files. ALEXANDRU: READ
WHAT I TYPED, you made no mention of
the fact it does not work on 9x systems
in the first version, so not
surprisingly I overlooked your comment
about it in the second version, thus I
spent considerable time trying to get
this to work. Pay Attention.
|5/3/2003 12:32:03 AM:Dream|
Oh and Alek Kwok... check out last
month's contest winners for the first
|5/3/2003 12:33:36 AM:Alexandru Ionescu|
Hi Dream..I've just noticed that PSC
took out my other files...very weird.
I'll try to re-upload, although yes,
using the old ones will work. Once
compiled, the app should run on any NT+
machine with msvbvm60.dll (the VB
|5/3/2003 2:51:31 AM:Ali Akbar|
gr8 work Alex. 5* from me.
|5/3/2003 3:37:52 AM:|
Great Job man !!
Abs(5) from me ;)
|5/3/2003 3:54:25 AM:DerEngel|
Very Very VERY Tight (5/5)
|5/3/2003 4:31:14 AM:Dream|
Isn't msvbvm60.dll installed with windows
on NT based systems ie: 2kpro,
longhorn, and xp ? p.s. I'm installing
XP on another terminal to get a look at
|5/3/2003 7:36:52 AM:VF-fCRO|
The Idea isn't bad..So there is
what you'll encounter:
BASE ADDRESS NAMED WITH VirtualAllocEx
is in USE BY ANOTHER MODULE AND KERNEL
ALLOCATE FIRST HIGHER
2--WHAT'S THAT MEANS?
EXE DS: IS STILL ON LOWER
(REFERENCE ADDRESS USE)
if kernel load DLL on
your code will
ds:[C201000] (REFERENCE ADDRESS
CODE SEGMENT WILL BE ON PREVIOUS
ADDRESS AND YOU'LL ENCOUNTER
example works only if BASE
isn't in use by another
your STACK is too small and
than 10-20 parameters on
I suggest you to
Execute DLL through Remote Thread
instead of EXE...
|5/3/2003 9:49:34 AM:Vlad Vissoultchev|
i see your project is progressing.
unfortunately it's still not possible
to run "normal" VB code in the host
if you are wondering the
reason for GPFs it is that COM
libraries are not initialized on the
remote thread! neither is the VB
the same problem is faced
when using CreateThread API function
for in-process multi-threading in a VB
application. you can find my solution
i'm quite interested in the
progress of the injection attempt,
ultimately would like to be able to
execute fully fledged VB code
keep up the good
|5/3/2003 10:44:42 AM:J. Hope|
Alexandru Ionescu, another TERRIFIC
program, i liked the other one you
posted, keep me informed of any new
releases 5 globes!
|5/3/2003 11:56:03 AM:Alexandru Ionescu|
vf-fcro: you're right about that, there
is a risk that 0x13140000 might already
be taken...however, since i randomly
chose that number, and i've ran it on
many many computers, as well as all the
PSC users, I haven't found a case of
something like that happening. Also, I
can't really allocate anything else
than that address if it fails, since
the base address of the EXE will still
be the same. IF it doesn't work on
someone's computer, they will have to
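A defender's view of the allocation discussed in this comment, as an added example that is not part of the original submission or thread: memory obtained with VirtualAllocEx is private rather than image-backed, so an EXE copied into another process shows up as a PE header that the loaded-module list does not account for. The snapshot, module sizes and the execute protection on the 0x13140000 region are constructed assumptions; on a live system these fields would come from VirtualQueryEx.

```python
from dataclasses import dataclass

# Constants from winnt.h (MEMORY_BASIC_INFORMATION fields).
MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x20000, 0x1000000
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80  # the four PAGE_EXECUTE* protections

@dataclass
class Region:
    base: int
    size: int
    state: int
    protect: int
    type: int
    head: bytes  # first bytes read from the region

def in_module(addr, modules):
    """True if addr lies inside an image the loader knows about."""
    return any(base <= addr < base + size for base, size, _ in modules)

def find_suspect_regions(regions, modules):
    """Return [(base, [reasons])] for committed private regions that look injected."""
    findings = []
    for r in regions:
        if r.state != MEM_COMMIT or r.type != MEM_PRIVATE:
            continue  # image-backed and mapped sections are not VirtualAllocEx output
        reasons = []
        if r.protect & EXEC_MASK:
            reasons.append("private memory with execute permission")
        if r.head[:2] == b"MZ" and not in_module(r.base, modules):
            reasons.append("PE header not in the loaded-module list")
        if reasons:
            findings.append((r.base, reasons))
    return findings

# Constructed snapshot of one process (not captured from a real system).
MODULES = [(0x01000000, 0xFF000, "explorer.exe"), (0x7C800000, 0xF4000, "kernel32.dll")]
REGIONS = [
    Region(0x00150000, 0x10000, MEM_COMMIT, 0x04, MEM_PRIVATE, b"\x00" * 4),   # heap, RW
    Region(0x01000000, 0x1000, MEM_COMMIT, 0x02, MEM_IMAGE, b"MZ\x90\x00"),    # real image
    Region(0x13140000, 0x1000, MEM_COMMIT, 0x40, MEM_PRIVATE, b"MZ\x90\x00"),  # copied EXE
    Region(0x7C800000, 0x1000, MEM_COMMIT, 0x02, MEM_IMAGE, b"MZ\x90\x00"),    # real image
]

if __name__ == "__main__":
    for base, reasons in find_suspect_regions(REGIONS, MODULES):
        print(f"{base:#010x}: " + "; ".join(reasons))
```

Private executable memory on its own also occurs in JIT-compiling processes, so the PE-header check is the stronger of the two signals.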
|5/3/2003 11:57:39 AM:Alexandru Ionescu|
Vlad: I will take a look at your code.
However, it is possible to run some VB
functions as you've seen (Instr, left,
mid). However I think you were
referring to using forms and class
modules, etc, instead of relying on
pure API. Thanks for the link.
you everyone for your appreciation
It's a great birthday present (26th
|5/3/2003 12:10:35 PM:Alexandru Ionescu|
Dream: The VB Runtime is not installed
by default on NT systems...maybe on XP.
However, I can try to include it and
compress it into the exe. It would then
extract itself when it's run, removing
the need for you to install it on every
|5/3/2003 5:10:54 PM:|
Its Great use if u are a hacker other
than that no use for it...
|5/3/2003 6:21:15 PM:Alexandru Ionescu|
Actually, it can have many other
Self-modifying code for
Running a file only once,
and then deleting itself
modules to an application that doesn't
(reloading the program from
And accessing/reading memory
from other processes for debugging
|5/4/2003 4:27:42 AM:loopz87|
I believe this is a very nice code, but
I can't run it because the
CompileControl doesn't seem to work. It
says it can't find the
|5/4/2003 4:38:43 AM:loopz87|
"Make" menu. So i changed the "Make"
thing to "Crea" in the compiler
control, cause i have the Italian VB.
Nothing happened. Please help...
|5/4/2003 7:28:04 AM:Alexandru Ionescu|
Loopz: The line Set cbFileMenu =
File" should be in Italian, the name of
the first menu in VB, where you have
open/save. If Left$(cbMakeMenu.Caption,
4) = "Make" should be the first four
characters of the make command.
|5/4/2003 7:35:25 AM:loopz87|
Yes, i changed it, but nothing still
|5/4/2003 7:37:29 AM:Alexandru Ionescu|
Which error do you get? Cannot find
"File" or cannot find "make"?
|5/4/2003 7:58:51 AM:loopz87|
cannot find make
|5/4/2003 8:02:42 AM:Ivo Smits|
Explorer.exe crashes when I run
pscinject.exe. I'm using windows XP pro.
|5/4/2003 10:05:42 AM:VF-fCRO|
Force Linker to make an Exe with
Pushing exe on STATIC BASE
ADDRESS expose too many
Knowing how NTDLL.DLL load
can avoid many troubles
like Loading Dependent DLL or
I suggest you to Use
LdrLoadDll API from NTDLL which Loads
all FORWARDS DLL (indenpendenies)
unlike LoadLibrary KERNEL API which
load only named Module in Virtual
i think VB isn't
right place to do as you try....
you should try to use a debugger Loop
instead of this approach.
|5/4/2003 10:26:12 AM:Alexandru Ionescu|
loopz's problem was fixed...if you have
another version of VB, simply remove
the "for..next" loop in
compilecontroler (where it gives the
error) and set the index to 13.
|5/4/2003 11:31:57 AM:|
While this can be used for malicious
purposes, it's of great use in other
situations. great code. 5 globe
|5/5/2003 2:23:26 AM:Sascha|
Real good work! Nice to use for most
"interesting" things. Difficult to
understand but I am growing on the
challenge.... ;) 5*4u
|5/5/2003 9:15:40 AM:|
nice code you're a genius 5/5 let's hope
we can get some vb functions working
soon ? :P
|5/5/2003 9:18:08 AM:NovaSoft|
Happened to find something that may be
of interest and use for making it 9x
compatible. Use EliCZ's RT.DLL library.
It is a 2.5kb ASM DLL that emulates NT
functions for 9x. His homepage is
|5/5/2003 10:44:37 AM:Aboka|
To Alexandru Ionescu -
your email, downloaded both the version
and it ROCKS.
|5/5/2003 10:46:35 AM:Aboka|
***** Globes From me,
|5/6/2003 1:31:49 AM:email@example.com|
why are you all bashing his program...?
great piece of code, didn't think
someone would take the time to do this
in VB ;]
|5/6/2003 2:52:18 AM:Bram Pelgrom|
Why is it that I'm worrying about
lamers using this code to create
|5/6/2003 3:24:16 AM:Libor Blaheta|
Good work,but Win98(95) does not have
lFreeEx.But you can download special
DLL(which these API contain) here
|5/6/2003 6:17:25 AM:Alexandru Ionescu|
Thanks for the elirt link Libor and
Novasoft. I'll try to incorporate the
DLL in the next version.
|5/6/2003 1:40:36 PM:|
Can you make one demonstration of your
code..like you said it can be used
for..like crash recovery..? self
destroy?.. this will only work for the
programs that are created in vb right?
can you do this remotely in a lan? like
a remote guardian or something like
that (hope you get the idea)?
|5/6/2003 7:23:19 PM:Michael Canejo|
He doesn't have to make a demonstration
to prove his statements. ALL code can
be used for something bad. KILL can
delete files, or it can delete the
programs preference file safely. In
real life a pencil can write or if the
user decides to use it as a weapon,
it's his choice just as the code here
|5/6/2003 9:01:37 PM:|
I saw your script on IRC and i must say
i was very impressed with the work you
have done with it. Excellent, keep up
the good work.
|5/6/2003 10:26:23 PM:|
Great code, hope that the next version
will support COM and win9x
|5/7/2003 2:37:33 AM:Libor Blaheta|
Hi, I think many
users have Win98/95 which don't contain
CreateRemoteThread. I have from the
Internet good articles and
sources(C,Delphi,ASM not VB :-( ) about
API hooking and Code injection, if you
want it I can send it.(I don't have
time and experience to rewrite it to
VB). I'm looking forward to your API
|5/7/2003 4:30:35 PM:Viktor E|
To Dream: The VB runtime is installed
on Windows 2000 Pro. Sandele, it looks like
you've knocked them out :)
|5/9/2003 2:12:12 PM:rubens|
5* for you
The code might be used for
destroy, but this community is rather
for learn, and this is really
Thanks for your code,
and keep improving it, there are
beginners, like me, that can't do this
|5/13/2003 2:56:03 PM:|
Why not use compile control to make a
dll... Add in some blank functions then
edit them to be this
; set up the
why not just come up with the asm
machine code for calling LoadLibrary to
load a vb DLL -- then you could write
that as your
|5/25/2003 6:20:45 AM:Rizzy J|
Excellent piece of code here!! Please
can you submit a win9x version in the
near future. 5 globes from me!
|5/26/2003 12:54:52 PM:|
Excellent Work!! **5** from
Put how to open system process
or get the window handle of it to
inject our code in the system
any way in c++ i could open
system process as the same way
are using, i don`t know way
hope you can find a way,
|5/26/2003 2:17:49 PM:Alexandru Ionescu|
Win9x will be coming up soon, I'm
currently in exam period and haven't
had the time to update the code.
for hijacking system processes, you'll
need to use the SetDebugPrivileges
Token. I'll add that in the next
edition of the code as well.
|5/26/2003 2:28:14 PM:|
okay thanks a lot,
and i am waiting
the next version.
i hope it will not
be long time,
take care, thanks
|5/26/2003 6:06:00 PM:|
hey look i can now inject
into nt system processes but
all crashed after creating
thread i don`t know why,
please help me i need your help
i need to run this work.
|6/30/2003 12:28:03 PM:Danny J|
Win2003 looks a lot better than XP for
|6/30/2003 8:22:56 PM:Michael Barnathan|
Wow. I didn't even think this was
possible before seeing this submission.
5 globes from me.
|7/1/2003 4:58:26 PM:|
i'm not able to get this code
|7/1/2003 5:02:42 PM:|
i don't know, why the rest has not been
the error is: explorer.exe:
process "written" on memory is
i have windows xp
|7/2/2003 1:11:13 AM:rae the coder|
i would give you 5 but, all it does is
injection..boring..yawn..back to asm
|7/2/2003 7:51:39 AM:Alexandru Ionescu|
rae: What version of Windows are you
running? Did you properly set up the
Imagebase with compile controller and
read the instructions?
agent: Did you
properly set up the imagebase with
compile controller and read all the
|7/5/2003 7:53:55 PM:KenKnutson|
Wow, this is going to provide learning
material for quite some time. Thanks.
Please keep up the excellent work, I
look forward to the next version. Best
|7/11/2003 6:16:44 PM:rae the coder|
windows xp 2600 sp1
yes i followed
the instructions but after restarting
my pc and running it again, it worked