|
Delete a file in use - Run an EXE Hidden - Run code in other process' memory *NEW VERSION* |
|
| | 
| Submitted on: 5/2/2003 6:21:42 PM
By: Alexandru Ionescu
Level: Advanced
User Rating:
By 39 Users
Compatibility:VB 5.0, VB 6.0
Users have accessed this code 6739 times.
| |
| | | Hi everyone, the code is back in Version 2.0 and better then ever! You can now insert your code into Explorer, thus removing the need for compiling a separate special application. You can also create forms, subclass them, and call some (not all) VB functions, as well as use all API and previous modules in your code. This code will create a sample window and then delete itself. However it won't kill the thread, so if you run it again, make sure you kill/restart explorer. Once the code is run, the application will appear NOWHERE. It is also possible to use this method in order to Hook system API calls, which is what I'll be working on for next month. Thanks for your votes last month, I hope you like this new version even better! (Still need compile controller, it's included, read the module for more information)
| |
|
| |
|
Download code
Note: Due to the size or complexity of this submission, the author has submitted it as a .zip file to shorten your download time. Afterdownloading it, you will need a program like Winzipto decompress it.
Virus note:All files are scanned once-a-day by Planet Source Code for viruses,but new viruses come out every day, so no prevention program can catch 100% of them.
FOR YOUR OWN SAFETY, PLEASE:
1)Re-scan downloaded files using your personal virus checker before using it.
2)NEVER, EVER run compiled files (.exe's, .ocx's, .dll's etc.)--only run source code.
3)Scan the source code with Minnow's Project Scanner
If you don't have a virus scanner, you can get one at many places on the net including:McAfee.com
|
Terms of Agreement:
By using this code, you agree to the following terms...
1) You may use
this code in your own programs (and may compile it into a program and distribute it in compiled format for languages that allow it) freely and with no charge.
2) You MAY NOT redistribute this code (for example to a web site) without written permission from the original author. Failure to do so is a violation of copyright laws.
3) You may link to this code from another website, but ONLY if it is not wrapped in a frame.
4) You will abide by any additional copyright restrictions which the author may have placed in the code or code's description. |
Other 2 submission(s) by this author
|
|
| |
| Report Bad Submission |
|
| |
| Your Vote! |
|
See Voting Log |
| |
| Other User Comments |
5/2/2003 6:27:36 PM:Ultimatum
Now THIS is what I'm talking about! =)
|
5/2/2003 6:37:58 PM:Ultimatum
Oh, here's another question: What
skin/XP style are you using?
|
5/2/2003 7:05:46 PM:
Does this work in 9x ?
|
5/2/2003 7:31:36 PM:LogicalX
heres another GURU. 5*
|
5/2/2003 7:33:09 PM:Alexandru Ionescu
It doesn't work in 9X yet, there are
some hidden API calls to do this, but I
haven't gotten around to them yet. If
there is a lot of demand for a
9x-compatible version I might try to
work on it. The problem is that I don't
have 9x anymore, so it would be really
hard for me to debug. Ultimatum: I am
using the skin from Windows
Longhorn..Plex.
|
5/2/2003 8:34:43 PM:Chris Bradley
He owe's you nothing Dream.
|
5/2/2003 9:08:03 PM:Eagle
Thnaks for demo. Search for Plugins on
PSC and you will also see some ideas on
how to do the same. 5 from here
|
5/2/2003 9:08:57 PM:Alexandru Ionescu
Dream, perhaps you had trouble reading
the comments in the code that say
"NT-Based system" and "I'm trying to
get this to work under 9x." Besides,
some research on msdn.microsoft.com and
looking for the requirements for some
of the API calls would clearly show you
that it's NT-only for now.
|
5/2/2003 10:23:08 PM:Alexandru Ionescu
Eagle, I find plugins to be something
totally different. While the concept
would work for adding new features to
an application, it doensn't have the
advantage of totally hiding your
code...plugins still need a file, and
run in your application's memory.
|
5/2/2003 11:18:28 PM:Alex Kwok
umm.... how come the zip only contained
a module file....
|
5/3/2003 12:24:46 AM:Dream
Alek you need his first submission for
the rest of the files. ALEXANDRU: READ
WHAT I TYPED, you made no mention of
the fact it does not work on 9x systems
in the first version, so not
suprisingly I overlooked your comment
about it in the second version, thus I
spent considerable time trying to get
this to work. Pay Attention.
|
5/3/2003 12:32:03 AM:Dream
Oh and Alek Kwok... check out last
months contest winners for the first
version!
|
5/3/2003 12:33:36 AM:Alexandru Ionescu
Hi Dream..I've just noticed that PSC
took out my other files...very weird.
I'll try to re-upload, altough yes,
using the old ones will work. Once
compiled, the app should run on any NT+
machine with msvbvm60.dll (the VB
runtime).
|
5/3/2003 2:51:31 AM:Ali Akbar
gr8 work Alex. 5* from me.
|
5/3/2003 3:37:52 AM:
Great Job man !!
Abs(5) from me ;)
|
5/3/2003 3:54:25 AM:DerEngel
Very Very VERY Tight (5/5)
|
5/3/2003 4:31:14 AM:Dream
Isnt msvbvm60dll installed with windows
on NT based systems ie: 2kpro,
longhorn, and xp ? p.s. Im installing
XP on another terminal to get a look at
this!
|
5/3/2003 7:36:52 AM:VF-fCRO
The Idea isn't bad..So there is
problem
what you'll encount:
1--IF
BASE ADDRESS NAMED WITH VirtualAllocEx
is in USE BY ANOTHER MODULE AND KERNEL
ALLOCATE FIRST HIGHER
FREE BASE
ADDRESS
2--WHAT'S THAT MEANS?
YOUR
EXE DS:[] IS STILL ON LOWER
ADR..
Example:
BASE
MODULE=1000000
push ds:[1001000]
(REFERENCE ADDRESS USE)
with Dinamic
linking (dll)
if kernel load DLL on
higher address
your code will
be:
BASE MODULE=C200000
push
ds:[C201000] (REFERENCE ADDRESS
USE)
---------------
In your
case:
CODE SEGMENT WILL BE ON PREVIOUS
BASE
ADDRESS AND YOU'LL ENCOUNT
EXCEPTION_ACCESS_VIOLATION,or
else
EXCEPTION....
.................
...................
Conclusion:
Your
example works only if BASE
ADDRESS
isn't in use by another
module,also
your STACK is to small and
pushing more
than 10-20 parameters on
it also
cause
EXCEPTION...
-------------------
-----------------
I suggest you to
Execute DLL through Remote Thread
insted of EXE...
GRETZ
|
5/3/2003 9:49:34 AM:Vlad Vissoultchev
i see your project is progressing.
unfortunately it's still not possible
to run "normal" VB code in the host
process.
if you are wondering the
reason for GPFs it is that COM
libraries are not initialized on the
remote thread! neither is the VB
runtime!
the same problem is faced
when using CreateThread API function
for in-process multi-threading in a VB
application. you can find my solution
here
http://www.planet-source-code.com/vb/scr
ipts/ShowCode.asp?txtCodeId=36373&lngWId
=1
i'm quite intersting in the
progress of the injection attempt,
ultimately would like to be able to
execute fully fledged VB code
"remotely".
keep up the good
work,
</wqw>
|
5/3/2003 10:44:42 AM:J. Hope
Alexandru Ionescu, another TERRIFIC
program, i liked the other one you
posted, keep me informed of any new
releases 5 globes!
|
5/3/2003 11:56:03 AM:Alexandru Ionescu
vf-fcro: you're right about that, there
is a risk that 0x13140000 might already
be taken...however, since i randomly
chose that number, and i've ran it on
many many computers, as well as all the
PSC users, I haven't found a case of
something like that happening. Also, I
can't really allocate anything else
then taht address if it fails, since
the base address of the EXE will still
be the same. IF it doesn't work on
someone's computer, they will have to
recompile it.
|
5/3/2003 11:57:39 AM:Alexandru Ionescu
Vlad: I will take a look at your code.
However, it is possible to run some VB
functions as you've seen (Instr, left,
mid). However I think you were
referring to using forms and class
modules, etc, instead of relying on
pure API. Thanks for the link.
Thank
you everyone for your appreciation
=)
It's a great birthday present (26th
april 86).
|
5/3/2003 12:10:35 PM:Alexandru Ionescu
Dream: The VB Runtime is not installed
by default on NT systems...maybe on XP.
However, I can try to include it and
compress it into the exe. It would then
extract itself when it's run, removing
the need for you to install it on every
computer.
|
5/3/2003 5:10:54 PM:
Its Great use if u are a hacker other
that that no use for it...
|
5/3/2003 6:21:15 PM:Alexandru Ionescu
Actually, it can have many other
usages:
Self-modidying code for
auto-updates
Running a file only once,
and then deleting itself
Adding new
modules to an application that doesn't
support plugins
Crash recovery
(reloading the program from
memory)
And accessing/reading memory
from other processes for debugging
purposes. =)
|
5/4/2003 4:27:42 AM:loopz87
I believe this is a very nice code, but
I can't run it because the
CompileControl doesn't seem to work. It
says it can't find the
|
5/4/2003 4:38:43 AM:loopz87
"Make" menu. So i changed the "Make"
thing to "Crea" in the compiler
control, cause i have the Italian VB.
Nothing happened. Please help...
|
5/4/2003 7:28:04 AM:Alexandru Ionescu
Loopz: The line Set cbFileMenu =
mIDE.CommandBars(1).Controls("File")..."
File" should be in Italian, the name of
the first menu in VB, where you have
open/save. If Left$(cbMakeMenu.Caption,
4) = "Make" should be the first four
characters of the make command.
|
5/4/2003 7:35:25 AM:loopz87
Yes, i changed it, but nothing still
happens
|
5/4/2003 7:37:29 AM:Alexandru Ionescu
Which error do you get? Cannot find
"File" or cannot find "make"?
|
5/4/2003 7:58:51 AM:loopz87
cannot find make
|
5/4/2003 8:02:42 AM:Ivo Smits
Explorer.exe crashes when I run
pscinject.exe. I'm using windows XP pro.
|
5/4/2003 10:05:42 AM:VF-fCRO
Force Linker to make an Exe with
Exports
with Realocation
Table..
Pushing exe on STATIC BASE
ADDRESS expose too many
problems!
Knowing how NTDLL.DLL load
modules you
can avoid many troubles
like Loading Dependent DLL or
Drivers.
I suggest you to Use
LdrLoadDll API from NTDLL which Loads
all FORWARDS DLL (indenpendenies)
unlike LoadLibrary KERNEL API which
load only named Module in Virtual
Address Space!
i think VB isn't
right place to do as you try....
Maybe
you should try to use a debugger Loop
instead of this approach.
|
5/4/2003 10:26:12 AM:Alexandru Ionescu
loopz's problem was fixed...if you have
another version of VB, simply remove
the "for..next" loop in
compilecontroler (where it gives the
error) and set the index to 13.
|
5/4/2003 11:31:57 AM:
While this can be used for malicious
purposes, it's of great use in other
situations. great code. 5 globe
|
5/5/2003 2:23:26 AM:Sascha
Real good work! Nice to use for most
"interesting" things. Difficult to
understand but iam growing on the
challenge.... ;) 5*4u
|
5/5/2003 9:15:40 AM:
nice code your a genius 5/5 lets hope
we can get some vb functions working
soon ? :P
|
5/5/2003 9:18:08 AM:NovaSoft
Happend to find something that may be
of interest and use for making it 9x
compatible. Use EliCZ's RT.DLL library.
It is a 2.5kb ASM DLL that emulates NT
functions for 9x. His homepage is
http://elicz.cjb.net/
|
5/5/2003 10:44:37 AM:Aboka
To Alexandru Ionescu -
I received
your email, downloaded both the version
and it ROCKS.
Thank you,
|
5/5/2003 10:46:35 AM:Aboka
***** Globes From me,
|
5/6/2003 1:31:49 AM:hunterg0000@yahoo.com
why are you all bashing his program...?
great piece of code, didn't think
someone would take the time to do this
in VB ;]
|
5/6/2003 2:52:18 AM:Bram Pelgrom
Why is it that I'm worrying about
lamers using this code to create
another
|
5/6/2003 3:24:16 AM:Libor Blaheta
Good work,but Win98(95) does not have
CreateRemoteThread/VirtualAllocEx/Virtua
lFreeEx.But you can download special
DLL(which these API contain) here
http://www.anticracking.sk/EliCZ/export/
EliRT.zip.
|
5/6/2003 6:17:25 AM:Alexandru Ionescu
Thanks for the elirt link Libor and
Novasoft. I'll try to incorporate the
DLL in the next version.
|
5/6/2003 1:40:36 PM:
Can you make one demostration of your
code..like you said it can be used
for..like crash recovery..? self
destroy?.. this will only work for the
programs that are created in vb right?
can you do this remotely in a lan? like
a remote guardian or something like
that (hope you get the idea)?
|
5/6/2003 7:23:19 PM:Michael Canejo
He doesn't have to make a demonstration
to prove his statements. ALL code can
be used for something bad. KILL can
delete files, or it can delete the
programs preference file safely. In
real life a pencil can write or if the
user decides to use it as a weapon,
it's his choice just as the code here
is.
|
5/6/2003 9:01:37 PM:
I saw your script on IRC and i must say
i was very impressed with the work you
have done with it. Excellent, keep up
the good work.
|
5/6/2003 10:26:23 PM:
Great code, hope that the next version
will support COM and win9x
|
5/7/2003 2:37:33 AM:Libor Blaheta
To:Alexandru Ionescu
Hi, I think many
users have Win98/95 which don't contain
CreateRemoteThread. I have from the
Internet good articles and
sources(C,Delphi,ASM not VB :-( ) about
API hooking and Code injection, if you
want it I can send it.(I don't have
time and experience to rewrite it to
VB). I'm looking forward to your API
hooking code.
Libor
|
5/7/2003 4:30:35 PM:Viktor E
To Dream: The VB runtime is installed
on Windows 2000 Pro. Sandele, pare ca
i-ai dat gata :)
|
5/9/2003 2:12:12 PM:rubens
5* for you
The code might be used for
destroy, but this comunity is rather
for learn, and this is really
interesting job!
Thanks for your code,
and keep improving it, there are
beginners, like me, that can´t do this
work.
|
5/13/2003 2:56:03 PM:
Why not use compile control to make a
dll... Add in some blank functions then
edit them to be this
format
pushad
pushfd
; set up the
function parameters
call
realFunction
popfd
popad
also...
why not just come up with the asm
machine code for calling LoadLibrary to
load a vb DLL -- then you could write
that as your
|
5/25/2003 6:20:45 AM:Rizzy J
Excellent piece of code here!! Please
can you submit a win9x version in the
near future. 5 globes from me!
|
5/26/2003 12:54:52 PM:
Excellent Work!! **5** from
me...
Put how to open system process
or get the window handle of it to
inject our code in the system
process,
any way in c++ i could open
any
system process as the same way
u
are using, i don`t know way
i
hope you can find a way,
thanks for
sharing it.
|
5/26/2003 2:17:49 PM:Alexandru Ionescu
Win9x will be coming up soon, I'm
currently in exam period and haven't
had the time to update the code.
As
for hijacking system processes, you'll
need to use the SetDebugPrivileges
Token. I'll add that in the next
edition of the code as well.
|
5/26/2003 2:28:14 PM:
okay thanks a lot,
and i am watting
the next version.
i hope it will not
be long time,
take care, thanks
again,
|
5/26/2003 6:06:00 PM:
hi again,
heay look i can now inject
my code
into nt system processes but
they
all crashed after creating
remote
thread i don`t know why,
so
please help me i need your help
really
i need to run this work.
thanks,
|
6/30/2003 12:28:03 PM:Danny J
Win2003 looks alot better than XP for
sure
|
6/30/2003 8:22:56 PM:Michael Barnathan
Wow. I didn't even think this was
possible before seeing this submission.
5 globes from me.
|
7/1/2003 4:58:26 PM:
HELP!!!
i'm not able to get this code
run!
error: explorer.exe:
|
7/1/2003 5:02:42 PM:
i don't know, why the rest has not been
submitted:
the error is: explorer.exe:
process "written" on memory is
illegal
i have windows xp
thanx
agent
|
7/2/2003 1:11:13 AM:rae the coder
i would give you 5 but, all it does is
crash explorer..no
injection..boring..yawn..back to asm
|
7/2/2003 7:51:39 AM:Alexandru Ionescu
rae: What version of Windows are you
running? Did you properly set up the
Imagebase with compile controller and
read the instructions?
agent: Did you
properly set up the imagebase with
compile controller and read all the
instructions?
|
7/5/2003 7:53:55 PM:KenKnutson
Wow, this is going to provide learning
material for quite some time. Thanks.
Please keep up the excellent work, I
look forward to the next version. Best
Regards.
|
7/11/2003 6:16:44 PM:rae the coder
windows xp 2600 sp1
yes i followed
the instructions but after restarting
my pc and running it again, it worked
=] *****
|
|
| Add Your Feedback! |
Note:Not only will your feedback be posted, but an email will be sent to the code's author in your name.
NOTICE: The author of this code has been kind enough to share it with you. If you have a criticism, please state it politely or it will be deleted.
For feedback not related to this particular code, please click here.
|
|
