
Delete a file in use - Run an EXE Hidden - Run code in other process' memory *NEW VERSION*

Submitted on: 5/2/2003 6:21:42 PM
By: Ion Alex Ionescu  
Level: Advanced
User Rating: By 64 Users
Compatibility: VB 5.0, VB 6.0
Views: 49097
 
     Hi everyone, the code is back in Version 2.0 and better than ever! You can now insert your code into Explorer, thus removing the need for compiling a separate special application. You can also create forms, subclass them, and call some (not all) VB functions, as well as use all API and previous modules in your code. This code will create a sample window and then delete itself. However it won't kill the thread, so if you run it again, make sure you kill/restart explorer. Once the code is run, the application will appear NOWHERE. It is also possible to use this method in order to Hook system API calls, which is what I'll be working on for next month. Thanks for your votes last month, I hope you like this new version even better! (Still need compile controller, it's included, read the module for more information)

 
 

Other User Comments

5/2/2003 6:27:36 PMUltimatum

Now THIS is what I'm talking about! =)

 
5/2/2003 6:37:58 PMUltimatum

Oh, here's another question: What skin/XP style are you using?

 
5/2/2003 7:05:46 PM

Does this work in 9x ?

 
5/2/2003 7:31:36 PMLogicalX

here's another GURU. 5*

 
5/2/2003 7:33:09 PMAlexandru Ionescu

It doesn't work in 9X yet, there are some hidden API calls to do this, but I haven't gotten around to them yet. If there is a lot of demand for a 9x-compatible version I might try to work on it. The problem is that I don't have 9x anymore, so it would be really hard for me to debug. Ultimatum: I am using the skin from Windows Longhorn..Plex.

 
5/2/2003 8:34:43 PMChris Bradley

He owes you nothing Dream.

 
5/2/2003 9:08:03 PMEagle

Thanks for demo. Search for Plugins on PSC and you will also see some ideas on how to do the same. 5 from here

 
5/2/2003 9:08:57 PMAlexandru Ionescu

Dream, perhaps you had trouble reading the comments in the code that say "NT-Based system" and "I'm trying to get this to work under 9x." Besides, some research on msdn.microsoft.com and looking for the requirements for some of the API calls would clearly show you that it's NT-only for now.

 
5/2/2003 10:23:08 PMAlexandru Ionescu

Eagle, I find plugins to be something totally different. While the concept would work for adding new features to an application, it doesn't have the advantage of totally hiding your code...plugins still need a file, and run in your application's memory.

 
5/2/2003 11:18:28 PMAlex Kwok

umm.... how come the zip only contained a module file....

 
5/3/2003 12:24:46 AMDream

Alek you need his first submission for the rest of the files. ALEXANDRU: READ WHAT I TYPED, you made no mention of the fact it does not work on 9x systems in the first version, so not surprisingly I overlooked your comment about it in the second version, thus I spent considerable time trying to get this to work. Pay Attention.

 
5/3/2003 12:32:03 AMDream

Oh and Alek Kwok... check out last months contest winners for the first version!

 
5/3/2003 12:33:36 AMAlexandru Ionescu

Hi Dream..I've just noticed that PSC took out my other files...very weird. I'll try to re-upload, although yes, using the old ones will work. Once compiled, the app should run on any NT+ machine with msvbvm60.dll (the VB runtime).

 
5/3/2003 2:51:31 AMAli Akbar

gr8 work Alex. 5* from me.

 
5/3/2003 3:37:52 AM

Great Job man !!
Abs(5) from me ;)

 
5/3/2003 3:54:25 AMDerEngel

Very Very VERY Tight (5/5)

 
5/3/2003 4:31:14 AMDream

Isnt msvbvm60dll installed with windows on NT based systems ie: 2kpro, longhorn, and xp ? p.s. Im installing XP on another terminal to get a look at this!

 
5/3/2003 7:36:52 AMVF-fCRO

The Idea isn't bad..So there is problem
what you'll encounter:
1--IF BASE ADDRESS NAMED WITH VirtualAllocEx is in USE BY ANOTHER MODULE AND KERNEL ALLOCATE FIRST HIGHER
FREE BASE ADDRESS

2--WHAT'S THAT MEANS?
YOUR EXE DS:[] IS STILL ON LOWER ADR..

Example:
BASE MODULE=1000000
push ds:[1001000] (REFERENCE ADDRESS USE)

with Dynamic linking (dll)
if kernel load DLL on higher address
your code will be:
BASE MODULE=C200000
push ds:[C201000] (REFERENCE ADDRESS USE)
---------------
In your case:
CODE SEGMENT WILL BE ON PREVIOUS BASE
ADDRESS AND YOU'LL ENCOUNTER EXCEPTION_ACCESS_VIOLATION,or else
EXCEPTION....

....................................
Conclusion:
Your example works only if BASE ADDRESS
isn't in use by another module,also
your STACK is too small and pushing more
than 10-20 parameters on it also cause
EXCEPTION...
------------------------------------

I suggest you to Execute DLL through Remote Thread instead of EXE...


GRETZ


 
5/3/2003 9:49:34 AMVlad Vissoultchev

i see your project is progressing. unfortunately it's still not possible to run "normal" VB code in the host process.

if you are wondering the reason for GPFs it is that COM libraries are not initialized on the remote thread! neither is the VB runtime!

the same problem is faced when using CreateThread API function for in-process multi-threading in a VB application. you can find my solution here http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=36373&lngWId=1
i'm quite interested in the progress of the injection attempt, ultimately would like to be able to execute fully fledged VB code "remotely".

keep up the good work,
</wqw>

 
5/3/2003 10:44:42 AMJ. Hope

Alexandru Ionescu, another TERRIFIC program, i liked the other one you posted, keep me informed of any new releases 5 globes!

 
5/3/2003 11:56:03 AMAlexandru Ionescu

vf-fcro: you're right about that, there is a risk that 0x13140000 might already be taken...however, since i randomly chose that number, and i've run it on many many computers, as well as all the PSC users, I haven't found a case of something like that happening. Also, I can't really allocate anything else than that address if it fails, since the base address of the EXE will still be the same. IF it doesn't work on someone's computer, they will have to recompile it.

 
5/3/2003 11:57:39 AMAlexandru Ionescu

Vlad: I will take a look at your code. However, it is possible to run some VB functions as you've seen (Instr, left, mid). However I think you were referring to using forms and class modules, etc, instead of relying on pure API. Thanks for the link.
Thank you everyone for your appreciation =)
It's a great birthday present (26th april 86).

 
5/3/2003 12:10:35 PMAlexandru Ionescu

Dream: The VB Runtime is not installed by default on NT systems...maybe on XP. However, I can try to include it and compress it into the exe. It would then extract itself when it's run, removing the need for you to install it on every computer.

 
5/3/2003 5:10:54 PM

Its Great use if u are a hacker other than that no use for it...

 
5/3/2003 6:21:15 PMAlexandru Ionescu

Actually, it can have many other usages:
Self-modifying code for auto-updates
Running a file only once, and then deleting itself
Adding new modules to an application that doesn't support plugins
Crash recovery (reloading the program from memory)
And accessing/reading memory from other processes for debugging purposes. =)

 
5/4/2003 4:27:42 AMloopz87

I believe this is a very nice code, but I can't run it because the CompileControl doesn't seem to work. It says it can't find the

 
5/4/2003 4:38:43 AMloopz87

"Make" menu. So i changed the "Make" thing to "Crea" in the compiler control, cause i have the Italian VB. Nothing happened. Please help...

 
5/4/2003 7:28:04 AMAlexandru Ionescu

Loopz: The line Set cbFileMenu = mIDE.CommandBars(1).Controls("File")..."File" should be in Italian, the name of the first menu in VB, where you have open/save. If Left$(cbMakeMenu.Caption, 4) = "Make" should be the first four characters of the make command.

 
5/4/2003 7:35:25 AMloopz87

Yes, i changed it, but nothing still happens

 
5/4/2003 7:37:29 AMAlexandru Ionescu

Which error do you get? Cannot find "File" or cannot find "make"?

 
5/4/2003 7:58:51 AMloopz87

cannot find make


 
5/4/2003 8:02:42 AMIvo Smits

Explorer.exe crashes when I run pscinject.exe. I'm using windows XP pro.

 
5/4/2003 10:05:42 AMVF-fCRO

Force Linker to make an Exe with Exports
with Relocation Table..
Pushing exe on STATIC BASE ADDRESS expose too many problems!
Knowing how NTDLL.DLL load modules you
can avoid many troubles like Loading Dependent DLL or Drivers.
I suggest you to Use LdrLoadDll API from NTDLL which Loads all FORWARDS DLL (indenpendenies) unlike LoadLibrary KERNEL API which load only named Module in Virtual Address Space!

i think VB isn't right place to do as you try....
Maybe you should try to use a debugger Loop instead of this approach.

 
5/4/2003 10:26:12 AMAlexandru Ionescu

loopz's problem was fixed...if you have another version of VB, simply remove the "for..next" loop in compilecontroler (where it gives the error) and set the index to 13.

 
5/4/2003 11:31:57 AM

While this can be used for malicious purposes, it's of great use in other situations. great code. 5 globe

 
5/5/2003 2:23:26 AMSascha

Real good work! Nice to use for most "interesting" things. Difficult to understand but iam growing on the challenge.... ;) 5*4u

 
5/5/2003 9:15:40 AM

nice code you're a genius 5/5 lets hope we can get some vb functions working soon ? :P

 
5/5/2003 9:18:08 AMNovaSoft

Happened to find something that may be of interest and use for making it 9x compatible. Use EliCZ's RT.DLL library. It is a 2.5kb ASM DLL that emulates NT functions for 9x. His homepage is http://elicz.cjb.net/

 
5/5/2003 10:44:37 AMAboka

To Alexandru Ionescu -

I received your email, downloaded both the version and it ROCKS.

Thank you,

 
5/5/2003 10:46:35 AMAboka

***** Globes From me,

 
5/6/2003 1:31:49 AMhunterg0000@yahoo.com

why are you all bashing his program...? great piece of code, didn't think someone would take the time to do this in VB ;]

 
5/6/2003 2:52:18 AMBram Pelgrom

Why is it that I'm worrying about lamers using this code to create another

 
5/6/2003 3:24:16 AMLibor Blaheta

Good work,but Win98(95) does not have CreateRemoteThread/VirtualAllocEx/VirtualFreeEx.But you can download special DLL(which these API contain) here http://www.anticracking.sk/EliCZ/export/EliRT.zip.

 
5/6/2003 6:17:25 AMAlexandru Ionescu

Thanks for the elirt link Libor and Novasoft. I'll try to incorporate the DLL in the next version.

 
5/6/2003 1:40:36 PM

Can you make one demonstration of your code..like you said it can be used for..like crash recovery..? self destroy?.. this will only work for the programs that are created in vb right? can you do this remotely in a lan? like a remote guardian or something like that (hope you get the idea)?

 
5/6/2003 7:23:19 PMMichael Canejo

He doesn't have to make a demonstration to prove his statements. ALL code can be used for something bad. KILL can delete files, or it can delete the programs preference file safely. In real life a pencil can write or if the user decides to use it as a weapon, it's his choice just as the code here is.


 
5/6/2003 9:01:37 PM

I saw your script on IRC and i must say i was very impressed with the work you have done with it. Excellent, keep up the good work.

 
5/6/2003 10:26:23 PM

Great code, hope that the next version will support COM and win9x

 
5/7/2003 2:37:33 AMLibor Blaheta

To:Alexandru Ionescu
Hi, I think many users have Win98/95 which don't contain CreateRemoteThread. I have from the Internet good articles and sources(C,Delphi,ASM not VB :-( ) about API hooking and Code injection, if you want it I can send it.(I don't have time and experience to rewrite it to VB). I'm looking forward to your API hooking code.
Libor

 
5/7/2003 4:30:35 PMViktor E

To Dream: The VB runtime is installed on Windows 2000 Pro. Sandele, looks like you finished them off :)

 
5/9/2003 2:12:12 PMrubens

5* for you
The code might be used for destroy, but this community is rather for learn, and this is really interesting job!
Thanks for your code, and keep improving it, there are beginners, like me, that can't do this work.

 
5/13/2003 2:56:03 PM

Why not use compile control to make a dll... Add in some blank functions then edit them to be this format
pushad
pushfd
; set up the function parameters
call realFunction
popfd
popad


also... why not just come up with the asm machine code for calling LoadLibrary to load a vb DLL -- then you could write that as your

 
5/25/2003 6:20:45 AMRizzy J

Excellent piece of code here!! Please can you submit a win9x version in the near future. 5 globes from me!

 
5/26/2003 12:54:52 PM

Excellent Work!! **5** from me...

Put how to open system process or get the window handle of it to inject our code in the system process,

any way in c++ i could open any
system process as the same way u
are using, i don`t know way

i hope you can find a way,

thanks for sharing it.

 
5/26/2003 2:17:49 PMAlexandru Ionescu

Win9x will be coming up soon, I'm currently in exam period and haven't had the time to update the code.
As for hijacking system processes, you'll need to use the SetDebugPrivileges Token. I'll add that in the next edition of the code as well.

 
5/26/2003 2:28:14 PM

okay thanks a lot,

and i am waiting the next version.

i hope it will not be long time,

take care, thanks again,

 
5/26/2003 6:06:00 PM

hi again,

hey look i can now inject my code
into nt system processes but they
all crashed after creating remote
thread i don`t know why,

so please help me i need your help
really i need to run this work.

thanks,

 
6/30/2003 12:28:03 PMDanny J

Win2003 looks a lot better than XP for sure


 
6/30/2003 8:22:56 PMMichael Barnathan

Wow. I didn't even think this was possible before seeing this submission. 5 globes from me.

 
7/1/2003 4:58:26 PM

HELP!!!
i'm not able to get this code run!
error: explorer.exe:

 
7/1/2003 5:02:42 PM

i don't know, why the rest has not been submitted:
the error is: explorer.exe: process "written" on memory is illegal
i have windows xp

thanx
agent

 
7/2/2003 1:11:13 AMrae the coder

i would give you 5 but, all it does is crash explorer..no injection..boring..yawn..back to asm

 
7/2/2003 7:51:39 AMAlexandru Ionescu

rae: What version of Windows are you running? Did you properly set up the Imagebase with compile controller and read the instructions?
agent: Did you properly set up the imagebase with compile controller and read all the instructions?

 
7/5/2003 7:53:55 PMKenKnutson

Wow, this is going to provide learning material for quite some time. Thanks. Please keep up the excellent work, I look forward to the next version. Best Regards.

 
7/11/2003 6:16:44 PMrae the coder

windows xp 2600 sp1

yes i followed the instructions but after restarting my pc and running it again, it worked =] *****

 
7/24/2003 6:09:43 PMBilly Conner

Is there any way to duplicate the thread where its running more than 1 instance of the same thing, just by loading the executable 1 time? or even could those instances in memory spawn new ones of itself?

 
7/25/2003 3:27:43 PM

Hi Billy... to duplicate the thread, you would need to make the second version run at a different base address. I haven't found any way to programmatically change this, but I think it's somewhere in the PE header... theoretically it could be possible.

 
7/26/2003 7:12:57 AMVF-fCRO

Additional:
Consider this:
VB app must run under "right initiated"
COM/OLE platform,if not it surely encounter GPF!!
So:Run Remote Thread with That:
Push PrivateContext
Call VBThunMain

PrivateContext actually begins at:
VB5! somewhere inside EXE.
Find this with some internal Search function,and execute code above...



 
7/26/2003 9:09:05 AMPsyc

Whew, ya could be the next Coding Genius, 2 submissions with both being contest winners is rare. Great code!

 
7/26/2003 2:41:30 PMjoesatri

Good job, Mr. Alexandru..
5* and good health.

 
7/26/2003 3:19:50 PMTimothy OConnor

It didn't work! im using win Xp Home. in VB 6.0 Pro.

 
7/26/2003 3:36:21 PMTimothy OConnor

I do not see the compiler control window. what do i do..


 
7/26/2003 4:09:23 PMTimothy OConnor

I Don't understand any of the code. Can you please e-mail me(my e-mail is visual314@aol.com) in detail about the code. Please!!!

 
7/26/2003 8:46:11 PMAlexandru Ionescu

Timothy, the code is commented...if you still have problems understanding it, perhaps it's still too advanced for you...I wouldn't mind explaining it...but why are you interested in the code? Anyways, I'm putting up an OE plugin next month.

 
8/6/2003 8:52:28 PM

do you work in longhorn

 
8/21/2003 9:03:29 AM

hi alex good piece of code!
I'm also waitin'4 win 9x compatible version.I tried to use eliRT.dll but I had 2 errors, one about msvbvm60.dll and another about explorer.exe.
s u

 
9/25/2003 11:37:55 AMAlch3mizt

eliRT.dll works fine i get no errors

 
10/19/2003 1:04:31 PMk0nsl

Amazing stuff

 
10/28/2003 2:59:24 PM

Nice stuff, always dreamed to do such thing. Just wanted to react concerning the VB Runtime topic. U told us u could find a way adding it to EXE and compress it?
If the system does not have the vb runtimes dlls, exe wont get launched, so no extraction possible. Else need to write first part program in c for extraction then in vb -only possible way i could see.
Thank for helping out.
Very nice piece of code, 5$

 
11/1/2003 8:51:33 PMWolf McCloud

It is not working on my version of XP. Gotta admit I hacked it. I moved a lot of memory to optimize it. It might have messed it up. I'm sure it is a nice prog so you'll get 5 globes from me.

 
11/8/2003 3:28:59 AM

I use both XP and win98 so another request from me for a win9x version.

 
1/1/2004 12:41:18 AM

i don't know what happened but, the program just closes itself and displays an error, related to explorer, I'm using XP

 
1/24/2004 11:49:09 PMHyperHacker

Now I haven't tried this yet, but from what I understand, you call CreateRemoteThread to create a thread in another process, then chuck some ASM into it? Well there's an easy enough way you could run VB code from there. It would require you to have a VB EXE running as well, but it's still useful (for one your code is now running in the context of the app you hijacked, probably an easy way to get code running at SYSTEM level, hehehe). [continued in next comment]

 
1/24/2004 11:49:28 PMHyperHacker

What you do is have your EXE hijack the process, and for the ASM, simply put in Call (or whatever the x86 ASM code is for subroutines) followed by FuncPtr(Some function in your EXE). Assuming there's nothing really weird about this as compared to Windows itself, the function in your EXE will be run by the hijacked process. (There's no difference between calling a function in a VB app and one in a C/C++ app; if there were, callback API functions wouldn't work.)

Not the most useful idea ever, but if you absolutely must have some VB code running you could always do that.

 
3/1/2004 4:24:11 AMOrsusRadix

Wow thats coding!
Is it possible to insert an other program onto the memory, not your own i mean..
Then the problem of deleting exe files in use would disappear!
The memory base would not be 0x13140000,
and i guess i would have to start the exe and get the handle, and then change the GetModuleHandleA(vbNullString) to find where the "other" app's memory is located!

 
4/9/2004 9:00:02 PM

Extremely amazing of what you did, sir. I regret that I didn't have an account in planet-source-code so that I couldn't vote for your doing. However, in my view, you are the best of the best VB experts.

 
4/9/2004 9:03:11 PM

:) sir, I have just done a search and seen your code. It is extremely amazing.

Best job
Best wishes to you


 
4/26/2004 4:53:40 PMVekata

I found a problem with this program. Actually not the coding, but compiling.
I have ran this program in several of windows versions. The base code /BASE:0x13140000 does not work on all versions. changing the base helped and it worked.

 
5/17/2004 1:13:26 PM

what are the limitations on this code? For example,what kind of functions would not be possible in the main module?

Will it be possible to inject a substantially complex program into memory? one that uses class modules and bas files..?

 
5/29/2004 9:03:42 PM-God-

wicked code
very good work :D

 
6/13/2004 4:07:48 PM

I always get an unexpected error in adding compilerControlmenu to IDE: 0

Whats wrong?

THx

 
9/12/2004 4:22:30 PMkaotix

I tried this, but it didnt work...it doesnt load the 'psinfect.exe' or what ever into another programs memory
might this be something to do with the base address? if so what can i change it to?
Nice code tho!

 
2/10/2005 4:41:58 PMIslam Adel

Very nice BUT
I got an error (The intruction at "0x660fd0d9" referenced memory at "0x0014e528". The memory could not be "read".)
I've tried to change the "/Base" many times randomly (changing one number per try) and I've also tried to change the "host" program, i changed it to calculator ("SciCalc") but still have the same problem.
I'm using windows XP pro (SP2) and VB6 (with SP6)
I really need this code to work.

Anyway, more than great work.
Best Regards

 
3/12/2005 1:27:11 AM

this is a brilliant project indeed!! thanks for sharing :)

 
12/16/2005 9:45:20 AMnailgg

weehoooowww.. it's an excellent work!!

 
12/17/2005 8:43:39 AMpascalw

oh my god, you are the master ;-) 5G's

 
7/1/2006 12:43:18 AMCommon26

Can we hide a Full EXE application on the explorer memory side?



 
7/12/2006 8:29:38 AM

hi, amazing work!

but i've got the same question, is it possible to inject a full exe application in explorer.exe ?
if yes, how to do?

best wishes ;)

 
2/4/2007 10:34:42 AMChiroz

mmmm nice :) 0 globes joke w/e...

 
8/5/2008 12:15:17 AMMatt

Would have loved to see his next version of this, but being that it has been over a year since the last comment, and none from Alex in over 5 years, I think he has moved on to better Internals such as kernel dev. I would have liked to have seen if anyone found a method for executing vb specific functions, but that just might not be possible. The thread would probably have to somehow call the functions in "msvbvm60.dll" using their address, which I don't know if it is possible. Another thing that bothers me, is that the process where this exe's module is injected into: There is no way to Free that memory, without making the process crash. For 1, a "&" needs to be added to this Const MEM_RELEASE = &H8000& (deals with signed/unsigned ints).

 
8/5/2008 12:16:35 AMMatt

Also the 2nd param in VirtualFreeEx needs to be passed ByVal (you never want to pass an address ByRef unless it is a pointer to a pointer). That fix will make VirtualFreeEx actually work (which was useless before) the problem is that doesn't make explorer very happy, when releasing that memory. It even gets upset when just decommitting to (so it is just in a reserved state), in that it wants to crash every time =[. I will try to find out the issue and do some more testing because it's an annoyance that you have to restart the process to have it properly load in another compiled version of this application.
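
The base-address problem raised in the comments above (VF-fCRO, the 7/25/2003 reply, Vekata) comes down to two PE header fields: the linked ImageBase and whether relocation data is present. The Python below is an added example, not part of the submission or of any commenter's post; it reads both fields from a PE file so you can check what a build was linked for. The function names and the header-only sample images are constructed for illustration.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # COFF Characteristics: relocation data removed
DIR_BASERELOC = 5                    # data-directory slot for base relocations


def pe_base_info(data: bytes) -> dict:
    """Read the linked ImageBase and relocation status from a PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    if coff + 20 > len(data):
        raise ValueError("truncated COFF header")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    *_, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 2 or opt + opt_size > len(data):
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:      # PE32, the format a 32-bit VB6 build uses
        fmt, base_off, count_off, dirs_off = "<I", 28, 92, 96
    elif magic == 0x20B:    # PE32+ (64-bit), handled for completeness
        fmt, base_off, count_off, dirs_off = "<Q", 24, 108, 112
    else:
        raise ValueError("unknown optional header magic")
    if opt_size < dirs_off:
        raise ValueError("optional header too small")
    (image_base,) = struct.unpack_from(fmt, data, opt + base_off)
    (n_dirs,) = struct.unpack_from("<I", data, opt + count_off)
    reloc_size = 0
    slot = dirs_off + 8 * DIR_BASERELOC
    if n_dirs > DIR_BASERELOC and slot + 8 <= opt_size:
        _rva, reloc_size = struct.unpack_from("<II", data, opt + slot)
    stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "image_base": image_base,
        "relocs_stripped": stripped,
        "has_relocs": (not stripped) and reloc_size > 0,
    }


def can_be_placed_at(info: dict, actual_base: int) -> bool:
    """True if the image is valid at actual_base: either that is the linked
    base, or relocation data exists so a loader can rebase the image."""
    return actual_base == info["image_base"] or info["has_relocs"]


def build_sample(image_base: int, with_relocs: bool) -> bytes:
    """Constructed, header-only PE32 image for the demo (not a runnable EXE)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    flags = 0x0102                                    # EXECUTABLE_IMAGE | 32BIT_MACHINE
    if not with_relocs:
        flags |= IMAGE_FILE_RELOCS_STRIPPED
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, flags)
    opt = bytearray(224)                              # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    if with_relocs:
        struct.pack_into("<II", opt, 96 + 8 * DIR_BASERELOC, 0x3000, 0x200)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Base value taken from the thread; the second address is an arbitrary alternative.
    fixed = pe_base_info(build_sample(0x13140000, with_relocs=False))
    print(hex(fixed["image_base"]), fixed)
    print("same base:", can_be_placed_at(fixed, 0x13140000))
    print("other base:", can_be_placed_at(fixed, 0x13150000))
```

An image reported with `relocs_stripped` set is only correct at its linked base, which matches the reports above that changing `/BASE` and recompiling was the only fix when that address was unavailable.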

 
