can PB launch a included EXE file ?


Post by thefool »

PB wrote:
> > isn't this the way that packers like UPX and others act?. They embed the
> > application we want in a stub/loader that decompresses the data(our exe,
> > dll) in memory and run it?
>
> Interesting theory, so I tested it -- and no, UPX decompresses the exe to the
> Windows Temp folder before running it. I used FileMon to watch for what files
> were created in Temp when I launched my app that was compressed with
> UPX, and it showed a file with the same byte-size as my uncompressed app
> being created there. I then decompressed the app and launched it again,
> and nothing was seen in Temp this time. So, it doesn't run it from memory.

LOL, I always believed UPX did that in memory. Of course it's possible.
And of course many apps use it. Please think about it ;) Exe encrypters that would do it directly to disc?

AND just have a look at the link I posted, it does the stuff in memory directly. Please have a look at that before posting shit like "It's not possible bwa bwa bwa" :evil:

Post by Jellybean »

PB wrote:
> > isn't this the way that packers like UPX and others act?. They embed the
> > application we want in a stub/loader that decompresses the data(our exe,
> > dll) in memory and run it?
>
> Interesting theory, so I tested it -- and no, UPX decompresses the exe to the
> Windows Temp folder before running it. I used FileMon to watch for what files
> were created in Temp when I launched my app that was compressed with
> UPX, and it showed a file with the same byte-size as my uncompressed app
> being created there. I then decompressed the app and launched it again,
> and nothing was seen in Temp this time. So, it doesn't run it from memory.

That depends on how you look at it. Most likely the file is still technically in memory cache and has not yet been written to the physical disc.

Post by xgp »

Jellybean wrote:
> PB wrote:
> > > isn't this the way that packers like UPX and others act?. They embed the
> > > application we want in a stub/loader that decompresses the data(our exe,
> > > dll) in memory and run it?
> >
> > Interesting theory, so I tested it -- and no, UPX decompresses the exe to the
> > Windows Temp folder before running it. I used FileMon to watch for what files
> > were created in Temp when I launched my app that was compressed with
> > UPX, and it showed a file with the same byte-size as my uncompressed app
> > being created there. I then decompressed the app and launched it again,
> > and nothing was seen in Temp this time. So, it doesn't run it from memory.
>
> That depends on how you look at it. Most likely the file is still technically in memory cache and has not yet been written to the physical disc.

Now I am really confused :S
PB has tested and saw his executable in the Temp folder. So what happens?
Is the file written to hard disk and executed, or is it by some way executed in memory?

Anyway, I got that this is a really hard task. :wink:

Greets

xgp

Post by thefool »

@PB: It's bullshit what you said. Me and a friend just tested this using FileMon and the newest STABLE! UPX version.

I wrote a simple console app that writes 2 strings and uses the jpegdecoder lib for adding size.. 45 kbytes uncompressed!

Now I turn on FileMon and look for outputs by my file, and BAM! Nothing :S
Neither one of us gets anything..

Post by thefool »

And I apologize for the hard language but it just makes me mad when someone is saying "This is impossible!".. :oops:

Post by LuCiFeR[SD] »

Nothing is impossible or men would still be using Big sticks and saying "unga bunga" to make women want to sleep with us :).... or we would still be programming in Amos ;) LOL

Nothing is impossible, hell making an exe run from memory on the Amiga was sooooooooooo easy that even a 5 year old could manage it, I don't know the windows API well enough or the windows exe structure well enough to try and do it. Although, I think it's about time I actually bothered to learn a bit more about windows, but I can't stop using WinUAE hehe.

Post by thefool »


"ohohoh it seems like upx is making temporary files.. WWOOOOOTTT im stttoonned! woha i see temporary files all around me!! HELP HEEEELP HEEE....... Mwarg.."
:twisted:

sorry.


However I think we need to have a look at the UPX source. Maybe it's because you are on 98? I dunno if they couldn't make it there. And are you sure you were using the latest stable UPX?

edit: again no offence man :D just trying to make you mad :) !
Well. Please try to have a go at the newest UPX and test it!

Post by dagcrack »

No temp file detected here.
Using Windows XP Professional

I'll try with a 9x later.
! Black holes are where God divided by zero !
My little blog!
(Not for the faint hearted!)

Post by PB »

> @PB: It's bullshit what you said

Really? And you were sitting at my PC when I saw this? I hate being accused
of being a liar when I know what I saw. Your rudeness astounds me.

> Maybe its because you are on 98?

My signature clearly shows that I'm running Win2K Pro with SP4.

> And are you sure you were using the latest stable upx?

Naturally. I'm using version 1.25w from http://upx.sourceforge.net

> woha i see temporary files all around me!! HELP HEEEELP HEEE.......

I have lost all respect for you now. Stay out of my way in future, thanks.

And just for the record, here's two screenshots which prove it:

http://purebasic.myftp.org/?filename=fi ... erties.gif
http://purebasic.myftp.org/?filename=fi ... mpFile.gif
I compile using 5.31 (x86) on Win 7 Ultimate (64-bit).
"PureBasic won't be object oriented, period" - Fred.

Post by dagcrack »

Here I tried again .. and no temp.
Perhaps your antivirus or some sort of program is doing that.
I know they internally do stuff like that though (and it's known why... ).

Hey, I think he was just kiddin'. Don't get mad, we are here to solve this now; we need to know if UPX does pass to temp and run or run to memory. It's important to know, let's forget about everything else for now :)

Please can you try with a clean system (no services no programs no nothing)? Perhaps a virtual machine.. I'll do that when I get spare time in the morning.

edit: I see AVAST4 in the path: that tells me you're using avast antivirus and their latest version is 4 so perhaps what you've seen was just your antivirus passing to temp and later scanning the file.

Post by PB »

> perhaps what you've seen was just your antivirus passing to temp and
> later scanning the file

I see what you mean, so I did a test without Avast running and nothing was
seen with FileMon this time. So yeah, it does do it in memory then. Avast
made it appear as though it was done to disk -- how was I to know that UPX
wasn't decompressing to Temp and then Avast just scanning this temp file?
Anyway, it's good to know that Avast protects against apps run in memory!

But that's still no reason for TheFool to go nuts and abuse me the way he did.
Some mature conversation (like you did, Dagcrack) is all that was required.
I compile using 5.31 (x86) on Win 7 Ultimate (64-bit).
"PureBasic won't be object oriented, period" - Fred.
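
The confound resolved in the post above, as an added example that is not part of the original thread: a file-monitor trace only shows who dropped a file in Temp if each create/write event is attributed to the process that issued it. The log lines are constructed, and the tab-separated column layout, the request names, the paths and the process names (including `ashServ.exe` for the "Ashserv" service mentioned in the thread) are assumptions.

```python
import csv
import io
from collections import defaultdict

TEMP = "C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\"  # constructed path
# Constructed sample of an exported file-monitor log. Assumed layout,
# tab-separated: seq, time, process:pid, request, path, result, other
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("1", "10:15:01", "explorer.exe:1480", "OPEN", "C:\\Apps\\myapp_upx.exe", "SUCCESS", ""),
    ("2", "10:15:01", "myapp_upx.exe:2212", "READ", "C:\\Apps\\myapp_upx.exe", "SUCCESS", ""),
    ("3", "10:15:01", "ashServ.exe:612", "CREATE", TEMP + "_avast4_\\unp0042.tmp", "SUCCESS", ""),
    ("4", "10:15:01", "ashServ.exe:612", "WRITE", TEMP + "_avast4_\\unp0042.tmp", "SUCCESS", "Length: 46080"),
    ("5", "10:15:02", "myapp_upx.exe:2212", "OPEN", TEMP, "SUCCESS", "Options: Open Directory"),
    ("6", "10:15:02", "ashServ.exe:612", "DELETE", TEMP + "_avast4_\\unp0042.tmp", "SUCCESS", ""),
])

WRITE_REQUESTS = {"CREATE", "WRITE"}  # requests that put data on disk


def temp_writers(log_text, temp_marker="\\temp\\"):
    """Map process name -> set of Temp paths it successfully created or wrote."""
    writers = defaultdict(set)
    reader = csv.reader(io.StringIO(log_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) < 6:
            continue  # blank, header or truncated line
        process, request, path, result = row[2], row[3].upper(), row[4], row[5]
        if request not in WRITE_REQUESTS or result != "SUCCESS":
            continue  # reads, opens and failed calls do not create files
        if temp_marker not in path.lower():
            continue
        name = process.rsplit(":", 1)[0].lower()  # strip the :pid suffix
        writers[name].add(path)
    return dict(writers)


def verdict(log_text, target):
    """Report whether the target itself wrote to Temp, or only other processes did."""
    writers = temp_writers(log_text)
    if target.lower() in writers:
        return "target wrote to Temp"
    if writers:
        return "only other processes wrote to Temp: " + ", ".join(sorted(writers))
    return "no Temp writes observed"
```

Filtering the trace on the Temp path alone reproduces the first reading in the thread; grouping by the process column separates the scanner's unpacked copy from anything the packed executable wrote itself.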

Post by Dare2 »

@}--`--,-- A rose by any other name ..

Post by dagcrack »

thefool wrote:
> and i apologize for the hard language but it just makes me mad when someone is saying "This is impossible!".. :oops:

Well... It also pisses me off - to me nothing is impossible. The only limit is your mind, and the amount of coffee you can hold in your veins :)


---



Hey, no one will believe me on this.. I had a nice post for this thread but Firefox crashed without a reason.. I'm quite sad! Because of the post and for Firefox.. it only crashed once before here.. it's starting to be less and less stable with the newer releases :(

Basically I was saying that I was happy that we solved this - UPX is still usable then - and that's good because I use it quite a lot at work.

Also I was talking about how this is a nice community. Other communities I've been at, they aren't like this one... in the first place, when a newbie asks "How do I..." they make fun of him and laugh.. make him feel stupid even! Here it is different, I believe the PB community is better here as programmers and as people than any other programming language communities :!: :!: (that I've seen). So if 2 guys get mad at each other in a year.. that's good, at the other communities every 3 posts there's a flame war! hehe.



PB: Perhaps he saw the source and found out that what you said wasn't true and that's why he took it the "fun" way? I don't know, I'm just guessing again.

:?

Now to rewrite the other post I was writing (I usually write two or 3 posts at the same time, with some pauses between.. makes your head cool down in the worst of cases, and when I don't want to know anything about what has been said.. I simply don't post anymore in that thread) :)

Post by xgp »

@dagcrack: Comments for what? Well said. :wink:

So, packers run the application in memory, but this is a really hard task to do on Windows. So maybe this post should be terminated by now, I don't know, but due to the complexity of the task... at least I learned some things.
If I get prepared maybe I will search for pages that can explain this in practice.

Greets

xgp

Post by thefool »

You have received 2 links to examples on how to do it.

@dagcrack: you are right, it was just for fun!

@PB: sorry if you took me seriously..! It was not meant to be rude in any way at all.. However yes, it seems like Avast is making temp files. I just think you should have noticed that when you see the Ashserv, which is an Avast service. Of course, if you didn't know that I can't blame you for anything!

> I have lost all respect for you now. Stay out of my way in future, thanks.

I certainly don't hope this is true.. It was not meant that way. And not flaming either... :cry:


btw nice link dare2 hehe