
Execute EXE from memory Lib

Posted: Wed Jun 21, 2006 2:30 pm
by Maxus
This lib: http://www.bigvolga.ru/svalka/ExecuteEXE

Install this lib to PBdir\PureLibraries\UserLibraries\

Help:

Code:

If ReadFile(0,"C:\WINNT\Notepad.exe")
  Length = Lof(0)
  *Buffer = AllocateMemory(Length)
  ReadData(0,*Buffer,Length)
  CloseFile(0)
  ExecuteEXE(*Buffer,"","")
EndIf

Posted: Wed Jun 21, 2006 3:20 pm
by Bonne_den_kule
Data Execution Prevention prevents your lib from working on my PC. How can I bypass this?

Posted: Wed Jun 21, 2006 3:37 pm
by gnozal
No crash here, but it does nothing?!

Code:

If ReadFile(0,"C:\Windows\Pbrush.exe")
  Debug "Found"
  length = Lof(0)
  *Buffer = AllocateMemory(length)
  Debug ReadData(0,*Buffer,length)
  CloseFile(0)
  ExecuteEXE(*Buffer)
EndIf
(Windows 98SE / PB4 final + beta libs / jaPBe V3)

Posted: Wed Jun 21, 2006 3:37 pm
by J. Baker
Works here, thanks! ;)

Posted: Wed Jun 21, 2006 3:40 pm
by thefool
On Windows XP SP2 I get the same message as Bonne_den_kule.

Posted: Wed Jun 21, 2006 3:43 pm
by Bonne_den_kule
The problem is that we have to allocate memory which code is allowed to run from, I think.

Understanding Data Execution Prevention

Data Execution Prevention (DEP) helps prevent damage from viruses and other security threats that attack by running (executing) malicious code from memory locations that only Windows and other programs should use. This type of threat causes damage by taking over one or more memory locations in use by a program. Then it spreads and harms other programs, files, and even your e-mail contacts.

Unlike a firewall or antivirus program, DEP does not help prevent harmful programs from being installed on your computer. Instead, it monitors your programs to determine if they use system memory safely. To do this, DEP software works alone or with compatible microprocessors to mark some memory locations as "non-executable". If a program tries to run code—malicious or not—from a protected location, DEP closes the program and notifies you.

DEP can take advantage of software and hardware support. To use DEP, your computer must be running Microsoft Windows XP Service Pack 2 (SP2) or later, or Windows Server 2003 Service Pack 1 or later. DEP software alone helps protect against certain types of malicious code attacks but to take full advantage of the protection that DEP can offer, your processor must support "execution protection". This is a hardware-based technology designed to mark memory locations as non-executable. If your processor does not support hardware-based DEP, it's a good idea to upgrade to a processor that offers execution protection features.
I am using an AMD Athlon 64 X2 3800+, which supports "execution protection".

Posted: Wed Jun 21, 2006 4:06 pm
by Bonne_den_kule
64-bit applications should not execute code from the stack or the default process heap. Applications that want to allocate executable memory should do so using VirtualAlloc() with one of the PAGE_EXECUTE memory attributes.
@Maxus: You must allocate the memory block which is executed with the #PAGE_EXECUTE_READWRITE constant in your lib.
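The posts above explain why an in-memory loader needs pages allocated with a PAGE_EXECUTE attribute: DEP blocks execution from everything else. The flip side for a defender is that committed, private PAGE_EXECUTE_READWRITE regions are exactly what such loaders leave behind, so they are worth enumerating. The script below is an added example, not part of this thread or the ExecuteEXE library; it assumes 64-bit Windows PowerShell 5.1 or PowerShell 7 on x64, and the class name MemScan and function name Find-RwxRegions are my own.

```powershell
# Added example (not from the thread): list committed, private RWX regions per process.
# Hits are a triage lead, not proof: JIT runtimes (.NET, browsers) create RWX pages too.
Add-Type @"
using System;
using System.Runtime.InteropServices;
public static class MemScan {
    [StructLayout(LayoutKind.Sequential)]
    public struct MBI {   // MEMORY_BASIC_INFORMATION (x64 layout pads after AllocationProtect)
        public IntPtr BaseAddress; public IntPtr AllocationBase;
        public uint AllocationProtect; public IntPtr RegionSize;
        public uint State; public uint Protect; public uint Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MBI mbi, IntPtr len);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
"@

function Find-RwxRegions {
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_INFORMATION = 0x0400          # all VirtualQueryEx needs
    $MEM_COMMIT = 0x1000; $MEM_PRIVATE = 0x20000; $PAGE_EXECUTE_READWRITE = 0x40
    $h = [MemScan]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $mbi  = New-Object 'MemScan+MBI'
        $size = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf([MemScan+MBI])
        $addr = [IntPtr]::Zero
        # Walk the address space one region at a time; the call fails at the end of user space.
        while ([MemScan]::VirtualQueryEx($h, $addr, [ref]$mbi, $size) -ne [IntPtr]::Zero) {
            if ($mbi.State -eq $MEM_COMMIT -and $mbi.Type -eq $MEM_PRIVATE -and $mbi.Protect -eq $PAGE_EXECUTE_READWRITE) {
                [pscustomobject]@{ Pid = $ProcessId; Base = ('0x{0:X}' -f $mbi.BaseAddress.ToInt64()); Bytes = $mbi.RegionSize.ToInt64() }
            }
            $next = $mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64()
            if ($next -le $addr.ToInt64()) { break }   # no forward progress: stop instead of looping forever
            $addr = [IntPtr]$next
        }
    } finally { [void][MemScan]::CloseHandle($h) }
}

# Sweep every process we are allowed to open; protected or higher-integrity ones are skipped.
Get-Process | ForEach-Object { try { Find-RwxRegions -ProcessId $_.Id } catch { Write-Verbose $_ } } | Format-Table -AutoSize
```

Run it elevated to cover more processes; compare the reported base addresses against the loaded-module list of the same process to separate image-backed code from anonymous RWX allocations.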

Posted: Wed Jun 21, 2006 4:13 pm
by Inf0Byt3
Yes, this should fix it.

Posted: Wed Jun 21, 2006 4:40 pm
by Droopy
Great job, thanks

Posted: Wed Jun 21, 2006 5:32 pm
by srod
Brilliant job. Lots of people have been searching for something like this for a while now. Well done. 8)

Posted: Wed Jun 21, 2006 5:38 pm
by Maxus
OK. I've fixed this bug. Download the update: http://amt-lab.com/svalka/ExecuteEXE

Posted: Wed Jun 21, 2006 7:32 pm
by Inf0Byt3
Great job! It works very nice.

Posted: Wed Jun 21, 2006 8:38 pm
by thefool
This is just cool!

And it seems real! Filemon doesn't report anything suspicious.

Great job!

Posted: Wed Jun 21, 2006 9:30 pm
by ts-soft
Thx, works.

But what about parameters or a handle to the exe?
The function always returns 0.

Posted: Wed Jun 21, 2006 10:38 pm
by Bonne_den_kule
The program appears as cmd.exe in Process Explorer.
This is enough info to get the handle and etc. But it would be nice if the function could return the handle + passing program parameters if possible.

And it would be nice with a function to set the default directory.