

Execute a win32 exe file from memory?


Old topic!
Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.

32 replies to this topic

#1 Ahmadi   Members   -  Reputation: 122

0 Likes

Posted 25 March 2006 - 10:06 AM

Hi. I want to execute an exe file from memory and not from disk, because I have the contents of the exe file in a stream, in memory. If I write the contents to disk, other users can access it; I only want to run it from memory. Right now I have the exe file in a stream. I need some help with this. Some users suggested that I create a hidden file on disk and then execute it, but that is childish. I need to execute it directly from RAM. If you don't understand what I need, please read the following text; it is another form of my request:

{**********}
I have one exe at the end of my exe. Consider that the first exe is A and the second is B (which is attached to the end of A). If I want to run A, there is no problem; I can easily run A. But if I want to run B, I must extract it from A to the hard disk and then run it. That is bad for me and I don't want to extract it, because I need the user not to find B, and B must always be hidden. I have no problem extracting B. The best way for me is to run B from memory, not from the hard disk, and I want to know whether that is possible, and if yes, how. For example, if B is a picture attached to the end of A, I can show the picture without using the hard disk:

var
  S: TMemoryStream;
  F: file of Byte;
  B: Byte;
begin
  S := TMemoryStream.Create;
  AssignFile(F, Application.ExeName);
  Reset(F);
  Seek(F, OffsetOfB);            { skip A's own bytes; OffsetOfB is the file offset where B begins }
  while not Eof(F) do            { copy the remainder of the file (B) into the memory stream }
  begin
    Read(F, B);
    S.Write(B, 1);
  end;
  CloseFile(F);
  S.Position := 0;
  Image1.Picture.Bitmap.LoadFromStream(S);   { B is assumed to be a bitmap }
  S.Free;
end;
{**********}


#2 Evil Steve   Members   -  Reputation: 1983

0 Likes

Posted 25 March 2006 - 10:32 AM

It can be done with DLLs, but it's a lot of work. The way the Windows loader works, it's impossible to load from memory. What you have to do is break the file format apart, fix up any DLL references, then jump to the start of the code.

As far as I know, it simply isn't possible to do this with an EXE, only with a DLL. You'll have to copy the exe to the temp folder, run it from there, and wait for the process to terminate before deleting the exe.

#3 RunningInt   Members   -  Reputation: 133

0 Likes

Posted 25 March 2006 - 10:57 AM

Quote:
I want to execute an exe file from memory and not from disk, because I have the contents of the exe file in a stream, in memory. If I write the contents to disk, other users can access it; I only want to run it from memory. Right now I have the exe file in a stream.


I do not think there is a documented way of doing that in Windows, so it will be very tricky to accomplish and unstable.

If you want to stop other users accessing the executable you could simply disguise the executable. This will work on the vast majority of users. To do this, write the executable to disk as a file with a different extension. This way typical users will not be able to execute it by double-clicking on it in Explorer. They will have to rename it to .exe to do that, and most will not think of this.

If you write the executable to disk as filename.jpg then users will think it is an image file. If they double-click to load it, the image viewer will fail to open it. They will just think it is a broken jpg. They will not realise it is an executable. Using a well-known extension lessens the likelihood that more savvy users will try to open it in Notepad, where they will see "This program cannot be run in DOS mode", which kind of gives the game away. For this reason don't use an extension associated with a text viewer such as .txt or .log.

You can use CreateProcess to execute any file with any file extension, e.g.:


#include <windows.h>

STARTUPINFOA si = {0};
PROCESS_INFORMATION pi = {0};
si.cb = sizeof(si);

// filename.jpg is an executable; CreateProcess does not care about the extension
if (CreateProcessA("filename.jpg", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
{
    CloseHandle(pi.hThread);    // release the returned handles when you no longer need them
    CloseHandle(pi.hProcess);
}
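The disguise above works precisely because CreateProcess reads the PE header and ignores the file name. A defender's file check should do the same. The following Python script is an added example, not code from this thread: it classifies files by content (DOS header, e_lfanew, the "PE\0\0" signature, and, as a fallback, the "This program cannot be run in DOS mode" stub text mentioned above) and reports any file whose extension claims to be something other than an executable. All sample contents, including the minimal PE image, are constructed inline.

```python
import os
import struct

# Constructed sample contents (not real files): a JFIF header, a log line,
# and a minimal PE image built by minimal_pe_bytes() below.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32
SAMPLE_TEXT = b"2006-03-25 10:32 service started\n"

# Bytes we are willing to accept in something called "text".
_TEXT_BYTES = set(b"\t\n\r") | set(range(0x20, 0x7F))

# Extensions and the content kind each one claims to be.
EXTENSION_KIND = {".exe": "pe", ".dll": "pe", ".scr": "pe", ".jpg": "jpeg",
                  ".jpeg": "jpeg", ".txt": "text", ".log": "text"}


def minimal_pe_bytes() -> bytes:
    """Build the smallest byte string the checks below treat as a PE image:
    a DOS header, the usual DOS stub text, and the 'PE\\0\\0' signature."""
    dos = bytearray(b"MZ" + b"\x00" * 62)              # 64-byte IMAGE_DOS_HEADER
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew -> PE signature at 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(64, b"\x00")
    return bytes(dos) + stub + b"PE\x00\x00" + b"\x00" * 20


def is_pe_image(data: bytes) -> bool:
    """True when data has a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff(data: bytes) -> str:
    """Classify content by what it is, ignoring whatever the file is called."""
    if is_pe_image(data):
        return "pe"
    # The DOS stub text usually survives even when the header has been tampered with.
    if b"This program cannot be run in DOS mode" in data[:4096]:
        return "pe"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data and all(b in _TEXT_BYTES for b in data):
        return "text"
    return "unknown"


def check_file(name: str, data: bytes):
    """Return a finding when the content is a PE image but the name says otherwise."""
    claimed = EXTENSION_KIND.get(os.path.splitext(name)[1].lower(), "unknown")
    if sniff(data) == "pe" and claimed != "pe":
        return f"{name}: PE image with non-executable extension"
    return None


def scan(files):
    """files: iterable of (name, bytes) pairs. Returns the list of findings."""
    return [f for f in (check_file(n, d) for n, d in files) if f]


# Constructed directory listing: one disguised executable among ordinary files.
SAMPLE_FILES = [
    ("filename.jpg", minimal_pe_bytes()),
    ("photo.jpg", SAMPLE_JPEG),
    ("notes.txt", SAMPLE_TEXT),
    ("tool.exe", minimal_pe_bytes()),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(finding)
```

Run against a real directory, `scan` would be fed `(path, open(path, "rb").read(4096))` pairs; the first few kilobytes are enough, since every signal the classifier uses sits at the start of the file.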





#4 Anonymous Poster   Guests

0 Likes

Posted 25 March 2006 - 11:01 AM

https://www.joachim-bauch.de/tutorials/load_dll_memory.html/en

#5 Anonymous Poster   Guests

0 Likes

Posted 26 March 2006 - 08:27 PM

Quote:
Original post by Anonymous Poster
https://www.joachim-bauch.de/tutorials/load_dll_memory.html/en

It can load a procedure of a DLL into memory and then call the procedure, but I don't need that. I need to execute an exe file. The exe file is not something I wrote that I could turn into a procedure and then a DLL. For example, maybe the exe file is Notepad; how can I make Notepad into a procedure of a DLL?! It's impossible.




#6 bpoint   Members   -  Reputation: 464

0 Likes

Posted 26 March 2006 - 08:39 PM

You could look inside the source of UPX and see how they do it, considering they specialize in that sort of thing.


#7 bpoint   Members   -  Reputation: 464

0 Likes

Posted 26 March 2006 - 08:47 PM

Actually, now that I think about it, once you map the EXE into memory, all you should have to do is ensure the DLL functions have been imported properly, then simply jump into the EXE's entry point...

Edit: Which is pretty much what Evil Steve said anyway. :)


#8 LessBread   Moderators   -  Reputation: 1411

0 Likes

Posted 26 March 2006 - 08:47 PM

An exe and a dll are both PE files. It seems to me that the trick would be to invoke the system routines that launch a process, employing the file image from memory where required, and that's some pretty low-level coding - definitely not beginner-level programming.

#9 Ahmadi   Members   -  Reputation: 122

0 Likes

Posted 26 March 2006 - 08:48 PM

Quote:
Original post by bpoint
You could look inside the source of UPX and see how they do it, considering they specialize in that sort of thing.

UPX is an exe compressor; can it run an exe from memory?



#10 LessBread   Moderators   -  Reputation: 1411

0 Likes

Posted 26 March 2006 - 08:56 PM

Quote:
Original post by bpoint
Actually, now that I think about it, once you map the EXE into memory, all you should have to do is ensure the DLL functions have been imported properly, then simply jump into the EXE's entry point...


The kernel has to set up the virtual memory space for the process among other things before passing execution on to the thread for the new process. There are instances of special kernel structures for every process and every thread. Google on EPROCESS, ETHREAD, KPROCESS and/or KTHREAD to get a peek at what these structures look like. Mark Russinovich's book "Inside Windows 2000" explains what happens when a process is created. Other books examine disassembly listings of aspects of the launch process. It's not for the faint of heart or the novice programmer.

#11 rdragon1   Crossbones+   -  Reputation: 1200

0 Likes

Posted 26 March 2006 - 08:59 PM

So, essentially you need to write a loader. Or figure out how to invoke Windows' loader minus the part that loads from disk -> memory.

Maybe take a look at ReactOS?

#12 LessBread   Moderators   -  Reputation: 1411

0 Likes

Posted 26 March 2006 - 09:08 PM

Yes, basically write a loader - or figure out how to trick Windows into loading the exe from RAM. All the EPROCESS stuff I mentioned before is overkill. There's a description of an exploit of NtCreateProcess here, NT Syscalls insecurity (#5 out of 6), and a signature of the function here that might possibly lead to a solution. However, a parent process will still be needed - that is - some kind of loader would still need to be written.

This might help too: Interfacing the Native API in Windows 2000.

Be forewarned, this kind of tweaking could crash your system. Proceed at your own risk!

#13 bpoint   Members   -  Reputation: 464

0 Likes

Posted 26 March 2006 - 09:08 PM

Quote:
Original post by LessBread
The kernel has to set up the virtual memory space for the process among other things before passing execution on to the thread for the new process. There are instances of special kernel structures for every process and every thread.

Yes, but I don't think all of that is necessary if you're just going to transfer control from your existing process into the new one.

I've constructed some (albeit very simple) PE executables by hand with some compiled assembler that just prints out "Hello World" to the console, but the hardest part of getting that to work is updating the pointers in the import section to properly reference GetStdHandle and WriteConsole. Once those are in place, a jump into the main code _should_ just work properly.

Assuming the OP is not intending on actually spawning a new process while keeping his current one around, it shouldn't be that in-depth. Either way, this is definitely not an easy task. :)
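The two things bpoint describes as the hard part of a hand-built PE, the import-section pointers to GetStdHandle and WriteConsole and the entry point, are also exactly what an analyst inspects when a PE turns up somewhere it should not be, and LessBread's point that an exe and a dll are the same format comes down to one header flag. The Python below is an added example, not code from this thread or from any of the tools mentioned in it: it builds a constructed, non-runnable PE32 image whose import table names GetStdHandle and WriteConsoleA from KERNEL32.dll (WriteConsoleA is assumed as the concrete export name), then parses the headers, section table, entry point and import directory back out of the bytes. The parser goes beyond the sample and handles both PE32 and PE32+ thunk sizes and ordinal imports; it reads the file, it does not map or execute it.

```python
import struct

SEC_RVA, SEC_OFF = 0x1000, 0x200          # the single section's RVA and file offset


def build_sample_pe() -> bytes:
    """Construct a toy PE32 image (headers plus one section) whose import table
    names GetStdHandle and WriteConsoleA from KERNEL32.dll. It is not a runnable
    program; the entry point is a single 'ret' byte used as a placeholder."""
    desc_rva, int_rva, iat_rva = 0x1000, 0x1028, 0x1034      # import descriptor, INT, IAT
    dll_rva, hn1_rva, hn2_rva, entry_rva = 0x1040, 0x1050, 0x1060, 0x1070
    body = bytearray(0x200)                                  # zero-filled section contents

    def put(rva, blob):
        body[rva - SEC_RVA:rva - SEC_RVA + len(blob)] = blob

    put(desc_rva, struct.pack("<IIIII", int_rva, 0, 0, dll_rva, iat_rva))  # zero terminator follows
    thunks = struct.pack("<III", hn1_rva, hn2_rva, 0)       # RVAs of the hint/name entries
    put(int_rva, thunks)
    put(iat_rva, thunks)                                    # IAT mirrors the INT until the loader patches it
    put(dll_rva, b"KERNEL32.dll\x00")
    put(hn1_rva, struct.pack("<H", 0) + b"GetStdHandle\x00")
    put(hn2_rva, struct.pack("<H", 0) + b"WriteConsoleA\x00")
    put(entry_rva, b"\xc3")

    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, EXE image
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)         # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)         # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, desc_rva, 40)      # DataDirectory[1] = import table
    sec = b".idata\x00\x00" + struct.pack("<IIIIIIHHI", 0x80, SEC_RVA, 0x200, SEC_OFF,
                                          0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sec
    return headers.ljust(SEC_OFF, b"\x00") + bytes(body)


def _cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def parse_imports(data, sections, import_rva, pe32plus):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array and its name tables: {dll: [function, ...]}."""
    imports = {}
    if import_rva == 0:
        return imports
    fmt, size, ord_flag = ("<Q", 8, 1 << 63) if pe32plus else ("<I", 4, 1 << 31)
    off = rva_to_offset(import_rva, sections)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                                   # all-zero descriptor ends the array
            break
        names, thunk_off = [], rva_to_offset(oft or ft, sections)   # prefer the INT; fall back to the IAT
        while True:
            thunk = struct.unpack_from(fmt, data, thunk_off)[0]
            if thunk == 0:
                break
            names.append(f"#{thunk & 0xFFFF}" if thunk & ord_flag
                         else _cstr(data, rva_to_offset(thunk, sections) + 2))  # +2 skips the hint
            thunk_off += size
        imports[_cstr(data, rva_to_offset(name_rva, sections))] = names
        off += 20
    return imports


def parse_pe(data: bytes) -> dict:
    """Summarise the fields a hand-built or suspicious PE image is judged by."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = (struct.unpack_from("<Q", data, opt + 24)[0] if pe32plus
                  else struct.unpack_from("<I", data, opt + 28)[0])
    ndirs = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
    dir_off = opt + (112 if pe32plus else 96)
    import_rva = struct.unpack_from("<I", data, dir_off + 8)[0] if ndirs > 1 else 0
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {
        "is_dll": bool(chars & 0x2000),                     # IMAGE_FILE_DLL: same format, one flag
        "image_base": image_base,
        "entry_point": entry,
        "entry_point_offset": rva_to_offset(entry, sections),
        "sections": sections,
        "imports": parse_imports(data, sections, import_rva, pe32plus),
    }


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for dll, funcs in info["imports"].items():
        print(dll, funcs)
    print(f"entry point RVA {info['entry_point']:#x} at file offset {info['entry_point_offset']:#x}")
```

Pointing `parse_pe` at the bytes of a real image instead of `build_sample_pe()` gives the same summary; the import list of an unexpected PE (which DLLs, which functions, whether everything is by ordinal) is usually the quickest way to decide what it is for.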

#14 rdragon1   Crossbones+   -  Reputation: 1200

0 Likes

Posted 26 March 2006 - 09:11 PM

And I would venture a guess that the reason/purpose for wanting to do this doesn't justify the amount of effort needed to get it working.

#15 LessBread   Moderators   -  Reputation: 1411

0 Likes

Posted 26 March 2006 - 09:13 PM

@bpoint - yep - see my last post. [smile]

@RDragon1 - yep - not enough bang for the buck.

#16 Ahmadi   Members   -  Reputation: 122

0 Likes

Posted 26 March 2006 - 10:42 PM

Quote:
Original post by bpoint
Actually, now that I think about it, once you map the EXE into memory, all you should have to do is ensure the DLL functions have been imported properly, then simply jump into the EXE's entry point...

Edit: Which is pretty much what Evil Steve said anyway. :)

How can I jump into the EXE's entry point?
If that is possible, then I can jump without needing a DLL.
Do you have an example that shows me how to jump into the EXE's entry point?
Because I need it.



#17 Ahmadi   Members   -  Reputation: 122

0 Likes

Posted 26 March 2006 - 10:44 PM

Quote:
Original post by LessBread
Yes, basically write a loader - or figure out how to trick Windows into loading the exe from RAM. All the EPROCESS stuff I mentioned before is overkill. There's a description of an exploit of NtCreateProcess here, NT Syscalls insecurity (#5 out of 6), and a signature of the function here that might possibly lead to a solution. However, a parent process will still be needed - that is - some kind of loader would still need to be written.

This might help too: Interfacing the Native API in Windows 2000.

Be forewarned, this kind of tweaking could crash your system. Proceed at your own risk!

NtCreateProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN HANDLE ParentProcess,
    IN BOOLEAN InheritObjectTable,
    IN HANDLE SectionHandle OPTIONAL,
    IN HANDLE DebugPort OPTIONAL,
    IN HANDLE ExceptionPort OPTIONAL );

Can it work on a stream or other data structure in memory?
Also, is a process equal to a whole exe file? For example, if my exe is "Photoshop.exe", will it work too?



#18 Ahmadi   Members   -  Reputation: 122

0 Likes

Posted 26 March 2006 - 10:49 PM

Quote:
Original post by RDragon1
So, essentially you need to write a loader. Or figure out how to invoke windows' loader minus the part that loads from disk -> memory.

Maybe take a look at ReactOS?

If you mean that a loader is a program that can load an exe from <storage> and execute it, then yes, I really need a loader.
I have no problem loading an exe file into memory; my problem is how to tell the OS (operating system) to run the exe file from my memory address, which can be in a stream.

Also, I cannot find your ReactOS. These are my Google attempts:
http://www.google.com/search?num=50&hl=en&lr=&q=loader+ReactOS+&btnG=Search
http://www.google.com/search?hl=en&q=+ReactOS&btnG=Google+Search

#19 Ahmadi   Members   -  Reputation: 122

0 Likes

Posted 26 March 2006 - 10:59 PM

****************************************
***********My note for all:*************
****************************************
Some people ask me why I don't try some API call such as CreateProcess or similar.
I must say that all of the API calls I know can only run an exe file from disk (cannot execute from disk).

Also some people say, "try to hide your exe file", for example change its extension to ".jpg" and then run it. I know that it is possible to run my exe with a .jpg extension without changing the extension back to .EXE:
CreateProcess("filename.jpg",NULL,NULL,NULL,false,0,NULL,NULL,&si,&pi);
Yes, it works,
but the user can easily find my exe by renaming it!!! (The user can change jpg to exe.)
Also, some of my EXEs that I want to execute from memory need the internet. If your firewall prompts that "filename.jpg" needs to access the internet, what would you think? You would think that filename.jpg is an exe file, and that's not good for me.

Please help me solve my problem.
I really need code (or maybe a program) that can execute an EXE file from memory.
Also, if it's not possible,
please help me add some instructions to the start of an EXE file. I mean that if the user runs the exe file, my code lines run first.

#20 LessBread   Moderators   -  Reputation: 1411

0 Likes

Posted 26 March 2006 - 11:05 PM

Quote:
Original post by Ahmadi
can work on a stream or other data structure in memory? also process is equal to whole of an exe file? for example maybe my exe be "Photoshop.exe", also it can work?


Not on a stream. The POBJECT_ATTRIBUTES parameter is a pointer to a data structure. A process is not equal to an exe file. The exe file is the program. The process is a static container that maintains the resources necessary for a thread to execute. Don't experiment with your photoshop.exe, stick to notepad.exe. If you screw anything up accidentally, you'll be glad it was notepad that died and not photoshop.

Honestly, from our conversation, it sounds to me that the endeavor exceeds your present abilities. Keep studying programming, learn as much as you can about the operating system and how it operates at a low level, learn as much as you can about x86 CPUs, learn some assembly language, maybe even learn how to write device drivers and such, and then you'll be ready to tackle a project like this one.

Here's a link to ReactOS. Download the source code and poke around through it. See if that's the kind of code that interests you.



