• 15
• 15
• 11
• 9
• 10

# Execute a win32 exe file from memory?

This topic is 4379 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

## Recommended Posts

Hi I want execute a exe file from memory and not from disk, because i have contain of the exe file in a stream and in memory, if i want write the containt on disk other user can access it, i only want run it from memory. now i have the exe file in stream. i need any help for this work. some users help is that i make a hide file on disk and then execute it, but its childish. i need to execute it directly from RAM. if you dont understand what i need please read follow text, its another shape of my request: {**********} i have one exe in end of my exe. if you consider that first exe is A and second is B( that is attached to end of A). now if i want run A.it have not any problem, and i can easily run A. but if i want run B, i must extract it from A to harddisk and then run it. its bad for me and i dont want to extract it, because i need to user do not find it(B). and B must always be hide. i have not any problem for extracting B . the best way for me is that i run B from memory not from harddisk , and i want to know is it possible? if yes , how? for example if you consider that B is a picture that was attached to end of A . i can show picture without using harddisk: Var S:TFileStream; f:file of byte; begin S:=TFileStream.create; assignfile(f,extractfilename(application.exename)); reset(f); do while reach first of B // while not eof(f) do copy data from f to S // image1.loadfromstream(s); end. {**********}

##### Share on other sites
It can be done with DLLs, but it's a lot of work. The way the Windows loader works, it's impossible to load from memory. What you have to do is break the file format appart, fixup and DLL references, then jump to the start of the code.

As far as I know, it simply isn't possible to do this with an EXE only a DLL. You'll have to copy the exe to the temp folder, run it from there, and wait for the process to terminate before deleting the exe.

##### Share on other sites
Quote:
 I want execute a exe file from memory and not from disk, because i have contain of the exe file in a stream and in memory, if i want write the containt on disk other user can access it, i only want run it from memory. now i have the exe file in stream.

I do not think there is a documented way of doing that in windows so it will be very tricky to accomplish and unstable.

If you want to stop other users accessing the executable you could simply disguise the executable. This will work on the vast majority of users. To do this write the executable to disk as a file with a different extension. This way typical users will not be able to execute it by double clicking on it in explorer. They will have to rename it to .exe to do that and most will not think of this.

If you write the executable to disk as filename.jpg then users will think it is an image file. If they double click to load it the image viewer will fail to open it. They will just think it is a broken jpg. They will not realise it is an executable. Using a well known extension lessens the likelyhood that more savvy users will try and open it in notepad where they will see "This program cannot be run in DOS mode" which kind of gives the game away. For this reason don't use an extension associated with a text viewer such as .txt or .log

You can use CreateProcess to execute any file with any file extension. eg:

STARTUPINFO si = {0};PROCESS_INFORMATION pi;si.cb = sizeof(STARTUPINFO);//filename.jpg is an executableCreateProcess("filename.jpg",NULL,NULL,NULL,false,0,NULL,NULL,&si,&pi);

##### Share on other sites
Quote:

it can load a proc of dll in memory and then call proc. but i dont need it. i need to execute an exe file.exe file is not for me that i make it a procedure and then dll. for example maybe the exe file is notepad, how can i make notepad to a proc of dll!! its impossible.

##### Share on other sites
You could look inside the source of UPX and see how they do it, considering they specialize in that sort of thing.

##### Share on other sites
Actually, now that I think about it, once you map the EXE into memory, all you should have to do is ensure the DLL functions have been imported properly, then simply jump into the EXE's entry point...

Edit: Which is pretty much what Evil Steve said anyway. :)

##### Share on other sites
An exe and a dll are both pe files. It seems to me that the trick would be to invoke the system routines that launch a process employing the file image from memory where required and that's some pretty low level coding - definitely not beginning level programming.

##### Share on other sites
Quote:
 Original post by bpointYou could look inside the source of UPX and see how they do it, considering they specialize in that sort of thing.

UPX is exe compressor, can it run exe from memory?

##### Share on other sites
Quote:
 Original post by bpointActually, now that I think about it, once you map the EXE into memory, all you should have to do is ensure the DLL functions have been imported properly, then simply jump into the EXE's entry point...

The kernel has to set up the virtual memory space for the process among other things before passing execution on to the thread for the new process. There are instances of special kernel structures for every process and every thread. Google on EPROCESS, ETHREAD, KPROCESS and/or KTHREAD to get a peek at what these structures look like. Mark Russinovich's book "Inside Windows 2000" explains what happens when a process is created. Other books examine disassembly listings of aspects of the launch process. It's not for the faint of heart or the novice programmer.