
Execute a win32 exe file from memory?

This topic is 4284 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.


Hi. I want to execute an exe file from memory and not from disk, because I have the contents of the exe file in a stream, in memory. If I write the contents to disk, other users can access it; I only want to run it from memory. Right now I have the exe file in a stream. I need some help with this work. Some users' suggestion is that I create a hidden file on disk and then execute it, but that is childish. I need to execute it directly from RAM. If you don't understand what I need, please read the following text; it is another form of my request:

{**********}
I have one exe at the end of my exe. Consider that the first exe is A and the second is B (which is attached to the end of A). If I want to run A, there is no problem, and I can easily run A. But if I want to run B, I must extract it from A to the hard disk and then run it. That is bad for me and I don't want to extract it, because I need the user not to find it (B), and B must always be hidden. I have no problem extracting B. The best way for me is to run B from memory, not from the hard disk, and I want to know: is it possible? If yes, how? For example, consider that B is a picture attached to the end of A. I can show the picture without using the hard disk:

var
  S: TMemoryStream;   // holds B in memory, not on disk
  F: TFileStream;
begin
  S := TMemoryStream.Create;
  F := TFileStream.Create(Application.ExeName, fmOpenRead or fmShareDenyNone);
  try
    F.Position := OffsetOfB;             // seek to where B begins inside A (the offset must be known)
    S.CopyFrom(F, F.Size - OffsetOfB);   // copy the rest of the file, i.e. B, into S
    S.Position := 0;
    Image1.Picture.Bitmap.LoadFromStream(S);
  finally
    F.Free;
    S.Free;
  end;
end;
{**********}

It can be done with DLLs, but it's a lot of work. The way the Windows loader works, it's impossible to load from memory. What you have to do is break the file format apart, fix up any DLL references, then jump to the start of the code.

As far as I know, it simply isn't possible to do this with an EXE, only a DLL. You'll have to copy the exe to the temp folder, run it from there, and wait for the process to terminate before deleting the exe.

Quote:
I want to execute an exe file from memory and not from disk, because I have the contents of the exe file in a stream, in memory. If I write the contents to disk, other users can access it; I only want to run it from memory. Right now I have the exe file in a stream.


I do not think there is a documented way of doing that in Windows, so it will be very tricky to accomplish and unstable.

If you want to stop other users accessing the executable you could simply disguise the executable. This will work on the vast majority of users. To do this, write the executable to disk as a file with a different extension. This way typical users will not be able to execute it by double clicking on it in Explorer. They will have to rename it to .exe to do that, and most will not think of this.

If you write the executable to disk as filename.jpg then users will think it is an image file. If they double click to load it, the image viewer will fail to open it. They will just think it is a broken jpg. They will not realise it is an executable. Using a well known extension lessens the likelihood that more savvy users will try and open it in Notepad, where they will see "This program cannot be run in DOS mode", which kind of gives the game away. For this reason don't use an extension associated with a text viewer such as .txt or .log.

You can use CreateProcess to execute any file with any file extension, e.g.:


#include <windows.h>

STARTUPINFO si = {0};
PROCESS_INFORMATION pi = {0};
si.cb = sizeof(STARTUPINFO);

// filename.jpg is an executable; CreateProcess looks at the PE header, not the extension
if (CreateProcess(TEXT("filename.jpg"), NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
{
    CloseHandle(pi.hThread);    // release the handles once they are no longer needed
    CloseHandle(pi.hProcess);
}



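The defender's counterpart to the extension trick described in the answer above, as an added example that is not part of the original thread: a file renamed to .jpg still begins with the "MZ" DOS header and still carries the "PE\0\0" signature at the offset stored in e_lfanew, so a scanner can flag executables regardless of their extension. The suspect-extension list and the sample file contents are constructed for this example.

```python
import os
import struct

# Extensions a disguised executable might borrow (constructed list; the thread
# favours image extensions so a viewer just reports a "broken" file).
SUSPECT_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".txt", ".log", ".dat"}
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def is_pe_image(data):
    """True if data starts with an 'MZ' DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(name, data):
    """'disguised-pe' if a PE image hides under a non-executable extension, else 'pe' / 'not-pe'."""
    ext = os.path.splitext(name)[1].lower()
    if not is_pe_image(data):
        return "not-pe"
    return "disguised-pe" if ext in SUSPECT_EXTENSIONS else "pe"


def scan_directory(root, header_bytes=4096):
    """Walk root and list files whose leading bytes are a PE image under a suspect extension."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(header_bytes)  # headers sit at the front; no need to read it all
            except OSError:
                continue
            if classify(fn, head) == "disguised-pe":
                findings.append(path)
    return findings


def make_fake_pe_bytes():
    """Constructed sample: DOS header with e_lfanew = 0x80, the stub text, then 'PE\\0\\0'."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew
    stub = DOS_STUB_TEXT + b".\r\n$"
    hdr[0x4E:0x4E + len(stub)] = stub                 # where the stub message usually sits
    return bytes(hdr) + b"PE\x00\x00" + bytes(20)     # signature plus a zeroed COFF header


def make_fake_jpeg_bytes():
    """Constructed sample: a real JFIF prefix, which must not be flagged."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(64)


if __name__ == "__main__":
    print(classify("filename.jpg", make_fake_pe_bytes()))  # disguised-pe
```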
Guest Anonymous Poster
https://www.joachim-bauch.de/tutorials/load_dll_memory.html/en

Guest Anonymous Poster
Quote:
Original post by Anonymous Poster
https://www.joachim-bauch.de/tutorials/load_dll_memory.html/en

It can load a procedure of a DLL into memory and then call the procedure, but I don't need that. I need to execute an exe file. An exe file is not something I can turn into a procedure and then a DLL. For example, maybe the exe file is Notepad; how can I make Notepad into a procedure of a DLL?! It's impossible.


Actually, now that I think about it, once you map the EXE into memory, all you should have to do is ensure the DLL functions have been imported properly, then simply jump into the EXE's entry point...

Edit: Which is pretty much what Evil Steve said anyway. :)

An exe and a dll are both PE files. It seems to me that the trick would be to invoke the system routines that launch a process, employing the file image from memory where required, and that's some pretty low-level coding - definitely not beginner-level programming.

Quote:
Original post by bpoint
You could look inside the source of UPX and see how they do it, considering they specialize in that sort of thing.

UPX is an exe compressor; can it run an exe from memory?

Quote:
Original post by bpoint
Actually, now that I think about it, once you map the EXE into memory, all you should have to do is ensure the DLL functions have been imported properly, then simply jump into the EXE's entry point...


The kernel has to set up the virtual memory space for the process among other things before passing execution on to the thread for the new process. There are instances of special kernel structures for every process and every thread. Google on EPROCESS, ETHREAD, KPROCESS and/or KTHREAD to get a peek at what these structures look like. Mark Russinovich's book "Inside Windows 2000" explains what happens when a process is created. Other books examine disassembly listings of aspects of the launch process. It's not for the faint of heart or the novice programmer.

So, essentially you need to write a loader. Or figure out how to invoke windows' loader minus the part that loads from disk -> memory.

Maybe take a look at ReactOS?

Yes, basically write a loader - or figure out how to trick Windows into loading the exe from RAM. All the EPROCESS stuff I mentioned before is overkill. There's a description of an exploit of NtCreateProcess here, NT Syscalls insecurity (#5 out of 6), and a signature of the function here that might possibly lead to a solution. However, a parent process will still be needed - that is - some kind of loader would still need to be written.

This might help too: Interfacing the Native API in Windows 2000.

Be forewarned, this kind of tweaking could crash your system. Proceed at your own risk!

Quote:
Original post by LessBread
The kernel has to set up the virtual memory space for the process among other things before passing execution on to the thread for the new process. There are instances of special kernel structures for every process and every thread.

Yes, but I don't think all of that is necessary if you're just going to transfer control from your existing process into the new one.

I've constructed some (albeit very simple) PE executables by hand with some compiled assembler that just prints out "Hello World" to the console, but the hardest part of getting that to work is updating the pointers in the import section to properly reference GetStdHandle and WriteConsole. Once those are in place, a jump into the main code _should_ just work properly.

Assuming the OP is not intending on actually spawning a new process while keeping his current one around, it shouldn't be that in-depth. Either way, this is definitely not an easy task. :)

Quote:
Original post by bpoint
Actually, now that I think about it, once you map the EXE into memory, all you should have to do is ensure the DLL functions have been imported properly, then simply jump into the EXE's entry point...

Edit: Which is pretty much what Evil Steve said anyway. :)

How can I jump into the EXE's entry point?
If it is possible, then I can jump without needing a DLL.
Do you have an example that shows me how I can jump into the EXE's entry point?
Because I need it.

Quote:
Original post by LessBread
Yes, basically write a loader - or figure out how to trick Windows into loading the exe from RAM. All the EPROCESS stuff I mentioned before is overkill. There's a description of an exploit of NtCreateProcess here, NT Syscalls insecurity (#5 out of 6), and a signature of the function here that might possibly lead to a solution. However, a parent process will still be needed - that is - some kind of loader would still need to be written.

This might help too: Interfacing the Native API in Windows 2000.

Be forewarned, this kind of tweaking could crash your system. Proceed at your own risk!

NtCreateProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL );
Can it work on a stream or another data structure in memory?
Also, is a process equal to the whole of an exe file? For example, maybe my exe is "Photoshop.exe"; can it work with that too?

Quote:
Original post by RDragon1
So, essentially you need to write a loader. Or figure out how to invoke windows' loader minus the part that loads from disk -> memory.

Maybe take a look at ReactOS?

If you mean that a loader is a program that can load an exe from <storage> and execute it, then yes, I really need a loader.
I have no problem loading an exe file into memory; my problem is how I can tell the OS (operating system) to now run the exe file from my memory address, which can be in a stream.

Also I cannot find your ReactOS; this was my Google attempt:
http://www.google.com/search?num=50&hl=en&lr=&q=loader+ReactOS+&btnG=Search
http://www.google.com/search?hl=en&q=+ReactOS&btnG=Google+Search

****************************************
***********My note for all:*************
****************************************
Some people ask me why I don't try some API calls such as CreateProcess or ...;
I must say that all of the API instructions that I know can only run an exe file from disk (cannot execute from disk).

Also some people say, "try to hide your exe file", for example change its extension to ".jpg" and then run it. I know that it is possible to run my exe with a .jpg extension without changing the extension to .EXE:
CreateProcess("filename.jpg",NULL,NULL,NULL,false,0,NULL,NULL,&si,&pi);
Yes, it works,
but the user can easily find my exe by renaming it!!! (the user can change jpg to exe)
Because some of my EXEs that I want to execute from memory need the internet, if your firewall prompts that "filename.jpg" needs to access the internet, what do you think? You would really think that filename.jpg is an exe file, and that's not good for me.

Please help me solve my problem.
I really need code (or maybe a program) that can execute an EXE file from memory.
Also, if it's not possible,
please help me add some instructions to the start of an EXE file. I mean that if the user wants to run the exe file, my code lines run first.

Quote:
Original post by Ahmadi
can work on a stream or other data structure in memory? also process is equal to whole of an exe file? for example maybe my exe be "Photoshop.exe", also it can work?


Not on a stream. The POBJECT_ATTRIBUTES parameter is a pointer to a data structure. A process is not equal to an exe file. The exe file is the program. The process is a static container that maintains the resources necessary for a thread to execute. Don't experiment with your photoshop.exe, stick to notepad.exe. If you screw anything up accidentally, you'll be glad it was notepad that died and not photoshop.

Honestly, from our conversation, it sounds to me that the endeavor exceeds your present abilities. Keep studying programming, learn as much as you can about the operating system, how it operates at a low level, learn as much as you can about x86 CPUs, learn some assembly language, maybe even learn how to write device drivers and such, and then you'll be ready to tackle a project like this one.

Here's a link to ReactOS. Download the source code and poke around through it. See if that's the kind of code that interests you.

Quote:
Original post by LessBread
Not on a stream. The POBJECT_ATTRIBUTES parameter is a pointer to a data structure. A process is not equal to an exe file. The exe file is the program. The process is a static container that maintains the resources necessary for a thread to execute. Don't experiment with your photoshop.exe, stick to notepad.exe. If you screw anything up accidentally, you'll be glad it was notepad that died and not photoshop.

Honestly, from our conversation, it sounds to me that the endeavor exceeds your present abilities. Keep studying programming, learn as much as you can about the operating system, how it operates at a low level, learn as much as you can about x86 CPUs, learn some assembly language, maybe even learn how to write device drivers and such, and then you'll be ready to tackle a project like this one.

Here's a link to ReactOS. Download the source code and poke around through it. See if that's the kind of code that interests you.

I think it's better that you know my goal.
My clear description of the situation is:
I want to create a program lock; you can import one exe into it (for example the exe of Notepad or Photoshop or ...) and then my app must create a coded exe from it (your exe).
In future, only my program can run the coded exe, and it is not possible for the user to run the exe directly.

It is possible for my program to decode the exe on the hard disk and then run it, but that does not have good security. I need to decode the program in memory and then run it from memory.

If I want to describe my goal in a few words, I must say:
my program is a software lock that needs a password from the user to execute an application.

Software locks are not 100% secure. They'll keep out amateurs but a determined individual with some knowledge and skills could break through them. You might consider adapting the UPX source code to fit your needs. The UPX authors decided against adding password protection, [1], but that doesn't mean you can't give it a shot.

Quote:
Original post by Ahmadi
Quote:
Original post by LessBread
Not on a stream. The POBJECT_ATTRIBUTES parameter is a pointer to a data structure. A process is not equal to an exe file. The exe file is the program. The process is a static container that maintains the resources necessary for a thread to execute. Don't experiment with your photoshop.exe, stick to notepad.exe. If you screw anything up accidentally, you'll be glad it was notepad that died and not photoshop.

Honestly, from our conversation, it sounds to me that the endeavor exceeds your present abilities. Keep studying programming, learn as much as you can about the operating system, how it operates at a low level, learn as much as you can about x86 CPUs, learn some assembly language, maybe even learn how to write device drivers and such, and then you'll be ready to tackle a project like this one.

Here's a link to ReactOS. Download the source code and poke around through it. See if that's the kind of code that interests you.

I think it's better that you know my goal.
My clear description of the situation is:
I want to create a program lock; you can import one exe into it (for example the exe of Notepad or Photoshop or ...) and then my app must create a coded exe from it (your exe).
In future, only my program can run the coded exe, and it is not possible for the user to run the exe directly.

It is possible for my program to decode the exe on the hard disk and then run it, but that does not have good security. I need to decode the program in memory and then run it from memory.

If I want to describe my goal in a few words, I must say:
my program is a software lock that needs a password from the user to execute an application.

All the user needs to do is use a memory editor to grab your program from RAM. It's not going to be that involved.

If you don't need to spawn a new process, then it should be possible using the methods people have described. Load the EXE exactly how This Link shows for a DLL, then jump to the entry point. Look at the PE format to find out where the entry point is, and then just jump to it.

As LessBread said though, this is all very in depth and low level, and it seems like this is above your ability. I would imagine that UPX does it the same way as I described, I'll go and have a look at the source now.

[Edited by - LessBread on March 27, 2006 2:29:38 PM]

Like someone said before, it's futile what you are doing per se. I have written something that sounds a lot like what you want; I used a temporary EXE, and I didn't even hide it that well, as a matter of fact. Instead of that, make the EXE dependent on the loader :). By that I mean, export functions from the loader as though it were actually a dll. For the executable, simply have it check that its calling process was the executable in order for it to run; that should thwart most hackers (provided you are encrypting the file while within the exe, etc).

Now there are other things you can do to ensure that it only gets run from the sandbox program. Though any of these ways, you are going to have to modify the host executable somewhat.

I think you should look at some EXE packer/cryptor sources, how they work and why.
They do not store the entire EXE along with a generic decoder EXE, but they patch the original EXE and add their decryptor/decompressor stuff.

If you want to write a password protector, you will have to learn the EXE file formats, otherwise it is going to take 2 minutes and a hex editor to rip the protected file.

