
Launch an exec / proc from memory


Hanger_man

Dec 13, 2000, 11:53:19 AM12/13/00
Hi,
I have loaded an entire binary executable file into memory; is there any way to launch
this application without writing it to disk?
Hanger man


Tom Stewart

Dec 13, 2000, 3:04:41 PM12/13/00
In article <9189gp$2u...@news.vtx.ch>,

Look for the recent thread "Creating a process without a file..." or
specifically, for this message pointed to within that thread:
http://www.deja.com/getdoc.xp?AN=588030398
>
>

--
Content below this point not provided by me.


Sent via Deja.com
http://www.deja.com/

Gary Nebbett

Dec 14, 2000, 4:25:00 AM12/14/00
In article <918koi$5mq$1...@nnrp1.deja.com>, Tom Stewart <tast...@my-deja.com> wrote:
> In article <9189gp$2u...@news.vtx.ch>, "Hanger_man" <happy_ha...@yahoo.fr> wrote:
> > Hi,
> > I load a entire binary-exec file in memory, is there a possibility to launch
> > this applic without writing it to disk.
> > Hanger man
>
> Look for the recent thread "Creating a process without a file..." or
> specifically, for this message pointed to within that thread:
> http://www.deja.com/getdoc.xp?AN=588030398

Here is an improved and simplified version of the program from the referenced article.

Gary

#include <windows.h>

extern "C" NTSYSAPI LONG NTAPI ZwUnmapViewOfSection(HANDLE, PVOID);

// Translate a section's IMAGE_SCN_MEM_{EXECUTE,READ,WRITE} flags -- the top
// three bits of its Characteristics field -- into the PAGE_* constant handed
// to VirtualProtectEx.  After the shift, bit 0 is execute, bit 1 is read and
// bit 2 is write; every other Characteristics bit is ignored.  A write-only
// section is treated like read/write, and any section that is both writable
// and executable ends up as PAGE_EXECUTE_READWRITE (an RWX page).
ULONG protect(ULONG characteristics)
{
const ULONG flags = characteristics >> 29;

switch (flags) {
case 0: return PAGE_NOACCESS;
case 1: return PAGE_EXECUTE;
case 2: return PAGE_READONLY;
case 3: return PAGE_EXECUTE_READ;
case 4: return PAGE_READWRITE;
case 5: return PAGE_EXECUTE_READWRITE;
case 6: return PAGE_READWRITE;
default: return PAGE_EXECUTE_READWRITE; // 7: read + write + execute
}
}

// Historical demonstration (2000) of running an executable that exists only
// in memory: a "cmd" process is created suspended, its original image is
// unmapped, the EXE embedded in this binary's resources is copied into the
// child section by section, and the initial thread is pointed at the new
// entry point before it is resumed.
//
// Reviewer notes: this exact API sequence on a suspended child
// (CreateProcess+CREATE_SUSPENDED, ZwUnmapViewOfSection, VirtualAllocEx and
// WriteProcessMemory into another process, SetThreadContext, ResumeThread)
// is what endpoint monitoring and ETW-based telemetry treat as the signature
// of "process hollowing"; it is kept here for reference, not as a pattern to
// reuse.  No return value is checked, so any failure leaves a suspended or
// partially written child behind.  It is x86-only: it relies on the Ebx and
// Eax members of CONTEXT and on ULONG-sized pointers.
int main(int argc, char *argv[])
{
PROCESS_INFORMATION pi;
STARTUPINFO si = {sizeof si};

// Child is created suspended, so its initial thread has not run yet;
// "cmd" is resolved through the normal CreateProcess search path.
CreateProcess(0, "cmd", 0, 0, FALSE, CREATE_SUSPENDED, 0, 0, &si, &pi);

// Only the integer register set is needed (Ebx and Eax are used below).
CONTEXT context = {CONTEXT_INTEGER};

GetThreadContext(pi.hThread, &context);

// Reads the pointer stored 8 bytes past the address held in Ebx.
// Presumably Ebx holds the child's PEB and offset 8 is its image base
// address -- TODO confirm against the PEB layout of the target OS.
PVOID x; ReadProcessMemory(pi.hProcess, PCHAR(context.Ebx) + 8, &x, sizeof x, 0);

// Undocumented native call (declared above): unmaps the child's original
// executable image so its address range becomes free.
ZwUnmapViewOfSection(pi.hProcess, x);

// The replacement image is stored in this executable's resources as name
// "Image" of custom type "EXE"; p points at its raw file bytes.
PVOID p = LockResource(LoadResource(0, FindResource(0, "Image", "EXE")));

// Locate the PE header through the DOS header's e_lfanew.  Neither the MZ/PE
// signatures nor e_lfanew are validated against the resource size.
PIMAGE_NT_HEADERS nt = PIMAGE_NT_HEADERS(PCHAR(p) + PIMAGE_DOS_HEADER(p)->e_lfanew);

// Reserve and commit the full image at its preferred base inside the child.
// There is no relocation handling: if that base is unavailable q is NULL
// (unchecked) and every address computed below is relative to NULL.
PVOID q = VirtualAllocEx(pi.hProcess,
PVOID(nt->OptionalHeader.ImageBase),
nt->OptionalHeader.SizeOfImage,
MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);

// Copy the headers first, then each section's raw data to its RVA.
WriteProcessMemory(pi.hProcess, q, p, nt->OptionalHeader.SizeOfHeaders, 0);

PIMAGE_SECTION_HEADER sect = IMAGE_FIRST_SECTION(nt);

for (ULONG i = 0; i < nt->FileHeader.NumberOfSections; i++) {

// SizeOfRawData bytes are copied from PointerToRawData; the section's
// fields are trusted as-is, with no bounds check against the resource.
WriteProcessMemory(pi.hProcess,
PCHAR(q) + sect[i].VirtualAddress,
PCHAR(p) + sect[i].PointerToRawData,
sect[i].SizeOfRawData, 0);

// Receives the previous protection.  Shadows the outer x; unrelated to it.
ULONG x;

// Apply the section's own R/W/X flags via protect().  A section marked
// writable+executable becomes an RWX page, a second common detection signal.
VirtualProtectEx(pi.hProcess, PCHAR(q) + sect[i].VirtualAddress, sect[i].Misc.VirtualSize,
protect(sect[i].Characteristics), &x);
}

// Write the new image base back to the same slot that was read above,
// presumably so the child's loader (which has not run yet) sees the injected
// image as the process executable -- TODO confirm.
WriteProcessMemory(pi.hProcess, PCHAR(context.Ebx) + 8, &q, sizeof q, 0);

// Redirect the initial thread to the injected image's entry point.
// Assumes Eax carries the thread's start address on this platform -- TODO confirm.
context.Eax = ULONG(q) + nt->OptionalHeader.AddressOfEntryPoint;

SetThreadContext(pi.hThread, &context);

ResumeThread(pi.hThread);

// pi.hProcess / pi.hThread are never closed; argc and argv are unused.
return 0;
}
