
Running PE file in memory


Chang, Wooi-Po

Mar 24, 2003, 5:15:20 PM
Hi,

Can anyone lead me to how to run a PE file without putting it on a
physical disk?
Something like PKlite and ZipMagic did.
I would expect CreateProcess, but it needs an application name as
something on the disk.

Regards,
Wooi Po


Tim Robinson

Mar 24, 2003, 5:34:55 PM
"Chang, Wooi-Po" <san...@hotmail.com> wrote in message
news:10485441...@cswreg.cos.agilent.com...

Short answer: you can't.

Long answer: you possibly could, but you'd have to dig deep within the
internals of Windows to achieve it.

--
Tim Robinson (MVP, Windows SDK)
http://www.themobius.co.uk/


James Brown

Mar 24, 2003, 5:57:04 PM
Gary Nebbet posted this a while back: I hope he doesn't mind me reposting:

#include <windows.h>

// ZwUnmapViewOfSection is exported by ntdll.dll but not declared in
// windows.h; link against ntdll.lib (or resolve it with GetProcAddress).
extern "C" NTSYSAPI LONG NTAPI ZwUnmapViewOfSection(HANDLE, PVOID);

// Translate the IMAGE_SCN_MEM_EXECUTE / _READ / _WRITE bits (bits 29, 30
// and 31 of a section's Characteristics) into a PAGE_* protection. The
// shift leaves a 3-bit index W<<2 | R<<1 | X into this table.
ULONG protect(ULONG characteristics)
{
    static const ULONG mapping[]
        = {PAGE_NOACCESS, PAGE_EXECUTE, PAGE_READONLY, PAGE_EXECUTE_READ,
           PAGE_READWRITE, PAGE_EXECUTE_READWRITE, PAGE_READWRITE,
           PAGE_EXECUTE_READWRITE};

    return mapping[characteristics >> 29];
}

int main(int argc, char *argv[])
{
    PROCESS_INFORMATION pi;
    STARTUPINFOA si = {sizeof si};
    char cmdline[] = "cmd";    // CreateProcess may modify this buffer

    // Start the host process suspended: its image is mapped, but none of
    // its code has run yet.
    if (!CreateProcessA(0, cmdline, 0, 0, FALSE, CREATE_SUSPENDED, 0, 0,
                        &si, &pi))
        return 1;

    // For a 32-bit process on x86 the initial thread starts with Ebx = PEB
    // and Eax = image entry point, so this must be built and run as 32-bit
    // against a 32-bit target.
    CONTEXT context = {CONTEXT_INTEGER};
    GetThreadContext(pi.hThread, &context);

    // PEB+8 is ImageBaseAddress: read the host image's base address ...
    PVOID x;
    ReadProcessMemory(pi.hProcess, PCHAR(context.Ebx) + 8, &x, sizeof x, 0);

    // ... and unmap the host image from the new process.
    ZwUnmapViewOfSection(pi.hProcess, x);

    // The replacement image is a resource of type "EXE" named "Image"
    // embedded in this executable; nothing is written to disk.
    PVOID p = LockResource(LoadResource(0, FindResourceA(0, "Image", "EXE")));
    if (!p)
        return 1;

    PIMAGE_NT_HEADERS nt = PIMAGE_NT_HEADERS(PCHAR(p) +
                                             PIMAGE_DOS_HEADER(p)->e_lfanew);

    // Reserve and commit the image at its preferred base. No relocations
    // are applied, so this fails if that range is already in use there.
    PVOID q = VirtualAllocEx(pi.hProcess,
                             PVOID(nt->OptionalHeader.ImageBase),
                             nt->OptionalHeader.SizeOfImage,
                             MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!q)
        return 1;

    // Copy the headers to the image base, then each section from its file
    // offset (PointerToRawData) to its RVA (VirtualAddress).
    WriteProcessMemory(pi.hProcess, q, p, nt->OptionalHeader.SizeOfHeaders, 0);

    PIMAGE_SECTION_HEADER sect = IMAGE_FIRST_SECTION(nt);

    for (ULONG i = 0; i < nt->FileHeader.NumberOfSections; i++) {
        WriteProcessMemory(pi.hProcess,
                           PCHAR(q) + sect[i].VirtualAddress,
                           PCHAR(p) + sect[i].PointerToRawData,
                           sect[i].SizeOfRawData, 0);

        ULONG old;
        VirtualProtectEx(pi.hProcess, PCHAR(q) + sect[i].VirtualAddress,
                         sect[i].Misc.VirtualSize,
                         protect(sect[i].Characteristics), &old);
    }

    // Point PEB->ImageBaseAddress at the new image and the thread's entry
    // register at the new entry point, then let the process run.
    WriteProcessMemory(pi.hProcess, PCHAR(context.Ebx) + 8, &q, sizeof q, 0);

    context.Eax = ULONG(q) + nt->OptionalHeader.AddressOfEntryPoint;

    SetThreadContext(pi.hThread, &context);
    ResumeThread(pi.hThread);

    return 0;
}


James
--
www.catch22.uk.net
Free Win32 Software, Source Code and Tutorials


"Tim Robinson" <tim.at.gaat.f...@nowhere.com> wrote in message
news:b5o166$2bable$1...@ID-103400.news.dfncis.de...

Chang, Wooi-Po

Mar 24, 2003, 6:22:42 PM
Looks great.
I see one NT native function. Does this mean this is going to run on NT-based
Windows only?
Any way to get it running on Win9x?

"James Brown" <PLEASEDONTSPA...@virgin.net> wrote in message
news:3e7f8d41$0$227$cc9e...@news.dial.pipex.com...

James Brown

Mar 25, 2003, 3:55:52 AM
Yes, this is an NT-only solution. It should be possible under Win9x using
a similar approach, but I don't know the OS well enough to confirm. You
might just be able to use UnmapViewOfFile instead of the Zw** function -
they should be identical in operation. Also, you might have to use the VxD
call _PageModifyPermissions under Win9x instead of VirtualProtectEx - again,
this is guesswork.

James
--
www.catch22.uk.net
Free Win32 Software, Source Code and Tutorials

"Chang, Wooi-Po" <san...@hotmail.com> wrote in message
news:10485481...@cswreg.cos.agilent.com...

Gernot Frisch

Mar 26, 2003, 2:36:06 AM
Er, just a question out of curiosity: What is a PE file and what does this
program do?

--
-Gernot

Dream Design Entertainment
- www.Dream-D-Sign.de -

To reply reverse "tonreG"


"James Brown" <PLEASEDONTSPA...@virgin.net> wrote in message
news:3e7f8d41$0$227$cc9e...@news.dial.pipex.com...

Tim Robinson

Mar 26, 2003, 3:57:30 AM
"Gernot Frisch" <tonreG...@Dream-D-Sign.de> wrote in message
news:b5rl9n$2baumc$1...@ID-37212.news.dfncis.de...

> Er, just a question out of curiosity: What is a PE file and what does
> this program do?

Windows EXEs and DLLs follow the PE format, just as Windows 3.1 EXEs and
DLLs follow the NE format and DOS EXEs follow the MZ format.

This program creates a new copy of CMD.EXE but doesn't let it run yet. It
then removes CMD.EXE from its memory and replaces it with arbitrary data, in
this case from the parent program's resources.
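The "replaces it with arbitrary data" step Tim describes is the part of the posted program that does not need a live process: read the PE headers, copy the headers and then each section from its file offset to its RVA, and choose a page protection from the section flags. The following is an added example, not code from this thread or from Gary Nebbett's program, that performs that mapping into a plain buffer in portable C so it can be run and tested anywhere. It reuses the same three-bit protection table as the posted protect() function and adds the bounds checks on header fields that the posted loader does not make (a hostile or corrupt image can otherwise drive WriteProcessMemory with sizes and offsets outside the resource or the allocation). The function names map_pe32, build_sample_pe and protect_for are mine; the PAGE_* values and header offsets are those of the PE32 format; the sample PE is constructed in memory and is not a real binary; a little-endian host is assumed.

```c
/* Added example, not from the thread: the file-to-memory mapping step of the
 * posted loader on plain buffers. PE32 only; assumes a little-endian host. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* PAGE_* values as in winnt.h, so no Windows header is needed. */
enum { PAGE_NOACCESS = 0x01, PAGE_READONLY = 0x02, PAGE_READWRITE = 0x04,
       PAGE_EXECUTE = 0x10, PAGE_EXECUTE_READ = 0x20, PAGE_EXECUTE_READWRITE = 0x40 };
#define MAX_SECTIONS 16

typedef struct {
    uint8_t *image;                       /* SizeOfImage bytes in loader layout */
    uint32_t size, entry_rva, nsections, section_protect[MAX_SECTIONS];
} mapped_image;

static uint16_t rd16(const uint8_t *p, size_t o) { uint16_t v; memcpy(&v, p + o, 2); return v; }
static uint32_t rd32(const uint8_t *p, size_t o) { uint32_t v; memcpy(&v, p + o, 4); return v; }
static void wr16(uint8_t *p, size_t o, uint16_t v) { memcpy(p + o, &v, 2); }
static void wr32(uint8_t *p, size_t o, uint32_t v) { memcpy(p + o, &v, 4); }

/* Same table as protect() in the posted code: IMAGE_SCN_MEM_EXECUTE, _READ and
 * _WRITE are bits 29..31, so Characteristics >> 29 is the index W<<2 | R<<1 | X. */
uint32_t protect_for(uint32_t characteristics)
{
    static const uint32_t mapping[8] = {
        PAGE_NOACCESS, PAGE_EXECUTE, PAGE_READONLY, PAGE_EXECUTE_READ,
        PAGE_READWRITE, PAGE_EXECUTE_READWRITE, PAGE_READWRITE, PAGE_EXECUTE_READWRITE };
    return mapping[characteristics >> 29];
}

/* Lay out a PE32 file image as the loader would: headers at RVA 0, each section
 * copied from PointerToRawData to VirtualAddress, everything else zero. Returns
 * -1 when a header field points outside the file or the image; the posted
 * loader trusts those fields without checking them. */
int map_pe32(const uint8_t *file, size_t file_len, mapped_image *out)
{
    memset(out, 0, sizeof *out);
    if (file_len < 0x40 || rd16(file, 0) != 0x5A4D) return -1;                   /* "MZ" */
    uint32_t nt = rd32(file, 0x3C);                                                /* e_lfanew */
    if ((uint64_t)nt + 88 > file_len || rd32(file, nt) != 0x00004550) return -1;  /* "PE\0\0" */
    if (rd16(file, nt + 24) != 0x10B) return -1;                                   /* PE32 magic */
    uint32_t nsec = rd16(file, nt + 6), opt_size = rd16(file, nt + 20);
    uint32_t size_of_image = rd32(file, nt + 80), size_of_headers = rd32(file, nt + 84);
    uint32_t sect_tbl = nt + 24 + opt_size;                  /* first IMAGE_SECTION_HEADER */
    if (nsec > MAX_SECTIONS || size_of_headers > file_len || size_of_headers > size_of_image ||
        (uint64_t)sect_tbl + 40u * nsec > size_of_headers) return -1;
    if (!(out->image = calloc(size_of_image, 1))) return -1;
    out->size = size_of_image; out->nsections = nsec;
    out->entry_rva = rd32(file, nt + 40);                    /* AddressOfEntryPoint */
    memcpy(out->image, file, size_of_headers);
    for (uint32_t i = 0; i < nsec; i++) {
        uint32_t s = sect_tbl + 40 * i;
        uint32_t vsize = rd32(file, s + 8),  va  = rd32(file, s + 12);
        uint32_t raw   = rd32(file, s + 16), ptr = rd32(file, s + 20);
        if ((uint64_t)ptr + raw > file_len || (uint64_t)va + raw > size_of_image ||
            (uint64_t)va + vsize > size_of_image) { free(out->image); out->image = NULL; return -1; }
        memcpy(out->image + va, file + ptr, raw);            /* VirtualSize > raw stays zero */
        out->section_protect[i] = protect_for(rd32(file, s + 36));
    }
    return 0;
}

/* Constructed sample input, not a real binary: 0x200 bytes of headers, .text (RX)
 * at RVA 0x1000 and .data (RW) at RVA 0x2000 with VirtualSize 0x800 > raw 0x200. */
size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    const uint32_t nt = 0x40, sect = nt + 24 + 224;          /* 224: PE32 optional header */
    if (cap < 0x600) return 0;
    memset(buf, 0, 0x600);
    wr16(buf, 0, 0x5A4D);          wr32(buf, 0x3C, nt);
    wr32(buf, nt, 0x00004550);     wr16(buf, nt + 4, 0x14C);       /* IMAGE_FILE_MACHINE_I386 */
    wr16(buf, nt + 6, 2);          wr16(buf, nt + 20, 224);
    wr16(buf, nt + 24, 0x10B);     wr32(buf, nt + 40, 0x1000);     /* entry point in .text */
    wr32(buf, nt + 52, 0x00400000);                                 /* ImageBase */
    wr32(buf, nt + 56, 0x1000);    wr32(buf, nt + 60, 0x200);      /* section/file alignment */
    wr32(buf, nt + 80, 0x3000);    wr32(buf, nt + 84, 0x200);      /* SizeOfImage, SizeOfHeaders */
    memcpy(buf + sect, ".text", 5);
    wr32(buf, sect + 8, 0x200);    wr32(buf, sect + 12, 0x1000);
    wr32(buf, sect + 16, 0x200);   wr32(buf, sect + 20, 0x200);
    wr32(buf, sect + 36, 0x60000020);                               /* CODE|EXECUTE|READ */
    memcpy(buf + sect + 40, ".data", 5);
    wr32(buf, sect + 48, 0x800);   wr32(buf, sect + 52, 0x2000);
    wr32(buf, sect + 56, 0x200);   wr32(buf, sect + 60, 0x400);
    wr32(buf, sect + 76, 0xC0000040);                               /* INITIALIZED_DATA|READ|WRITE */
    buf[0x200] = 0xC3;                                              /* .text: a single ret */
    memcpy(buf + 0x400, "hello", 6);                                /* .data contents */
    return 0x600;
}

int main(void)
{
    uint8_t file[0x600]; mapped_image img;
    if (map_pe32(file, build_sample_pe(file, sizeof file), &img) != 0) return 1;
    printf("entry RVA 0x%x, .text 0x%x, .data 0x%x\n", (unsigned)img.entry_rva,
           (unsigned)img.section_protect[0], (unsigned)img.section_protect[1]);
    free(img.image);
    return 0;
}
```

Build with any C99 compiler (cc -std=c99 mapper.c) and run it; main prints the entry RVA and the PAGE_EXECUTE_READ / PAGE_READWRITE chosen for the two constructed sections. Feeding a real 32-bit executable's bytes to map_pe32 gives the same layout the posted code produces in the target with VirtualAllocEx and WriteProcessMemory, except that this example stops at the raw layout: it does not apply relocations or resolve imports, and it deliberately refuses images whose section table, raw sizes or virtual sizes point outside the file or the image, which is the check the posted loop lacks.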
