flat assembler
Message board for the users of flat assembler.

Index > Windows > Launch Executable from Memory ?

Overflowz (Joined: 03 Sep 2010, Posts: 1046), 14 Mar 2011, 19:21
Hello everyone! I have a little question for you. I'm interested in how I can launch an exe from memory. Here's the structure of what I mean:
1) I have an executable embedded into an executable (2 executables in 1 file).
2) I have the base address of the second executable (starting with MZ..).
3) Launch it without extracting the executable.
Is that possible?
And another thing, I'm interested in how to get the base address from the EP. I've tested some apps which start at 401000 (debugger EP); their EP is at 0+1024 (using a hex editor). But when I saw an app whose EP is 4517E0 (debugger EP), the hex editor shows that the EP is at 0+330720. I don't get the logic of how it is counted. Help :(
Thank you.


Last edited by Overflowz on 05 Apr 2011, 19:18; edited 2 times in total
b1528932 (Joined: 21 May 2010, Posts: 287), 14 Mar 2011, 20:07
Quote:
    And another thing, I'm interested in how to get the base address from the EP.

EP is just the entry point. I believe you really mean IB (image base). IB is the address at which the headers are loaded. Sections are loaded at the addresses from their headers. Those addresses are RVAs, relative to the image base.
Overflowz (Joined: 03 Sep 2010, Posts: 1046), 14 Mar 2011, 20:17
b1528932
Okay, I got it. And is there any way to do it like this? And how do I count the image base from the EP? (PE header + 38, 39 or 40, I don't remember = EP in the debugger)
Dex4u (Joined: 08 Feb 2005, Posts: 1601, Location: web), 14 Mar 2011, 23:52
This may not be what you want, but you will find it useful: http://comrade.ownz.com/projects/petools.html
Overflowz (Joined: 03 Sep 2010, Posts: 1046), 15 Mar 2011, 10:52
Dex4u
Nothing from them is useful for what I'm trying to do. I'll explain better now.
1) I have an executable (1.exe) which has another executable (2.exe) in its resources.
2) After starting 1.exe, it extracts 2.exe from the resources and executes it. 2.exe starts normally after extraction.
But can I do this without extracting it and just run the code from memory? I mean, can I execute the executable (2.exe) from the resources without extracting it to the HD?
b1528932 (Joined: 21 May 2010, Posts: 287), 15 Mar 2011, 18:05
Forget the EP. I can set it to any value I like. It only tells where to start executing code.
It can be anywhere: at the end, beginning, middle or even outside.

You can create a process using data from another exe, but it's undocumented, you will run into problems, and if you don't get that EP, it's also pointless.
Allocating memory, parsing exe headers and creating process/thread objects is not hard, but you also have to notify csrss about the new process and do other stuff I can't remember right now. Creating a process this way is pointless; I can't help you with that because I haven't done it myself.


Quote:
    I mean can I execute the executable (2.exe) from the resources without extracting it to the HD?

What do you mean by execute? Start executing code? Yes, just jump to it..
Or perhaps start executing code in a new process? I told you before, it's hard.
Creating a process manually will probably not work on some Windows versions, which you don't want to happen.

Also remember that if you extract a file from resources, most AVs will detect it as a trojan/dropper, so if you write malware consider if you really want to do it this way.
It's better to include the second file, and just execute the second one from the first one.
Overflowz (Joined: 03 Sep 2010, Posts: 1046), 15 Mar 2011, 19:20
b1528932
No mate, I'm not trying to write malware. I'm just trying to protect my files from being debugged/edited. But this is a nice idea for me and I'm always trying to find some way to do that. I think RunPE does what I'm asking for. But it's in VB and I don't understand it much.. I've tried so much but without luck. Look here for example: I'm trying to read a file from the HD, then parse it in memory and execute it. But the IAT and buffer and other things are destroyed because of the first exe..
[removed source for security reasons.]


Last edited by Overflowz on 18 Mar 2011, 21:02; edited 1 time in total
b1528932 (Joined: 21 May 2010, Posts: 287), 15 Mar 2011, 19:46
EP is a relative address from the image base.
Note that you do not know in which section it might be. You have to loop through the section table, and test if the EP is between the virtual address of a section and its size.

Also it is terrible code; I guess you use it only to test something. Don't mix API calls and function body like that: split it into many functions, create an abstraction layer, and check for errors, every single time, that's why they are there.
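The two observations Overflowz reports earlier in the thread (an entry point of 0x401000 found at file offset 1024, and one of 0x4517E0 found at file offset 330720) follow from exactly the section-table walk b1528932 describes above: the EP field holds an RVA, and the file offset is RVA minus the containing section's VirtualAddress plus its PointerToRawData. The Python below is an added example and not code from the thread or from the fasm project. It constructs a minimal PE32 or PE32+ header in memory (a labelled, constructed sample, not a real program) so it runs offline, and assumes a single .text section mapped at RVA 0x1000 from file offset 0x400, which is the common layout that reproduces the forum's numbers. It also reads AddressOfEntryPoint at 40 bytes past the "PE\0\0" signature, which is the offset Overflowz half-remembered.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes


def build_sample_pe(entry_rva, image_base=0x400000, pe32plus=False):
    """Constructed sample image: MZ stub, PE signature, COFF header, optional
    header and one .text section at RVA 0x1000 backed by file offset 0x400.
    Not a real program; only the fields the parser reads are meaningful."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt_size = 240 if pe32plus else 224
    coff = struct.pack(COFF_HDR, 0x8664 if pe32plus else 0x014C, 1, 0, 0, 0, opt_size, 0x0102)
    if pe32plus:
        # Magic, linker ver, SizeOfCode, SizeOfInitData, SizeOfUninitData, EP, BaseOfCode, ImageBase (8 bytes)
        opt = struct.pack("<HBBIIIIIQ", 0x20B, 0, 0, 0, 0, 0, entry_rva, 0x1000, image_base)
    else:
        # PE32 has a 4-byte BaseOfData before the 4-byte ImageBase
        opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000, image_base)
    opt = opt.ljust(opt_size, b"\x00")
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/linenums, Characteristics
    text = struct.pack(SECTION_HDR, b".text", 0x60000, 0x1000, 0x60000, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + text


def parse_pe(data):
    """Return (image base, entry point RVA, section table) from a PE image in
    file layout. Raises ValueError when the signatures or magic are wrong."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # PE signature + 40
    if magic == 0x10B:        # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:      # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": f[1], "virtual_address": f[2],
                         "raw_size": f[3], "raw_pointer": f[4]})
    return image_base, entry_rva, sections


def rva_to_file_offset(rva, sections):
    """Walk the section table, find the section whose virtual range contains
    rva, and translate it to a file offset. Returns (section name, offset);
    offset is None for an RVA that has no bytes on disk (uninitialised data).
    Headers before the first section are mapped 1:1, so such an RVA is its
    own file offset."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            delta = rva - s["virtual_address"]
            if delta >= s["raw_size"]:
                return s["name"], None
            return s["name"], delta + s["raw_pointer"]
    if sections and rva < sections[0]["virtual_address"]:
        return "(headers)", rva
    return None, None


def entry_point_info(data):
    image_base, entry_rva, sections = parse_pe(data)
    name, offset = rva_to_file_offset(entry_rva, sections)
    return {"image_base": image_base, "entry_rva": entry_rva,
            "entry_va": image_base + entry_rva, "section": name, "file_offset": offset}


if __name__ == "__main__":
    for rva in (0x1000, 0x517E0):
        info = entry_point_info(build_sample_pe(rva))
        print("EP VA 0x%X in %s -> file offset %d" % (info["entry_va"], info["section"], info["file_offset"]))
```

Run against a real file, replace build_sample_pe with the bytes of the executable; the walk is the same, and a result of None for the entry point is itself worth flagging during triage, since a legitimate linker does not place the entry point in a region with no file backing.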
Overflowz (Joined: 03 Sep 2010, Posts: 1046), 15 Mar 2011, 19:58
b1528932
Yes, I wrote it just for testing, using OllyDbg and watching everything there. Anyway I don't understand how to do that :( I think that's impossible lol )) I think there is 1 way to fix API calls, using the PEB. Am I right? I don't know about buffers.. and I don't know how to use the PEB either = impossible for me. I need a fresh example code of that to understand what to do ))
P.S. I found a Delphi source on the net; can someone translate it into FASM? )) Thank you.
[removed source for security reasons.]


Last edited by Overflowz on 18 Mar 2011, 21:02; edited 2 times in total
Feryno (Joined: 23 Mar 2005, Posts: 514, Location: Czech republic, Slovak republic), 16 Mar 2011, 08:48
Quote:
    Overflowz wrote:
    I'm just trying to protect my files from being debugged/edited.

Another approach, easier to implement (both 1.exe as well as 2.exe are the same file, so you won't extract anything):

1.exe runs itself again (GetCommandLine ... CreateProcess with the DEBUG_PROCESS flag)

the parent becomes the debugger of the child

both parent and child start to run from the same OEP, but some code splits execution into a parent procedure and a child procedure

the skeleton of such code looks like:

Code:
start:
        call    [IsDebuggerPresent]
        test    al,1
        jnz     child

parent:
        call    [GetCommandLine]
        invoke  [CreateProcess], rax, ... , DEBUG_PROCESS, ...
L0:
        call    [WaitForDebugEvent]
        ; more code here, e.g. jump to exit when intercepting the Exit Process debug event
        call    [ContinueDebugEvent]
        jmp     L0

child:
        ; your_protected_code


You have some samples in the fdbg package (projects section of the FASM forum); look there for the self_dbg directory in the package for Windows.
It is only for x64 (you must port it to i386 if your project is not x64).

Your code will be compatible among all versions of Windows; you won't need to manually create memory for the second exe nor parse the exe header / sections. You have to add some protection into the child proc (some instructions to generate exceptions) which will be handled in the parent debug loop (else the attacker may ignore the parent and start to debug the child process immediately; your child proc must essentially depend on the parent debugger, else such protection will be broken immediately; your child proc mustn't run correctly without its parent debugger).
Overflowz (Joined: 03 Sep 2010, Posts: 1046), 16 Mar 2011, 10:14
Feryno
Thanks for the reply! There is 1 more problem. Here's the structure of what I'm trying to do.
[1] 1.exe MUST start first because it modifies some data in 2.exe
[2] after the data is modified, it should run 2.exe without extracting.
That's what I'm asking for.. :( Anyway thanks for that useful code! :)
1 more thing, I'm opening the executable as a binary file and not as code to execute it..
pearlz (Joined: 07 Jun 2010, Posts: 55, Location: Viet Nam), 16 Mar 2011, 19:33
Quote:
    There is no API support for running an EXE from memory. Manually loading an exe and preparing it for execution is no trivial task (code is not for Windows), although I'm sure there are utilities and code out there that do it. The typical solution is to dump the image to a temporary file and run it from there.

source from: http://cboard.cprogramming.com/windows-programming/63419-loading-process-memory.html#5
Overflowz (Joined: 03 Sep 2010, Posts: 1046), 16 Mar 2011, 20:10
pearlz
I know that already. I need the "trick" for how to do that, because I've seen people already doing that thing! Watch the Delphi source that I've posted. :)
Feryno (Joined: 23 Mar 2005, Posts: 514, Location: Czech republic, Slovak republic), 17 Mar 2011, 13:17
You can do the same using debugger methods.
The parent (debugger) modifies the child (debuggee) on the fly; there is only 1 executable on the disk.
The most ugly way (for a reverser) is when the parent decrypts on the fly only the one instruction of the child which is executing, and after it is executed by the child the parent encrypts it back.
Some protectors under 16-bit DOS used this method.
It requires additional work under protected mode, but it can be done successfully as well.
Just try to debug these executables (I found my backports from x64 to i386).
I'll delete this attachment soon as I have reached the edge of the forum's quota limit (5 MB); let me know that you got it so I can delete it then.

The first sample a0C.exe uses the REPZ LODSD instruction to modify the child.
MazeGen likes such instructions very much http://board.flatassembler.net/topic.php?p=63103#63103
The second sample a0D.exe contains about 10 instructions to be decrypted/encrypted as they execute (who says that there can't be 10000 such instructions if you extend it in the future?)


Last edited by Feryno on 18 Mar 2011, 06:03; edited 1 time in total
Feryno (Joined: 23 Mar 2005, Posts: 514, Location: Czech republic, Slovak republic), 17 Mar 2011, 13:26
Sorry, the sample decrypting only the one instruction of the child which is executing exists at my place only in the x64 version.

edit 2011-03-18: deleted attachment


Last edited by Feryno on 18 Mar 2011, 06:03; edited 1 time in total
Overflowz (Joined: 03 Sep 2010, Posts: 1046), 17 Mar 2011, 13:36
Feryno
Well, downloaded, and thank you for helping! :) Anyway, I was going to write a packer or crypter or something like that (just an exercise for me). This is really hard for me, but I'll keep this and I'll learn it over time. Thank you! :)
typedef (Joined: 25 Jul 2010, Posts: 2909, Location: 0x77760000), 18 Mar 2011, 00:23
Did you mean this?

Code:
proc SomeProc
        PUSH    EBP
        MOV     EBP,ESP
        ; use EBP and ESP here
        MOV     EAX,[SomeVarWithAMemoryValue]

        ; If passed on the stack:
        ;   ESP = EIP
        ;
        ; If the system pushed a flag (some error happened):
        ;   ESP     = Error code
        ;   ESP + 4 = EIP
        ;   ESP + 8 = Parameters
        ;   ESP + A = Eflags

        MOV     EBP,EAX
        POP     EBP
        ret
endp            ; You know where this will jump to


; In memory, assuming everything is set up fine

proc SomeMemoryAddressToBeJumpedTo
        PUSH    MB_OK
        PUSH    someVar         ; My title
        PUSH    someVar2        ; I come in peace !
        PUSH    0
        call    [MessageBox]
        MOV     EBP,ESP
        ret
endp


I think that is what you need, maybe (rolling eyes)

You can test it with OllyDbg.... I use the Pelles-C debugger; it works well too.
Overflowz (Joined: 03 Sep 2010, Posts: 1046), 18 Mar 2011, 09:31
typedef
Wish I had commands hehe :) I have dumped the executable file in memory (starting with the MZ header 4d 5a, instructions etc..) and I have no idea how to make it start without dumping it on the hard drive.. :) Just imagine, I have an executable file that only shows a message box, but in its resources it has another executable file which shows another message box, and it can only be started after dumping it on the HD and then executing it. But I need to do it without dumping it on the HD, got it? :P
Overflowz (Joined: 03 Sep 2010, Posts: 1046), 18 Mar 2011, 12:21
removed source for security reasons.


Last edited by Overflowz on 18 Mar 2011, 21:02; edited 3 times in total
Overflowz (Joined: 03 Sep 2010, Posts: 1046), 18 Mar 2011, 20:59
Hey! I thought much and much and I think I got the solution for this! I'll remove the source codes for security reasons. SOLVED!
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
