flat assembler
Message board for the users of flat assembler.

Index > Windows > Launch Executable from Memory ?

Goto page Previous  1, 2, 3, 4, 5  Next
Author
Thread Post new topic Reply to topic
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 18 Mar 2011, 21:34
This is what it does..... Reads a binary executable file from resource table.

It calls VirtualAllocEX, which allocates some memory in it's space, with the size being that of the binary file read, it then reads the binary file into PE structures and starts a process at the allocated address, using those PE structures.
Post 18 Mar 2011, 21:34
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 18 Mar 2011, 21:35
PM me of what you found....
Post 18 Mar 2011, 21:35
View user's profile Send private message Reply with quote
ctl3d32



Joined: 30 Dec 2009
Posts: 206
Location: Brazil
ctl3d32 19 Mar 2011, 02:45
There is a static library in MASM32 forum. One of there days i will try to convert it. For those who want it, here is the link: http://www.masm32.com/board/index.php?topic=3150.0

Share your knowledge! Free Assange! Smile

edit: Sorry...


Last edited by ctl3d32 on 19 Mar 2011, 11:29; edited 1 time in total
Post 19 Mar 2011, 02:45
View user's profile Send private message Reply with quote
Tyler



Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
Tyler 19 Mar 2011, 03:52
Quote:

Free Assage!

Get it right, Assange. Razz
Post 19 Mar 2011, 03:52
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 05 Apr 2011, 19:18
First of all, I must say really sorry for writing [SOLVED] thing on topic because what I though was just theory. I'd better ask someone before I do something. I'm still stuck here. I'm learning PE things but I can't get it right so.. I'm trying easy way first. Loading functions from memory libs. I did something like this, I've found kernel base address, then I go to PE header and Export Data Directory. But I don't understand what should I do there now.. Here's code and can anybody finish this for me ? Smile I'm trying a lot but I really can't figure out because I think it's really hard for me I guess. Here's what I'm trying first.
Code:
     push esi                    ;/
     xor eax,eax                 ;|
     mov eax,[fs:0x30]           ;|
     mov eax,[eax+0x0c]          ;|    Get KERNELBASE..
     mov esi,[eax+0x1c]          ;|
     lodsd                       ;|
     mov eax,[eax+0x8]           ;\
     pop esi

     mov ecx,[eax+0x3c] 
     add eax,ecx               ;PE Header
     mov ecx,[eax+0x78]   
     add eax,ecx               ;IMAGE_EXPORT_DIRECTORY
     ret
    

How should I check for functions now ? Just someone give me little example how to get just 1 function from it and call. I've tried google but without luck. also, I can't understand Iczelions tutorial about EXPORT TABLE.. and also, I had this idea when I wrote solved. Smile
1)Allocate memory for EXE which are inside resources.
2)Copy resource's EXE in memory
3)Start current process with CREATE_SUSPEND state.
4)ReadProcessMemory of allocated EXE's space.
5)WriteProcessMemory on current process with allocated EXE's data.
6)Resume Process.
But I can't figure out how to do this and don't know if this would work. Both things will be good for me, how to execute from memory and call function from memory too.
Regards and very very thanks to this forum and people here. Smile
Post 05 Apr 2011, 19:18
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 05 Apr 2011, 23:20
Try these

CreateFileMapping
MapViewOfFile with FILE_MAP_EXECUTE
CopyMemory/RtlCopyMemory
UnMapViewOfFile

"To have a file with executable permissions, an application must call CreateFileMapping with either PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_READ, and then call MapViewOfFile with FILE_MAP_EXECUTE | FILE_MAP_WRITE or FILE_MAP_EXECUTE | FILE_MAP_READ."
- MSDN : http://msdn.microsoft.com/en-us/library/aa366761%28v=vs.85%29.aspx

Ex.
http://msdn.microsoft.com/en-us/library/aa366551%28v=vs.85%29.aspx


Last edited by typedef on 06 Apr 2011, 00:42; edited 1 time in total
Post 05 Apr 2011, 23:20
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 05 Apr 2011, 23:41
Overflowz: Do you need your dropper to execute your payload in separate process, or can it be within same process? By "without extracting" you mean you don't want to code PE loader yourself but you want to use some existing loader which supports this? Note that such unusual activity might be easily picked up by heuristic scanner.
Post 05 Apr 2011, 23:41
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 06 Apr 2011, 00:09
typedef
I've saw lot of examples which were using that API calls but I don't understand none of them, even after read MSND..
vid
Nope, I'm not writing viruses.. Smile I'm just learning the way how to do that, thats all.. I'm interested how to do it myself and I know there are lot of examples and I have lot of them and trying to study on them but I can't figure out...

I need just small example how those things could work. Smile
Regards.
Post 06 Apr 2011, 00:09
View user's profile Send private message Reply with quote
ctl3d32



Joined: 30 Dec 2009
Posts: 206
Location: Brazil
ctl3d32 06 Apr 2011, 10:38
Take a look at my previous post. It does exactly what you want. You'll just have to port it from MASM.
Post 06 Apr 2011, 10:38
View user's profile Send private message Reply with quote
sinsi



Joined: 10 Aug 2007
Posts: 789
Location: Adelaide
sinsi 06 Apr 2011, 11:15
Maybe this could help, to see how much work is involved...
What Goes On Inside Windows 2000: Solving the Mysteries of the Loader

The problem can be that windows changes things as it 'evolves' so if it works in XPSP2 it's broken in XPSP3.

ctl3d32, that was my thought too, that's not the only example.
MASM to FASM and vice versa is easy (thanks Tomasz Very Happy ).
Post 06 Apr 2011, 11:15
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 06 Apr 2011, 12:10
ctl3d32
I'm sorry but I can't understand that.. That's hard way I guess..
Here's another one what I'm trying right now but I'm getting ERROR_NOACCESS on VirtualProtect API.. Can someone fix this for me ? I've tried alot but without success.. Thank you.
Code:
format PE GUI 4.0
include 'WIN32A.INC'
entry main
section '.data' data readable writeable
fname db 'msg1.exe',0
hFile dd ?
nSize dd ?
alloc dd ?
rbytes dd ?
lpBytesRead dd ?
lpBuffer dd ?
junk dd ?
pHandle dd ?
pinfo PROCESS_INFORMATION
sinfo STARTUPINFO
section '.text' code readable executable
proc main
invoke CreateFile,fname,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
mov [hFile],eax
invoke GetFileSize,eax,0
mov [nSize],eax
invoke GlobalAlloc,0,eax
mov [alloc],eax
invoke ReadFile,[hFile],eax,[nSize],lpBytesRead,0
invoke CloseHandle,[hFile]
invoke GetModuleFileName,0,lpBuffer,100
invoke CreateProcess,lpBuffer,0,0,0,0,CREATE_SUSPENDED,0,0,sinfo,pinfo
mov eax,[pinfo.hThread]
push eax
invoke OpenProcess,PROCESS_ALL_ACCESS,0,[pinfo.dwProcessId]
mov [pHandle],eax
invoke ReadProcessMemory,[pHandle],0x400000,junk,[nSize],0
invoke GetCurrentProcessId
invoke OpenProcess,PROCESS_ALL_ACCESS,0,eax
invoke VirtualProtect,0x400000,[nSize],PAGE_EXECUTE_READWRITE,0
invoke WriteProcessMemory,eax,0x400000,junk,[nSize],0
pop eax
invoke ResumeThread,eax
ret
endp

section '.idata' import data readable
library user32,'user32.dll',\
        kernel32,'kernel32.dll'

include 'API\USER32.INC'
include 'API\KERNEL32.INC'
section '.reloc' fixups data discardable readable    


at first, everything is okay here (No errors in debugger). Problem is after calling WriteProcessMemory but it was giving same error "ERROR_NOACCESS" and I've tried VirtualProtect but still same thing.. Any suggestions ?
Regards.
Post 06 Apr 2011, 12:10
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 06 Apr 2011, 13:43
what is in junk ? It looks like a pointer to me not any kind of data.
Post 06 Apr 2011, 13:43
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 06 Apr 2011, 13:49
Try using one of these flags for VirtualProtect

    PAGE_EXECUTE_READ

    or

    PAGE_EXECUTE_READWRITE


As this page says http://msdn.microsoft.com/en-us/library/aa366786%28v=vs.85%29.aspx
Post 06 Apr 2011, 13:49
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 06 Apr 2011, 14:25
typedef
junk is just data where ReadProcessMemory saves data there.

and also, I've got same problem, it says ERROR_INVALID_PARAMETER.
Code:
invoke VirtualProtect,0x400000,[nSize],PAGE_EXECUTE_READ OR PAGE_EXECUTE_READWRITE,0    

and also, I've tried this too but same result.
Code:
invoke VirtualProtect,0x400000,[nSize],PAGE_EXECUTE_READ OR PAGE_EXECUTE_READWRITE,somebufferhere    
Post 06 Apr 2011, 14:25
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 06 Apr 2011, 14:35
http://msdn.microsoft.com/en-us/library/aa366898(v=vs.85).aspx

read carefully about flNewProtect
Post 06 Apr 2011, 14:35
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 06 Apr 2011, 14:39
P.S I've done this and works perfect now but It's not writing data in process.. It executes still same process, not another one. Here's what I've done and shows no errors.. Smile
Code:
invoke VirtualProtect,0x400000,[nSize],PAGE_EXECUTE_READ OR PAGE_READWRITE,somebufferhere    

Any help ?
Post 06 Apr 2011, 14:39
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 06 Apr 2011, 14:42
vid
I'm sorry, I don't understand too much English and programming and also MSDN.. Smile Just trying everything with guessing.. Sad
Post 06 Apr 2011, 14:42
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 06 Apr 2011, 21:35
Code:
invoke VirtualProtect,0x400000,[nSize],PAGE_EXECUTE_READ + PAGE_READWRITE,somebufferhere
    


NOT

Code:
invoke VirtualProtect,0x400000,[nSize],PAGE_EXECUTE_READ OR PAGE_READWRITE,somebufferhere
    


You are ORing two values if you use bit OR, use '+' for logical or
Post 06 Apr 2011, 21:35
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 06 Apr 2011, 23:48
typedef, no, keep using "OR", if you by mistake set the same flag twice (e.g. by using two symbols sharing some or all the flags), then you'll end up setting the incorrect flags. For instance, doing "PAGE_EXECUTE_READ OR PAGE_EXECUTE_READ" will result in 0x20 while "PAGE_EXECUTE_READ + PAGE_EXECUTE_READ" will result in 0x40 which is the value for PAGE_EXECUTE_READWRITE.

Finally, logical or (which can't be used here, BTW), is "|", not "+".
Post 06 Apr 2011, 23:48
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 07 Apr 2011, 00:27
LocoDelAssembly wrote:


Finally, logical or (which can't be used here, BTW), is "|", not "+".


I was just trying to point out to him that in C++ we use combined flags
like MB_OK | MB_ICONERROR in FASM its MB_OK + MB_ICONERROR
because the MSDN documentation is in C++ not FASM.......... and he used OR because when I posted, I meant he could use EITHER PAGE_XXX OR PAGE_XXX..

That's why he used OR because he thought it was part of the code.

.... If he knows what he's doing then let him use OR.
Do you have a hard time understanding me ? Sorry If I confused you.

But what you said about same flag is true.
Post 07 Apr 2011, 00:27
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2, 3, 4, 5  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.