IchBistTod

executing an exe from memory?

13 posts in this topic

#1 ·  Posted (edited)

Okay, I was reading that there is a way to do a DllCall completely in memory using its binary data.

My question is, is there a way to execute an exe in memory?

Example:

1. read the .exe

2. use the Binary() func on it

3. execute it from memory without needing to use FileWrite() and Run()

Edited by IchBistTod




*bump*



I don't know anything about machine code or asm, but take a look at this link. It uses machine code.



#5 ·  Posted (edited)

The base idea has already been completed in autoit.

This is what I have so far:

Func execute_exe_from_mem()
    ;ConsoleWrite(Binary(FileRead(@ScriptDir & "\test.exe")) & @CRLF)

    ; Read the whole file as raw bytes
    Local $Exec = Binary(FileRead(@ScriptDir & "\test.exe"))

    ; Copy the bytes into a struct so they sit at a fixed address in memory
    Local $ExecCode = DllStructCreate("byte[" & BinaryLen($Exec) & "]")
    DllStructSetData($ExecCode, 1, $Exec)

    ; Jump to the first byte of the buffer via CallWindowProc (the remaining four
    ; parameters are the window-procedure arguments, unused here and passed as 0).
    ; Note: this treats the raw file, which starts with the "MZ" DOS header, as if it
    ; were machine code; a PE image is not laid out that way, so it is expected to crash.
    DllCall("user32.dll", "none", "CallWindowProc", "ptr", DllStructGetPtr($ExecCode), _
            "int", 0, "int", 0, "int", 0, "int", 0)
EndFunc

test.exe can be any file; however, it just crashes. Basically I want to read from a .exe and then execute the whole file in memory without having to touch the hard disk.

I don't know what I am doing wrong, though.

Edited by IchBistTod


You're completely off target here. Here's why:

The exe is not just a long stream of code. It's very precisely structured in sections pointed to by the PE headers. Furthermore, the binary data needs to be reformatted, and resources and libraries need to be loaded depending on, for example, the import address table. I really do recommend that you read up on the Portable Executable format (PE) to understand what I'm talking about. It will make things much clearer. Here's a good starting point.

However your goal can be achieved with other smarter ways. See this post by jpam for example. More info available on the great google.


Broken link? PM me and I'll send you the file!

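To make the point about PE structure concrete, here is an added example (not code from anyone in this thread, and written in Python rather than AutoIt) that walks the headers of a minimal PE32 image and maps its entry point RVA back to a file offset. The image bytes are constructed in `build_sample_pe()` and contain filler instead of real code; the parser shows why jumping to the first byte of the file lands in the DOS header rather than at the entry point, and which data directories (imports, base relocations) a loader has to resolve before anything can run.

```python
import struct

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (valid headers, filler bytes instead of code)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)    # i386, 2 sections, EXE
    opt = bytearray(224)                                              # 96 std fields + 16 data dirs
    struct.pack_into("<H", opt, 0, 0x10B)                             # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1010)                           # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x00400000)                       # preferred ImageBase
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, 0x2000, 0x50)                # import directory (dir 1)
    struct.pack_into("<II", opt, 96 + 40, 0x2100, 0x20)               # base relocations (dir 5)
    sec = lambda n, va, vs, rp, rs, ch: struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
    secs = sec(b".text", 0x1000, 0x100, 0x200, 0x200, 0x60000020)
    secs += sec(b".rdata", 0x2000, 0x200, 0x400, 0x200, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + secs
    return hdr.ljust(0x200, b"\0") + b"\xcc" * 0x400                 # raw section data (filler)

def rva_to_offset(sections, rva):
    """Memory address (RVA) -> file offset; the two layouts differ, which is the core point."""
    for _, vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    return None

def parse_pe(data: bytes) -> dict:
    """Walk the headers a loader must honour before any byte of the image can execute."""
    if data[:2] != b"MZ": raise ValueError("no MZ signature: not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0": raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:   base_fmt, base_off, dd_off = "<I", 28, 96    # PE32
    elif magic == 0x20B: base_fmt, base_off, dd_off = "<Q", 24, 112   # PE32+
    else: raise ValueError(f"unknown optional header magic {magic:#x}")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from(base_fmt, data, opt + base_off)
    imp_rva, imp_size = struct.unpack_from("<II", data, opt + dd_off + 8)   # data dir 1: imports
    rel_rva, rel_size = struct.unpack_from("<II", data, opt + dd_off + 40)  # data dir 5: relocs
    sections = []
    for i in range(nsec):                                             # 40-byte section headers
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), vaddr, vsize, rptr, rsize))
    return {"machine": machine, "is_dll": bool(chars & 0x2000), "image_base": image_base,
            "entry_rva": entry_rva, "entry_file_offset": rva_to_offset(sections, entry_rva),
            "sections": sections, "needs_imports": imp_size > 0, "needs_relocations": rel_size > 0}
```

Running `parse_pe(build_sample_pe())` reports an entry point at RVA 0x1010, which lives at file offset 0x210, while offset 0 holds the "MZ" header bytes; the non-empty import and relocation directories are the work the Windows loader does before transferring control.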

Okay, I understand now, but surely there must be a simple way to pass the whole binary data to the system for it to process without writing it to the hard disk.

I mean that would only make sense. Just need to know how to do it.



Okay, I understand now, but surely there must be a simple way to pass the whole binary data to the system for it to process without writing it to the hard disk.

I mean that would only make sense. Just need to know how to do it.

You could use RAM disk software to have any files loaded into RAM. It would be much faster than using the HD, but it needs extra software.

I too would like to know how to do that in pure AutoIt.


Okay, I understand now, but surely there must be a simple way to pass the whole binary data to the system for it to process without writing it to the hard disk.

I mean that would only make sense. Just need to know how to do it.

No, there isn't. What we're talking about here is a PE loader, one of the most complex things you can ever write on Windows.



Well, someone else (forget who) wrote an app to make programs execute from memory, and if it was super difficult I don't think he would have done it alone and released it here, so I am thinking there may be another way. IDK, I'm just thinking, cuz that would have been a lot of work for one person. I think it's called like emfc or efmc or something like that; it stands for something but I can't remember what.



Well, someone else (forget who) wrote an app to make programs execute from memory, and if it was super difficult I don't think he would have done it alone and released it here, so I am thinking there may be another way. IDK, I'm just thinking, cuz that would have been a lot of work for one person. I think it's called like emfc or efmc or something like that; it stands for something but I can't remember what.

Seriously? Do you even read my posts? I'm growing very weary of answering your stupid questions when you don't even pretend to have read what I'm writing. I have already posted a link to the program you're talking about.



I read your post, and that's where I found it, but that does not mean I don't have short-term memory loss.

I had forgotten already.

Anyways, so you mean to tell me he made a full PE loader?

Is there maybe some way to create a process, suspend the process, inject the exe code, and resume the process, or would a PE loader still need to be created before doing this?



No he did not. He used the internal windows one. However there's a big difference between that technique and "passing the whole binary data to the system for it to process".

I don't understand why you're still posting in this thread with nothing new. I have linked you to a program that does just this, and even though the source isn't available trancexx described the process in post #3.

And since I have researched this myself quite extensively I know there are lots of information & source code available out there, just one little google search away.


