


Re: Load Executable from Memory

Newsgroups microsoft.public.win32.programmer.kernel
Date 2018-03-27 08:29 -0700
References <38AEAC16.F6FC7DA9@gmx.net> <38b181c8@guardhouse.chbs>#1/1>
Message-ID <74c2fb6b-4daf-4110-8f05-bef4f29639b2@googlegroups.com> (permalink)
Subject Re: Load Executable from Memory
From bsadino95@gmail.com



On Monday, February 21, 2000 at 3:00:00 PM UTC+7, Gary Nebbett wrote:
> "Christian Zietz" <czietz@gmx.net> wrote in message news:38AEAC16.F6FC7DA9@gmx.net...
> 
> > is there a possibility to load an executable from RAM instead of from a
> > file? What I want to do is: the EXE is loaded into memory by my
> > application, the import table is patched, then the Windows loader
> > becomes active and creates a new process.
> 
> As Tomas pointed out, depending on exactly what you want to do, it might not
> be necessary to create a new process from an in-memory image. If you really
> do need to create a process from an in-memory image on NT then you might try
> the following, which assumes that the in-memory image originates from a
> binary resource bound to the executable.
> 
> Gary
> 
> 
> #define WIN32_NO_STATUS
> #include <windows.h>
> #undef  WIN32_NO_STATUS
> 
> // ntddk.h is pulled into its own namespace with C linkage so that its
> // declarations of the native API (Nt*/Zw* functions, PROCESS_BASIC_INFORMATION,
> // etc.) can coexist with windows.h; the code below refers to them as NT::....
> // The WIN32_NO_STATUS define/undef around windows.h above stops it from
> // emitting the NTSTATUS macros that ntddk.h redefines, and warning 4005
> // (macro redefinition) is silenced for whatever still overlaps.
> namespace NT {
>     extern "C" {
> 
> #pragma warning(disable: 4005)  // macro redefinition
> #include <ntddk.h>
> #pragma warning(default: 4005)
> 
>     }
> }
> // Only NTSTATUS is hoisted to global scope; everything else stays NT::.
> using NT::NTSTATUS;
> 
> // Bit-field overlay for the x86 DR7 debug-control register; preppatch() casts
> // &CONTEXT::Dr7 to this so it can set individual fields by name. The field
> // names follow the Intel SDM's DR7 layout (Ln/Gn = local/global enable for
> // breakpoint slot n, LE/GE = exact-match enables, GD = general detect,
> // RWEn = break condition for slot n, LENn = length for slot n).
> // NOTE(review): bit-field packing order is implementation-defined; this
> // relies on MSVC packing the fields LSB-first into a single 32-bit ULONG so
> // that the overlay lines up with the hardware register.
> typedef struct _DEBUG_CONTROL {
>     ULONG L0 : 1;     // local enable, slot 0 (the only slot this code uses)
>     ULONG G0 : 1;
>     ULONG L1 : 1;
>     ULONG G1 : 1;
>     ULONG L2 : 1;
>     ULONG G2 : 1;
>     ULONG L3 : 1;
>     ULONG G3 : 1;
>     ULONG LE : 1;
>     ULONG GE : 1;
>     ULONG    : 3;     // reserved
>     ULONG GD : 1;
>     ULONG    : 2;     // reserved
>     ULONG RWE0 : 2;   // slot 0 condition; 0 = break on instruction execution (per SDM)
>     ULONG LEN0 : 2;   // slot 0 length; 0 = 1 byte, required for execute breaks
>     ULONG RWE1 : 2;
>     ULONG LEN1 : 2;
>     ULONG RWE2 : 2;
>     ULONG LEN2 : 2;
>     ULONG RWE3 : 2;
>     ULONG LEN3 : 2;
> } DEBUG_CONTROL, *PDEBUG_CONTROL;
> 
> 
> // Arm hardware breakpoint slot 0 on ntdll!ZwCreateThread for the calling
> // thread. When CreateProcess later calls ZwCreateThread to start the child's
> // first thread, the CPU raises a debug exception (seen by the SEH filter as
> // EXCEPTION_SINGLE_STEP) and patch() gets a chance to replace the child's
> // image before the thread ever runs.
> //
> // NOTE(review): no return value is checked. If GetModuleHandle/GetProcAddress
> // fail the breakpoint is armed on address 0 and never fires, and if
> // SetThreadContext fails it is never armed at all; either way main() then
> // launches an unmodified Explorer with no indication anything went wrong.
> // ULONG(pointer) also makes this x86-only.
> VOID preppatch()
> {
>     HMODULE ntdll = GetModuleHandle("ntdll.dll");
>     FARPROC target = GetProcAddress(ntdll, "ZwCreateThread");
> 
>     // Only the debug-register part of the context is submitted; every other
>     // field is zero-initialized and ignored because of the ContextFlags value.
>     CONTEXT context = {CONTEXT_DEBUG_REGISTERS};
>     context.Dr0 = ULONG(target);
> 
>     // DR7: local-enable slot 0; RWE0 = 0 / LEN0 = 0 selects an execute
>     // breakpoint on exactly the address in DR0. All other bits stay zero.
>     PDEBUG_CONTROL dr7 = PDEBUG_CONTROL(&context.Dr7);
>     dr7->L0 = 1;
>     dr7->RWE0 = 0;
>     dr7->LEN0 = 0;
> 
>     SetThreadContext(GetCurrentThread(), &context);
> }
> 
> // SEH filter installed by main(). It runs when the breakpoint armed by
> // preppatch() fires inside CreateProcess, i.e. at the entry of ZwCreateThread
> // while ntdll is creating the child's first thread. The child process exists
> // at that point but no thread has run in it yet, so its mapped image can be
> // discarded and replaced with the PE carried in this executable's
> // "Image"/"EXE" resource — what is now usually called process hollowing.
> //
> // ep: exception record and the interrupted thread's register context.
> // Returns EXCEPTION_CONTINUE_EXECUTION after patching (ZwCreateThread then
> // proceeds with the edited arguments), or EXCEPTION_CONTINUE_SEARCH for any
> // exception that is not the breakpoint.
> //
> // NOTE(review): x86-only (Esp/Eax, ULONG casts of pointers), dependent on the
> // NtCreateThread argument order and 32-bit PEB layout, and it does no error
> // checking: every API return value is ignored and nothing in the resource
> // image (signatures, e_lfanew, section table) is validated before use.
> LONG patch(PEXCEPTION_POINTERS ep)
> {
>     // A DR0 execute breakpoint is delivered as EXCEPTION_SINGLE_STEP.
>     if (ep->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP) {
> 
>         // We are at the first instruction of ZwCreateThread: [Esp] is the
>         // return address and the stdcall arguments follow it. Index 4 is the
>         // 4th argument, ProcessHandle, assuming the usual prototype
>         // (ThreadHandle, DesiredAccess, ObjectAttributes, ProcessHandle,
>         // ClientId, ThreadContext, InitialTeb, CreateSuspended) — verify.
>         HANDLE hProcess = PHANDLE(ep->ContextRecord->Esp)[4];
> 
>         // Index 6 is the 6th argument: the initial CONTEXT for the new thread,
>         // which the caller has filled in but ZwCreateThread has not consumed
>         // yet, so edits made here take effect.
>         PCONTEXT context = ((PCONTEXT*)(ep->ContextRecord->Esp))[6];
> 
>         NT::PROCESS_BASIC_INFORMATION pbi;
> 
>         // Locate the child's PEB (result unchecked).
>         NT::NtQueryInformationProcess(hProcess, NT::ProcessBasicInformation, &pbi, sizeof pbi, 0);
> 
>         // PEB+8 is taken to be ImageBaseAddress (32-bit PEB layout): the base
>         // where the kernel mapped the original Explorer image.
>         PVOID x; ReadProcessMemory(hProcess, PCHAR(pbi.PebBaseAddress) + 8, &x, sizeof x, 0);
> 
>         // Unmap the original image; the child now has no main module at all.
>         NT::ZwUnmapViewOfSection(hProcess, x);
> 
>         // The replacement PE is a resource named "Image" of type "EXE" bound
>         // to this executable. hRsrc/hGlobal/p are never NULL-checked.
>         HRSRC hRsrc = FindResource(0, "Image", "EXE");
> 
>         HGLOBAL hGlobal = LoadResource(0, hRsrc);
> 
>         PVOID p = LockResource(hGlobal);
> 
>         // e_lfanew is trusted as-is: no MZ/PE signature or bounds check.
>         PIMAGE_NT_HEADERS nt = PIMAGE_NT_HEADERS(PCHAR(p) + PIMAGE_DOS_HEADER(p)->e_lfanew);
> 
>         // Reserve and commit the whole image at its preferred ImageBase, RWX.
>         // No relocations are ever applied, so if that address is unavailable
>         // VirtualAllocEx returns NULL and every write below targets
>         // address 0 + offset. Per-section protections are not set either.
>         PVOID q = VirtualAllocEx(hProcess,
>                                  PVOID(nt->OptionalHeader.ImageBase),
>                                  nt->OptionalHeader.SizeOfImage,
>                                  MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
> 
>         // Copy the headers. Hard-coded 0x1000 rather than SizeOfHeaders.
>         WriteProcessMemory(hProcess, PCHAR(q), PCHAR(p), 0x1000, 0);
> 
>         PIMAGE_SECTION_HEADER sect = IMAGE_FIRST_SECTION(nt);
> 
>         // Lay out each section: file offset -> virtual address. The section
>         // fields come straight from the image, so a malformed header reads
>         // past the resource or writes past the allocation.
>         for (ULONG i = 0; i < nt->FileHeader.NumberOfSections; i++)
> 
>             WriteProcessMemory(hProcess,
>                                PCHAR(q) + sect[i].VirtualAddress,
>                                PCHAR(p) + sect[i].PointerToRawData,
>                                sect[i].SizeOfRawData, 0);
> 
>         // Point the child's PEB ImageBaseAddress at the new image so the
>         // loader treats it as the main module.
>         WriteProcessMemory(hProcess, PCHAR(pbi.PebBaseAddress) + 8, &q, sizeof q, 0);
> 
>         // Redirect the first thread to the new image's entry point. This
>         // relies on the x86 initial-thread convention that Eax holds the
>         // entry point address — confirm against the loader in use.
>         context->Eax = ULONG(q) + nt->OptionalHeader.AddressOfEntryPoint;
> 
>         // Disarm the breakpoint in the resumed context so later
>         // ZwCreateThread calls (there is at least one per process) run normally.
>         ep->ContextRecord->Dr7 = 0;
> 
>         // Resume ZwCreateThread with the edited arguments.
>         return EXCEPTION_CONTINUE_EXECUTION;
>     }
> 
>     // Not our breakpoint: let the exception propagate to the next handler.
>     return EXCEPTION_CONTINUE_SEARCH;
> }
> 
> // Entry point: arm the ZwCreateThread breakpoint on this thread, then let
> // CreateProcess trip it. patch() runs as the SEH *filter* expression, so the
> // image swap happens while CreateProcess is still suspended at the
> // breakpoint; it returns EXCEPTION_CONTINUE_EXECUTION, which resumes
> // CreateProcess and never enters the __except body.
> //
> // NOTE(review): CreateProcess's return value is ignored and the handles in
> // pi (hProcess/hThread) are never closed.
> int main(int argc, char *argv[])
> {
>     STARTUPINFO si;
>     ZeroMemory(&si, sizeof si);
>     si.cb = sizeof si;
> 
>     PROCESS_INFORMATION pi;
> 
>     __try {
>         preppatch();
>         CreateProcess(0, "Explorer", 0, 0, FALSE, 0, 0, 0, &si, &pi);
>     }
>     __except (patch(GetExceptionInformation())) {
>         // Only reached if patch() returned EXCEPTION_EXECUTE_HANDLER,
>         // which it never does.
>     }
> 
>     return 0;
> }

Could you explain, in a narrative way, what this code does step by step?
 I also don't know what __try and __except are.

Thank you!


