[Q] embed exe as resource inside a win32 exe and launching from memory

December 13th, 2013, 08:02
This is a request for comments not on how to include an exe as a resource inside another win32 exe/dll, but rather on how to execute it from memory without a dump on disk. I perfectly know how to handle resources, embed, extract and so on, but the problem is the way I want to launch the hidden exe, without disk dumps.

For the dlls there's the solution I also documented here (http://www.accessroot.com/arteam/site/download.php?view.103), using which you can launch a dll directly from the memory. But what happens for the exe files? I would need something similar to CreateProcessfromMemory().
Is there something similar around? I mean something ready, not implying modifications on my code (which would take time I don't have).


December 13th, 2013, 11:31
Hi all,
I found something that after a lot of testing I got to work, but not when UAC is turned on.


Any idea in this case?

It's not for malware writing, but for pen testing, so if you want to share privately any guess just PM me.


December 13th, 2013, 13:39
Hey Shub,

Why would your code that loads a DLL from memory not work? After all, an EXE file has the same file format as a DLL. Simply load it like you would load a DLL, and then call the entrypoint? Or do you want to run the EXE in a separate process?


December 13th, 2013, 16:24
What you're talking about is called "dynamic forking". You can find plenty of code samples on the web to do this: https://www.google.com/search?q="dynamic+forking"

December 13th, 2013, 17:19
Here is another paper for your "dynamic forking" lectures: https://zairon.wordpress.com/2011/01/10/dynamic-forking-in-action/

December 13th, 2013, 17:41
A process may be created only from a file section.

December 13th, 2013, 17:54
@rendari, I thought to do exactly what you said indeed, modifying the exe as a dll and adding an export table that points to the OEP. Haven't tried yet, since I was busy inserting an aes256 crypter: the resource is stored as a crypted dll and decrypted on the fly in memory.

@the others, thanks for the buzzword I'll dig more using it. But the question remains, do these techniques work when UAC control is active? Apparently not as far as I have seen around.
The sample I also found and linked above uses exactly the same technique on itself, but it miserably fails giving an error "The application was unable to start correctly (0xc0000005) whatever exe you use. Click OK to close the application." It seems to be the same problem someone posted here: http://stackoverflow.com/questions/7192544/dynamic-forking-of-win32-exe
I'm on a Win8.1 64b indeed, but the program is compiled as 32b.

December 15th, 2013, 18:01
LWE (http://www.woodmann.com/forum/showthread.php?14973-LWE)