
Thread: [Q] embed exe as resource inside a win32 exe and launching from memory

  1. #1
    Super Moderator Shub-nigurrath's Avatar
    Join Date
    May 2004
    Location
    Obscure Kadath
    Posts
    430

    [Q] embed exe as resource inside a win32 exe and launching from memory

    well,
    this is a request for comments, not on how to include an exe as a resource inside another win32 exe/dll, but rather on how to execute it from memory without a dump on disk. I know perfectly well how to handle resources, embed, extract and so on, but the problem is the way I want to launch the hidden exe, without disk dumps.

    For the dlls there's the solution I also documented here (http://www.accessroot.com/arteam/site/download.php?view.103), using which you can launch a dll directly from memory. But what happens for the exe files? I would need something similar to CreateProcessfromMemory().
    Is there something similar around? I mean something ready, not implying modifications to my code (which would take time I don't have).

    thanks!
    Shub
    (`._.[*~-.,.-~* ŜħůβŇĝŕřāŧħ ₪*~-.,.-~*]._.)
    There are only 10 types of people in the world: Those who understand binary, and those who don't
    http://www.accessroot.com

  2. #2
    Super Moderator Shub-nigurrath's Avatar
    Join Date
    May 2004
    Location
    Obscure Kadath
    Posts
    430
    Hi all,
    I found something that after a lot of testing I got to work, but not when UAC is turned on.

    http://www.rohitab.com/discuss/topic/31681-c-run-program-from-memory-and-not-file/

    any idea in this case?

    It's not for malware writing, but for pen testing, so if you want to share privately any guess just PM me.

    Thanks!
    (`._.[*~-.,.-~* ŜħůβŇĝŕřāŧħ ₪*~-.,.-~*]._.)
    There are only 10 types of people in the world: Those who understand binary, and those who don't
    http://www.accessroot.com

  3. #3
    Registered User
    Join Date
    Dec 2005
    Posts
    216
    Blog Entries
    5
    Hey Shub,

    Why would your code that loads a DLL from memory not work? After all, an EXE file has the same file format as a DLL. Simply load it like you would load a DLL, and then call the entrypoint? Or do you want to run the EXE in a separate process?

    -rendari

  4. #4
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    What you're talking about is called "dynamic forking". You can find plenty of code samples on the web to do this: https://www.google.com/search?q="dynamic+forking"

  5. #5
    Red wine, not vodka! ZaiRoN's Avatar
    Join Date
    Oct 2001
    Location
    Italy
    Posts
    922
    Blog Entries
    17
    Here is another paper for your "dynamic forking" lectures: https://zairon.wordpress.com/2011/01/10/dynamic-forking-in-action/
    A mind is like a parachute. It doesn't work if it's not open.

  6. #6
    A process may be created only from a file section.

  7. #7
    Super Moderator Shub-nigurrath's Avatar
    Join Date
    May 2004
    Location
    Obscure Kadath
    Posts
    430
    @rendari, I thought of doing exactly what you said, indeed: modifying the exe into a dll and adding an export table that points to the OEP. I haven't tried it yet, since I was busy inserting an aes256 crypter: the resource is stored as an encrypted dll and decrypted on the fly in memory.

    @the others, thanks for the buzzword, I'll dig more using it. But the question remains: do these techniques work when UAC control is active? Apparently not, as far as I have seen around.
    The sample I also found and linked above uses exactly the same technique on itself, but it miserably fails, whatever exe you use, giving the error "The application was unable to start correctly (0xc0000005). Click OK to close the application." It seems the same problem someone posted here: http://stackoverflow.com/questions/7192544/dynamic-forking-of-win32-exe
    I'm on Win8.1 64-bit indeed, but the program is compiled as 32-bit.
    Last edited by Shub-nigurrath; December 13th, 2013 at 18:10.
    (`._.[*~-.,.-~* ŜħůβŇĝŕřāŧħ ₪*~-.,.-~*]._.)
    There are only 10 types of people in the world: Those who understand binary, and those who don't
    http://www.accessroot.com
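
As an added illustration of rendari's point in #3 (an EXE and a DLL share the PE format) and of the export-table plan in #7, not code from this thread or from any linked sample: the header fields an analyst checks before reasoning about how an image can be mapped, the DLL characteristics bit, the entry point RVA, and whether export and relocation directories exist, parsed with Python's struct. The build_header helper is a constructed test fixture (headers only, no sections, not a loadable image), not a real binary.

```python
import struct

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit that marks an image as a DLL
DIR_EXPORT, DIR_BASERELOC = 0, 5  # data directory indices

def parse_pe(data):
    """Read the header fields that decide whether an image can be mapped and entered like a DLL."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    _machine, _nsec, _, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                        # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                     # PE32: 32-bit ImageBase at +28, directories from +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs_off, dir_off = 92, 96
    elif magic == 0x20B:                   # PE32+: 64-bit ImageBase at +24, directories from +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs_off, dir_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint (the OEP)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]     # 2 = GUI, 3 = console
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    def directory(i):                      # (RVA, size), or (0, 0) when the directory is absent
        return struct.unpack_from("<II", data, opt + dir_off + 8 * i) if i < ndirs else (0, 0)
    return {
        "is_dll": bool(chars & IMAGE_FILE_DLL),   # the one flag that separates an EXE from a DLL
        "entry_point_rva": entry_rva,
        "image_base": image_base,
        "subsystem": subsystem,
        "has_exports": directory(DIR_EXPORT)[1] != 0,       # an EXE normally has no export table
        "has_relocations": directory(DIR_BASERELOC)[1] != 0,  # needed to map at a non-preferred base
    }

def build_header(is_dll, entry_rva, relocs):
    """Constructed minimal PE32 header (no sections); sample input only, not a loadable image."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)          # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x400000)                   # preferred ImageBase
    struct.pack_into("<H", opt, 68, 2)                          # GUI subsystem
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    if relocs:
        struct.pack_into("<II", opt, 96 + 8 * DIR_BASERELOC, 0x3000, 0x40)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Run parse_pe over a real file's bytes to see the same fields; an image without a relocation directory can only be mapped at its preferred ImageBase.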

  8. #8
