
Thread: [Q] embed exe as resource inside a win32 exe and launching from memory


  1. #1
    Super Moderator Shub-nigurrath's Avatar
    Join Date
    May 2004
    Location
    Obscure Kadath
    Posts
    430

    [Q] embed exe as resource inside a win32 exe and launching from memory

    Well,
    this is a request for comments not on how to include an exe as a resource inside another win32 exe/dll, but rather on how to execute it from memory without a dump on disk. I perfectly know how to handle resources, embed, extract and so on, but the problem is the way I want to launch the hidden exe, without disk dumps.

    For the DLLs there's the solution I also documented here (http://www.accessroot.com/arteam/site/download.php?view.103), using which you can launch a DLL directly from memory. But what happens for the exe files? I would need something similar to CreateProcessfromMemory().
    Is there something similar around? I mean something ready, not implying modifications to my code (which would take time I don't have).

    Thanks!
    Shub
    (`._.[*~-.,.-~* ŜħůβŇĝŕřāŧħ ₪*~-.,.-~*]._.)
    There are only 10 types of people in the world: Those who understand binary, and those who don't
    http://www.accessroot.com

  2. #2
    Super Moderator Shub-nigurrath's Avatar
    Join Date
    May 2004
    Location
    Obscure Kadath
    Posts
    430
    Hi all,
    I found something that after a lot of testing I got to work, but not when UAC is turned on.

    http://www.rohitab.com/discuss/topic/31681-c-run-program-from-memory-and-not-file/

    Any idea in this case?

    It's not for malware writing, but for pen testing, so if you want to share privately any guess just PM me.

    Thanks!

  3. #3
    Registered User
    Join Date
    Dec 2005
    Posts
    216
    Blog Entries
    5
    Hey Shub,

    Why would your code that loads a DLL from memory not work? After all, an EXE file has the same file format as a DLL. Simply load it like you would load a DLL, and then call the entrypoint? Or do you want to run the EXE in a separate process?

    -rendari
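Seen from the defender's side, an executable carried as a resource (post #1) is still a complete PE image inside the host file, and, as post #3 notes, an EXE and a DLL share one format and differ in a header flag. The following is an added example, not code from any poster in this thread: a Python triage scanner that finds PE headers embedded past offset 0 of a file and labels each as EXE or DLL; the function names and the sample bytes are constructed for illustration.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # Characteristics bit: set for a DLL, clear for an EXE


def _parse_pe(data, base):
    """Return (kind, machine) if a PE header starts at base, else None."""
    # IMAGE_DOS_HEADER is 64 bytes; e_lfanew at +0x3C points to "PE\0\0".
    if base + 0x40 > len(data):
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, base + 0x3C)
    nt = base + e_lfanew
    if nt + 24 > len(data) or data[nt:nt + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER follows the signature:
    # Machine at +4, Characteristics at +22 from the signature start.
    (machine,) = struct.unpack_from("<H", data, nt + 4)
    (chars,) = struct.unpack_from("<H", data, nt + 22)
    return ("DLL" if chars & IMAGE_FILE_DLL else "EXE", machine)


def find_embedded_pe(data):
    """List (offset, kind, machine) for every PE header found past offset 0."""
    hits = []
    pos = data.find(b"MZ", 1)  # offset 0 is the host image itself
    while pos != -1:
        parsed = _parse_pe(data, pos)
        if parsed:
            hits.append((pos,) + parsed)
        pos = data.find(b"MZ", pos + 1)
    return hits


def _fake_pe(characteristics, machine=0x14C):
    """Constructed header-only stub: DOS header, PE signature, file header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + file_hdr


# Constructed sample: host image, padding, a decoy "MZ" string,
# an embedded EXE stub and an embedded DLL stub.
SAMPLE = (_fake_pe(0x0102) + b"\0" * 32 + b"MZ not a header"
          + _fake_pe(0x0102) + b"\xAA" * 16 + _fake_pe(0x2102))

if __name__ == "__main__":
    for offset, kind, machine in find_embedded_pe(SAMPLE):
        print(f"embedded {kind} at offset {offset:#x}, machine {machine:#x}")
```

A scan like this only sees payloads stored in the clear; a resource that is compressed or encrypted will not show a recognisable header until it is unpacked.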

  4. #4
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    What you're talking about is called "dynamic forking". You can find plenty of code samples on the web to do this: https://www.google.com/search?q="dynamic+forking"

  5. #5
    Red wine, not vodka! ZaiRoN's Avatar
    Join Date
    Oct 2001
    Location
    Italy
    Posts
    922
    Blog Entries
    17
    Here is another paper for your "dynamic forking" lectures: https://zairon.wordpress.com/2011/01/10/dynamic-forking-in-action/
    A mind is like a parachute. It doesn't work if it's not open.

  6. #6
    Process may be created only from file section.
