
[Q] embed exe as resource inside a win32 exe and launching from memory

Shub-nigurrath
Senior Member
Posts: 431
Joined: Mon May 10, 2004 2:00 pm
Location: Obscure Kadath

[Q] embed exe as resource inside a win32 exe and launching from memory

Post by Shub-nigurrath »

Well,
this is a request for comments not on how to include an exe as a resource inside another win32 exe/dll, but rather on how to execute it from memory without a dump on disk. I perfectly know how to handle resources, embed, extract and so on, but the problem is the way I want to launch the hidden exe, without disk dumps.

For the dlls there's the solution I also documented here (http://www.accessroot.com/arteam/site/d ... p?view.103), using which you can launch a dll directly from memory. But what happens for the exe files? I would need something similar to CreateProcessFromMemory().
Is there something similar around? I mean something ready, not implying modifications on my code (which would take time I don't have).

thanks!
Shub
(¯`·._.·[¯¨´*·~-.¸¸,.-~*´¨ Ŝħůβ¬Ňïĝµŕřāŧħ ₪¯¨´*·~-.¸¸,.-~*´¨]·._.·´¯)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
Shub-nigurrath
Senior Member
Posts: 431
Joined: Mon May 10, 2004 2:00 pm
Location: Obscure Kadath

Post by Shub-nigurrath »

Hi all,
I found something that after a lot of testing I got to work, but not when UAC is turned on.

http://www.rohitab.com/discuss/topic/31 ... -not-file/

any idea in this case?

It's not for malware writing, but for pen testing, so if you want to share privately any guess just PM me.

Thanks!
(¯`·._.·[¯¨´*·~-.¸¸,.-~*´¨ Ŝħůβ¬Ňïĝµŕřāŧħ ₪¯¨´*·~-.¸¸,.-~*´¨]·._.·´¯)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
rendari
Senior Member
Posts: 217
Joined: Sat Dec 10, 2005 7:08 pm

Post by rendari »

Hey Shub,

Why would your code that loads a DLL from memory not work? After all, an EXE file has the same file format as a DLL. Simply load it like you would load a DLL, and then call the entrypoint? Or do you want to run the EXE in a separate process?

-rendari
disavowed
Posts: 1290
Joined: Mon Apr 01, 2002 3:00 pm

Post by disavowed »

What you're talking about is called "dynamic forking". You can find plenty of code samples on the web to do this: https://www.google.com/search?q="dynamic+forking"
ZaiRoN
Posts: 922
Joined: Fri Oct 12, 2001 7:00 am
Location: Italy

Post by ZaiRoN »

Here is another paper for your "dynamic forking" lectures: https://zairon.wordpress.com/2011/01/10 ... in-action/
A mind is like a parachute. It doesn't work if it's not open.
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

A process may be created only from a file section.
Shub-nigurrath
Senior Member
Posts: 431
Joined: Mon May 10, 2004 2:00 pm
Location: Obscure Kadath

Post by Shub-nigurrath »

@rendari, I thought to do exactly what you said indeed, modifying the exe as a dll and adding an export table that points to the OEP. Haven't tried yet, since I was busy inserting an aes256 crypter: the resource is stored as an encrypted dll and decrypted on the fly in memory.

@the others, thanks for the buzzword, I'll dig more using it. But the question remains, do these techniques work when UAC control is active? Apparently not, as far as I have seen around.
The sample I also found and linked above uses exactly the same technique on itself, but it miserably fails, giving the error "The application was unable to start correctly (0xc0000005). Click OK to close the application." whatever exe you use. It seems the same problem someone posted here: http://stackoverflow.com/questions/7192 ... -win32-exe
I'm on a Win8.1 64-bit indeed, but the program is compiled as 32-bit.
(¯`·._.·[¯¨´*·~-.¸¸,.-~*´¨ Ŝħůβ¬Ňïĝµŕřāŧħ ₪¯¨´*·~-.¸¸,.-~*´¨]·._.·´¯)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
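As an added example from the defender's side (not code from this thread or its authors), a Python check that reads the PE headers the posts above hinge on: it tells an EXE from a DLL via the COFF Characteristics flag, reports the entry point RVA and whether an export table is present, and flags a second PE image embedded after the host's own header, which is the embedded-payload pattern a file scanner wants to catch. The header builder produces a constructed, non-loadable sample purely as input.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit that marks a DLL image

def parse_pe(data, offset=0):
    """Summarise the PE image whose DOS header starts at `offset`; None if not a PE."""
    if data[offset:offset + 2] != b"MZ" or len(data) < offset + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]
    pe = offset + e_lfanew
    if data[pe:pe + 4] != b"PE\0\0" or len(data) < pe + 24 + 120:
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    chars = struct.unpack_from("<HHIIIHH", data, pe + 4)[6]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]            # 0x10B PE32, 0x20B PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    dirs = opt + (96 if magic == 0x10B else 112)              # data directory table
    exp_rva, exp_size = struct.unpack_from("<II", data, dirs)  # entry 0 = export table
    return {"offset": offset, "kind": "DLL" if chars & IMAGE_FILE_DLL else "EXE",
            "entry_rva": entry, "has_exports": exp_size != 0}

def find_embedded_pe(data):
    """Return every PE image found after the host's own header (dropper indicator)."""
    found = []
    pos = data.find(b"MZ", 1)  # skip the host header at offset 0
    while pos != -1:
        img = parse_pe(data, pos)
        if img is not None:
            found.append(img)
        pos = data.find(b"MZ", pos + 1)
    return found

def build_pe(is_dll, entry_rva, export_size=0):
    """Constructed minimal PE32 header (not loadable) used as sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)          # EXECUTABLE_IMAGE | 32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, chars)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva)
    opt += b"\0" * (96 - len(opt))
    opt += struct.pack("<II", 0x3000 if export_size else 0, export_size)
    return dos + b"PE\0\0" + coff + opt.ljust(224, b"\0")

if __name__ == "__main__":
    host = build_pe(False, 0x1000)
    payload = build_pe(True, 0x1200, export_size=0x40)   # EXE re-linked as DLL with exports
    sample = host + b"<constructed resource padding>" + payload
    print(parse_pe(sample)["kind"], find_embedded_pe(sample))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `find_embedded_pe`; any hit past offset 0 deserves a closer look.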
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »
