Windows API, load exe/dll from memory

7 replies to this topic

#1 array (CC Lurker, 4 posts)

Posted 19 November 2010 - 07:22 AM

Does anyone know how to use the Windows API to load an executable object (exe or dll) from a memory buffer? Normally a routine like CreateProcess or LoadLibrary needs a physical file that it loads into memory and does the required operations on to begin execution.

I would need to write custom routines that would allow me to manually read (from an archive, from a network stream, etc.) an image into a buffer, and then have the kernel use that buffer to create a new process or load a library, bypassing any need for a physical file.

A quick and dirty solution would be to use temporary files, but I think I would prefer a proper and elegant solution. Thus the need for this.

Would it be possible? I think maybe packers like UPX do something similar, or?
  • 0

#2 mebob (CC Devotee, 467 posts; Programming Language: C, C++, Assembly; Learning: PHP)

Posted 19 November 2010 - 01:18 PM

I don't think there is a way to do this, because of the way that an OS runs (in Protected Mode). There may be a way, though. I've actually wondered about this myself.
  • 0
Latinamne loqueris?

#3 array (CC Lurker, 4 posts)

Posted 19 November 2010 - 01:23 PM

After some more searching I found this: Loading a DLL from memory » ~magog/public

I'll have to study it closer, but it does appear to achieve what I'm looking for. Any further suggestions are still welcome, though!
  • 0

#4 mebob (CC Devotee, 467 posts)

Posted 19 November 2010 - 01:31 PM

Wow, that's a lot to read.
  • 0
Latinamne loqueris?

#5 array (CC Lurker, 4 posts)

Posted 19 November 2010 - 01:33 PM

Basically, it boils down to this:

  • Open the given file and check the DOS and PE headers.
  • Try to allocate a memory block of PEHeader.OptionalHeader.SizeOfImage bytes at position PEHeader.OptionalHeader.ImageBase.
  • Parse section headers and copy sections to their addresses. The destination address for each section, relative to the base of the allocated memory block, is stored in the VirtualAddress attribute of the IMAGE_SECTION_HEADER structure.
  • If the allocated memory block differs from ImageBase, various references in the code and/or data sections must be adjusted. This is called Base relocation.
  • The required imports for the library must be resolved by loading the corresponding libraries.
  • The memory regions of the different sections must be protected depending on the section’s characteristics. Some sections are marked as discardable and therefore can be safely freed at this point. These sections normally contain temporary data that is only needed during the import, like the information for the base relocation.
  • Now the library is loaded completely. It must be notified about this by calling the entry point using the flag DLL_PROCESS_ATTACH.

It might take a while before I fully understand all the code myself, but in case anyone else is looking for the same thing :) Luckily, there is also sample code available for download!
  • 0
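As an added example (not code from this thread or from the linked article), here is the validation a loader, or a memory-forensics scanner inspecting a suspected manually mapped image, should run for the first and third steps above before trusting the headers: check the DOS and PE headers, walk the section table, and verify that each section's raw data lies inside the buffer and its mapped range lies inside SizeOfImage. Header fields are read at their documented byte offsets rather than through windows.h, so it builds on any platform; the one-section PE32 image it checks is constructed inline and is not a real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Little-endian field readers, so the checks do not depend on host byte order. */
static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }

/* Validate the DOS and PE headers of an in-memory image and check that every section
 * fits inside both the buffer (raw data) and SizeOfImage (mapped range). Returns the
 * section count, or: -1 no MZ header, -2 bad PE signature or headers truncated, -3 unknown
 * optional-header magic, -4 section table truncated, -5 raw data outside the buffer, -6 section outside SizeOfImage. */
int pe_validate(const uint8_t *buf, size_t len, uint32_t *size_of_image)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;                       /* "MZ" */
    uint32_t pe = rd32(buf + 0x3C);                                        /* e_lfanew */
    if (pe > len || len - pe < 84 || rd32(buf + pe) != 0x00004550) return -2; /* "PE\0\0" */
    const uint8_t *fh = buf + pe + 4, *opt = fh + 20;                      /* IMAGE_FILE_HEADER, optional header */
    uint32_t nsec = rd16(fh + 2), opt_size = rd16(fh + 16), magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B) return -3;                       /* PE32 / PE32+ */
    *size_of_image = rd32(opt + 56);                                       /* same offset in both formats */
    size_t sec_off = (size_t)pe + 24 + opt_size;                           /* section table start */
    if (sec_off > len || (len - sec_off) / 40 < nsec) return -4;
    for (uint32_t i = 0; i < nsec; i++) {
        const uint8_t *sh = buf + sec_off + (size_t)i * 40;               /* IMAGE_SECTION_HEADER */
        uint32_t vsize = rd32(sh + 8), vaddr = rd32(sh + 12);
        uint32_t rsize = rd32(sh + 16), rptr = rd32(sh + 20);
        if (rptr > len || len - rptr < rsize) return -5;
        if (vaddr > *size_of_image || *size_of_image - vaddr < vsize) return -6;
    }
    return (int)nsec;
}

/* Constructed sample: a hand-laid-out one-section PE32 header, not a real binary. With overflow != 0
 * the section's VirtualSize exceeds SizeOfImage, which a loader must reject before copying sections. */
uint8_t sample[0x400];
size_t build_sample(int overflow)
{
    memset(sample, 0, sizeof sample);
    sample[0] = 'M'; sample[1] = 'Z'; sample[0x3C] = 0x80;                /* e_lfanew = 0x80 */
    memcpy(sample + 0x80, "PE\0\0", 4);
    sample[0x80 + 4 + 2] = 1;                                             /* NumberOfSections = 1 */
    sample[0x80 + 4 + 16] = 0xE0;                                         /* SizeOfOptionalHeader = 224 */
    sample[0x80 + 24] = 0x0B; sample[0x80 + 25] = 0x01;                   /* Magic = 0x10B (PE32) */
    sample[0x80 + 24 + 57] = 0x30;                                        /* SizeOfImage = 0x3000 */
    uint8_t *sh = sample + 0x80 + 24 + 0xE0;                              /* first section header */
    memcpy(sh, ".text", 5);
    sh[9] = overflow ? 0x40 : 0x02; sh[13] = 0x10;                        /* VirtualSize 0x4000/0x200, VirtualAddress 0x1000 */
    sh[17] = 0x02; sh[21] = 0x02;                                         /* SizeOfRawData, PointerToRawData = 0x200 */
    return sizeof sample;                                                 /* buffer length */
}
```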

#6 mebob (CC Devotee, 467 posts)

Posted 19 November 2010 - 01:38 PM

Parsing... sounds like loads of fun.
Oh, and I found this: Windows memory protection constraints that are used with the VirtualAlloc Function (Windows)

On the listing of the memory protection constraints, look at the 3rd one. If I read it right and I understand it correctly, you should be able to use VirtualAlloc() to allocate a block of memory that you will load raw executable code into and (I'm a bit unsure of this part) use the memory address that you loaded the code into as a function pointer. Of course, you would still need to do the parsing and stuff.
  • 0
Latinamne loqueris?

#7 array (CC Lurker, 4 posts)

Posted 19 November 2010 - 01:43 PM

Yes, I think that's the "trick" to it. The simple, difficult stuff is then the parsing and the relocation.
  • 0

#8 mebob (CC Devotee, 467 posts)

Posted 19 November 2010 - 01:43 PM

Oh. I guess I should have read deeper into the article.
  • 0
Latinamne loqueris?