Often asked, but never answered:
How could I run an executable from memory?
A simple example with Notepad.exe attached in an .rc file would be nice. Or just some hints on which tasks are needed to throw a working example app together :-)

best regards
Posted on 2001-09-09 09:32:28 by bazik
You mean like having an executable inside your resources and then executing it?
You'll have to dump it to disk..
Yeah, I can figure out some more painful methods, but I doubt whether they are worth it or not...
If I were you, I'd dump to a %TEMP% folder and then ShellExecuteA :)

At least this is the modus operandi I implemented in a patch engine I made once. I had the 'child' executable in the .DATA section of the main program. So I read it, dump it, fix it and voilà.. there's the newly born proggy :)


Posted on 2001-09-09 17:00:11 by latigo
Dumping to disk feels pretty wrong, imho :). The other way to do
it is to write a whole PE loader yourself, which is simpler than it sounds.
It can be made to work pretty well with a DLL. But for an exe... I'm
not really sure. Theoretically (if the image has relocations), it could
probably be done, but there might be a lot of issues due to the way
processes are handled.
Posted on 2001-09-09 19:10:04 by f0dder
You could make your code section writeable, or allocate memory, and implement the world's first 32-bit *.com program
Posted on 2001-09-09 22:16:49 by eet_1024
I think that dumping to disk is the best and simplest solution. I have thought of IMAGEHLP.DLL, but it's no help for this problem.

Posted on 2001-09-10 03:46:29 by japheth
I think it all depends on how serious the project is..
If your job/career depends on this, then dumping to disk might sound very cheap. On the other hand, if you are making some quick 'house-chore' hack, then go for the disk dumping :)

This is something from the top of my head, but you could give it a try... suppose you have the executable inside your resources, or in any part of the .data section, or wherever.. so when you are ready to rock, start a new thread passing a ptr to the executable code.

Mmm.. sounds too quick to be true.. maybe I'll try it later.


Posted on 2001-09-10 09:26:35 by latigo
It won't be enough. You will have to apply relocations, and do import
loading. And if "FileAlign != 4096", then you will have even more chores
to do.
Posted on 2001-09-10 09:35:15 by f0dder
...Which takes us to your first post in this thread :)

Posted on 2001-09-10 09:41:58 by latigo

The PE exe you want to run must have relocs (or the default imagebase must be free). First alloc a block of memory equal to imagesize; copy the PE header and the sections to the right positions.

Parse the import table, putting the addresses of the APIs in the correct points, then parse the relocs, and add to each the difference between the address of the memory you allocated minus the original imagebase. Then jmp to the entrypoint.

Probably more steps are needed if the prog uses TLS or resources, but this will work for console ones, or DLLs.

Check http://www.coderz.net/asm_infamy/infamy.htm for a PE packer that does something similar to this.

Posted on 2001-09-10 13:46:44 by ancev
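The relocation step ancev describes (add "new base minus original imagebase" to every absolute pointer listed in the .reloc blocks), as an added Python example that is not code from this thread. It only patches a byte buffer and never executes anything, which is the same walk an analysis tool does when checking whether a dumped image was rebased; it assumes the caller already read the relocation directory's RVA and size from DataDirectory[5] of the optional header, and the sample image is constructed inline.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, nothing to patch
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address

def apply_relocations(image: bytearray, reloc_rva: int, reloc_size: int,
                      original_base: int, new_base: int) -> int:
    """Walk the IMAGE_BASE_RELOCATION blocks at reloc_rva and add
    (new_base - original_base) to each absolute pointer they describe.
    `image` is the mapped image (RVA == buffer offset). Returns the count patched."""
    delta = new_base - original_base
    pos, end, patched = reloc_rva, reloc_rva + reloc_size, 0
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if block_size < 8 or pos + block_size > end:
            raise ValueError("malformed relocation block")
        for off in range(pos + 8, pos + block_size, 2):
            entry, = struct.unpack_from("<H", image, off)
            rtype, target = entry >> 12, page_rva + (entry & 0xFFF)
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype == IMAGE_REL_BASED_HIGHLOW:
                val, = struct.unpack_from("<I", image, target)
                struct.pack_into("<I", image, target, (val + delta) & 0xFFFFFFFF)
            elif rtype == IMAGE_REL_BASED_DIR64:
                val, = struct.unpack_from("<Q", image, target)
                struct.pack_into("<Q", image, target, (val + delta) & 0xFFFFFFFFFFFFFFFF)
            else:
                raise ValueError(f"unsupported relocation type {rtype}")
            patched += 1
        pos += block_size
    return patched

def build_sample_image():
    """Constructed sample (not a real PE): a 0x2000-byte mapped image whose page at
    RVA 0x1000 holds two absolute pointers into itself, and a .reloc block at
    RVA 0x1800 describing them. Original ImageBase is assumed to be 0x400000."""
    base = 0x400000
    image = bytearray(0x2000)
    struct.pack_into("<I", image, 0x1010, base + 0x1234)   # HIGHLOW pointer
    struct.pack_into("<Q", image, 0x1020, base + 0x1500)   # DIR64 pointer
    entries = [(3 << 12) | 0x010, (10 << 12) | 0x020, 0]  # last one is ABSOLUTE padding
    block = struct.pack("<II", 0x1000, 8 + 2 * len(entries))
    block += b"".join(struct.pack("<H", e) for e in entries)
    image[0x1800:0x1800 + len(block)] = block
    return image, 0x1800, len(block), base
```

Imports are resolved separately (walk the import directory and write each resolved address into the IAT); the relocation pass above is independent of that order as long as both run before the entrypoint is reached.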