Hi all;

This is my first post. I found this forum while surfing the internet and I feel that I am in the right place to learn Win32ASM programming. I have to read a lot I think :)

Before coming this far, I was dealing with a problem. I know ANSI C and Visual Basic programming. In one of my Visual Basic projects, I am loading binary data from a file into a byte array and trying to execute that specific code from memory.

I have a couple of questions you guys may be familiar with:

Since I know the memory location of a binary file, is there a way to execute that binary directly from memory [ without writing to a physical drive first] with Win32ASM coding?

If it is possible, as being a newbie sucks, would you please show me some references, articles to read and learn?

And what must a beginner in Win32ASM programming do first? Is there a place I had better start?

Thanks for any pointers about the subject.

EpcH

PS: I am gonna check the site if any tutorials available, I came directly to the forum from the link I found.
Posted on 2003-02-13 15:34:20 by EpcH
It could be a good idea if you give us a reason for trying to execute the loaded data before we give you a solution. I personally can think of only one reason why you would want to do it, and that reason would get this thread closed instantly. We are not being anal about this, it's just that we don't want the board used to educate virus/trojan/worm writers, which would get it shut down.

So, what are you trying to achieve?
Posted on 2003-02-13 18:12:49 by sluggy
I am very sorry, you are right. I didn't think in that way while posting. Anyway, here is why I am interested:

Overall, out of topic, I want to learn win32ASM, I am a CS student and I love to learn new things.

And here is why I asked the question,

I wrote an application that enables users to log on to a server. It has two parts: the main executable, which does certain things like downloading messages or informing the user of events, and a second executable that allows users to log on to a server.

Here comes the problem: this server is an online gaming server. It is for an old game called Ultima Online. The client is written by Electronic Arts. The main server is an emulator.

And there is an open source application on the internet that manipulates the CLIENT and destroys SERVER EMULATOR files; it interrupts the communication packets and changes them in favor of its user. The devil thing is that it is open source.

But to do these things, this specific cheating program and most of the others need the client stored physically. So I thought about it and included the client as a resource file. For protection I added garbage to it and track the location of the client inside that garbage with a pointer-type approach. So any resource hacker program will simply get garbage.

By the way, I am trying to protect the client from average users who only know how to use programs, not from experts who hack into it.

Anyway, as I said, I can reload the executable at runtime into a byte array. But here is the problem: how can I execute it without writing it physically, from the array itself?

When I asked this question to friends at visualbasicforum.com, they told me that I must get into Win32ASM coding. That is how my interest in the subject began.

I simply do not know any method either in VB or C, though I am planning to send an email to my teacher :) Anyway I think this is the whole story.

Thanks for giving your time and replying;

EpcH

PS: I examined the API functions and found some useful functions to deal with memory, but couldn't find any information about the subject.
Posted on 2003-02-13 19:00:35 by EpcH
So, admins, is it safe to teach him or what?



Anyway first you must make the memory section you are loading it into 'executable.' This is done via 'VirtualAlloc' I think. Then jmp to the code, or call it. The latter, I think, can be done in C, by using some kind of type casting...



void *MemorySectionToExecute;
void (*Cast)(void); /*Pointer to a function taking no arguments and returning nothing:
the type the data will be treated as.*/
.
.
.
/*Cast the data pointer to a function pointer and call through it; the memory must
already be marked executable (see VirtualAlloc above).*/
Cast = (void (*)(void)) MemorySectionToExecute;
Cast();


I KNOW it can be done in C, it's just a matter of type casting, well it'll be easier in Asm because there is no type casting. But I KNOW it can be done in C, K&R designed it that way. ;) :grin: :)
Posted on 2003-02-13 19:21:55 by AmkG
Thanks AmkG,

I am examining the VirtualAlloc API and its parameters. The term "type casting" confused me a little. When you say type casting, I understand programmer-controlled type changes for a variable. I mean:

float The_Thing;
(double) The_Thing;

Is this a type cast? It is used in order to prevent the "coercion" thing that stupid C compilers love to do. So I got a little confused by the term type cast in C that you used.

I am trying to figure out the API you mentioned and the related API functions with it.

Thanks very much for sharing the info,
I really appreciate,

I begin to read Tutorials, they are well prepared and documented.

EpcH
Posted on 2003-02-13 19:49:37 by EpcH

> Thanks AmkG,
>
> I am examining the VirtualAlloc API and its parameters. The term "type casting" confused me a little. When you say type casting, I understand programmer-controlled type changes for a variable. I mean:
>
> float The_Thing;
> (double) The_Thing;
>
> Is this a type cast? It is used in order to prevent the "coercion" thing that stupid C compilers love to do. So I got a little confused by the term type cast in C that you used.


Yes this IS!

Type-casting directly converts the data.

However type-casting a pointer to the data means that the data is NOT changed, but treated in a different manner. So you can extract the lower byte (char) of a word (short int):

/*assuming your processor is little-endian, anyway*/
short int intvariable; char extract;

extract = * (char*) (&intvariable);

You have an array that the C compiler treats as data.

You want to treat this as code, so you type-cast via a pointer to the array.

However... how DO you store the data in the array?

Is it just plain code, or are you storing the *executable file* itself?

If it's the file itself, that's when you need to analyze the file. After all the executable file has a header, and it needs to be linked, etc. I believe this topic has been discussed on the boards before, I suggest you look near the upper right corner of this page and click the 'SEARCH' button.
:) :grin: ;)
Posted on 2003-02-14 03:52:38 by AmkG
Thanks for the information,

I now understand what we are talking about. I always do a search before asking a question, but if somebody does not know the key words [ the correct ones] then the search returns unrelated content. But I do know now :)

Anyway I appreciate the information,

I asked the same question to my teacher and complained about why he doesn't teach us things like this :) [ He hasn't answered yet, which means I am in danger hehe].

Because there is always this discussion about the "Black Art Coding" thing. What if he learns and creates a stupid devil application? And this idea makes it very difficult to learn such things.

Thanks all,

EpcH

PS: I am loading the executable file itself into an array; actually, I add some garbage to the file, track the exact location of the executable in that array, and extract it from the garbage when I need to use it.
Posted on 2003-02-14 21:17:50 by EpcH


> PS: I am loading the executable file itself into an array; actually, I add some garbage to the file, track the exact location of the executable in that array, and extract it from the garbage when I need to use it.


Oh dear.... that is difficult...

You may have to learn about the PE or Portable Executable format that Windows uses, then write your own 'loader' for this. I have tried looking for a WinAPI that can load a file already in memory, but I have not yet found one. This means you will have to find a way to treat a memory location as a file you can execute using CreateProcess (somehow I think it can be done, but I am not sure....). Your other alternative, as I mentioned above, is to create your own loader, which is probably more effort than you need.

You might try to experiment with 'named pipes' but I suspect it won't work.

Also, adding some garbage to the beginning of the file is not enough. You might want to directly encrypt the file with garbage. Just generate some garbage, XOR it into your executable file, then when you need to decrypt, generate the same garbage and XOR it back.
Posted on 2003-02-15 02:59:39 by AmkG
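Added here to illustrate that last suggestion (this is not code from the thread; the LCG used as the "garbage" generator and the seed value are my own assumptions): a C round trip of the XOR step, plus the caveat that the known "MZ" header of every PE file hands back the first key bytes, so the scheme hides the file from a casual look but is obfuscation rather than encryption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Deterministic "garbage" generator. A plain LCG is assumed here; the thread does
   not say how the garbage is produced. Same seed -> same byte stream. */
static uint8_t garbage_next(uint32_t *state) {
    *state = *state * 1664525u + 1013904223u;
    return (uint8_t)(*state >> 24);        /* high byte of the state as the key byte */
}

/* XOR buf in place with the garbage stream for seed. Applying it twice with the
   same seed restores the original bytes, because XOR is its own inverse. */
void xor_with_garbage(uint8_t *buf, size_t len, uint32_t seed) {
    uint32_t st = seed;
    for (size_t i = 0; i < len; i++)
        buf[i] ^= garbage_next(&st);
}

/* Round trip over a constructed sample (the first bytes of a PE file). Returns 1 when
   the XORed copy differs from the input and a second XOR with the same seed restores it. */
int roundtrip_ok(uint32_t seed) {
    const uint8_t image[] = { 'M', 'Z', 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00 };
    uint8_t copy[sizeof image];
    memcpy(copy, image, sizeof image);
    xor_with_garbage(copy, sizeof image, seed);
    int changed = memcmp(copy, image, sizeof image) != 0;
    xor_with_garbage(copy, sizeof image, seed);
    return changed && memcmp(copy, image, sizeof image) == 0;
}

/* The caveat: every PE file starts with "MZ", so anyone holding the XORed image gets
   the first key bytes back by XORing with that known header. Returns 1 when the bytes
   recovered that way equal the generator's output, i.e. the garbage is not a secret. */
int header_leaks_keystream(uint32_t seed) {
    uint8_t hdr[2] = { 'M', 'Z' };
    xor_with_garbage(hdr, 2, seed);
    uint32_t st = seed;
    uint8_t k0 = garbage_next(&st), k1 = garbage_next(&st);
    return (hdr[0] ^ 'M') == k0 && (hdr[1] ^ 'Z') == k1;
}
```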
EpcH,

A simple solution:

a) Embedding your child program in your main application
b) Extracting the child program with openfile, savefile, closefile (I don't know exactly the functions of VB's file manipulation system)
c) Running the child program with the WinExec API (kernel32.dll)
d) At the end, deleting the program when we are O.K.

Regards,

Vortex
Posted on 2003-02-15 05:07:58 by Vortex
Vortex, he specifically asked if it was possible to execute it from memory.

EpcH:

Looks like you'll have to code your own PE loader then :) Some things you need to do: load sections to the correct offsets, create and initialize uninitialized sections, apply relocations (this will almost always be necessary since you will be executing the program in your loading program's address space), and then load all the imported DLLs and fix up the import table. Iczelion has some nice tutes on the PE file format to get you started.
Posted on 2003-02-15 07:23:55 by Qweerdy
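As an added illustration of the first of those steps (not code from the thread or from Iczelion's tutorials; the struct names and the two-section sample are my own), here is a C walk of the section table that a loader, or anyone inspecting an executable embedded as a resource, performs before mapping anything, with every offset bounds-checked against the buffer length so a truncated or malformed image is rejected instead of read past its end.

```c
#include <stdint.h>
#include <string.h>
/* Minimal PE/COFF header layouts (field order per the PE spec), declared here so the
   example builds without <windows.h>; only the fields the walk uses are named. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t rest[58]; uint32_t e_lfanew; } dos_header;
typedef struct { uint32_t signature; uint16_t machine, n_sections; uint32_t timestamp,
                 symtab, n_symbols; uint16_t opt_header_size, characteristics; } nt_header;
typedef struct { char name[8]; uint32_t virtual_size, virtual_address, raw_size, raw_ptr,
                 relocs, linenums; uint16_t n_relocs, n_linenums; uint32_t characteristics; } section_header;
#pragma pack(pop)
/* Find the section table of a PE file held in memory, checking each offset against len first.
   Returns the section count, or -1 for a malformed or truncated image. */
int pe_sections(const uint8_t *buf, size_t len, const section_header **table) {
    const dos_header *dos = (const dos_header *)buf;
    if (len < sizeof *dos || dos->e_magic != 0x5A4D) return -1;            /* "MZ" */
    if (dos->e_lfanew > len - sizeof(nt_header)) return -1;
    const nt_header *nt = (const nt_header *)(buf + dos->e_lfanew);
    if (nt->signature != 0x00004550) return -1;                            /* "PE\0\0" */
    size_t off = dos->e_lfanew + sizeof *nt + nt->opt_header_size;
    if (off > len || (len - off) / sizeof(section_header) < nt->n_sections) return -1;
    *table = (const section_header *)(buf + off);
    return nt->n_sections;
}
/* Map an RVA to a file offset through the section table (the mapping a loader inverts when
   it copies each section to its virtual address). Returns -1 if no section covers the RVA. */
long rva_to_file_offset(const uint8_t *buf, size_t len, uint32_t rva) {
    const section_header *s; int n = pe_sections(buf, len, &s);
    for (int i = 0; i < n; i++)
        if (rva >= s[i].virtual_address && rva < s[i].virtual_address + s[i].raw_size)
            return (long)(s[i].raw_ptr + (rva - s[i].virtual_address));
    return -1;
}
/* Constructed sample: the headers of a PE32 image with two sections and no code at all. */
static uint8_t sample[512];
size_t build_sample_pe(void) {
    memset(sample, 0, sizeof sample);
    dos_header *d = (dos_header *)sample; d->e_magic = 0x5A4D; d->e_lfanew = 0x40;
    nt_header *nt = (nt_header *)(sample + 0x40);
    nt->signature = 0x4550; nt->machine = 0x14c; nt->n_sections = 2; nt->opt_header_size = 224;
    section_header *s = (section_header *)(sample + 0x40 + sizeof *nt + 224);
    memcpy(s[0].name, ".text", 5); s[0].virtual_address = 0x1000; s[0].raw_ptr = 0x400; s[0].raw_size = 0x200;
    memcpy(s[1].name, ".data", 5); s[1].virtual_address = 0x2000; s[1].raw_ptr = 0x600; s[1].raw_size = 0x200;
    return 0x40 + sizeof *nt + 224 + 2 * sizeof *s;      /* bytes of headers written */
}
int sample_section_count(size_t len) {        /* len 0 = whole sample; smaller = truncated */
    size_t full = build_sample_pe(); const section_header *s;
    return pe_sections(sample, len ? len : full, &s);
}
long sample_rva_lookup(uint32_t rva) { return rva_to_file_offset(sample, build_sample_pe(), rva); }
```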
Qweerdy, why suffer so much with the coding of a new PE loader? :)
The simple solution is to execute the child process from another file. :)
This method is much more practical.
Posted on 2003-02-16 04:35:34 by Vortex
Vortex:

Yes, it's very easy to do it that way. In fact I assumed he already knew it could be done that way, so I didn't bother mentioning it. And I personally never mind a challenge, and I like to assume other people don't either :)
In fact I already coded a proc to handle relocations and imports some time ago for another purpose, it's on my website. I found it a very good learning experience, and I might someday expand it to a full PE loader.
Posted on 2003-02-16 06:39:44 by Qweerdy
Thanks All guys,

Vortex, in that method, if I understand you correctly, you are using the shell API, so as you said you write the data to a physical drive first and then delete it; maybe a WaitForSingleObject API combo will do the job. But the problem is that while the program is running, it is vulnerable, because it is just sitting on a physical drive and waiting to finish its job and be deleted. At that instant, what if the user steals that file? Am I wrong?

If I understand you correctly, what you are telling is the normal procedure of doing this.


Qweerdy, I have to read and learn this stuff. I understand that with my current knowledge of coding I will have trouble handling that, so I read .. :)

Thanks for the information guys,

It is all very helpful.

EpcH
Posted on 2003-02-16 11:16:52 by EpcH
EpcH,

You don't have to wait for anything, since Win32 is a multi-tasking environment.
You can use VB's AppActivate function. It's very easy.

Quote from Vb.hlp:

This example illustrates various uses of the AppActivate statement to activate an application window. The Shell statements assume the applications are in the paths specified.

AppActivate "Microsoft Word"    ' Activate Microsoft Word.

' AppActivate can also use the return value of the Shell function.
MyAppID = Shell("C:\WORD\WINWORD.EXE", 1)    ' Run Microsoft Word.
AppActivate MyAppID    ' Activate Microsoft Word.

You can extract your child program to the temp folder of Windows. There, your file will be located securely.

Regards,

Vortex
Posted on 2003-02-17 02:28:38 by Vortex
Thanks Vortex,

In some cases I need the main executable to wait for other executables that were fired with shell functions to finish their tasks, and then the main executable is free to continue. That is why I mentioned that subject.

Putting a file in the temp directory unfortunately can't solve the issue; it is an easy task to get something from there. We usually use that technique for temporary patch files [ execute and then kill it; for safety put it in the temp folder, and if something happens, handle it with error handlers, and the OS will delete it at the next run time if you can't at runtime].

Thanks for sharing though :)

As time is important for me, and learning a new programming language needs attention and time, I am writing a server/client application that will make the necessary security checks in the background. I am hoping to finish it soon.

Thanks guys, you are great, thanks for giving your time and efforts to help a stranger.

By the way, I realized that you are from Turkey? I missed a lot, it is my home land :) A little PS for you in my mother tongue.

EpcH

PS: Vortex, I have no problem with the Win APIs, my friend; I know them like the back of my hand, I can recite the DLLs from right to left :) The problem, as I mentioned, is that I need memory handling; I need to run it directly from memory so that it is inaccessible. I will get into ASM coding for this, but unfortunately I don't have the time. With ASM coding inside VB we can also get maximum performance, so from that angle I have to get into it. Thanks for your interest; I think I have found myself a friend I can consult about resources in the future :)
Posted on 2003-02-17 02:46:54 by EpcH
Ehm, there was an example from Elicz (check his site) which showed how to "capture" ImageLoad. If I don't remember wrong, his prog got "alerted" of every process execution the moment the binary image of app was loaded. This means there must be a way to tell the OS to run an "Image" in memory. I'll try to find functions involved in this and post them as soon as I can. Something about NTDLL gets in my mind...

Ka.
Posted on 2003-02-17 17:24:38 by KaSt