I did a search but could not find anything about it. I've been trying to execute a file from memory only so there will be no disk activity. Is this possible? I can't seem to find a way to do it. It may sound like a crazy idea, but if you've got text in a buffer, why do you always have to write it to disk just to execute it?

I would be using it to execute registry files with the Regedit4 header that I create in memory, and I have no use for writing them to disk.

I never could find a way to set binary registry files, so if I can do it this way it will be good enough. I have a lot of things I do with IE Explorer registry settings, but my way is the wrong way by a programmer's way of doing things.

I need to learn how to do it both ways really. As far as setting binary values goes, Dream showed me how to do it with numbers only; it will not do letters like 21,bf,00.



The_Text db "21,bf,00",0

Text2 db "Thank You",0

; The_File: zero-terminated path of the .reg file handed to ShellExecute,
; defined elsewhere (not shown here)

c_execute_memory PROC

; ShellExecute arguments are pushed right to left
PUSH SW_SHOW             ; nShowCmd
PUSH 0                   ; lpDirectory
PUSH 0                   ; lpParameters
PUSH offset The_File     ; lpFile
PUSH 0                   ; lpOperation (NULL = default verb)
PUSH 0                   ; hwnd
CALL ShellExecute

RET
c_execute_memory ENDP
Posted on 2003-07-08 23:36:02 by cmax
I would be using it to execute registry files with the Regedit4 header that I create in memory, and I have no use for writing them to disk.


Are you shellexecuting regedit.exe in order to add things to the registry?

RobotBob
Posted on 2003-07-08 23:40:20 by RobotBob
Are you talking about a PE file or just raw opcodes? If it's a PE file it can't really be done: the PE format has relative offsets and jump tables that are resolved at load time, and the segments have to be repositioned by the PE loader as well. It is technically possible, but from a practical standpoint it would be easier to save it to a file and execute it.
Posted on 2003-07-08 23:44:26 by donkey
No, I just have my own numbers in the program to replace certain numbers in the reg. Since it's only a few, it's a waste of time writing to disk and then executing it, but that's all I can do at the moment. The right way is RegSet, but no one knows how to do it with binary (numbers and letters). And learning to execute in memory only would be a plus.



REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"ITBarLayout"=hex:11,00,00,00,36,00,00,00,00,00,00,00,10,00,00,00,1f,00,00,00,\
5e,00,00,00,01,00,00,00,a0,06,00,00,a0,0f,00,00,05,00,00,00,62,04,00,00,26,\
00,00,00,02,00,00,00,a1,06,00,00,a0,0f,00,00,04,00,00,00,a1,00,00,00,a0,0f,\
00,00,03,00,00,00,a0,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
Posted on 2003-07-08 23:49:17 by cmax
So if I get you right, you are saving that text file to disk
and then shellexecuting regedit.exe in order to load the .reg file?

Why not use the registry api for this?

Or maybe I am misunderstanding you.

RobotBob
Posted on 2003-07-08 23:53:36 by RobotBob
I don't know how to... That's what I want to find out, and how to execute from memory if it is possible also...

I need to learn both ways, but I'll be happy with anything that works...

Being forced to write a dumb reg file to disk and then executing it is not the mark of an ASM programmer. It's my only bomber..
Posted on 2003-07-09 00:01:32 by cmax
The right way to do it is with the registry API; it involves only three functions:

RegOpenKeyEx
RegSetValueEx
RegCloseKey
Posted on 2003-07-09 00:03:18 by donkey
Would you PLEASE show me an example.

I tried them all, and can do them all.... But it's hard to do it with BINARY. I can do it with numbers like 10,20,30,40 but not with letters like bf,cf,df,10 that you see in binary, not dword binary. There is a big difference.

I can do everything else but not this :(
Posted on 2003-07-09 00:12:51 by cmax
cmax, I am nearly finished with your example.

gimme a few :)

RobotBob
Posted on 2003-07-09 00:19:25 by RobotBob
Just in case

Be careful with changing those numbers.

Export that key FIRST so you can replace it.
Posted on 2003-07-09 00:25:33 by cmax
invoke RegSetValueEx, hKey, lpValueName, 0, REG_BINARY, offset SomeBlockOfData, sizeOfBlock
Posted on 2003-07-09 00:27:21 by iblis
Here is your code cmax:



; #################################################

.486
.model flat, stdcall
option casemap :none ; case sensitive

; #################################################

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\gdi32.inc
include \masm32\include\advapi32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\gdi32.lib
includelib \masm32\lib\advapi32.lib

.data
hRegKey dd 0
disp dd 0

SubKey db "Software\Microsoft\Internet Explorer\Toolbar\WebBrowser",0
ITBarLayout db "ITBarLayout",0

; The value data as raw bytes, not as text: each item is a MASM hex literal,
; so 0a0h here is the byte a0 from the REGEDIT4 "hex:" list
BytesToSet db 11h,00h,00h,00h,36h,00h,00h,00h,00h,00h
db 00h,00h,10h,00h,00h,00h,1fh,00h,00h,00h
db 5eh,00h,00h,00h,01h,00h,00h,00h,0a0h,06h
db 00h,00h,0a0h,0fh,00h,00h,05h,00h,00h,00h
db 62h,04h,00h,00h,26h,00h,00h,00h,02h,00h
db 00h,00h,0a1h,06h,00h,00h,0a0h,0fh,00h,00h
db 04h,00h,00h,00h,0a1h,00h,00h,00h,0a0h,0fh
db 00h,00h,03h,00h,00h,00h,0a0h,02h,00h,00h
db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
db 00h,00h,00h,00h,00h
BytesToSetLen equ $ - BytesToSet ; byte count computed by the assembler (95 bytes here)

; #################################################
.code

start:
; open (or create) the key with rights that allow writing a value
invoke RegCreateKeyEx,HKEY_CURRENT_USER,OFFSET SubKey,0,0,REG_OPTION_NON_VOLATILE, \
KEY_ALL_ACCESS, NULL,OFFSET hRegKey, OFFSET disp
; write the bytes as REG_BINARY; the last argument is the size in bytes
invoke RegSetValueEx,hRegKey, OFFSET ITBarLayout, 0, REG_BINARY, OFFSET BytesToSet, BytesToSetLen
invoke RegCloseKey,hRegKey

invoke ExitProcess,0

; #################################################

end start


Although on the setvalue I hand entered 564 for the number of bytes.
But it does write your key. You'll need to tweak it to make sure I have your bytes right.

EDIT: man, this board php plays screwy with the formatting :)
have Fun
RobotBob
Posted on 2003-07-09 00:41:38 by RobotBob
I'm going to try it now. If it works my search and 500 questions are over...

I'll post this anyway because this is all I ever got out of trying...


................................... an extra 01 at the end for 2 bytes
SomeBlockOfData, "8145e001",0

Gives me 38 31 34 35 65 30 30 31

It should be 81 45 e0 01
.........................................
.........................................
SomeBlockOfData, "81,45,e0",0

Gives me 38 31 2c 34 35 2c 65 30

It should be 81 45 e0

.........................................
.........................................



This is a problem that I have been having with RegSetValueEx BINARY
for a long time. Even if I use the EXACT SAME numbers from the key and send those same numbers back to the same key, it should be the same numbers,
but they are not. What is going wrong?


IF YOU TRY THIS, the WebBrowser KEY, running or not, will not hurt anything,
but you must back up that key first using Regedit.exe



.386
.MODEL FLAT,STDCALL
option casemap:none


include \MASM32\INCLUDE\windows.inc

include \MASM32\INCLUDE\user32.inc
include \MASM32\INCLUDE\kernel32.inc
include \MASM32\INCLUDE\shell32.inc
include \masm32\include\advapi32.inc ;;;Registry


includelib \MASM32\LIB\user32.lib
includelib \MASM32\LIB\kernel32.lib
includelib \MASM32\LIB\shell32.lib
includelib \masm32\lib\advapi32.lib
includelib \MASM32\LIB\oleaut32.lib


.DATA

KeyName db "Software\Microsoft\Internet Explorer\Toolbar\WebBrowser",0
ToolBar db "ITBarLayout",0

; NOTE: this is a text string, not binary data. The registry receives the ASCII
; codes of the characters '8','1',',','4','5',',','e','0' (38 31 2c 34 35 2c 65 30),
; which is exactly what shows up in the key
SomeBlockOfData db "81,45,e0",0
;SomeBlockOfData db "8145e001",0 ; same problem: ASCII text, not bytes

.DATA?

rKey DWORD ?


.CODE
start:


; ...................................
PUSH offset rKey
PUSH KEY_SET_VALUE   ; writing a value needs set rights, not just KEY_QUERY_VALUE
PUSH 0
PUSH offset KeyName
PUSH HKEY_CURRENT_USER
CALL RegOpenKeyEx
; ...................................
; 8 bytes written: the 8 characters of the string, not 3 binary bytes
invoke RegSetValueEx, rKey, offset ToolBar, 0, REG_BINARY, offset SomeBlockOfData, 8
; ...................................
PUSH rKey
CALL RegCloseKey

invoke ExitProcess,0

end start
Posted on 2003-07-09 02:22:11 by cmax
It's Alive
It's Alive

Thanks

RobotBob


It took three years off and on for me to find this out. And I tried HARD
Posted on 2003-07-09 02:46:38 by cmax
Running a PE in memory? Cmax, you need to code your own PE loader. :)
Posted on 2003-07-09 03:25:43 by Vortex
Running a PE in memory? Cmax, you need to code your own PE loader.

hmmm....... Maybe not...

I think it would be possible to map the PE, find the code section table, then jmp to entrypoint.
Posted on 2003-07-09 03:27:46 by roticv
Hello Vortex,

The minute I get completely past this I can move on to the HEAVY stuff :)


Hello Again RobotBob

I tried on the other key under WebBrowser and a few other IE keys. The key {01E04581-4EEE-11D0-BFE9-00AA005B4383} and the code will not work for letters like FFh,EEh,BFh ...

I don't understand why it works for one binary key and not the other.

I get the ERROR: Undefined FFh

Thanks Again

Now I see why it took me so long... Different code needed for different binary types, I guess.
Posted on 2003-07-09 03:59:20 by cmax
If you want to put values like FFh you need to put a 0 in front, so MASM recognises it as a hex value, not as some kind of variable.
BytesToSet  db   0BFh,0AAh,0EEh,0FFh,36h, ...

gives me
bf aa ee ...

in the registry.

And no error like that "undefined" you got.


HTH, phueghy
Posted on 2003-07-09 04:32:03 by phueghy
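An added example (not code from this thread, and written in Python rather than MASM so it can be run anywhere): it parses a REGEDIT4 "hex:" value laid out the way cmax's .reg file above is, then emits the MASM db lines using phueghy's leading-0 rule together with an assembler-computed length, so the byte count handed to RegSetValueEx is not typed in by hand. The key header and sample value are constructed from this thread.

```python
import re

# Constructed sample in the REGEDIT4 format from the thread. The key header is
# taken from RobotBob's SubKey; the bytes are cmax's ITBarLayout value.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"ITBarLayout"=hex:11,00,00,00,36,00,00,00,00,00,00,00,10,00,00,00,1f,00,00,00,\
  5e,00,00,00,01,00,00,00,a0,06,00,00,a0,0f,00,00,05,00,00,00,62,04,00,00,26,\
  00,00,00,02,00,00,00,a1,06,00,00,a0,0f,00,00,04,00,00,00,a1,00,00,00,a0,0f,\
  00,00,03,00,00,00,a0,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
'''


def parse_reg_hex_values(text):
    """Return {(key, value_name): bytes} for every "name"=hex:... entry.
    A trailing backslash continues the list on the next line, as regedit writes it."""
    joined = re.sub(r'\\\r?\n[ \t]*', '', text)   # glue continuation lines
    result, key = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]                        # current [HKEY_...] header
            continue
        m = re.match(r'"([^"]+)"=hex:([0-9a-fA-F,]*)$', line)
        if m and key is not None:
            items = [h for h in m.group(2).split(',') if h]
            result[(key, m.group(1))] = bytes(int(h, 16) for h in items)
    return result


def masm_byte_literal(b):
    """Hex literal MASM accepts: a leading letter needs a 0 prefix (0BFh, not BFh),
    otherwise the assembler reads it as an undefined symbol, as cmax saw with FFh."""
    lit = '%02Xh' % b
    return '0' + lit if lit[0].isalpha() else lit


def to_masm_db(label, data, per_line=10):
    """Emit 'label db ...' lines plus an EQU for the byte count, so the size
    handed to RegSetValueEx comes from the assembler instead of being typed in."""
    lines = []
    for i in range(0, len(data), per_line):
        chunk = ','.join(masm_byte_literal(b) for b in data[i:i + per_line])
        lines.append('%s db %s' % (label, chunk) if i == 0 else '    db %s' % chunk)
    lines.append('%sLen equ $ - %s' % (label, label))
    return '\n'.join(lines)
```

Running `to_masm_db('BytesToSet', parse_reg_hex_values(SAMPLE_REG)[k])` for the parsed key reproduces RobotBob's db table with 95 bytes, which is the length his hand-typed 564 should have been.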


hmmm....... Maybe not...

I think it would be possible to map the PE, find the code section table, then jmp to entrypoint.


Mapping the PE, that's a nice idea; but how to solve the jump table problem?
Posted on 2003-07-09 04:45:34 by Vortex
That did it phueghy;
Thanks

Does someone know of a link where I can get a copy of the hex list so I can learn what each number means? I'm searching the Board right now, but there have got to be hundreds of threads with the word Hex in them, but I am looking anyway.

I think i want to be a REAL MAN.
Posted on 2003-07-09 06:51:47 by cmax