A while ago, Chetnik coded a demo launching PEs loaded into memory. It loads a test file, fixes the import table and executes the PE file. Modifying Chetnik's original demo, I created a main module "extracting" an embedded PE file to memory. The main executable (PEmem.exe) launches the PE file "dumped" to memory.
Many thanks to Hutch for his fda tool.
PS : You can get Chetnik's pe-mem demo from :
http://www.masmforum.com/simple/index.php?action=dlattach;topic=576.0;id=846
Here is another version where the embedded application is decompressed to memory.
Before binding the test file to the main executable, it is compressed to reduce the size with Jeremy Collake's JCALG1 compression library.
Thanks to Jeremy Collake for JCALG1
Pretty interesting that resources work in the embedded file... have you tested this on 9x?
The original test file dialog.exe which comes with my res2bin tool was developed on a win95b system. Memory dialog templates are also available on Win 9x systems; for more information, have a look at the win32.hlp reference.
Ah, didn't look closely at the source - I wonder if this would work for "normal" resource usage...
As a result of my tests, I can say that embedded PEs with "normal" resources don't work with Chetnik's method. This is why I used binary resource data in my example.
Mmh, resource data is pretty "special"... especially on 9x :)
Hi f0dder,
If you have the opportunity, could you try my binary resource example ( which comes with PEmem2.zip ) on a 9x system?
I will try to do so soon, Vortex - please remind me. I have an exam period right now, so I have to do a bit of studying and such... but I will have assembled my test box soon, a PII-350 with exchangeable drives (2k, 98, ...), so I should be able to test :)
Hi f0dder,
Thanks for your interest.
Good luck at your exams, I am sure you will be successful.
Finally got around to testing on win98se, and it works... I still don't think it will work if you use "normal" resource functions, but those can of course be emulated and the loaded app's IAT could be patched to use those emulated functions.
Hi f0dder,
Thanks for testing the executable. About "normal" resources, I said exactly the same as you: they don't function with Chetnik's technique. Naturally, emulation can be a solution, but that is another task to do.
Very interesting and useful. I have, for various reasons, disabled PAE mode on my PC and DEP in XP SP2 because of some program execution issues with it. Has anyone tried it with DEP/PAE enabled?
Can't see why it shouldn't work but my machine won't boot with PAE enabled because of software incompatibilities so I can't test to make sure.
donkey, as long as you unpack/load/whatever the image to VirtualAlloc'ed memory that has the EXECUTE permission, it should work just fine... but no HeapAlloc, Global/LocalAlloc, stack memory, etc...
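The steps the thread describes (load the image into memory, fix the import table, jump to the entry point) and f0dder's point about EXECUTE-able memory, as an added example in portable C. This is not Chetnik's or Vortex's code and not the pe-mem demo: it is a minimal PE32 loader that redeclares the PE structures so it builds without windows.h, allocates the image with VirtualAlloc(PAGE_EXECUTE_READWRITE) on Windows and mmap(PROT_EXEC) elsewhere, walks the import directory and writes resolved addresses into the IAT. The embedded test image (a single .text section containing "mov eax,42 ; ret" and an import of KERNEL32.dll!ExitProcess), the demo_resolve() table and the address it returns are constructed for this example; a real loader would resolve through LoadLibraryA/GetProcAddress. Base relocations are not applied, which is fine only because the stub has no absolute addresses.

```c
/* Added example, not Chetnik's or Vortex's code: a minimal PE32 in-memory loader in portable C.
 * It maps a PE image into executable memory, walks the import directory to patch the IAT and
 * returns the entry point. The demo image, demo_resolve() and its address are constructed for
 * this example; base relocations are not applied (the stub contains no absolute addresses). */
#define _DEFAULT_SOURCE 1
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

#pragma pack(push, 1)   /* PE on-disk layouts, redeclared so this builds without windows.h */
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } dos_hdr_t;
typedef struct { uint32_t sig; uint16_t machine, nsect; uint32_t ts, symptr, nsym; uint16_t optsize, chars; } file_hdr_t;
typedef struct { uint32_t va, size; } data_dir_t;
typedef struct { uint16_t magic; uint8_t lver, mver; uint32_t sz[3], entry, cbase, dbase, image_base, salign,
                 falign; uint16_t ver[6]; uint32_t w32ver, image_size, hdr_size, csum; uint16_t subsys, dllchars;
                 uint32_t stk[4], ldflags, ndirs; data_dir_t dir[16]; } opt_hdr32_t;          /* 224 bytes */
typedef struct { char name[8]; uint32_t vsize, va, rawsize, rawptr, rel, ln; uint16_t nrel, nln; uint32_t chars; } sect_hdr_t;
typedef struct { uint32_t oft, ts, fwd, name_rva, ft; } import_desc_t;
#pragma pack(pop)

typedef uintptr_t (*resolver_t)(const char *dll, const char *sym, uint16_t ordinal);
typedef struct { uint8_t *base; uint32_t entry_rva; int imports, executable; } loaded_t;

/* f0dder's point: the image needs EXECUTE memory (VirtualAlloc with PAGE_EXECUTE_READWRITE on Windows,
 * mmap with PROT_EXEC elsewhere); HeapAlloc, Global/LocalAlloc or stack memory may be non-executable under DEP. */
static uint8_t *alloc_image(size_t n, int *executable) {
#ifdef _WIN32
    *executable = 1;
    return VirtualAlloc(NULL, n, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
#else
    void *p = mmap(NULL, n, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (!(*executable = (p != MAP_FAILED)))      /* execmem denied: map RW so the fix-up can still be inspected */
        p = mmap(NULL, n, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
#endif
}

/* Map sections and resolve imports into the IAT. Returns 0, or <0 for a malformed or unresolvable image. */
int pe_load(const uint8_t *file, size_t len, resolver_t resolve, loaded_t *out) {
    dos_hdr_t dos; file_hdr_t fh; opt_hdr32_t oh;
    if (len < sizeof dos) return -1;
    memcpy(&dos, file, sizeof dos);
    if (dos.e_magic != 0x5A4D || (uint64_t)dos.e_lfanew + sizeof fh + sizeof oh > len) return -1;
    memcpy(&fh, file + dos.e_lfanew, sizeof fh);
    memcpy(&oh, file + dos.e_lfanew + sizeof fh, sizeof oh);
    const sect_hdr_t *sh = (const sect_hdr_t *)(file + dos.e_lfanew + sizeof fh + fh.optsize);
    if (fh.sig != 0x4550 || oh.magic != 0x10B || oh.hdr_size > len ||
        (const uint8_t *)(sh + fh.nsect) > file + len) return -1;
    uint8_t *base = alloc_image(oh.image_size, &out->executable);
    if (!base) return -1;
    memcpy(base, file, oh.hdr_size);                               /* headers land at the image base */
    for (unsigned i = 0; i < fh.nsect; i++) {                       /* copy raw section data to its RVA */
        if ((uint64_t)sh[i].rawptr + sh[i].rawsize > len || (uint64_t)sh[i].va + sh[i].rawsize > oh.image_size) return -2;
        memcpy(base + sh[i].va, file + sh[i].rawptr, sh[i].rawsize);
    }
    int n = 0;
    data_dir_t imp = oh.dir[1];                                    /* IMAGE_DIRECTORY_ENTRY_IMPORT */
    if (imp.va && imp.va + sizeof(import_desc_t) <= oh.image_size)
        for (import_desc_t *d = (import_desc_t *)(base + imp.va); d->name_rva; d++) {
            if (d->name_rva >= oh.image_size || d->ft >= oh.image_size || d->oft >= oh.image_size) return -2;
            const char *dll = (const char *)(base + d->name_rva);
            uint32_t *thunk = (uint32_t *)(base + (d->oft ? d->oft : d->ft));   /* INT if present, else the IAT itself */
            uint32_t *iat = (uint32_t *)(base + d->ft);
            for (; *thunk; thunk++, iat++, n++) {
                const char *sym = (*thunk & 0x80000000u) ? NULL : (const char *)(base + *thunk + 2); /* ordinal, or skip 2-byte hint */
                uintptr_t addr = resolve(dll, sym, sym ? 0 : (uint16_t)*thunk);
                if (!addr) return -3;                              /* unresolved import: refuse to run it */
                *iat = (uint32_t)addr;                             /* PE32 IAT slots are 32-bit */
            }
        }
    out->base = base; out->entry_rva = oh.entry; out->imports = n;
    return 0;
}

/* Constructed PE32 for the example: one .text section holding "mov eax,42 ; ret" and an import table
 * naming KERNEL32.dll!ExitProcess. File offset 0x200 maps to RVA 0x1000. Returns the file size. */
size_t build_demo_image(uint8_t *f /* >= 0x400 bytes */) {
    dos_hdr_t dos = { 0x5A4D, {0}, 0x40 };
    file_hdr_t fh = { 0x4550, 0x14C, 1, 0, 0, 0, sizeof(opt_hdr32_t), 0x102 };
    sect_hdr_t sh = { ".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020 };
    import_desc_t id = { 0x1040, 0, 0, 0x1060, 0x1050 };            /* INT RVA, name RVA, IAT RVA */
    uint8_t stub[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };         /* mov eax,42 ; ret */
    uint32_t thunk = 0x1070;                                         /* RVA of the hint/name entry */
    opt_hdr32_t oh; memset(&oh, 0, sizeof oh);
    oh.magic = 0x10B; oh.entry = 0x1000; oh.image_base = 0x400000; oh.salign = 0x1000; oh.falign = 0x200;
    oh.image_size = 0x2000; oh.hdr_size = 0x200; oh.subsys = 3; oh.ndirs = 16;
    oh.dir[1].va = 0x1010; oh.dir[1].size = 2 * sizeof(import_desc_t);
    memset(f, 0, 0x400);
    memcpy(f, &dos, sizeof dos); memcpy(f + 0x40, &fh, sizeof fh);
    memcpy(f + 0x40 + sizeof fh, &oh, sizeof oh); memcpy(f + 0x138, &sh, sizeof sh);
    memcpy(f + 0x200, stub, sizeof stub); memcpy(f + 0x210, &id, sizeof id);   /* RVA 0x1000, 0x1010 (+ null descriptor) */
    memcpy(f + 0x240, &thunk, 4); memcpy(f + 0x250, &thunk, 4);                /* INT @0x1040, IAT @0x1050 */
    memcpy(f + 0x260, "KERNEL32.dll", 13); memcpy(f + 0x272, "ExitProcess", 12); /* name @0x1060, hint+name @0x1070 */
    return 0x400;
}

/* Placeholder resolver (constructed for the example): a real Windows loader would call LoadLibraryA
 * and GetProcAddress here. The value returned is not a real address. */
uintptr_t demo_resolve(const char *dll, const char *sym, uint16_t ordinal) {
    (void)ordinal;
    return (!strcmp(dll, "KERNEL32.dll") && sym && !strcmp(sym, "ExitProcess")) ? 0x7C80BEEFu : 0;
}

uint32_t iat_slot(const loaded_t *l, uint32_t rva) { uint32_t v; memcpy(&v, l->base + rva, 4); return v; }

/* Call the entry point. The stub is x86 code, so only attempt this on x86; -1 means "not run". */
int run_entry(const loaded_t *l) {
#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
    if (l->executable) return ((int (*)(void))(uintptr_t)(l->base + l->entry_rva))();
#endif
    return -1;
}

int main(void) {
    static uint8_t file[0x400]; loaded_t img;
    size_t len = build_demo_image(file);
    if (pe_load(file, len, demo_resolve, &img) != 0) return 1;
    printf("imports patched: %d  IAT[ExitProcess]=%#x  entry returned %d\n", img.imports, iat_slot(&img, 0x1050), run_entry(&img));
    return 0;
}
```

The loader refuses to run an image whose imports cannot all be resolved, and it bounds-checks every file offset and RVA against the file length and SizeOfImage before copying; an embedded PE is attacker-controlled data as soon as the host binary can be patched, so a loader that trusts the headers is a memory-corruption bug waiting to happen. Images that carry absolute addresses also need the base relocation directory applied whenever the allocation does not land at ImageBase, which is the usual case.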