A while ago, Chetnik coded a demo launching PEs loaded to memory. It loads a test file, fixes the import table and executes the PE file. Modifying Chetnik's original demo, I created a main module "extracting" an embedded PE file to the memory. The main executable ( PEmem.exe ) launches the PE file "dumped" to the memory.

Many thanks to Hutch for his fda tool.

PS : You can get Chetnik's pe-mem demo from :

Posted on 2005-05-28 04:58:30 by Vortex
Here is another version where the embedded application is decompressed to memory.

Before binding the test file to the main executable, it is compressed to reduce the size with Jeremy Collake's JCALG1 compression library.

Thanks to Jeremy Collake for JCALG1
Posted on 2005-05-28 09:22:33 by Vortex
Pretty interesting that resources work in the embedded file... have you tested this on 9x?
Posted on 2005-05-29 20:05:44 by f0dder
The original test file dialog.exe which comes with my res2bin tool was developed on a win95b system. Memory dialog templates are also available on win 9x systems, for more information have a look at win32.hlp reference.
Posted on 2005-05-30 04:46:00 by Vortex
Ah, didn't look closely at the source - I wonder if this would work for "normal" resource usage...
Posted on 2005-05-30 05:37:35 by f0dder
As a result of my tests, I can say that embedded PEs with "normal" resources don't work with Chetnik's method. This is why I used binary resource data in my example.
Posted on 2005-05-30 12:22:14 by Vortex
Mmh, resource data is pretty "special"... especially on 9x :)
Posted on 2005-05-30 13:36:09 by f0dder
Hi f0dder,

If you have the opportunity, could you try my binary resource example ( which comes with PEmem2.zip ) on a 9x system?
Posted on 2005-05-30 14:19:33 by Vortex
I will try to do so soon, Vortex - please remind me. I have an exam period right now, so I have to do a bit of studying and such... but I have assembled my test box soon, a pii-350 with exchangeable drives (2k, 98, ...), so I should be able to test :)
Posted on 2005-05-30 16:58:46 by f0dder
Hi f0dder,

Thanks for your interest.

Good luck at your exams, I am sure you will be successful.
Posted on 2005-05-31 00:31:23 by Vortex
Finally got around to testing on win98se, and it works... I still don't think it will work if you use "normal" resource functions, but those can of course be emulated and the loaded app IAT could be patched to use those emulated functions.
Posted on 2005-06-12 12:06:24 by f0dder
Hi f0dder,

Thanks for testing the executable. About "normal" resources, I said exactly the same as you, they don't function with Chetnik's technique. Naturally, emulation can be a solution but that is another work to do.
Posted on 2005-06-12 15:13:08 by Vortex
Very interesting and useful. I have for various reasons disabled PAE mode on my PC and DEP in XPSP2 because of some program execution issues with it. Has anyone tried it with DEP/PAE enabled?

Can't see why it shouldn't work but my machine won't boot with PAE enabled because of software incompatibilities so I can't test to make sure.
Posted on 2005-06-12 16:02:36 by donkey
donkey, as long as you unpack/load/whatever the image to VirtualAlloc'ed memory that has the EXECUTE permission, it should work just fine... but no heapalloc, global/localalloc, stack memory, etc...
Posted on 2005-06-12 16:08:19 by f0dder
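
Added example, not part of the original thread and not code from any poster: the last reply implies that an image loaded this way sits in executable memory that the OS loader did not map as an image section, which is the property memory scanners check for. The sketch classifies constructed region records shaped like `VirtualQuery` output; the dict keys, labels and sample data are assumptions for illustration.

```python
import struct

# Values from winnt.h, as reported in MEMORY_BASIC_INFORMATION
MEM_PRIVATE, MEM_IMAGE = 0x20000, 0x1000000
PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x04, 0x20, 0x40
EXEC_MASK = 0xF0  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

def has_pe_header(data):
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify(region):
    """Label one region dict with hypothetical keys 'type', 'protect', 'data'."""
    executable = bool(region["protect"] & EXEC_MASK)
    pe = has_pe_header(region["data"])
    if region["type"] == MEM_IMAGE:
        return "image-backed"            # mapped from a file by the OS loader
    if executable and pe:
        return "exec-pe-outside-image"   # image placed by something other than the loader
    if executable:
        return "exec-outside-image"      # JIT or unpacker memory; header absent or wiped
    if pe:
        return "pe-data-no-exec"         # e.g. a heap copy; DEP blocks running it
    return "plain-data"

def make_stub():
    """Constructed 0x84-byte buffer holding only the MZ and PE signatures."""
    buf = bytearray(0x84)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)

# Constructed sample regions, not captured from a real process
SAMPLE = [
    {"type": MEM_IMAGE, "protect": PAGE_EXECUTE_READ, "data": make_stub()},
    {"type": MEM_PRIVATE, "protect": PAGE_EXECUTE_READWRITE, "data": make_stub()},
    {"type": MEM_PRIVATE, "protect": PAGE_READWRITE, "data": make_stub()},
    {"type": MEM_PRIVATE, "protect": PAGE_EXECUTE_READWRITE, "data": bytes(64)},
]

def scan(regions):
    return [classify(r) for r in regions]

if __name__ == "__main__":
    for region, label in zip(SAMPLE, scan(SAMPLE)):
        print(hex(region["type"]), hex(region["protect"]), label)
```

A region labelled `exec-outside-image` still deserves review, since a header check alone misses images whose MZ/PE signatures were overwritten after loading.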