Hi friends,

Based on Chetnik's code to run EXEs from memory, I coded a small static library named PEmem.lib extending Chetnik's method to load and call functions from DLLs embedded in the main application. This means that you can use DLLs like static libraries. Eliminating the dumping of DLLs to HDD, I think this method could be an interesting one for decompressing modules ( DLLs ) embedded in the main executable.

Here are the functions :

LoadEXEfromMem PROC pEXE:DWORD

This function loads a PE / DLL from memory and does all the initializing procedures

   pEXE   :   pointer to the PE or DLL in memory

Return values :
   
   eax   :   entry point of the "virtual" PE / DLL

   edx   :   pointer to the PE / DLL loaded to the allocated memory
         eax holds a handle to the "virtual" PE / DLL

GetProcAddr PROC hModule:DWORD,func:DWORD

This function gets the address of a function from a "virtual" DLL

   hModule   :   handle to the "virtual" DLL
         edx holds this value after a call to LoadEXEfromMem

Return values :

   eax   :   address of the "virtual" DLL's exported function "func"

You will find two demos in the attachment, one for running EXE from memory, the other one calling function from an embedded DLL

I used Hutch's fda.exe to embed the EXE and DLL in the main executables. ( Many thanks Hutch for your nice tool. )

Many thanks to Chetnik for his pemem demo inspiring  me to code this library.

If you have the time, could you test the two demos PEmem.exe and DLLmem.exe ? ( Please specify also your operating system )
Attachments:
Posted on 2005-11-06 08:55:32 by Vortex
Thanks for your work, I will test it.
Posted on 2005-11-06 09:28:21 by miaomiao
You should use EAX for success/failure and have some pointer-to-returnvalue arguments to the function - that way the library could be used from HLLs as well :) (not really an issue for me since I have my own routines for this, but some other people might appreciate it).

Also, perhaps routines for unloading the module again?
Posted on 2005-11-06 09:44:59 by f0dder
miaomiao,

Thanks for your support.

You should use EAX for success/failure and have some pointer-to-returnvalue arguments to the function - that way the library could be used from HLLs as well  (not really an issue for me since I have my own routines for this, but some other people might appreciate it).


f0dder,

If you check the examples, you will see the line below :
    invoke  VirtualFree,hVirtModule,0,MEM_RELEASE ; Release the memory allocated
                                                  ; for consfunc.dll

Also, eax is already used to check if the routines are running without problem.

Since the modules are linked statically, there is no way to unload them. Dynamically loading EXE modules / DLLs as data files and releasing the memory allocated for those embedded modules gives the opportunity to unload all of them. I can code a simple FreeEXEfromMem function, that's not a problem.

Pointer to return value is a good suggestion, I will do it in the next release of the library. Thanks for the idea.
Posted on 2005-11-06 10:00:49 by Vortex
Following f0dder's suggestions, I modified LoadEXEfromMem and I added a function to release the allocated memory :

LoadEXEfromMem PROC pEXE:DWORD,pModule:DWORD

This function loads a PE / DLL from memory and does all the initializing procedures

pEXE : pointer to the PE or DLL in memory
pModule : pointer to module value, block of memory allocated to initialize the embedded PE / DLL

Return values :

eax : entry point of the "virtual" PE / DLL

FreeEXEfromMem PROC hModule:DWORD

hModule : pointer to the PE / DLL loaded to the allocated memory


Basically FreeEXEfromMem does the job of the VirtualFree function.
Attachments:
Posted on 2005-11-08 13:09:17 by Vortex
Why not add support to embed the exe's and dlls without having to use the fda tool, or call the fda tool with the necessary command lines?
Posted on 2005-11-08 15:46:00 by shism2

Why not add support to embed the exe's and dlls without having to use the fda tool, or call the fda tool with the necessary command lines?


With a little effort, I believe that you can code it. Why not to try your luck?
Posted on 2005-11-09 12:16:53 by Vortex
That's true lol ;)
Posted on 2005-11-09 17:59:27 by shism2
Here is the second version. This time, I tried to maintain the library code to make it more readable. Preserving Chetnik's method, I merged some portions of the source code to make one compact module, the new version of LoadEXEfromMem.
Attachments:
Posted on 2007-03-15 15:48:20 by Vortex
My apologies to members who downloaded the second version of the library. LoadEXEfromMem didn't preserve esi, edi and ebx; I fixed it. New upload above.
Posted on 2007-03-18 04:26:39 by Vortex

My apologies to members who downloaded the second version of the library. LoadEXEfromMem didn't preserve esi, edi and ebx; I fixed it. New upload above.


It doesn't load notepad.exe and other exe's which I tried (except Dialog.exe, which is the demo application for the library).
Posted on 2009-04-07 04:25:36 by volodyja
Unless the library fixes up all the resource-related APIs (which I guess it doesn't), then a lot of executables are going to fail.
Posted on 2009-04-07 08:28:51 by f0dder
Hi Vortex,

this is a very nice code.  8)
But what about the call to ExitProcess from the loaded EXE? In this case, the call to the entry point does not return.
Posted on 2009-04-07 14:10:27 by Obivan

It doesn't load notepad.exe and other exe's which I tried (except Dialog.exe, which is the demo application for the library).


That's an expected result because notepad.exe does not have a relocation section, plus the library does not handle resource sections. Your executable should have a relocation section and you need to use binary templates for resources.
Posted on 2009-04-07 15:13:19 by Vortex
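As an added example (not Vortex's library code and not from the original thread), here is a small Python PE header reader that reports the two properties Vortex names above, a base relocation directory and a resource directory, so you can tell before trying whether an executable is even a candidate for a loader that maps it at an arbitrary address. The constants are the documented PE/COFF values; the sample images are constructed minimal headers (one shaped like the notepad.exe case, relocations stripped and resources present, one shaped like the Dialog.exe demo), not real binaries.

```python
import struct

# PE/COFF constants (documented values from the PE specification)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_DLL = 0x2000
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
# PE32 optional header up to (and including) NumberOfRvaAndSizes: 96 bytes
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6


def inspect_pe(image: bytes) -> dict:
    """Parse the headers of a PE image held in memory and return the fields a
    manual loader depends on: image kind, preferred base, entry point RVA,
    and whether relocation / resource directories are present."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    file_hdr = e_lfanew + 4
    machine, _nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, file_hdr)
    opt = file_hdr + 20                      # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", image, opt)[0]
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    if magic == 0x10B:                       # PE32
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", image, ndirs_off)[0]

    def directory(index):
        # A directory that is absent (or outside the optional header) counts as empty.
        if index >= ndirs or dirs_off + 8 * index + 8 > opt + opt_size:
            return (0, 0)
        return struct.unpack_from("<II", image, dirs_off + 8 * index)

    return {
        "kind": "DLL" if chars & IMAGE_FILE_DLL else "EXE",
        "machine": machine,
        "image_base": image_base,
        "entry_point_rva": entry_rva,
        "relocs_stripped": bool(chars & IMAGE_FILE_RELOCS_STRIPPED),
        "reloc_dir": tuple(directory(IMAGE_DIRECTORY_ENTRY_BASERELOC)),
        "resource_dir": tuple(directory(IMAGE_DIRECTORY_ENTRY_RESOURCE)),
    }


def loader_caveats(info: dict) -> list:
    """List the reasons a loader like the one in this thread would fail on or
    mishandle the image. An empty list means both checks pass."""
    caveats = []
    if info["relocs_stripped"] or info["reloc_dir"][1] == 0:
        caveats.append("no base relocations: the image only works if mapped at "
                       "its preferred ImageBase 0x%x" % info["image_base"])
    if info["resource_dir"][1] != 0:
        caveats.append("has a resource section: FindResource/LoadString go through "
                       "the system loader's module list and will not see a manually mapped image")
    return caveats


def build_minimal_pe32(characteristics, reloc_size, resource_size,
                       entry_rva=0x1000, image_base=0x400000) -> bytes:
    """Constructed test input: DOS header, PE signature, file header and a PE32
    optional header with zero sections. Enough for header inspection only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)
    opt = struct.pack(OPT32_FMT, 0x10B, 0, 0,
                      0, 0, 0, entry_rva, 0x1000, 0x2000, image_base, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,
                      0, 0x5000, 0x200, 0,
                      3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_RESOURCE] = (0x3000 if resource_size else 0, resource_size)
    dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC] = (0x4000 if reloc_size else 0, reloc_size)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + file_hdr + opt


if __name__ == "__main__":
    # Constructed samples: a notepad-like EXE (relocs stripped, has resources)
    # and a demo-like EXE built from source with a .reloc section and no resources.
    for name, img in (("notepad-like", build_minimal_pe32(0x0102 | IMAGE_FILE_RELOCS_STRIPPED, 0, 0x800)),
                      ("demo-like", build_minimal_pe32(0x0102, 0x40, 0))):
        info = inspect_pe(img)
        print(name, info["kind"], hex(info["image_base"]), loader_caveats(info) or "ok")
```

Run against a real file with `inspect_pe(open(path, "rb").read())`; only the headers are read, nothing is mapped or executed. The relocation check is the hard failure Vortex describes (without a .reloc directory the image cannot be fixed up for the address VirtualAlloc hands back); the resource check is the softer one f0dder raises, since resource APIs resolve through the system loader's module list rather than the manually mapped copy.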

Hi Vortex,

this is a very nice code.  8)
But what about the call to ExitProcess from the loaded EXE? In this case, the call to the entry point does not return.


The embedded executable should be terminated with a ret instruction. The library is useful to handle executables built from source code.
Posted on 2009-04-07 15:16:52 by Vortex