How I can do to execute any applications from memory in ASM ? if it's possible ?
Posted on 2001-03-15 00:44:00 by ASM_Killer
It depends on what you mean, you can load another program into memory an execute it using CreateProcess. Or do you mean self-modifying code? Umbongo
Posted on 2001-03-15 03:19:00 by umbongo
Have you any code with createprocess function ?
Posted on 2001-03-15 04:47:00 by ASM_Killer
Here you go:-

.data
szApp db "c:\winnt\notepad.exe",0

.code

LOCAL sInfo :STARTUPINFO
LOCAL pInfo :PROCESS_INFORMATION 


	mov	sInfo.cb,sizeof STARTUPINFO
	xor	eax,eax
	mov	sInfo.lpReserved,eax 
	mov	sInfo.lpDesktop,eax 
	mov	sInfo.lpTitle,eax 
	mov	sInfo.dwX,eax 
	mov	sInfo.dwY,eax 
	mov	sInfo.dwXSize,eax 
	mov	sInfo.dwYSize,eax 
	mov	sInfo.dwXCountChars,eax 
	mov	sInfo.dwYCountChars,eax 
	mov	sInfo.dwFillAttribute,eax 
	mov	sInfo.dwFlags,eax 
	mov	sInfo.wShowWindow,ax 
	mov	sInfo.cbReserved2,ax 
	mov	sInfo.lpReserved2,eax 
	mov	sInfo.hStdInput,eax 
	mov	sInfo.hStdOutput,eax 
	mov	sInfo.hStdError,eax 
	
	mov	pInfo.hProcess,eax
	mov	pInfo.hThread,eax
	mov	pInfo.dwProcessId,eax 
	mov	pInfo.dwThreadId,eax

	invoke CreateProcess,0,ADDR szApp,0,0,0,
                             DETACHED_PROCESS,0,0,
                             ADDR sInfo,ADDR pInfo

Posted on 2001-03-15 06:34:00 by umbongo
Thanx you for your answer umbongo, I want to make compressor file but I want to extract file in memory and execute from it not by file. Do you know ?
Posted on 2001-03-15 07:50:00 by EAGLE Art
Well I know what you'd have to do, but it seems a little difficult, you're better off extracting it to a temporary file, then executing that. But, if you want to try, I'd suggest creating a very large area of memory (i.e. big enough to put the uncompressed file in) then you can alter the memory protection under windows to allow you to execute it. The Debugging functions should allow you to do this kind of thing, I am assuming it's quite straght forward, but it should be like this:- 1) uncompress you program into memory. 2) call the address at the start of the program. I have a feeling there would be alot more to it than that, what exactly are you trying to achieve here? Maybe I canhelp by suggesting another way of doing the same thing. umbongo
Posted on 2001-03-15 08:05:00 by umbongo
You definitely don't want to *call* the original entrypoint, you will want to jump to it. Extracting to a temporary file is not a good idea. Well. The problem with in-memory decompression is you have to have a "large enough" between the compressed data and where you decompress it to, that the compressed data is not overwritten by the decompressed data. Iirc, aPLib can do this with a not-so-large gap. The next problem is section properties. You will have to mark all sections as writable, otherwise you will get page faults. Probably the easiest thing to do is to combine all sections into one big section, but... You will probably want to look up VirtualProtect, VirtualAlloc, and related functions. And take a look at the UPX packer, source is available if I'm not mistaken.
Posted on 2001-03-15 08:20:00 by f0dder
Have you any example in ASM or tutorial to do this ? Regards, EAGLE Art
Posted on 2001-03-15 10:20:00 by EAGLE Art
i think, if you uncompress the executable and want to execute it, you' ll have to jump to the entry point, but first, you' ll have to convert the import table with the getmodulehandlea and getprocaddress apis
Posted on 2001-03-15 13:33:00 by roy