How can I execute an application from memory in ASM, if it's possible?
It depends on what you mean; you can load another program into memory and execute it using CreateProcess. Or do you mean self-modifying code? Umbongo
Do you have any code with the CreateProcess function?
Here you go:-
    .data
    szApp db "c:\winnt\notepad.exe",0

    .code
    ; LOCAL declarations must sit at the top of the enclosing PROC
    LOCAL sInfo :STARTUPINFO
    LOCAL pInfo :PROCESS_INFORMATION

    ; Zero-initialise STARTUPINFO, apart from its size field
    mov sInfo.cb,sizeof STARTUPINFO
    xor eax,eax
    mov sInfo.lpReserved,eax
    mov sInfo.lpDesktop,eax
    mov sInfo.lpTitle,eax
    mov sInfo.dwX,eax
    mov sInfo.dwY,eax
    mov sInfo.dwXSize,eax
    mov sInfo.dwYSize,eax
    mov sInfo.dwXCountChars,eax
    mov sInfo.dwYCountChars,eax
    mov sInfo.dwFillAttribute,eax
    mov sInfo.dwFlags,eax
    mov sInfo.wShowWindow,ax
    mov sInfo.cbReserved2,ax
    mov sInfo.lpReserved2,eax
    mov sInfo.hStdInput,eax
    mov sInfo.hStdOutput,eax
    mov sInfo.hStdError,eax

    ; Zero-initialise PROCESS_INFORMATION; CreateProcess fills it in
    mov pInfo.hProcess,eax
    mov pInfo.hThread,eax
    mov pInfo.dwProcessId,eax
    mov pInfo.dwThreadId,eax

    ; Start szApp as a detached process
    invoke CreateProcess,0,ADDR szApp,0,0,0, DETACHED_PROCESS,0,0, ADDR sInfo,ADDR pInfo
Thank you for your answer, umbongo. I want to make a file compressor, but I want to extract the file in memory and execute it from there, not from a file. Do you know how?
Well, I know what you'd have to do, but it seems a little difficult; you're better off extracting it to a temporary file, then executing that. But, if you want to try, I'd suggest creating a very large area of memory (i.e. big enough to put the uncompressed file in), then you can alter the memory protection under Windows to allow you to execute it. The Debugging functions should allow you to do this kind of thing. I am assuming it's quite straightforward, but it should be like this:- 1) uncompress your program into memory. 2) call the address at the start of the program. I have a feeling there would be a lot more to it than that; what exactly are you trying to achieve here? Maybe I can help by suggesting another way of doing the same thing. umbongo
You definitely don't want to *call* the original entrypoint, you will want to jump to it. Extracting to a temporary file is not a good idea. Well. The problem with in-memory decompression is you have to have a "large enough" gap between the compressed data and where you decompress it to, so that the compressed data is not overwritten by the decompressed data. IIRC, aPLib can do this with a not-so-large gap. The next problem is section properties. You will have to mark all sections as writable, otherwise you will get page faults. Probably the easiest thing to do is to combine all sections into one big section, but... You will probably want to look up VirtualProtect, VirtualAlloc, and related functions. And take a look at the UPX packer, source is available if I'm not mistaken.
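Added example, not part of the original thread and not code from UPX or aPLib: the section properties described in the post above (sections marked writable so the stub can decompress into them, and an empty area reserved for the decompressed image) are visible in the PE section table, so a triage script can read them back out. The section names PACK0/PACK1 and the header-only sample image are constructed for illustration.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_* flags
WX = MEM_EXECUTE | MEM_WRITE

def parse_sections(image):
    """Return (entry point RVA, list of section dicts) for a PE image."""
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)          # e_lfanew
    if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    opt_off = pe_off + 24
    (entry,) = struct.unpack_from("<I", image, opt_off + 16)   # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, _ptr, flags = struct.unpack_from(
            "<8sIIII12xI", image, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "flags": flags})
    return entry, sections

def packer_indicators(image):
    """Flag section properties typical of an in-memory unpacking stub."""
    entry, sections = parse_sections(image)
    findings = []
    for s in sections:
        wx = (s["flags"] & WX) == WX
        if wx:
            findings.append((s["name"], "writable+executable"))
        if wx and s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append((s["name"], "no file data, filled at run time"))
        if wx and s["vaddr"] <= entry < s["vaddr"] + s["vsize"]:
            findings.append((s["name"], "entry point in writable section"))
    return findings

def build_sample():
    """Constructed header-only image with a packed-style layout (not a real binary)."""
    def sec(name, vsize, vaddr, rawsize, rawptr, flags):
        return struct.pack("<8sIIII12xI", name, vsize, vaddr, rawsize, rawptr, flags)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, 0xB100)    # entry point inside PACK1
    return dos + coff + bytes(opt) + (
        sec(b"PACK0", 0x8000, 0x1000, 0, 0x400, 0xE0000080) +       # empty target area
        sec(b"PACK1", 0x3000, 0x9000, 0x2E00, 0x400, 0xE0000040) +  # stub + packed data
        sec(b".rsrc", 0x1000, 0xC000, 0x200, 0x3200, 0x40000040))   # ordinary read-only

if __name__ == "__main__":
    for name, why in packer_indicators(build_sample()):
        print(f"{name}: {why}")
```

These are heuristics: some legitimate software ships packed, so a hit is a reason to look closer rather than a verdict.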
Do you have any example in ASM, or a tutorial on how to do this? Regards, EAGLE Art
I think, if you uncompress the executable and want to execute it, you'll have to jump to the entry point, but first, you'll have to convert the import table with the GetModuleHandleA and GetProcAddress APIs.