launch an exe from inside another exe

[Shub-Nigurrath]

well,
this is a request for comments not on how to include an exe as a resource inside another win32 exe/dll, but rather on how to execute it from memory without a dump on disk. I perfectly know how to handle resources, embed, extract and so on, but the problem is the way I want to launch the hidden exe, without disk dumps..

For the dlls there's the solution I also documented here (http://www.accessroot.com/arteam/site/download.php?view.103), using which you can launch a dll directly from the memory. But what happens for the exe files? I would need something similar to CreateProcessfromMemory().
Is there something similar around? I mean something ready, not implying modifications on my code (which would take time I don't have).

thanks!

[Shub-Nigurrath]

edit, found something on which to stumble upon..

http://www.rohitab.com/discuss/topic/31681-c-run-program-from-memory-and-not-file/

[Shub-Nigurrath]

humm, the solution above, after a lot of testing seems not to work when UAC is on. Any idea in this case?

[deepzero]

what exactly are you planning to do?


Your best bet is probably to CreateProcess a dummy process (say, cmd.exe) in a suspended state, then map your own image into the process and continue execution.
It's a common evasion technique in malware.

[0xd0000]

Not sure I understand the exact context, (.net/native) but would reflection work? I've approached something that sounds similar to your scenario using InvokeMember.


http://msdn.microsoft.com/en-us/library/system.type.invokemember(v=vs.110).aspx

Code:

            Assembly asm = Assembly.LoadFrom(this.g_exePath);
            Type hwidClass = null;
            foreach (Type type in asm.GetTypes())
            {
                if (type.Name == "x500000hsd76")
                    hwidClass = type;
            }
            object hwid = Activator.CreateInstance(hwidClass);
            object somethingRandom = hwid.GetType().InvokeMember("get_8850XynnG", BindingFlags.InvokeMethod, null, hwid, null);
            string resultedValue = somethingRandom.GetType().GetField("resultedValue").GetValue(somethingRandom).ToString();
            return resultedValue.GetHashCode();

[BlackWhite]

Is it possible to create a virtua device and put that exe on the device?
I have found this kind of technique is used by some rootkits.

[Newbie_Cracker]

Quote:

Originally Posted by deepzero

what exactly are you planning to do?


Your best bet is probably to CreateProcess a dummy process (say, cmd.exe) in a suspended state, then map your own image into the process and continue execution.
It's a common evasion technique in malware.

I used same method few years ago to write a cryptor.

[Shub-Nigurrath]

indeed I later discovered that the process is called dynamic forcing and is actually what I also implemented, starting from a code found on the web (http://www.rohitab.com/discuss/topic/31681-c-run-program-from-memory-and-not-file/).

But the question remains, do these techniques work when UAC control is active? Apparently not as far as I have seen from comments and from my experiments.
The method miserably fails giving always the error "The application was unable to start correctly (0xc0000005) . Click OK to close the application." no matter which exe you use on it. It seems almost the same problem someone posted here: http://stackoverflow.com/questions/7192544/dynamic-forking-of-win32-exe
Ah, and yes I'm on a Win8.1 64b with UAC, and the program is compiled as 32b.