#1
launch an exe from inside another exe
Well,
this is a request for comments not on how to include an exe as a resource inside another win32 exe/dll, but rather on how to execute it from memory without a dump on disk. I know perfectly well how to handle resources, embed, extract and so on, but the problem is the way I want to launch the hidden exe, without disk dumps. For the dlls there's the solution I also documented here (http://www.accessroot.com/arteam/site/download.php?view.103), using which you can launch a dll directly from memory. But what happens for the exe files? I would need something similar to CreateProcessfromMemory(). Is there something similar around? I mean something ready, not implying modifications to my code (which would take time I don't have). Thanks!
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com
#2
Edit: found something on which to stumble upon.
http://www.rohitab.com/discuss/topic/31681-c-run-program-from-memory-and-not-file/
#3
Humm, the solution above, after a lot of testing, seems not to work when UAC is on. Any idea in this case?
#4
What exactly are you planning to do?
Your best bet is probably to CreateProcess a dummy process (say, cmd.exe) in a suspended state, then map your own image into the process and continue execution. It's a common evasion technique in malware.
#5
Not sure I understand the exact context (.net/native), but would reflection work? I've approached something that sounds similar to your scenario using InvokeMember.
http://msdn.microsoft.com/en-us/library/system.type.invokemember(v=vs.110).aspx

Code:

    // Requires: using System; using System.Reflection;
    // Load the assembly from the path held in g_exePath.
    Assembly asm = Assembly.LoadFrom(this.g_exePath);

    // Locate the target class by name.
    Type hwidClass = null;
    foreach (Type type in asm.GetTypes())
    {
        if (type.Name == "x500000hsd76")
            hwidClass = type;
    }

    // Instantiate the class and invoke its method through reflection.
    object hwid = Activator.CreateInstance(hwidClass);
    object somethingRandom = hwid.GetType().InvokeMember("get_8850XynnG", BindingFlags.InvokeMethod, null, hwid, null);

    // Read the resultedValue field from the returned object.
    string resultedValue = somethingRandom.GetType().GetField("resultedValue").GetValue(somethingRandom).ToString();
    return resultedValue.GetHashCode();
#6
Is it possible to create a virtual device and put that exe on the device?
I have found this kind of technique is used by some rootkits.
#7
I used the same method a few years ago to write a cryptor.
__________________
In memory of UnREal RCE...
#8
Indeed, I later discovered that the process is called dynamic forking and is actually what I also implemented, starting from code found on the web (http://www.rohitab.com/discuss/topic/31681-c-run-program-from-memory-and-not-file/).
But the question remains: do these techniques work when UAC control is active? Apparently not, as far as I have seen from comments and from my experiments. The method miserably fails, always giving the error "The application was unable to start correctly (0xc0000005). Click OK to close the application." no matter which exe you use on it. It seems almost the same problem someone posted here: http://stackoverflow.com/questions/7192544/dynamic-forking-of-win32-exe Ah, and yes, I'm on a Win8.1 64b with UAC, and the program is compiled as 32b.