Executing an Exe held in Memory?

This is a discussion on Executing an Exe held in Memory? within the Windows Programming forums, part of the Platform Specific Boards category; Hi there, I'm having problems with hackers decompiling my programs and releasing hacked versions. So... Is there ary way to ...

  1. #1
    Code Monkey Davros's Avatar
    Join Date
    Jun 2002
    Posts
    812

    Question Executing an Exe held in Memory?

    Hi there,

    I'm having problems with hackers decompiling my programs and releasing hacked versions. So...

    Is there ary way to execute an exe program held in memory? This is what I want to do, as follows:

    [exe 1][exe 2]

    I append exe2 to the end of the file of exe1 - exe1 runs as normal when the file is launched.

    I want exe1 to extract and load the contents of exe2, which is appended to its own file, and execute it.

    I know how to extract and load the contents of exe2 into memory, but how do I begin execution, without first re-saving to disk?

    Can it be done?

    (I'm using C++, but also familiar with Delphi and the WinApi.)

    Anyone any other ideas to make the life of hackers harder?

    Cheers

    Andy
    OS: Windows XP
    Compilers: MinGW (Code::Blocks), BCB 5

    BigAngryDog.com

  2. #2
    pronounced 'fib' FillYourBrain's Avatar
    Join Date
    Aug 2002
    Posts
    2,297
    If they're using a program like softice, your method won't stop them. One way that some people try is by "detecting" the common cracker activities. Like softice. There is code out there for detecting if softice is running. You could prevent your app from running when one of these detected things happens.

    In the end, the cracker will win though. You pretty much can't stop that.
    "You are stupid! You are stupid! Oh, and don't forget, you are STUPID!" - Dexter

  3. #3
    &TH of undefined behavior Fordy's Avatar
    Join Date
    Aug 2001
    Posts
    5,789
    If you get the code into memory you can issue a JMP instruction or start a thread with the startproc at the point you want executioin to begin

    I doubt it would be easy though as you would have to do most of the work that the windows loader does when it maps a dll.....ie putting the right sections in the right places...

    I dont see how this would prevent hacking though? The second exe will be mapped to the process address space and so the code will be fully viewable to a debugger that issues a memory dump for that region.

    Maybe you could try some sort of self encrypted exe......though it's not too portable and it's usually more of an ASM freak method....

  4. #4
    Banned maes's Avatar
    Join Date
    Aug 2001
    Posts
    744
    I don't really know how people hack a programme, but why don't you test the exe for it's authenticity with MD5.

    Example: you build the exe an create an MD5 hash of that exe (don't know it is possible with a binary file )
    you put that hash somewhere in a filename and name it texture.dat. You fill the file with all kind of rubbish and put the hash sowhere in the middle at a location you only know of.

    then everytime the program is run, it creates a new MD5 hash and compares it with the one in the texture.dat file.

    if the match the user can continue, if they don't match exit without warning. (because if you display a warning the hacker wil know how too look for the string).

    don't kow if I expained this very well:
    Code:
    int main()
    {
    char hash1[128];
    char hash2[128];
    
    hash=MD5("myexe.exe");
    fopen blablabla
    fseek(...my_place_in_texture.dat)
    fread(hash2,128,128,fp_texture.dat)
    if(strcmp(hash1,hash2)!=0)
    return 0;
    continue prog

    Just an idea

  5. #5
    Code Monkey Davros's Avatar
    Join Date
    Jun 2002
    Posts
    812
    Hey thanks for the replies,

    >Maybe you could try some sort of self encrypted exe.

    That was the aim behind my origanal question. What [else] do you mean be self encrypted exe - that's what I want.


    >The second exe will be mapped to the process address space and so the code will be fully viewable to a debugger that issues a memory dump for that region.

    Mmm. Perhaps that idea isn't worth pursuing then?


    >There is code out there for detecting if softice is running.

    Sounds good. Any idea where I can get it?


    >In the end, the cracker will win though.

    Understand that. But if everyone else locks their doors and you don't, you will be the first to get robbed.

    Cheers

    Andy
    OS: Windows XP
    Compilers: MinGW (Code::Blocks), BCB 5

    BigAngryDog.com

  6. #6
    Code Monkey Davros's Avatar
    Join Date
    Jun 2002
    Posts
    812
    >but why don't you test the exe for it's authenticity with MD5

    Thanks for the idea, but already do something similiar. Stopped quite a lot of hacking but not all.
    OS: Windows XP
    Compilers: MinGW (Code::Blocks), BCB 5

    BigAngryDog.com

  7. #7
    Banned maes's Avatar
    Join Date
    Aug 2001
    Posts
    744
    I just read Fordmeisters reply:
    >>Maybe you could try some sort of self encrypted exe......though it's not too portable and it's usually more of an ASM freak method....

    What kind of hackig are they doing on your program.
    There are exe compressors out there that sort of encrypt the resources in your exe so they can't open them in an external resource editor.
    WWPack32 is such a program.

    Like I said above, just a thought

  8. #8
    Banned maes's Avatar
    Join Date
    Aug 2001
    Posts
    744
    Originally posted by Davros
    >but why don't you test the exe for it's authenticity with MD5

    Thanks for the idea, but already do something similiar. Stopped quite a lot of hacking but not all.
    I'm curious, what kind of hacking didn't it stop?
    they can't change anything in the exe anymore (to my knowledge ) ?

  9. #9
    pronounced 'fib' FillYourBrain's Avatar
    Join Date
    Aug 2002
    Posts
    2,297
    all they would need to do is hack the md5 to say that it was successful all the time
    "You are stupid! You are stupid! Oh, and don't forget, you are STUPID!" - Dexter

  10. #10
    pronounced 'fib' FillYourBrain's Avatar
    Join Date
    Aug 2002
    Posts
    2,297
    Originally posted by Davros
    >There is code out there for detecting if softice is running.

    Sounds good. Any idea where I can get it?
    search google, on my quick little search for "detect softice" I found this example http://www.fhcf.net/misc/id_ws/datab...g/killsice.zip But I make no guarantees because its not mine and I've never used it
    "You are stupid! You are stupid! Oh, and don't forget, you are STUPID!" - Dexter

  11. #11
    Code Monkey Davros's Avatar
    Join Date
    Jun 2002
    Posts
    812
    Thanks everyone
    OS: Windows XP
    Compilers: MinGW (Code::Blocks), BCB 5

    BigAngryDog.com

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Memory problem with Borland C 3.1
    By AZ1699 in forum C Programming
    Replies: 16
    Last Post: 11-16-2007, 11:22 AM
  2. Suggestions on this C style code
    By Joelito in forum C Programming
    Replies: 11
    Last Post: 06-07-2007, 04:22 AM
  3. Relate memory allocation in struct->variable
    By Niara in forum C Programming
    Replies: 4
    Last Post: 03-23-2007, 04:06 PM
  4. Shared Memory - shmget questions
    By hendler in forum C Programming
    Replies: 1
    Last Post: 11-29-2005, 02:15 AM
  5. Memory allocation and deallocation
    By Micko in forum C++ Programming
    Replies: 3
    Last Post: 08-19-2005, 07:45 PM

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21