Starting a process with no disk file present

This is a discussion on Starting a process with no disk file present within the Windows Programming forums, part of the Platform Specific Boards category; Hi, I have an unusual problem: I need to run a program without having copied it to disk first. The ...

  1. #1
    Registered User
    Join Date
    Feb 2008
    Posts
    1

    Starting a process with no disk file present

    Hi,

    I have an unusual problem: I need to run a program without having copied it to disk first. The scenario is this:

    a) I have a downloader app which resides on the client machine, this program contacts a server over the network/internet to download a blob via TCP/IP. This blob is actually a byte for byte image of an .exe file.

    b) The downloader should then kick start the process using this blob residing within its memory, without having written it to disk first as a file.

    This needs to run on XP or Vista. Does anyone have a clue if this is possible?

    No, I am not writing a virus or any malware!!!

    thanks very much for any input,
    Tom

  2. #2
    Registered User
    Join Date
    Oct 2001
    Posts
    2,129
    Make a ramdisk?

    dunno how.

  3. #3
    C++まいる!Cをこわせ! Elysia's Avatar
    Join Date
    Oct 2007
    Posts
    22,413
    Oh yes, it's possible, but never easy. You might need to inject code into a process so it can run it. Very advanced stuff. Lots that can go wrong.
    If you have the courage, perhaps checking out CodeProject might help. I know they have guides about such things. Not for the faint of heart, because it's also very difficult.
    Quote Originally Posted by Adak View Post
    io.h certainly IS included in some modern compilers. It is no longer part of the standard for C, but it is nevertheless, included in the very latest Pelles C versions.
    Quote Originally Posted by Salem View Post
    You mean it's included as a crutch to help ancient programmers limp along without them having to relearn too much.

    Outside of your DOS world, your header file is meaningless.

  4. #4
    Registered User
    Join Date
    Sep 2004
    Location
    California
    Posts
    3,246
    You might need to inject code into a process so it can run it.
    He already has a running process which is downloading the exe file. And if he doesn't want to execute the code in that process, then he can always call CreateProcess() for a new one.

    What you need to do is read up on the PE file format. There are several msdn articles on this topic. You need to read through the exe's import table so that you can load all the libraries that the exe is implicitly linked to. Next you need to go through all the addresses in the linked in libraries and modify their addresses. When they are initially compiled, they assume a base address of 0x400000, but this is the address the main executable starts at. So you need to offset all the addresses by the difference between where they got loaded to, and the value 0x400000.

    I would start off with this article. If the content in there is too advanced for you, then I suggest you give up. That article barely scratches the surface of what you need to know to accomplish this task. I actually did exactly what you are asking for about 5 years ago, but I've long since forgotten the specifics on what it entailed. It took over a week of reading documentation before I had the knowledge to start coding though.

  5. #5
    Malum in se abachler's Avatar
    Join Date
    Apr 2007
    Posts
    3,189
    He wants to execute the program without saving it to disk, which means he has to load it directly to ram, which means it has to run in the current (downloader) image space. This can be done, but its not easy. There are several methods depending on your requirements.

    Are you looking at security, i.e. you dont want them to have the code on the local machine, or are you looking at memory footprint on teh disk?

    The easiest way involves touching up the downloader's image. The smaller (on disk) method involves allocating memory from the heap and doing manual fixup of the code.

    This is a fairly advanced topic, adn I wouldnt recommend it for anything that doesnt absolutely require it.
    Last edited by abachler; 02-05-2008 at 09:53 AM.
    Until you can build a working general purpose reprogrammable computer out of basic components from radio shack, you are not fit to call yourself a programmer in my presence. This is cwhizard, signing off.

  6. #6
    Registered User Codeplug's Avatar
    Join Date
    Mar 2003
    Posts
    4,630
    >> No, I am not writing a virus or any malware!!!
    Explain why you think you need this then.

    gg

  7. #7
    Reverse Engineer maxorator's Avatar
    Join Date
    Aug 2005
    Location
    Estonia
    Posts
    2,318
    I have one more VERY experimental idea. You could make an empty skeleton executable for which you have manually specified section locations from the compiler settings. Using the same section addresses for another program could result in an executable, from which you can just do a plain copy of sections to the skeleton.

    Just an idea. I've never tried anything like this before.
    "The Internet treats censorship as damage and routes around it." - John Gilmore

  8. #8
    C++まいる!Cをこわせ! Elysia's Avatar
    Join Date
    Oct 2007
    Posts
    22,413
    ...But as you know, that's usually not the problem. It's easy to allocate executable memory, but the problem is to make sure it works as it should.
    Quote Originally Posted by Adak View Post
    io.h certainly IS included in some modern compilers. It is no longer part of the standard for C, but it is nevertheless, included in the very latest Pelles C versions.
    Quote Originally Posted by Salem View Post
    You mean it's included as a crutch to help ancient programmers limp along without them having to relearn too much.

    Outside of your DOS world, your header file is meaningless.

  9. #9
    Reverse Engineer maxorator's Avatar
    Join Date
    Aug 2005
    Location
    Estonia
    Posts
    2,318
    Quote Originally Posted by Elysia View Post
    ...But as you know, that's usually not the problem. It's easy to allocate executable memory, but the problem is to make sure it works as it should.
    The point is that the sections are at the same place. If you mess with the compiler settings and make the skeleton and memory executable both have the same section addresses, then you would end up with working memory addresses. No fix-ups needed. Also then a program should be able to generate a skeleton using the PE header of the memory executable. ^^
    Last edited by maxorator; 02-05-2008 at 12:04 PM.
    "The Internet treats censorship as damage and routes around it." - John Gilmore

  10. #10
    C++まいる!Cをこわせ! Elysia's Avatar
    Join Date
    Oct 2007
    Posts
    22,413
    You mean perhaps compile the actual code to inject into the process in the application first. Then you could copy all that code and inject it later with no ill effects.
    Well, at least I hope. I'm no expert at injecting and running code.
    Quote Originally Posted by Adak View Post
    io.h certainly IS included in some modern compilers. It is no longer part of the standard for C, but it is nevertheless, included in the very latest Pelles C versions.
    Quote Originally Posted by Salem View Post
    You mean it's included as a crutch to help ancient programmers limp along without them having to relearn too much.

    Outside of your DOS world, your header file is meaningless.

  11. #11
    Reverse Engineer maxorator's Avatar
    Join Date
    Aug 2005
    Location
    Estonia
    Posts
    2,318
    Well, as a reverse engineer I've done this injecting stuff in quite many different ways. Just another challenge for me.

    Generating the skeleton:
    + Copy executable header
    + Copy all section info
    + Create zero bytes where initialized section data should be
    + Copy import & export sections (any more valid sections needed for preinitialization?)

    Reverse approach
    + Copy the executable
    + Fill all sections except import & export sections with zeros.

    There shouldn't be much more to it.
    Last edited by maxorator; 02-05-2008 at 12:17 PM.
    "The Internet treats censorship as damage and routes around it." - John Gilmore

  12. #12
    C++まいる!Cをこわせ! Elysia's Avatar
    Join Date
    Oct 2007
    Posts
    22,413
    I'll admit, it's interesting. I've actually pondered hooking some system calls, but never got around to finishing it...
    I was thinking of making an no-reboot app since many installs sometimes force you to reboot. But hooking some system calls, I could stop any reboot attempt before it begins.
    Better than the alternative to refuse a shutdown via a message since applications and services already have begun to shutdown.
    Quote Originally Posted by Adak View Post
    io.h certainly IS included in some modern compilers. It is no longer part of the standard for C, but it is nevertheless, included in the very latest Pelles C versions.
    Quote Originally Posted by Salem View Post
    You mean it's included as a crutch to help ancient programmers limp along without them having to relearn too much.

    Outside of your DOS world, your header file is meaningless.

  13. #13
    Registered User
    Join Date
    Mar 2005
    Location
    Mountaintop, Pa
    Posts
    1,059
    No, I am not writing a virus or any malware!!!
    I'd have to question whether or not you're writing malware because the only way of accomplishing your task is to use a technique called the Nebbet Shuttle. It's named after the author, Gary Nebbett.

    This technique launches a process in a suspended state. The process memory can then be manipulated and overwritten with a new binary. After the memory is overwritten, the process can then resume.

    For example, you would start calc.exe up in a susended state, overlay the process memory with your malware.exe and then resume the process. Viewing task manager would indicate that calc.exe was running but actually your malware.exe would be running.

    Also, firewall exceptions can be circumvented in this manner.

    Finally, the computer forensic folks will have nothing to work with since no residue was left on the disk.

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. opening empty file causes access violation
    By trevordunstan in forum C Programming
    Replies: 10
    Last Post: 10-21-2008, 11:19 PM
  2. To find the memory leaks without using any tools
    By asadullah in forum C Programming
    Replies: 2
    Last Post: 05-12-2008, 07:54 AM
  3. Game Pointer Trouble?
    By Drahcir in forum C Programming
    Replies: 8
    Last Post: 02-04-2006, 01:53 AM
  4. Encryption program
    By zeiffelz in forum C Programming
    Replies: 1
    Last Post: 06-15-2005, 03:39 AM
  5. System
    By drdroid in forum C++ Programming
    Replies: 3
    Last Post: 06-28-2002, 10:12 PM

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21