Thread: Running non .exe files

  1. #1
    Registered User (Join Date: Apr 2009, Posts: 10)

    Running non .exe files

    Hello everyone. I'm trying to write a program that can run valid PE files that do not have the .exe, .com, .bat, .scr, or .pif extensions. I do malware removal for a living, and we see a lot of exe hijacks, so we need to be able to have a program that can run exe files after they're no longer registered as application-x/msdownload in the registry.

    I know it's possible, because sysinternals has a tool called psexec which you can use to run programs, and I've renamed calc.exe to calc.pqs and it still runs so long as I launch it from psexec (e.g. psexec.exe calc.pqs).

    Someone had recommended using the libraries that psexec uses to try to accomplish this goal. From what I can tell it uses a function(s) from pdh.dll to accomplish this, but I can't tell how.

    I've also tried using CreateProcess() & ShellExec() to accomplish this. ShellExec asks what to open it with, CreateProcess returns error 2 (Trying to run an invalid Windows application).

    Thanks everyone.
    -Slackwarefan
    Last edited by slackwarefan; 02-01-2012 at 01:40 PM.

  2. #2
    'Allo, 'Allo, Allo (Join Date: Apr 2008, Posts: 639)
    psexec uses CreateProcess(WithToken|WithLogon|AsUser) to run things, depending on what arguments you give it. Of course, it sounds like this entire thing is fruitless anyway. If you can't run plain exe files, how do you intend to run the tool that you'll create? It'll have to have a non-exe association to run it, at which point you're back to square one.

    Not sure how you came to pdh.dll, psexec doesn't use it at all.

  3. #3
    Registered User (Join Date: Apr 2009, Posts: 10)
    We can slip it in. The Rogue AV whitelists some files so you can go online to pay them for their scam. Renaming it to iexplore.exe with arguments to run our standard battery of tools allows me to fix the hijack, remove the malware, and stop any rootkits in one move, instead of chasing my tail with tools re-inserting themselves into reg after reboot & downloaders re-downloading the code because I couldn't wipe them out due to policy restrictions the virus made. I've tried using CreateProcess myself. Here's the code I used. If you can tell me where I'm going wrong it'd be greatly appreciated.

    Code:
            #include <windows.h>
            #include <stdio.h>
            #include <string.h>

            int main(void)
            {
                STARTUPINFOA si;
                PROCESS_INFORMATION pi;

                memset(&si, 0, sizeof(si));
                si.cb = sizeof(si);            /* required: tells CreateProcess which struct version this is */
                si.lpReserved = NULL;
                si.lpTitle = NULL;

                si.dwFlags = STARTF_USESHOWWINDOW;
                si.wShowWindow = SW_MINIMIZE;

                /* The command line goes in a writable buffer: CreateProcess may modify it. */
                char cmdline[] = "C:\\Windows\\System32\\calc.123";
                BOOL res = CreateProcessA(NULL, cmdline, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
                if (res == FALSE) {
                    char sBuffer[100];
                    sprintf(sBuffer, "Error Code: %lu", GetLastError());
                    MessageBoxA(NULL, sBuffer, "FAILED TO EXECUTE PE CODE!",
                                MB_ICONEXCLAMATION | MB_OK);
                    return 1;
                }

                /* Only close the handles on success: pi is uninitialised if CreateProcess failed. */
                CloseHandle(pi.hProcess);
                CloseHandle(pi.hThread);
                return 0;
            }

  4. #4
    C++まいる!Cをこわせ! (Join Date: Oct 2007, Location: Inside my computer, Posts: 24,654)
    You can rename .exe files to .bat or .com and they will run, if that's of any help.

  5. #5
    'Allo, 'Allo, Allo (Join Date: Apr 2008, Posts: 639)
    You're probably compiling a 32-bit program and running it on a 64-bit version of Windows, where C:\Windows\system32\calc.123 becomes C:\Windows\SysWOW64\calc.123. Since calc.123 doesn't exist in the SysWOW64 directory, it fails.

    The code works fine.
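    An added example (not code from the thread) that makes the WOW64 explanation above concrete: wow64_effective_path() computes the SysWOW64 path a 32-bit process is silently redirected to, which is why CreateProcess reports error 2 (file not found) for the System32 path, and, on Windows only, launch_unredirected() turns the redirection off around CreateProcess so the path names the file you actually placed there. The function names are my own, and the path mapping is simplified (it ignores the few System32 subdirectories Windows exempts from redirection).

    ```c
    #include <stdio.h>
    #include <string.h>
    #include <ctype.h>
    #define SYS32 "\\Windows\\System32\\"
    #define WOW64 "\\Windows\\SysWOW64\\"

    /* Case-insensitive ASCII prefix test; Windows paths are case-insensitive. */
    static int prefix_ci(const char *s, const char *p) {
        for (; *p; s++, p++)
            if (tolower((unsigned char)*s) != tolower((unsigned char)*p)) return 0;
        return 1;
    }
    /* If `path` is "<drive>:\Windows\System32\...", write the path a 32-bit process is
     * redirected to and return 1; else return 0. Simplified: exempt subdirectories are ignored. */
    int wow64_effective_path(const char *path, char *out, size_t outlen) {
        size_t rest;
        if (strlen(path) < 2 || path[1] != ':' || !prefix_ci(path + 2, SYS32)) return 0;
        rest = strlen(path) - 2 - strlen(SYS32);           /* bytes after the prefix */
        if (2 + strlen(WOW64) + rest + 1 > outlen) return 0;
        memcpy(out, path, 2);                               /* drive letter and ':' */
        memcpy(out + 2, WOW64, strlen(WOW64));
        memcpy(out + 2 + strlen(WOW64), path + 2 + strlen(SYS32), rest + 1);
        return 1;
    }
    /* Check helper: does `path` redirect exactly to `expected`? */
    int redirects_to(const char *path, const char *expected) {
        char buf[512];
        return wow64_effective_path(path, buf, sizeof buf) && strcmp(buf, expected) == 0;
    }
    #ifdef _WIN32
    #include <windows.h>
    /* Launch a PE by full path (CreateProcess does not look at the extension) with
     * redirection off, so a 32-bit build opens the file the path names. Returns the
     * child's exit code, or -1 after printing the Win32 error. */
    int launch_unredirected(const char *path) {
        STARTUPINFOA si = { sizeof(si) };
        PROCESS_INFORMATION pi; PVOID old = NULL;
        BOOL wow64 = FALSE, ok; DWORD code = 0, err;
        char cmd[MAX_PATH + 2];
        snprintf(cmd, sizeof cmd, "\"%s\"", path);   /* quoted: argv[0] is parsed from here */
        IsWow64Process(GetCurrentProcess(), &wow64);  /* are we a 32-bit process on 64-bit Windows? */
        if (wow64) Wow64DisableWow64FsRedirection(&old);
        ok = CreateProcessA(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
        err = GetLastError();                         /* read before the revert call can clobber it */
        if (wow64) Wow64RevertWow64FsRedirection(old);
        if (!ok) { fprintf(stderr, "CreateProcess failed: %lu\n", err); return -1; }
        WaitForSingleObject(pi.hProcess, INFINITE);
        GetExitCodeProcess(pi.hProcess, &code);
        CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
        return (int)code;
    }
    #endif
    ```

    Compiled as 64-bit, or run with the redirection disabled as above, the original post's path resolves to the file that was actually copied into System32; for detection purposes the same fact cuts both ways, since process-creation logging keyed on a .exe extension will miss images launched this way.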

  6. #6
    Registered User ledow (Join Date: Dec 2011, Posts: 435)
    Surely a reg file that restores the EXE file association would be no more complex and more effective - as someone else pointed out, if you can run one program, you can fix the problem without having to do fancy things. Copy regedit.exe to your whitelisted filenames and you're away, and fixing the problem in one less step.

    That said, doing malware removal on this kind of scale in an automated fashion is just asking for trouble if you ask me. Clean boot into recovery, format, reinstall from image. Probably takes a lot less time than any of your fancy tricks anyway. If you're doing this on many people's computers (e.g. a repair shop) then the chances of finding the same malware with the same whitelist is slim and you'll spend more time chasing it and its million variants than you would have done to just remove the disk and scan it from a proper antivirus as a data-only disk, then restore registry entries and return the disk to the original machine.

    Seriously: I'd be sacked if I dealt with malware on my network often enough that your sort of tool helped. And if your tool was useful, then just booting the machine in an OS that's NOT running a known malware in memory is 100% more effective at correcting the problem. Hell, I could knock up a read-only Linux boot disk in minutes that would restore the EXE file association on any machine in a *CLEAN* way before you scanned it - crafting your own C program to load in an executable to then attempt cleansing of the system "Live" while the malware is active? Sounds like a recipe for disaster to me - for a start, rootkit-like capabilities of some modern malware mean that you wouldn't be able to even *SEE* the change in the registry if the malware was still live (some of them are capable of hooking access to critical parts of the filesystem / registry / process list on startup so you can't detect the malware's presence or remove it).

    As a "slackwarefan", I'm sure you could do a better job than this Heath-Robinson affair.

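    The reg file ledow proposes, written out here as an added example (it is not from the thread): the values under HKEY_CLASSES_ROOT are the stock Windows association that an "exe hijack" replaces, and the two HKEY_CURRENT_USER deletions remove a per-user override, which is an assumption about where such a hijack lives, so check the live keys before importing.

    ```reg
    Windows Registry Editor Version 5.00

    ; Stock association: ".exe" files are of class "exefile" (default Windows values)
    [HKEY_CLASSES_ROOT\.exe]
    @="exefile"
    "Content Type"="application/x-msdownload"

    ; Stock open command: run the file itself with its arguments, nothing in front of it
    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"

    ; Assumption: the hijack lives in the per-user override, which takes precedence over
    ; HKEY_CLASSES_ROOT. A leading "-" deletes the key and everything beneath it.
    [-HKEY_CURRENT_USER\Software\Classes\.exe]
    [-HKEY_CURRENT_USER\Software\Classes\exefile]
    ```

    As the post above says, apply it from an offline or clean boot rather than on the running, infected system, where a hooked registry API may show the key as already clean.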
