Thread: Executing an Exe held in Memory?

  1. #1
    Code Monkey Davros | Join Date: Jun 2002 | Posts: 812

    Hi there,

    I'm having problems with hackers decompiling my programs and releasing hacked versions. So...

    Is there any way to execute an exe program held in memory? This is what I want to do, as follows:

    [exe 1][exe 2]

    I append exe2 to the end of the file of exe1 - exe1 runs as normal when the file is launched.

    I want exe1 to extract and load the contents of exe2, which is appended to its own file, and execute it.

    I know how to extract and load the contents of exe2 into memory, but how do I begin execution, without first re-saving to disk?

    Can it be done?

    (I'm using C++, but also familiar with Delphi and the WinApi.)

    Anyone any other ideas to make the life of hackers harder?

    Cheers

    Andy
    OS: Windows XP
    Compilers: MinGW (Code::Blocks), BCB 5

    BigAngryDog.com
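
Added example, not part of any post in this thread: data appended to exe1 as in the [exe 1][exe 2] layout above sits past the last PE section as an overlay, and that is where inspection tools find it. The code locates the overlay from the section table; `pe_overlay_offset`, `overlay_is_exe` and `build_sample` are names made up here, and the sample image is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
/* File offset where data past the last PE section (the overlay) starts,
   0 if there is no overlay, -1 if buf is not a well-formed PE image. */
long pe_overlay_offset(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe = rd32(buf + 0x3c);                /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec = rd16(buf + pe + 6);            /* NumberOfSections */
    uint16_t optsz = rd16(buf + pe + 20);          /* SizeOfOptionalHeader */
    size_t tbl = (size_t)pe + 24 + optsz;          /* first section header */
    if (tbl > len || (len - tbl) / 40 < nsec) return -1;
    uint64_t end = tbl + (uint64_t)nsec * 40;      /* headers end here */
    for (size_t i = 0; i < nsec; i++) {
        const uint8_t *s = buf + tbl + i * 40;     /* 40-byte section header */
        uint64_t raw_end = (uint64_t)rd32(s + 20) + rd32(s + 16); /* PointerToRawData + SizeOfRawData */
        if (raw_end > end) end = raw_end;
    }
    return end < len ? (long)end : 0;
}

/* True when the overlay itself starts with "MZ": the [exe 1][exe 2] layout. */
int overlay_is_exe(const uint8_t *buf, size_t len)
{
    long off = pe_overlay_offset(buf, len);
    return off > 0 && len - (size_t)off >= 2 && buf[off] == 'M' && buf[off + 1] == 'Z';
}

/* Constructed sample: skeletal one-section PE (not runnable), optionally with a second "MZ" blob appended. */
size_t build_sample(uint8_t *out, int with_appended)
{
    memset(out, 0, 0x440); out[0] = 'M'; out[1] = 'Z';
    out[0x3c] = 0x80;                              /* e_lfanew = 0x80 */
    memcpy(out + 0x80, "PE\0\0", 4);
    out[0x86] = 1; out[0x94] = 0xE0;               /* 1 section, SizeOfOptionalHeader = 0xE0 */
    out[0x178 + 17] = 2; out[0x178 + 21] = 2;      /* SizeOfRawData = PointerToRawData = 0x200 */
    if (with_appended) { out[0x400] = 'M'; out[0x401] = 'Z'; }
    return with_appended ? 0x440 : 0x400;
}
int main(void)
{
    static uint8_t img[0x440];
    size_t n = build_sample(img, 1);
    printf("overlay at %ld, embedded exe: %d\n", pe_overlay_offset(img, n), overlay_is_exe(img, n));
}
```

Signed files also keep their Authenticode certificate data after the last section, so an overlay on its own does not mean a second program is attached.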

  2. #2
    pronounced 'fib' FillYourBrain | Join Date: Aug 2002 | Posts: 2,297
    If they're using a program like softice, your method won't stop them. One way that some people try is by "detecting" the common cracker activities. Like softice. There is code out there for detecting if softice is running. You could prevent your app from running when one of these detected things happens.

    In the end, the cracker will win though. You pretty much can't stop that.
    "You are stupid! You are stupid! Oh, and don't forget, you are STUPID!" - Dexter

  3. #3
    &TH of undefined behavior Fordy | Join Date: Aug 2001 | Posts: 5,793
    If you get the code into memory you can issue a JMP instruction or start a thread with the startproc at the point you want execution to begin.

    I doubt it would be easy though as you would have to do most of the work that the windows loader does when it maps a dll.....ie putting the right sections in the right places...

    I don't see how this would prevent hacking though? The second exe will be mapped to the process address space and so the code will be fully viewable to a debugger that issues a memory dump for that region.

    Maybe you could try some sort of self encrypted exe......though it's not too portable and it's usually more of an ASM freak method....

  4. #4
    I don't really know how people hack a programme, but why don't you test the exe for its authenticity with MD5?

    Example: you build the exe and create an MD5 hash of that exe (don't know if it is possible with a binary file).
    You put that hash somewhere in a filename and name it texture.dat. You fill the file with all kinds of rubbish and put the hash somewhere in the middle at a location only you know of.

    Then every time the program is run, it creates a new MD5 hash and compares it with the one in the texture.dat file.

    If they match the user can continue, if they don't match exit without warning (because if you display a warning the hacker will know how to look for the string).

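    don't know if I explained this very well:
    Code:
    #include <stdio.h>
    #include <string.h>

    /* md5_file_hex() is a placeholder for whatever MD5 routine you use;
       it should write the 32 hex digits of the file's hash plus a NUL. */
    void md5_file_hex(const char *path, char out[33]);
    #define MY_PLACE 0L /* placeholder: my_place_in_texture.dat */

    int main(void)
    {
        char hash1[33] = "", hash2[33] = "";
        FILE *fp;

        md5_file_hex("myexe.exe", hash1);       /* hash of the exe as it is now */
        fp = fopen("texture.dat", "rb");
        if (fp == NULL || fseek(fp, MY_PLACE, SEEK_SET) != 0
            || fread(hash2, 1, 32, fp) != 32)   /* hash stored at build time */
            return 0;
        fclose(fp);
        if (strcmp(hash1, hash2) != 0)
            return 0;                           /* mismatch: exit silently */
        /* continue prog */
        return 0;
    }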

    Just an idea

  5. #5
    Code Monkey Davros | Join Date: Jun 2002 | Posts: 812
    Hey thanks for the replies,

    >Maybe you could try some sort of self encrypted exe.

    That was the aim behind my original question. What [else] do you mean by self encrypted exe - that's what I want.


    >The second exe will be mapped to the process address space and so the code will be fully viewable to a debugger that issues a memory dump for that region.

    Mmm. Perhaps that idea isn't worth pursuing then?


    >There is code out there for detecting if softice is running.

    Sounds good. Any idea where I can get it?


    >In the end, the cracker will win though.

    Understand that. But if everyone else locks their doors and you don't, you will be the first to get robbed.

    Cheers

    Andy

  6. #6
    Code Monkey Davros | Join Date: Jun 2002 | Posts: 812
    >but why don't you test the exe for its authenticity with MD5

    Thanks for the idea, but already do something similar. Stopped quite a lot of hacking but not all.

  7. #7
    I just read Fordmeister's reply:
    >>Maybe you could try some sort of self encrypted exe......though it's not too portable and it's usually more of an ASM freak method....

    What kind of hacking are they doing on your program?
    There are exe compressors out there that sort of encrypt the resources in your exe so they can't open them in an external resource editor.
    WWPack32 is such a program.

    Like I said above, just a thought

  8. #8
    Originally posted by Davros
    >but why don't you test the exe for its authenticity with MD5

    Thanks for the idea, but already do something similar. Stopped quite a lot of hacking but not all.
    I'm curious, what kind of hacking didn't it stop?
    They can't change anything in the exe anymore (to my knowledge)?

  9. #9
    pronounced 'fib' FillYourBrain | Join Date: Aug 2002 | Posts: 2,297
    all they would need to do is hack the md5 to say that it was successful all the time

  10. #10
    pronounced 'fib' FillYourBrain | Join Date: Aug 2002 | Posts: 2,297
    Originally posted by Davros
    >There is code out there for detecting if softice is running.

    Sounds good. Any idea where I can get it?
    Search Google. On my quick little search for "detect softice" I found this example http://www.fhcf.net/misc/id_ws/datab...g/killsice.zip But I make no guarantees because it's not mine and I've never used it.

  11. #11
    Code Monkey Davros | Join Date: Jun 2002 | Posts: 812
    Thanks everyone
