bsteo
Reputation: 1779
C++ add PE file as resource and execute it from memory
I have the following program in C++ that adds an EXE file (PE) as resource and executes it from memory (no, is not malware related, I just use for a personal project a GPL exe file, so no license violation) but seems the PE file is not loaded as resource when I compile it from commandline as cl /EHsc embed.cpp. The full sourcecode is as follows:
embed.cpp
#include <windows.h>
#include <iostream>
#include "resource.h"
SECURITY_ATTRIBUTES secAttrib;
using namespace std;
void RunFromMemory(char*, char*);
int main(int argc, char* argv[])
{
HGLOBAL hResData;
HRSRC hResInfo;
void *pvRes;
DWORD dwSize;
char* lpMemory;
HMODULE hModule = GetModuleHandle(NULL);
if (((hResInfo = FindResource(hModule, MAKEINTRESOURCE(IDD_EXE1), RT_RCDATA)) != NULL)
&& ((hResData = LoadResource(hModule, hResInfo)) != NULL)
&& ((pvRes = LockResource(hResData)) != NULL))
{
dwSize = SizeofResource(hModule, hResInfo);
lpMemory = (char*)malloc (dwSize);
memset(lpMemory,0,dwSize);
memcpy (lpMemory, pvRes, dwSize);
RunFromMemory(lpMemory,argv[0]);
}
}
void RunFromMemory(char* pImage,char* pPath)
{
DWORD dwWritten = 0;
DWORD dwHeader = 0;
DWORD dwImageSize = 0;
DWORD dwSectionCount = 0;
DWORD dwSectionSize = 0;
DWORD firstSection = 0;
DWORD previousProtection = 0;
DWORD jmpSize = 0;
IMAGE_NT_HEADERS INH;
IMAGE_DOS_HEADER IDH;
IMAGE_SECTION_HEADER Sections[1000];
PROCESS_INFORMATION peProcessInformation;
STARTUPINFO peStartUpInformation;
CONTEXT pContext;
char* pMemory;
char* pFile;
memcpy(&IDH,pImage,sizeof(IDH));
memcpy(&INH,(void*)((DWORD)pImage+IDH.e_lfanew),sizeof(INH));
dwImageSize = INH.OptionalHeader.SizeOfImage;
pMemory = (char*)malloc(dwImageSize);
memset(pMemory,0,dwImageSize);
pFile = pMemory;
dwHeader = INH.OptionalHeader.SizeOfHeaders;
firstSection = (DWORD)(((DWORD)pImage+IDH.e_lfanew) + sizeof(IMAGE_NT_HEADERS));
memcpy(Sections,(char*)(firstSection),sizeof(IMAGE_SECTION_HEADER)*INH.FileHeader.NumberOfSections);
memcpy(pFile,pImage,dwHeader);
if((INH.OptionalHeader.SizeOfHeaders % INH.OptionalHeader.SectionAlignment)==0)
{
jmpSize = INH.OptionalHeader.SizeOfHeaders;
}
else
{
jmpSize = INH.OptionalHeader.SizeOfHeaders / INH.OptionalHeader.SectionAlignment;
jmpSize += 1;
jmpSize *= INH.OptionalHeader.SectionAlignment;
}
pFile = (char*)((DWORD)pFile + jmpSize);
for(dwSectionCount = 0; dwSectionCount < INH.FileHeader.NumberOfSections; dwSectionCount++)
{
jmpSize = 0;
dwSectionSize = Sections[dwSectionCount].SizeOfRawData;
memcpy(pFile,(char*)(pImage + Sections[dwSectionCount].PointerToRawData),dwSectionSize);
if((Sections[dwSectionCount].Misc.VirtualSize % INH.OptionalHeader.SectionAlignment)==0)
{
jmpSize = Sections[dwSectionCount].Misc.VirtualSize;
}
else
{
jmpSize = Sections[dwSectionCount].Misc.VirtualSize / INH.OptionalHeader.SectionAlignment;
jmpSize += 1;
jmpSize *= INH.OptionalHeader.SectionAlignment;
}
pFile = (char*)((DWORD)pFile + jmpSize);
}
memset(&peStartUpInformation,0,sizeof(STARTUPINFO));
memset(&peProcessInformation,0,sizeof(PROCESS_INFORMATION));
memset(&pContext,0,sizeof(CONTEXT));
peStartUpInformation.cb = sizeof(peStartUpInformation);
if(CreateProcess(NULL,pPath,&secAttrib,NULL,false,CREATE_SUSPENDED,NULL,NULL,&peStartUpInformation,&peProcessInformation))
{
pContext.ContextFlags = CONTEXT_FULL;
GetThreadContext(peProcessInformation.hThread,&pContext);
VirtualProtectEx(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),dwImageSize,PAGE_EXECUTE_READWRITE,&previousProtection);
WriteProcessMemory(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),pMemory,dwImageSize,&dwWritten);
WriteProcessMemory(peProcessInformation.hProcess,(void*)((DWORD)pContext.Ebx + 8),&INH.OptionalHeader.ImageBase,4,&dwWritten);
pContext.Eax = INH.OptionalHeader.ImageBase + INH.OptionalHeader.AddressOfEntryPoint;
SetThreadContext(peProcessInformation.hThread,&pContext);
VirtualProtectEx(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),dwImageSize,previousProtection,0);
ResumeThread(peProcessInformation.hThread);
}
free(pMemory);
}
app.rc
IDD_EXE1 RCDATA "mm.txt"
resource.h
#define IDD_EXE1 1004
the mm.txt is my EXE file.
It compiles ok but I can't see the EXE added as resource. Any thoughts where I could be wrong?
EDIT:
As per Zevin Zenph Zambori's answer, "loaded" the exe as HEX and not resource, all works ok, the only problem my compiled console applications hangs at the end waiting for user input (carriage-return or smth...) any idea why doesn't terminate? Here is the code:
// compile under VC with: cl /EHsc embed.cpp
#include <windows.h>
#include <iostream>
SECURITY_ATTRIBUTES secAttrib;
using namespace std;
void RunFromMemory(char*, char*);
char _image_[] = {
0x4D,0x5A, .... ,0x00,0x00 };
int main(int argc, char* argv[])
{
char current_file_path[1024];
GetModuleFileNameA(0, current_file_path, 1024); // Path to current executable.
RunFromMemory(_image_, current_file_path);
return 0;
}
void RunFromMemory(char* pImage,char* pPath)
{
DWORD dwWritten = 0;
DWORD dwHeader = 0;
DWORD dwImageSize = 0;
DWORD dwSectionCount = 0;
DWORD dwSectionSize = 0;
DWORD firstSection = 0;
DWORD previousProtection = 0;
DWORD jmpSize = 0;
IMAGE_NT_HEADERS INH;
IMAGE_DOS_HEADER IDH;
IMAGE_SECTION_HEADER Sections[1000];
PROCESS_INFORMATION peProcessInformation;
STARTUPINFO peStartUpInformation;
CONTEXT pContext;
char* pMemory;
char* pFile;
memcpy(&IDH,pImage,sizeof(IDH));
memcpy(&INH,(void*)((DWORD)pImage+IDH.e_lfanew),sizeof(INH));
dwImageSize = INH.OptionalHeader.SizeOfImage;
pMemory = (char*)malloc(dwImageSize);
memset(pMemory,0,dwImageSize);
pFile = pMemory;
dwHeader = INH.OptionalHeader.SizeOfHeaders;
firstSection = (DWORD)(((DWORD)pImage+IDH.e_lfanew) + sizeof(IMAGE_NT_HEADERS));
memcpy(Sections,(char*)(firstSection),sizeof(IMAGE_SECTION_HEADER)*INH.FileHeader.NumberOfSections);
memcpy(pFile,pImage,dwHeader);
if((INH.OptionalHeader.SizeOfHeaders % INH.OptionalHeader.SectionAlignment)==0)
{
jmpSize = INH.OptionalHeader.SizeOfHeaders;
}
else
{
jmpSize = INH.OptionalHeader.SizeOfHeaders / INH.OptionalHeader.SectionAlignment;
jmpSize += 1;
jmpSize *= INH.OptionalHeader.SectionAlignment;
}
pFile = (char*)((DWORD)pFile + jmpSize);
for(dwSectionCount = 0; dwSectionCount < INH.FileHeader.NumberOfSections; dwSectionCount++)
{
jmpSize = 0;
dwSectionSize = Sections[dwSectionCount].SizeOfRawData;
memcpy(pFile,(char*)(pImage + Sections[dwSectionCount].PointerToRawData),dwSectionSize);
if((Sections[dwSectionCount].Misc.VirtualSize % INH.OptionalHeader.SectionAlignment)==0)
{
jmpSize = Sections[dwSectionCount].Misc.VirtualSize;
}
else
{
jmpSize = Sections[dwSectionCount].Misc.VirtualSize / INH.OptionalHeader.SectionAlignment;
jmpSize += 1;
jmpSize *= INH.OptionalHeader.SectionAlignment;
}
pFile = (char*)((DWORD)pFile + jmpSize);
}
memset(&peStartUpInformation,0,sizeof(STARTUPINFO));
memset(&peProcessInformation,0,sizeof(PROCESS_INFORMATION));
memset(&pContext,0,sizeof(CONTEXT));
peStartUpInformation.cb = sizeof(peStartUpInformation);
if(CreateProcess(NULL,pPath,&secAttrib,NULL,false,CREATE_SUSPENDED,NULL,NULL,&peStartUpInformation,&peProcessInformation))
{
pContext.ContextFlags = CONTEXT_FULL;
GetThreadContext(peProcessInformation.hThread,&pContext);
VirtualProtectEx(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),dwImageSize,PAGE_EXECUTE_READWRITE,&previousProtection);
WriteProcessMemory(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),pMemory,dwImageSize,&dwWritten);
WriteProcessMemory(peProcessInformation.hProcess,(void*)((DWORD)pContext.Ebx + 8),&INH.OptionalHeader.ImageBase,4,&dwWritten);
pContext.Eax = INH.OptionalHeader.ImageBase + INH.OptionalHeader.AddressOfEntryPoint;
SetThreadContext(peProcessInformation.hThread,&pContext);
VirtualProtectEx(peProcessInformation.hProcess,(void*)((DWORD)INH.OptionalHeader.ImageBase),dwImageSize,previousProtection,0);
ResumeThread(peProcessInformation.hThread);
}
free(pMemory);
}
Upvotes: 0
Views: 7686
Answers (3)
Zevin Zenph Zambori
Reputation: 323
I just tested your RunFromMemory() and it works fine for me.
What I did is not loading a PE file as resource during the compilation process. Instead I convert the PE into a text file containing the HEX value of all the bytes, declare a char array with the HEX values, and invoke the RunFromMemory() with the current PE path and the char array I declared containing the whole image.
Maybe you could try it. :)
char _image_[pl_len] = {0x4d, 0x5a, ......}; // bytes of the PE file.
int main()
{
char current_file_path[1024];
GetModuleFileNameA(0, current_file_path, 1024); // Path to current executable.
RunFromMemory(_image_, current_file_path);
return 0;
}
Upvotes: 1
Malkocoglu
Reputation: 2601
If the software has a library form then use it as-is. If it has LGPL, then there is no violation of any kind. What you want to do (adding EXE to your file and execute it from memory) is much harder (AFAIK impossible) than simply loading a DLL. Adding the EXE to your file as a resource is the least of your problems...
Upvotes: 0
PTT
Reputation: 556
I tried this and it is working.
http://www.codeproject.com/Articles/4221/Adding-and-extracting-binary-resources
Upvotes: 0
Related Questions
- How to Load PE Files for Process Hollowing?
- How to parse PE file dont use API
- How does a PE file get mapped into memory?
- Using only pointer arithmetic to traverse a loaded DLL/EXE for the PE File Format
- add new section to a pe file in c++
- When Resources of a PE file are loaded
- PE File Format Section Add On
- c++ writing file contents in a program
- How can I load an external file/program in memory and then execute it (C++ and Unix)?
- Write a value into PE file