Penetration Testing mailing list archives
RE: Loading EXE files directly from memory?
From: Omar Herrera <oherrera () prodigy net mx>
Date: Tue, 05 Dec 2006 09:43:40 -0600
True, but in Microsoft Windows this is a harder task, since the O.S. explicitly requires that the executable file be located on hard disk for it to be executed (i.e. processing the file headers to prepare the memory and load any external functions is done only from files stored on disk; a filename is a required parameter). But as usual, there are ways to overcome this restriction. For example, this article discusses 3 techniques that allow you to execute a program from memory without using Windows API functions (at least with Windows versions previous to Vista):

http://www.codeproject.com/threads/winspy.asp

Some wrapper programs like eliteWrap (also used to deploy trojans and other pieces of malware) will usually dump the binary to disk before executing it. The problem is that the executable will reside on disk and you won't be able to delete it while it is being executed (if you used the functions provided by the MS API).

Cheers,

Omar Herrera
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Peter Parker
Sent: Monday, December 04, 2006 6:21 AM
To: Jeroen; pen-test () securityfocus com
Subject: Re: Loading EXE files directly from memory?

I had a similar problem in one of my previous Unix requirements... What I did was to write a small piece of code that would decrypt a binary directly onto a pipe, which is further redirected to a shell. To give a command-line analogy:

cat <file> | sh

hth,

On Mon, 4 Dec 2006 00:26:02 +0100, "Jeroen" <jeroen () isvet nl> said:

Hi there,

I want to load an EXE file directly from memory, without writing it to disk first. Are there some good tutorials on the web about this? Or other interesting links/tips/hints?

Thanks,
Jeroen

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

--
peter
peterparker () fastmail fm
http://www.fastmail.fm - Or how I learned to stop worrying and love email again
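The step Omar describes as "processing the file headers to prepare the memory" is exactly what a loader that never writes to disk has to do by hand, because CreateProcess and LoadLibrary only accept a filename. The following is an added example, written for this archive page; it is not code from the thread, from the CodeProject article or from eliteWrap. It is portable C that parses a PE file held in a byte buffer and copies its headers and sections to their virtual addresses in a fresh image buffer, with every copy bounds-checked so that a crafted header cannot turn the loader into an out-of-bounds write. The PE image it works on is constructed inline (a single .text section holding three bytes of x86 code); import resolution, relocation and the jump to the entry point are deliberately left out, so it runs on any host and executes nothing. Field offsets follow the PE/COFF specification; all function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MZ_MAGIC 0x5A4Du       /* "MZ" */
#define PE_MAGIC 0x00004550u   /* "PE\0\0" */

/* Result of laying a PE file out as it would look inside a process. */
struct pe_image { uint8_t *base; size_t size; uint32_t entry_rva; };

/* Little-endian field access, independent of host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Parse a PE file in memory and copy headers and sections to their virtual
 * addresses in a new calloc'd buffer (caller frees out->base). Imports,
 * relocations and the entry-point call are not performed here.
 * Returns 0 on success, -1 if the buffer is not a well-formed PE. */
int map_pe_image(const uint8_t *file, size_t len, struct pe_image *out)
{
    if (len < 0x40 || rd16(file) != MZ_MAGIC) return -1;
    uint32_t e_lfanew = rd32(file + 0x3C);
    /* NT headers = 4-byte signature + 20-byte COFF header + optional header */
    if (e_lfanew > len - 24 || rd32(file + e_lfanew) != PE_MAGIC) return -1;
    const uint8_t *coff = file + e_lfanew + 4;
    uint16_t nsections = rd16(coff + 2);
    uint16_t opt_size  = rd16(coff + 16);
    const uint8_t *opt = coff + 20;
    if (opt_size < 0x40 || (size_t)(opt - file) + opt_size > len) return -1;
    uint32_t entry_rva    = rd32(opt + 16);   /* same offsets in PE32 and PE32+ */
    uint32_t image_size   = rd32(opt + 56);
    uint32_t headers_size = rd32(opt + 60);
    const uint8_t *sect = opt + opt_size;
    if ((size_t)(sect - file) + (size_t)nsections * 40 > len) return -1;
    if (headers_size > len || headers_size > image_size) return -1;

    uint8_t *base = calloc(1, image_size);
    if (!base) return -1;
    memcpy(base, file, headers_size);               /* headers sit at the image base */

    for (uint16_t i = 0; i < nsections; i++, sect += 40) {
        uint32_t vsize = rd32(sect + 8),  va   = rd32(sect + 12);
        uint32_t rsize = rd32(sect + 16), roff = rd32(sect + 20);
        uint32_t n = rsize < vsize ? rsize : vsize;  /* file-alignment padding is not mapped */
        /* bounds-check against both buffers before every copy */
        if (va > image_size || vsize > image_size - va || roff > len || n > len - roff) {
            free(base);
            return -1;
        }
        memcpy(base + va, file + roff, n);          /* rest of vsize stays zeroed (.bss) */
    }
    out->base = base; out->size = image_size; out->entry_rva = entry_rva;
    return 0;
}

/* Build a constructed minimal PE32 file in buf: DOS header, NT headers and one
 * .text section at RVA 0x1000 holding code. Returns the file length, 0 on error. */
size_t build_test_pe(uint8_t *buf, size_t cap, const uint8_t *code, uint32_t code_len)
{
    const uint32_t hdr_size = 0x200, text_va = 0x1000, text_raw = 0x200;
    size_t total = hdr_size + text_raw;
    if (cap < total || code_len > text_raw) return 0;
    memset(buf, 0, total);
    wr16(buf, MZ_MAGIC);
    wr32(buf + 0x3C, 0x80);                  /* e_lfanew */
    uint8_t *nt = buf + 0x80;
    wr32(nt, PE_MAGIC);
    wr16(nt + 4, 0x14C);                     /* Machine: i386 */
    wr16(nt + 6, 1);                         /* NumberOfSections */
    wr16(nt + 20, 0xE0);                     /* SizeOfOptionalHeader for PE32 */
    uint8_t *opt = nt + 24;
    wr16(opt, 0x10B);                        /* PE32 magic */
    wr32(opt + 16, text_va);                 /* AddressOfEntryPoint */
    wr32(opt + 28, 0x400000);                /* ImageBase */
    wr32(opt + 32, 0x1000);                  /* SectionAlignment */
    wr32(opt + 36, 0x200);                   /* FileAlignment */
    wr32(opt + 56, 0x2000);                  /* SizeOfImage */
    wr32(opt + 60, hdr_size);                /* SizeOfHeaders */
    uint8_t *sec = opt + 0xE0;
    memcpy(sec, ".text", 5);
    wr32(sec + 8, code_len);                 /* VirtualSize */
    wr32(sec + 12, text_va);                 /* VirtualAddress */
    wr32(sec + 16, text_raw);                /* SizeOfRawData, padded to FileAlignment */
    wr32(sec + 20, hdr_size);                /* PointerToRawData */
    memcpy(buf + hdr_size, code, code_len);
    return total;
}

int main(void)
{
    static const uint8_t code[] = { 0x31, 0xC0, 0xC3 };   /* xor eax,eax ; ret */
    uint8_t file[0x400];
    size_t len = build_test_pe(file, sizeof file, code, sizeof code);
    struct pe_image img;
    if (map_pe_image(file, len, &img) != 0) { puts("not a well-formed PE"); return 1; }
    printf("image %zu bytes, entry RVA 0x%x, first byte at entry 0x%02x\n",
           img.size, img.entry_rva, img.base[img.entry_rva]);
    free(img.base);
    return 0;
}
```

The mapped buffer is where a real in-memory loader would continue: walk the import directory and resolve each name, apply base relocations for the address the buffer actually landed at, set page protections per section, and only then call base + entry_rva. Those three steps are what the CodeProject techniques Omar links to have to reimplement without calling the Windows API loader.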
Current thread:
- Loading EXE files directly from memory? Jeroen (Dec 03)
- Re: Loading EXE files directly from memory? Peter Parker (Dec 04)
- RE: Loading EXE files directly from memory? Omar Herrera (Dec 05)
- Re: Loading EXE files directly from memory? Justin Ferguson (Dec 05)
- Re: Loading EXE files directly from memory? Krugger (Dec 07)
- Re: Loading EXE files directly from memory? Esteban Lucena (Dec 05)
- Re: Loading EXE files directly from memory? dork (Dec 07)
- RE: Loading EXE files directly from memory? Marc Doudiet (Dec 17)
- Re: Loading EXE files directly from memory? Peter Parker (Dec 04)