Re: Loading EXE files directly from memory?

From: Esteban Lucena (esteban.lucena@gmail.com)
Date: Tue Dec 05 2006 - 13:24:49 EST


mmm let me think about it

first, you must decide in which OS the program you write will live..
second, you must consider the different executable file formats, ELF
(linux) or PE (win), etc. anyway, maybe it's not necessary to put the
entire executable file in an array, you can put only the code that you
need, and that is useful. don't forget that the PE or the ELF
headers have a lot of information and sections...
the steps:
1- put the asm code in an array, the opcodes (like shellcode)
2- modify the execution flow of the program to the array.
3- return to the program

or with some crypto
(previously, encrypt the code-array, in another place)

1- put the encrypted asm code in an array (in the source)
2- decrypt the array
3- execute the code
4- return to program

or with some crypto and for example a webserver

1- get the array with encrypted code from some server on the internet
2- decrypt the array
3- execute the code that is in the array
4- return to program

note: you can modify the execution flow of the program to the array by
modifying the return address that is on the stack, I've made some code
to do that in a friendly manner, but on the internet there is a lot of
material. anyway, if you need help, I could paste my code here.
I hope you can see this is a rich area.. with a little effort you can
make polymorphic code and stuff.

Advantages: if the array code is encrypted, on a remote server, it is
difficult, maybe impossible, to analyze the program without access to
the server; this gives you an advantage over the reverse engineers.
- If you analyze, disassembling the code with IDA
(http://www.datarescue.com), obviously you will see a different code, a
short one, and non-representative static code. you can also debug step
by step until you arrive at your array-code. in that case, you can
make the analysis harder by filling the array with non-action opcodes,
so the analysis will be a tedious thing.. but never impossible.

Anything, write me.
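From the defender's side, the technique described in the post (running code out of a data array) leaves a footprint in process memory: on a system that enforces W^X, the array must live in a mapping that is both writable and executable, or in an anonymous mapping that was made executable. The following is an added example, not code from the poster, that flags such mappings in `/proc/<pid>/maps` text; the sample maps lines are constructed.

```python
import re

# Added example (not from the post): flag /proc/<pid>/maps entries that could
# hold code run out of a data array. On a W^X-enforcing system that needs a
# mapping that is both writable and executable, or an anonymous mapping that
# was made executable; neither is normal for an ordinary compiled program.
# maps line layout: start-end perms offset dev inode [path]
_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)
# Kernel pseudo-mappings that are executable but not file-backed.
_BENIGN = {"[vdso]", "[vsyscall]"}


def scan_maps(text: str) -> list[tuple[int, int, str, str, str]]:
    """Return (start, end, perms, path, reason) for each suspicious mapping."""
    findings = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of crashing
        perms, path = m["perms"], m["path"].strip()
        if "x" not in perms or path in _BENIGN:
            continue
        if "w" in perms:
            reason = "writable and executable"
        elif m["inode"] == "0" and not path.startswith("["):
            reason = "anonymous executable mapping"
        else:
            continue  # ordinary file-backed or kernel-provided code
        findings.append((int(m["start"], 16), int(m["end"], 16),
                         perms, path or "<anon>", reason))
    return findings


# Constructed sample: a binary's text and data, an rwx heap, an anonymous
# executable page, and the benign vdso.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1310720 /usr/bin/demo
00651000-00652000 rw-p 00051000 08:01 1310720 /usr/bin/demo
00e03000-00e24000 rwxp 00000000 00:00 0 [heap]
7f1a2c000000-7f1a2c001000 r-xp 00000000 00:00 0
7fff9b3a0000-7fff9b3a2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for start, end, perms, path, reason in scan_maps(SAMPLE_MAPS):
        print(f"{start:#x}-{end:#x} {perms} {path}: {reason}")
```

On a live Linux host the same function can be fed the contents of `/proc/<pid>/maps` for each process; file-backed `r-xp` segments and the vdso pass silently, while an `rwxp` heap or stack and bare anonymous executable pages are reported.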


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:25 EDT