I want to be able to get an EXE file in memory like this:
Code:
Dim a() As Byte
Open "c:\windows\system32\calc.exe" For Binary As #1
ReDim a(0 To LOF(1) - 1) As Byte    ' size the array to the file length; Get needs a sized array
Get #1, 1, a()                      ' read the whole file into the byte array, starting at byte 1
Close #1
then execute that exe file from memory, by passing the byte array to the Windows loader, which will perform the action of executing the program.
Normally when you run a program you double click on it. What happens next is the Windows loader allocates space in memory for that program to reside in while executing. Then it looks in the exe file for the base address of the executable code, and copies the executable code into the execution memory space that it previously allocated. After this the Windows loader proceeds to perform the action of "execution" on the program, which is to say it commands the CPU to begin processing the executable machine code that is now residing in that allocated memory location.
What I want to do is to invoke the Windows loader in a way that it normally isn't invoked. I want to take the memory image of an executable file (see the above code for how I created that), and pass that memory image of the executable file to the Windows loader. I want to tell the Windows loader "hey, don't read a file off the hard drive for this particular operation, read the file out of the copy of the file that's in memory", at which point instead of passing the Windows loader a command to load up from the hard drive, I'll pass it the byte array which is the in-memory copy of the EXE file, at which point the Windows loader should perform "execution" on that executable which is residing in memory. That is to say it should take the in-memory copy of the EXE file, find the base address (like it normally would for an on-hard-drive copy of an exe file), and then copy the executable code from this in-memory copy of the exe file, and put it into an allocated execution space, and then command the CPU to process the machine code that is now in that allocated space.
A lot of people on the net have suggested that to execute a program from a memory location one should write their own loader. However this is complicated and unnecessary, as Windows already has a loader for executables. I just need to figure out how to invoke the Windows loader programmatically, and redirect its input source from the hard drive that it normally reads from, to the variable where my in-memory copy of the exe file resides.
My only problem is trying to figure out just HOW to invoke the Windows loader from within my program, and how to redirect its input source to be my variable instead of a file on the hard drive. I'm pretty sure there's probably an API call for doing this very thing, but I can't find it. It must exist though, because it's the kind of thing copy protection mechanisms use all the time. I mean any program that's copy protected is actually an exe file containing as a resource an encrypted copy of the actual program you want to run. When you enter the correct registration information, the exe program now decrypts the copy of the program it holds, and does NOT write a temporary copy to the hard drive, but rather has the Windows loader DIRECTLY EXECUTE the decrypted copy of the program IN MEMORY.
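The "base address" the post refers to is stored in the PE optional header (ImageBase, with AddressOfEntryPoint as the relative offset the loader jumps to). The following is an added example, not code from the original post, written in Python rather than VB: it locates those fields inside a byte array of the kind the Open/Get code above produces. It uses a constructed minimal PE32+ header instead of calc.exe, and only parses the headers; it maps and executes nothing.

```python
import struct

def build_sample_image() -> bytes:
    """Constructed minimal PE32+ header: enough structure for the parser, not a real program."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)               # e_lfanew: NT headers start at 0x80
    # IMAGE_FILE_HEADER: Machine=x64, 1 section, zeroed timestamp/symbols, SizeOfOptionalHeader=240
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # Magic: PE32+
    struct.pack_into("<I", opt, 16, 0x1000)               # AddressOfEntryPoint (RVA)
    struct.pack_into("<Q", opt, 24, 0x140000000)          # ImageBase (8 bytes in PE32+)
    struct.pack_into("<I", opt, 32, 0x1000)               # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                # FileAlignment
    struct.pack_into("<I", opt, 56, 0x3000)               # SizeOfImage
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

def parse_pe_headers(image: bytes) -> dict:
    """Locate the fields the loader reads first: machine type, ImageBase, entry point, image size."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE signature")
    machine, nsections = struct.unpack_from("<HH", image, e_lfanew + 4)
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # optional header follows the 20-byte file header
    if opt_size < 64 or opt + opt_size > len(image):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                                    # PE32: 4-byte ImageBase at +28
        fmt, base_off = "<I", 28
    elif magic == 0x20B:                                  # PE32+: 8-byte ImageBase at +24
        fmt, base_off = "<Q", 24
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from(fmt, image, opt + base_off)[0]
    section_align = struct.unpack_from("<I", image, opt + 32)[0]
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]
    return {
        "machine": machine, "sections": nsections, "pe32plus": magic == 0x20B,
        "image_base": image_base, "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,               # where execution starts if loaded at ImageBase
        "section_alignment": section_align, "size_of_image": size_of_image,
    }

if __name__ == "__main__":
    print(parse_pe_headers(build_sample_image()))
```

The same parser applies to a real file read into a byte array, and is the kind of check a scanner performs on suspicious in-memory buffers before deciding whether they are a PE image at all.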