C：从ram运行已编译的函数

Question

I'm working on a project that i need to load a simple exe file to a buffer and then call the entry point of the exe file from within the ram .

i know that i can't load and run a very complicated exe file with a lot of dependencies from buffer but i think its possible to call an independent function of the exe (PE) file (like an empty main).

to do so,i have to find the entry point address of exe file (its offset) and then cast that address (which is now loaded in a buffer) to a pointer-to-function and then call that, it probably would call the function loaded in ram but i don't know how to find the address .

this is what I've done so far :

int main(){

    void (* function)();
    unsigned char* buffer;
    FILE* fp;
    size_t size;
    char* path = "address of the file";
    fp = fopen(path, "rb");
    fseek(fp, 0, SEEK_END); 
    size = ftell(fp);         /*calc the size needed*/
    fseek(fp, 0, SEEK_SET); 
    buffer = (unsigned char *) malloc(size);
    fclose(fp);

    /*problem : i have to sum the buffer address with that offset here*/
    function = (void (*)())(buffer);

    function();

    return 0;
}

i think it's pretty much clear from the code what im trying to do .

here is a link that tries to do the same thing for meterpreter (the idea is the same):

https://github.com/rsmudge/metasploit-loader/blob/master/src/main.c

i'd appreciate any help .

Thanks

Answer 1

Chances are you are probably tring to solve the wrong problem. If you are using an operating system (say Windows or Linux), then the simplest thing to do is just call the system function, ie

char* path = "address of the file";
system(path);

That will run the exe.

Note that pretty much every exe that is built to run on a OS is NOT trivial to just load into memory and run. That is because the start-up code for any C program does NOT start with main() like you might think. It starts at a deeper level, that involves loading runtime libraries, allocating memory and eventually the run time will call main() .

That said, if you are not dealing with a real exe file (exe files are PE format on Windows and ELF on Linux), but instead it is a hand compiled binary image, then what you are doing will work, assuming the code was compile with PIC options to make the code relocatable, the code does not depend on the C runtime libary or any dynamically loaded library and the entry point is the first address of the binary file. However, I can tell you, no one does it like this.

Answer 2

An "exe" file is more appropriate called Portable Executable . The entry point (please note that this most probably not main() ) is in the OpationalHeader as the attribute AddressOfEntryPoint.

PIMAGE_DOS_HEADER dos;
PIMAGE_NT_HEADERS pe;
void (* function)();

dos = (PIMAGE_DOS_HEADER)data;
if (dos->e_magic != IMAGE_DOS_SIGNATURE) {
    return NULL;
}

pe = (PIMAGE_NT_HEADERS)&((const unsigned char *)(buffer))[dos->e_lfanew];
if (pe->Signature != IMAGE_NT_SIGNATURE) {
    return NULL;
}

function = pe->OptionalHeader.AddressOfEntryPoint + buffer;
function();

The chances that the application you want to execute works without fixed relocations or imports are basically infinitesimal -- so you should use an existing solution.

Also keep in min that most PC running now have Data Execution Prevention enabled, so you should allocate with VirtualAllocate()

Answer 3

You could consider using a dynamic library if you want to load a function dynamically. You'll need to build a .so file instead of a exe file. On Linux, this is the dlopen and dlsym API.

http://man7.org/linux/man-pages/man3/dlopen.3.html

http://man7.org/linux/man-pages/man3/dlsym.3.html

On Windows, you'll want LoadLibrary ...