
Running a program from memory

If I have a binary file that I read into a buffer, how can I run this file by injecting its data into a random process?

I tried the following pathway:

  1. Reading the file into a char[]

  2. Getting a process's handle

  3. Reserving virtual memory in this process equal to the file length via VirtualAllocEx

  4. Writing the binary content to the allocated virtual memory in this process

  5. Creating a thread that runs from the entry point of the binary file.

Here's my code:

#include <windows.h>   // needed for the Win32 API calls and the IMAGE_* types used below
#include <iostream>
#include <stdio.h>
#include <stdlib.h>

#include <fstream>
#include <cstring>
#include <string.h>

IMAGE_DOS_HEADER        image_dos_header;
IMAGE_NT_HEADERS        image_nt_headers;
PCHAR pMem;


using namespace std;
// Reads the whole file into a heap buffer. Returns the file size in bytes
// (0 if the file cannot be opened) and, if ret is non-null, stores the buffer in *ret.
int getfile(const char * name, char ** ret=0)
{
FILE * pFile;   // was "new FILE" followed by fopen, which leaked the first object
long size;

pFile = fopen (name,"rb");
if(!pFile)
    return 0;

fseek (pFile, 0, SEEK_END);
size=ftell (pFile);
rewind(pFile);

if(ret)
{
    char *buffer;
    buffer = new char [size];
    // read data as a block:
    fread(buffer,1,size,pFile);
    *ret=buffer;
}

fclose (pFile);

return size;
}
int main()
{

DWORD PID=2356;
SIZE_T j;   // WriteProcessMemory reports bytes written through a SIZE_T*, not a DWORD*
char *buffer=0;
int filelen=getfile("understanding.exe",&buffer);//filename //#1
if(filelen == 0)
{
    printf("[*]Could not read the input file\n");
    return 1;
}

int virLen = filelen;

HANDLE hprocess = OpenProcess(PROCESS_ALL_ACCESS,false,PID);//#2
if(hprocess != 0)
{
    LPVOID lpviraddr = VirtualAllocEx(hprocess,NULL,virLen,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);//#3
    if (lpviraddr != 0)
    {
        BOOL k = WriteProcessMemory(hprocess,lpviraddr,buffer,filelen,&j);
        if (k != 0)//#4
        {
            // The raw file bytes were copied as-is and a thread is started at base + 0xA8.
            // Pointer arithmetic on LPVOID (void*) does not compile in standard C++,
            // so the base address is cast to a byte pointer first.
            CreateRemoteThread(hprocess,NULL,0,(LPTHREAD_START_ROUTINE)((char*)lpviraddr+0xA8),NULL,0,NULL);//#5
        }
        else
        {
            std::cout <<GetLastError();
            printf("[*]Something Wrong - Operation Aborted1\n");
        }

    }
    else
    {
        printf("[*]Something Wrong - Operation Aborted2\n");
    }
    CloseHandle(hprocess);

}
else
{

    std::cout <<GetLastError();
    printf("[*]Something Wrong - Operation Aborted3\n");
}

delete[] buffer;
return 0;
}

The value 0xA8 is the offset where the entry point is located in the file.

The problem seems to be in the last step, because it crashes the host process without executing my file.
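From a detection standpoint, steps 2 to 5 above are exactly the cross-process API sequence that endpoint telemetry can be matched against. As an added example (not code from the original question or answer), the following Python scans a constructed, hypothetical key=value API log for an OpenProcess, VirtualAllocEx with PAGE_EXECUTE_READWRITE, WriteProcessMemory and CreateRemoteThread chain from one process against another; the log format and its field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post), in a hypothetical
# key=value format as an EDR hook or ETW consumer might emit them.
SAMPLE_LOG = """\
pid=4120 api=OpenProcess target=2356 access=0x1F0FFF
pid=4120 api=VirtualAllocEx target=2356 prot=0x40 size=24576
pid=4120 api=WriteProcessMemory target=2356 size=24576
pid=4120 api=CreateRemoteThread target=2356 start=0x1A0B00A8
pid=900 api=OpenProcess target=2356 access=0x1F0FFF
pid=900 api=VirtualAllocEx target=2356 prot=0x04 size=4096
pid=900 api=WriteProcessMemory target=2356 size=4096
"""

PAGE_EXECUTE_READWRITE = 0x40
# Steps 2 to 5 of the question, in order. Each step must follow the earlier
# ones for the same (source pid, target pid) pair to count as a chain.
CHAIN = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")


def parse_line(line):
    """Split one 'key=value key=value' log line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def detect_injection_chains(log_text):
    """Return (source_pid, target_pid) pairs that completed the full chain
    and allocated RWX memory in the target along the way."""
    progress = defaultdict(int)  # (src, dst) -> index of the next expected step
    rwx = set()                  # pairs whose VirtualAllocEx asked for RWX pages
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if "api" not in ev or "target" not in ev or "pid" not in ev:
            continue
        key = (int(ev["pid"]), int(ev["target"]))
        if key[0] == key[1]:
            continue  # a process touching its own memory is not cross-process injection
        step = progress[key]
        if step < len(CHAIN) and ev["api"] == CHAIN[step]:
            if ev["api"] == "VirtualAllocEx" and int(ev.get("prot", "0"), 16) == PAGE_EXECUTE_READWRITE:
                rwx.add(key)
            progress[key] = step + 1
            if progress[key] == len(CHAIN) and key in rwx:
                alerts.append(key)
    return alerts
```

In the sample, only pid 4120 completes all four steps with an RWX allocation; pid 900 stops after a read/write allocation and is not reported.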

The process of mapping a file directly, fixing it up so it is a (semi-)valid PE file and then running it is commonly referred to as ManualMapping. I believe this term was coined by Darawk, who also wrote one of the very first (public) samples that did this. Do note, however, that his implementation lacks some (much needed) features.

There are samples floating around that are more complete; one of the more complete (and well tested) samples is: https://github.com/DarthTon/Blackbone/tree/master/src/BlackBone/ManualMap

Please note that this is meant to be run from a driver, so there is some driver-related code surrounding it.
