CreateProcess from memory buffer - visual-c++

Accepted answer
Score: 45

It's actually quite easy. A similar technique has been described in a paper I read about 3 years ago.

Windows allows you to call the CreateProcess function with the CREATE_SUSPENDED flag, which tells the API to keep the process suspended until the ResumeThread function is called.

This gives us time to grab the suspended thread's context using the GetThreadContext function; the EBX register will then hold a pointer to the PEB (Process Environment Block) structure, which we need to determine the base address.

From the layout of the PEB structure we can see that the ImageBaseAddress is stored at the 8th byte, therefore [EBX+8] will give us the actual base address of the process being suspended.

Now we need the in-memory EXE, and we must do the appropriate alignment if the alignment of memory and of the in-memory EXE differ.

If the base address of the suspended process and of the in-memory exe match, and if the imageSize of the in-memory exe is less than or equal to the suspended process', we can simply use WriteProcessMemory to write the in-memory exe into the memory space of the suspended process.

But if the aforementioned conditions aren't met, we need a little more magic. First, we need to unmap the original image using ZwUnmapViewOfSection, and then allocate enough memory using VirtualAllocEx within the memory space of the suspended process. Now we need to write the in-memory exe into the memory space of the suspended process using the WriteProcessMemory function.

Next, patch the BaseAddress of the in-memory exe into the PEB->ImageBaseAddress of the suspended process.

The EAX register of the thread context holds the EntryPoint address, which we need to overwrite with the EntryPoint address of the in-memory exe. Now we need to save the altered thread context using the SetThreadContext function.

Voila! We're ready to call the ResumeThread function on the suspended process to execute it!

Score: 12

You can compile the game as a DLL and put the DLL in the encrypted data file. A DLL can be loaded from memory without writing it to disk. Please see this tutorial (with sample code at the end): Loading a DLL From Memory

Score: 3

What you want to do requires NtCreateProcess, but it's undocumented and therefore brittle. This book apparently covers its use.

Perhaps you could build a patch system? E.g. on launch, the program checks for a patch DLL in the same directory, and loads it if it exists.

Score: 2

Why do you need to create a new process? I would have thought you could run in the context of the process which does the unpacking/decryption.

Score: 1

What you want can be achieved with something called a "Packer". Actually launching an exe from memory might be possible, but it's a lot harder than a packer ;)

One of the best known packers is UPX (google it). There are tools to decrypt it, but it should at least give you a starting point to work from. I'm also fairly certain UPX is open-source.

Score: 0

Look at BoxedAppSDK

It supports launching an exe from a memory buffer.

Hope it helps.
