Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   launch an exe from inside another exe (https://forum.exetools.com/showthread.php?t=15457)

Shub-Nigurrath 12-13-2013 20:48

launch an exe from inside another exe
 
well,
this is a request for comments not on how to include an exe as a resource inside another win32 exe/dll, but rather on how to execute it from memory without a dump on disk. I know perfectly well how to handle resources, embed, extract and so on, but the problem is the way I want to launch the hidden exe, without disk dumps.

For the dlls there's the solution I also documented here (http://www.accessroot.com/arteam/site/download.php?view.103), using which you can launch a dll directly from memory. But what about exe files? I would need something similar to CreateProcessfromMemory().
Is there something similar around? I mean something ready, not requiring modifications to my code (which would take time I don't have).

thanks!

Shub-Nigurrath 12-13-2013 21:23

edit: found something to stumble upon..

http://www.rohitab.com/discuss/topic/31681-c-run-program-from-memory-and-not-file/

Shub-Nigurrath 12-14-2013 00:19

hmm, the solution above, after a lot of testing, seems not to work when UAC is on. Any idea in this case?

deepzero 12-14-2013 01:08

what exactly are you planning to do?


Your best bet is probably to CreateProcess a dummy process (say, cmd.exe) in a suspended state, then map your own image into the process and continue execution.
It's a common evasion technique in malware.
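The suspended-process image replacement described above is what defenders usually call process hollowing. As an added example (not code from this thread or from any of its posters), here is a detector-side check in Python: it parses the PE headers of the file on disk and of the image actually mapped in the process, and reports where they disagree. It assumes the in-process header bytes have already been read (for instance with ReadProcessMemory at the PEB's ImageBaseAddress); the two sample images below are constructed minimal headers, not real executables.

```python
import struct

def pe_summary(image: bytes) -> dict:
    """Parse the PE fields a hollowing check needs: entry point and section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24                       # IMAGE_OPTIONAL_HEADER
    entry, = struct.unpack_from("<I", image, opt + 16)   # AddressOfEntryPoint (same offset in PE32 and PE32+)
    sections = []
    for i in range(num_sections):             # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va = struct.unpack_from("<8sII", image, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize))
    return {"entry": entry, "sections": sections}

def hollowing_indicators(disk: bytes, memory: bytes) -> list:
    """Compare headers of the on-disk file with headers read from the live process
    (assumed here to have been read at the PEB ImageBaseAddress). A mismatch means
    the mapped image is not the file the process claims to be running."""
    d, m = pe_summary(disk), pe_summary(memory)
    findings = []
    if d["entry"] != m["entry"]:
        findings.append("entry point: disk 0x%x, memory 0x%x" % (d["entry"], m["entry"]))
    if d["sections"] != m["sections"]:
        findings.append("section table: disk %s, memory %s" % (d["sections"], m["sections"]))
    return findings

def build_pe(entry: int, sections) -> bytes:
    """Constructed minimal PE32 header (not a runnable executable) for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry)
    secs = b"".join(struct.pack("<8sII", n.encode(), vs, va) + b"\0" * 24
                    for n, va, vs in sections)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + secs

# Constructed sample: the file on disk versus what was mapped over it in the suspended process.
DISK_IMAGE = build_pe(0x1500, [(".text", 0x1000, 0x3000), (".data", 0x4000, 0x800)])
HOLLOWED_IMAGE = build_pe(0x2000, [(".text", 0x1000, 0x9000), (".rsrc", 0xA000, 0x200)])

if __name__ == "__main__":
    for line in hollowing_indicators(DISK_IMAGE, HOLLOWED_IMAGE):
        print("mismatch:", line)
```

A clean process yields an empty list; a relocated image base alone is not flagged here, so a fuller check would also compare the PEB ImageBaseAddress with the mapped file path.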

0xd0000 12-15-2013 01:29

Not sure I understand the exact context, (.net/native) but would reflection work? I've approached something that sounds similar to your scenario using InvokeMember.


http://msdn.microsoft.com/en-us/library/system.type.invokemember(v=vs.110).aspx

Code:

    using System;
    using System.Reflection;

    // Loads the target assembly, instantiates the (obfuscated) class and calls its
    // getter through reflection, then reads a field of the returned object.
    int GetHwidHash()
    {
        Assembly asm = Assembly.LoadFrom(this.g_exePath);
        Type hwidClass = null;
        foreach (Type type in asm.GetTypes())
        {
            if (type.Name == "x500000hsd76")
                hwidClass = type;
        }
        if (hwidClass == null)
            throw new TypeLoadException("x500000hsd76 not found in " + this.g_exePath);
        object hwid = Activator.CreateInstance(hwidClass);
        object somethingRandom = hwid.GetType().InvokeMember("get_8850XynnG", BindingFlags.InvokeMethod, null, hwid, null);
        string resultedValue = somethingRandom.GetType().GetField("resultedValue").GetValue(somethingRandom).ToString();
        return resultedValue.GetHashCode();
    }


BlackWhite 12-15-2013 14:18

Is it possible to create a virtual device and put that exe on the device?
I have found this kind of technique is used by some rootkits.

Newbie_Cracker 12-15-2013 16:38

Quote:

Originally Posted by deepzero (Post 88709)
what exactly are you planning to do?


Your best bet is probably to CreateProcess a dummy process (say, cmd.exe) in a suspended state, then map your own image into the process and continue execution.
It's a common evasion technique in malware.

I used the same method a few years ago to write a cryptor.

Shub-Nigurrath 12-16-2013 02:09

indeed I later discovered that the process is called dynamic forking and is actually what I also implemented, starting from code found on the web (http://www.rohitab.com/discuss/topic/31681-c-run-program-from-memory-and-not-file/).

But the question remains, do these techniques work when UAC control is active? Apparently not as far as I have seen from comments and from my experiments.
The method miserably fails, always giving the error "The application was unable to start correctly (0xc0000005). Click OK to close the application." no matter which exe you use on it. It seems almost the same problem someone posted here: http://stackoverflow.com/questions/7192544/dynamic-forking-of-win32-exe
Ah, and yes I'm on a Win8.1 64b with UAC, and the program is compiled as 32b.
