Running program from memory
Is there any way to run a program from memory? Say, for example, we have an exe stored in a resource and we load the resource into a byte array. Without saving the image to disk, is it possible to run it?
|
If I remember correctly, on the Win32ASM Community board there is a post with much discussion about this method. You can search that board. Hope you will find the answer.
Regards, TQN |
Funnily enough I came across a post about this when searching this morning:
hxxp://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=O4dx5Ej%24DHA.2576%40tk2msftngp13.phx.gbl |
Yes, you actually can do that. I remember doing it back in the 1995 days. You basically should download a program called RAMDrive. With that program you can use your computer's RAM to store files.
I think there is more than one type of RAMDrive program out these days though. |
Hmm, I can't think of any reason why it shouldn't work. Map into mem, resolve imports etc., jmp entrypoint. Actually this wouldn't be much different from writing a loader stub for a PE packer. The only problem might be relocation info: since .exe files normally use a std imagebase, reloc infos are stripped, and without them you might have a hard time figuring out what actually is an offset and what's code.
A solution to this might be to compile the "loader" app onto a nonstandard imagebase so the 0x400000 range is "free" (but then again, how to alloc mem at exactly this address), or compile the "target" app with relocation info you can use. |
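The relocation point raised in the post above can be checked from an image's headers alone. As an added example (not code from the thread), this Python snippet reads ImageBase, the IMAGE_FILE_RELOCS_STRIPPED flag and the base relocation directory; the function names and the two header-only sample images are constructed for illustration.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # COFF Characteristics flag
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5   # index into the data directory array

def reloc_info(image: bytes) -> dict:
    """Report the preferred load address and whether base relocations survive."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    (characteristics,) = struct.unpack_from("<H", image, coff + 18)
    opt = coff + 20                                          # optional header start
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:                                       # PE32
        (image_base,) = struct.unpack_from("<I", image, opt + 28)
        dirs = opt + 96
    elif magic == 0x20B:                                     # PE32+
        (image_base,) = struct.unpack_from("<Q", image, opt + 24)
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    (num_dirs,) = struct.unpack_from("<I", image, dirs - 4)  # NumberOfRvaAndSizes
    reloc_rva = reloc_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        reloc_rva, reloc_size = struct.unpack_from(
            "<II", image, dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {"image_base": image_base, "relocs_stripped": stripped,
            "reloc_dir_size": reloc_size,
            "relocatable": not stripped and reloc_rva != 0 and reloc_size != 0}

def sample_pe32(image_base, characteristics, reloc_size):
    """Constructed sample: PE32 headers only, no sections (not a runnable program)."""
    opt = bytearray(224)                       # optional header with 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)
    if reloc_size:                             # constructed RVA 0x3000 for .reloc
        struct.pack_into("<II", opt, 96 + 8 * 5, 0x3000, reloc_size)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

FIXED_EXE = sample_pe32(0x400000, 0x0103, 0)       # relocs stripped, standard base
RELOC_EXE = sample_pe32(0x400000, 0x0102, 0x1A4)   # built with relocation info
```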
Quote:
|
You can try to inject the code data in an app, then call CreateRemoteThread
|