C++ Run Byte Array in memory

Question

Im trying to work on what I think to be called a launcher? The concept is to write all of a binary file to a buffer, then load the buffer into memory. I have seen this code bouncing around a lot (I have written the exe so I have access to the code inside it.):

//HardCoded Binary For testing Reason, reading to launch didn't work neither did this
char RawCode[11414] = {
0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
0xFF, 0xFF, ............................................... 0x00, 0x00,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
}


//Main Function
int main(int argc, char* argv[])
{
    int(*f)();
    f = (int(*)())&RawCode;
    (int)(*f)();
}

My Original thought was that maybe the null bytes were effecting the execution causing the Access violation, So after some research I found a message box shellcode formatted as "/x41/x41/.......x41/" with no null bytes and still this hadn't worked. I am kind of lost as there is not much information about this. Does anyone have some references to some good articles or useful tutorials as none of the ones I have found help very much. Thank you all for your time!

score 9 · Answer 1 · edited Apr 20 '16 at 15:36

9

For quite some time now, all modern operating systems have implemented some form of data execution prevention. This means that you cannot just put code somewhere in memory and run it; the memory area has to be flagged to allow execution first. The reason is security -- it makes it much harder to exploit what would otherwise have been remote code execution vulnerabilities.

It also means that you should think long and hard before you attempt something silly like this, because it rips a giant hole in your operating system's attempts to protect you.

So, before you can run code from memory, you have to flag the area in question as executable.

Under Windows, this can be done with the VirtualProtect function. However, it cannot be done for arbitrary regions of memory; it has to be aligned at page boundaries, and the pages have to be allocated with the same VirtualAlloc call. So ultimately, you'll end up with

DWORD old_protect;
LPVOID executable_area = VirtualAlloc(NULL, 11414, MEM_RESERVE, PAGE_READWRITE);

memcpy(executable_area, Rawcode, 11414);
VirtualProtect(executable_area, 11414, PAGE_EXECUTE, &old_protect);

int(*f)() = (int(*)()) executable_area;
f();

// Note: RAII this in C++. Restore old flags, free memory.
VirtualProtect(executable_area, 11414, old_protect, &old_protect);
VirtualFree(executable_area, 11414, MEM_RELEASE);

edited Apr 20 '16 at 15:36

Axalo

2,953
4
25
39

answered Jan 11 '15 at 03:19

Wintermute

42,983
5
77
80

3

On a Unix-like system (MacOS, Linux, etc.), you'll need to use `mmap` in place of `VirtualAlloc` and `mprotect` instead of `VirtualProtect`. – user3553031 Jan 11 '15 at 03:41
Thank you. This still produces an error but I think I my have over stepped my abilities for now. The error is: Unhandled exception at 0x66ACF8C5 (msvcr120.dll) in Cons3.exe: 0xC0000005: Access violation writing location 0x01070000. I think it's time for me to go back and play with simpler things again until I have a better grasp of how the memory region works. Thank you – 404 Username not found Jan 11 '15 at 03:46
Hmm...is the function self-modifying? You get that sometimes in small demos. In that case, you have to use `PAGE_EXECUTE_READWRITE` instead of `PAGE_EXECUTE`. – Wintermute Jan 11 '15 at 03:47
I have tried that but no luck with it. Later on Ill open the program in olly and see if I can see whats going on deeper inside the code. Visual Studio doesn't have the greatest debugger in the world lol. If I find anything out I'll post it. Who knows maybe someone else will find a piece of knowledge they need here sometime. – 404 Username not found Jan 11 '15 at 03:52
1

@404Usernamenotfound You'll need to strip the executable header and/or meta data, do some fix-ups, and other housekeeping before the code and be successfully executed. If this is a PE file the format is documented and there are numerous examples of creating a loader for it. If it's an EXE it likely won't work since it probably doesn't contain relocation information. – Captain Obvlious Jan 11 '15 at 04:01

score 1 · Answer 2 · answered Jan 11 '15 at 03:12

1

First off, does your array contain a representation of an executable file, or does it contain executable machine code? If the former, it probably won't work: most executable file formats start with various metadata which is used by the OS to load the program; executable machine code comes later in the file.

Second, does your system use something resembling DEP? It's likely that your OS is marking the array as non-executable, so trying to execute it will fail.

answered Jan 11 '15 at 03:12

user3553031

5,990
1
20
40

Doesn't matter this should be a comment saying "Warning: May not work" - he's buggered up the pointers. – Alec Teal Jan 11 '15 at 03:17
Hmmm. I never thought of such things. Thank. I may have to figure out something different I guess lol – 404 Username not found Jan 11 '15 at 03:23

RazeLighter777 · Answer 3 · 2017-07-26T19:43:46.683

(Sorry for late answer)

Executing bytes from an array is a BAD idea. Its not cross platform, and it leads to huge security risks.

A more secure way of executing external code is a byte code interpreter.You could limit the access of the program to only touch stuff it needs. The downside is you either have to write your own compiler or write the raw byte code in yourself.

A good tutorial is linked here: http://gameprogrammingpatterns.com/bytecode.html

Another less secure solution would be using a DLL. (Dynamic Linked Library) This way you don't have to write your own compiler.

C++ Run Byte Array in memory

3 Answers3