-1

I'm working on a project in which I need to load a simple exe file into a buffer and then call the entry point of the exe file from within RAM.

I know that I can't load and run a very complicated exe file with a lot of dependencies from a buffer, but I think it's possible to call an independent function of the exe (PE) file (like an empty main).

To do so, I have to find the entry point address of the exe file (its offset) and then cast that address (which is now loaded in a buffer) to a pointer-to-function and call that. It would probably call the function loaded in RAM, but I don't know how to find the address.

This is what I've done so far:

#include <stdio.h>
#include <stdlib.h>

int main(){

    void (* function)();
    unsigned char* buffer;
    FILE* fp;
    size_t size;
    char* path = "address of the file";
    fp = fopen(path, "rb");
    if (fp == NULL) {
        return 1;
    }
    fseek(fp, 0, SEEK_END);
    size = ftell(fp);         /*calc the size needed*/
    fseek(fp, 0, SEEK_SET);
    buffer = (unsigned char *) malloc(size);
    /*read the whole file into the buffer before closing it*/
    if (buffer == NULL || fread(buffer, 1, size, fp) != size) {
        fclose(fp);
        return 1;
    }
    fclose(fp);

    /*problem : i have to sum the buffer address with that offset here*/
    function = (void (*)())(buffer);

    function();

    free(buffer);
    return 0;
}

I think it's pretty much clear from the code what I'm trying to do.

Here is a link that tries to do the same thing for Meterpreter (the idea is the same):

https://github.com/rsmudge/metasploit-loader/blob/master/src/main.c

I'd appreciate any help.

Thanks

Ken White
Mohammad Siavashi
  • See http://stackoverflow.com/questions/8723039/c-how-to-run-an-exe-file-whose-contents-are-stored-in-a-char-array as well as this paper https://www.blackhat.com/presentations/bh-usa-07/Harbour/Whitepaper/bh-usa-07-harbour-WP.pdf as well as http://stackoverflow.com/questions/3553875/load-an-exe-file-and-run-it-from-memory – Richard Chambers Jan 02 '17 at 19:02
  • @RichardChambers - both of those SO answers are for C# not C – Mark Lakata Jan 02 '17 at 19:43

3 Answers

4

Chances are you are probably trying to solve the wrong problem. If you are using an operating system (say Windows or Linux), then the simplest thing to do is just call the system function, i.e.

#include <stdlib.h>

char* path = "address of the file";
system(path);   /* hands the file to the OS loader, which does all the PE/ELF work */

That will run the exe.

Note that pretty much every exe that is built to run on an OS is NOT trivial to just load into memory and run. That is because the start-up code for any C program does NOT start with main() like you might think. It starts at a deeper level, which involves loading runtime libraries, allocating memory, and eventually the run time will call main().

That said, if you are not dealing with a real exe file (exe files are PE format on Windows and ELF on Linux), but instead it is a hand compiled binary image, then what you are doing will work, assuming the code was compiled with PIC options to make the code relocatable, the code does not depend on the C runtime library or any dynamically loaded library, and the entry point is the first address of the binary file. However, I can tell you, no one does it like this.

Mark Lakata
  • I know that what I'm doing is wrong. My final goal is being able to receive an exe file from a socket and run it right from the buffer. The above was only for example. But thanks anyway; could you please provide more details about the last paragraph? If I compile my code with PIC options, how should I find the entry point address? Thanks. – Mohammad Siavashi Jan 02 '17 at 20:15
  • Why don't you just save the exe file to `/tmp` and call `system()` on it? – Mark Lakata Jan 04 '17 at 01:26
  • I don't want to leave any trace on the hard drive. I don't want my clients to have the executables, for some reasons. – Mohammad Siavashi Jan 04 '17 at 18:38
3

An "exe" file is more appropriately called a Portable Executable. The entry point (please note that this is most probably not main()) is in the OptionalHeader as the attribute AddressOfEntryPoint.

#include <windows.h>

/* Walk the headers of a raw PE image held in `buffer` and call its entry
   point; returns 0 without calling anything if a signature does not match. */
static int run_entry_point(unsigned char *buffer)
{
    PIMAGE_DOS_HEADER dos;
    PIMAGE_NT_HEADERS pe;
    void (* function)(void);

    dos = (PIMAGE_DOS_HEADER)buffer;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) {     /* "MZ" */
        return 0;
    }

    pe = (PIMAGE_NT_HEADERS)(buffer + dos->e_lfanew);
    if (pe->Signature != IMAGE_NT_SIGNATURE) {     /* "PE\0\0" */
        return 0;
    }

    /* AddressOfEntryPoint is relative to the start of the image */
    function = (void (*)(void))(buffer + pe->OptionalHeader.AddressOfEntryPoint);
    function();
    return 1;
}

The chances that the application you want to execute works without fixed relocations or imports are basically infinitesimal -- so you should use an existing solution.

Also keep in mind that most PCs running now have Data Execution Prevention enabled, so you should allocate with VirtualAlloc().

user45891
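Added example, not part of this answer: the same DOS header / e_lfanew / NT signature / AddressOfEntryPoint walk in pure Python over a constructed minimal PE32 image, with one step the C snippet above does not take: it maps the entry RVA through the section table to its file offset, because AddressOfEntryPoint is relative to the loaded image base rather than to the raw file bytes, so the two only coincide when sections are mapped into memory the way the OS loader would. `pe_entry_point`, `build_sample_pe` and the sample image are all constructed here.

```python
import struct

def pe_entry_point(image: bytes) -> dict:
    """Walk DOS header -> NT headers -> section table of a raw PE file.

    Returns the entry point RVA, the section holding it, and the file offset
    that RVA maps to; the two numbers differ whenever a section's
    PointerToRawData differs from its VirtualAddress.
    """
    if image[:2] != b"MZ":                                    # IMAGE_DOS_SIGNATURE
        raise ValueError("missing DOS signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":             # IMAGE_NT_SIGNATURE
        raise ValueError("missing NT signature")
    # IMAGE_FILE_HEADER: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                           # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]  # AddressOfEntryPoint
    # Section table follows the optional header, 40 bytes per IMAGE_SECTION_HEADER
    sections = opt + opt_size
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", image, sections + 40 * i)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return {"rva": entry_rva,
                    "file_offset": entry_rva - vaddr + rawptr,
                    "section": name.rstrip(b"\0").decode()}
    raise ValueError("entry point RVA is outside every section")

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header set (not a real program): one .text
    section at RVA 0x1000 backed by file offset 0x200, entry at RVA 0x1010."""
    e_lfanew, opt_size = 0x80, 0xE0
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0x200, 0, 0, 0x1010).ljust(opt_size, b"\0")
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + file_hdr + opt + text).ljust(0x400, b"\0")
```

On the sample image `buffer + AddressOfEntryPoint` would point at file offset 0x1010 (zero padding), while the code the entry point refers to sits at 0x210.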
0

You could consider using a dynamic library if you want to load a function dynamically. You'll need to build a .so file instead of an exe file. On Linux, this is the dlopen and dlsym API.

http://man7.org/linux/man-pages/man3/dlopen.3.html

http://man7.org/linux/man-pages/man3/dlsym.3.html

On Windows, you'll want LoadLibrary...

Mark Lakata