
I am making a filtering sniffer in C and WinPcap that starts on every boot. For this I want to make a self-contained exe file that extracts (no, not compression!) the exe and DLLs to a new folder and performs other commands (like modifying startup settings) silently, without showing any window/terminal.

So

  1. The single file contains an exe and DLLs.

  2. When executed, it copies the files to a folder and does other commands

  3. It does it silently, without any windows or terminals or user intervention

I stress the silent part, so I can't choose some easy installers. Can you recommend something that generates this executable?

For the curious: it's a stealth packet logger program for my college project. The "stealth" part will be tried out only on xp2 virtual machines with IE6 (yeah, old stuff).

EDIT: answering the commenters: it is of a malware character. So I am running it in VirtualBox, never on the loose. And I can compromise only unpatched XP systems with IE6, without antivirus, that is from an OLD install disk. That's the scope of the IE CSS use-after-free vulnerability, AFAIK never seen in the wild. So there is no unethical behavior involved.

Jesvin Jose
  • You are not taking the security concerns of your user very seriously, who universally despise the idea of executable files appearing from nowhere. So does your user's virus scanner. And UAC. Creating self-contained programs is otherwise pretty simple. Everybody calls them setup.exe – Hans Passant Apr 05 '11 at 14:22
  • "security concerns of your user" - The only "users" are XP SP2 virtual machines. "user's virus scanner. And UAC" It's a biased battle, sir. It's an old XP release with IE6 with no scanners - can't attack anything sophisticated. It's just a college project. – Jesvin Jose Apr 05 '11 at 16:16
  • Since you are installing one file, why not install multiple files. Once you can install one, you can install as many as you like. This seems rather pointless to me. And is it really so terribly hard for you to work out how to use resources to package up files into a single executable? – David Heffernan Apr 05 '11 at 16:22
  • If it's just a college project then just use xcopy. – Hans Passant Apr 05 '11 at 16:28
  • Don't get this wrong, but your college project has very much the character of malware. If this is a serious project, people should know that something which sniffs on their network is about to be installed to run at startup (and they should be able to cancel it). Doing such a thing silently is totally a no-go. – Damon Apr 05 '11 at 17:15
  • Installers are on topic for Stack Overflow. This is not too localized. These are not appropriate reasons for closing this question. Please see http://meta.stackexchange.com/questions/36397/technically-valid-answers-that-raise-questions-of-morality if you are closing due to ethical/security concerns. – Adam Davis Apr 06 '11 at 13:15
  • Thanks Damon and Hans, I hope my edit is prominent enough. I hate any program that interrupts or does any other actions by itself. My daily system is Linux because my Windows used to have 4 updaters, 4 browser toolbars and 6 programs that came from nowhere (I try to disable them as far as I can). – Jesvin Jose Apr 06 '11 at 13:16
  • Damn... I set off security concerns and scared off potential help. Will be careful next time... – Jesvin Jose Apr 06 '11 at 13:19
  • If you can install one file, you can install many. Why don't you just do that? – David Heffernan Apr 06 '11 at 13:42

2 Answers


You can easily embed resources either by linking them in with the compiler, or by using a special program and instrumenting the Windows API.

Something along the lines of:

    char file_to_be_altered[] = "MyInstaller.exe";

    // pData (const void*) and data_len (DWORD) hold the bytes and length of the file to embed.
    // Language 0 = MAKELANGID(LANG_NEUTRAL, SUBLANG_NEUTRAL); check the return values in real code.
    HANDLE hUpdate = BeginUpdateResource( file_to_be_altered, FALSE );
    UpdateResource( hUpdate, "MyResType", "MyResName1", 0, pData, data_len );
    EndUpdateResource( hUpdate, FALSE );

Then when your executable runs, you enumerate your resources and select those that have the type "MyResType".

    #include <windows.h>
    #include <vector>

    struct res_entry { BYTE* pData; unsigned int len; };

    // Called once per resource name of the requested type (see EnumResourceNames below).
    BOOL CALLBACK EnumNamesCB(
        HMODULE hModule,  // module handle
        LPCTSTR lpType,   // address of resource type
        LPTSTR lpName,    // address of resource name
        LONG_PTR lParam)  // application-defined value: pointer to our result vector
    {
        std::vector<res_entry>& lst = *(reinterpret_cast< std::vector<res_entry>* >( lParam ));
        HRSRC hRes = FindResource( hModule, lpName, lpType );
        if( hRes == 0 )     return TRUE;    // skip this entry, keep enumerating
        unsigned int len = SizeofResource( hModule, hRes );

        HGLOBAL hGlob = LoadResource( hModule, hRes );
        if( hGlob == 0 )    return TRUE;

        res_entry t;
        t.pData = static_cast<BYTE*>( LockResource( hGlob ) );  // LockResource returns LPVOID
        t.len = len;

        lst.push_back( t );     // this is safe, because the resources are never deallocated
        return TRUE;
    }

    ....

    // hFileToQuery is the module whose resources are listed,
    // e.g. GetModuleHandle( NULL ) for the running executable.
    // (ANSI build shown; use TEXT("MyResType") for a UNICODE build.)
    void enum_entries( HMODULE hFileToQuery )
    {
        std::vector<res_entry> lst;
        ::EnumResourceNames( hFileToQuery, "MyResType", &EnumNamesCB, reinterpret_cast<LONG_PTR>(&lst) );
        // lst now holds a pointer and length for every "MyResType" resource
    }

You can do whatever you want with this data, e.g. CreateFile ... and then write the data out to disk.

NB: This is how installers may do it on Windows, and this was developed to extract files to the temp dir and install from there.

Christopher
  • I can appreciate so much trouble, but I'm doing it in C – Jesvin Jose Apr 06 '11 at 15:04
  • It should not be so much different. C does not have std::vector, so roll your own container. C90 does not like variables declared in the body of the function, so move them. This is demo code, and cannot be transferred 1:1 to your environment, but should be easily adaptable. – Christopher Apr 06 '11 at 17:58
  • It is easier to embed the needed data at compile/link time by declaring them in a resource file. And you don't have to enumerate resources, you can use `LoadResource` right away. – Alexey Ivanov Apr 07 '11 at 06:53

The trivial way to do it is to create a very large array inside your program, and store the data to be extracted inside that array. When executed the program takes the array and writes it out to a file or files as needed, then executes the file you want to run once the files are extracted. See, for example, C Question: How to store data inside the executable file.

Once the program is compiled you can replace the data in the EXE using a binary editor to copy your files in place without having to convert your files to a C array or some other data structure every time you change your payload.

In order to keep the size down the primary program typically decompresses the array and expects a compressed array. A lot of installers simply use zip as the decompressor takes care of multiple files in one array, and you don't have to fiddle with adding a directory array and reference array - it's all built in, and command line zip compressors are common and easy to use.

Whether the primary program opens a terminal depends on how you program it. I expect you'll need it to be a Win32 program so Windows doesn't open a DOS terminal, and you simply don't open any windows inside your program. That's a separate question, though, so consider asking it as a new question.

As David points out, this process is typically automated in the linker stage. Each linker is slightly different, but you can check out Embedding resources in .exe using GCC for an example using one of the more common compilers.

I assume you know what you are doing, but keep in mind that there are a lot of unpatched stock WinXP SP2 systems out there - assuming that you won't hurt anyone because you don't believe such systems are online is a poor choice. Make certain that your program doesn't have the ability to leave the virtual machines. There are ways, for instance, to connect their networks without allowing the machines access to the internet, or your computer's network. Keep in mind that the Morris worm was a pet project that wasn't intended or expected to go wild either.

Adam Davis
  • No, the trivial way to do this is to link resources. – David Heffernan Apr 06 '11 at 13:30
  • @David I've edited my answer to include a question using the linker to embed resources. – Adam Davis Apr 06 '11 at 14:02
  • David, please tell ME the reason too. – Jesvin Jose Apr 06 '11 at 15:10
  • Adam, the Morris worm "went wild"? That's ominous! As for "lot of unpatched stock WinXP SP2 systems", they will have to deliberately log in to my server. It doesn't spread by itself. – Jesvin Jose Apr 07 '11 at 05:57
  • @aitchnyu Actually, it would be more correct to say that the Morris worm was intentionally released, but an unintended side effect was discovered after release that caused the main problem. It was meant to be harmless. http://en.wikipedia.org/wiki/Morris_worm Glad to hear you've got your software locked down so it can't easily spread, just be aware that it's quite possible that your program has bugs in it which may cause more of a problem than you desire. – Adam Davis Apr 07 '11 at 15:35