7

Im trying to work on what I think to be called a launcher? The concept is to write all of a binary file to a buffer, then load the buffer into memory. I have seen this code bouncing around a lot (I have written the exe so I have access to the code inside it.):

//HardCoded Binary For testing Reason, reading to launch didn't work neither did this
char RawCode[11414] = {
0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
0xFF, 0xFF, ............................................... 0x00, 0x00,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
}


//Main Function
int main(int argc, char* argv[])
{
    int(*f)();
    f = (int(*)())&RawCode;
    (int)(*f)();
}

My Original thought was that maybe the null bytes were effecting the execution causing the Access violation, So after some research I found a message box shellcode formatted as "/x41/x41/.......x41/" with no null bytes and still this hadn't worked. I am kind of lost as there is not much information about this. Does anyone have some references to some good articles or useful tutorials as none of the ones I have found help very much. Thank you all for your time!

Improve this question

3 Answers 3

Reset to default
8

For quite some time now, all modern operating systems have implemented some form of data execution prevention. This means that you cannot just put code somewhere in memory and run it; the memory area has to be flagged to allow execution first. The reason is security -- it makes it much harder to exploit what would otherwise have been remote code execution vulnerabilities.

It also means that you should think long and hard before you attempt something silly like this, because it rips a giant hole in your operating system's attempts to protect you.

So, before you can run code from memory, you have to flag the area in question as executable.

Under Windows, this can be done with the VirtualProtect function. However, it cannot be done for arbitrary regions of memory; it has to be aligned at page boundaries, and the pages have to be allocated with the same VirtualAlloc call. So ultimately, you'll end up with

DWORD old_protect;
LPVOID executable_area = VirtualAlloc(NULL, 11414, MEM_RESERVE, PAGE_READWRITE);

memcpy(executable_area, Rawcode, 11414);
VirtualProtect(executable_area, 11414, PAGE_EXECUTE, &old_protect);

int(*f)() = (int(*)()) executable_area;
f();

// Note: RAII this in C++. Restore old flags, free memory.
VirtualProtect(executable_area, 11414, old_protect, &old_protect);
VirtualFree(executable_area, 11414, MEM_RELEASE);
Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Thank you. This still produces an error but I think I my have over stepped my abilities for now. The error is: Unhandled exception at 0x66ACF8C5 (msvcr120.dll) in Cons3.exe: 0xC0000005: Access violation writing location 0x01070000. I think it's time for me to go back and play with simpler things again until I have a better grasp of how the memory region works. Thank you
Hmm...is the function self-modifying? You get that sometimes in small demos. In that case, you have to use PAGE_EXECUTE_READWRITE instead of PAGE_EXECUTE.
I have tried that but no luck with it. Later on Ill open the program in olly and see if I can see whats going on deeper inside the code. Visual Studio doesn't have the greatest debugger in the world lol. If I find anything out I'll post it. Who knows maybe someone else will find a piece of knowledge they need here sometime.
@404Usernamenotfound You'll need to strip the executable header and/or meta data, do some fix-ups, and other housekeeping before the code and be successfully executed. If this is a PE file the format is documented and there are numerous examples of creating a loader for it. If it's an EXE it likely won't work since it probably doesn't contain relocation information.
1

First off, does your array contain a representation of an executable file, or does it contain executable machine code? If the former, it probably won't work: most executable file formats start with various metadata which is used by the OS to load the program; executable machine code comes later in the file.

Second, does your system use something resembling DEP? It's likely that your OS is marking the array as non-executable, so trying to execute it will fail.

Improve this answer

2 Comments

Doesn't matter this should be a comment saying "Warning: May not work" - he's buggered up the pointers.
Hmmm. I never thought of such things. Thank. I may have to figure out something different I guess lol
-1

(Sorry for late answer)

Executing bytes from an array is a BAD idea. Its not cross platform, and it leads to huge security risks.

A more secure way of executing external code is a byte code interpreter.You could limit the access of the program to only touch stuff it needs. The downside is you either have to write your own compiler or write the raw byte code in yourself.

A good tutorial is linked here: http://gameprogrammingpatterns.com/bytecode.html

Another less secure solution would be using a DLL. (Dynamic Linked Library) This way you don't have to write your own compiler.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.