Chopinke

Executing application from memory.

For security reasons I want to decrypt an application directly into memory and execute it.

I do not even want to use temporary files, since that can be recovered later, like if you kill the launching app.

Is it possible to run an EXE from memory?

Thanks

Charlie
Calvin Day

Sounds kinda ?able to me.
Gwena

Hi :-)

It is possible..but it is so hard to do that no one has written delphi code
to do it... this is a question that gets asked about once a month here.
I have followed every Q... no solution has ever been offered...


It is possible to store one delphi exe inside another in encrypted form
and write it out to disk at runtime and execute it.... of course this offers
little protection as the exe is then on disk and cannot be deleted from
disk while running by any ordinary means. It CAN be deleted from disk
while it is running but you have to locate the sectors that hold the exe
and overwrite the data by accessing the disk directly... and this can be trouble!

If you want to play with deleting a running exe from disk you should try
it on a floppy first....or you may end up formatting your hd and re-installing
windows :-(

If you want to try and write code to extract an exe to ram and run it without
it being on disk then look at the C source code for the UPX exe compressor
because this is what it does...the source is freely available

here is an idea... you could store your exe inside another exe in encrypted
form... and extract to disk and run... but modify the extracted exe so that it can
only run within a second or 2 of the time of extraction... you might use the pc
tick count. Someone could find the exe on disk easily but it would not run a second
time because it was keyed to a specific tick count and will simply exit (or whatever)

Of course there is a security flaw in that ANY exe can be grabbed directly from
ram at runtime and with a bit of fixup can be written to disk... I don't think there
is any way to protect against this other than to run it on a secure platform...and
windows on the pc is certainly NOT that :-)
Chopinke

ASKER

Don't worry it's nothing malicious.

A company wants a protection for their c/s app but they do not have the source code. I am creating some kind of secure shell, where nobody is allowed to run their app directly, but has to log in through the shell I create. It's kind of dumb, but that's what they want.

I want the least chance for somebody to get ahold of the original EXEs.

Actually I found many leads, but I do not know only one thing: how exactly can I run the file in the memory.

I know it is easy just to load a debugger, capture the memory and even run it through the debugger to eliminate any checks like random data or 2 seconds limit! ;)

Thanks,

Charlie


hmmm.. well since the exe you want to protect is not a delphi app
then that makes things a bit harder..

You might try using a commercial exe encryptor... one that can be
called via command line like so   "Some.exe password" that way you
can issue the command from a delphi app using shellexecute...

Lots of good links about exe encryption here
http://www.google.com/search?as_q=&num=100&hl=en&ie=UTF-8&oe=UTF-8&btnG=Google+Search&as_epq=exe+encryptor&as_oq=&as_eq=&lr=lang_en&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=&safe=images


I wrote a very simple delphi app that can wrap any exe inside itself and
make it password protected.... this was just a demo and has very limited
security... you can find it here at this link (right click the link and choose 'save
target as' because geocities won't allow direct external file links)
http://www.geocities.com/gacarpenter386/pw-demo.zip

You could fortify this simple pw demo by writing directly to the sector holding
the first 512 bytes of the exe.... then just change it a bit so windows can't
recognize it as an exe... changing the first 2 bytes from 'MZ' to something
else will work nicely...do this a second or two after you have extracted the exe
to disk and have run it.... thus the exe will be on disk in runnable form for
only a moment. You can find code to write directly to the disk sector on Torry's
site... finding the sector that holds the proper sector is a bit tricky though.
Windows will let you write over the file of a running exe (even though it should
not)

I have a patcher demo that shows how to disable/re-enable any exe
http://www.geocities.com/gacarpenter386/toggler.zip

here is the readme for my pw demo
================================
This is a kwik-n-dirty demo that shows one way to make a password
protected exe.

This method does NOT afford any real copy protection... it merely
makes it very difficult for the average PC user to run a pw protected
exe without knowing the pw.

When you run the demo (PWSTUB.EXE) it shows a form with a button
[Select exe to PW protect]
and an edit box where you enter the PW you wish to use to protect your exe.

Just enter a new PW and then click to browse and select the exe... once selected
the exe will be wrapped inside a copy of the PWSTUB.EXE and the name will
be changed to the original exe's name and the now protected exe will replace
the original... be careful because there is NO way to easily remove the
wrapper once it is applied!  so make a copy of the original exe if you need
to!


==================
Now you may run the newly protected exe and it will ask for your PW.

Once you enter the PW the exe is extracted to the current dir and will
run. I had the demo extract to the current dir instead of something like
windows/temp so you can more easily keep track of what is happening. The
extracted exe is renamed with 'Temp_' appended... of course you would want
to extract to temp and use the original exe name when creating your own
final version of this app.

I have set the stub to remain running in a non-visible state... just waiting
for the user to close the exe... then it deletes the copy and halts...

You should open the dir that holds the pw protected exe so you can see all
this going on... It will make clear exactly what is happening. When you create
your own version of this there is really no need to keep the stub around...
just leave the copy of the exe in windows/temp... the average user won't find
it there :-)

p.s. You can set a default PW in the PWSTUB.EXE by entering your chosen PW
and double-clicking the edit box... the exe will alter its image on disk by
embedding the default PW.... then whenever you want to protect an exe the PW
is already entered :-)

..Gwen..
========================================

I hope some of this is a help to you.... exe protection is a very hard thing to do..
even Microsoft can't do it well... and they wrote the op system :-)
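
A defender's view of the wrapper and 'MZ' tricks described in the post above, as an added example that is not part of the original thread: the Python below reports PE images carried inside another file and flags an image whose first two bytes were changed from 'MZ'. The sample bytes are constructed, the function names are hypothetical, and a payload stored in encrypted form will not be found this way.

```python
import struct

PE_SIG = b"PE\0\0"

def pe_header_at(data, base):
    """True if a DOS header at `base` has an e_lfanew that lands on 'PE\\0\\0'."""
    if base + 0x40 > len(data):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, base + 0x3C)
    start = base + e_lfanew
    # Assumption: the PE header sits after the 64-byte DOS header, as linkers emit it.
    return e_lfanew >= 0x40 and data[start:start + 4] == PE_SIG

def find_pe_images(data):
    """Offsets of every 'MZ' that is followed by a consistent PE header."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pe_header_at(data, pos):
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def has_patched_signature(data):
    """First two bytes are not 'MZ', yet the rest still parses as a PE image."""
    return data[:2] != b"MZ" and pe_header_at(data, 0)

def toy_image(tag):
    """Constructed sample: 64-byte DOS header, PE signature and filler (not a real EXE)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    return dos + PE_SIG + tag.ljust(60, b".")

# Constructed inputs: a stub with a second image appended, and a copy of that
# image with its 'MZ' signature overwritten.
HOST = toy_image(b"stub")
PAYLOAD = toy_image(b"payload")
WRAPPED = HOST + PAYLOAD
DISABLED = b"ZZ" + PAYLOAD[2:]

if __name__ == "__main__":
    print("images in wrapped file:", find_pe_images(WRAPPED))
    print("disabled copy flagged:", has_patched_signature(DISABLED))
```

Any offset above 0 in the result marks an image stored inside the host file.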
No comment on MS! ;)

I appreciate your efforts helping me, but I do not need protection ideas for the EXE itself, I can use encryption, compression, transformation etc... I have my ideas. That's not the problem.

If I had wanted to save it to a temporary file for the fraction of seconds for execution I would have not asked this question.

So it remains.

I have the image of an EXE file in the memory, how can I execute it?

Let's say I have a memory mapped file with SEC_IMAGE type, how can I execute it?

Charlie
PS.: I increased the points since it seems to be a little bit tough question.
ASKER CERTIFIED SOLUTION
By the way, before anyone gets any weird ideas, no, I have no vested interest in anyone acquiring Shrinker. I am in no way connected to Blink Inc. I am just a very satisfied customer. ;-)
listen...
This Q is over a year old thus it qualifies for being abandoned. But I don't feel it has been correctly answered either. This Q is about how to run an EXE straight from memory and this has not been answered. I wouldn't mind it if this Q was deleted instead. I just don't know how the others feel about this, though.
If you do want to split the points, I would suggest:
Gwena 100 points because he provided some interesting code examples of EXE wrappers.
Workshop_Alex & RDWilson2 each 70 points, for providing links to EXE-shrinkers.

Gwena is the closest to answering this Q, though.