-
Can you execute a binary from memory as opposed to from a disk?
I would like to have one executable 'execute' another executable from a memory buffer / RAM disk (do these even exist under Windows?).
Basically I want to have my main executable encrypted, and then have a loader which loads it to ram, decrypts it and then executes it. I do *not* want to write the decrypted thing out to a temporary file and then run that.
If I did, it would kind of defeat the purpose of encrypting the file to begin with unless there is a safe place, an invisible place, I can put this temporary file that is decrypted when I run it.
I just do not want a clever end user getting ahold of a decrypted version of an executable file.
Does anyone have any idea how to do this?
-
Re: Can you execute a binary from memory as opposed to from a disk?
You will need a reference for this topic:
DLL injection
Kuphryn
-
Re: Can you execute a binary from memory as opposed to from a disk?
I think you have previously asked the same question; the answer is no, it's almost(*) impossible to do that. The main reason is resolving references on your own; that's not possible.
Why not extract your encrypted file into a temp file and execute it from there?
-
Re: Can you execute a binary from memory as opposed to from a disk?
Is there the possibility of an encrypted folder? I've never used them but I believe that there are products available which can encrypt certain folders under Windows. Could this help you? For example, if a particular folder was encrypted and its decryption key was only known to your loader program, you could possibly decrypt your main program into a temporary file (within the encrypted folder) and run it from there. In theory, nothing outside of your program could see the contents of the temporary file. Of course, that in itself might prevent Windows from being able to run it...!
What are you trying to avoid? The possibility of reverse-engineering or what?
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by kuphryn
You will need a reference for this topic:
DLL injection
Kuphryn
Yes, I asked about DLLs. This time I am asking about EXEs.
Why do I need a reference? What do you mean?
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by Krishnaa
I think you have previously asked the same question; the answer is no, it's almost(*) impossible to do that. The main reason is resolving references on your own; that's not possible.
Yes, I asked about DLLs, not EXEs. Are they treated the same?
Quote:
Why not extract your encrypted file into a temp file and execute it from there?
What would be the point of encryption then? All someone would have to do is take the extra, tiny step of locating the temp file and then reading it all decrypted.
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by John E
What are you trying to avoid? The possibility of reverse-engineering or what?
Yes, that is the main thrust of it, although I realize you can't actually stop reverse engineering. You can only make it very difficult.
Part of the problem is that there are lots and lots and lots of logging strings in the application, as well as XML tags.
If you were to take the Linux app "strings" and run it on our program, you would get a bonanza of information.
Furthermore, I use encrypted communication with our server (Blowfish) and a clever hacker might be able to find the encryption key. If our binary was encrypted with a different key, it would make it harder to find.
If somehow I could "load" our exe into ram and THEN run it, it would make doing updates very easy since I could easily replace the encrypted exe file because it isn't actually running.
Lastly, the newer AV software, notably Norton and McAfee are super paranoid and every time we update our app (which is frequently due to its evolving technology) they throw up lots of warning boxes about how our product's exe has changed. Then the users need to re-authorize it which usually involves several click boxes from these AV products. If our main EXE was really a data file, then our frequent updates would not cause such a hassle.
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by DeepT
What would be the point of encryption then? All someone would have to do is take the extra, tiny step of locating the temp file and then reading it all decrypted.
Well, they can always just break your application by attaching a debugger and then check out what it's doing.
Anyway, I believe I've seen a way to load an executable from a resource or the internet etc., and then execute it without saving it to disk. I just can't remember where :rolleyes:. I also believe I've read somewhere that this (or at least that technique) doesn't work on XP and newer... I'll see if I can dig up the code.
- petter
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by DeepT
What would be the point of encryption then?
Encryption is used to protect data. Data, unlike the machine code contained in an executable, is something that never gets executed. This is why your requirement to execute an encrypted file is not the norm.
(If I may ask - why do you wish to do this?)
Quote:
Originally Posted by DeepT
All someone would have to do is take the extra, tiny step, of locating the temp file and then reading it all decrypted.
That's right.
Which makes my question all the more important - what is in an executable that demands the same to be encrypted?
-
Re: Can you execute a binary from memory as opposed to from a disk?
Does it matter? Let's say it has classified information in it.
Let me put it this way, the application I am writing is a security application. The more difficult it is for a hacker to understand the application the more secure the entire system is.
Is there, or is there not a way, to run an executable that does *not* exist on a disk?
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by DeepT
Let me put it this way, the application I am writing is a security application. The more difficult it is for a hacker to understand the application the more secure the entire system is.
Are you convinced that a hacker with the capability to understand your executable's machine code and figure your algorithms out will not be competent enough to see what the decrypting application is doing?
Additionally, optimizing compilers like VS 2005 produce binary output that does not have a one-to-one correlation with the source, i.e., even for a hacker who can read an unfriendly binary and figure algorithms out, it isn't that straightforward. Add to that, you can make use of code obfuscators.
Quote:
Originally Posted by DeepT
Is there, or is there not a way, to run an executable that does *not* exist on a disk?
Assume there is one (viruses do this all the time) - it is possible to peek into a Process' Memory - so, what seems to be a safe haven isn't really that safe.
______________
A possible solution is this - should you choose to decrypt your executable and run it from the disk, the executed file should first open itself with OF_SHARE_DENY_READ, effectively blocking the ability of any process to access its content.
Quote:
Originally Posted by MSDN
OF_SHARE_DENY_READ
Opens a file and denies read access to other processes.
On closure, the executable can signal another to delete it.
This isn't foolproof (and nothing is), but quite achievable.
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by Siddhartha
Are you convinced that a hacker with the capability to understand your executable's machine code and figure your algorithms out will not be competent enough to see what the decrypting application is doing?
It is not so much the algorithms; they have been recently patented.
There is a lot of "clear text" in our app, which would be easy to see. Some of our cypher keys are also in our app, although they are not "clear text".
The concern is the end users, who in many cases are not 'willing'. Our application is a network management tool that does such things as make sure someone has AV software installed, running, and up to date with definitions. There are dozens and dozens of things it does.
As a network admin, you may want your users to have AV software otherwise they can not use your network. As an end user, you may not be happy about this and may resent this fact and try and bypass our app. You will quickly find out that simply removing our app will quickly result in your network connection going away.
The only option is to try and "spoof" the system. The first step I would do, as a hacker, is examine the EXE and see what I could find. Right now you would find a lot from it. As it is, you would still be stuck, but a really, really clever hacker might figure out a way.
Anyway, there are a lot of benefits to be gained on many fronts if I could load our exe as a data file and just "execute" it without it having a physical presence on a disk.
In general, this idea itself could do a lot for software copy protection. I know if I was making a video game, I could use something like this to make a nearly uncrackable game, although it would also require that each copy of the game be somehow unique.
-
Re: Can you execute a binary from memory as opposed to from a disk?
Have you considered something like this?
Strongbit
If you use this and then password protect the program at startup, there is not much else you can do... if "they" want into your program they will get into it UNLESS it is on a protected/secure/trusted network.
-
Re: Can you execute a binary from memory as opposed to from a disk?
In any case, if someone was determined enough, it wouldn't be too difficult to write a program that dumps the entire contents of memory into a file. Using such an app, they could dump the current RAM contents immediately after boot-up, then load your program, then do another dump. Comparing the two would tell them whereabouts your program was located and they could probably reverse engineer it from there (if they were determined enough).
The best you can ever hope for is to deter casual hackers. You can never protect yourself from a determined hacker.
-
Re: Can you execute a binary from memory as opposed to from a disk?
I did read somewhere that about 90% of crackers give up after 30 minutes and move on to something else.
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by DeepT
Does it matter? Let's say it has classified information in it.
Let me put it this way, the application I am writing is a security application. The more difficult it is for a hacker to understand the application the more secure the entire system is.
Is there, or is there not a way, to run an executable that does *not* exist on a disk?
BTW, some hackers do come to codeguru.com; what if they come to know your super idea? :p
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by DeepT
Is there, or is there not a way, to run an executable that does *not* exist on a disk?
If you're referring specifically to a Windows program, the answer is probably "No". However, Windows isn't the only OS. Indeed, it isn't strictly necessary for a computer to even run a host OS. Many devices use "embedded systems" where an application gets run directly from an EPROM.
However, even this isn't foolproof. There's nothing to stop a determined hacker from removing the EPROM and analysing its contents.
The bottom line is that nothing is 100% safe. Once you release your code - no matter what form you release it in - you run the risk of someone analysing it or copying it. The only method of protection that's 100% safe is never to release the code!!
-
Re: Can you execute a binary from memory as opposed to from a disk?
Am I missing something? How can you decrypt the exe without the user peeking into your decryption key?
Edit:
Quote:
Originally Posted by DeepT
ram disk (do these even exist under windows?)
No, you have to write a driver to do that job.
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by kumaresh_ana
Am I missing something? How can you decrypt the exe without the user peeking into your decryption key?
Why does the user come into the picture? The program internally decrypts the resource contents into memory.
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by Krishnaa
Why does the user come into the picture? The program internally decrypts the resource contents into memory.
Yes, I get it. What I cannot get is: the loader, as the OP says, needs to know the key; a simple disassembly of this app could reveal the key to the user. Then the user can decrypt it himself and all your work of loading the app without writing to disk is defeated.
Edit:
What I mean by the user is the hacker.
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by DeepT
The only option is to try and "spoof" the system. The first step I would do, as a hacker, is examine the EXE and see what I could find. Right now you would find a lot from it. As it is, you would still be stuck, but a really, really clever hacker might figure out a way.
The first step I would do is to run your app under a system debugger like SoftICE, and make a whole process snapshot in its running state. :D
All deciphered modules running from anywhere (file or memory) will be unveiled in the running state. Oops...
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by DeepT
Lastly, the newer AV software, notably Norton and McAfee are super paranoid and every time we update our app (which is frequently due to its evolving technology) they throw up lots of warning boxes about how our product's exe has changed. Then the users need to re-authorize it which usually involves several click boxes from these AV products. If our main EXE was really a data file, then our frequent updates would not cause such a hassle.
To avoid this and various other issues you can strip the crucial data off your exe and encrypt only that data file.
AFAIK, no crypto principle is available to do the service you are asking for (this suggests to me that we are misusing the crypto). Crypto always assumes that "a secret key is always secret". If you can peek into the system memory then the very assumption goes wrong.
-
Re: Can you execute a binary from memory as opposed to from a disk?
Yes, I know nothing is "foolproof". I am not trying to get a "foolproof" system.
I just do not want the program to be a cakewalk to crack. An encrypted EXE will make it a lot more difficult, and yes, the casual hacker is of bigger concern than Mr. Super Hacker. Someone will crack it; I just do not want it to be too easy for them.
Right now, a big area of deployment is campus networks. Campus networks, by their nature, have a lot of curious comp-sci majors who like to take a stab at cracking our product. It is very uncommon for someone to actually examine our exe very closely, but once in a long while someone will and ask a question about something they shouldn't (meaning they were nosing around in our EXE).
An extra layer of encryption on the exe itself would reduce even this snooping.
Even then, I am quite aware that someone, somewhere will still get by any encryption I do.
Ok, a slightly different angle of attack. If I cannot encrypt and load an exe into memory, is it possible for a single exe to be partially encrypted, maybe like having a header that can decrypt the rest of the exe and then jump to a new section of code that was previously decrypted?
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by kumaresh_ana
To avoid this and various other issues you can strip the crucial data off your exe and encrypt only that data file.
AFAIK, no crypto principle is available to do the service you are asking for (this suggests to me that we are misusing the crypto). Crypto always assumes that "a secret key is always secret". If you can peek into the system memory then the very assumption goes wrong.
True, but you can always hide a key in a forest of keys. Again, not foolproof, but certainly beyond the "worth the effort" threshold of most would-be hackers.
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by DeepT
Ok, a slightly different angle of attack. If I cannot encrypt and load an exe into memory, is it possible for a single exe to be partially encrypted, maybe like having a header that can decrypt the rest of the exe and then jump to a new section of code that was previously decrypted?
Yes, it is always possible. Exe packers always do that. The unpacking code will be available as a section and all others (packed) will be different sections. At runtime the unpacker section will unpack the remaining sections, ready for execution.
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by kumaresh_ana
Yes, it is always possible. Exe packers always do that. The unpacking code will be available as a section and all others (packed) will be different sections. At runtime the unpacker section will unpack the remaining sections, ready for execution.
Ok, great. How do I do that?
-
Re: Can you execute a binary from memory as opposed to from a disk?
Sorry I cannot help you in this. I just know it can be done.
1. During build time encrypt the portion and build it into the exe? :confused:
2. Decrypt the portion and write it in the memory? :confused:
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by DeepT
Ok, great. How do I do that?
You will need to understand the PE format first. There is a section inside the executable where the code (assembly) is stored; packers generally take that and encrypt it, add new code which gets executed when the exe is run, and then this part decrypts the original code and places it in its original position. Packers also use some *algorithms* to optimize and alter the code in a way to make it harder to analyse.
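The section-table layout Krishnaa describes is also what a defender inspects when triaging a binary for packing. As an added example (not code from this thread or from any packer product), here is a minimal Python parser that walks the PE section headers and reports each section's byte entropy; an encrypted or compressed section shows near-maximal entropy, which is the usual first tell. The sample PE bytes are constructed inside the block and are not a real executable.

```python
import math
import random
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant input, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe: bytes):
    """Walk DOS header, PE signature, COFF header and section table; return (name, raw_size, entropy)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    sec_table = coff + 20 + size_opt
    result = []
    for i in range(num_sections):
        off = sec_table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        raw = pe[raw_ptr:raw_ptr + raw_size]
        result.append((name, raw_size, round(shannon_entropy(raw), 2)))
    return result

def suspicious_sections(pe: bytes, threshold: float = 7.0):
    """Names of non-empty sections whose bytes look encrypted or compressed."""
    return [n for n, size, ent in parse_sections(pe) if size and ent >= threshold]

def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE-shaped blob with a plain .text and a 'packed' section."""
    text = (b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 10) * 32   # repetitive code-like bytes
    rng = random.Random(1234)                                  # deterministic stand-in for ciphertext
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    e_lfanew, size_opt = 0x40, 0                               # no optional header needed for this walk
    sec_table = e_lfanew + 4 + 20 + size_opt
    text_ptr = sec_table + 2 * 40
    packed_ptr = text_ptr + len(text)
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_opt, 0x102)
    sec = "<8sIIIIIIHHI"  # Name VSize VAddr RawSize RawPtr Relocs Lines NReloc NLines Flags
    hdr += struct.pack(sec, b".text", len(text), 0x1000, len(text), text_ptr, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack(sec, b".packed", len(packed), 0x2000, len(packed), packed_ptr, 0, 0, 0, 0, 0xE0000020)
    return bytes(hdr) + text + packed

if __name__ == "__main__":
    sample = build_sample_pe()
    for name, size, ent in parse_sections(sample):
        print(f"{name:<8} {size:>6} bytes  entropy {ent:.2f}")
    print("looks packed/encrypted:", suspicious_sections(sample))
```

Run it against a real file by passing `open(path, "rb").read()` to `parse_sections`; a section of real code usually lands around 5 to 6.5 bits per byte, while ciphertext or compressed data sits near 8.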
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by kumaresh_ana
Sorry I cannot help you in this. I just know it can be done.
1. During build time encrypt the portion and build it into the exe? :confused:
2. Decrypt the portion and write it in the memory? :confused:
Not build time, after the build, you should have a separate program to alter the binary, otherwise you are giving away your logic to others. :)
-
Re: Can you execute a binary from memory as opposed to from a disk?
Yes, that's what I meant, but I slipped up. :D
-
Re: Can you execute a binary from memory as opposed to from a disk?
Actually, I am not sure "packers" do this at all.
For example, WinZip that creates a self-extracting exe...
It sticks whatever it is packing after the "packer part" of the program, but whatever is unpacked is written to disk.
An analogy would be to have a zipped exe that unzips itself and runs without writing any files to disk.
I do not know of any packer / archiver that does this. All of them simply unpack their payload to disk before executing anything else.
-
Re: Can you execute a binary from memory as opposed to from a disk?
You really should read what www.strongbit.com can do as far as hiding the code in the PE and schemes to make it almost impossible to follow in memory... this does not pack the PE then unpack it to the disk as you previously stated... it is NOT like PKZIP or WinZip... it works with native EXE and .NET programs.
-
Re: Can you execute a binary from memory as opposed to from a disk?
That does seem like a pretty neat tool. It would be nice to see how it really works. It seems that would significantly increase executable sizes though, and it is unclear if it encrypts non-executable data.
-
Re: Can you execute a binary from memory as opposed to from a disk?
Quote:
Originally Posted by DeepT
That does seem like a pretty neat tool. It would be nice to see how it really works. It seems that would significantly increase executable sizes though, and it is unclear if it encrypts non-executable data.
Yes, it does encrypt and compress non-exe data. My exe size went from 560K to ~285K built in VS 2005 native exe with same results from VC++ 6.0.
There is a 30-day eval on their exe encryptor... give it a try... what do you have to lose... then get a PE viewer and try to read your data in the NEW exe...
P.S. I'm not connected with Strongbit in any way..other than liking their product..so far