
How to run an EXE (Win32 any) starting from memory


LazaruX:
Eric, as I can see you got different answers, but your problem isn't solved and it seems you ignored the answers.
Maybe we just misunderstood the question, or you didn't read the answers.
Provide us with more information on what you want to do exactly and why you want to do it; explain to us a scenario where something like what you want can be applied.
If you have problems with the English language, let us know; we will find somebody to help you in your language.

Marc:
From a private message I think I understand what Eric wants.
He has an exe in, say, a database and he wants to run it from memory without saving it to disk. It is possible, I've seen an article about it. But it won't be easy, you need a lot of MSDN reading.
I personally would suggest temporarily saving the file.
If that is not possible, you may try to find a way to create a virtual RAM disk and load the exe from that.

If you still want to execute the exe yourself, then JoshyFun already gave some steps.

The problem is that you officially cannot create a process without a file. So what you can do is create a suspended process of, say, cmd.exe, then use VirtualAlloc to extend the process memory so it would fit your exe. Map your exe into that memory, set up the process params and resume the process. See http://msdn.microsoft.com/en-us/magazine/cc301727.aspx on how images are loaded.

While searching I ran into this PowerPoint: http://www.i.u-tokyo.ac.jp/edu/training/ss/lecture/new-documents/Lectures/13-Processes/Processes.ppt
There the CreateProcess is explained:
...

* Call NtCreateSection(SEC_IMAGE)

* Check for special handling: VDM, WoW64, restrictions, CMD files

* Call NtQuerySection() to get ImageInformation

* Use LdrQueryImageFileExecutionOptions() to see if debugging

* Special handling for POSIX executable

* Create the new process in the kernel via NtCreateProcessEx()

* If requested, call NtSetInformationProcess(ProcessPriorityClass)

* If (dwCreationFlags & CREATE_DEFAULT_ERROR_MODE)
    call NtSetInformationProcess(ProcessDefaultHardErrorMode)

* Call BasePushProcessParameters() to push params into new process

* Stuff in the standard handles if needed

* Call BaseCreateStack() to create a user-mode stack in process

* Call BaseInitializeContext() to create an initial thread context

* Call NtCreateThread() to create the first thread
    // thread may run, so no more modification to new process virtual space

* Use CsrClientCallServer(BasepCreateProcess) to register new process and thread with CSRSS

* If app is restricted
    Set a restricted token on the process
    Assign it to a job object so that it can't escape the token.

* Unless the initial thread was created suspended, start it with NtResumeThread()

For an "explanation" of those functions see http://undocumented.ntinternals.net/

Anyway.... I still think saving a temp file is waaaaaay easier.
