Running an EXE from memory?

**smUX** · Jun 7th, 2006, 07:24 PM

Yeah, I know, I'm always asking the difficult ones :-)

But let's say I wrote a program which encrypted EXEs for safety reasons. Is there a way in which I could, once having decrypted them, put the EXE into a specific area in memory or something and execute it without writing it back to HD? This is just a theoretical, not something I am actually planning to do or anything (yet :-)).

Something like this could also be used for data security and program control (ensuring only certain people run your program and it can't be stolen or used on another PC.

I do (as I write this) see the potential security flaws in this idea, as this is probably exactly how viruses and such get around, but is there a safe way to do this?

**rnd me** · Jun 7th, 2006, 07:53 PM

try a ramdrive:

You can use the dos based ramdrive.sys in Win XP by following these steps.

1.start the add hardware wizzard
2.Click on 'Next' on the 'Welcome' screen of the Hardware Wizard.
3.The Hardware Wizard will scan your machine for new hardware.
4.When it finds no new hardware, say YES, you have the hardware in.
5.Go to the bottom and choose the 'Add a new hardware device' option.
6.Use the 'Install the hardware that I manually select from a List (Advanced)' choice.
7.On the next screen, use the first choice 'Show all devices'. [WAIT!!]
8.From the next screen, choose 'Microsoft' in the list and select the 'RAMdisk Driver'. There is also the 'Have Disk' button - if you click that button, you can manually select ramdisk.inf from C:\WINDOWS\INF
9.Click 'Next' and the Hardware Wizard will install the RAMdisk driver

That installs the hardware so that it now exists on the system. The next thing is to configure it so as to be useful. A quick way may be to add this to your registry and see what happens on your machine. I do not know if this will work for you but I have this in my registry.

Put this into a text file called <whateveryouwant>.reg and click it -> yes

-----start----
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ramdisk]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,72,00,61,00,6d,00,64,00,69,00,73,\
00,6b,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="Ramdisk Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ramdisk\Parameters]
"BreakOnEntry"=dword:00000000
"DebugLevel"=dword:00000000
"DebugComp"=dword:ffffffff
"DiskSize"=dword:002e8000
"DriveLetter"="Z:"
"RootDirEntries"=dword:00000200
"SectorsPerCluster"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ramdisk\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ramdisk\Enum]
"Count"=dword:00000001
"NextInstance"=dword:00000001
"0"="Root\\UNKNOWN\\0000"
--------end-------

This ramdrive.sys only supports up to 32 MB but Microsoft also have a sample driver you can download and modify to suit your specific needs. It was made for 2000 but should be suitable for XP. This will hopefully get you to the 256MB you desire but I do not know since I have not used it.
http://support.microsoft.com/support.../Q257/4/05.ASP

----------------------------------
stolen from eo @ http://www.hardwareanalysis.com/content/topic/7663/

**smUX** · Jun 7th, 2006, 07:58 PM

What I am talking about isn't a virtual disk in memory, but more about basically a middle step between double clicking a file and it running

You double click the file, it loads into memory and runs...What I want is you double click the file, it runs an external program which loads that file in and does certain processing on it *then* loads it into memory and runs it. I'm thinking about a security system for something I have planned :-)

**rory** · Jun 7th, 2006, 08:09 PM

yeah i was wondering the same thing .. if I download a file into a string ... instead of writing it to the HDD once the download is complete .. how can you simply run it ..? Shell doesnt work as its not an actual file on the disk ..

**rnd me** · Jun 7th, 2006, 08:24 PM

i know shell, create process, and shellex all need a file to operate...

i don't think this is possible to do as you described.

but let me offer a few work arounds.

1 rename the .exe to something else, register that extention to another app that decrypts it or whatever.

2use sendto to run the app

3 drag the exe onto a handler exe, using command$ to transfer the filename.

4 use a bat file

5 monitor the clipboard so instead of running it, you could copy it, and then it could be processed and automatically run w/o intervention.

6 use a ramdisk or usb key

7 create a dual-layer exe, part of which is encrypted, minus a splash screen handler to interact with your decryptor

8 perhaps create an empty shadow app and use copymemory to overwrite it in ram?
- thats only a wild guess however...

but i really think that you cannot just run something from memory, save vbscript...

**rnd me** · Jun 7th, 2006, 10:11 PM

i've been thinking about it, and i'm not completly sure what you are trying to do, but i did have a few realizations.

- ive read about a special firefox setup that can run without disk accsess... though i still think it needed a USB key to run; but you can run exes from internet to local with that firefox, and the data wouldn't go to the HD.

another angle was not encrypting/authenticating your app, but rather make it monitor another app instance/process, and terminate when it did. then you could authenticate the other app; tying to HD serial number is a good way to limit code execution.

i am not clear why you need to protect the EXE however, as they aren't typically modified during runtime.

are you looking for encryption, authentication, or something else?

**rnd me** · Jun 7th, 2006, 10:18 PM

Originally Posted by rory

yeah i was wondering the same thing .. if I download a file into a string ... instead of writing it to the HDD once the download is complete .. how can you simply run it ..? Shell doesnt work as its not an actual file on the disk ..

shell can work, as anything you DL is cached in a temp folder. good luck finding that file at runtime though...
you CAN run exe's strait from the internet, and then use a util to wipe the cache upon exit...

your concern is more straitforward; i think a usbkey firefox or a small ramdrive could be useful for you.
http://support.microsoft.com/kb/q257405/
it does work with XP, up to SP1 at least...

or you could put a kill command in form_terminate to axe a dependancy, or pipe a kill command to run after the app exited, and delete the EXE. or a wipe command...

**smUX** · Jun 8th, 2006, 12:04 AM

Let's say you have a program that you've written. Let's assume in this case that it is a beta demonstration program that you have sent out to a few people. On the HD it would be highly encrypted and unusable but when you try to run it the file would get decrypted into memory and run from there...keeping it secure once in MEMORY isn't the issue (although they could obviously do a memory dump, I know :-)) as I'm trying to work out how to do one thing at a time :-)

Once the program is run it could be deleted from HD while being run in memory, then the disk could be wiped clean (the point at which the file was, of course, not the whole disk) to secure against the file being recoverable

The problem with writing this data to a ramdisk is that you're then providing an unencrypted copy of the file on what is essentially a disk drive that literally anyone can access...the opposite of what's required!

Also, having the file run in memory rather than from file frees up the exe, which is obviously useful if you instead wanted to run an update on a file, downloading the newest copy :-)

There's many applications for something like this...and after thinking about it there's actually less "malicious" ones than good ones :-)

**rnd me** · Jun 8th, 2006, 12:37 AM

it seems to me:
that if it's on the HD encrypted, having the exe on the HD is not a problem.

so the EXE unencrypts itself on load?

or, in other words, the structure of the EXE changes upon load right>?

not sure how that would work...

if you are protecting demo exe you have a few options:
tie the encryption to a specific machine using the hard drive serial.

from gary bauer:

VB Code:

Public Declare Function GetVolumeSerialNumber Lib "kernel32" Alias "GetVolumeInformationA" (ByVal lpRootPathName As String, ByVal lpVolumeNameBuffer As Long, ByVal nVolumeNameSize As Long, lpVolumeSerialNumber As Long, ByVal lpMaximumComponentLength As Long, ByVal lpFileSystemFlags As Long, ByVal lpFileSystemNameBuffer As Long, ByVal nFileSystemNameSize As Long) As Long
 
Public Function SerialNumber(DriveLetter) As Long
    Dim Serial As Long
    Call GetVolumeSerialNumber(Ucase(DriveLetter) & ":\", 0&, 0&, Serial, 0&, 0&, 0&, 0&)
    SerialNumber = Serial
End Function
'syntax: MsgBox SerialNumber("C")

personally, i simply compile EXEs that expire a month or so down the road for my demos:

VB Code:

'in Form_Load
Dim expy As Date
expy = "04/15/2006 09:10:07 AM"
If Now > expy Then
MsgBox "Version Expired"
End
End If

i don't think an exe file can be changed around.
i also get an "accsess denied" when trying to delete a running exe file, so that probably is a wash as well.

if you are worried about decompiling, use sourcesafe or something like that. but that begs the question of who you are sending these apps to...

making another file at runtime, a long text file, based on usernames, windows install dates, HD serials, etc and requiring the presence of that file during run gives you mathmatically sound security. you can even verify this unique string (text file)'s date and size. also, that file can be deleted during runtime, causing the app to terminate the next time it is checked in a timer event, at the beggining of a common sub, etc...

let me know if any of this helps or not.

i am interested in the same thing.

$0.02

**smUX** · Jun 8th, 2006, 12:41 AM

I'm mostly thinking hypothetically...it may be that the EXE is never actually seen on the HD encrypted or otherwise, or it may be that the EXE is partially available on the HD and partially available elsewhere for security reasons...memory would be edited to merge the two together so it would run :-)

**schoolbusdriver** · Jun 8th, 2006, 03:48 AM

The closest I've seen to what you describe is a routine I wrote:- Embed WMP into a html file, setting it to play a video. Load it into IE. Delete the html file. Delete the video file. WMP carries on playing the vid. No errors. Wmp.dll has loaded everything into memory. Food for thought?

**smUX** · Jun 8th, 2006, 07:42 AM

WMP is the devil and it has its many minions doing its bidding...I'd do almost anything to achieve what I want, but selling my soul to WMP isn't one of them :-)

**rory** · Jun 8th, 2006, 07:50 AM

btw .. WMP now has an exploit that allows trojans to get by FireFox ..

**Al42** · Jun 8th, 2006, 11:09 AM

You can do this the same way a self-extracting executable used to be done - an exe that decrypts the following encrypted code into the exe's buffer, then executes the code in the buffer. I believe one of Phil Katz's programs (PKArc?) had the ability to compress a file and add the decompress/runner at the beginning, something like SFX does.

**iPrank** · Jun 8th, 2006, 11:29 AM

There are many commercial applications available that does similar to what you want. Try googling for "exe encryptor".
But, in reality, none of them is 100% secure.

**smUX** · Jun 8th, 2006, 11:36 AM

What I am actually thinking is of other applications...web-based programs that run in memory, for instance...just theoretical at this stage :-)

**Rich2189** · Jun 8th, 2006, 11:57 AM

Cool so you get the speed of a desktop application and it doesnt take up any HDD Space. AND its easier to secure from copiers since the programs isnt stored on your computer.

**smUX** · Jun 8th, 2006, 12:07 PM

It's still copiable (memory dumps and such) but I am sure there's ways to safeguard against that as well :-))

It's just a thread of an idea I am thinking about for something :-)

Thread: Running an EXE from memory?

Thread Tools

Display

Running an EXE from memory?

Re: Running an EXE from memory?

Re: Running an EXE from memory?

Re: Running an EXE from memory?

Re: Running an EXE from memory?

Re: Running an EXE from memory?

Re: Running an EXE from memory?

Re: Running an EXE from memory?

Re: Running an EXE from memory?

Re: Running an EXE from memory?

Re: Running an EXE from memory?

Re: Running an EXE from memory?

Re: Running an EXE from memory?

Re: Running an EXE from memory?

Re: Running an EXE from memory?

Re: Running an EXE from memory?

Re: Running an EXE from memory?

Re: Running an EXE from memory?

Posting Permissions