Loading executable into memory

[Rayko]

Alright, for a school project i'm making a filecrypter, and i need to load the executable directly into the memory.

For those that don't know it yet, a crypter consists of a crypter, and a seperate "stub"

the crypter crypts the file, and the stub is binded to the file, and upon execution, the stub is executed, and in turn executes the file it's bound to.

I have a RunPE sub, and on itself it works fine

Code:

Imports System.Runtime.CompilerServices
Imports System.Reflection

Public Class Form1

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim x As New Threading.Thread(AddressOf RunInternalExe)
        x.Start()
    End Sub
    Private Sub RunInternalExe()
        Dim CurrentAssembly As Reflection.Assembly = Reflection.Assembly.GetExecutingAssembly()
        Dim Resource As String = String.Empty
        Dim ArrResources As String() = CurrentAssembly.GetManifestResourceNames()
        For Each Resource In ArrResources
            If Resource.IndexOf("test.exe") > -1 Then Exit For
        Next
        Dim ResourceStream As IO.Stream = CurrentAssembly.GetManifestResourceStream(Resource)
        If ResourceStream Is Nothing Then
            Return
        End If
        Dim ResourcesBuffer(CInt(ResourceStream.Length) - 1) As Byte
        ResourceStream.Read(ResourcesBuffer, 0, ResourcesBuffer.Length)
        ResourceStream.Close()
        Dim assembly As Assembly = assembly.Load(ResourcesBuffer)
        Dim entryPoint As MethodInfo = [assembly].EntryPoint
        Dim objectValue As Object = RuntimeHelpers.GetObjectValue([assembly].CreateInstance(entryPoint.Name))
        entryPoint.Invoke(RuntimeHelpers.GetObjectValue(objectValue), New Object() {New String() {"1"}})

    End Sub
End Class

this code will successfully load "test.exe"

but when i apply it to my stub like this

Code:

Imports System.Runtime.CompilerServices
Imports System.Reflection

Public Class Form1
    Const filesplit = "-{@z3r0x@}-"
    Private Sub Form1_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        On Error Resume Next
        Dim TPath As String = System.IO.Path.GetTempPath
        Dim file1, filezb4(), filezafter As String
        Dim x As New Threading.Thread(AddressOf RunPE)
        FileOpen(1, Application.ExecutablePath, OpenMode.Binary, OpenAccess.Read, OpenShare.Shared)
        file1 = Space(FileLen(1))
        FileGet(1, file1)
        FileClose(1)
        filezb4 = Split(file1, filesplit)
        filezafter = xorcrypt(filezb4(1), "SomeKeyString")
        FileOpen(5, TPath & "\CryptedFile.exe", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Default)
        FilePut(5, filezafter)
        FileClose(5)
        x.Start(TPath & "\CryptedFile.exe")
        Me.Close()
        End
    End Sub

    Private Function xorcrypt(ByVal filein As String, ByVal key As String) As String
        Dim Index As Integer = 0
        Dim ReturnValue As String = ""
        For Each CharValue As Char In filein.ToCharArray
            ReturnValue = String.Concat(ReturnValue, Chr(Asc(CharValue) Xor Asc(key.Substring(Index, 1))))
            Index = (Index + 1) Mod key.Length
        Next
        Return ReturnValue
    End Function
    Private Sub RunPE(ByVal stuff As String)
        Dim CurrentAssembly As Reflection.Assembly = Reflection.Assembly.GetExecutingAssembly()
        Dim Resource As String = String.Empty
        Dim ArrResources As String() = CurrentAssembly.GetManifestResourceNames()
        For Each Resource In ArrResources
            If Resource.IndexOf(stuff) > -1 Then Exit For
        Next
        Dim ResourceStream As IO.Stream = CurrentAssembly.GetManifestResourceStream(Resource)
        If ResourceStream Is Nothing Then
            Return
        End If
        Dim ResourcesBuffer(CInt(ResourceStream.Length) - 1) As Byte
        ResourceStream.Read(ResourcesBuffer, 0, ResourcesBuffer.Length)
        ResourceStream.Close()
        Dim assembly As Assembly = assembly.Load(ResourcesBuffer)
        Dim entryPoint As MethodInfo = [assembly].EntryPoint
        Dim objectValue As Object = RuntimeHelpers.GetObjectValue([assembly].CreateInstance(entryPoint.Name))
        entryPoint.Invoke(RuntimeHelpers.GetObjectValue(objectValue), New Object() {New String() {"1"}})

    End Sub
End Class

^Doesn't load the file it's binded to^

Note also, if i leave out the RunPE, and just load the binded executable like this

Code:

System.Diagnostics.Process.Start(TPath & "\CryptedFile.exe")

it DOES work (but then it won't load it directly into the memory, ofcourse, which IS a requirement)

thanks in advance everyone!

[chris128]

First things first, you are using VB6 style code there (things like FileGet, FilePut and FileClose all have more sophisticated .NET equivalents). Same for On Error Resume Next but that one is a little more of a problem - do you really want to just hide and ignore any error messages that occur? Consider what an error message is - its something that tells you there has been a problem and gives you some information about the problem, I know that if any errors occurred in my program I would certainly want to know about it rather than just continuing and hoping it was nothing serious that affects the rest of the program. If you took that out then you might be able to diagnose your problem a lot more easily.

[Rayko]

I took it out and now i get an error message saying that File 1 isn't found

[Rayko]

Okay, i was now able to get rid of that error message by replacing FileLen() with LOF()

Now i get again, no error messages, the crypted file just seems to run, but does nothing at all.

and again when i replace x.start() with the normal execution mode [CODE]System.Diagnostics.Process.Start(TPath & "\CryptedFile.exe")[CODE] It does work again (but it doesn't load it into memory)

[Rayko]

I now managed to fix some stuff but i get an error now that "it can't load the file assembly of 180 bytes" and it also says something about invalid entry point (it still works with this code)

Code:

System.Diagnostics.Process.Start(TPath & "\CryptedFile.exe")

just not when i use the RunPE.

any help here please?