I want to dump a process image on the disk and then execute it

  • I listed the process modules
  • I used ReadProcessMemory to read the memory range of the exe

But when I try to execute it, it fails. How can I solve this?

Thanks

+4  A: 

You can't. When you load a PE into memory (I assume you're using MapAndLoad from ImageHlp.pas), it loads the modules into memory and loads the data, but it doesn't go through and realign all the pointers the way the standard Windows loader does. The pointers in the app are all going to be relative addresses that don't actually point to what they're supposed to point to. If you know enough about how RVAs and mappings work, you can analyze the code, but you can't actually execute it.

Mason Wheeler
There are applications which have this functionality, so it is not impossible.
opc0de
e.g. LordPE Deluxe by yoda
opc0de
Well, it's probably using some other method, most likely duplicating the functionality of the Windows Loader. Is the source available? Can you examine it and see how Yoda does it?
Mason Wheeler
LordPE can be found at http://freewareapp.com/lordpe_download/ and it's freeware. No source available. I suspect that LordPE just examines the process, finds the file that's linked to it and then modifies the original executable instead of the process memory.
Workshop Alex
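The concrete reason a raw ReadProcessMemory dump fails when written to disk, illustrated with an added example that is not part of the original post and not LordPE's code: in memory every section sits at its RVA (SectionAlignment granularity, typically 0x1000), but the section headers still say the section data starts at PointerToRawData (FileAlignment granularity, typically 0x200). Any parser or loader that opens the dumped file therefore reads section contents from the wrong offsets. The script below takes the buffer a dumper reads (SizeOfImage bytes from the module base) plus the base address it was read from, rewrites each section's raw offset and size to equal its RVA and virtual size, raises FileAlignment to SectionAlignment, and records the real load base in ImageBase so already-applied relocations stay valid. The sample PE32 image is constructed inline (not a real program); `fix_dump`, `parse_sections`, `section_file_bytes` and `image_base` are the example's own names. It does not rebuild imports: the IAT in a running process contains resolved function addresses, so a working dumper needs a separate import-reconstruction pass on top of this header fix.

```python
import struct

DOS_HEADER_SIZE = 0x40
FILE_HEADER_FMT = "<HHIIIHH"      # IMAGE_FILE_HEADER (20 bytes)
SECTION_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER (40 bytes)
SECTION_SIZE = struct.calcsize(SECTION_FMT)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _headers(image):
    """Return (nt_offset, number_of_sections, optional_header_offset, first_section_offset)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    nt = struct.unpack_from("<I", image, 0x3C)[0]             # e_lfanew
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, image, nt + 4)
    opt = nt + 24                                              # signature (4) + file header (20)
    return nt, nsec, opt, opt + opt_size


def parse_sections(image):
    """Return [(name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)]."""
    _, nsec, _, first = _headers(image)
    out = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(SECTION_FMT, image, first + i * SECTION_SIZE)[:5]
        out.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return out


def image_base(image):
    """ImageBase from the optional header: 4 bytes at +28 for PE32, 8 bytes at +24 for PE32+."""
    _, _, opt, _ = _headers(image)
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:
        return struct.unpack_from("<I", image, opt + 28)[0]
    if magic == PE32PLUS_MAGIC:
        return struct.unpack_from("<Q", image, opt + 24)[0]
    raise ValueError("unknown optional header magic 0x%x" % magic)


def section_file_bytes(image, name):
    """Read a section the way a file parser does: through PointerToRawData, not its RVA."""
    for sname, _va, _vsize, rawptr, rawsize in parse_sections(image):
        if sname == name:
            return bytes(image[rawptr:rawptr + rawsize])
    raise KeyError(name)


def fix_dump(mem_image, base_address):
    """Make a memory dump (SizeOfImage bytes read from base_address) loadable as a file.

    Raw offsets/sizes are set to the RVAs/virtual sizes, FileAlignment is raised to
    SectionAlignment, and ImageBase is set to the address the image was read from.
    Imports are NOT rebuilt here (the live IAT holds resolved addresses).
    """
    out = bytearray(mem_image)
    _, nsec, opt, first = _headers(out)
    magic = struct.unpack_from("<H", out, opt)[0]
    if magic == PE32_MAGIC:
        struct.pack_into("<I", out, opt + 28, base_address & 0xFFFFFFFF)
    elif magic == PE32PLUS_MAGIC:
        struct.pack_into("<Q", out, opt + 24, base_address)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sect_align = struct.unpack_from("<I", out, opt + 32)[0]
    struct.pack_into("<I", out, opt + 36, sect_align)          # FileAlignment := SectionAlignment
    for i in range(nsec):
        off = first + i * SECTION_SIZE
        vsize, va = struct.unpack_from("<II", out, off + 8)    # VirtualSize, VirtualAddress
        struct.pack_into("<II", out, off + 16, vsize, va)      # SizeOfRawData, PointerToRawData
    return bytes(out)


def build_sample_memory_image():
    """Constructed input (not a real program): a two-section PE32 laid out as the loader maps it."""
    text, data = b"\xCC" * 0x100, b"D" * 0x100
    # (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, Characteristics) as linked
    sections = [(b".text", 0x1000, len(text), 0x200, 0x200, 0x60000020),
                (b".data", 0x2000, len(data), 0x400, 0x200, 0xC0000040)]
    opt = bytearray(0xE0)                                      # PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)                # ImageBase as linked
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)            # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)            # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                         # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)         # e_lfanew
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    sect_hdrs = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                         for n, va, vs, rp, rs, ch in sections)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect_hdrs
    image = bytearray(0x3000)                                  # SizeOfImage
    image[:len(headers)] = headers
    image[0x1000:0x1000 + len(text)] = text                    # loader put .text at RVA 0x1000 ...
    image[0x2000:0x2000 + len(data)] = data                    # ... not at file offset 0x200
    return bytes(image)


if __name__ == "__main__":
    mem = build_sample_memory_image()                          # stands in for ReadProcessMemory output
    print("raw dump, .text via PointerToRawData:", section_file_bytes(mem, ".text")[:4])
    fixed = fix_dump(mem, 0x01230000)                          # assumed base the loader chose
    print("fixed dump, .text via PointerToRawData:", section_file_bytes(fixed, ".text")[:4])
    print("sections:", parse_sections(fixed), "ImageBase=0x%x" % image_base(fixed))
```

On the unfixed buffer, `.text` read through PointerToRawData (0x200) yields header padding, which is what a loader would see in the dumped file; after `fix_dump` the same lookup lands on the real code at 0x1000. Writing `fixed` to disk gives a file whose on-disk layout matches its in-memory layout; the remaining step for a runnable dump is rebuilding the import directory.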