Fwd: Execute binary code

Chris Mellon arkanes at gmail.com
Mon Jan 8 21:17:30 EST 2007


On 1/8/07, Gabriel Genellina <gagsl-py at yahoo.com.ar> wrote:
> At Monday 8/1/2007 18:01, citronelu at yahoo.com wrote:
>
> >Chris Mellon wrote:
> > > Writing to a temp file will be at least 3 times as easy and twice as
> > > reliable as any other method you come up with.
> >
> >I'm not disputing that, but I want to keep a piece of code (a parser
> >for Oracle binary dumps, that I didn't write) out of foreign hands, as
> >much as possible. Using a TEMP directory is not "stealth" enough.
>
> This is what I would do (untested of course!) (Mostly using the
> Win32 API so you'll have to use pywin32 or ctypes).
>
> Call CreateFile with dwShareMode=0, FILE_ATTRIBUTE_TEMPORARY,
> FILE_FLAG_NO_BUFFERING, FILE_FLAG_DELETE_ON_CLOSE.
> That means that no other process could open the file, if it fits in
> available memory probably it won't even be written to disk, and it
> will be deleted as soon as it has no more open handles. File name
> does not have to end in .exe.
> Copy the desired contents into a buffer obtained from VirtualAlloc;
> then call WriteFile; release the buffer (rounding size up to next 4KB multiple)
> Then CreateProcess with CREATE_SUSPENDED, and CloseHandle on the
> file, and CloseHandle on the two handles returned on
> PROCESS_INFORMATION. At this stage, the only open handle to the
> temporary file is held by the section object inside the process.
> Then ResumeThread(hThread) -process begins running- and
> WaitForSingleObject(hProcess) -wait until finishes-.
> As soon as it finishes execution, the last handle to the file is
> closed and it is deleted.
>
> Another approach would be to go below the Windows API and use the
> native API function NtCreateProcess -officially undocumented- which
> receives a section handle (which does not have to be disk based). But
> this interface is undocumented and known to change between Windows versions...
>
> Or search for a rootkit...
>
>
> --
> Gabriel Genellina
> Softlab SRL
>

That's a lot of work to execute a binary image that can be trivially
recovered from the Python source with 2 minutes of work (up to 15 if
you have to install Python and google for how to write to a file
first).
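As an added example (not part of this thread, and not code from either poster), the point made above in working form: a binary embedded in a Python script as a bytes literal is recovered by parsing the source, without executing anything, so no runtime trick with temporary files or suspended processes changes what is exposed. The embedding script and the "binary" are constructed stand-ins.

```python
import ast
import hashlib

# Constructed stand-in for the parser executable the original poster wants to hide.
# Any byte sequence works; "MZ" is just the usual DOS header magic.
ORIGINAL_BINARY = b"MZ\x90\x00" + bytes(range(256)) * 4

# Constructed example of a script that embeds the binary and would then play the
# Win32 tricks from the quoted post. None of that runtime path matters here:
# the payload is readable before a single line of it executes.
EMBEDDING_SCRIPT = f"""
import ctypes
PAYLOAD = {ORIGINAL_BINARY!r}
def run():
    # CreateFile / WriteFile / CreateProcess(CREATE_SUSPENDED) ... would go here
    pass
"""


def extract_bytes_literals(source: str, min_len: int = 64) -> list[bytes]:
    """Return every bytes literal of at least min_len bytes found in Python source.

    ast.parse never executes the script, so delete-on-close files, suspended
    processes or any other runtime hiding have no effect on recovery.
    """
    tree = ast.parse(source)
    found = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, bytes):
            if len(node.value) >= min_len:
                found.append(node.value)
    return found


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def recovered_matches_original(source: str = EMBEDDING_SCRIPT) -> bool:
    """True if exactly one payload is found and it is byte-for-byte the original."""
    blobs = extract_bytes_literals(source)
    return len(blobs) == 1 and sha256(blobs[0]) == sha256(ORIGINAL_BINARY)


if __name__ == "__main__":
    for blob in extract_bytes_literals(EMBEDDING_SCRIPT):
        print(f"recovered {len(blob)} bytes, sha256={sha256(blob)}")
```

The same walk works on a script that base64-encodes the payload only after one extra decode step; the confidentiality gained by embedding is nil either way.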
