Fwd: Execute binary code

Gabriel Genellina gagsl-py at yahoo.com.ar
Mon Jan 8 19:09:09 EST 2007


At Monday 8/1/2007 18:01, citronelu at yahoo.com wrote:

>Chris Mellon wrote:
> > Writing to a temp file will be at least 3 times as easy and twice as
> > reliable as any other method you come up with.
>
>I'm not disputing that, but I want to keep a piece of code (a parser
>for Oracle binary dumps, that I didn't write) out of foreign hands, as
>much as possible. Using a TEMP directory is not "stealth" enough.

This is what I would do (untested of course!) (Mostly using the 
Win32 API so you'll have to use pywin32 or ctypes).

Call CreateFile with dwShareMode=0, FILE_ATTRIBUTE_TEMPORARY, 
FILE_FLAG_NO_BUFFERING, FILE_FLAG_DELETE_ON_CLOSE.
That means that no other process could open the file, if it fits in 
available memory probably it won't even be written to disk, and it 
will be deleted as soon as it has no more open handles. File name 
does not have to end in .exe.
Copy the desired contents into a buffer obtained from VirtualAlloc; 
then call WriteFile; release the buffer (rounding size up to next 4KB multiple)
Then CreateProcess with CREATE_SUSPENDED, and CloseHandle on the 
file, and CloseHandle on the two handles returned on 
PROCESS_INFORMATION. At this stage, the only open handle to the 
temporary file is held by the section object inside the process.
Then ResumeThread(hThread) -process begins running- and 
WaitForSingleObject(hProcess) -wait until it finishes-.
As soon as it finishes execution, the last handle to the file is 
closed and it is deleted.

Another approach would be to go below the Windows API and use the 
native API function NtCreateProcess -officially undocumented- which 
receives a section handle (which does not have to be disk based). But 
this interface is undocumented and known to change between Windows versions...

Or search for a rootkit...


-- 
Gabriel Genellina
Softlab SRL 
