Fwd: Execute binary code
gagsl-py at yahoo.com.ar
Tue Jan 9 01:09:09 CET 2007
At Monday 8/1/2007 18:01, citronelu at yahoo.com wrote:
>Chris Mellon wrote:
> > Writing to a temp file will be at least 3 times as easy and twice as
> > reliable as any other method you come up with.
>I'm not disputing that, but I want to keep a piece of code (a parser
>for Oracle binary dumps, that I didn't write) out of foreign hands, as
>much as possible. Using a TEMP directory is not "stealth" enough.
This is what I would do (untested of course!) (Mostly using the
Win32 API so you'll have to use pywin32 or ctypes).
Call CreateFile with dwShareMode=0 and FILE_ATTRIBUTE_TEMPORARY.
That means that no other process could open the file; if it fits in
available memory it probably won't even be written to disk, and it
will be deleted as soon as it has no more open handles. The file name
does not have to end in .exe.
Copy the desired contents into a buffer obtained from VirtualAlloc;
then call WriteFile; release the buffer (rounding the size up to the
next 4KB multiple).
Then CreateProcess with CREATE_SUSPENDED, and CloseHandle on the
file, and CloseHandle on the two handles returned on
PROCESS_INFORMATION. At this stage, the only open handle to the
temporary file is held by the section object inside the process.
Then ResumeThread(hThread) (the process begins running) and
WaitForSingleObject(hProcess) (wait until it finishes).
As soon as it finishes execution, the last handle to the file is
closed and it is deleted.
Another approach would be to go below the Windows API and use the
native API function NtCreateProcess (officially undocumented), which
receives a section handle (which does not have to be disk based). But
this interface is undocumented and known to change between Windows versions...
Or search for a rootkit...