C++ Run Byte Array in memory

Tags:

c++

memory

I'm trying to work on what I think is called a launcher? The concept is to write all of a binary file to a buffer, then load the buffer into memory. I have seen this code bouncing around a lot (I have written the exe, so I have access to the code inside it.):

// Hard-coded binary for testing reasons; reading the file to launch it didn't work, and neither did this
char RawCode[11414] = {
0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
0xFF, 0xFF, ............................................... 0x00, 0x00,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};


// Main function: cast the array to a function pointer and jump into it
int main(int argc, char* argv[])
{
    int(*f)();
    f = (int(*)())RawCode;   // RawCode already decays to a pointer; &RawCode would be char(*)[11414]
    (*f)();                   // access violation here: the array lives in non-executable data
}

My original thought was that maybe the null bytes were affecting the execution, causing the access violation, so after some research I found a message box shellcode formatted as "/x41/x41/.......x41/" with no null bytes, and still this hadn't worked. I am kind of lost as there is not much information about this. Does anyone have some references to some good articles or useful tutorials, as none of the ones I have found help very much? Thank you all for your time!

asked Jan 11 '15 by 404 Username not found

2 Answers

For quite some time now, all modern operating systems have implemented some form of data execution prevention. This means that you cannot just put code somewhere in memory and run it; the memory area has to be flagged to allow execution first. The reason is security -- it makes it much harder to exploit what would otherwise have been remote code execution vulnerabilities.

It also means that you should think long and hard before you attempt something silly like this, because it rips a giant hole in your operating system's attempts to protect you.

So, before you can run code from memory, you have to flag the area in question as executable.

Under Windows, this can be done with the VirtualProtect function. However, it cannot be done for arbitrary regions of memory; it has to be aligned at page boundaries, and the pages have to be allocated with the same VirtualAlloc call. So ultimately, you'll end up with

#include <windows.h>
#include <string.h>

DWORD old_protect;
// MEM_RESERVE alone gives you no backing memory (memcpy would fault); you must also MEM_COMMIT.
LPVOID executable_area = VirtualAlloc(NULL, 11414, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

memcpy(executable_area, RawCode, 11414);
// Flip the pages from read/write to execute; do not leave them writable and executable at once.
VirtualProtect(executable_area, 11414, PAGE_EXECUTE, &old_protect);
FlushInstructionCache(GetCurrentProcess(), executable_area, 11414);

int(*f)() = (int(*)()) executable_area;
f();

// Note: RAII this in C++. Restore old flags, free memory.
VirtualProtect(executable_area, 11414, old_protect, &old_protect);
// MEM_RELEASE releases the whole reservation and requires dwSize == 0.
VirtualFree(executable_area, 0, MEM_RELEASE);
answered Nov 15 '22 by Wintermute


First off, does your array contain a representation of an executable file, or does it contain executable machine code? If the former, it probably won't work: most executable file formats start with various metadata which is used by the OS to load the program; executable machine code comes later in the file.

Second, does your system use something resembling DEP? It's likely that your OS is marking the array as non-executable, so trying to execute it will fail.

answered Nov 15 '22 by user3553031
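As an added example (not code from the question or from either answer), here is the procedure Wintermute describes, allocate read/write pages, copy the bytes in, then flip the pages to read/execute, written so it also builds on POSIX with mmap/mprotect, together with the sanity check user3553031 raises: a buffer starting with the "MZ" DOS header is a PE image, not raw machine code, so jumping to its first byte can never work. The tiny "return 42" byte strings, the function names and the PE check are this example's own constructions and are not from the original post.

```c
#define _DEFAULT_SOURCE 1
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* Constructed test input (not from the original post): a function that returns 42,
   encoded for the host CPU.
   x86-64:  B8 2A 00 00 00  mov eax, 42   ; C3           ret
   AArch64: 40 05 80 52     mov w0, #42   ; C0 03 5F D6  ret */
#if defined(__x86_64__) || defined(_M_X64)
static const unsigned char kReturn42[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
#define DEMO_SUPPORTED 1
#elif defined(__aarch64__) || defined(_M_ARM64)
static const unsigned char kReturn42[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 };
#define DEMO_SUPPORTED 1
#else
static const unsigned char kReturn42[] = { 0x00 };
#define DEMO_SUPPORTED 0
#endif

int demo_supported(void) { return DEMO_SUPPORTED; }

/* A PE image (the question's array starts 4D 5A = "MZ") is a file format with headers,
   sections and relocations; byte 0 is a DOS stub, not code. Refuse to "run" it. */
int looks_like_pe_image(const unsigned char *buf, size_t len) {
    return len >= 2 && buf[0] == 'M' && buf[1] == 'Z';
}

/* Allocate RW pages, copy the code in, then make them RX. The pages are never RWX,
   and the instruction cache is flushed before the first jump. Returns NULL on failure. */
void *load_code(const unsigned char *code, size_t len) {
    if (len == 0 || looks_like_pe_image(code, len)) return NULL;
#ifdef _WIN32
    DWORD old;
    void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!mem) return NULL;
    memcpy(mem, code, len);
    if (!VirtualProtect(mem, len, PAGE_EXECUTE_READ, &old)) {
        VirtualFree(mem, 0, MEM_RELEASE);
        return NULL;
    }
    FlushInstructionCache(GetCurrentProcess(), mem, len);
#else
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return NULL;
    memcpy(mem, code, len);
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);
        return NULL;
    }
    __builtin___clear_cache((char *)mem, (char *)mem + len);
#endif
    return mem;
}

void unload_code(void *mem, size_t len) {
#ifdef _WIN32
    (void)len;
    VirtualFree(mem, 0, MEM_RELEASE);   /* MEM_RELEASE needs size 0 */
#else
    munmap(mem, len);
#endif
}

/* Load the constructed "return 42" bytes, call them, and clean up.
   Returns -1 on an unsupported CPU, -2 if the mapping failed, otherwise 42. */
int run_demo(void) {
    if (!demo_supported()) return -1;
    void *mem = load_code(kReturn42, sizeof kReturn42);
    if (!mem) return -2;
    int (*f)(void) = (int (*)(void))mem;
    int result = f();
    unload_code(mem, sizeof kReturn42);
    return result;
}

int main(void) {
    /* The question's array would be rejected here before any jump is attempted. */
    const unsigned char mz[] = { 0x4D, 0x5A, 0x90, 0x00 };
    printf("PE image rejected: %s\n", load_code(mz, sizeof mz) == NULL ? "yes" : "no");
    printf("run_demo() = %d\n", run_demo());
    return 0;
}
```

Note what this does not do: it does not turn a PE file into something you can call. Running the question's array would need a loader that parses the PE headers, maps each section at its requested alignment, applies relocations, resolves imports and then jumps to the entry point, which is the job the OS loader normally does for you.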