Custom Windows PE Loader

Hi,

I have written a PE loader so that I can execute processes from memory,
currently though it shares the address space of the loader.

Is there a way I can make this a separate process from memory? I am
assuming that I would be using undocumented APIs here that would be
subject to change, but I am OK with that currently.

Thanks
Ceri


This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email


Hello,

One suggestion would be:

  1. Have the loader CreateProcess() (in suspended mode) a dummy empty program.
  2. Have the loader inject the PE loading/fixing code (in the form of a DLL) into
     that process.
  3. That loader code will now transform that dummy/empty program into a valid
     program.
  4. The loader will unload the DLL loader (previously injected).
  5. The loader will resume the execution of the now valid process.

Hope that helps,
Elias

“Ceri Coburn” wrote in message
news:xxxxx@ntdev…

Yeah, that was going to be one of my options, but I didn’t want an empty
PE on the HDD. I was trying to use ZwCreateProcess using the parent
handle and not a section handle (kind of like a fork), but I wasn’t
quite sure where to set up a separate PEB etc…, or whether that would
even work.

Thanks
Ceri

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of lallous
Sent: 27 September 2004 09:27
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Custom Windows PE Loader
