My question is twofold:
Part One:
I was wondering if there is a way to run a software driver from a memory buffer. This buffer could be populated in a number of ways (decrypting an encrypted blob from a resource in a launching executable, or reading the encrypted blob from a socket).
I would *strongly* prefer that the decrypted driver not touch the disk. It seems easy enough to drop the decrypted driver to disk and load it.
Part Two:
Assuming there is a way to do this, is there a way to detect if someone else does it?
Also, is there a good way to monitor calls to VirtualAlloc, filtering out calls that do not set the PAGE_EXECUTE bit?
To speed things along:
Yes, I have valid reasons for wanting to do this.
No, I am not a hacker.
No, I am not developing malware.
Yes, I know bad guys would want to do this (assuming they are not already doing so).