Execute binary code

  • citronelu@yahoo.com

    Execute binary code

    Is it possible to execute a binary string stored within a python script
    as executable code ?

    The script is run under Windows, and the binary code (a full executable
    file) is stored in a variable in the script.

    I know I can use os.system() or os.popen() to run an external file, but
    these functions take as argument a string evaluated as command-line.

    I also know I could save the binary code as a temporary file, execute
    it and delete it afterwards, but this is not an alternative.

    Thanks.

  • Larry Bates

    #2
    Re: Execute binary code

    citronelu@yahoo.com wrote:
    > Is it possible to execute a binary string stored within a python script
    > as executable code ?
    >
    > The script is run under Windows, and the binary code (a full executable
    > file) is stored in a variable in the script.
    >
    > I know I can use os.system() or os.popen() to run an external file, but
    > these functions take as argument a string evaluated as command-line.
    >
    > I also know I could save the binary code as a temporary file, execute
    > it and delete it afterwards, but this is not an alternative.
    >
    > Thanks.

    What you are asking is a virus/trojan "like" program. There's no reason
    you shouldn't be able to write the code to TEMP directory and execute it.

    -Larry


    • olsongt@verizon.net

      #3
      Re: Execute binary code


      citronelu@yahoo.com wrote:
      > Is it possible to execute a binary string stored within a python script
      > as executable code ?
      >
      > The script is run under Windows, and the binary code (a full executable
      > file) is stored in a variable in the script.
      >
      > I know I can use os.system() or os.popen() to run an external file, but
      > these functions take as argument a string evaluated as command-line.
      >
      > I also know I could save the binary code as a temporary file, execute
      > it and delete it afterwards, but this is not an alternative.
      >
      > Thanks.

      It's not impossible, that's basically what I did on a smaller scale in
      pyasm:



      A small C-stub executes arbitrary asm that was originally built as a
      string. The tough part for you would be loading all of the referenced
      .dlls into memory and patching in all the relocations from the source
      COFF file. It'll be a pain but not entirely impossible.


      • citronelu@yahoo.com

        #4
        Re: Execute binary code

        Larry Bates wrote:
        > What you are asking is a virus/trojan "like" program. There's no reason
        > you shouldn't be able to write the code to TEMP directory and execute it.
        >
        > -Larry

        No, it is not about a trojan, but I guess it's pointless to try to
        convince you otherwise.

        It's not about being able to write the code to TEMP directory and
        execute it, it's about not wanting to do so.

        -Cornelius


        • Chris Mellon

          #5
          Fwd: Execute binary code

          On 8 Jan 2007 12:45:45 -0800, citronelu@yahoo.com <citronelu@yahoo.com> wrote:
          > Larry Bates wrote:
          > > What you are asking is a virus/trojan "like" program. There's no reason
          > > you shouldn't be able to write the code to TEMP directory and execute it.
          > >
          > > -Larry
          >
          > No, it is not about a trojan, but I guess it's pointless to try to
          > convince you otherwise.
          >
          > It's not about being able to write the code to TEMP directory and
          > execute it, it's about not wanting to do so.
          >
          > -Cornelius

          Writing to a temp file will be at least 3 times as easy and twice as
          reliable as any other method you come up with.


          <sigh> Repost. Is there any chance at all that ML could set the
          reply-to to the list instead of the sender?


          • citronelu@yahoo.com

            #6
            Re: Fwd: Execute binary code


            Chris Mellon wrote:
            > Writing to a temp file will be at least 3 times as easy and twice as
            > reliable as any other method you come up with.

            I'm not disputing that, but I want to keep a piece of code (a parser
            for Oracle binary dumps, that I didn't write) out of foreign hands, as
            much as possible. Using a TEMP directory is not "stealth" enough.


            • Bjoern Schliessmann

              #7
              Re: Execute binary code

              Larry Bates wrote:
              > What you are asking is a virus/trojan "like" program.

              Why? For being a trojan horse it must fake something. For being a
              virus it must replicate itself. Writing an executable doesn't imply
              the will to replicate itself.

              But you could technically achieve this with standard python too
              (just write python source and spawn a python process executing it).

              Regards,


              Björn

              --
              BOFH excuse #28:

              CPU radiator broken


              • citronelu@yahoo.com

                #8
                Re: Execute binary code


                Bjoern Schliessmann wrote:
                > But you could technically achieve this with standard python too
                > (just write python source and spawn a python process executing it).

                The code I try to execute is Windows specific and it is binary, not
                python. Furthermore, it is stored in a variable within the parent
                python script, not stored on harddisk as a file.


                • Bjoern Schliessmann

                  #9
                  Re: Execute binary code

                  citronelu@yahoo.com wrote:
                  > The code I try to execute is Windows specific and it is binary,
                  > not python. Furthermore, it is stored in a variable within the
                  > parent python script, not stored on harddisk as a file.

                  Sure, I just wanted to show that your special application is not
                  specific for trojan horses or viruses. One could achieve similar
                  replication functionality with python by itself.

                  Regards,


                  Björn

                  --
                  BOFH excuse #217:

                  The MGs ran out of gas.


                  • Gabriel Genellina

                    #10
                    Re: Fwd: Execute binary code

                    At Monday 8/1/2007 18:01, citronelu@yahoo.com wrote:
                    > Chris Mellon wrote:
                    > > Writing to a temp file will be at least 3 times as easy and twice as
                    > > reliable as any other method you come up with.
                    >
                    > I'm not disputing that, but I want to keep a piece of code (a parser
                    > for Oracle binary dumps, that I didn't write) out of foreign hands, as
                    > much as possible. Using a TEMP directory is not "stealth" enough.

                    This is what I would do (untested of course!) (Mostly using the
                    Win32 API so you'll have to use pywin32 or ctypes).

                    Call CreateFile with dwShareMode=0, FILE_ATTRIBUTE_TEMPORARY,
                    FILE_FLAG_NO_BUFFERING, FILE_FLAG_DELETE_ON_CLOSE.
                    That means that no other process could open the file, if it fits in
                    available memory probably it won't even be written to disk, and it
                    will be deleted as soon as it has no more open handles. File name
                    does not have to end in .exe.
                    Copy the desired contents into a buffer obtained from VirtualAlloc;
                    then call WriteFile; release the buffer (rounding size up to next 4KB multiple)
                    Then CreateProcess with CREATE_SUSPENDED, and CloseHandle on the
                    file, and CloseHandle on the two handles returned on
                    PROCESS_INFORMATION. At this stage, the only open handle to the
                    temporary file is held by the section object inside the process.
                    Then ResumeThread(hThread) -process begins running- and
                    WaitForSingleObject(hProcess) -wait until finishes-.
                    As soon as it finishes execution, the last handle to the file is
                    closed and it is deleted.

                    Another approach would be to go below the Windows API and use the
                    native API function NtCreateProcess -officially undocumented- which
                    receives a section handle (which does not have to be disk based). But
                    this interface is undocumented and known to change between Windows versions...

                    Or search for a rootkit...


                    --
                    Gabriel Genellina
                    Softlab SRL



                    • Chris Mellon

                      #11
                      Re: Fwd: Execute binary code

                      On 1/8/07, Gabriel Genellina <gagsl-py@yahoo.com.ar> wrote:
                      > At Monday 8/1/2007 18:01, citronelu@yahoo.com wrote:
                      > > Chris Mellon wrote:
                      > > > Writing to a temp file will be at least 3 times as easy and twice as
                      > > > reliable as any other method you come up with.
                      > >
                      > > I'm not disputing that, but I want to keep a piece of code (a parser
                      > > for Oracle binary dumps, that I didn't write) out of foreign hands, as
                      > > much as possible. Using a TEMP directory is not "stealth" enough.
                      >
                      > This is what I would do (untested of course!) (Mostly using the
                      > Win32 API so you'll have to use pywin32 or ctypes).
                      >
                      > Call CreateFile with dwShareMode=0, FILE_ATTRIBUTE_TEMPORARY,
                      > FILE_FLAG_NO_BUFFERING, FILE_FLAG_DELETE_ON_CLOSE.
                      > That means that no other process could open the file, if it fits in
                      > available memory probably it won't even be written to disk, and it
                      > will be deleted as soon as it has no more open handles. File name
                      > does not have to end in .exe.
                      > Copy the desired contents into a buffer obtained from VirtualAlloc;
                      > then call WriteFile; release the buffer (rounding size up to next 4KB multiple)
                      > Then CreateProcess with CREATE_SUSPENDED, and CloseHandle on the
                      > file, and CloseHandle on the two handles returned on
                      > PROCESS_INFORMATION. At this stage, the only open handle to the
                      > temporary file is held by the section object inside the process.
                      > Then ResumeThread(hThread) -process begins running- and
                      > WaitForSingleObject(hProcess) -wait until finishes-.
                      > As soon as it finishes execution, the last handle to the file is
                      > closed and it is deleted.
                      >
                      > Another approach would be to go below the Windows API and use the
                      > native API function NtCreateProcess -officially undocumented- which
                      > receives a section handle (which does not have to be disk based). But
                      > this interface is undocumented and known to change between Windows versions...
                      >
                      > Or search for a rootkit...
                      >
                      > --
                      > Gabriel Genellina
                      > Softlab SRL

                      Thats a lot of work to execute a binary image that can be trivially
                      recovered from the python source with 2 minutes of work (up to 15 if
                      you have to install Python and google for how to write to a file
                      first).
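
The point made just above, that an image embedded in the Python source is trivially recoverable, shown as an added triage example (not code from the thread): it walks a script's AST and reports every bytes literal or base64 string literal that carries a PE header. The sample script and the header stub inside it are constructed here; the stub is only a DOS/PE header pair, not an executable.

```python
import ast
import base64
import binascii
import struct

PE_SIG = b"PE\0\0"


def find_pe_images(blob):
    """Return (offset, machine, num_sections) for each PE header found in blob."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            # e_lfanew at DOS-header offset 0x3C points at the "PE\0\0" signature
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            hdr = pos + e_lfanew
            if hdr + 8 <= len(blob) and blob[hdr:hdr + 4] == PE_SIG:
                machine, nsect = struct.unpack_from("<HH", blob, hdr + 4)
                found.append((pos, machine, nsect))
        pos = blob.find(b"MZ", pos + 1)
    return found


def literal_payloads(source):
    """Yield (lineno, bytes) for every bytes literal and base64-decodable str literal."""
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Constant):
            continue
        if isinstance(node.value, bytes):
            yield node.lineno, node.value
        elif isinstance(node.value, str) and len(node.value) >= 32:
            try:
                yield node.lineno, base64.b64decode(node.value, validate=True)
            except (binascii.Error, ValueError):
                continue


def scan_source(source):
    """List every embedded PE image as (lineno, machine, num_sections)."""
    return [(ln, m, n) for ln, blob in literal_payloads(source)
            for _off, m, n in find_pe_images(blob)]


def make_fake_pe():
    """Constructed stand-in: DOS header pointing at a PE header, x86 (0x14c), 3 sections."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    return dos + PE_SIG + struct.pack("<HH", 0x14C, 3) + b"\0" * 16


# Constructed sample script in the shape the thread describes: the image sits in a variable.
SAMPLE_SCRIPT = (
    "import base64\n"
    "payload = '" + base64.b64encode(make_fake_pe()).decode() + "'\n"
    "raw = " + repr(make_fake_pe()) + "\n"
    "banner = 'just a string, not an executable'\n"
)

if __name__ == "__main__":
    for lineno, machine, nsect in scan_source(SAMPLE_SCRIPT):
        print(f"line {lineno}: PE image, machine=0x{machine:x}, sections={nsect}")
```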


                      • Hendrik van Rooyen

                        #12
                        Re: Execute binary code

                        "Chris Mellon" <arkanes@gmail.com> wrote:

                        > <sigh> Repost. Is there any chance at all that ML could set the
                        > reply-to to the list instead of the sender?

                        +1

                        - I regularly hit "reply all", delete the OP, and then I get :

                        "Message has a suspicious header"

                        - Hendrik



                        • Jorgen Grahn

                          #13
                          Re: Execute binary code

                          On 8 Jan 2007 12:29:36 -0800, olsongt@verizon.net <olsongt@verizon.net> wrote:
                          > citronelu@yahoo.com wrote:
                          > > Is it possible to execute a binary string stored within a python script
                          > > as executable code ?
                          > >
                          > > The script is run under Windows, and the binary code (a full executable
                          > > file) is stored in a variable in the script.
                          > >
                          > > I know I can use os.system() or os.popen() to run an external file, but
                          > > these functions take as argument a string evaluated as command-line.
                          > >
                          > > I also know I could save the binary code as a temporary file, execute
                          > > it and delete it afterwards, but this is not an alternative.
                          > >
                          > > Thanks.
                          >
                          > It's not impossible, that's basically what I did on a smaller scale in
                          > pyasm:

                          For what it's worth[1], under Unix it /is/ impossible. The only way to bring in
                          new code (short of dynamic libraries) is to call exec(2) or its variations,
                          and all need a file system object to load the code from.

                          /Jorgen
                          [1] Not much to the OP, I'd think.

                          --
                          // Jorgen Grahn <grahn@            Ph'nglui mglw'nafh Cthulhu
                          \X/ snipabacken.dyndns.org         R'lyeh wgah'nagl fhtagn!


                          • richmoore44@gmail.com

                            #14
                            Re: Execute binary code


                            Jorgen Grahn wrote:
                            > On 8 Jan 2007 12:29:36 -0800, olsongt@verizon.net <olsongt@verizon.net> wrote:
                            > For what it's worth[1], under Unix it /is/ impossible. The only way to bring in
                            > new code (short of dynamic libraries) is to call exec(2) or its variations,
                            > and all need a file system object to load the code from.

                            That's totally untrue, how do you think a JIT compiler works? For
                            example you can generate x86 assembler on the fly and call it using
                            pyASM see http://mysite.verizon.net/olsongt/usersGuide.html

                            Cheers

                            Rich.


                            • sturlamolden

                              #15
                              Re: Execute binary code


                              Jorgen Grahn wrote:
                              > For what it's worth[1], under Unix it /is/ impossible. The only way to bring in
                              > new code (short of dynamic libraries) is to call exec(2) or its variations,
                              > and all need a file system object to load the code from.

                              The x86 processor cannot tell the difference between code segments and
                              data segments. If the executable code is stored in string, all you need
                              is a pointer to the string holding the code. You can cast the string
                              address to a function pointer (possibly through a void* if the compiler
                              complains), then dereference (call) the function pointer.

                              Trojans, viruses and JIT compilers do this all the time. Here is an
                              (untested) example:

                              #include <Python.h>

                              static PyObject*
                              call_code_in_string(PyObject *self, PyObject *args)
                              {
                                  char *s;
                                  int size;
                                  int arg1, arg2, arg3;
                                  typedef int (*func_t)(int,int,int);
                                  func_t pfunc;
                                  /* "s#" hands back the string's buffer and its length */
                                  if(!PyArg_ParseTuple(args, "s#(iii)", &s, &size, &arg1, &arg2,
                                                       &arg3)) return NULL;
                                  pfunc = (func_t)((void *)s); /* if it fails, try
                                      memcpy(&pfunc,&s,sizeof(void*)) instead */
                                  return PyInt_FromLong((long)pfunc(arg1, arg2, arg3));
                              }

                              Another possibility would be to just return the string address, and
                              then make the call possibly using ctypes.

                              static PyObject*
                              get_string_addr(PyObject *self, PyObject *args)
                              {
                                  char *s;
                                  int size;
                                  if(!PyArg_ParseTuple(args, "s#", &s, &size)) return NULL;
                                  /* hand the buffer address back to Python as an integer */
                                  return PyInt_FromLong((long)((void*)s));
                              }
