Problem with running EXE from a byte() array

[sebastian nielsen]

If I have this code:
Dim fs As New System.IO.FileStream("C:\application.exe",
System.IO.FileMode.Open)
Dim br As New System.IO.BinaryReader(fs)
Dim data() as Byte
data = br.ReadBytes(Convert.ToInt32(fs.Length))
br.close()
fs.close()

Now data() contains the whole EXE in binary format, and I want to run
the binary data like the C:\application.exe was executed.

I tried with this:
Dim oAss As System.Reflection.Assembly
Dim meth As System.Reflection.MethodInfo
Dim obj As Object
oAss = System.Reflection.Assembly.Load(data)
meth = oAss.EntryPoint
obj = oAss.CreateInstance(meth.Name)
meth.Invoke(obj, Nothing)

but it stumbled on Load(data) that BadImageFormatException "It could
not read the file or collection 77824 bytes loaded from
WindowsApplication1, Version=1,0.0.0, Culture=neutral,
PublicKeyToken=null or one of its dependencys. A attempt to read in a
application with a invalid format was made"

Then I tried with another EXE, but the it stumbled on the Invoke(obj,
Nothing) that a incorrect number of parameters was supplied. The
debugger said that obj was "nothing", so apparently the
oAss.CreateInstance method failed.

I want it to work with any EXE, and the application should run the
content in the data() array like he EXE was launched itself.
I don't want to write the EXE to disk and exec it with the Shell()
method or some like that.

 

[Cor Ligthert [MVP]]

In addition to Patrice

http://www.vb-tips.com/StartProcess.aspx

Cor

 

[sebastian nielsen]

Yes, but what im doing, is that I have a encoder application, which
loads lets say c:\application.exe and makes a BASE64 string of it.
Then I put that BASE64 string as a constant into my application, and
now I want to run the BASE64 string by decoding it and then running
the contents in memory without writing the EXE to disk.

In other words, I want to hard-code a application into my application.

 

[Cor Ligthert[MVP]]

Sebastian,

This is the difference between common people like most of us and artist like
you.

We just choose the most efficient methods, you see this probably as art.

However, art has to be unique, so very much success with your creation.

Cor

 

[sebastian nielsen]

Nope. This has with security to do.

What im really doing at encoding stage, is that I load in the
application into a byte array, then encrypt it with
System.Security,Cryptography.Rijndael using a key derived from a
password with System.Security.Cryptography.Sha512
Then I encode the resulting ciphertext using Base64

Then I paste this base64 text into my other application as a string,
to password protect the child EXE.

So in the encoder, I select that I want to password protect C:
\application.exe
Then I get encoded base64 text, which I paste as a string constant in
the application.
Ill try to decode the encoded application with
System.Security.Cryptography.Rijndael with the user-supplied password,
in a try/catch-block. If incorrect password is entered, the padding
will be incorrect and then it trows a Exception.CryptographyException
which will be catched and display "Incorrect password" to user.

If decryption succeeds, I want to put the decrypted EXE in memory and
run it.

 

[Martin H.]

Hello Sebastian,

Maybe there is a way, but sooner or later you might have to deal with
functionality of the operating system which tries to prevent that.
Windows XP already has Data Execution Prevention (although by default it
is only set to "Turn on DEP for essential Windows programs and services
only") which prevents data code (as in variables) to be changed to
executable code. I don't know how that is with Vista, but I expect that
it has at least the same functionality as XP. I think that the only way
to go is to save it as a temporary file and delete it right after
execution is complete. If you want to prevent it from being copied, you
might have to lock it so that other applications cannot access it.

If your application ran only under Windows 2000/98 you could do make
data memory executable, but who is still using these dinosaurs today?

Best regards,

Martin

 

[sebastian nielsen]

I have heard that DEP is there to prevent *accidential* execution of
data code, for example a buffer owerflow from a malicious user on the
internet, that causes the overflowed code to execute.
But now I as a developer wants to intentionally execute data, so there
must be a way to place the decrypted code into executeable memory
where DEP does not care about and then execute it.

Maybe there is any windows API to put executeable code into
executeable memory and then execute it? Or some native .NET function/
library to do it.

 

[sebastian nielsen]

Its both.

First example: I want to build a application, and license it. Users
need to enter a CD-key and the application starts.
Second example: I have purcased lets say 10 licenses from a third
party vendor for a application. The license agreement says im allowed
to install this license on unlimited number of computers as long as no
more than 10 licenses are running at a given time.

Then I could use my application to encrypt the third party EXE, and
have a license server, which lends out encryption keys for licensing,
and then the client returns keys that are no longer in use. And the
server makes sure no more than 10 keys are lended out at a given time.

Third example: I want to enforce when a application on a work computer
can be started and how many times. I encrypt the EXE and have it to
fetch a key from a server. The server only allows a given number of
keys to be sent only on specific times.

Fourth example: I simply want to password protect a generic EXE so
people with physical access to my computer cannot use that EXE.

Fifth example: I want to license a application on a per-IP-basis. I
just have the license server send out encryption keys for the correct
IP.
-----------------------------------------
So Im gonna build a encryption framework that can be used for any
application protection, so I just need the ability to run a EXE stored
in a byte() array.
The ready-made libraries only "obfuscates" the code, which means they
are not encrypting it, only "hiding" it by making it harder to
understand any decompiled or disassembled code.
What I want to do is to ENCRYPT the code.
And most of the ready-made license library just locks the application
by inserting code that ask for license key or password and then jumps
to the correct location.

 

[Michel Posseth [MCP]]

Hello Sebastian

Balena once wrote an article about a simular task, you can find it here
and might be of some help for you

http://www.dotnet2themax.com/blogs/fbalena/PermaLink,guid,60e09b96-7033-4883-95b0-8ddb0b205ad3.aspx


regards

Michel Posseth [MCP]