Open Elmue opened 4 years ago
@Elmue If you managed to run your own Win32 application on Win 10 x64, that's great already!
Well, I tried to have a universal DLL/EXE loader which works as the Microsoft loader does. This means that it should load any DLL/EXE without limitations. This is sadly not the case. Something is still missing. Sometimes you want to load third party DLLs/EXEs and it really sucks when they crash. There are open source projects which do far more complicated things and they never crash. For example I use EasyHook which is a great project. It works without any problem.
With the current fancycode you can load DLLs, but starting Calc.exe or Notepad.exe from memory always fails. Calling the entry point hangs forever or crashes.
At least I know that adapting the PEB and the Loader Table is missing in fancycode. Here is the missing code:
Without the above code you can neither start Calc.exe nor Notepad.exe. It fails on ALL operating systems.
With the above code you can start Calc.exe and Notepad.exe from memory. But not on all operating systems.
1.) If an EXE file does not have a relocation table it is very probable that you cannot start it. Without a relocation table the EXE MUST run at the predefined base address (mostly 40000). If this address area is already occupied by your starter process there is no way to start this EXE. In this case recompile the EXE that you want to start. Under "Linker Options" --> "Advanced" --> "Fixed Base Address" enter "Generate a relocation section". This will add the linker command line option /FIXED:NO. After that the EXE will run at any base address.
2.) The Calc.exe on Windows 10 is not the real calculator anymore. It is only a launcher of 26 kB size which starts Calculator.exe in an AppContainer and then exits.
3.) With the above code I got the following results:
- Windows XP 32 bit: Starting a 32 bit Calc.exe and Notepad.exe works perfectly (ONLY with the above code fix).
- Windows 7 64 bit: Starting a 32 bit Calc.exe and Notepad.exe works perfectly (ONLY with the above code fix).
- Windows 7 64 bit: Starting a 64 bit Calc.exe crashes immediately and Notepad.exe crashes when you choose a font.
- Windows 10 64 bit: Starting a 32 + 64 bit Calc.exe works (Calculator.exe is launched in AppContainer).
- Windows 10 64 bit: Starting a 32 + 64 bit Notepad.exe does not work.
4.) But I can start my own MFC compiled GUI application either 32 bit or 64 bit perfectly on ALL operating systems. And even without the above PEB fix!
SUMMARY: My own EXE (with GUI) can be started, but Microsoft's EXEs not always. That's weird. I gave up getting this to work. If anybody can explain that to me, please post a comment. BTW: I have no antivirus installed and Windows Defender is disabled.
Don't forget to implement the Activation Context! https://github.com/fancycode/MemoryModule/issues/100
and fix the execution bug: https://github.com/fancycode/MemoryModule/issues/101
P.S. There is a lot of code out there using the process hollowing technique. But it has exactly the same problems. Notepad.exe can be started on XP but not on Windows 10.
Elmue
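Point 1 of the issue above turns on whether an EXE carries a base relocation directory: without one, the image can only be mapped at its preferred ImageBase, and a loader should detect that before trying. The following is an added example, not MemoryModule's code, that reads the DOS header, NT signature and optional header (PE32 and PE32+) at the offsets given in the PE/COFF specification and reports the preferred ImageBase, whether the relocation directory (entry 5) is present, and whether the DYNAMIC_BASE flag is set. The function names (`pe_inspect_relocs`, `pe_needs_fixed_base`, `build_sample_headers`) are my own; the sample headers are constructed in memory so the program runs without any file on disk and without windows.h.

```c
/* Added example (not MemoryModule code): does this PE image carry a base
 * relocation directory, or must it be mapped at its preferred ImageBase?
 * Offsets follow the PE/COFF spec; sample headers are constructed inline. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PE_DIR_BASERELOC 5       /* IMAGE_DIRECTORY_ENTRY_BASERELOC */
#define PE_DYNAMIC_BASE  0x0040  /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE */

typedef struct {
    int      is_pe32_plus;  /* 1 for a 64-bit (PE32+) image */
    uint64_t image_base;    /* preferred load address from the optional header */
    int      has_reloc_dir; /* relocation directory present with non-zero size */
    int      dynamic_base;  /* ASLR opt-in flag set in DllCharacteristics */
} pe_reloc_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Parse DOS header -> NT headers -> optional header. Returns 1 on success,
 * 0 if the buffer is truncated or a signature/magic does not match. */
int pe_inspect_relocs(const uint8_t *buf, size_t len, pe_reloc_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 64 || rd16(buf) != 0x5A4D) return 0;            /* "MZ" */
    uint32_t nt = rd32(buf + 0x3C);                             /* e_lfanew */
    if (nt > len || len - nt < 24) return 0;                    /* Signature + FileHeader */
    if (rd32(buf + nt) != 0x00004550) return 0;                 /* "PE\0\0" */
    uint16_t opt_size = rd16(buf + nt + 20);                    /* SizeOfOptionalHeader */
    size_t opt = nt + 24;
    if (opt_size < 2 || len - opt < opt_size) return 0;
    uint16_t magic = rd16(buf + opt);
    size_t base_off, nrva_off, dd_off;
    if (magic == 0x10B)      { out->is_pe32_plus = 0; base_off = 28; nrva_off = 92;  dd_off = 96;  }
    else if (magic == 0x20B) { out->is_pe32_plus = 1; base_off = 24; nrva_off = 108; dd_off = 112; }
    else return 0;
    if (opt_size < dd_off) return 0;
    out->image_base   = out->is_pe32_plus ? rd64(buf + opt + base_off) : rd32(buf + opt + base_off);
    out->dynamic_base = (rd16(buf + opt + 70) & PE_DYNAMIC_BASE) != 0;
    uint32_t nrva = rd32(buf + opt + nrva_off);                /* NumberOfRvaAndSizes */
    size_t entry = dd_off + PE_DIR_BASERELOC * 8;
    if (nrva > PE_DIR_BASERELOC && opt_size >= entry + 8) {
        uint32_t rva = rd32(buf + opt + entry), size = rd32(buf + opt + entry + 4);
        out->has_reloc_dir = (rva != 0 && size != 0);
    }
    return 1;
}

/* An image without a relocation directory can only be mapped at image_base. */
int pe_needs_fixed_base(const pe_reloc_info *info) { return !info->has_reloc_dir; }

/* Constructed sample: header-only PE32 or PE32+ image (no sections), with or
 * without a relocation directory. Returns the number of bytes written. */
size_t build_sample_headers(uint8_t *buf, size_t cap, int pe32_plus, int with_reloc)
{
    size_t opt_size = pe32_plus ? 240 : 224, nt = 64, total = nt + 24 + opt_size;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, (uint32_t)nt);
    wr32(buf + nt, 0x00004550);
    wr16(buf + nt + 4, pe32_plus ? 0x8664 : 0x014C);           /* Machine: x64 / i386 */
    wr16(buf + nt + 20, (uint16_t)opt_size);
    uint8_t *opt = buf + nt + 24;
    wr16(opt, pe32_plus ? 0x20B : 0x10B);
    if (pe32_plus) wr64(opt + 24, 0x140000000ULL); else wr32(opt + 28, 0x00400000);
    wr16(opt + 70, with_reloc ? PE_DYNAMIC_BASE : 0);           /* ASLR only with relocs */
    wr32(opt + (pe32_plus ? 108 : 92), 16);                     /* NumberOfRvaAndSizes */
    if (with_reloc) {
        size_t entry = (pe32_plus ? 112 : 96) + PE_DIR_BASERELOC * 8;
        wr32(opt + entry, 0x3000); wr32(opt + entry + 4, 0x1C);  /* .reloc RVA / size */
    }
    return total;
}

/* Wrapper: -1 if the sample fails to parse, else pe_needs_fixed_base(). */
int sample_needs_fixed_base(int pe32_plus, int with_reloc)
{
    uint8_t buf[512]; pe_reloc_info info;
    size_t n = build_sample_headers(buf, sizeof buf, pe32_plus, with_reloc);
    if (n == 0 || !pe_inspect_relocs(buf, n, &info)) return -1;
    return pe_needs_fixed_base(&info);
}

int main(void)
{
    uint8_t buf[512]; pe_reloc_info info;
    size_t n = build_sample_headers(buf, sizeof buf, 1, 0);
    pe_inspect_relocs(buf, n, &info);
    printf("PE32+ sample: ImageBase=0x%llx relocs=%d -> %s\n", (unsigned long long)info.image_base,
           info.has_reloc_dir, pe_needs_fixed_base(&info) ? "must load at ImageBase" : "relocatable");
    return 0;
}
```

In a real loader this check belongs before any allocation: when `pe_needs_fixed_base` is true and the region at `image_base` is already in use by the host process, the load cannot succeed and should fail cleanly instead of jumping to an entry point that will crash. On a file from disk, pass the first few kilobytes of the file to `pe_inspect_relocs`; only the headers are needed.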