Injecting Code into Executable at Runtime

Injecting code into executable at runtime

This is essentially how executable loaders do things; in their case they perform a mmap of a file, not an anonymous mapping, but apart from that it's essentially the same.

Note that it's a good idea not to have both write and execute access at the same time, as it makes certain types of security exploits easier. You can use mprotect to adjust the protection flags after the initial mapping.

How can I inject a file into an EXE at runtime and reference the file during program operation?

You could that easily with Mono.Cecil, you'd just have to write something like:

var module = ModuleDefinition.ReadModule ("Application.exe");

module.Resources.Add (
    new EmbeddedResource (
        "signature.xml",
        ManifestResourceAttributes.Private, 
        File.ReadAllBytes ("signature.xml")));

module.Write ("Application.exe",
    new WriterParameters {
        StrongNameKeyPair = new StrongNameKeyPair ("keypair.snk")
});

To inject the signature.xml resource from the signature.xml file, and sign back your assembly with your keypair.snk that you used to sign Application.exe.

And at runtime, you'd just have to use:

var stream = Assembly.GetExecutingAssembly ()
    .GetManifestResourceStream ("signature.xml");

To retrieve the resource.

How to programmatically inject parameters/instructions into a pre-built portable executable

Very few programmers ever need to do this sort of thing. You could go your entire career without it. I last did it in about 1983.

If I remember correctly, I had 2.exe include an assembler module with something like this (I've forgotten the syntax):

.GLOBAL TARGET
TARGET  DB 200h  ; Reserve 512 bytes

1.exe would then open 2.exe, search the symbol table for the global symbol "TARGET", figure out where that was within the file, write the 512 bytes it wanted to, and save the file. This was for a licensing scheme.

The comment from https://stackoverflow.com/users/422797/igor-skochinsky reminded me that I did not use the symbol table on that occasion. That was a different OS. In this case, I did scan for a string.

Make an executable at runtime

Building an executable from scratch is hard. First, you'd need to generate machine code for what the program would do, and then you need to encapsulate such code in an executable file. That's overkill unless you want to write a compiler for a language.

These utilities that generate a self-extracting executable don't really make the executable from scratch. They have the executable pre-generated, and the data file is just appended to the end of it. Since the Windows executable format allows you to put data at the end of the file, caring only for the "real executable" part (the exe header tells how big it is - the rest is ignored).

For instance, try to generate two self-extracting zip, and do a binary diff on them. You'll see their first X KBytes are exactly the same, what changes is the rest, which is not an executable at all, it's just data. When the file is executed, it looks what is found at the end of the file (the data) and unzips it.

Take a look at the wikipedia entry, go to the external links section to dig deeper:
http://en.wikipedia.org/wiki/Portable_Executable

I only mentioned Windows here but the same principles apply to Linux. But don't expect to have cross-platform results, you'll have to re-implement it to each platform. I couldn't imagine something that's more platform-dependent than the executable file. Even if you use C# you'll have to generate the native stub, which is different if you're running on Windows (under .net) or Linux (under Mono).

How to inject bytecode to a compiled java program without using tools?

Javassist is essentially decompiling and compiling the code, that is why there is a lot of code there.
And you won't find the type code injection you are looking for in javassist. So "Go read javassist" is a rather stupid suggestion.

If you want to put your code into an specific place(for instance in the start or constructor)
you can see how to find the spot by reading JVM docs.

However as Antimony mentioned, you are looking for bytecode knowledge, so here it is:
http://arhipov.blogspot.com.au/2011/01/java-bytecode-fundamentals.html

If you want to inject a piece of bytecode,you can just find the start of your main() and paste the code there. It will be 200-300 LOC MAX.

With linux binaries it is much easier, read this:
http://www.skyfree.org/linux/references/ELF_Format.pdf

Is it possible to locate functions from executable at runtime on Windows?

When source code is compiled into executable code, things like function and variable names are lost. Unless you have metadata like debug information database, .pdb/.dbg or a map file, .map, then you are not able to find functions in general.

If the function is exported by the module, then you can find its address with GetProcAddress.


Related Topics

Calculate Total Used Disk Space by Files Older Than 180 Days Using Find

Running R Scripts or Commands with Interpretor in Unix for Unix-Layman

What Tools Do I Need to Develop in Actionscript (In Linux)

How to Use Awk for a Compressed File

How to Implement a Practical Fiber Scheduler

How to Set Cap_Sys_Nice Capability to a Linux User

Bumping Version Numbers for New Releases in Associated Files (Documentation)

Vim Incremental Search

I Want to Use "Awk" or Sed to Print All the Lines That Start with "Comm=" in a File

Automatically Kill Process That Consume Too Much Memory or Stall on Linux

How to Compile Linux Kernel with Something Other Than Gcc

Can't Build 32Bit Wine on 64Bit Linux

How to Echo a Sum of a Variable and a Number

Shell Script Change Directory with Variable

How to Check Whether the Processor Cache Has Been Flushed Recently

What Is %Gs in Assembly

Critical Timing in an Arm Linux Kernel Driver

Errors in Make File:*** Missing Separator. Stop


Leave a reply



Submit