
How to launch an executable...

naggingmachine 2007. 8. 18. 23:10
Taken from the following link.

http://www.openrce.org/blog/view/790

...without creating it on disk. Ever wondered how to do that?
So did I. So I've taken apart an interesting executable crypter that
I found the other day. Not one of those crypters that add code/sections
to an existing PE file, but one of those crypters that embed the "target"
executable as a resource in their loader code.

The technique is simple, yet interesting (for _various_ purposes).

1. Launch a copy of the loader process in suspended mode.
2. Get the thread context of the suspended copy of the loader process.
3. Retrieve the image base of the process by parsing its PEB structure (ebx points to the PEB at process start!).
4. Free all the data belonging to the process by calling ZwUnmapViewOfSection and passing it the image base.
5. Get the SizeOfImage value of the embedded executable from its PE header.
6. Allocate a new block of memory starting at the image base, with a size equal to the SizeOfImage value.
7. Copy all the headers (PE header, section headers etc.) to the allocated block of memory.
8. Copy each section of the embedded executable to the allocated block of memory, setting its memory protection according to the section's characteristics.
9. Patch the image base in the PEB of the process so that it equals the address of the allocated block of memory.
10. Set eax in the process context to point to the entry point of the new image.
11. Resume the process, if all went well.

For a better understanding, have a look at the disassembly.
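Steps 5 to 8 are driven entirely by fields in the embedded PE header (SizeOfImage, the section table and each section's characteristics), and step 9 is what makes the result visible to a defender: once the loader has finished, the image at the PEB's image base no longer matches the file the process was started from. The following Python example is added here and is not part of the original post or of the crypter it describes. It parses a minimal PE32 header, derives the PAGE_* protection that matches each section's characteristics, and compares an on-disk header against an in-memory one to flag a replaced image. The two header blobs are constructed test data built by `build_pe32`; the field offsets and constants are those of `winnt.h`.

```python
import struct

# Section characteristic bits and page protections, as defined in winnt.h.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE = 0x01, 0x02, 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x10, 0x20, 0x40


def section_protection(characteristics):
    """Step 8 of the write-up: the PAGE_* value that matches a section's characteristics."""
    exe = bool(characteristics & IMAGE_SCN_MEM_EXECUTE)
    wr = bool(characteristics & IMAGE_SCN_MEM_WRITE)
    rd = bool(characteristics & IMAGE_SCN_MEM_READ)
    if exe:
        if wr:
            return PAGE_EXECUTE_READWRITE
        return PAGE_EXECUTE_READ if rd else PAGE_EXECUTE
    if wr:
        return PAGE_READWRITE
    return PAGE_READONLY if rd else PAGE_NOACCESS


def parse_pe32(data):
    """Read the header fields steps 5-8 depend on from a PE32 image (file or memory dump)."""
    if data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, _rawsz, _rawptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "characteristics": sc,
            "protection": section_protection(sc),
        })
    return {"entry_point": entry_point, "image_base": image_base,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sections": sections}


def compare_images(on_disk, in_memory):
    """Hollowing check: header fields where the mapped image differs from the file on disk."""
    a, b = parse_pe32(on_disk), parse_pe32(in_memory)
    diffs = [f for f in ("image_base", "entry_point", "size_of_image") if a[f] != b[f]]
    if [s["name"] for s in a["sections"]] != [s["name"] for s in b["sections"]]:
        diffs.append("sections")
    return diffs


def build_pe32(entry_point, image_base, size_of_image, sections):
    """Constructed test data: a minimal PE32 header blob (headers only, not a runnable binary)."""
    opt_size = 96  # PE32 optional header without data directories
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 32, 0x1000)               # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                # FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<I", opt, 60, 64 + 4 + 20 + opt_size + 40 * len(sections))
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


# Constructed sample: the loader's own image as on disk, and the image found in memory
# after steps 5-9 replaced it with an embedded executable of a different shape.
TEXT = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | 0x20   # IMAGE_SCN_CNT_CODE
DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40     # IMAGE_SCN_CNT_INITIALIZED_DATA
ON_DISK = build_pe32(0x1000, 0x400000, 0x5000,
                     [(b".text", 0x1000, 0x2000, TEXT), (b".data", 0x3000, 0x1000, DATA)])
HOLLOWED = build_pe32(0x2F00, 0x400000, 0x9000,
                      [(b".text", 0x1000, 0x5000, TEXT),
                       (b".rdata", 0x6000, 0x1000, IMAGE_SCN_MEM_READ | 0x40),
                       (b".data", 0x7000, 0x1000, DATA)])

if __name__ == "__main__":
    for s in parse_pe32(HOLLOWED)["sections"]:
        print(f"{s['name']:8} VA={s['va']:#08x} size={s['vsize']:#07x} protect={s['protection']:#04x}")
    print("mismatched fields:", compare_images(ON_DISK, HOLLOWED))
```

On a live system the "in-memory" side would be the headers read from the PEB's image base of the suspect process and the "on-disk" side the file its section object was created from; any mismatch in entry point, SizeOfImage or section layout is the footprint the write-up's step 9 leaves behind.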
