On 1/8/07, Gabriel Genellina <[EMAIL PROTECTED]> wrote:
> At Monday 8/1/2007 18:01, [EMAIL PROTECTED] wrote:
>
> >Chris Mellon wrote:
> > > Writing to a temp file will be at least 3 times as easy and twice as
> > > reliable as any other method you come up with.
> >
> >I'm not disputing that, but I want to keep a piece of code (a parser
> >for Oracle binary dumps, that I didn't write) out of foreign hands, as
> >much as possible. Using a TEMP directory is not "stealth" enough.
>
> This is what I would do (untested of course!) (Mostly using the
> Win32 API so you'll have to use pywin32 or ctypes).
>
> Call CreateFile with dwShareMode=0, FILE_ATTRIBUTE_TEMPORARY,
> FILE_FLAG_NO_BUFFERING, FILE_FLAG_DELETE_ON_CLOSE.
> That means that no other process could open the file; if it fits in
> available memory it probably won't even be written to disk, and it
> will be deleted as soon as it has no more open handles. The file name
> does not have to end in .exe.
> Copy the desired contents into a buffer obtained from VirtualAlloc;
> then call WriteFile; release the buffer (rounding size up to the next 4KB
> multiple).
> Then CreateProcess with CREATE_SUSPENDED, and CloseHandle on the
> file, and CloseHandle on the two handles returned in
> PROCESS_INFORMATION. At this stage, the only open handle to the
> temporary file is held by the section object inside the process.
> Then ResumeThread(hThread) -process begins running- and
> WaitForSingleObject(hProcess) -wait until it finishes-.
> As soon as it finishes execution, the last handle to the file is
> closed and it is deleted.
>
> Another approach would be to go below the Windows API and use the
> native API function NtCreateProcess -officially undocumented- which
> receives a section handle (which does not have to be disk based). But
> this interface is undocumented and known to change between Windows versions...
>
> Or search for a rootkit...
>
>
> --
> Gabriel Genellina
> Softlab SRL
That's a lot of work to execute a binary image that can be trivially recovered from the Python source with 2 minutes of work (up to 15 if you have to install Python and google for how to write to a file first).

--
http://mail.python.org/mailman/listinfo/python-list