UGN Security Forums
#20480 - 06/12/02 07:39 PM How can I save a prog. in RAM?
Anonymous
Unregistered


If I have a program running in RAM only and it's not on my hard drive, how can I save it to disk?

#20481 - 06/12/02 08:41 PM Re: How can I save a prog. in RAM?
Gremelin Offline

Community Owner
*****

Registered: 02/28/02
Posts: 7193
Loc: Portland, OR; USA
Please register a nickname before you post. To the moderator who turned everyone on in the control panel, I will be removing BOTH curse AND defcon the next time this happens.

IP of this poster: 206.130.179.100
_________________________
Donate to UGN Security here.
UGN Security, Back of the Web, Elite Web Gamers & VNC Web Design Owner

#20482 - 06/12/02 09:03 PM Re: How can I save a prog. in RAM?
SilentRage Offline
DollarDNS Owner

Registered: 03/04/02
Posts: 1273
Loc: OH, USA
Well, might as well answer the question for the unwitting fool.

The only frickin possible way for a program to run entirely in and from memory is if you have a RAM disk. RAM disks are virtual "harddrives" which take a chunk of your REAL memory for use. In that case, just copy the file from your RAM disk to your hard disk.

Since this is NOT your case - cause RAM disks haven't been used really since the reign of DOS - you just don't know what you're talking about. In the EXTREMELY UNLIKELY possibility that you can even do that, there is no way to save the file to disk unless that program gives you the option to do this. Even when a program is run from the disk - the entire thing isn't stored into memory. It's not about a file being put in memory, it's about various modules of code within that file being loaded and unloaded.
_________________________
Domain Registration, Hosting, Management
http://www.dollardns.net

#20483 - 06/12/02 10:48 PM Re: How can I save a prog. in RAM?
Le4rner Offline
UGN Supporter

Registered: 03/05/02
Posts: 562
Actually SR my Brother in law has a job doing high end video editing. He told me of a 40 gig ram hard drive that some vendor is trying to get them to buy... It can act as a HD but more importantly you have 40 FUCKING GIGS of RAM
_________________________
http://promodtecnologies.com/rrfn

#20484 - 06/13/02 06:37 AM Re: How can I save a prog. in RAM?
Gremelin Offline

Community Owner
*****

Registered: 02/28/02
Posts: 7193
Loc: Portland, OR; USA
omg, 40 gigs of ram, i'd cum over and over...
_________________________
Donate to UGN Security here.
UGN Security, Back of the Web, Elite Web Gamers & VNC Web Design Owner

#20485 - 06/13/02 08:06 AM Re: How can I save a prog. in RAM?
SilentRage Offline
DollarDNS Owner

Registered: 03/04/02
Posts: 1273
Loc: OH, USA
Yes, I'm also aware of that. I just didn't bother to mention that some businesses DO have everything running in RAM for speed. But it is a rare occurrence. They've been doing that for years.
_________________________
Domain Registration, Hosting, Management
http://www.dollardns.net

#20486 - 06/14/02 11:46 AM Re: How can I save a prog. in RAM?
Anonymous
Unregistered


Quote:
Originally posted by Gizmo:
Please register a nickname before you post. To the moderator who turned everyone on in the control panel, I will be removing BOTH curse AND defcon the next time this happens.
I have registered. You can call me anonymous, like in my sig. And what do you mean by "I will be removing BOTH curse AND defcon the next time this happens"? EDIT: My mistake, you mean the moderators. Please don't remove them, they have done nothing. I am a registered user. (number 269.)
Quote:
The only frickin possible way for a program to run entirely in and from memory is if you have a RAM disk. RAM disks are virtual "harddrives" which take a chunk of your REAL memory for use. In that case, just copy the file from your RAM disk to your hard disk.
I don't think so. Some programs you can run off the hard drive, and then delete. This doesn't alter the functionality of the program so it must all be there running in memory so there should be a way to save it.

#20487 - 06/14/02 02:36 PM Re: How can I save a prog. in RAM?
SilentRage Offline
DollarDNS Owner

Registered: 03/04/02
Posts: 1273
Loc: OH, USA
I still don't think you know what's really going on. But I'll humor you and ask for more info. Do you have a good task monitor? I recommend TaskInfo2002 which you can download from download.com. Get that, run it, look for your phantom process in it - and tell me what it says the cmd line is. This should be at least the path of the executable.

And no there's no way you can save it from RAM unless the program itself gave you that option. It is possible, but the required tools do not exist, and it may not be something a tool can do. You'd have to write a program to specifically save that program. Also, the technique you refer to in having it execute and delete itself - isn't useful and therefore I don't see why anybody would do it. Rebooting the computer would cease its existence.
_________________________
Domain Registration, Hosting, Management
http://www.dollardns.net

#20488 - 06/17/02 10:38 AM Re: How can I save a prog. in RAM?
0perator Offline
Junior Member

Registered: 06/17/02
Posts: 3
Loc: Matrix
Quote:
Originally posted by SilentRage:
I still don't think you know what's really going on. But I'll humor you and ask for more info. Do you have a good task monitor? I recommend TaskInfo2002 which you can download from download.com. Get that, run it, look for your phantom process in it - and tell me what it says the cmd line is. This should be at least the path of the executable.
I usually use process explorer by sysinternals, but I'll check it out.
Quote:
And no there's no way you can save it from RAM unless the program itself gave you that option. It is possible, but the required tools do not exist, and it may not be something a tool can do. You'd have to write a program to specifically save that program.
So I could write a program to do it then right? Are you sure you couldn't write a program that could save any program in RAM?
Quote:
Also, the technique you refer to in having it execute and delete itself - isn't useful and therefore I don't see why anybody would do it. Rebooting the computer would cease its existence.
I meant, if you have a program on your computer and you run it, then delete the program, can you save it from the RAM in which it's running in any way? Thanks for your patience.

BTW, you may have realized I was the one with the null username.

#20489 - 06/17/02 10:07 PM Re: How can I save a prog. in RAM?
SilentRage Offline
DollarDNS Owner

Registered: 03/04/02
Posts: 1273
Loc: OH, USA
I'm familiar with the sysinternals process explorer - while I'm a big fan of sysinternals... TaskInfo2002 kicks all ass.

"Are you sure you couldn't write a program that could save any program in RAM?"

Ah, what a difficult question. I wish I knew more about how programs are executed, but I'll speak from hearsay. The technique you describe may involve the program sticking its entire file into some chunk of memory. And from that memory, it will load various modules as needed. All programs have their virtual address space (literal address space is swapped in and out just like process code for the processor to enable multi-tasking) in memory to run in, and it may not be contiguous - nor ordered in any consistent fashion. So the trick is to hope that the file IS stored in a contiguous fashion in memory (or using some means of keeping track of the order of file chunks) for dumping to file. The location of the file's memory location may be determined in the program's own code. This is why it may not be possible to save just any ole program running in memory. You'd have to know the program code itself. You can probably find and copy the program's address space and stack to file using the process handle, but anything else is program-specific.

Erm, if somebody knew more than I did on the subject, they could probably point out a few things where I'm mistaken, but I hope to at least show you how difficult this undertaking would be.

But anyway, here we speak about programming theory. I'd like to know what TaskInfo2002 has to say about your phantom process.
_________________________
Domain Registration, Hosting, Management
http://www.dollardns.net

#20490 - 06/19/02 01:54 PM Re: How can I save a prog. in RAM?
Paragon Offline
Member

Registered: 06/14/02
Posts: 168
Sorry about using another username (password problems).

Phantom process? ...Oh, this is only theoretical. I don't have a "phantom process" actually running, I was just wondering if it could be done. I didn't see what you meant when you suggested taskinfo for some reason. Thanks anyway though, I like it!

About what you said:
Quote:
The location of the file's memory location may be determined in the program's own code. This is why it may not be possible to save just any ole program running in memory. You'd have to know the program code itself. You can probably find and copy the program's address space and stack to file using the process handle, but anything else is program-specific.
I don't see why that should be a problem. There are disassemblers that work by running the code (sort of) I guess in a "sandbox" environment, so you should be able to write a program that goes through the code of the program looking for all the parts that load other modules, etc. and put it back in sequence, and then save it.
Essentially, if the CPU can follow the code through and have no problem running every part of the program, then another program should be able to go through every part of the program and save it sequentially the way it must have been originally (an exe or whatever). Do you see what I mean? I think it can be done.
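
What "putting it back in sequence" involves for a Windows executable, as an added example that is not part of any post in this thread: the loaded image keeps its own headers, and the section table in them records which file offset each block of memory came from. The sample file is constructed inline with no optional header; the alignment values and function names are assumptions made for the example.

```python
import struct

SECTION_ALIGN = 0x1000  # in-memory alignment assumed for the constructed sample
FILE_ALIGN = 0x200      # on-disk alignment assumed for the constructed sample

def build_sample_pe():
    """Construct a tiny two-section PE-style file (sample data, not a real program)."""
    sections = [(b".text", b"\x90" * 0x30 + b"\xc3", 0x1000, 0x200),
                (b".data", b"constructed sample data", 0x2000, 0x400)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew lives at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, len(body), rva, FILE_ALIGN, raw_off,
                    0, 0, 0, 0, 0)
        for name, body, rva, raw_off in sections)
    image = (dos + b"PE\0\0" + coff + table).ljust(FILE_ALIGN, b"\0")
    for _, body, _, _ in sections:
        image += body.ljust(FILE_ALIGN, b"\0")
    return image

def parse_sections(buf):
    """Read the section table; the same code works on the file and on the mapped image."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    count = struct.unpack_from("<H", buf, pe + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]  # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    out = []
    for i in range(count):
        name, vsize, rva, raw_size, raw_off = struct.unpack_from(
            "<8sIIII", buf, table + 40 * i)
        out.append((name.rstrip(b"\0").decode(), vsize, rva, raw_size, raw_off))
    return out

def map_image(file_bytes):
    """Lay the file out as a loader does: headers first, each section at its RVA."""
    secs = parse_sections(file_bytes)
    hdr_len = min(s[4] for s in secs)
    end = max(rva + vsize for _, vsize, rva, _, _ in secs)
    mem = bytearray(-(-end // SECTION_ALIGN) * SECTION_ALIGN)
    mem[:hdr_len] = file_bytes[:hdr_len]
    for _, vsize, rva, raw_size, raw_off in secs:
        n = min(vsize, raw_size)
        mem[rva:rva + n] = file_bytes[raw_off:raw_off + n]
    return bytes(mem)

def unmap_image(mem):
    """Rebuild the on-disk layout from a mapped image using the headers still in it."""
    secs = parse_sections(mem)
    hdr_len = min(s[4] for s in secs)
    out = bytearray(max(raw_off + raw_size for _, _, _, raw_size, raw_off in secs))
    out[:hdr_len] = mem[:hdr_len]
    for _, vsize, rva, raw_size, raw_off in secs:
        n = min(vsize, raw_size)
        out[raw_off:raw_off + n] = mem[rva:rva + n]
    return bytes(out)
```

On a real process the loader has also applied relocations and filled in import addresses, and writable sections hold runtime state, so a file rebuilt this way matches the original only approximately. Data appended to the file outside any section is never mapped and cannot be recovered from the image.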

#20491 - 06/19/02 03:05 PM Re: How can I save a prog. in RAM?
SilentRage Offline
DollarDNS Owner

Registered: 03/04/02
Posts: 1273
Loc: OH, USA
well, if some delete-happy fricker would stop deleting posts I might be able to read what you said before to get a better idea what you were talking about.

But anyway... *grumble*... yes, you can run a disassembler and do exactly as you said. But the fact remains - it's NOT useful! NO program out there runs and deletes itself! This is what they do instead:

* Place Program1 on your desktop, and execute it.
* Program1 copies itself to another location and names itself Program2
* Program1 then terminates
* Program2 then deletes Program1 and may continue running

(to hide oneself from task monitors you may execute your program in another program's address space - I have no idea how this is done - but it has been)

From the user's point of view, the program is running and had deleted itself - but that is not the case. Windows will not allow this cause IT DOES NOT WORK THAT WAY!!! It's infuriating cause I'm one to believe that nothing is impossible, but that is so against how everything is setup. Windows is what passes the program code to the processor. Windows is what juggles all the running processes around in the processor and memory - giving each program a certain priority level in how often its code is run in that processor. Windows is in control, and all programs must adhere to its rules or it won't work! This is how all operating systems work. For a program to wrest control away from windows and to run completely on its own and only FROM memory... I just don't see the point. Until I see how this can be useful - and possible - I refuse to consider for another moment that this can be done.

So, you can't make that utility cause it would have no purpose.
_________________________
Domain Registration, Hosting, Management
http://www.dollardns.net

#20492 - 06/20/02 08:04 AM Re: How can I save a prog. in RAM?
Paragon Offline
Member

Registered: 06/14/02
Posts: 168
Quote:
Originally posted by SilentRage:
yes, you can run a disassembler and do exactly as you said. But the fact remains - it's NOT useful! NO program out there runs and deletes itself! This is what they do instead...
I know what they do. I'm not stupid. And actually it could be useful. What if you ran a program then deleted it, and decided you wanted it back? If it was still running you could use this theoretical utility to recover it.
Quote:
(to hide oneself from task monitors you may execute your program in another program's address space - I have no idea how this is done - but it has been)
Now THAT's interesting. I was wondering about this before, trying to think of a way to hide a program even from a task monitor, and thought of doing that. But I couldn't think of exactly how it would be done either...yet. Oh, and you say it HAS been done. Can you tell me how you know? Maybe post a link or something?
Quote:
For a program to wrest control away from windows and to run completely on its own and only FROM memory... I just don't see the point.
You don't see the point? If a program could run with the same amount of power as the OS (or greater) say, by intercepting the system hooks, then it could do anything! You could take control over windows. But I don't see why it couldn't be run within windows.
Quote:
Until I see how this can be useful - and possible - I refuse to consider for another moment that this can be done.
See above.
Quote:
So, you can't make that utility cause it would have no purpose.
I'm sorry, but that statement is just funny. You cannot do it because there is no reason to?! Ever heard of logic?
...Forgive me, maybe I misunderstood what you meant. I'll give you a chance to explain.

#20493 - 06/20/02 09:25 AM Re: How can I save a prog. in RAM?
SilentRage Offline
DollarDNS Owner

Registered: 03/04/02
Posts: 1273
Loc: OH, USA
"What if you ran a program then deleted it, and decided you wanted it back?"

Since windows is in control, and it has a certain way of doing things, it won't let files be deleted unless the program is first terminated. So 1: you can't delete a running program - 2: if you did delete a program - then it's not running in memory. If you try to delete the program by executing low-level instructions meant straight for the harddrive - then you run the risk of crashing windows - or at least that program.

"Oh, and you say it HAS been done. Can you tell me how you know?"

I have discussed this topic with a very knowledgeable person and he told me it has been done. He said the BackOrifice 2000 code does this. This code is freely available on the internet. I have a copy if you can't find it.

"For a program to wrest control away from windows and to run completely on its own and only FROM memory... I just don't see the point."

I did not mean that remark at face value. I don't see the point of doing all that just to be able to run from memory. It's overkill - and not worth it.

"So, you can't make that utility cause it would have no purpose."

Shall I make an example? Let's say you made a utility whose purpose is to erase a picture of an egg that some virus loves to draw to screen. Even though this virus can never be removed from the computer - unless you reformat - you can still lose no data if you run your utility that makes sure the egg is never drawn to screen. You make this utility very very smart, in how it analyzes the screen picture and filters for all egg pictures - AND hooks into various graphics API to look for telltale signs of an egg about to be drawn - and block it. Pretty powerful program no? Well, guess what. Nobody wants it. It has no purpose. There is no such thing as a program which draws eggs to the screen and cannot be removed except by reformatting. Good job son, here's a cookie.

This fits right into your theoretical utility that debugs another process looking for something that has never been done - cause nobody would want to do it anyway - cause it gains you nothing - and much better and easier and more possible and proven workable methods exist out there. And don't give me crap about - "what if it DOES happen?" - cause you cannot possibly predict all the methods a program may save itself into memory - all the techniques and formats this data may be represented in memory. Only AFTER it has been done may you make a utility which handles whatever technique they employed. THEN it will be useful - so THAT is why I don't want to know if you even can. The argument has no purpose and gains nothing.

Can I express myself any more clearly?
_________________________
Domain Registration, Hosting, Management
http://www.dollardns.net

#20494 - 06/20/02 11:18 AM Re: How can I save a prog. in RAM?
Paragon Offline
Member

Registered: 06/14/02
Posts: 168
Quote:
Originally posted by SilentRage:
Since windows is in control, and it has a certain way of doing things, it won't let files be deleted unless the program is first terminated. So 1: you can't delete a running program - 2: if you did delete a program - then it's not running in memory. If you try to delete the program by executing low-level instructions meant straight for the harddrive - then you run the risk of crashing windows - or at least that program.
Not true. I just tested it myself to make sure I was right. I copied a program, ran it, then while it was running, deleted the program from the location I ran it in. No problems.
Quote:
I have discussed this topic with a very knowledgeable person and he told me it has been done. He said the BackOrifice 2000 code does this. This code is freely available on the internet. I have a copy if you can't find it.
You have the source code? I'd be interested in looking at that. I could get the program and disassemble it, but the assembly version wouldn't help me.
Quote:
Let's say you made a utility whose purpose is to erase a picture of an egg that some virus loves to draw to screen. Even though this virus can never be removed from the computer - unless you reformat - you can still lose no data if you run your utility that makes sure the egg is never drawn to screen. You make this utility very very smart, in how it analyzes the screen picture and filters for all egg pictures - AND hooks into various graphics API to look for telltale signs of an egg about to be drawn - and block it. Pretty powerful program no? Well, guess what. Nobody wants it. It has no purpose. There is no such thing as a program which draws eggs to the screen and cannot be removed except by reformatting. Good job son, here's a cookie.
*Sigh* You don't seem to understand. I just gave you a reason why this program could be useful. Your analogy doesn't apply. I NEVER said there was a program that runs and deletes itself. I said "what if you ran a program and deleted it yourself and wanted it back". Now you were saying it couldn't be done, but it can. I just did it a couple of minutes ago when I started this post.
Quote:
...you cannot possibly predict all the methods a program may save itself into memory - all the techniques and formats this data may be represented in memory. Only AFTER it has been done may you make a utility which handles whatever technique they employed. THEN it will be useful - so THAT is why I don't want to know if you even can. The argument has no purpose and gains nothing.
...When a program runs it gets loaded into a certain part of memory, just like every other program. The program can't alter this because it has to be loaded before it can even execute any commands to change that! Since it's done the same way for each program (except maybe the difference between DOS and Win32 apps. but it's just loaded to a different part of memory which can also be checked) the program should be able to detect each program that's been loaded and follow each instruction it executes and disassemble it and compile the assembly language into a program and save it. Before you start your counter argument please check out this website. They made a very powerful program called digital cortex. Read what it can do.
