The latest articles on DEV Community by iamsopotatoe (@iamsopotatoecoder). https://dev.to/iamsopotatoecoder https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3608549%2Fe9eaea80-529a-4e2d-a441-97b7a73c82f1.jpeg https://dev.to/iamsopotatoecoder en iamsopotatoe Wed, 06 May 2026 12:15:13 +0000 https://dev.to/iamsopotatoecoder/how-i-load-an-exe-directly-into-memory-without-touching-disk-manual-pe-mapping-24le https://dev.to/iamsopotatoecoder/how-i-load-an-exe-directly-into-memory-without-touching-disk-manual-pe-mapping-24le <p>most people think running an exe means writing it to disk first. it doesn't. </p> <p>as part of building TinyLoad, a Windows PE packer, I had to write a PE loader that maps an executable directly into memory and runs it without ever creating a file. here's how it works.</p> <h2> what is a PE file </h2> <p>PE (Portable Executable) is the format Windows uses for .exe and .dll files. it's basically a structured blob with a header describing how to load it, followed by sections containing code, data, resources etc.</p> <p>to run a PE file manually you have to do what the Windows loader does — but yourself, in memory.</p> <h2> step 1: parse the headers </h2> <p>every PE starts with a DOS header, then an NT header. the NT header tells you everything you need:</p> <ul> <li> <code>SizeOfImage</code> — how much memory to allocate</li> <li> <code>ImageBase</code> — where the linker expected the binary to live</li> <li> <code>AddressOfEntryPoint</code> — where to jump to start execution</li> <li> <code>SizeOfHeaders</code> — how much of the front to copy as-is </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="n">IMAGE_DOS_HEADER</span><span class="o">*</span> <span class="n">dos</span> <span class="o">=</span> <span class="p">(</span><span class="n">IMAGE_DOS_HEADER</span><span class="o">*</span><span class="p">)</span><span class="n">data</span><span class="p">.</span><span class="n">data</span><span class="p">();</span> <span class="n">IMAGE_NT_HEADERS64</span><span class="o">*</span> <span class="n">nt</span> <span class="o">=</span> <span class="p">(</span><span class="n">IMAGE_NT_HEADERS64</span><span class="o">*</span><span class="p">)(</span><span class="n">data</span><span class="p">.</span><span class="n">data</span><span class="p">()</span> <span class="o">+</span> <span class="n">dos</span><span class="o">-&gt;</span><span class="n">e_lfanew</span><span class="p">);</span> </code></pre> </div> <h2> step 2: allocate memory and copy sections </h2> <p>allocate a block of memory the size of the image, then copy the headers in. after that, iterate the section table and copy each section to its virtual address:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="kt">void</span><span class="o">*</span> <span class="n">base</span> <span class="o">=</span> <span class="n">VirtualAlloc</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span> <span class="n">nt</span><span class="o">-&gt;</span><span class="n">OptionalHeader</span><span class="p">.</span><span class="n">SizeOfImage</span><span class="p">,</span> <span class="n">MEM_COMMIT</span> <span class="o">|</span> <span class="n">MEM_RESERVE</span><span class="p">,</span> <span class="n">PAGE_EXECUTE_READWRITE</span><span class="p">);</span> <span class="n">memcpy</span><span class="p">(</span><span class="n">base</span><span class="p">,</span> <span class="n">data</span><span class="p">.</span><span class="n">data</span><span class="p">(),</span> <span class="n">nt</span><span class="o">-&gt;</span><span class="n">OptionalHeader</span><span class="p">.</span><span class="n">SizeOfHeaders</span><span class="p">);</span> <span class="n">IMAGE_SECTION_HEADER</span><span class="o">*</span> <span class="n">sect</span> <span class="o">=</span> <span class="n">IMAGE_FIRST_SECTION</span><span class="p">(</span><span class="n">nt</span><span class="p">);</span> <span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">nt</span><span class="o">-&gt;</span><span class="n">FileHeader</span><span class="p">.</span><span class="n">NumberOfSections</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">sect</span><span class="p">[</span><span class="n">i</span><span class="p">].</span><span class="n">SizeOfRawData</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="n">memcpy</span><span class="p">((</span><span class="n">BYTE</span><span class="o">*</span><span class="p">)</span><span class="n">base</span> <span class="o">+</span> <span class="n">sect</span><span class="p">[</span><span class="n">i</span><span class="p">].</span><span class="n">VirtualAddress</span><span class="p">,</span> <span class="n">data</span><span class="p">.</span><span class="n">data</span><span class="p">()</span> <span class="o">+</span> <span class="n">sect</span><span class="p">[</span><span class="n">i</span><span class="p">].</span><span class="n">PointerToRawData</span><span class="p">,</span> <span class="n">sect</span><span class="p">[</span><span class="n">i</span><span class="p">].</span><span class="n">SizeOfRawData</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> step 3: fix relocations </h2> <p>the linker assumed the binary would load at <code>ImageBase</code>. if it lands somewhere else (which it usually does since ASLR), every absolute address in the binary is wrong by <code>delta = actual_base - preferred_base</code>.</p> <p>the relocation table tells you exactly which addresses need fixing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="kt">size_t</span> <span class="n">delta</span> <span class="o">=</span> <span class="p">(</span><span class="kt">size_t</span><span class="p">)</span><span class="n">base</span> <span class="o">-</span> <span class="n">nt</span><span class="o">-&gt;</span><span class="n">OptionalHeader</span><span class="p">.</span><span class="n">ImageBase</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="n">delta</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">auto</span><span class="o">*</span> <span class="n">rel</span> <span class="o">=</span> <span class="p">(</span><span class="n">IMAGE_BASE_RELOCATION</span><span class="o">*</span><span class="p">)((</span><span class="n">BYTE</span><span class="o">*</span><span class="p">)</span><span class="n">base</span> <span class="o">+</span> <span class="n">relDir</span><span class="o">-&gt;</span><span class="n">VirtualAddress</span><span class="p">);</span> <span class="k">while</span> <span class="p">(</span><span class="n">rel</span><span class="o">-&gt;</span><span class="n">VirtualAddress</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">WORD</span><span class="o">*</span> <span class="n">list</span> <span class="o">=</span> <span class="p">(</span><span class="n">WORD</span><span class="o">*</span><span class="p">)(</span><span class="n">rel</span> <span class="o">+</span> <span class="mi">1</span><span class="p">);</span> <span class="n">DWORD</span> <span class="n">count</span> <span class="o">=</span> <span class="p">(</span><span class="n">rel</span><span class="o">-&gt;</span><span class="n">SizeOfBlock</span> <span class="o">-</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">IMAGE_BASE_RELOCATION</span><span class="p">))</span> <span class="o">/</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">WORD</span><span class="p">);</span> <span class="k">for</span> <span class="p">(</span><span class="n">DWORD</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">count</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">((</span><span class="n">list</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">&gt;&gt;</span> <span class="mi">12</span><span class="p">)</span> <span class="o">==</span> <span class="n">IMAGE_REL_BASED_DIR64</span><span class="p">)</span> <span class="p">{</span> <span class="kt">size_t</span><span class="o">*</span> <span class="n">p</span> <span class="o">=</span> <span class="p">(</span><span class="kt">size_t</span><span class="o">*</span><span class="p">)((</span><span class="n">BYTE</span><span class="o">*</span><span class="p">)</span><span class="n">base</span> <span class="o">+</span> <span class="n">rel</span><span class="o">-&gt;</span><span class="n">VirtualAddress</span> <span class="o">+</span> <span class="p">(</span><span class="n">list</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">&amp;</span> <span class="mh">0xFFF</span><span class="p">));</span> <span class="o">*</span><span class="n">p</span> <span class="o">+=</span> <span class="n">delta</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="n">rel</span> <span class="o">=</span> <span class="p">(</span><span class="n">IMAGE_BASE_RELOCATION</span><span class="o">*</span><span class="p">)((</span><span class="n">BYTE</span><span class="o">*</span><span class="p">)</span><span class="n">rel</span> <span class="o">+</span> <span class="n">rel</span><span class="o">-&gt;</span><span class="n">SizeOfBlock</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> step 4: resolve imports </h2> <p>the import directory tells you which DLLs the binary needs and which functions to load from each. iterate the import descriptors, load each DLL, resolve each function by name or ordinal, and write the function addresses into the import address table:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="k">auto</span><span class="o">*</span> <span class="n">imp</span> <span class="o">=</span> <span class="p">(</span><span class="n">IMAGE_IMPORT_DESCRIPTOR</span><span class="o">*</span><span class="p">)((</span><span class="n">BYTE</span><span class="o">*</span><span class="p">)</span><span class="n">base</span> <span class="o">+</span> <span class="n">impDir</span><span class="o">-&gt;</span><span class="n">VirtualAddress</span><span class="p">);</span> <span class="k">while</span> <span class="p">(</span><span class="n">imp</span><span class="o">-&gt;</span><span class="n">Name</span><span class="p">)</span> <span class="p">{</span> <span class="n">HMODULE</span> <span class="n">mod</span> <span class="o">=</span> <span class="n">LoadLibraryA</span><span class="p">((</span><span class="kt">char</span><span class="o">*</span><span class="p">)((</span><span class="n">BYTE</span><span class="o">*</span><span class="p">)</span><span class="n">base</span> <span class="o">+</span> <span class="n">imp</span><span class="o">-&gt;</span><span class="n">Name</span><span class="p">));</span> <span class="k">auto</span><span class="o">*</span> <span class="n">thunk</span> <span class="o">=</span> <span class="p">(</span><span class="n">IMAGE_THUNK_DATA64</span><span class="o">*</span><span class="p">)((</span><span class="n">BYTE</span><span class="o">*</span><span class="p">)</span><span class="n">base</span> <span class="o">+</span> <span class="n">imp</span><span class="o">-&gt;</span><span class="n">FirstThunk</span><span class="p">);</span> <span class="k">auto</span><span class="o">*</span> <span class="n">orig</span> <span class="o">=</span> <span class="p">(</span><span class="n">IMAGE_THUNK_DATA64</span><span class="o">*</span><span class="p">)((</span><span class="n">BYTE</span><span class="o">*</span><span class="p">)</span><span class="n">base</span> <span class="o">+</span> <span class="n">imp</span><span class="o">-&gt;</span><span class="n">OriginalFirstThunk</span><span class="p">);</span> <span class="k">while</span> <span class="p">(</span><span class="n">orig</span><span class="o">-&gt;</span><span class="n">u1</span><span class="p">.</span><span class="n">AddressOfData</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">IMAGE_SNAP_BY_ORDINAL64</span><span class="p">(</span><span class="n">orig</span><span class="o">-&gt;</span><span class="n">u1</span><span class="p">.</span><span class="n">Ordinal</span><span class="p">))</span> <span class="p">{</span> <span class="n">thunk</span><span class="o">-&gt;</span><span class="n">u1</span><span class="p">.</span><span class="n">Function</span> <span class="o">=</span> <span class="p">(</span><span class="kt">size_t</span><span class="p">)</span><span class="n">GetProcAddress</span><span class="p">(</span><span class="n">mod</span><span class="p">,</span> <span class="p">(</span><span class="kt">char</span><span class="o">*</span><span class="p">)(</span><span class="n">orig</span><span class="o">-&gt;</span><span class="n">u1</span><span class="p">.</span><span class="n">Ordinal</span> <span class="o">&amp;</span> <span class="mh">0xFFFF</span><span class="p">));</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">auto</span><span class="o">*</span> <span class="n">name</span> <span class="o">=</span> <span class="p">(</span><span class="n">IMAGE_IMPORT_BY_NAME</span><span class="o">*</span><span class="p">)((</span><span class="n">BYTE</span><span class="o">*</span><span class="p">)</span><span class="n">base</span> <span class="o">+</span> <span class="n">orig</span><span class="o">-&gt;</span><span class="n">u1</span><span class="p">.</span><span class="n">AddressOfData</span><span class="p">);</span> <span class="n">thunk</span><span class="o">-&gt;</span><span class="n">u1</span><span class="p">.</span><span class="n">Function</span> <span class="o">=</span> <span class="p">(</span><span class="kt">size_t</span><span class="p">)</span><span class="n">GetProcAddress</span><span class="p">(</span><span class="n">mod</span><span class="p">,</span> <span class="n">name</span><span class="o">-&gt;</span><span class="n">Name</span><span class="p">);</span> <span class="p">}</span> <span class="n">thunk</span><span class="o">++</span><span class="p">;</span> <span class="n">orig</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> <span class="n">imp</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> step 5: jump to entry point </h2> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="k">using</span> <span class="n">EntryPoint</span> <span class="o">=</span> <span class="kt">void</span><span class="p">(</span><span class="n">WINAPI</span><span class="o">*</span><span class="p">)();</span> <span class="n">EntryPoint</span> <span class="n">entry</span> <span class="o">=</span> <span class="p">(</span><span class="n">EntryPoint</span><span class="p">)((</span><span class="n">BYTE</span><span class="o">*</span><span class="p">)</span><span class="n">base</span> <span class="o">+</span> <span class="n">nt</span><span class="o">-&gt;</span><span class="n">OptionalHeader</span><span class="p">.</span><span class="n">AddressOfEntryPoint</span><span class="p">);</span> <span class="n">entry</span><span class="p">();</span> </code></pre> </div> <p>that's it. the exe runs directly from the allocated memory block, no file on disk, no Windows loader involved.</p> <h2> where this is used in TinyLoad </h2> <p>TinyLoad packs your exe with LZ77 compression and VM encryption. when the packed stub runs, it decrypts and decompresses the original exe in memory, then calls this loader directly. the original exe never exists as a file — it goes straight from encrypted bytes to running process.</p> <p>full source (single .cpp file, no deps): <a href="https://github.com/iamsopotatoe-coder/TinyLoad" rel="noopener noreferrer">https://github.com/iamsopotatoe-coder/TinyLoad</a></p> cpp programming security packing iamsopotatoe Tue, 05 May 2026 13:26:48 +0000 https://dev.to/iamsopotatoecoder/i-built-a-pe-packer-with-a-custom-vm-that-randomizes-its-own-instruction-set-every-build-single-2285 https://dev.to/iamsopotatoecoder/i-built-a-pe-packer-with-a-custom-vm-that-randomizes-its-own-instruction-set-every-build-single-2285 <p>PE packers are one of those things that sound complex until you actually build one. then they sound complex again but for different reasons.</p> <p>I built TinyLoad — a Windows PE packer in a single C++ file with no external dependencies. v3 just shipped and the main change is replacing rolling XOR with a custom virtual machine for decryption.</p> <h2> what it does </h2> <p>you give it an exe. it spits out a new exe that:</p> <ol> <li>stores your original exe compressed and VM-encrypted inside itself</li> <li>at runtime, spins up a tiny VM interpreter, runs the decryption bytecode, and loads the result directly into RAM via manual PE mapping</li> </ol> <p>the packed exe never writes anything to disk. the original binary just materializes in memory and runs.</p> <h2> why a VM instead of XOR </h2> <p>rolling XOR is trivially broken. an analyst sets a breakpoint on <code>VirtualAlloc</code>, runs the stub, and dumps the decrypted payload from memory. takes about 30 seconds. the decryption loop is native x86 and immediately recognizable to any disassembler.</p> <p>the VM changes the problem completely. instead of decrypting with native x86 instructions, the stub runs a custom bytecode interpreter. the decryption logic is stored as VM bytecode — not x86. there's no native decryption loop to find.</p> <p>more importantly: the opcode table is randomly shuffled at pack time and baked into the binary. every packed file has a completely different instruction set. an analyst can't reuse their work across builds. they have to reverse the interpreter first, then figure out what the bytecode is doing.</p> <h2> how the VM works </h2> <p>20 opcodes: loads, moves, arithmetic, bitwise ops, memory read/write, jumps, halt. nothing exotic.</p> <p>at pack time:</p> <ul> <li>generate a random permutation of the 20 opcode IDs</li> <li>emit the decryption program using the shuffled opcode table</li> <li>encrypt the payload with the matching key</li> <li>store: opmap + bytecode + encrypted payload</li> </ul> <p>at runtime:</p> <ul> <li>read the opmap from the binary</li> <li>run the interpreter against the bytecode</li> <li>the bytecode decrypts the payload byte by byte</li> <li>load and execute</li> </ul> <p>the cipher is a 128-bit stream cipher using rotl/rotr key mixing. the keys are embedded as immediates directly inside the VM program — there are no separate key fields in the file format.</p> <h2> the compression </h2> <p>custom LZ77 with hash-chain matching, 64KB sliding window, and lazy evaluation. runs on the raw PE first, then VM encryption goes on top. on a 3MB test exe it compressed down to ~878KB before encryption, so the final packed output was ~1.9MB including the ~1MB stub.</p> <p>PE files compress well because of their structure — repeated import patterns, padding sections, predictable headers.</p> <h2> single file, no dependencies </h2> <p>the whole thing compiles with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>g++ <span class="nt">-o</span> TinyLoad.exe TinyLoad.cpp <span class="nt">-static</span> <span class="nt">-O2</span> <span class="nt">-s</span> </code></pre> </div> <p>no cmake, no vcpkg, no submodules. the LZ77, VM interpreter, bytecode emitter, PE loader, and resource cloner are all in one ~400 line .cpp file.</p> <h2> usage </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>TinyLoad.exe --i myapp.exe --vm --c </code></pre> </div> <p><code>--vm</code> for VM encryption, <code>--c</code> for LZ77 compression. you need at least one.</p> <h2> what's next </h2> <p>v4 is going to be PE-aware compression — preprocessing the binary structure before LZ77 to get better ratios on code sections specifically. probably also a more complex key schedule inside the VM program.</p> <p>source: <a href="https://github.com/iamsopotatoe-coder/TinyLoad" rel="noopener noreferrer">https://github.com/iamsopotatoe-coder/TinyLoad</a></p> pepacker compression packer virtualmachine iamsopotatoe Wed, 12 Nov 2025 18:39:24 +0000 https://dev.to/iamsopotatoecoder/why-i-built-my-own-windows-installer-in-c-5ap9 https://dev.to/iamsopotatoecoder/why-i-built-my-own-windows-installer-in-c-5ap9 <p>Ive been working on C# projects lately, and I kept running into the same problem: making a simple installer was way too complicated. NSIS, Inno Setup, WiX etc.. were way to complicated.</p> <p>So I decided to build my own: Flex Installer.</p> <p>What it does:</p> <p>Downloads your app from Dropbox (GitHub support coming soon)</p> <p>Installs it on Windows</p> <p>Adds an uninstaller entry in Windows Settings</p> <p>Fully customizable via a config file</p> <p>Its simple: customize the config file to your liking and add your dropbox link and done!</p> <p>Its open source on GitHub: <a href="https://github.com/iamsopotatoe-coder/Flex-Installer" rel="noopener noreferrer">https://github.com/iamsopotatoe-coder/Flex-Installer</a></p> <p>Still in early development but it works.</p> <p>Id love to hear feedback, suggestions, or ideas for features from anyone!</p> programming csharp resources sideprojects