Execute a child process that is not on the filesystem but in memory?

jochemstoel profile image Jochem Stoel ・1 min read

I have been hanging on something for a while, maybe someone can explain it to me as if I'm five.

Is it possible to execute a child process from memory? For instance HTTP request an executable file foo.exe and exec/spawn it from buffer? I can't imagine it has to be on the filesystem.

I tried npm installing browserfs but I get stuck on the same thing.


markdown guide

I'd have to try this out, but on Linux, you should be able to use memfd_create to create a file handle to a chunk of memory, use file I/O to write to it, and use fork + execve + /dev/fd/{file_descriptor_number} to run the program. I don't know how the region of memory allocated by memfd_create and execve would interact, but I think it should work fine! If not, you could always create a temporary file, unlink it, and then use the same fork + execve + /dev/fd/{file_descriptor_number} trick.

Out of curiosity, what made you think of this? Why would you like to avoid the filesystem?


Initially I wanted to measure the performance difference of (repeatedly) executing from RAM rather than filesystem but now it has become somewhat of an obsession and I just have to know if it is possible and how to do it.

Do you know the Windows equivalent (if any) of what you are describing?


I'm sorry - my experience with programming on Windows is very limited. A cursory look at CreateProcess seems to hint that the program needs to reside on the filesystem.

Regarding the performance difference, I would expect that if you're starting the same program repeatedly, any advantage you would gain from loading the program image from RAM would be made up, since the program and its libraries would all likely be in the OS' filesystem cache after the first run. But, I haven't measured this, so I can't say for sure!


As has been noted - using techniques like this will make your code smell like malware, and probably set off a heap of heuristic alerts, however for learning purposes, Joachim Bauch provides a good tutorial on Windows, and of course SO has things to say:


Effectively you are re-implementing the binary loader (PE/COFF or ELF usually) that's built into the kernel.

Note that this becomes waay easier with a runtime like the JVM, which explicitly supports creating new executable objects from memory buffers:


Create a small ramdisk. Then use it as storage.

You'll need to call a low-level library/executable that creates the ramdisk for you.

Performance benefits should be negligible when compared to running multiple times from an SSD.

A related option is RunPE, commonly used in malware, but the general advice is "don't do it". It has side effects, including being flagged as a potential virus by antivirus software.