I am dumping a sample of relec malware to hexadecimal using xxd to embed it in a c++ file and execute it with createprocess. When I get the hexadecimal relec file I copy it to an array and write it to disk. I call createprocess to execute the relec executable but I get the following error message: "The program can´t be run because it is incompatible with 64-bits Windows Versions...". Maybe the problem is that using xxd modify the content of the malware. I have also tried online conversors and it fails showing the same message. If the original exe is called with createprocess it work but I need it to be embedded. I use Linux to use xxd and use the resulting dump in windows 10. The IDE I am using is visual studio community 2019. Here is the code:
unsigned char relec[] = {
0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
0xff, 0xff, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00...
void main(){
FILE* f = fopen("relec", "w");
fwrite(relec, sizeof(relec), 1, f);
fclose(f);
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));
if (!CreateProcessA("relec", // No module name (use command line)
NULL, // Command line
NULL, // Process handle not inheritable
NULL, // Thread handle not inheritable
FALSE, // Set handle inheritance to FALSE
0, // No creation flags
NULL, // Use parent's environment block
NULL, // Use parent's starting directory
&si, // Pointer to STARTUPINFO structure
&pi) // Pointer to PROCESS_INFORMATION structure
)
{
printf("CreateProcess failed (%d).\n", GetLastError());
return;
}
}
I changed the fopen writing mode. Instead I used the write binary mode as @TedLyngmo suggested. Thank u all for your answers.