RunPE
Failed to run with "file-to-pretend-to-be"
I have some issues with the file-to-pretend-to-be option. I'm trying to run net.exe with svchost.exe and it gives the above error:
RunPE.exe ---f C:\Windows\System32\svchost.exe ---b QzpcV2luZG93c1xTeXN0ZW0zMlxuZXQuZXhl ---a bG9jYWxncm91cCBhZG1pbmlzdHJhdG9ycw==
[*] Running base64 encoded binary as file C:\Windows\System32\svchost.exe with args: 'localgroup administrators'
[*] Mapping PE into memory
[*] Mapped PE Base Address: 0x0
[-] Error running RunPE: System.ArgumentNullException: Value cannot be null.
Parameter name: destination
at System.Runtime.InteropServices.Marshal.CopyToNative(Object source, Int32 startIndex, IntPtr destination, Int32 length)
at RunPE.Patchers.PEMapper.MapPEIntoMemory(Byte[] unpacked, PELoader& peLoader, Int64& currentBase) in C:\Users\user\Desktop\RunPE-main\RunPE\Patchers\PEMapper.cs:line 31
at RunPE.Program.Main(String[] args) in C:\Users\user\Desktop\RunPE-main\RunPE\Program.cs:line 53
Update MapPEIntoMemory
so it doesn't try to copy 0-sized sections
// Skip sections that have no raw data in the file (SizeOfRawData == 0); there is nothing to copy for them.
if (_pe.ImageSectionHeaders[i].SizeOfRawData > 0)
{
    Marshal.Copy(_pe.RawBytes, (int)_pe.ImageSectionHeaders[i].PointerToRawData, y, (int)_pe.ImageSectionHeaders[i].SizeOfRawData);
}
Hi @IlanKalendarov, the ---b option takes the base64 blob of the file bytes, not the name; if you change that it should work.
The idea is it can be run down C2 where you can provide the bytes to any file to run without having to drop that file to disk.
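The mix-up in this thread can be caught by inspecting the `---b` value before anything is mapped. The following is an added example, not RunPE's code: it decodes the argument, reports whether it is a PE image or plain text such as a path, and lists sections whose SizeOfRawData is 0 (the case the patch above skips). The function names and the header-only sample are constructed for illustration.

```python
import base64
import struct

def inspect_b64_payload(arg):
    """Decode a base64 argument and report whether it holds a PE image."""
    raw = base64.b64decode(arg, validate=True)
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        # No DOS header: show the decoded text so a mistaken path is obvious.
        return {"is_pe": False, "decoded": raw.decode("utf-8", "replace")}
    e_lfanew, = struct.unpack_from("<I", raw, 0x3C)
    if raw[e_lfanew:e_lfanew + 4] != b"PE\0\0" or e_lfanew + 24 > len(raw):
        return {"is_pe": False, "decoded": None}
    # The 20-byte COFF header follows the 4-byte signature.
    num_sections, = struct.unpack_from("<H", raw, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", raw, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(raw):
            break  # truncated section table
        name = raw[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20.
        size_of_raw, ptr_to_raw = struct.unpack_from("<II", raw, off + 16)
        sections.append((name, size_of_raw, ptr_to_raw))
    empty = [name for name, size, _ in sections if size == 0]
    return {"is_pe": True, "sections": sections, "empty_sections": empty}

def build_sample_pe():
    """Constructed header-only sample: .text has raw data, .bss has none."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x22)

    def section(name, vsize, vaddr, raw_size, raw_ptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr,
                           raw_size, raw_ptr, 0, 0, 0, 0, 0)

    return (dos + b"PE\0\0" + coff
            + section(b".text", 0x100, 0x1000, 0x200, 0x200)
            + section(b".bss", 0x400, 0x2000, 0, 0))

if __name__ == "__main__":
    # The ---b value from the command in this thread.
    print(inspect_b64_payload("QzpcV2luZG93c1xTeXN0ZW0zMlxuZXQuZXhl"))
    print(inspect_b64_payload(base64.b64encode(build_sample_pe()).decode()))
```

The same decode-and-check step is useful when triaging logged command lines, since it separates encoded paths from encoded executables.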