Starting Application Directly from Memory

Overview

Once you have a virtual executable file created in memory, you can start an application directly from it — without ever writing it to disk.

Any standard Windows process-creation API can be used, such as CreateProcess, WinExec, or ShellExecute.
BoxedApp SDK intercepts these calls and recognizes when a process is being created from a virtual file.

How It Works

When a process creation request targets a virtual executable, BoxedApp SDK automatically performs the following steps:

1. Loads a small stub executable.
2. Creates a process based on that stub (in suspended mode).
3. Injects the contents of the virtual executable file into the process memory.
4. Passes control to the injected executable’s entry point.

This results in a virtual process, which behaves exactly like a normal Windows process — except it originated entirely from memory.

Example

#include "BoxedAppSDK.h"
 
void RunAppFromMemory(const BYTE* pData, DWORD dwSize)
{
  BoxedAppSDK_Init();
 
  // Create a virtual EXE file in memory
  HANDLE hFile = BoxedAppSDK_CreateVirtualFile(
      _T("MyVirtualApp.exe"),
      GENERIC_WRITE,
      FILE_SHARE_READ,
      NULL,
      CREATE_ALWAYS,
      0,
      NULL);
 
  DWORD written;
  WriteFile(hFile, pData, dwSize, &written, NULL);
  CloseHandle(hFile);
 
  // Run the virtual EXE directly from memory
  STARTUPINFO si = { sizeof(si) };
  PROCESS_INFORMATION pi = { 0 };
 
  if (CreateProcess(
          _T("MyVirtualApp.exe"),
          NULL,
          NULL,
          NULL,
          FALSE,
          0,
          NULL,
          NULL,
          &si,
          &pi))
  {
      WaitForSingleObject(pi.hProcess, INFINITE);
      CloseHandle(pi.hProcess);
      CloseHandle(pi.hThread);
  }
}

uses
Windows, BoxedAppSDK;
 
procedure RunAppFromMemory(pData: Pointer; dwSize: DWORD);
var
hFile: THandle;
written: DWORD;
si: TStartupInfo;
pi: TProcessInformation;
begin
BoxedAppSDK_Init();
 
// Create a virtual EXE file in memory
hFile := BoxedAppSDK_CreateVirtualFile('MyVirtualApp.exe',
  GENERIC_WRITE, FILE_SHARE_READ, nil, CREATE_ALWAYS, 0, 0);
 
WriteFile(hFile, pData^, dwSize, written, nil);
CloseHandle(hFile);
 
// Start the application directly from memory
ZeroMemory(@si, SizeOf(si));
si.cb := SizeOf(si);
ZeroMemory(@pi, SizeOf(pi));
 
if CreateProcess('MyVirtualApp.exe', nil, nil, nil, False, 0, nil, nil, si, pi) then
begin
  WaitForSingleObject(pi.hProcess, INFINITE);
  CloseHandle(pi.hProcess);
  CloseHandle(pi.hThread);
end;
end;

Benefits

• Run executables directly from memory, no disk writes required
• Enables secure and portable execution scenarios
• Prevents tampering or inspection of files
• Works seamlessly with all standard process creation APIs

See Also

• BoxedAppSDK_CreateVirtualFile
• Virtual Process
• Virtual Environment