flat assembler
Message board for the users of flat assembler.

How to modify file on process running
hihelp



Joined: 15 Dec 2011
Posts: 17
hihelp 24 Dec 2011, 20:00
Hello everyone!
Merry Christmas!

I have a problem: when a process is running, how can I change the process's file?
Because the file has been mapped into memory, how can I modify the process's own file code before exit?

Thank you!

_________________
This guy is clever, what also did not leave.
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20485
Location: In your JS exploiting you and your system
revolution 25 Dec 2011, 01:09
You can't modify the active process's exe file because it is locked by the OS.

You can do this:
  1. Open a new process with a different exe file; or inject code into an existing process.
  2. Close the original process.
  3. Modify the original file from the new process.
Also search for "self deleting exe"; it uses similar tricks to enable manipulation of running exe files. But all of the tricks still require you to stop the current exe; you will never be able to modify it while it is still active.
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 25 Dec 2011, 14:33
Stopping your executable and launching another exe is the only way to do this reliably - and even that will trigger some anti-malware applications.

Injecting code into other processes to do the modification will trigger even more anti-malware, and hacks like attempting to unmap your executable and keep running from VirtualAlloc'ed memory are simply too fragile.
hihelp



Joined: 15 Dec 2011
Posts: 17
hihelp 25 Dec 2011, 20:08
Thanks to revolution and f0dder for the replies.
So, not using another process to modify the process itself and its exe file,
what I mean is to use UnmapViewOfFile and similar functions to modify the process itself...

Can it be done this way?

Thanks for everybody!
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 25 Dec 2011, 20:15
hihelp wrote:
what I mean is to use UnmapViewOfFile and similar functions to modify the process itself...
DON'T do that - you're lucky if it works, it's a major hack.

As revolution said, launch a second exe, terminate current process, let the second exe modify the first one, and (possibly) re-launch the first exe.

_________________
Image - carpe noctem
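The "second exe" from revolution's steps and f0dder's reply, as an added example that is not code from any poster in this thread: a fasm helper that retries an exclusive write-open on the original exe, which fails with a sharing violation until the original process has exited, and then appends settings bytes. The file name `app.exe`, the appended bytes, the constant name `SHARING_VIOLATION` and the 10-second retry budget are assumptions.

```asm
; Added example: helper ("second exe") side of the hand-off.
; Assumptions: target name, appended bytes and retry budget are hypothetical.
format PE console
entry start
include 'win32a.inc'

SHARING_VIOLATION = 32            ; Win32 ERROR_SHARING_VIOLATION, named locally

section '.data' data readable writeable
  target   db 'app.exe',0         ; hypothetical: the original exe, same directory
  blob     db 'volume=7',13,10    ; hypothetical settings bytes to append
  blob_len = $ - blob
  written  dd ?

section '.code' code readable executable
start:
        mov     ebx,100                 ; retry budget: 100 x 100 ms = 10 s
  .retry:
        ; dwShareMode = 0: the open succeeds only once nobody else holds the file
        invoke  CreateFile,target,GENERIC_WRITE,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
        cmp     eax,-1                  ; INVALID_HANDLE_VALUE
        jne     .opened
        invoke  GetLastError
        cmp     eax,SHARING_VIOLATION   ; original exe still running (or file in use)
        jne     .fail                   ; any other error: stop, do not spin
        invoke  Sleep,100
        dec     ebx
        jnz     .retry
  .fail:
        invoke  ExitProcess,1
  .opened:
        mov     esi,eax                 ; esi/edi/ebx survive stdcall API calls
        invoke  SetFilePointer,esi,0,0,FILE_END
        invoke  WriteFile,esi,blob,blob_len,written,0
        mov     edi,eax                 ; 0 = write failed
        invoke  CloseHandle,esi
        test    edi,edi
        jz      .fail
        invoke  ExitProcess,0

section '.idata' import data readable writeable
  library kernel32,'KERNEL32.DLL'
  include 'api\kernel32.inc'
```

The original program starts this helper and then exits; the helper's exit code (0 or 1) tells a launcher whether the write happened.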
hihelp



Joined: 15 Dec 2011
Posts: 17
hihelp 26 Dec 2011, 14:38
I cried..thanks
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 28 Dec 2011, 01:08
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20485
Location: In your JS exploiting you and your system
revolution 28 Dec 2011, 06:58
typedef wrote:
Here's a good read http://en.wikipedia.org/wiki/Self_modifying_code
That is a different thing from what the OP is asking.
JohnFound



Joined: 16 Jun 2003
Posts: 3499
Location: Bulgaria
JohnFound 28 Dec 2011, 09:07
Indeed, you can use self-modifying programs, as long as everything happens in memory. Writing it to the .exe file is a problem.
It is sad, because it was very useful in the old DOS days to keep preferences and settings directly in the executable file. Now the programmer is forced to use external files for this simple task.
hihelp



Joined: 15 Dec 2011
Posts: 17
hihelp 28 Dec 2011, 13:46
Thanks everyone!
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.