Writing to a running (in-use) executable file
There are some methods of writing to an in-use file, like ForceDel, but they can't write to a running executable file. Maybe some Ring-0 instructions can do this job?! :confused:
|
Writing to a running file is very dangerous. When the system is low on memory, it may reload code from the file. If you modify the file, it may crash.
|
I know my job. Thanks for your advice.
|
Windows XP SP2 doesn't block the executing file. You may delete, write, and execute it again.
|
:eek: No, this is not true. I'm using SP2.
|
omidgl, I think it would be too hard to write to the file being executed, since the file is exclusively locked by Windows for write access; this is necessary for the memory manager to behave correctly.
There is a tool called Unlocker that can close exclusive file handles (it uses a kernel-mode driver internally). But Unlocker won't help you in this case; it says it failed to find exclusive file handles for the process being executed. The best you can do is to rename the executable (WinNT doesn't prevent this), then copy the file data back to the original file and modify the original file as you need. |
How does OllyDbg work when copying to the executable and overwriting the old exe?
|
@heXer
I don't know 100%, but to me it seems Olly writes modifications back when closing / restarting the exe. |
@heXer:
Olly creates a backup file at 44d8f1 and moves the specified exe to the backup with MoveFileA, which will delete the running file, and you can write whatever you want in its place. An old trick I've been using for a long time. |
Quote:
OD lets you save as a new one. |
@deroko:
You are right. It will create a .bak file; the .bak file is locked, and the old exe can be written freely by another program. But OD itself can modify it one time only. @goldenegg: I can use OD to overwrite the exe file being debugged. |
The final result and the answer is that it's not possible to overwrite a running exe or dll file, because the system uses the exe file's pages instead of using the system page file.
|
1 Attachment(s)
My test app:
1. Run running.exe.
2. Run unlock_running.exe.
3. Modify running.exe using any editor.
4. Did you write to running.exe successfully? |
@heXer
Your attachment: threat detected by NOD32, Win32/PSW.Legendmir.SY trojan, but I don't see anything harmful to my computer :) Quote:
I can write to running.exe. |
Don't forget cache implications...
Git |
Quote:
How did you solve the problem? |
@Teerayoot
NOD32 is too foolish. |
Quote:
MoveFileA(<original.exe>, <original.bak>);
CopyFileA(<original.bak>, <original.exe>);
WaitForSingleObject(hProcess, INFINITE);
DeleteFileA(<original.bak>);
Just as I've proposed above. Nothing extremely interesting. :) |
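The sequence quoted in that post, and heXer's three-step test above it, written out as a PowerShell demonstration. This is an added example, not code from the thread or from OllyDbg: it stages a copy of a harmless system binary (ping.exe) at a constructed path under %TEMP%, keeps it running, and then shows the three facts the thread establishes: the running image refuses a write-open, a rename of the running image is accepted and the lock follows the renamed file, and the copy placed back at the original path is an ordinary, writable file. The file names are placeholders, and it only runs on Windows.

```powershell
# Added example, not from the thread. Demonstrates the rename-then-copy
# sequence from the post above on a constructed target. Paths are placeholders.
$exe    = Join-Path $env:TEMP 'running_demo.exe'   # constructed path
$backup = "$exe.bak"

function Test-WriteOpen {
    param([string]$Path)
    # Open for ReadWrite with FileShare.Read: on an image that is mapped by a
    # running process this fails with a sharing violation; on an ordinary file
    # it succeeds. Returns $true when the write-open worked.
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::ReadWrite,
                                     [System.IO.FileShare]::Read)
        $fs.Dispose()
        return $true
    } catch {
        return $false
    }
}

# Stage a harmless copy of ping.exe and keep it busy for about a minute.
Copy-Item -LiteralPath "$env:SystemRoot\System32\ping.exe" -Destination $exe -Force
$proc = Start-Process -FilePath $exe -ArgumentList '-n','60','127.0.0.1' -PassThru -WindowStyle Hidden

try {
    # 1. The running image is locked against write access.
    "1. write-open on running image      : $(Test-WriteOpen $exe)"

    # 2. A rename is allowed even though the image is mapped (MoveFileA in the post),
    #    and the lock travels with the renamed file.
    Move-Item -LiteralPath $exe -Destination $backup -Force
    "2. renamed; write-open on the .bak   : $(Test-WriteOpen $backup)"

    # 3. A fresh copy at the original path is an ordinary file (CopyFileA in the post).
    Copy-Item -LiteralPath $backup -Destination $exe
    "3. write-open on the new copy        : $(Test-WriteOpen $exe)"

    # 4. The backup cannot be deleted while the process still maps it ...
    try {
        Remove-Item -LiteralPath $backup -ErrorAction Stop
        "4. delete .bak while running         : succeeded"
    } catch {
        "4. delete .bak while running         : refused ($($_.Exception.GetType().Name))"
    }
}
finally {
    # ... so the post waits for the process (WaitForSingleObject) before DeleteFileA.
    # Here the demo process is stopped instead, then the staged files are cleaned up.
    Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
    $proc.WaitForExit()
    Remove-Item -LiteralPath $backup, $exe -Force -ErrorAction SilentlyContinue
}
```

Expected on a normal Windows system: step 1 and step 2 report False, step 3 reports True, and step 4 is refused until the process has exited. The same pattern (rename the mapped image, drop a new file at the original path, delete the old one after the process is gone) is what self-updating installers rely on, which is why a defender should not assume that a binary on disk matches the image a long-running process is executing; compare the running image's path and hash rather than the file that now sits at the original name.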
If you have time to spend and admin rights on the system, you might try to play with "\\.\PhysicalDriveN" access (CreateFile & DeviceIoControl). Be careful, anyway. |
If your file system is NTFS, you could get into very big trouble when accessing the drive at the physical level, since much of NTFS is still undocumented and many structures change with every Windows version (or even service pack).
My idea would be to use WinHex scripting. I don't know if this works, but with the normal WinHex you can hex-edit files directly on disk when browsing physical or logical disks. So I guess with the WinHex scripting system you could do the same. |
And buggy...
I faced an incredible NTFS bug that blocked, in order: WinXP, Win2k, the WinXP installer CD, the Win2k installer CD, UBCD WinXP (!!). I installed Linux on a freshly mounted HD (the only way to run software), formatted the 1st partition to FAT, and recovered there. *Deadly* code somewhere... |