#1
Writing to a running (in-use) executable file
There are some methods of writing to an in-use file, like ForceDel, but they can't write to a running executable file. Maybe some Ring-0 instructions can do this job?

#2
Writing to a running file is very dangerous. When the system is low on memory, it may reload code from the file. If you modify the file, it may crash.

#3
I know my job. Thanks for your advice.

#4
Windows XP SP2 doesn't block the executable file. You may delete it, write to it, and execute it again.

#5
No, this is not true. I'm using SP2.

#6
omidgl, I think it would be too hard to write to the file being executed, since the file is exclusively locked by Windows for write access. This is necessary for the memory manager to behave correctly.
There is a tool called Unlocker that can close exclusive file handles (it uses a kernel-mode driver internally). But Unlocker won't help you in this case: it says it failed to find exclusive file handles for the process being executed. The best you can do is to rename the executable (WinNT doesn't prevent this), then copy the file data back to the original file and modify the original file as you need.
Last edited by Sten; 11-13-2005 at 19:42.

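The behaviour described in the post above (write access to a running image is refused, a rename is allowed), as an added PowerShell example that is not part of the original thread. It assumes a Windows host where a copy of cmd.exe can run from a scratch directory; the directory and file names are made up for the demonstration.

```powershell
# Added example (not from the thread). Assumption: a copy of cmd.exe can run
# from a scratch directory; all paths below are constructed for the demo.
$dir = Join-Path $env:TEMP 'running-exe-demo'
$exe = Join-Path $dir 'running.exe'
$old = Join-Path $dir 'running.old'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Copy-Item "$env:SystemRoot\System32\cmd.exe" $exe -Force

# Start the copy so its image is mapped by the memory manager.
$proc = Start-Process -FilePath $exe -ArgumentList '/k' -WindowStyle Hidden -PassThru
Start-Sleep -Seconds 1

try {
    # 1. Opening the mapped image for writing is refused, even though we
    #    offer every share mode ourselves.
    try {
        $fs = [System.IO.File]::Open($exe, 'Open', 'Write', 'ReadWrite,Delete')
        $fs.Dispose()
        'write open: succeeded (unexpected)'
    } catch {
        "write open: refused -> $($_.Exception.Message)"
    }

    # 2. Renaming the running image is allowed; the process keeps running
    #    from the renamed file.
    Rename-Item -Path $exe -NewName (Split-Path $old -Leaf)
    "rename: ok, process alive = $(-not $proc.HasExited)"

    # 3. Put a fresh copy under the original name. This copy is not mapped,
    #    so it can be opened for writing.
    Copy-Item $old $exe
    $fs = [System.IO.File]::Open($exe, 'Open', 'ReadWrite', 'None')
    "new copy: writable = $($fs.CanWrite)"
    $fs.Dispose()
    # The running process is still backed by running.old; changes to the new
    # copy only take effect the next time running.exe is started.
}
finally {
    Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
    Start-Sleep -Milliseconds 500
    Remove-Item $dir -Recurse -Force -ErrorAction SilentlyContinue
}
```
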
#7
How does OllyDbg work when you copy to executable and overwrite the old exe?

#8
@heXer
I don't know 100%, but to me it seems Olly writes modifications back when closing / restarting the exe.

#9
@heXer:
Olly creates a backup file at 44d8f1 and moves the specified exe to the backup with MoveFileA, which will delete the running file, and you can write whatever you want in its place. An old trick I was using a long time ago.

#10
Quote:
OD lets you save as a new one.

#11
@deroko:
You are right. It will create a bak file, the bak file is locked, and the old exe can be written freely by other programs. But OD itself can modify it one time only.
@goldenegg: I can use OD to overwrite the exe file being debugged.
__________________
UpK http://www.unpack.cn

#12
The final result and the answer is that it's not possible to overwrite a running exe or dll file, because the system uses the exe file pages instead of using the system page file.

#13
My test app:
1. Run running.exe.
2. Run unlock_running.exe.
3. Modify running.exe using any editor.
4. Did you succeed in writing to running.exe?

#14
@heXer
Your attachment: threat detected by NOD32, Win32/PSW.Legendmir.SY trojan, but I see any harmful to my computer.
Quote:
I can write to running.exe.

#15
Don't forget cache implications...
Git