Writing to a running (in-use) executable file

omidgl · #1 11-12-2005, 12:42

There are some methods of writing to an in-use file like ForceDel but they can't write to a running executable file. Maybe some Ring-0 instructions can do this job ?!!!!!!!

#2 11-12-2005, 14:21

Writing to a file running is very danger. When system has lower memory. It may reload code from the file. If you modify the file. It may crash.

omidgl · #3 11-12-2005, 15:10

I know my job. Thanx 4 Your Advice.

#4 11-12-2005, 23:25

Windows XP SP2 don't block execute file. You may delete,write,and execute again him.

omidgl · #5 11-13-2005, 03:41

no this is not true. I'm using SP2.

Sten · #6 11-13-2005, 19:39

omidgl, I think it would be too hard to write to the file being executed since the file is exclusively locked by windows for write access - it is nessesary for the memory manager be behave correctly.

There is a tool called Unlocker that can close exclusive file handles (it uses kernel mode driver internally). But Unlocker won't help you in this case - it say's it failed to find exclusive file handles for the process being executed.

The best you can do is to rename the executable (WinNT dosn't prevent this), then copy the file data back to the original file and modify the original file as you need.

heXer · #7 11-13-2005, 19:56

How does ollydbg works when copy to executale and overwrite the old exe?

MaRKuS-DJM · #8 11-13-2005, 20:09

@heXer
i don't know 100%, but to me it seems olly writes modifications back when closing / restarting the exe.

deroko · #9 11-14-2005, 10:55

@heXer:
olly creates backup file at : 44d8f1 and moves specified exe to backup with movefilea which will delete running file and you can write to it's place whatever you want. Old trick I've been using long time ago.

#10 11-14-2005, 14:55

Quote:

Originally Posted by heXer

How does ollydbg works when copy to executale and overwrite the old exe?

You can't use od to overwrite an existing running executable file.
od lets you save as a new one.

fly [CUG] · #11 11-14-2005, 15:16

@deroko:
You are right.It will create a bak file,the bak file is locked,and the old exe can be write freely by other program.But od itself can modify one time only.
@goldenegg :
I can use od to overwrite the exefile being debugged.

memo-5 · #12 11-14-2005, 18:00

The finall result and the answer is that it's not possible to overwrite a running exe, dll file because the system use the exe file pages instead of using the system page file.

heXer · #13 11-14-2005, 21:29

My test app:
1. Run the running.exe.
2. Run the unlock_running.exe.
3. Modify running.exe use any editor.
4. Have you write to running.exe success?

Teerayoot · #14 11-15-2005, 00:02

@heXer

your attachment .
Threat detected by nod32.

Win32/PSW.Legendmir.SY trojan
but i see any harmfull to my computer

Quote:

4. Have you write to running.exe success?

After runn unlock_running.exe
i can write to running.exe.

Git · #15 11-15-2005, 00:16

Don't forget cache implications...

Git

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Running program from memory	Spiyre	General Discussion	6	09-18-2004 09:34
Need to find a pattern in a running file	merlin	General Discussion	14	07-20-2002 06:59