How I Can Edit A Exe File When It's Run

Question

1.22/5 (2 votes)

See more:

i want to change some byte of an .exe file that is running in my source file to destroy it(NOT DELETE) and not run next time. how i can do this?

assume that my source file is Test.C, i want to write a code in this source file that change some byte of my Tese.exe file before exit. i can delete this exe file completely befor exit with http://www.catch22.net/tuts/self-deleting-executables[^]
can i use a second executable file like test2.exe to write on test1.exe in runtime? if this is possible,how?

Posted 11-Mar-14 8:40am

ninomimi

Updated 11-Mar-14 9:02am

v2

Add a Solution

Comments

Krunal Rohit 11-Mar-14 14:48pm

elaborate it.

-KR

Sergey Alexandrovich Kryukov 11-Mar-14 15:13pm

Do you really want any elaboration? Even though the purpose of it is totally unclear, what is already said is quite enough.
It makes the answer quite obvious. Please see my answer to see what I mean.
—SA

Krunal Rohit 11-Mar-14 15:16pm

Question was updated right after I commented.

-KR

Sergey Alexandrovich Kryukov 11-Mar-14 15:33pm

Got it, thank you.
—SA

ninomimi 11-Mar-14 15:19pm

yeah i'am update my question ;)

Richard MacCutchan 11-Mar-14 15:07pm

Generally speaking you cannot do this without a thorough understanding of the structure of the program, and the linker details that show where each module gets loaded.

Sergey Alexandrovich Kryukov 11-Mar-14 15:34pm

Well... do you know the case when one can do such thing even with "thorough understanding"? I don't know...
—SA

Richard MacCutchan 11-Mar-14 15:38pm

Yes, in the debugger.

Sergey Alexandrovich Kryukov 11-Mar-14 15:46pm

I never done that, but I think this is done via some debugging API, not directly. Am I right? Just wanted to understand your point, which might be important thing to understand...
—SA

Richard MacCutchan 11-Mar-14 16:21pm

I was really referring to all the debug tools that come with a development environment. Using those tools it is, in theory, possible to do this, but it is not easy, and only very experienced developers are likely to have the necessary skills.

Gone are the days when you could analyse a raw memory dump and use it to change the code of the OS on the fly. Which is something I have done in the dim and distant past.

ninomimi 11-Mar-14 15:48pm

i'm not to write in MEMORY of process, i want to write in every place in EXE in runtime. remember that assume that you have the source code

Richard MacCutchan 11-Mar-14 16:18pm

It doesn't matter, because there is no direct, simple link between the source code and the executable. That was the point of my first comment: unless you have a thorough understanding of the structure of an executable module, you have no chance of achieving this.

Sergey Alexandrovich Kryukov 11-Mar-14 16:46pm

You have been answered already, you cannot modify executable file. You actually can modify the memory, but I would not advise to go for it from the separate process. Processes are well isolated, and executable files are well protected from modification.

I don't think you have any good reasons for doing what you want. If you can explain your ultimate goals, we can discuss some solutions. If not, if goes nowhere.

—SA

ninomimi 11-Mar-14 18:53pm

My ultimate goal is the program change .Exe file that exist in disk itself(not it's memory space) and this program can't run again. Maybe I can't explain my goal obviously.

Sergey Alexandrovich Kryukov 11-Mar-14 19:16pm

No, it is not. What is the goal of the program change? No, it cannot explain anything.
—SA

Matt T Heffron 11-Mar-14 19:36pm

Sergey, it appears he is trying to DISABLE any future attempt to run the executable by corrupting it.
Kind of like Mission Impossible: "This message will self-destruct in ..." !

Sergey Alexandrovich Kryukov 11-Mar-14 19:40pm

Well, that's another good reason for OS to protect loaded executable modules (PE files) from any modifications...
—SA

[no name] 11-Mar-14 20:19pm

What's wrong with using registry (or /etc) as is normal for this requirement?

Philippe Mori 11-Mar-14 23:20pm

And in some case like when deleting a file from an installed DLL, Windows is smart enough to repair that program... I d'ont know if it would detect modified files or only missing ones.

4 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Answer 1 · 2014-03-11T09:09:00

Seriously?
There is a very good chance that you can't, not on a modern OS with a halfway-decent virus scanner.

Because that kind of activity is exactly what heuristic antivirus systems are looking for: anything trying to modify executable files...

If you can, it's simple: Open the file for read/write access, and overwrite the original DOS header. That should kill the file...
But...I suspect it won't work in production. And if it tries and fails, your app will be flagged to the user as virus infected, which will not improve the image of your company in the slightest.

I wouldn't do it, if I was you.

Sergey Alexandrovich Kryukov · Answer 2 · 2014-03-11T09:12:00

No way you can do so. All executable files are protected form any modification and deletion when they are loaded in any of the loaded and executing processes. This is the important security feature of most systems, and the important fool-proof feature . So, it's important not to try to play the role of one. :-)

—SA

pasztorpisti · Answer 3 · 2014-03-11T13:08:00

In case of a modern operating system every single piece of memory allocated by a normal process is backed by disk storage. Executables/DLLs are backed by the files from which they were loaded while other kind of dynamically allocated memory block are backed by the system page file (this isn't etirely true, you can create your own memory mapped files, loaded exes/dlls are also special memory mapped files...). This way if a process is inactive the OS can throw out pages from the memory to give more memory for active processes. Of course before throwing out the pages of of writable/dirty memory blocks the OS writes these into the mapped files to be able to restore these memory blocks if the owner process tries to use them again.

For this very simple reason modifying a file that participates in memory mapping is not a good idea. On linux you can delete a running executable easily because the actual storage of a deleted file can exists without the directory entry - the actual storage can be referenced not only by directory entries but also by open file handles and the file contents are actually erased only when all referencing directory entries are deleted and all open file handles are closed. To be honest I have no clue how the "delete running executable file" magic works on windows as the windows filesystem works in a different (and in my opinion worse) way.

There is one more thing, you were talking about memory modification. Debuggers and hack programs exploit debugging functions. With these debugging functions you can launch an executable and you (the debugger) can read/modify the memory (even the code) of the debugged process (with the ReadProcessMemory and WriteProcessMemory functions) without affecting its executable file. Debuggers use these functions to implement variable watch/variable modification/memory view/debug breakpoint placement.

Krunal Rohit · Answer 4 · 2014-03-11T09:12:00

Solution 3

Near to impossible.
Because you're about to be modifying EXE.

As simple as that :)

-KR

Posted 11-Mar-14 9:12am

Krunal Rohit

Comments

ninomimi 11-Mar-14 15:26pm

in this link: http://www.catch22.net/tuts/self-deleting-executables , the author can delete a exe file in runtime before exit, that's way not work for this? i try that and not work

How I Can Edit A Exe File When It's Run

4 solutions

Solution 1

Solution 2

Solution 4

Solution 3

Add your solution here

Preview 0