I'm probably WAY out of my league here, but I thought I'd ask if it's even possible before I start digging for the how and what.

When a program runs, the exe gets loaded into memory, so far so good. However, Windows still locks the original .exe file on the HD for writing, I assume the PE loader does that.
What I would like to do is unlock that exe, so I can write to it from the running process (that belongs to that exe). I assume this requires some low level tricks, if it's even possible.
Thanks to Opcode, I now have functioning ring 0 access from any program. I don't know if it's even remotely related, but I would think that with ring 0 access, it should be possible to change or remove any file lock on any file... correct me if I'm wrong.

Does anybody have any idea in which direction I should start searching?

Thanks,
- Fahr
Posted on 2005-04-09 12:35:25 by Fahr
uh. make the process map its own file.
Posted on 2005-04-09 18:59:53 by Drocon

What I would like to do is unlock that exe, so I can write to it from the running process (that belongs to that exe).

Forget about it. There are good reasons why you shouldn't be doing this. Consider what happens if you modify the disk image, and a discarded page has to be paged back in?
Posted on 2005-04-10 06:40:15 by f0dder
A good point, but I'm not planning on modifying the CODE. I was just wondering if it'd be possible to append bytes to the exe while it's running. Nothing official, just config data or whatever.

- Fahr
Posted on 2005-04-10 13:13:31 by Fahr
Unfortunately, it's not really doable... you could inject code into another process, terminate the main app, update the exe, etc... but that is hacky. Or you could drop a "configuration-writer exe" on disk, terminate the main app (etc) - again, dirty. It was doable in the DOS days, but it requires too much work and is too hacky under windows.

The best you can do is using the registry, and storing config in HKEY_CURRENT_USER - that way, your app will also work on NT machines where the user runs a non-admin account.
Posted on 2005-04-11 03:21:38 by f0dder
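A practical check of what the loader's lock on a running image actually refuses and what it still allows, followed by the HKEY_CURRENT_USER approach f0dder suggests. This is an added example, not code from the thread or its posters. It assumes a current Windows host with PowerShell, uses a copy of cmd.exe as a stand-in for "your exe", and the key name HKCU:\Software\FahrDemo is made up for the demo:

```powershell
# Added example, not from the original thread. Shows which operations the
# loader's lock on a running image refuses and which it allows, then stores
# the "config data" under HKEY_CURRENT_USER instead of inside the .exe.
# Assumptions: Windows host with PowerShell; a copy of cmd.exe stands in for
# the running program; HKCU:\Software\FahrDemo is a made-up key name.

$work = Join-Path $env:TEMP ("lockdemo_" + [guid]::NewGuid().ToString("N"))
New-Item -ItemType Directory -Path $work | Out-Null
$exe = Join-Path $work "victim.exe"
Copy-Item $env:ComSpec $exe

# Start the copy hidden and keep it alive (/k); its image section now maps $exe.
$proc = Start-Process -FilePath $exe -ArgumentList "/k" -WindowStyle Hidden -PassThru
Start-Sleep -Seconds 1

function Test-Action([string]$Label, [scriptblock]$Action) {
    try {
        & $Action
        "{0,-28} OK" -f $Label
    } catch {
        "{0,-28} refused: {1}" -f $Label, $_.Exception.GetBaseException().Message
    }
}

# 1. Open for write (what Fahr asked for): sharing violation, whatever share
#    mode we offer, because the image section already owns the file.
Test-Action "open for write" {
    $fs = [System.IO.File]::Open($exe, 'Open', 'Write', 'ReadWrite')
    $fs.Close()
}

# 2. Append "config data" to the end of the file: same refusal.
Test-Action "append bytes" {
    [System.IO.File]::AppendAllText($exe, "cfg=1")
}

# 3. Delete: refused as well while the image is mapped.
Test-Action "delete" {
    Remove-Item -LiteralPath $exe -ErrorAction Stop
}

# 4. Rename: allowed. The mapped image keeps running under the new name; this
#    is what self-updaters rely on, and it is all you get without a driver.
Test-Action "rename running image" {
    Rename-Item -LiteralPath $exe -NewName "victim.old" -ErrorAction Stop
}

# 5. A fresh file at the original path is fine, since nothing maps that path now.
Test-Action "write new file at old path" {
    [System.IO.File]::WriteAllBytes($exe, [byte[]](0x4D, 0x5A))   # "MZ"
}

# Config the supported way: per-user registry, writable from a non-admin account.
$key = "HKCU:\Software\FahrDemo"
New-Item -Path $key -Force | Out-Null
$count = [int](Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).RunCount + 1
New-ItemProperty -Path $key -Name RunCount -PropertyType DWord  -Value $count -Force | Out-Null
New-ItemProperty -Path $key -Name LastRun  -PropertyType String -Value (Get-Date).ToString("o") -Force | Out-Null
Get-ItemProperty -Path $key | Select-Object RunCount, LastRun

# Cleanup: stop the stand-in process (releasing the image section), then the
# files and the demo key.
Stop-Process -Id $proc.Id -Force
$proc.WaitForExit()
Start-Sleep -Seconds 1
Remove-Item -LiteralPath $work -Recurse -Force
Remove-Item -Path $key -Recurse -Force
```

Steps 1 to 3 print "refused" with the "being used by another process" message, steps 4 and 5 print OK. Note that the rename trick only lets you put a new file at the old path; it does not make the bytes of the mapped image writable, which is the thing Fahr wanted and the thing f0dder's paging argument rules out.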
Too bad then. It's not really about storing config info, I can do that anywhere - it's about pushing the possibilities and see what can be accomplished, really.
Oh, how I miss the DOS days :(

I have already accomplished this by injecting code, I just wondered if I could also do it by forcing Windows to lose its grip on the file in question... guess not then :(

Thanks for the feedback anyway,
- Fahr
Posted on 2005-04-11 03:42:18 by Fahr

I just wondered if I could also do it by forcing Windows to lose its grip on the file in question

It might be possible, but it'd probably require some pretty dirty code (like the "execute-on-stack-after-unmapping-view-of-image" code that doesn't work on all windows versions), or some dodgy ring0 code...
Posted on 2005-04-11 05:31:50 by f0dder
Not something I want to mess with then I think... Sounds a tad too dangerous.
I figured Ring0 would be the place to do this, but if no info is present as to how, it might just be a tad too tricky...
Posted on 2005-04-11 05:38:11 by Fahr