I know that in 16 bit, you could change a running .exe by opening it, making your change, and then closing it.

Can I do that in a 32 bit program?

I would like to store some data in the code section for referencing later in my program.
For ex. a key value

I would later check for a certain condition and if it was not met, I would then like to
change or delete that value so that it was "Gone for good."

Thanks.
Posted on 2009-10-29 16:47:18 by skywalker
Not under Windows, or at least not without kernel patching or direct writing to disk sectors. When a file is executed, first a file handle is created with sharing mode set to read.
However, you can create, modify and delete a new data stream in the executable (on NTFS partitions):
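; get the full path of the running .exe into the "path" buffer
invoke GetModuleFileName, 0, offset path, MAX_PATH
; append the stream name: "<exe path>:mysettings" names an NTFS alternate data stream
invoke lstrcat, offset path, ":mysettings"
; open/create the stream like an ordinary file (remaining arguments elided in the post)
invoke CreateFile, offset path, ...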
Posted on 2009-10-29 17:16:11 by sapero
I don't think the second line makes much sense.

It looks like it's appending :mysettings to the path of the .exe.

?

Andy
Posted on 2009-10-29 18:16:02 by skywalker

It looks like it's appending :mysettings to the path of the .exe.


You're right, it is. Look up "alternate data streams"; it's an NTFS feature.

If you insist on writing to the .Exe, you may write a helper program that the main program will execute before shutting itself down. The helper will modify the .Exe and restart it. Not a piece of cake (the main process' handle should be duped and inherited by the helper, which will wait on it for the main process' termination), but probably doable.

By the way, writing to a PE .Exe will invalidate its checksum (in most cases).
Posted on 2009-10-30 02:16:55 by baldr
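The checksum remark above, as an added example (not code from any poster in this thread): it recomputes the PE header checksum with the usual 16-bit folding sum plus file length and compares it with the stored field, so an on-disk patch shows up as a mismatch. The 512-byte image, the 0x1F0 offset and all function names are constructed for illustration.

```python
import struct

def checksum_offset(data):
    """File offset of OptionalHeader.CheckSum (same for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 4-byte signature + 20-byte file header, then offset 64 in the optional header
    return e_lfanew + 24 + 64

def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_offset(data))[0]

def compute_checksum(data):
    """16-bit end-around-carry sum with the CheckSum field zeroed, plus file length."""
    off = checksum_offset(data)
    buf = bytes(data[:off]) + b"\0" * 4 + bytes(data[off + 4:])
    if len(buf) % 2:
        buf += b"\0"                      # pad odd-sized files to a whole word
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return ((total & 0xFFFF) + (total >> 16) + len(data)) & 0xFFFFFFFF

def checksum_status(data):
    stored = stored_checksum(data)
    if stored == 0:
        return "unset"                    # many linkers leave the field at zero
    return "match" if stored == compute_checksum(data) else "mismatch"

def build_sample(value=8):
    """Constructed 512-byte header skeleton (not a loadable program)."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)          # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    img[0x1F0] = value                               # stands in for a data byte ("value db 8")
    struct.pack_into("<I", img, checksum_offset(img), compute_checksum(img))
    return img

if __name__ == "__main__":
    original = build_sample()
    patched = bytearray(original)
    patched[0x1F0] = 21                              # simulated on-disk patch of that byte
    print(checksum_status(original), checksum_status(patched))
```

A stored value of zero is reported as "unset" rather than "mismatch", since a zero field says nothing about whether the file was modified.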
I would like to store some data in the code section for referencing later in my program.
For ex. a key value

I would later check for a certain condition and if it was not met, I would then like to
change or delete that value so that it was "Gone for good."


Some linkers support an attribute to set your code section to writeable. Alternatively, after you build you could write a separate application that maps your file into memory, walks the PE header's section table, and alters the section's characteristics to read/write/execute.
Posted on 2009-10-30 04:14:50 by Synfire
You can use Microsoft's Editbin.exe tool to change the section flags after it's built.
Posted on 2009-10-30 04:19:55 by Scali
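The section-table walk described above, turned into a read-only audit (an added example, not code from any poster in this thread): it lists each section's name and read/write/execute flags and reports sections that are both writable and executable, which is what a build-time or triage check would look for. The header skeleton and function names are constructed for illustration.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def sections(data):
    """Return [(name, characteristics)] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    count = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    if table + 40 * count > len(data):
        raise ValueError("section table runs past end of file")
    found = []
    for off in range(table, table + 40 * count, 40):
        name = bytes(data[off:off + 8]).rstrip(b"\0").decode("ascii", "replace")
        flags = struct.unpack_from("<I", data, off + 36)[0]  # Characteristics
        found.append((name, flags))
    return found

def permissions(flags):
    bits = (("r", IMAGE_SCN_MEM_READ), ("w", IMAGE_SCN_MEM_WRITE),
            ("x", IMAGE_SCN_MEM_EXECUTE))
    return "".join(ch if flags & bit else "-" for ch, bit in bits)

def writable_and_executable(data):
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [name for name, flags in sections(data) if (flags & wx) == wx]

def build_sample(text_flags):
    """Constructed header skeleton with .text and .data (not a loadable program)."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x46, 2)         # NumberOfSections
    struct.pack_into("<H", img, 0x54, 0xE0)      # SizeOfOptionalHeader (PE32)
    table = 0x40 + 24 + 0xE0
    for i, (name, flags) in enumerate(((b".text", text_flags), (b".data", 0xC0000040))):
        struct.pack_into("<8s", img, table + 40 * i, name)
        struct.pack_into("<I", img, table + 40 * i + 36, flags)
    return img

if __name__ == "__main__":
    for flags in (0x60000020, 0xE0000020):       # default code section vs. made writable
        img = build_sample(flags)
        print([(n, permissions(f)) for n, f in sections(img)], writable_and_executable(img))
```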
I can't figure how it works.

I tried editbin /SECTION:c,erw data_cs.exe but it says that "code" does not exist.

Andy
Posted on 2009-10-30 08:49:29 by skywalker
Still, even with the code section writeable (use a PE editor and set it manually so you can test what you'd like) I don't believe that you can edit it while loaded and save it at the same time.

How about having your exe just load a big .bin file into memory... and jump to it. (Like an unpacker?) If need be, you can edit that bin file and delete whatever you want.
Posted on 2009-10-30 08:54:45 by JimmyClif

I tried editbin /SECTION:c,erw data_cs.exe but it says that "code" does not exist.


Quote from MSDN:
"After the colon ( : ), specify the name of the section."

Are you sure that your code section has the name "c"?

Anyway, be more specific about your problem. Do you want to modify the PE .Exe on disk? It has nothing to do with section attributes. Modify some location in a running process? If by itself, section attributes are the way to go; if by another process, WriteProcessMemory can be used.
Posted on 2009-10-30 12:31:55 by baldr
baldr,

Actually, making the code section writeable will work for his problem either way. If he's wanting to simply change memory, he gets it that way. However, if he's trying to do something more polymorphic, a quick way to commit his changes is to map his entire PE to disk after he's done executing and then fork off a new process which, after the parent has closed, copies the bin file to the executable on disk, as after the executable closes there is no more write protection.
Posted on 2009-10-31 04:28:26 by Synfire
Synfire,

Do you want to modify PE .Exe on disk? It has nothing to do with section attributes.


Actually, making the code section writeable will work for his problem either way.

(Either was emphasized by myself)

Tell me, since when does WriteFile check PE section flags (or even take them into consideration)? Mapping the file to change several bytes may be overkill, but even then section flags are ignored (unless you specify SEC_IMAGE in flProtect for CreateFileMapping, and this is quite a different story).

For a running process, a safe bet is probably VirtualProtect to make those bytes writeable, then a local/remote write, then VirtualProtect to restore protection.
Posted on 2009-10-31 08:15:16 by baldr


I tried editbin /SECTION:c,erw data_cs.exe but it says that "code" does not exist.


Quote from MSDN:
"After the colon ( : ), specify the name of the section."

Are you sure that your code section has the name "c"?

Anyway, be more specific about your problem. Do you want to modify the PE .Exe on disk? It has nothing to do with section attributes. Modify some location in a running process? If by itself, section attributes are the way to go; if by another process, WriteProcessMemory can be used.


/Section lets you set attributes for your code. To make it writeable for example.

Yes, I would like to make it writeable on disk. Specifically, I would like my program to be able to write over some data in the .data area.

For example

Orig. .exe  .data
              value db 8

After running .exe .data
                        value  db  21

Andy

Posted on 2009-10-31 10:26:40 by skywalker

Still, even with the code section writeable (use a PE editor and set it manually so you can test what you'd like) I don't believe that you can edit it while loaded and save it at the same time.

How about having your exe just load a big .bin file into memory... and jump to it. (Like an unpacker?) If need be, you can edit that bin file and delete whatever you want.


Changing part of the data in the .exe permanently is the goal.

Andy
Posted on 2009-10-31 10:28:55 by skywalker
Changing part of the data in the .exe permanently is the goal.


a) Very unlikely that this is possible under 32-bit Windows. (afaik) Unless you would spawn separate processes after your exe has closed (Synfire)
b) A quick file compare would show exactly what you changed.
c) Time Date Stamp would change, Checksum would change, chances are virus scanners would prevent your change from happening. (or at least point it out)

All in all - I don't think this idea is going to go somewhere. (my opinion)
Posted on 2009-10-31 10:48:08 by JimmyClif

For now, I will go on to something else.

Regarding (b) ... file compare would not work since file has changed when it was run the first time.

Andy
Posted on 2009-10-31 13:34:15 by skywalker


the time stamp of last write, creation date, last opened is easily reset back to what it was :)
alternatively, a 'safe' way of doing this would be to put the data you want to change into a dll
unload the dll (if it's loaded) with FreeLibrary, then try and open it, patch it, change time stamps
etc..  however if the location of the file is in a protected area (like UAC with Vista / Windows 7)
and you're not admin it might fail..

Posted on 2009-11-01 04:30:32 by evlncrn8
Forget about changing .exe on disk - running executables are write-protected, so it's not possible to do without jumping through a shitload of hoops. It isn't going to help you for software protection in any way, you're only going to annoy legitimate users by triggering their anti-virus / HIPS software.
Posted on 2009-11-01 08:26:01 by f0dder
Everything can be done, but ask yourself why you are doing it.
Posted on 2009-11-02 03:49:50 by Homer