How can I edit an exe file while it is running?

Views: 88

Problem description

I want to change some bytes of an .exe file that is running, from my source file, to destroy it (NOT DELETE) so that it does not run next time. How can I do this?

Assume that my source file is Test.C. I want to write code in this source file that changes some bytes of my Test.exe file before exit. I can delete this exe file completely before exit with http://www.catch22.net/tuts/self-deleting-executables

Can I use a second executable file like test2.exe to write on test1.exe at runtime? If this is possible, how?

Recommended answers

Seriously?

There is a very good chance that you can't, not on a modern OS with a halfway-decent virus scanner.

Because that kind of activity is exactly what heuristic antivirus systems are looking for: anything trying to modify executable files...

If you can, it's simple: open the file for read/write access and overwrite the original DOS header. That should kill the file...

But... I suspect it won't work in production. And if it tries and fails, your app will be flagged to the user as virus infected, which will not improve the image of your company in the slightest.

I wouldn't do it, if I were you.


No way you can do so. All executable files are protected from any modification and deletion when they are loaded in any of the loaded and executing processes. This is an important security feature of most systems, and an important fool-proof feature. So, it's important not to try to play the role of one. :-)

—SA


In the case of a modern operating system, every single piece of memory allocated by a normal process is backed by disk storage. Executables/DLLs are backed by the files from which they were loaded, while other kinds of dynamically allocated memory blocks are backed by the system page file (this isn't entirely true: you can create your own memory-mapped files, and loaded exes/dlls are also special memory-mapped files...). This way, if a process is inactive, the OS can throw out pages from memory to give more memory to active processes. Of course, before throwing out the pages of writable/dirty memory blocks, the OS writes these into the mapped files to be able to restore these memory blocks if the owner process tries to use them again.

For this very simple reason, modifying a file that participates in memory mapping is not a good idea. On Linux you can delete a running executable easily because the actual storage of a deleted file can exist without the directory entry: the actual storage can be referenced not only by directory entries but also by open file handles, and the file contents are actually erased only when all referencing directory entries are deleted and all open file handles are closed. To be honest, I have no clue how the "delete running executable file" magic works on Windows, as the Windows filesystem works in a different (and in my opinion worse) way.

There is one more thing: you were talking about memory modification. Debuggers and hack programs exploit debugging functions. With these debugging functions you can launch an executable and you (the debugger) can read/modify the memory (even the code) of the debugged process (with the ReadProcessMemory and WriteProcessMemory functions) without affecting its executable file. Debuggers use these functions to implement variable watch/variable modification/memory view/debug breakpoint placement.
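The Linux behaviour described in this answer (storage of an unlinked file stays alive while a descriptor or a mapping still references it) can be checked directly. The following C program is an added example, not code from the thread; the temp-file name and the payload are constructed for the demonstration.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file, map it (as the loader does for an executable), unlink it,
 * and verify that the name is gone while the data is still reachable through
 * both the mapping and the open descriptor. Returns 1 on success, 0 on failure. */
int deleted_file_still_readable(void) {
    char path[] = "/tmp/unlink-demo-XXXXXX";          /* constructed template */
    const char payload[] = "constructed sample data";  /* constructed content */
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    if (write(fd, payload, sizeof payload) != (ssize_t)sizeof payload) {
        close(fd); unlink(path); return 0;
    }

    /* Memory backed by the file, like a loaded exe/DLL image. */
    char *map = mmap(NULL, sizeof payload, PROT_READ, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) { close(fd); unlink(path); return 0; }

    /* Remove the directory entry while the descriptor and mapping are alive. */
    if (unlink(path) != 0) { munmap(map, sizeof payload); close(fd); return 0; }

    int ok = 1;
    struct stat st;
    char buf[sizeof payload];
    /* 1. The name no longer resolves: nobody can open it by path any more. */
    ok &= (access(path, F_OK) != 0);
    /* 2. The inode still exists but has zero links (what "(deleted)" means in /proc/<pid>/maps). */
    ok &= (fstat(fd, &st) == 0 && st.st_nlink == 0);
    /* 3. The content is still readable through the mapping ... */
    ok &= (memcmp(map, payload, sizeof payload) == 0);
    /* 4. ... and through the descriptor. */
    ok &= (pread(fd, buf, sizeof buf, 0) == (ssize_t)sizeof buf
           && memcmp(buf, payload, sizeof buf) == 0);

    munmap(map, sizeof payload);
    close(fd);  /* last reference dropped: only now is the storage released */
    return ok;
}

int main(void) {
    printf("%s\n", deleted_file_still_readable() ? "deleted file still readable" : "check failed");
    return 0;
}
```

For a defender this is the same mechanism that makes a process whose binary was deleted after launch show up with a "(deleted)" suffix in `/proc/<pid>/exe` and `/proc/<pid>/maps`, a useful hunting signal.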

