Change / replace Exe on the fly

Question

Change / replace Exe on the fly

Whenever I download an update in firefox and apply it, Kaspersky Antivirus warns me that the FIREFOX.EXE file has been modified. I want to know how they do it. Is it possible to make a simple program to demonstrate this trick. Like the executable, it initially displays "Hello, World!" at the prompt and when replacing / modifying the sample executable, it should display "Hello, World! Mod".

Thank.

+1

windows executable

ardsrk 02 dec. '08 at 17:16

source to share

4 answers

ceejayoz · Answer 1 · 2008-12-02T17:30:42+0000

I was under the impression that Firefox, when it has an update, launches another application and exits. The helper application then replaces the .exe. This way it doesn't change itself at runtime.

joegtp · Answer 2 · 2008-12-02T17:24:05+0000

An easy way is to use the FindFirstChangeNotification method . But my guess is that Anti-Virus connects at a lower level using a system hook or some other mechanism.

Will dean · Answer 3 · 2008-12-02T17:27:07+0000

I don't know how Firefox performs its updates, but there are a number of common approaches:

On a file system that permits it (like NTFS), then rename the current executable .exe, write in its replacement, and then move on to the new one.
You have a small launcher that does any update to the main exe before switching to it.
Various tricks related to creating temporary exes, jumping on them and bouncing backwards, etc.

losthound · Answer 4 · 2009-05-02T12:06:56+0000

I am looking for self-modifying code in C ++. I think that programs can modify themselves by separating them from windows.

0

losthound May 02 '09 at 12:06

source to share

Change / replace Exe on the fly

Thank.

More articles: