Which WinAPI functions should I use to make a program unlock its own executable file so I can update or recompile it at runtime even if it's running? Should I use the regular file unlocking functions, and in that case, how do I get the file handle of the executable from its own process?

I want to make a stub program that can be compiled and that contains the actual program to run. It would have the same icon and would pass the same parameters to the child program. Then it would terminate itself to let the child keep running.

It would also contain the source code for being able to recompile, update and repack itself.

alt.126
    You cannot do that. You cannot modify the executable file of a running process. – David Heffernan Mar 29 '16 at 18:03
  • True, but you can make a copy of it while it is running, and then modify that copy as needed. You would just need to come up with a way to replace the original with the copy after the program stops running. – Remy Lebeau Mar 29 '16 at 19:11

2 Answers

Answered in CreateProcess from memory buffer

"Call the CreateProcess function with CREATE_SUSPENDED flag, that tells the API to keep the process suspended until the ResumeThread function is called.

This gives us time to grab the suspended thread's context using GetThreadContext function, ... use WriteProcessMemory to write in-memory exe into the memory space of the suspended process."

The other way, of course, is to emulate a CD drive. Executables on CD drives are run from cache anyway. On older versions of Windows (XP-), the same was true of network shares.

david
In short, since Windows 7 (and probably later versions), executable files are always unlocked whether or not they are loaded, and they need to be explicitly locked to prevent modification or deletion.

In Windows 9x and NT/XP, executable files are locked while running and they would need to be unlocked by some API call.

This is probably a very basic way to roughly detect the Windows version, at least in practice (trying to rename or write the executable file from itself).

Under Windows 95, 98 (9x) and XP (2000, NT...) we all remember that all executable files are automatically locked while they are running.

But under Windows 7, executable files seem to remain unlocked by default, which allows deleting, uninstalling, modifying, recompiling or altering them in the file system at all times, no matter whether they are currently running or not.

Just try to compile a test program under Windows 7 and you will see that you can rename and even delete it (try running and then deleting a program like http://devel.archefire.org/tmp/ClockCount.zip).

A program like Unlocker could probably be investigated to find a sequence of API calls that doesn't involve terminating the process:

http://www.emptyloop.com/unlocker/#download

This is the list of imported API calls of the Unlocker binary:

alt.126
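An added check, not from the question or any of the answers, that tries the operations discussed above (overwrite, delete, rename, drop a replacement) against a running executable, so the locking behaviour can be verified on the machine at hand rather than assumed. It assumes Windows PowerShell 5.1 or later and uses a temporary copy of ping.exe as the probe process; the `probe.exe` name and the `Test-Op` helper are this example's own.

```powershell
# Added example: probe which file operations Windows allows on an executable
# while a process is running from it. Assumes Windows PowerShell 5.1+.
$work = Join-Path $env:TEMP ("lockcheck-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$src = Join-Path $env:SystemRoot "System32\ping.exe"   # any long-running system binary
$exe = Join-Path $work "probe.exe"
$old = Join-Path $work "probe.exe.old"
Copy-Item $src $exe

# Run each operation and report whether the OS allowed it.
function Test-Op([string]$name, [scriptblock]$op) {
    try   { & $op; "{0,-36} allowed" -f $name }
    catch { "{0,-36} denied: {1}" -f $name, $_.Exception.Message.Trim() }
}

# Start the probe (pings loopback for ~2 minutes, hidden) and let the loader map it.
$proc = Start-Process -FilePath $exe -ArgumentList "-n 120 127.0.0.1" -WindowStyle Hidden -PassThru
Start-Sleep -Seconds 2

# 1. Overwrite in place: the mapped image section keeps the file from being opened for write.
Test-Op "overwrite running image" { [IO.File]::WriteAllBytes($exe, [byte[]](0)) }
# 2. Delete: refused for the same reason.
Test-Op "delete running image" { Remove-Item -LiteralPath $exe -ErrorAction Stop }
# 3. Rename: only the directory entry changes; the mapping stays valid.
Test-Op "rename running image" { Rename-Item -LiteralPath $exe -NewName "probe.exe.old" -ErrorAction Stop }
# 4. Drop a new file under the original name: free once the old entry is renamed away.
Test-Op "write new file at original name" { Copy-Item $src $exe -ErrorAction Stop }

# 5. After the process exits, the renamed old image can be removed
#    (a self-updating stub typically does this cleanup at its next start).
Stop-Process -Id $proc.Id -Force
Wait-Process -Id $proc.Id -ErrorAction SilentlyContinue
Test-Op "delete old image after exit" { Remove-Item -LiteralPath $old -ErrorAction Stop }

Remove-Item -Recurse -Force $work
```

On current Windows versions the expected pattern is that steps 1 and 2 are denied while 3, 4 and 5 are allowed, which is the rename-then-replace sequence a self-updater can use without unlocking anything.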