Stores simple states in exe

Kwai chang caine
Always Here
Posts: 5494
Joined: Sun Nov 05, 2006 11:42 pm
Location: Lyon - France

Re: Stores simple states in exe

Post by Kwai chang caine »

Yeeeess !!! I had never heard of this way :shock:

Furthermore, the second link has code more at the zero level of KCC (only several lines) :mrgreen:
I will try this example soon

Today you are my miracle bearer 8)

Thanks a lot
The happiness is a road...
Not a destination
firace
Addict
Posts: 946
Joined: Wed Nov 09, 2011 8:58 am

Re: Stores simple states in exe

Post by firace »

Haha, enjoy :)

Just one thing to be aware of: ADS is a property of the NTFS file system, so the information is lost if you copy the file to another drive (or if you zip it).
normeus
Enthusiast
Posts: 470
Joined: Fri Apr 20, 2012 8:09 pm
Contact:

Re: Stores simple states in exe

Post by normeus »

KCC,
your simpler solution is better:

#FILE_ATTRIBUTE_TEMPORARY = 256

The system will not delete this file.
You will be safe changing this FLAG.
It is used when you are creating documents so that the system will know you are going to delete this file so it has an option to save to cache.
Since you are not creating the file, the system will just ignore #FILE_ATTRIBUTE_TEMPORARY.

The only problem I see is that some backup and replication programs will not copy files marked as temp.


Thank you.
Norm
google Translate;Makes my jokes fall flat- Fait mes blagues tombent à plat- Machte meine Witze verpuffen- Eh cumpari ci vo sunari
Mijikai
Addict
Posts: 1517
Joined: Sun Sep 11, 2016 2:17 pm

Re: Stores simple states in exe

Post by Mijikai »

Run shellcode in another application to override the state flag once your application closes.
RSBasic
Moderator
Posts: 1228
Joined: Thu Dec 31, 2009 11:05 pm
Location: Gernsbach (Germany)
Contact:

Re: Stores simple states in exe

Post by RSBasic »

firace wrote: Just one thing to be aware of: ADS is a property of the NTFS file system, so the information is lost if you copy the file to another drive (or if you zip it).
+1 :!: :!: :!:
HanPBF
Enthusiast
Posts: 570
Joined: Fri Feb 19, 2010 3:42 am

Re: Stores simple states in exe

Post by HanPBF »

Normally an exe is not allowed to be changed as malicious software could do so and that's prevented.

A file storing the state beside the exe is the only way, or writing to the registry of the user.

To have one file for start, maybe UPX exe packer could help (https://upx.github.io/).
Pack all files together; when started, config file gets unzipped.

Surprising that an exe cannot store a state in a sandboxed area...
RSBasic
Moderator
Posts: 1228
Joined: Thu Dec 31, 2009 11:05 pm
Location: Gernsbach (Germany)
Contact:

Re: Stores simple states in exe

Post by RSBasic »

HanPBF wrote: To have one file for start, maybe UPX exe packer could help (https://upx.github.io/).
But be careful: Some antivirus programs sound the alarm.
HanPBF
Enthusiast
Posts: 570
Joined: Fri Feb 19, 2010 3:42 am

Re: Stores simple states in exe

Post by HanPBF »

It's all hacking...

http://ro.ecu.edu.au/cgi/viewcontent.cg ... ontext=adf
http://edn.embarcadero.com/article/27979

Even an assembler integration to change a flag should be seen once by an antivirus or OS.
RSBasic
Moderator
Posts: 1228
Joined: Thu Dec 31, 2009 11:05 pm
Location: Gernsbach (Germany)
Contact:

Re: Stores simple states in exe

Post by RSBasic »

Yes, therefore it is better to save the file with the state in the current program directory or temp folder or AppData.
Kwai chang caine
Always Here
Posts: 5494
Joined: Sun Nov 05, 2006 11:42 pm
Location: Lyon - France

Re: Stores simple states in exe

Post by Kwai chang caine »

First, a thousand thanks to all for your interest in my problem :shock: 8)
Firace wrote: Just one thing to be aware of: ADS is a property of the NTFS file system, so the information is lost if you copy the file to another drive (or if you zip it).
I suppose you are talking about a FAT32 drive? Or even if the drive is NTFS?
For sure, I think my tip is not the most secure in the world :lol:
But except for the case name, it's the simplest I have found :wink:
So your way is all the same very interesting, at least for learning 8)
Normeus wrote: It is used when you are creating documents so that the system will know you are going to delete this file so it has an option to save to cache.
Since you are not creating the file, the system will just ignore #FILE_ATTRIBUTE_TEMPORARY.
Happy to read your advice about my choice :D
There is surely another flag or another simple old function, forgotten or simply not really known by everybody, which can be diverted to do something completely different from its first and original function
Anyway, it's the main activity of the hacker to search for this kind of function, forgotten by all :wink:
Normeus wrote: The only problem I see is that some backup and replication programs will not copy files marked as temp.
It's good to know that, before throwing the PC in the trash because it decided not to back up our programs anymore :lol: :lol:
Mijikai wrote: Run shellcode in another application to override the state flag once your application closes.
I don't really know what shellcode is :oops:
You mean, like a batch? I have done it this way one time: when I close the exe, I write a batch in the temp folder, with the rename of the exe inside, and afterwards the batch can delete itself 8)
But I don't know it's possible to poke an exe with a script :shock:
HanPBF wrote: Normally an exe is not allowed to be changed as malicious software could do so and that's prevented.
A file storing the state beside the exe is the only way, or writing to the registry of the user.
Yes, you are right, an EXE is not an ACCESS file :wink:
I understand perfectly what you say, and it's normal, when we see the engineering of hackers to put something just in the place where nobody is thinking :shock:
But my request is not to store DATA; it's all the cool members of this thread who talk about DATA. Me, I just ask to store one bit, 0/1, or better 0/255, and I don't think even Kevin Mitnick, formerly the best hacker in the world,
could create a malicious thing with one value 0/255..
Finally, I hope :oops: :lol: because the legend says he is so strong that the judge did not allow him to have even a simple calculator when he was condemned :shock: :lol:

So your two links are very interesting. I don't understand everything, but it's easier to understand how the PE works 8)
Now, I'm not sure that even ASM can write into the EXE while it runs, because it's surely Windows that does not allow this behaviour, no ??
HanPBF wrote: To have one file for start, maybe UPX exe packer could help (https://upx.github.io/).
Interesting new way, even if using it for just a txt file with 0 or 1 inside is a little bit like using an elephant to carry the stylus for your smartphone :wink: :lol:

It's always good to know for sandboxed area... 8)
RSBasic wrote: But be careful: Some antivirus programs sound the alarm.
Yes, you are right, it's also a thing to consider :wink:
The happiness is a road...
Not a destination
Mijikai
Addict
Posts: 1517
Joined: Sun Sep 11, 2016 2:17 pm

Re: Stores simple states in exe

Post by Mijikai »

Kwai chang caine wrote: I don't really know what shellcode is :oops:
You mean, like a batch? I have done it this way one time: when I close the exe, I write a batch in the temp folder, with the rename of the exe inside, and afterwards the batch can delete itself 8)
But I don't know it's possible to poke an exe with a script :shock:
Shellcode is basically code that can run by itself anywhere in memory.
The only problem in this case is that we can't run it in the same address space as the executable.

However using the registry / ADS / another file are all good (and more sane) solutions.
Mijikai
Addict
Posts: 1517
Joined: Sun Sep 11, 2016 2:17 pm

Re: Stores simple states in exe

Post by Mijikai »

HanPBF wrote: Normally an exe is not allowed to be changed as malicious software could do so and that's prevented.
...
Afaik - patching itself is normal practise :?:
Last edited by Mijikai on Fri Apr 06, 2018 5:37 pm, edited 1 time in total.
walbus
Addict
Posts: 929
Joined: Sat Mar 02, 2013 9:17 am

Re: Stores simple states in exe

Post by walbus »

It's like eating soup with a shoehorn
You can, it's going more or less well
But it leaves a bad taste
For the above purpose, simply unprofessional, sorry KCC
Michael Vogel
Addict
Posts: 2797
Joined: Thu Feb 09, 2006 11:27 pm
Contact:

Re: Stores simple states in exe

Post by Michael Vogel »

KCC - I did a small snippet for you, 'cause you're one of the really good characters here... :wink:

You need to compile the code to kcc.exe - Daisy will copy this exe to the temporary directory and start it to allow Donald to set the file date, return to the main program and delete all temporary files again.

Code:

#Q=#DOUBLEQUOTE$
#KccExe="kcc.exe"
#KccCmd="kcc.cmd"

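; Daisy: copy the running exe to the temp directory, start the copy with "! <value> <original path>", then exit
Procedure Daisy(value)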

	Protected temp.s
	Protected original.s
	Protected new.s

	original=ProgramFilename()
	temp=GetTemporaryDirectory()

	If CopyFile(original,temp+#KccExe)
		RunProgram(temp+#KccExe,"! "+Str(value)+" "+#Q+original+#Q,temp)
		End
	Else
		MessageRequester("Daisy",": (")
	EndIf

EndProcedure
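; Donald: runs from the temp copy, stores value in the seconds field of the original exe's modified date, then cleans up and restarts the original
Procedure Donald(value,original.s)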

	Protected temp.s
	temp=GetTemporaryDirectory()
	
	If Left(ProgramFilename(),Len(temp))=temp
		SetCurrentDirectory(temp)
		SetFileDate(original,#PB_Date_Modified,Date(2000,1,1,0,0,value))
		If CreateFile(0,#KccCmd)
			WriteStringN(0,"@del "+#Q+#KccExe+#Q)
			WriteStringN(0,"@del "+#Q+#KccCmd+#Q)
			CloseFile(0)
			WinExec_("cmd.exe /c "+#KccCmd,#SW_HIDE)
			RunProgram(original)
			End
		EndIf
	EndIf

	MessageRequester("Donald",": (")

EndProcedure

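; Entry point: three parameters starting with "!" mean we are the temp copy; otherwise read the state from our own modified date
If CountProgramParameters()=3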
	If ProgramParameter(0)="!"
		Donald(Val(ProgramParameter(1)),ProgramParameter(2))
	EndIf
	
Else
	value=GetFileDate(ProgramFilename(),#PB_Date_Modified)
	If Year(value)>2000
		value=0
	Else
		value=value%60
	EndIf

	If MessageRequester("Main - "+GetPathPart(ProgramFilename()),"Value: "+Str(value),#PB_MessageRequester_YesNo)=#PB_MessageRequester_Yes
		Debug "!"
		Daisy(value+1)
	Else
		End
	EndIf
EndIf
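
An added example, not part of the original post: a Python port of the file-date trick from the snippet above, showing that state kept in file metadata survives only copies that preserve timestamps, the same kind of fragility raised earlier in the thread for ADS. The file names and the `write_state` / `read_state` / `demo` helpers are constructed for this example.

```python
import os
import shutil
import tempfile
from datetime import datetime

# Marker date used by the snippet above: 2000-01-01 00:00:<value>
BASE = datetime(2000, 1, 1, 0, 0, 0)

def write_state(path, value):
    """Store value (0..59) in the seconds field of the file's modified time."""
    if not 0 <= value <= 59:
        raise ValueError("the seconds field only holds 0..59")
    ts = BASE.replace(second=value).timestamp()
    os.utime(path, (ts, ts))  # (access time, modified time)

def read_state(path):
    """Return the stored value, or 0 if the file does not carry the marker date."""
    modified = datetime.fromtimestamp(os.stat(path).st_mtime)
    if modified.year > 2000:  # same test as the snippet: a normal date means "no state"
        return 0
    return modified.second

def demo(value=7):
    """Return the state read from the original, a content-only copy and a metadata copy."""
    with tempfile.TemporaryDirectory() as folder:
        original = os.path.join(folder, "app.bin")  # constructed stand-in for the exe
        with open(original, "wb") as handle:
            handle.write(b"constructed sample bytes")
        write_state(original, value)
        # copyfile copies the bytes only, so the copy gets a fresh modified time
        plain = shutil.copyfile(original, os.path.join(folder, "plain.bin"))
        # copy2 also copies the timestamps, so the state travels with the file
        kept = shutil.copy2(original, os.path.join(folder, "kept.bin"))
        return read_state(original), read_state(plain), read_state(kept)

if __name__ == "__main__":
    print(demo())
```

Copying to a FAT volume is another way to lose the value: FAT keeps the modified time in 2-second steps, so odd values do not survive.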
Kwai chang caine
Always Here
Posts: 5494
Joined: Sun Nov 05, 2006 11:42 pm
Location: Lyon - France

Re: Stores simple states in exe

Post by Kwai chang caine »

Thanks Michael for your Disney code 8) :lol:

@Walbus
Never mind, you know the words "kcc" and "professional" are rarely in the same sentence :wink: :lol:
The happiness is a road...
Not a destination