views: 463
answers: 4

Hi,

Whenever I download an update to Firefox and apply it, Kaspersky Antivirus alerts me that the file FIREFOX.EXE has been modified. I want to know how they do it. Is it possible to write a simple program to demonstrate this trick? Like the executable would initially display "Hello, World!" on the prompt, and when I replace/modify the sample executable it must display "Hello, World! Mod".

Thank you.

A: 

The easy way is to use the method FindFirstChangeNotification. But my guess is that the anti-virus is hooking in at some lower level using a system hook or some other mechanism.

joegtp
A: 

I don't specifically know how Firefox does its upgrades, but there are a number of common approaches:

  • On a file system which allows it (like NTFS), rename the currently running .exe, write in its replacement and then chain to the new one.

  • Have a little startup program which does any updating of the main exe before switching to it.

  • Various tricks involving making temporary exes, jumping to them and jumping back, etc.

Will Dean
+1  A: 

I was under the impression that Firefox, when it has an update, runs another application and quits itself. The helper app then replaces the .exe. That way, it is not modifying itself at runtime.

ceejayoz
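The following is an added example, not code from any poster on this page. It shows the two halves of the scenario in the question from the scanner's side: a minimal file-integrity baseline (record a SHA-256 and size per monitored file, re-check later) of the kind that produces a "FIREFOX.EXE has been modified" alert, and a simulated rename-and-replace update in the style Will Dean and ceejayoz describe, applied to a constructed stand-in file so it runs anywhere. The file name, contents and helper names are assumptions for the example; no real installer or anti-virus API is involved.

```python
"""Added example (not from any poster on this page): a minimal file-integrity
baseline, the mechanism behind an anti-virus "file has been modified" alert,
plus a simulated rename-and-replace update of the kind described in the
answers.  File names and contents below are constructed for the demo."""

import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Return the attributes a scanner would record for one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": path.stat().st_size}


def take_baseline(paths) -> dict:
    """Record a known-good fingerprint for each monitored file."""
    return {str(p): fingerprint(Path(p)) for p in paths}


def check_integrity(baseline: dict) -> dict:
    """Compare the current state of each file with its baseline.

    Result per file: 'ok', 'modified' (hash or size differs) or 'missing'.
    """
    report = {}
    for name, expected in baseline.items():
        p = Path(name)
        if not p.exists():
            report[name] = "missing"
            continue
        report[name] = "ok" if fingerprint(p) == expected else "modified"
    return report


def rename_and_replace(exe: Path, new_image: bytes) -> None:
    """Simulate the 'rename the running .exe, write the replacement' update
    pattern from Will Dean's answer.  On NTFS a running image can be renamed
    while it executes; here it is an ordinary file, so the rename just works."""
    old = exe.with_name(exe.name + ".old")
    os.replace(exe, old)          # old image keeps living under the new name
    exe.write_bytes(new_image)    # replacement appears under the original name
    old.unlink()                  # a real updater would do this on next start


def demo() -> dict:
    """Baseline a constructed 'firefox.exe', update it, re-check, delete it."""
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "firefox.exe"            # constructed stand-in, not a PE
        exe.write_bytes(b"MZ...hello-world-build-1\n")
        base = take_baseline([exe])
        before = check_integrity(base)[str(exe)]
        rename_and_replace(exe, b"MZ...hello-world-build-2\n")
        after = check_integrity(base)[str(exe)]
        exe.unlink()
        gone = check_integrity(base)[str(exe)]
    return {"before": before, "after": after, "gone": gone}


if __name__ == "__main__":
    print(demo())   # {'before': 'ok', 'after': 'modified', 'gone': 'missing'}
```

The "modified" verdict comes purely from comparing the stored fingerprint with the file on disk, which is why an ordinary product update trips it just as a tampered binary would; a scanner that wants to avoid the false positive has to verify the new file's publisher signature rather than its old hash.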
A: 

I am searching for self-modifying code in C++. I think programs can modify themselves by detaching them from the Windows