[DUG] Renaming file in use

Kyley Harris kyleyharris at gmail.com
Fri Dec 2 23:08:36 NZDT 2005


Like it or hate it..

   uses Windows, ShellAPI, SysUtils; // CopyFile/ShellExecute, RenameFile/ChangeFileExt

   // Rename the running exe out of the way (Windows allows renaming an in-use
   // image), copy the new build into the old name, relaunch it and exit.
   if RenameFile(ParamStr(0), ChangeFileExt(ParamStr(0), '.bak')) then
   begin
     CopyFile(PChar(ExtractFilePath(ParamStr(0)) + 'new.exe'), PChar(ParamStr(0)), True);
     ShellExecute(0, 'open', PChar(ParamStr(0)), '', '', SW_SHOW);
     Halt;
   end;

This is a valid method of updating an application under Windows, and is a design feature.

I completely dispute the fact that this helps viruses.

If a virus wants to replace ditto.exe with ditto.exe (which is now a virus) it certainly doesn't need to sneak around and rename a file. If the virus is there, then it's going to do a kill process or a copyfile. If they want to take over a DLL that is in use, typically they would bind themselves in as a startup process to override the DLLs etc. before those DLLs are used. Windows XP automatically kills any DLLs and replaces them if they are system DLLs, for just such virus prevention, so no real concern there either.

It doesn't need to worry about renaming something???? Besides that, viruses hijack processes by binding themselves in as stubs on the application, which still runs the normal code so that you don't find out... If they renamed a file to replace it with something else you would find out very quickly when the job is not getting done anymore....

On Fri, 02 Dec 2005 18:28:48 +1300, Rohit Gupta <r.gupta at xtra.co.nz> wrote:

> Sean,
>
> I thought I would try this out and you are right, another crappo from Microsoft. Not only can you rename the file, it also renames the path in the shortcut that launched it. Another way a virus can get in. And you can even rename the DLL that's in use. Further to that, if you rename a system DLL, it silently copies it from the backup. All tested on win2k. Will all this really work the same way on XP, 2kserver, 2k3server, Terminal Services, a PC using Domain Server and Longhorn ????
>
> I would still maintain that it is idiotic to rely on this mechanism. Any primitive virus protection thingy should foil this. But does it ? :-( Zonealarm certainly did not complain.
>
> I despair. It's worth the effort to write a virus to teach MS a lesson.
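
The rename-in-use update shown at the top of the thread, written out as a complete Delphi console program with the checks a practitioner would add. This is an added example, not code from either poster; the routine name SwapRunningExe is an assumption, and it keeps the thread's `new.exe` convention. The point it adds beyond the snippet above is rollback: if the copy fails after the rename, the original name is restored, so a half-finished update cannot leave the install without a working executable.

```delphi
program SelfUpdateDemo;
{$APPTYPE CONSOLE}

uses
  Windows, ShellAPI, SysUtils;

{ Replace the running executable with NewExe using the rename-in-use technique.
  Returns True only when the new file is in place under the original name.
  SwapRunningExe is a hypothetical name chosen for this example. }
function SwapRunningExe(const NewExe: string): Boolean;
var
  OldExe, BakExe: string;
begin
  Result := False;
  OldExe := ParamStr(0);
  BakExe := ChangeFileExt(OldExe, '.bak');

  // Nothing to swap in: leave the running image untouched.
  if not FileExists(NewExe) then
    Exit;

  // A stale .bak from an earlier update would make RenameFile fail.
  if FileExists(BakExe) and not DeleteFile(BakExe) then
    Exit;

  // Windows permits renaming a mapped executable; only overwrite/delete is refused.
  if not RenameFile(OldExe, BakExe) then
    Exit;

  // bFailIfExists=True: the original name is now free, so a file appearing there
  // means something else raced us; refuse to clobber it and roll back instead.
  if not CopyFile(PChar(NewExe), PChar(OldExe), True) then
  begin
    RenameFile(BakExe, OldExe); // restore so the application still starts next time
    Exit;
  end;

  Result := True;
end;

begin
  if SwapRunningExe(ExtractFilePath(ParamStr(0)) + 'new.exe') then
  begin
    ShellExecute(0, 'open', PChar(ParamStr(0)), nil, nil, SW_SHOW);
    Halt(0);
  end
  else
    Writeln('Update failed; original executable left in place.');
end.
```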

