simple-gui-app is a small Windows app whose sole purpose is to display the number of times it was launched, which is stored in a global variable. To update said variable it uses another app, simple-pe-editor.
After gui-app closes, the following sequence of events occurs:
- gui-app creates a copy of pe-editor in the temporary folder, creates a new process for it and closes
- pe-editor waits until gui-app is closed, finds the aforementioned global variable in the gui-app image and increments it
- then, it creates a gui-app process and closes
- after pe-editor is closed, gui-app removes it
So, basically, this is like carrying a small config variable within an image. Or like simply having a config file but with extra steps and bad design decisions.
- Compile bin2hexarr and simple-pe-editor as console subsystem apps
- Run something like: bin2hexarr simple-pe-editor.exe simple-pe-editor.hexarr
- Put simple-pe-editor.hexarr in the gui-app source folder and compile gui-app as a Windows subsystem app
No makefile. At all.
If the image isn't modifiable at the moment, pe-editor will skip the increment and will be removed silently, so the outcome is indistinguishable from a run where it actually incremented the variable.
The RVA is set to 0xcccccccc by default. This is a reserved value that makes pe-editor search the first 256 bytes of the specified section for the global variable. The global variable had better be in the .data section. Pointing the RVA at the correct global variable location will do as well.
Shouldn't happen, probably. gui-app removes a file only when it's an exact byte copy of the pe-editor it carries within itself. pe-editor checks for the 0xfadedbee signature before incrementing the global variable. Should be sufficient most of the time. This is important because, unlike gui-app, pe-editor can't handle Unicode. And, since it receives the gui-app path as one of its arguments, launching gui-app with Unicode in its path is bad. bin2hexarr isn't very Unicode friendly either.
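The default search mode and the signature check described above, as an added C sketch that is not the project's own code. It assumes the signature dword is immediately followed by a 32-bit counter and is dword-aligned, works on an image already read into memory, and returns distinct status codes so a skipped increment can be told apart from a successful one; all function names and the sample image are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define SIG    0xfadedbeeu  /* signature named on the page */
#define WINDOW 256          /* page: only the first 256 bytes of the section are searched */
enum { OK = 0, ERR_NOT_PE = -1, ERR_NO_SECTION = -2, ERR_NO_SIG = -3 };

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Assumed layout of the global: [SIG dword][counter dword], dword-aligned. */
int bump_counter(uint8_t *img, size_t len, const char *sect)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return ERR_NOT_PE;
    size_t pe = rd32(img + 0x3c);                      /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4)) return ERR_NOT_PE;
    size_t nsec = img[pe + 6] | img[pe + 7] << 8;      /* NumberOfSections */
    size_t tbl = pe + 24 + (img[pe + 20] | img[pe + 21] << 8); /* skip optional header */
    char name[8] = {0};                                /* section names are 8 bytes, NUL-padded */
    memcpy(name, sect, strlen(sect) < 8 ? strlen(sect) : 8);
    for (size_t i = 0; i < nsec; i++) {
        size_t h = tbl + 40 * i;                       /* 40-byte section header */
        if (h + 40 > len) return ERR_NOT_PE;
        if (memcmp(img + h, name, 8)) continue;
        size_t size = rd32(img + h + 16), raw = rd32(img + h + 20);
        if (raw > len || size > len - raw) return ERR_NOT_PE;
        size_t span = size < WINDOW ? size : WINDOW;
        for (size_t off = 0; off + 8 <= span; off += 4) {
            if (rd32(img + raw + off) != SIG) continue;
            wr32(img + raw + off + 4, rd32(img + raw + off + 4) + 1);
            return OK;
        }
        return ERR_NO_SIG;                             /* refuse to touch an unmarked image */
    }
    return ERR_NO_SECTION;
}

/* Constructed sample: header skeleton with one .data section, not a loadable PE. */
static uint8_t sample[0x300];
size_t make_sample(uint32_t sig, uint32_t count)
{
    memset(sample, 0, sizeof sample);
    sample[0] = 'M'; sample[1] = 'Z'; wr32(sample + 0x3c, 0x40);
    memcpy(sample + 0x40, "PE\0\0", 4); sample[0x46] = 1;   /* one section, no optional header */
    memcpy(sample + 0x58, ".data", 5);                      /* section header at 0x40 + 24 */
    wr32(sample + 0x68, 0x100); wr32(sample + 0x6c, 0x200); /* SizeOfRawData, PointerToRawData */
    wr32(sample + 0x210, sig); wr32(sample + 0x214, count);
    return sizeof sample;
}
```

Every offset read from the image is bounds-checked before use, since the editor is handed a path on its command line and cannot assume the file is the image it expects.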