crashdemons Posted March 30, 2008 Share Posted March 30, 2008 (edited) Please see Trancexx's ResHacker project for a much better project of this nature.------------------------ScreenshotWhat does this Script do? - - It allows you to view the header structure of Portable Executables. - - Including the main header (DOS/MZ), the PE Header, File Header, Data Directories, Optional header and the section headers. - - As a side-option you can change file attributes and times, but that's beside the point.What Data Directories are currently supported for extended information? - - Just the Import and Export Tables at the moment. - - It Is my hope that I will eventually support all the Data Directories and their tables, if possible.Where did you get your information? - - After realizing I was using a bad method of getting information in "Application Headers.au3" I sought out how to correctly get the information. The answer was that the application headers were a lot of Data Structures - After some heavy testing and going through tutorials and documents I was able to put it all together. - - Tutorials: - - - Iczelion's PE Tutorial: http://win32assembly.online.fr/pe-tut1.html (change the 1 for 1-6 etc.) - - Constants and structure information was specified and verified by reading through the Microsoft Developer's Network, with their extensive documentations.Are there any known issues? - - Yes, I will list them here - - - When a file is closed, the "info" controls are set to be 'hidden' and the listview is set to be 'shown' but the reverse happens, oddly. (see the "----CHECK 1" comment in PEScope.au3)Where are the files? - - Right Here (last ran with Au3.2.12.1)PEAppConstants.au3 (v1.1 - Constants used)PEAppLib.au3 (v3.3 - processes used to get PE info)PEScope.au3 (v1.2 - this is the example program)Updates:8/25/2008 - Update to remove Au3Check warnings and errors.9/7/2008 - Added option to menu for a quick RVA2Offset, Added Export Table entries (are the ordinals right?) Edited March 14, 2009 by crashdemons My Projects - WindowDarken (Darken except the active window) Yahsmosis Chat Client (Discontinued) StarShooter Game (Red alert! All hands to battlestations!) YMSG Protocol Support (Discontinued) Circular Keyboard and OSK example. (aka Iris KB) Target Screensaver Drive Toolbar Thingy Rollup Pro (Minimize-to-Titlebar & More!) 2D Launcher physics example Ascii Screenshot AutoIt3 Quine Example ("Is a Quine" is a Quine.) USB Lock (Another system keydrive - with a toast.) Link to comment Share on other sites More sharing options...
crashdemons Posted August 23, 2008 Author Share Posted August 23, 2008 As you read this post, tell me if you think of anything reasonable to add. My Projects - WindowDarken (Darken except the active window) Yahsmosis Chat Client (Discontinued) StarShooter Game (Red alert! All hands to battlestations!) YMSG Protocol Support (Discontinued) Circular Keyboard and OSK example. (aka Iris KB) Target Screensaver Drive Toolbar Thingy Rollup Pro (Minimize-to-Titlebar & More!) 2D Launcher physics example Ascii Screenshot AutoIt3 Quine Example ("Is a Quine" is a Quine.) USB Lock (Another system keydrive - with a toast.) Link to comment Share on other sites More sharing options...
WeMartiansAreFriendly Posted August 24, 2008 Share Posted August 24, 2008 (edited) Very nice! I'm getting quite a few warnings and errors, but nothing too serious, it runs just fine though. [Edit] As for something new to add, Can't think of anything at the moment, but I'd say writing documentation and cleaning the code up a bit before you continue would save you from *alot* of trouble in the long run Edited August 24, 2008 by mrRevoked Don't bother, It's inside your monitor!------GUISetOnEvent should behave more like HotKeySet() Link to comment Share on other sites More sharing options...
crashdemons Posted August 25, 2008 Author Share Posted August 25, 2008 Very nice! I'm getting quite a few warnings and errors, but nothing too serious, it runs just fine though. [Edit] As for something new to add, Can't think of anything at the moment, but I'd say writing documentation and cleaning the code up a bit before you continue would save you from *alot* of trouble in the long run Did I ever tell you I hate Au3Check? Alot of the warnings come because Au3Check doesn't check the execution of the program's functions where Globals are defined - - Thinking about it, it's probably right. Predefining would save possible flaws (whereas I may not forsee every condition in which a global is called before creation) Alot of the errors come because I use Dim sometimes as a work-around to OnEvent functions not defining optional parameters. - - I may not need to do this and I'll look over what I have. Personally, I don't see the problem with Dim'ing optionals if it keeps the No. of functions and work down while accomplishing what needs to be done unless there's a major issue. I will post a modified version that removes all of the warnings and all of the errors if possible - I will also post a reply when I do. My Projects - WindowDarken (Darken except the active window) Yahsmosis Chat Client (Discontinued) StarShooter Game (Red alert! All hands to battlestations!) YMSG Protocol Support (Discontinued) Circular Keyboard and OSK example. (aka Iris KB) Target Screensaver Drive Toolbar Thingy Rollup Pro (Minimize-to-Titlebar & More!) 2D Launcher physics example Ascii Screenshot AutoIt3 Quine Example ("Is a Quine" is a Quine.) USB Lock (Another system keydrive - with a toast.) Link to comment Share on other sites More sharing options...
crashdemons Posted August 25, 2008 Author Share Posted August 25, 2008 UPDATEPEScope.au3 (v1.1)PEAppLib (v3.2)Minor issues causing Au3Check errors and warnings seem to have been fixed. (at least for me)>"C:\Program Files\AutoIt3\SciTE\AutoIt3Wrapper\AutoIt3Wrapper.exe" /prod /AU3Check /in "C:\...\PEScope.au3"+>03:00:19 Starting AutoIt3Wrapper v.1.9.2>Running AU3Check (1.54.13.0) from:C:\Program Files\AutoIt3+>03:00:22 AU3Check ended.rc:0+>03:00:22 AutoIt3Wrapper Finished>Exit code: 0 Time: 4.177 My Projects - WindowDarken (Darken except the active window) Yahsmosis Chat Client (Discontinued) StarShooter Game (Red alert! All hands to battlestations!) YMSG Protocol Support (Discontinued) Circular Keyboard and OSK example. (aka Iris KB) Target Screensaver Drive Toolbar Thingy Rollup Pro (Minimize-to-Titlebar & More!) 2D Launcher physics example Ascii Screenshot AutoIt3 Quine Example ("Is a Quine" is a Quine.) USB Lock (Another system keydrive - with a toast.) Link to comment Share on other sites More sharing options...
peppercorngiant Posted September 1, 2008 Share Posted September 1, 2008 I just LOVE looking inside exe's to see what kind of interesting (unencrypted)strings i can find. This could mean some automation for me when i feel like poking a few exe's until something falls out that shouldnt. (mostly work related) [font="Lucida Console"]The truth is out there[/font] Link to comment Share on other sites More sharing options...
crashdemons Posted September 7, 2008 Author Share Posted September 7, 2008 (edited) UPDATE PEAppConstants.au3 (v1.1) PEAppLib.au3 (v3.3) PEScope.au3 (v1.2) Moved some processes for identifying the names of constants when reading values into PEAppLib.au3 so they can be reused in some form or another. - This update required modifying Scope and AppLib files. Added the ability to read a file's exported functions. (See Headers>PE/COFF>Data Dir>Exports) (I'm not sure if all of the Ordinal Values are correct, but all of the names and the number of entries should be correct.) - This update required modifying all three files. Added an option under a new "Search" menu to get the file offset (0-based) of an RVA - Note: if the RVA is out-of-bounds or invalid you will get 0 as a result. Also, this was mainly added for my testing reasons. - This update required modifying Scope. Edited September 7, 2008 by crashdemons My Projects - WindowDarken (Darken except the active window) Yahsmosis Chat Client (Discontinued) StarShooter Game (Red alert! All hands to battlestations!) YMSG Protocol Support (Discontinued) Circular Keyboard and OSK example. (aka Iris KB) Target Screensaver Drive Toolbar Thingy Rollup Pro (Minimize-to-Titlebar & More!) 2D Launcher physics example Ascii Screenshot AutoIt3 Quine Example ("Is a Quine" is a Quine.) USB Lock (Another system keydrive - with a toast.) Link to comment Share on other sites More sharing options...
WeMartiansAreFriendly Posted September 7, 2008 Share Posted September 7, 2008 Thanks for the update! Don't bother, It's inside your monitor!------GUISetOnEvent should behave more like HotKeySet() Link to comment Share on other sites More sharing options...
Digisoul Posted March 5, 2009 Share Posted March 5, 2009 Screenshot What does this Script do? - - It allows you to view the header structure of Portable Executables. - - Including the main header (DOS/MZ), the PE Header, File Header, Data Directories, Optional header and the section headers. - - As a side-option you can change file attributes and times, but that's beside the point. What Data Directories are currently supported for extended information? - - Just the Import and Export Tables at the moment. - - It Is my hope that I will eventually support all the Data Directories and their tables, if possible. Where did you get your information? - - After realizing I was using a bad method of getting information in "Application Headers.au3" I sought out how to correctly get the information. The answer was that the application headers were a lot of Data Structures - After some heavy testing and going through tutorials and documents I was able to put it all together. - - Tutorials: - - - Iczelion's PE Tutorial: http://win32assembly.online.fr/pe-tut1.html (change the 1 for 1-6 etc.) - - Constants and structure information was specified and verified by reading through the Microsoft Developer's Network, with their extensive documentations. Are there any known issues? - - Yes, I will list them here - - - When a file is closed, the "info" controls are set to be 'hidden' and the listview is set to be 'shown' but the reverse happens, oddly. (see the "----CHECK 1" comment in PEScope.au3) Where are the files? - - Right Here (last ran with Au3.2.12.1) PEAppConstants.au3 (v1.1 - Constants used) PEAppLib.au3 (v3.3 - processes used to get PE info) PEScope.au3 (v1.2 - this is the example program) Updates: 8/25/2008 - Update to remove Au3Check warnings and errors. 9/7/2008 - Added option to menu for a quick RVA2Offset, Added Export Table entries (are the ordinals right?) Your Whole program is Awesome, but its much difficult to modify i only need the Sections and their offsets , how can i get the piece of code from your program ? 73 108 111 118 101 65 117 116 111 105 116 Link to comment Share on other sites More sharing options...
deathday Posted March 5, 2009 Share Posted March 5, 2009 Sounds interesting to me ,i havent tested yet , just downloaded ,ill test it today , , by the way , if you don't mind can u make your app to read other application windows in real time i mean like a .exe application widow in real time, im finding it difficult to do that .... Link to comment Share on other sites More sharing options...
crashdemons Posted March 12, 2009 Author Share Posted March 12, 2009 Your Whole program is Awesome,but its much difficult to modifyi only need the Sections and their offsets , how can i get the piece of code from your program ?Sorry that I took so long to respond - What parts would you like to have, if you still need them? My Projects - WindowDarken (Darken except the active window) Yahsmosis Chat Client (Discontinued) StarShooter Game (Red alert! All hands to battlestations!) YMSG Protocol Support (Discontinued) Circular Keyboard and OSK example. (aka Iris KB) Target Screensaver Drive Toolbar Thingy Rollup Pro (Minimize-to-Titlebar & More!) 2D Launcher physics example Ascii Screenshot AutoIt3 Quine Example ("Is a Quine" is a Quine.) USB Lock (Another system keydrive - with a toast.) Link to comment Share on other sites More sharing options...
crashdemons Posted March 12, 2009 Author Share Posted March 12, 2009 (edited) Sounds interesting to me ,i havent tested yet , just downloaded ,ill test it today , , by the way , if you don't mind can u make your app to read other application windows in real time i mean like a .exe application widow in real time, im finding it difficult to do that .... I would love to but without fully supporting the DLLStruct functions (nomatter what alignment I used, the results were not what I expected) the processing speed is just too slow. Edited March 12, 2009 by crashdemons My Projects - WindowDarken (Darken except the active window) Yahsmosis Chat Client (Discontinued) StarShooter Game (Red alert! All hands to battlestations!) YMSG Protocol Support (Discontinued) Circular Keyboard and OSK example. (aka Iris KB) Target Screensaver Drive Toolbar Thingy Rollup Pro (Minimize-to-Titlebar & More!) 2D Launcher physics example Ascii Screenshot AutoIt3 Quine Example ("Is a Quine" is a Quine.) USB Lock (Another system keydrive - with a toast.) Link to comment Share on other sites More sharing options...
Digisoul Posted March 12, 2009 Share Posted March 12, 2009 (edited) Sorry that I took so long to respond - What parts would you like to have, if you still need them?Thanks for your reply, Actually i want the "Offset and Names" of the exists sections in any PE File.Hope you will make a short program for me, i m still trying to figuring out with ur project but not successful yet. Edited March 12, 2009 by Digisoul 73 108 111 118 101 65 117 116 111 105 116 Link to comment Share on other sites More sharing options...
trancexx Posted March 12, 2009 Share Posted March 12, 2009 I would love to but without fully supporting the DLLStruct functions (nomatter what alignment I used, the results were not what I expected) the processing speed is just too slow.What do you mean fully supporting the DLLStruct functions? ♡♡♡ . eMyvnE Link to comment Share on other sites More sharing options...
crashdemons Posted March 12, 2009 Author Share Posted March 12, 2009 (edited) What do you mean fully supporting the DLLStruct functions? I'm not using DLLStruct functions currently because I cannot get *ANY* of the DLLStruct alignments to give me values with the right data for the specified data types. I tried all combinations I could think of until I gave up and did the only other thing I could think of - process it manually. Currently, I'm cheating by doing manual string processing to read struct entries. Slow, but I left the project mostly open for my easy conversion back to DLLStruct if I ever figured out a workaround. (I even used the complete original struct definitions! - the exception being the values which don't have specific lengths) Sighs, try it before you prejudge that little tidbit though - I *REALLY* tried everything I could figure to try. I don't see why the alignment should have been an issue anyway - doesn't seem to matter when I manually read it [everything organized as it should be according to MSDN documenation]. Edited March 12, 2009 by crashdemons My Projects - WindowDarken (Darken except the active window) Yahsmosis Chat Client (Discontinued) StarShooter Game (Red alert! All hands to battlestations!) YMSG Protocol Support (Discontinued) Circular Keyboard and OSK example. (aka Iris KB) Target Screensaver Drive Toolbar Thingy Rollup Pro (Minimize-to-Titlebar & More!) 2D Launcher physics example Ascii Screenshot AutoIt3 Quine Example ("Is a Quine" is a Quine.) USB Lock (Another system keydrive - with a toast.) Link to comment Share on other sites More sharing options...
crashdemons Posted March 12, 2009 Author Share Posted March 12, 2009 Thanks for your reply, Actually i want the "Offset and Names" of the exists sections in any PE File.Hope you will make a short program for me, i m still trying to figuring out with ur project but not successful yet.I'll whip something up as soon as I can - don't expect it immediately though.(I'm assuming you meant the positions and names of the respective "Section Headers") My Projects - WindowDarken (Darken except the active window) Yahsmosis Chat Client (Discontinued) StarShooter Game (Red alert! All hands to battlestations!) YMSG Protocol Support (Discontinued) Circular Keyboard and OSK example. (aka Iris KB) Target Screensaver Drive Toolbar Thingy Rollup Pro (Minimize-to-Titlebar & More!) 2D Launcher physics example Ascii Screenshot AutoIt3 Quine Example ("Is a Quine" is a Quine.) USB Lock (Another system keydrive - with a toast.) Link to comment Share on other sites More sharing options...
crashdemons Posted March 13, 2009 Author Share Posted March 13, 2009 (edited) Thanks for your reply, Actually i want the "Offset and Names" of the exists sections in any PE File. Hope you will make a short program for me, i m still trying to figuring out with ur project but not successful yet. This should work for valid files with an "PE" NT Header signature. At least until the AppLib undergoes major updates sometime in the future. #include <PEAppConstants.au3> #include <PEAppLib.au3> #include <String.au3> ; this is as good as it gets until someone debugs the DLLStruct alignment mess, making PseudoStruct obsolete. ; with this stupid PseudoStruct I have set up "$PSOldPos" to be the "next position" after the processed struct ;NOTE: This example ASSUMES you chose a Win32 PE file that are NT-based and actually HAVE section headers. Local $data=FileReadFull("C:\path\to\someprogram.exe") _Data_ClearCache($data) Global $_Pseudo_HexArray=True $hdos=PseudoStruct(PseudoTagStruct($tagIMAGE_DOS_HEADER),$data) $e_lfanew=Dec($hdos[18]) $PSOldPos=$e_lfanew+4; skip the NT header - it's only a signature anyway! ; be SURE to check the signature of the NT header in your full app. $hfile=PseudoStruct(PseudoTagStruct($tagIMAGE_FILE_HEADER),$data,$PSOldPos) $NumberOfSections=Dec($hfile[1]) $PSOldPos+=96; skip OPTIONAL headers $PSOldPos+=8*16; skip all 16 DATA DIR's (two ulong's each - 8 bytes) $_Pseudo_HexArray=False; we want raw data from our PseudoStruct Local $spos For $i=1 To $NumberOfSections ConsoleWrite('Physical position: '&$PSOldPos&@CRLF) $Section=PseudoStruct(PseudoTagStruct($tagIMAGE_SECTION_HEADER),$data,$PSOldPos) $Section[0]=StringReplace($Section[0],Chr(0),'') ;^^ yes, this is still 8 characters long, Nulls and all - shave them off! ConsoleWrite(@TAB&'Section: '&$Section[0]&@CRLF) $VirtualAddress=_StringToHex($Section[2]) ConsoleWrite(@TAB&@TAB&'Virtual Address: '&$VirtualAddress&@CRLF) Next Output I got with this for a random program: Physical position: 504 Section: UPX0 Virtual Address: 00100000 Physical position: 544 Section: UPX1 Virtual Address: 00400600 Physical position: 584 Section: .rsrc Virtual Address: 00B00900 Edits: typos and more info. Edited March 13, 2009 by crashdemons My Projects - WindowDarken (Darken except the active window) Yahsmosis Chat Client (Discontinued) StarShooter Game (Red alert! All hands to battlestations!) YMSG Protocol Support (Discontinued) Circular Keyboard and OSK example. (aka Iris KB) Target Screensaver Drive Toolbar Thingy Rollup Pro (Minimize-to-Titlebar & More!) 2D Launcher physics example Ascii Screenshot AutoIt3 Quine Example ("Is a Quine" is a Quine.) USB Lock (Another system keydrive - with a toast.) Link to comment Share on other sites More sharing options...
UEZ Posted March 13, 2009 Share Posted March 13, 2009 (edited) I'm getting this error when I try to run it:+>09:05:30 Starting AutoIt3Wrapper v.2.0.0.0 Environment(Language:0409 Keyboard:00000407 OS:WIN_VISTA/ CPU:X86)>Running AU3Check (1.54.14.0) from:C:\Program Files\AutoIt3C:\Coding\Scripts\AU3\Tools\PE-Scope\PEAppLib.au3(477,28) : ERROR: undefined macro. Switch @ProcessorArch ~~~~~~~~~~~~~~~~~~~~~^C:\Coding\Scripts\AU3\Tools\PE-Scope\PEScope.au3(143,17) : ERROR: $Error previously declared as a 'Const' $Error = @error ~~~~~~~~~~~~~~~^C:\Coding\Scripts\AU3\Tools\PE-Scope\PEScope.au3 - 2 error(s), 0 warning(s)!>09:05:30 AU3Check ended.rc:2I'm using AutoIt v3.3.0.0 and Vista x32. UEZ Edited March 13, 2009 by UEZ Please don't send me any personal message and ask for support! I will not reply! Selection of finest graphical examples at Codepen.io The own fart smells best! ✌Her 'sikim hıyar' diyene bir avuç tuz alıp koşma!¯\_(ツ)_/¯ ٩(●̮̮̃•̃)۶ ٩(-̮̮̃-̃)۶ૐ Link to comment Share on other sites More sharing options...
trancexx Posted March 13, 2009 Share Posted March 13, 2009 I'm not using DLLStruct functions currently because I cannot get *ANY* of the DLLStruct alignments to give me values with the right data for the specified data types. I tried all combinations I could think of until I gave up and did the only other thing I could think of - process it manually. Currently, I'm cheating by doing manual string processing to read struct entries. Slow, but I left the project mostly open for my easy conversion back to DLLStruct if I ever figured out a workaround. (I even used the complete original struct definitions! - the exception being the values which don't have specific lengths) Sighs, try it before you prejudge that little tidbit though - I *REALLY* tried everything I could figure to try. I don't see why the alignment should have been an issue anyway - doesn't seem to matter when I manually read it [everything organized as it should be according to MSDN documenation].Well, it's not related to alignment. Thing is that you should simulate state of loaded module to get things to work properly. System does different things when loading that module. If you are going to use virtual addresses and just read the module than you need to correct read values. Try this: expandcollapse popup#NoTrayIcon Global $sModule = @SystemDir & "\user32.dll"; or whatever _WriteMiscDataToConsole($sModule) Func _WriteMiscDataToConsole($sModule) Local $tBinary = DllStructCreate("byte[" & FileGetSize($sModule) & "]") $hModule = FileOpen($sModule, 16) DllStructSetData($tBinary, 1, FileRead($hModule)) FileClose($hModule) Local $pPointer = DllStructGetPtr($tBinary) Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _ "ushort BytesOnLastPage;" & _ "ushort Pages;" & _ "ushort Relocations;" & _ "ushort SizeofHeader;" & _ "ushort MinimumExtra;" & _ "ushort MaximumExtra;" & _ "ushort SS;" & _ "ushort SP;" & _ "ushort Checksum;" & _ "ushort IP;" & _ "ushort CS;" & _ "ushort Relocation;" & _ "ushort Overlay;" & _ "char Reserved[8];" & _ "ushort OEMIdentifier;" & _ "ushort OEMInformation;" & _ "char Reserved2[20];" & _ "dword AddressOfNewExeHeader", _ $pPointer) $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader"); move to PE file header Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer); IMAGE_NT_SIGNATURE = 17744 If Not (DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") = 17744) Then Return SetError(1, 0, ""); Wrong NTSIGNATURE EndIf $pPointer += 4; size of $tIMAGE_NT_SIGNATURE structure Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _ "ushort NumberOfSections;" & _ "dword TimeDateStamp;" & _ "dword PointerToSymbolTable;" & _ "dword NumberOfSymbols;" & _ "ushort SizeOfOptionalHeader;" & _ "ushort Characteristics", _ $pPointer) Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections") ConsoleWrite("NumberOfSections: " & $iNumberOfSections & @CRLF & @CRLF) $pPointer += 20; size of $tIMAGE_FILE_HEADER structure Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _ "ubyte MajorLinkerVersion;" & _ "ubyte MinorLinkerVersion;" & _ "dword SizeOfCode;" & _ "dword SizeOfInitializedData;" & _ "dword SizeOfUninitializedData;" & _ "dword AddressOfEntryPoint;" & _ "dword BaseOfCode;" & _ "dword BaseOfData;" & _ "dword ImageBase;" & _ "dword SectionAlignment;" & _ "dword FileAlignment;" & _ "ushort MajorOperatingSystemVersion;" & _ "ushort MinorOperatingSystemVersion;" & _ "ushort MajorImageVersion;" & _ "ushort MinorImageVersion;" & _ "ushort MajorSubsystemVersion;" & _ "ushort MinorSubsystemVersion;" & _ "dword Win32VersionValue;" & _ "dword SizeOfImage;" & _ "dword SizeOfHeaders;" & _ "dword CheckSum;" & _ "ushort Subsystem;" & _ "ushort DllCharacteristics;" & _ "dword SizeOfStackReserve;" & _ "dword SizeOfStackCommit;" & _ "dword SizeOfHeapReserve;" & _ "dword SizeOfHeapCommit;" & _ "dword LoaderFlags;" & _ "dword NumberOfRvaAndSizes", _ $pPointer) $pPointer += 96; size of $tIMAGE_OPTIONAL_HEADER Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic") ConsoleWrite("Magic " & $iMagic & @CRLF) ConsoleWrite("ImageBase " & Ptr(DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase")) & @CRLF) ConsoleWrite("NumberOfRvaAndSizes " & DllStructGetData($tIMAGE_OPTIONAL_HEADER, "NumberOfRvaAndSizes") & @CRLF) ConsoleWrite(@CRLF) If Not ($iMagic = 267) Then Return SetError(0, 1, 1); not 32-bit application. Structures are for 32-bit EndIf ; Export Directory Local $tIMAGE_DIRECTORY_ENTRY_EXPORT = DllStructCreate("dword VirtualAddress;" & _ "dword Size", _ $pPointer) $pPointer += 8; size of $tIMAGE_DIRECTORY_ENTRY_EXPORT ConsoleWrite("+VirtualAddress Exports " & Ptr(DllStructGetData($tIMAGE_DIRECTORY_ENTRY_EXPORT, "VirtualAddress")) & @CRLF) ConsoleWrite(@CRLF) If DllStructGetData($tIMAGE_DIRECTORY_ENTRY_EXPORT, "Size") Then Local $tIMAGE_EXPORT_DIRECTORY = DllStructCreate("dword Characteristics;" & _ "dword TimeDateStamp;" & _ "ushort MajorVersion;" & _ "ushort MinorVersion;" & _ "dword Name;" & _ "dword Base;" & _ "dword NumberOfFunctions;" & _ "dword NumberOfNames;" & _ "dword AddressOfFunctions;" & _ "dword AddressOfNames;" & _ "dword AddressOfNameOrdinals", _ DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_DIRECTORY_ENTRY_EXPORT, "VirtualAddress") - 3072) Local $iBase = DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "Base") Local $iNumberOfExporedFunctions = DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "NumberOfFunctions") ;Local $tBufferAddress = DllStructCreate("dword[" & DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "NumberOfFunctions") & "]", DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "AddressOfFunctions") - 3072) Local $tBufferNames = DllStructCreate("dword[" & DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "NumberOfNames") & "]", DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "AddressOfNames") - 3072) Local $tBufferNamesOrdinals = DllStructCreate("ushort[" & DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "NumberOfFunctions") & "]", DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "AddressOfNameOrdinals") - 3072) Local $iNumNames = DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "NumberOfNames"); number of functions exported by name Local $iFuncOrdinal Local $tFuncName, $sFuncName Local $iFuncAddress For $i = 1 To $iNumberOfExporedFunctions ; All ordinals Next ConsoleWrite("!!! Exported functions:" & @CRLF) For $i = 1 To $iNumNames $tFuncName = DllStructCreate("char[64]", DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tBufferNames, 1, $i) - 3072) $sFuncName = DllStructGetData($tFuncName, 1); name of the function $iFuncOrdinal = $iBase + DllStructGetData($tBufferNamesOrdinals, 1, $i) ConsoleWrite($iFuncOrdinal & " " & $sFuncName & @CRLF) Next EndIf ConsoleWrite(@CRLF) ; Import Directory Local $tIMAGE_DIRECTORY_ENTRY_IMPORT = DllStructCreate("dword VirtualAddress;" & _ "dword Size", _ $pPointer) $pPointer += 8; size of $tIMAGE_DIRECTORY_ENTRY_IMPORT ConsoleWrite("+VirtualAddress Imports " & Ptr(DllStructGetData($tIMAGE_DIRECTORY_ENTRY_IMPORT, "VirtualAddress")) & @CRLF) ConsoleWrite(@CRLF) If DllStructGetData($tIMAGE_DIRECTORY_ENTRY_IMPORT, "Size") Then Local $tIMAGE_IMPORT_MODULE_DIRECTORY Local $iOffset, $iOffset2, $tModuleName, $iBufferOffset, $sModuleName, $iInitialOffset, $tBufferOffset, $tBuffer, $sFunctionName Local $i, $j, $k While 1 $i += 1 $tIMAGE_IMPORT_MODULE_DIRECTORY = DllStructCreate("dword RVAOriginalFirstThunk;" & _; actually union "dword TimeDateStamp;" & _ "dword ForwarderChain;" & _ "dword RVAModuleName;" & _ "dword RVAFirstThunk", _ DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_DIRECTORY_ENTRY_IMPORT, "VirtualAddress") + $iOffset - 3072) If Not DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAFirstThunk") Then; the end ExitLoop EndIf If DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAOriginalFirstThunk") Then $iInitialOffset = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAOriginalFirstThunk") - 3072 Else $iInitialOffset = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAFirstThunk") - 3072 EndIf $tModuleName = DllStructCreate("char[64]", DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAModuleName") - 3072) $sModuleName = DllStructGetData($tModuleName, 1) ConsoleWrite("! " & $sModuleName & @CRLF) $iOffset2 = 0 $j = 0 While 1 $j += 1 $tBufferOffset = DllStructCreate("dword", $iInitialOffset + $iOffset2) $iBufferOffset = DllStructGetData($tBufferOffset, 1) If Not $iBufferOffset Then; zero value is the end ExitLoop EndIf If BitShift($iBufferOffset, 24) Then; MSB is set for imports by ordinal, otherwise not ConsoleWrite("Ordinal " & BitAND($iBufferOffset, 0xFFFFFF) & @CRLF) $iOffset2 += 4; size of $tBufferOffset ContinueLoop EndIf $tBuffer = DllStructCreate("ushort Ordinal; char Name[64]", DllStructGetPtr($tIMAGE_DOS_HEADER) + $iBufferOffset - 3072) $sFunctionName = DllStructGetData($tBuffer, "Name") ConsoleWrite($sFunctionName & @CRLF) $iOffset2 += 4; size of $tBufferOffset WEnd $k += $j - 1 $iOffset += 20; size of $tIMAGE_IMPORT_MODULE_DIRECTORY WEnd EndIf ConsoleWrite(@CRLF) $pPointer += 112; size of the rest of the structures before IMAGE_SECTION_HEADER (14 of them) Local $tIMAGE_SECTION_HEADER For $i = 1 To $iNumberOfSections $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _ "dword UnionOfData;" & _ "dword VirtualAddress;" & _ "dword SizeOfRawData;" & _ "dword PointerToRawData;" & _ "dword PointerToRelocations;" & _ "dword PointerToLinenumbers;" & _ "ushort NumberOfRelocations;" & _ "ushort NumberOfLinenumbers;" & _ "dword Characteristics", _ $pPointer) ConsoleWrite(">Section Name: " & DllStructGetData($tIMAGE_SECTION_HEADER, "Name") & @CRLF) ConsoleWrite("VirtualAddress: " & DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress") & @CRLF) ConsoleWrite("SizeOfRawData: " & DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData") & " bytes" & @CRLF) ConsoleWrite("NumberOfRelocations: " & DllStructGetData($tIMAGE_SECTION_HEADER, "NumberOfRelocations") & @CRLF) ConsoleWrite(@CRLF) $pPointer += 40; size of $tIMAGE_SECTION_HEADER structure Next EndFunc ;==>_WriteMiscDataToConsole That method uses RAM much more than it should because it's filling that buffer $tBinary fully. I would recommend other methods of doing this (See ResourcesViewerAndCompiler.au3). @UEZ, fixing that is a trivial task. ♡♡♡ . eMyvnE Link to comment Share on other sites More sharing options...
UEZ Posted March 13, 2009 Share Posted March 13, 2009 (edited) @trancexx: I already fixed that but I just wanted to mention it I forgot to mention: well done crashdemons! UEZ Edited March 13, 2009 by UEZ Please don't send me any personal message and ask for support! I will not reply! Selection of finest graphical examples at Codepen.io The own fart smells best! ✌Her 'sikim hıyar' diyene bir avuç tuz alıp koşma!¯\_(ツ)_/¯ ٩(●̮̮̃•̃)۶ ٩(-̮̮̃-̃)۶ૐ Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now