Jump to content

[UDF] Get EOF(End Of File) Data


IchBistTod
 Share

Recommended Posts

Just made this in my spare time. It returns the EOF data at the end of just about any executable. This is useful for compressing files, running files that need EOF data from memory and much more.

func _getEOFData($file)
$file = FileRead($file)
$file = StringSplit($file, "")  
Return $file[$file[0]]
EndFunc

[center][/center][center]=][u][/u][/center][center][/center]

Link to comment
Share on other sites

Also I am aware that the forums show "$file = StringSplit($file, " ") " however when copied into scite the characters are all shown.

Posted Image

Can you give an example of an exe where this would show something? The script shows nothing for me, and using a hex editor I haven't found that string in any exes. (0X18130F0C1B1512080F or 0x0F0812151B0C0F1318)

Serial port communications UDF Includes functions for binary transmission and reception.printing UDF Useful for graphs, forms, labels, reports etc.Add User Call Tips to SciTE for functions in UDFs not included with AutoIt and for your own scripts.Functions with parameters in OnEvent mode and for Hot Keys One function replaces GuiSetOnEvent, GuiCtrlSetOnEvent and HotKeySet.UDF IsConnected2 for notification of status of connected state of many urls or IPs, without slowing the script.
Link to comment
Share on other sites

simply test it on any file that has eof data and you will see the eof data.

I made this function by opening exe's in scite and veiwing all the possible last or next to last characters in the end of an exe all of which are shown above.

it splits the exe at all these characters and then uses all text after the very last one (the last few bytes of the exe + the eof data).

for example if you use it on any autoit compiled script it should return "AU3!" as those are the last few bytes.

Also the stringsplit function doesnt use the whole string, but EACH character to find the very last special PE encoded character in the file.

If you want to see these characters in a PE file, open them in scite or notepad++/

Edited by IchBistTod

[center][/center][center]=][u][/u][/center][center][/center]

Link to comment
Share on other sites

I wonder what's your definition of EOF data?

Anyways I wouldn't locate the EOF by a string :mellow:

EOF= End Of File Data. Data placed at the end of an executable file that contains information necessary for the executable to properly execute. Also as I said it might not be the most efficient way, but it works next to flawlessly, and I dont want to hear criticism unless anyone else can do better.

Also as stated its not located by A string but by a set of several control characters used at the end of all EXE files, and pulling all data after the last one of is found.

Test it on any file you like, simply write EOF data to the end of it using autoit, then retrieve the EOF data with this function.

Edited by IchBistTod

[center][/center][center]=][u][/u][/center][center][/center]

Link to comment
Share on other sites

whatever Edited by MvGulik

"Straight_and_Crooked_Thinking" : A "classic guide to ferreting out untruths, half-truths, and other distortions of facts in political and social discussions."
"The Secrets of Quantum Physics" : New and excellent 2 part documentary on Quantum Physics by Jim Al-Khalili. (Dec 2014)

"Believing what you know ain't so" ...

Knock Knock ...
 

Link to comment
Share on other sites

Don't worry about that. I don't think there is a change for that. :mellow:

I requested help on this matter several weeks ago with not even 1 response, which leads me to assume no one here can do it another way, or at least knows how to do it any other way, nor thought of this way.

When someone does after a way to find the end of the pe data via the pe structure and use that to retreive all data thereafer(EOF) then I will applaud them.

Until then please do not criticize my script, as it works, and as of now is the only one to preform the function it does.

[center][/center][center]=][u][/u][/center][center][/center]

Link to comment
Share on other sites

Actually... I responded to you. I suggested you read up on the PE-structure. But you found your own way. That is OK. If "noone has done this" it might be because they didn't need to. Keep working! :mellow:

/Manko

Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...
Link to comment
Share on other sites

I requested help on this matter several weeks ago with not even 1 response, ......

Yes, it's disappointing when a post is ignored.

Serial port communications UDF Includes functions for binary transmission and reception.printing UDF Useful for graphs, forms, labels, reports etc.Add User Call Tips to SciTE for functions in UDFs not included with AutoIt and for your own scripts.Functions with parameters in OnEvent mode and for Hot Keys One function replaces GuiSetOnEvent, GuiCtrlSetOnEvent and HotKeySet.UDF IsConnected2 for notification of status of connected state of many urls or IPs, without slowing the script.
Link to comment
Share on other sites

Actually... I responded to you. I suggested you read up on the PE-structure. But you found your own way. That is OK. If "noone has done this" it might be because they didn't need to. Keep working! :mellow:

/Manko

Yes thank you, but I had already thought of this.

It would have been a little more helpful had you provided at least one link to a website that properly documented the PE-Structure, as I couldnt find one.

And my only point was in to say quite simply, unless there is another oen or better one, to please not criticize my work, as there is nothing else to compare it to.

Although it is useful for exefrommem functions, to make sure EOF data is transfered.

[center][/center][center]=][u][/u][/center][center][/center]

Link to comment
Share on other sites

Yes thank you, but I had already thought of this.

It would have been a little more helpful had you provided at least one link to a website that properly documented the PE-Structure, as I couldnt find one.

Yes, I'm sorry about that.. I didn't have any good ones in memory... Googling now I found a few... this is one that I found useful before... (adittedly it was harder to find again. It is perhaps not the best, but....)

http://www.pelib.com/resources/kath.txt

About searching the net... It is one of the most important skills... But when we are still just in practice, patience and persistence is our most valued tools...

/Manko

Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...
Link to comment
Share on other sites

The 'External Links' section on Wikipedia has some good resources.

Link to comment
Share on other sites

Yes, I'm sorry about that.. I didn't have any good ones in memory... Googling now I found a few... this is one that I found useful before... (adittedly it was harder to find again. It is perhaps not the best, but....)

http://www.pelib.com/resources/kath.txt

About searching the net... It is one of the most important skills... But when we are still just in practice, patience and persistence is our most valued tools...

/Manko

Thanks I will look into it in a while. I am currently occupied with another project now, and this UDF does the job for now.

[center][/center][center]=][u][/u][/center][center][/center]

Link to comment
Share on other sites

#include <winapi.au3>
Func READEOF ($sModule)
Local $iLoaded
Local $a_hCall = DllCall("kernel32.dll", "hwnd", "GetModuleHandleW", "wstr", $sModule)
If @error Then
Return SetError(1, 0, "")
EndIf
Local $pPointer = $a_hCall[0]

If Not $a_hCall[0] Then
        $a_hCall = DllCall("kernel32.dll", "hwnd", "LoadLibraryExW", "wstr", $sModule, "hwnd", 0, "int", 1)
        If @error Or Not $a_hCall[0] Then
            Return SetError(2, 0, "")
        EndIf
        $iLoaded = 1
        $pPointer = $a_hCall[0]
    EndIf


Local $hModule = $a_hCall[0]
Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _
            "ushort BytesOnLastPage;" & _
            "ushort Pages;" & _
            "ushort Relocations;" & _
            "ushort SizeofHeader;" & _
            "ushort MinimumExtra;" & _
            "ushort MaximumExtra;" & _
            "ushort SS;" & _
            "ushort SP;" & _
            "ushort Checksum;" & _
            "ushort IP;" & _
            "ushort CS;" & _
            "ushort Relocation;" & _
            "ushort Overlay;" & _
            "char Reserved[8];" & _
            "ushort OEMIdentifier;" & _
            "ushort OEMInformation;" & _
            "char Reserved2[20];" & _
            "dword AddressOfNewExeHeader", _
            $pPointer)
$pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader")
Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer)
If Not (DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") = 17744) Then
If $iLoaded Then
Local $a_iCall = DllCall("kernel32.dll", "int", "FreeLibrary", "hwnd", $hModule)
EndIf
Return SetError(3, 0, "")
EndIf
$pPointer += 4
Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _
            "ushort NumberOfSections;" & _
            "dword TimeDateStamp;" & _
            "dword PointerToSymbolTable;" & _
            "dword NumberOfSymbols;" & _
            "ushort SizeOfOptionalHeader;" & _
            "ushort Characteristics", _
            $pPointer)
Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")
$pPointer += 20
Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _
            "ubyte MajorLinkerVersion;" & _
            "ubyte MinorLinkerVersion;" & _
            "dword SizeOfCode;" & _
            "dword SizeOfInitializedData;" & _
            "dword SizeOfUninitializedData;" & _
            "dword AddressOfEntryPoint;" & _
            "dword BaseOfCode;" & _
            "dword BaseOfData;" & _
            "dword ImageBase;" & _
            "dword SectionAlignment;" & _
            "dword FileAlignment;" & _
            "ushort MajorOperatingSystemVersion;" & _
            "ushort MinorOperatingSystemVersion;" & _
            "ushort MajorImageVersion;" & _
            "ushort MinorImageVersion;" & _
            "ushort MajorSubsystemVersion;" & _
            "ushort MinorSubsystemVersion;" & _
            "dword Win32VersionValue;" & _
            "dword SizeOfImage;" & _
            "dword SizeOfHeaders;" & _
            "dword CheckSum;" & _
            "ushort Subsystem;" & _
            "ushort DllCharacteristics;" & _
            "dword SizeOfStackReserve;" & _
            "dword SizeOfStackCommit;" & _
            "dword SizeOfHeapReserve;" & _
            "dword SizeOfHeapCommit;" & _
            "dword LoaderFlags;" & _
            "dword NumberOfRvaAndSizes", _
            $pPointer)
$pPointer += 96
 Local $tIMAGE_DIRECTORY_ENTRY_EXPORT = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)
$pPointer += 8
Local $tIMAGE_DIRECTORY_ENTRY_IMPORT = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)
$pPointer += 8
Local $tIMAGE_DIRECTORY_ENTRY_RESOURCE = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)
$pPointer += 8
Local $tIMAGE_DIRECTORY_ENTRY_EXCEPTION = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)
$pPointer += 8
Local $tIMAGE_DIRECTORY_ENTRY_SECURITY = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)
$pPointer += 8
Local $tIMAGE_DIRECTORY_ENTRY_BASERELOC = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)
$pPointer += 8
Local $tIMAGE_DIRECTORY_ENTRY_DEBUG = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)
$pPointer += 8
Local $tIMAGE_DIRECTORY_ENTRY_COPYRIGHT = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)
$pPointer += 8
Local $tIMAGE_DIRECTORY_ENTRY_GLOBALPTR = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)
$pPointer += 8
Local $tIMAGE_DIRECTORY_ENTRY_TLS = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)
$pPointer += 8
Local $tIMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)
$pPointer += 8
$pPointer += 40
Local $tIMAGE_SECTION_HEADER
For $i = 1 To $iNumberOfSections
$tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _
                "dword UnionOfData;" & _
                "dword VirtualAddress;" & _
                "dword SizeOfRawData;" & _
                "dword PointerToRawData;" & _
                "dword PointerToRelocations;" & _
                "dword PointerToLinenumbers;" & _
                "ushort NumberOfRelocations;" & _
                "ushort NumberOfLinenumbers;" & _
                "dword Characteristics", _
                $pPointer)
if $i = $iNumberOfSections Then
            Dim $array[2]
            $array[0] = Hex(DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData"))
            $array[1] = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")
            $FilePath = $sModule
            $Offset = Dec($array[0]) + $array[1]
            $Length = FileGetSize ($sModule) - $Offset

        Local $Buffer, $ptr, $fLen, $hFile, $Result, $Read, $err, $Pos

            If Not FileExists($FilePath)    Then    Return SetError(1, @error, 0)
            $fLen = FileGetSize($FilePath)
            If $Offset > $fLen              Then    Return SetError(2, @error, 0)
            If $fLen < $Offset + $Length    Then    Return SetError(3, @error, 0)

            $Buffer = DllStructCreate("byte[" & $Length & "]")
            $ptr = DllStructGetPtr($Buffer)

            $hFile = _WinAPI_CreateFile($FilePath, 2, 2, 0)
            If $hFile = 0 Then Return SetError(5, @error, 0)

            $Pos = $Offset
            $Result = _WinAPI_SetFilePointer($hFile, $Pos)
            $err = @error
            If $Result = 0xFFFFFFFF Then
                _WinAPI_CloseHandle($hFile)
                Return SetError(6, $err, 0)
            EndIf

            $Read = 0
            $Result = _WinAPI_ReadFile($hFile, $ptr, $Length, $Read)
            $err = @error
            If Not $Result Then
                _WinAPI_CloseHandle($hFile)
                Return SetError(7, $err, 0)
            EndIf

            _WinAPI_CloseHandle($hFile)
            If Not $Result Then Return SetError(8, @error, 0)

            $Result = DllStructGetData($Buffer, 1)
            DllCall("kernel32.dll", "int", "FreeLibrary", "hwnd", $hModule)
            Return $Result
        EndIf

        $pPointer += 40

    Next

EndFunc

Link to comment
Share on other sites

  • 2 years later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...