Posted

Just made this in my spare time. It returns the EOF data at the end of just about any executable. This is useful for compressing files, running files that need EOF data from memory and much more.

; Splits the file contents on a set of control characters and returns whatever
; follows the last one (the final bytes of the PE image plus the EOF data).
; The delimiter string is invisible in the forum's rendering of this post; a reply
; further down reports its bytes as 0x18 0x13 0x0F 0x0C 0x1B 0x15 0x12 0x08 0x0F,
; so it is reconstructed from that list here.
Func _getEOFData($file)
    Local $sDelims = Chr(0x18) & Chr(0x13) & Chr(0x0F) & Chr(0x0C) & Chr(0x1B) & Chr(0x15) & Chr(0x12) & Chr(0x08) & Chr(0x0F)
    $file = FileRead($file)
    ; Default flag: every character of $sDelims is a separate delimiter.
    $file = StringSplit($file, $sDelims)
    Return $file[$file[0]]
EndFunc


Posted (edited)

Also, I am aware that the forums show "$file = StringSplit($file, "")"; however, when copied into SciTE the characters are all shown.

Edited by IchBistTod


Posted

Also, I am aware that the forums show "$file = StringSplit($file, " ")"; however, when copied into SciTE the characters are all shown.

Can you give an example of an exe where this would show something? The script shows nothing for me, and using a hex editor I haven't found that string in any exes. (0x18130F0C1B1512080F or 0x0F0812151B0C0F1318)
Posted (edited)

Simply test it on any file that has EOF data and you will see the EOF data.

I made this function by opening exes in SciTE and viewing all the possible last or next-to-last characters at the end of an exe, all of which are shown above.

It splits the exe at all these characters and then uses all text after the very last one (the last few bytes of the exe + the EOF data).

For example, if you use it on any AutoIt compiled script it should return "AU3!", as those are the last few bytes.

Also, the StringSplit function doesn't use the whole string, but EACH character, to find the very last special PE-encoded character in the file.

If you want to see these characters in a PE file, open it in SciTE or Notepad++.

Edited by IchBistTod


Posted

Can you use hex values?

AutoIt forum doesn't show values correctly.

It shows the proper characters when copied into SciTE, so there is no need for hex.


Posted (edited)

I wonder what's your definition of EOF data?

Anyways I wouldn't locate the EOF by a string :mellow:

EOF = End Of File data: data placed at the end of an executable file that contains information necessary for the executable to properly execute. Also, as I said, it might not be the most efficient way, but it works next to flawlessly, and I don't want to hear criticism unless anyone else can do better.

Also, as stated, it's not located by A string but by a set of several control characters used at the end of all EXE files, pulling all data after the last one found.

Test it on any file you like: simply write EOF data to the end of it using AutoIt, then retrieve the EOF data with this function.

Edited by IchBistTod


Posted

Don't worry about that. I don't think there is a chance for that. :mellow:

I requested help on this matter several weeks ago with not even 1 response, which leads me to assume no one here can do it another way, or at least knows how to do it any other way, nor thought of this way.

When someone does find a way to locate the end of the PE data via the PE structure and use that to retrieve all data thereafter (EOF), then I will applaud them.

Until then please do not criticize my script, as it works, and as of now is the only one to perform the function it does.


Posted

Actually... I responded to you. I suggested you read up on the PE structure. But you found your own way. That is OK. If "no one has done this" it might be because they didn't need to. Keep working! :mellow:

/Manko

Posted

I requested help on this matter several weeks ago with not even 1 response, ......

Yes, it's disappointing when a post is ignored.

Posted

Actually... I responded to you. I suggested you read up on the PE structure. But you found your own way. That is OK. If "no one has done this" it might be because they didn't need to. Keep working! :mellow:

/Manko

Yes, thank you, but I had already thought of this.

It would have been a little more helpful had you provided at least one link to a website that properly documented the PE structure, as I couldn't find one.

And my only point was to say, quite simply: unless there is another one or a better one, please do not criticize my work, as there is nothing else to compare it to.

Although it is useful for exe-from-memory functions, to make sure EOF data is transferred.

Posted

Yes, thank you, but I had already thought of this.

It would have been a little more helpful had you provided at least one link to a website that properly documented the PE structure, as I couldn't find one.

Yes, I'm sorry about that... I didn't have any good ones in memory... Googling now I found a few... this is one that I found useful before... (admittedly it was harder to find again. It is perhaps not the best, but....)

http://www.pelib.com/resources/kath.txt

About searching the net... It is one of the most important skills... But when we are still just in practice, patience and persistence are our most valued tools...

/Manko

Posted

The 'External Links' section on Wikipedia has some good resources.

Posted

Yes, I'm sorry about that... I didn't have any good ones in memory... Googling now I found a few... this is one that I found useful before... (admittedly it was harder to find again. It is perhaps not the best, but....)

http://www.pelib.com/resources/kath.txt

About searching the net... It is one of the most important skills... But when we are still just in practice, patience and persistence are our most valued tools...

/Manko

Thanks I will look into it in a while. I am currently occupied with another project now, and this UDF does the job for now.


Posted

#include <WinAPI.au3>

; Returns the overlay ("EOF data") appended after the last section of a PE file,
; located by walking the PE headers instead of searching for byte patterns.
; The module is mapped with LoadLibraryExW + DONT_RESOLVE_DLL_REFERENCES (flag 1),
; so its headers are read from memory; the overlay itself is read from the file.
; Note: this still maps a possibly untrusted file into the current process; if
; that is a concern, parse the headers from the file on disk instead.
Func READEOF($sModule)
    Local $iLoaded = 0
    Local $a_hCall = DllCall("kernel32.dll", "ptr", "GetModuleHandleW", "wstr", $sModule)
    If @error Then Return SetError(1, 0, "")
    Local $pPointer = $a_hCall[0]

    If Not $pPointer Then
        ; Not loaded yet: map it without running DllMain or resolving imports.
        $a_hCall = DllCall("kernel32.dll", "ptr", "LoadLibraryExW", "wstr", $sModule, "ptr", 0, "dword", 1)
        If @error Or Not $a_hCall[0] Then Return SetError(2, 0, "")
        $iLoaded = 1
        $pPointer = $a_hCall[0]
    EndIf
    Local $hModule = $pPointer

    ; IMAGE_DOS_HEADER: only e_lfanew (AddressOfNewExeHeader) is needed.
    Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];ushort BytesOnLastPage;ushort Pages;" & _
        "ushort Relocations;ushort SizeofHeader;ushort MinimumExtra;ushort MaximumExtra;ushort SS;" & _
        "ushort SP;ushort Checksum;ushort IP;ushort CS;ushort Relocation;ushort Overlay;char Reserved[8];" & _
        "ushort OEMIdentifier;ushort OEMInformation;char Reserved2[20];dword AddressOfNewExeHeader", $pPointer)
    $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader")

    ; "PE\0\0" = 0x00004550 = 17744
    Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer)
    If DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") <> 17744 Then
        If $iLoaded Then DllCall("kernel32.dll", "int", "FreeLibrary", "ptr", $hModule)
        Return SetError(3, 0, "")
    EndIf
    $pPointer += 4

    Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;ushort NumberOfSections;dword TimeDateStamp;" & _
        "dword PointerToSymbolTable;dword NumberOfSymbols;ushort SizeOfOptionalHeader;ushort Characteristics", $pPointer)
    Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")
    $pPointer += 20

    ; Skip the optional header and its data directories using the size the file
    ; header declares. This covers PE32 (96 + 128 bytes) and PE32+ alike instead
    ; of hard-coding the 224-byte PE32 layout.
    $pPointer += DllStructGetData($tIMAGE_FILE_HEADER, "SizeOfOptionalHeader")

    ; The overlay starts where the raw data of the section ending last in the
    ; file stops. Section headers are not guaranteed to be in file order, so
    ; take the maximum over all of them rather than trusting the last entry.
    Local $tIMAGE_SECTION_HEADER, $iEnd, $iOffset = 0
    For $i = 1 To $iNumberOfSections
        $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];dword VirtualSize;dword VirtualAddress;" & _
            "dword SizeOfRawData;dword PointerToRawData;dword PointerToRelocations;dword PointerToLinenumbers;" & _
            "ushort NumberOfRelocations;ushort NumberOfLinenumbers;dword Characteristics", $pPointer)
        $iEnd = DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData") + _
            DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")
        If $iEnd > $iOffset Then $iOffset = $iEnd
        $pPointer += 40
    Next
    ; Only release the module if this function loaded it.
    If $iLoaded Then DllCall("kernel32.dll", "int", "FreeLibrary", "ptr", $hModule)

    ; Read everything from the end of the last section to the end of the file.
    Local $fLen = FileGetSize($sModule)
    If @error Then Return SetError(4, 0, "")
    Local $iLength = $fLen - $iOffset
    If $iLength <= 0 Then Return SetError(5, 0, "") ; no overlay present

    Local $tBuffer = DllStructCreate("byte[" & $iLength & "]")
    Local $hFile = _WinAPI_CreateFile($sModule, 2, 2, 0) ; open existing, read access
    If $hFile = 0 Then Return SetError(6, @error, "")
    If _WinAPI_SetFilePointer($hFile, $iOffset) = 0xFFFFFFFF Then
        _WinAPI_CloseHandle($hFile)
        Return SetError(7, 0, "")
    EndIf
    Local $iRead = 0
    Local $bOk = _WinAPI_ReadFile($hFile, DllStructGetPtr($tBuffer), $iLength, $iRead)
    _WinAPI_CloseHandle($hFile)
    If Not $bOk Then Return SetError(8, 0, "")

    Return DllStructGetData($tBuffer, 1) ; binary overlay data
EndFunc
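The header walk above, and the "find the end of the PE data via the PE structure" approach Manko suggested earlier in the thread, can be done entirely from the bytes on disk, without mapping the file into the process with LoadLibraryEx. The following is an added example written for this page; it is not code from the thread or from AutoIt. It parses the DOS header, the PE signature, the file header and the section table with Python's `struct` module, takes the largest `PointerToRawData + SizeOfRawData` as the overlay start (section headers need not be in file order), and also reads the security data directory, because an Authenticode signature lives in the overlay too and is worth separating from other appended data. The sample PE it parses is constructed inline and is not a real executable; the section names, sizes and the `OVERLAY-DEMO-DATA` payload are made up for the demonstration.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D       # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550    # "PE\0\0"
IMAGE_FILE_HEADER_SIZE = 20
IMAGE_SECTION_HEADER_SIZE = 40
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4

def _file_header(data: bytes) -> int:
    """Validate MZ/PE signatures and return the offset of IMAGE_FILE_HEADER."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + IMAGE_FILE_HEADER_SIZE > len(data):
        raise ValueError("e_lfanew points outside the file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    return e_lfanew + 4

def overlay_offset(data: bytes) -> int:
    """File offset where the overlay starts: the end of the section whose raw
    data ends last. SizeOfOptionalHeader is honoured, so PE32+ works too."""
    fh = _file_header(data)
    _machine, nsect, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, fh)
    sect = fh + IMAGE_FILE_HEADER_SIZE + opt_size
    end = 0
    for i in range(nsect):
        off = sect + i * IMAGE_SECTION_HEADER_SIZE
        if off + IMAGE_SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table truncated")
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        end = max(end, ptr_raw + size_raw)
    # A section that claims bytes past EOF (truncated/malformed file) leaves no overlay.
    return min(end, len(data))

def read_overlay(data: bytes) -> bytes:
    return data[overlay_offset(data):]

def overlay_info(data: bytes) -> dict:
    """Overlay offset/size plus the certificate table (file offset, not RVA) from
    the security data directory, so signed bytes can be told from other appended data."""
    start = overlay_offset(data)
    fh = _file_header(data)
    opt_size = struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + IMAGE_FILE_HEADER_SIZE
    magic = struct.unpack_from("<H", data, opt)[0]
    nrva_off, dir_off = (92, 96) if magic == PE32_MAGIC else (108, 112)  # PE32 vs PE32+
    cert_off = cert_size = 0
    entry = dir_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if entry + 8 <= opt_size and struct.unpack_from("<I", data, opt + nrva_off)[0] > IMAGE_DIRECTORY_ENTRY_SECURITY:
        cert_off, cert_size = struct.unpack_from("<II", data, opt + entry)
    signed = cert_size if (cert_size and cert_off >= start) else 0
    return {"offset": start, "size": len(data) - start,
            "cert_offset": cert_off, "cert_size": cert_size,
            "unsigned_bytes": len(data) - start - signed}

def build_sample_pe() -> bytes:
    """Constructed PE32 image for demonstration only (not runnable as an executable):
    two sections whose headers are deliberately listed out of file order, a 17-byte
    overlay, and an empty certificate table."""
    e_lfanew, nsect, opt_size = 0x40, 2, 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)                  # 64 bytes
    file_hdr = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                                       # NumberOfRvaAndSizes
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    sec_b = struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x100, 0x400, 0, 0, 0, 0, 0xC0000040)
    sec_a = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    head = (dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt) + sec_b + sec_a).ljust(0x200, b"\0")
    body = b"A" * 0x200 + b"B" * 0x100                                       # .text then .data raw data
    return head + body + b"OVERLAY-DEMO-DATA"

if __name__ == "__main__":
    sample = build_sample_pe()
    print(overlay_info(sample), read_overlay(sample))
```

Because the headers come straight from the bytes, the same function can be run over a file that should never be executed or loaded, and `unsigned_bytes` gives a quick triage figure: an overlay that is larger than the certificate table is appended data that no signature covers.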
