KaFu Posted July 16, 2011
That's a great piece of code there, thanks for the clarification m8!
Skitty Posted September 1, 2011
Mobius's example was very relevant to what I was after; I added a few other compressor signature strings to his function.

```autoit
; Usage: scan a file and report which packer signature (if any) was found.
; $iDeep = 1 scans the whole file; $iDeep = 0 scans only the first 1024 bytes.
$Test = _IsPKD(@DesktopDir & "\1.exe", 1)
If IsArray($Test) Then
    MsgBox(0, "compressor detector", $Test[0] & @CRLF & $Test[1])
Else
    MsgBox(0, "compressor detector", "No signature found or not a PE file (error " & @error & ")")
EndIf

; Returns:
;   $iDeep = 0: 1 if a signature matched (@extended = occurrence count), 0 otherwise
;   $iDeep = 1: array [matched (0/1), packer name (False if none)]
;   @error 1 = cannot open file, 2 = no MZ header, 3 = no match (shallow mode only)
Func _IsPKD($sFilePath, $iDeep = 0)
    Local $iValue[2] = [0, False], $sData, $iCount = 0
    Local $hFileOpen = FileOpen($sFilePath, 16) ; 16 = binary mode
    If $hFileOpen = -1 Then Return SetError(1, 0, -1)

    ; FileRead on a binary-mode handle returns a Binary variant, which stringifies
    ; as "0x4D5A"; convert it before comparing with "MZ".
    If BinaryToString(FileRead($hFileOpen, 2)) <> "MZ" Then
        FileClose($hFileOpen)
        Return SetError(2, 0, 0)
    EndIf
    FileSetPos($hFileOpen, 0, 0)

    ; The Binary variant is searched as upper-case hex text ("555058" = "UPX").
    If $iDeep Then
        $sData = FileRead($hFileOpen)
    Else
        $sData = FileRead($hFileOpen, 1024)
    EndIf
    FileClose($hFileOpen)

    ; Signature table: [hex string that selects the packer, hex string whose
    ; occurrences are counted, packer name]. First match wins, in this order.
    ; The FSG and ASPack count strings may not be reliable.
    Local $aSig[13][3] = [ _
        ['58436F6D70', 'C00000D02E58436F6D70', 'XCompw'], _
        ['585061636B', 'D02E585061636B', 'XPackw'], _
        ['5757503332', '57575061636B3332', 'wwpack'], _
        ['2E524C5061636B00', '7061636B6564', 'RLPack'], _
        ['6E737061636B', '6E737030', 'nSpack'], _
        ['557061636B', 'C075FB380674EA8B', 'WinUpackE'], _
        ['C80346382BC7ABE2E55E', 'C075FB380674EA8B', 'WinUpackE'], _
        ['65786533327061636B20', '65786533327061636B20', 'exe32pack'], _
        ['46534721', 'C073FA753A', 'FSG'], _
        ['61737061636B', '00400000E000', 'ASPack'], _
        ['50454332', '5045436F6D70616374', 'PECompact'], _
        ['555058', '555058', 'UPX'], _
        ['4D5052455353', '4D5052455353', 'MPress']]

    For $i = 0 To UBound($aSig) - 1
        If StringInStr($sData, $aSig[$i][0], 2) Then
            ; StringReplace with identical search and replace strings is a cheap
            ; occurrence counter: @extended holds the number of replacements made.
            StringReplace($sData, $aSig[$i][1], $aSig[$i][1], 0, 2)
            $iCount = @extended
            If $iDeep = 0 Then Return SetError(0, $iCount, 1)
            $iValue[0] = 1
            $iValue[1] = $aSig[$i][2]
            ExitLoop
        EndIf
    Next

    If $iValue[0] = 0 And $iDeep = 0 Then Return SetError(3, 0, 0)
    Return SetError(0, $iCount, $iValue)
EndFunc   ;==>_IsPKD
```
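The substring search above will fire on any file that merely contains the bytes "UPX" (a help string, a copyright notice, a resource), because it never looks at the PE structure. The following is an added example, not code from this thread or from any of its posters: it parses the PE section table, names a packer from the section names it left behind, and otherwise flags sections whose byte entropy is suspiciously high, which is what a compressed or encrypted payload looks like regardless of which packer produced it. The section-name list and the 7.0 entropy threshold are assumptions to be tuned against your own samples, and the sample images are constructed in code (they are valid section tables but not runnable programs).

```python
"""Packer check based on the PE section table rather than a raw byte search."""
import math
import struct

# Section names commonly left behind by packers (assumed starter list; extend from
# your own samples rather than trusting it as complete).
PACKER_SECTION_NAMES = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
    b".MPRESS1": "MPress", b".MPRESS2": "MPress",
    b".packed": "RLPack", b".RLPack": "RLPack",
    b"PEC2": "PECompact", b"pec1": "PECompact",
    b".nsp0": "nSpack", b".nsp1": "nSpack",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty or constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return [(name, raw_offset, raw_size, entropy)] from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40               # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append((name, raw_ptr, raw_size, shannon_entropy(data)))
    return sections


def detect_packer(pe: bytes, entropy_threshold: float = 7.0):
    """Packer name from section names, else a high-entropy flag, else None."""
    sections = parse_sections(pe)
    for name, _, _, _ in sections:
        if name in PACKER_SECTION_NAMES:
            return PACKER_SECTION_NAMES[name]
    if any(size > 0 and ent >= entropy_threshold for _, _, size, ent in sections):
        return "unknown (high-entropy section)"
    return None


def raw_substring_hit(pe: bytes, marker: bytes = b"UPX") -> bool:
    """The thread's heuristic for comparison: any occurrence of the marker counts."""
    return marker in pe


def build_sample_pe(section_names, payloads) -> bytes:
    """Construct a minimal PE image with the given sections (test data, not a program)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                        # PE32 optional header size; body left zeroed
    n = len(section_names)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * n
    raw_ptr = (header_len + 0x1FF) & ~0x1FF  # first section on a 0x200 file boundary
    headers, data = b"", b""
    for name, payload in zip(section_names, payloads):
        headers += name.ljust(8, b"\0")
        headers += struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr + len(data))
        headers += b"\0" * 16
        data += payload
    image = dos + b"PE\0\0" + coff + b"\0" * opt_size + headers
    return image + b"\0" * (raw_ptr - len(image)) + data


if __name__ == "__main__":
    packed = build_sample_pe([b"UPX0", b"UPX1"], [b"", bytes(range(256)) * 4])
    clean = build_sample_pe([b".text", b".data"], [b"\x90" * 512, b"Built without UPX. " * 20])
    for label, img in (("packed", packed), ("clean", clean)):
        print(label, detect_packer(img), "raw substring hit:", raw_substring_hit(img))
```

The entropy check only says "something dense lives here"; a large embedded certificate, image resource or compressed installer payload will trip it too, so treat it as a prompt for a closer look rather than a verdict, and keep the name table for the cases where the packer is known.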
Skitty Posted March 6, 2012
I came up with another method using work done by trancexx. Is this a good way of going about this? In the process I even added other miscellaneous detections, but aside from that, it seems to detect most packed PE files I've encountered.
Attachment: PACKED file detector.rar
guinness Posted October 9, 2012 (Author)
I've updated the syntax of both functions as well as the documentation headers. See the original post for more details.