PE-Scope

crashdemons

@UEZ - I was using Au3.2.12.1, so the macros and constants have changed

@trancexx - thank you, your example seems to work great, I will have a look at it

- also, you seem to have added everything I could have wanted into ResourcesViewerAndCompiler - is there any point to me continuing this project? (besides making an eXeScope replica) :P


This should work for valid files with a "PE" NT header signature.

At least until the AppLib undergoes major updates sometime in the future.

#include <PEAppConstants.au3>
#include <PEAppLib.au3>
#include <String.au3>
; this is as good as it gets until someone debugs the DLLStruct alignment mess, making PseudoStruct obsolete.
; with this stupid PseudoStruct I have set up "$PSOldPos" to be the "next position" after the processed struct

; NOTE: This example ASSUMES you chose a Win32 (PE32) file that is NT-based and actually HAS section headers.

Local $data=FileReadFull("C:\path\to\someprogram.exe")
_Data_ClearCache($data)
Global $_Pseudo_HexArray=True; fields come back as hex strings, so Dec() turns them into numbers

$hdos=PseudoStruct(PseudoTagStruct($tagIMAGE_DOS_HEADER),$data)
$e_lfanew=Dec($hdos[18]); file offset of the NT headers
$PSOldPos=$e_lfanew+4; skip the NT header signature ("PE",0,0) - it's only a signature anyway!
; be SURE to check that signature in your full app before trusting anything that follows it.
$hfile=PseudoStruct(PseudoTagStruct($tagIMAGE_FILE_HEADER),$data,$PSOldPos)
$NumberOfSections=Dec($hfile[1])
$PSOldPos+=96; skip the OPTIONAL header's fixed fields (PE32 only; the authoritative length is IMAGE_FILE_HEADER.SizeOfOptionalHeader)
$PSOldPos+=8*16; skip all 16 DATA DIR's (two ulong's each - 8 bytes); with the 96 above that is the 224-byte PE32 optional header
$_Pseudo_HexArray=False; we want raw data from our PseudoStruct
Local $spos
For $i=1 To $NumberOfSections
    ConsoleWrite('Physical position: '&$PSOldPos&@CRLF)
    $Section=PseudoStruct(PseudoTagStruct($tagIMAGE_SECTION_HEADER),$data,$PSOldPos)
    $Section[0]=StringReplace($Section[0],Chr(0),'')
    ;^^ yes, this is still 8 characters long, Nulls and all - shave them off!
    ConsoleWrite(@TAB&'Section: '&$Section[0]&@CRLF)
    $VirtualAddress=_StringToHex($Section[2])
    ; raw mode gives the field's bytes in file order (little-endian), so "00100000" here is the value 0x00001000
    ConsoleWrite(@TAB&@TAB&'Virtual Address: '&$VirtualAddress&@CRLF)
Next

Output I got with this for a random program:

Physical position: 504
    Section: UPX0
        Virtual Address: 00100000
Physical position: 544
    Section: UPX1
        Virtual Address: 00400600
Physical position: 584
    Section: .rsrc
        Virtual Address: 00B00900

Edits: typos and more info.

Thank you very much for that function :P Edited by Digisoul

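The same header walk as an added example in Python, not code from the post or from PEAppLib, so it can be checked without the AutoIt library. It builds a constructed PE32 header blob inline (the section names and addresses are made-up sample values, not the program from the post; `parse_sections`, `build_sample_pe32` and `is_rejected` are names chosen here), then walks MZ -> e_lfanew -> "PE\0\0" -> IMAGE_FILE_HEADER -> SizeOfOptionalHeader -> section table with the checks the post says a full app needs: both signatures, a bounds check on every offset before it is read, and the optional-header length taken from the file header instead of a fixed 96 + 128 bytes, so a PE32+ file (magic 0x20B, 240-byte optional header) walks correctly too. It also keeps the four VirtualAddress bytes as they sit in the file, which is what a raw hex dump of the field shows: the DWORD is stored little-endian, so the bytes 00 10 00 00 are the value 0x00001000.

```python
import struct

# Layouts of the fixed-size PE structures (little-endian) that the header walk needs.
DOS_HEADER_SIZE = 64                             # IMAGE_DOS_HEADER; e_lfanew is the DWORD at 0x3C
FILE_HEADER = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B        # first WORD of the optional header


def parse_sections(data):
    """Walk the headers of a PE image held in memory.

    Returns (optional_header_magic, list_of_section_dicts) or raises ValueError
    with a reason when a signature or a size check fails.
    """
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    fh_off = e_lfanew + 4
    if fh_off + FILE_HEADER.size > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":      # the NT header signature
        raise ValueError("missing PE\\0\\0 signature")
    (_machine, num_sections, _stamp, _symtab, _nsyms,
     size_opt_hdr, _chars) = FILE_HEADER.unpack_from(data, fh_off)
    opt_off = fh_off + FILE_HEADER.size
    if size_opt_hdr < 2 or opt_off + size_opt_hdr > len(data):
        raise ValueError("bad SizeOfOptionalHeader %d" % size_opt_hdr)
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # The section table follows the optional header; its length comes from the
    # file header, not from a constant (224 for PE32 and 240 for PE32+ in practice).
    sec_off = opt_off + size_opt_hdr
    sections = []
    for i in range(num_sections):
        off = sec_off + i * SECTION_HEADER.size
        if off + SECTION_HEADER.size > len(data):
            raise ValueError("section table truncated at entry %d" % i)
        (name, vsize, vaddr, rawsize, rawptr, _relocs, _lines,
         _nrelocs, _nlines, chars) = SECTION_HEADER.unpack_from(data, off)
        sections.append({
            "offset": off,                                   # physical position of this entry
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "raw_pointer": rawptr,
            "characteristics": chars,
            # VirtualAddress as its four bytes sit in the file (little-endian),
            # which is what a raw hex dump of the field shows.
            "vaddr_bytes_as_stored": data[off + 12:off + 16].hex(),
        })
    return magic, sections


def is_rejected(data):
    """True when parse_sections refuses the input (used to exercise the checks)."""
    try:
        parse_sections(data)
    except ValueError:
        return True
    return False


def build_sample_pe32(sections, e_lfanew=0x80):
    """Constructed sample headers only: DOS header, a zero-filled gap standing in
    for the DOS stub, PE32 file and optional headers, and a section table."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = b"\x00" * (e_lfanew - DOS_HEADER_SIZE)
    opt_size = 224                     # PE32: 96 bytes of fields + 16 data directories of 8 bytes
    file_hdr = FILE_HEADER.pack(0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    table = b"".join(
        SECTION_HEADER.pack(name.ljust(8, b"\x00"), vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rawsize, rawptr, chars in sections)
    return bytes(dos) + stub + b"PE\x00\x00" + file_hdr + bytes(opt) + table


# Made-up UPX-style layout; names and addresses are sample values, not a real program.
SAMPLE = build_sample_pe32([
    (b"UPX0",  0x60000, 0x01000, 0x00000, 0x00400, 0xE0000080),
    (b"UPX1",  0x3A000, 0x61000, 0x39400, 0x00400, 0xE0000040),
    (b".rsrc", 0x04000, 0x9B000, 0x03600, 0x39800, 0xC0000040),
])

if __name__ == "__main__":
    magic, secs = parse_sections(SAMPLE)
    print("Optional header magic: 0x%X" % magic)
    for s in secs:
        print("Physical position: %d" % s["offset"])
        print("\tSection: %s" % s["name"])
        print("\t\tVirtual Address: 0x%08X (bytes in file: %s)"
              % (s["virtual_address"], s["vaddr_bytes_as_stored"]))
```

Running it on the constructed sample prints the first entry at physical position 376 (e_lfanew 0x80 + 4 + 20 + 224) and UPX0 at 0x00001000 with the bytes in file order "00100000". Replace `SAMPLE` with `open(path, "rb").read()` to walk a real file; the ValueError paths are the ones a fuzzed or truncated input will hit.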

@UEZ - I was using Au3.2.12.1, so the macros and constants have changed

@trancexx - thank you, your example seems to work great, I will have a look at it

- also, you seem to have added everything I could have wanted into ResourcesViewerAndCompiler - is there any point to me continuing this project? (besides making an eXeScope replica) :P

Actually, I think you should continue.

And if you ever wonder what 3072 in that script is, just ask.

Edited by trancexx
