Posted

Of course I don't mind.

That guy from the third post did what you want/need. Search the forums for PEScope crashdemons (what a nick - mean mdfk).

You should locate $tagIMAGE_SECTION_HEADER in his script(s) and everything around it. If you have trouble doing that, I'm sure he (...or me, or someone else) will help you.

Isn't there any other method? The source of PEScope is uncommented & lots of variables make it more difficult to understand properly.

73 108 111 118 101 65 117 116 111 105 116

Posted

Isn't there any other method? The source of PEScope is uncommented & lots of variables make it more difficult to understand properly.

Try this:

#NoTrayIcon

Global $sModule = @SystemDir & "\user32.dll"


_WriteSectionsToConsole($sModule)


Func _WriteSectionsToConsole($sModule)

    Local $iLoaded
    Local $a_hCall = DllCall("kernel32.dll", "hwnd", "GetModuleHandleW", "wstr", $sModule)

    If @error Then
        Return SetError(1, 0, "") ; GetModuleHandle failed
    EndIf

    Local $pPointer = $a_hCall[0]

    If Not $a_hCall[0] Then
        $a_hCall = DllCall("kernel32.dll", "hwnd", "LoadLibraryExW", "wstr", $sModule, "hwnd", 0, "int", 34) ; LOAD_LIBRARY_AS_IMAGE_RESOURCE|LOAD_LIBRARY_AS_DATAFILE
        If @error Or Not $a_hCall[0] Then
            Return SetError(2, 0, "") ; LoadLibraryEx failed
        EndIf
        $iLoaded = 1
        $pPointer = $a_hCall[0] - 1
    EndIf

    Local $hModule = $a_hCall[0]

    Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _
            "ushort BytesOnLastPage;" & _
            "ushort Pages;" & _
            "ushort Relocations;" & _
            "ushort SizeofHeader;" & _
            "ushort MinimumExtra;" & _
            "ushort MaximumExtra;" & _
            "ushort SS;" & _
            "ushort SP;" & _
            "ushort Checksum;" & _
            "ushort IP;" & _
            "ushort CS;" & _
            "ushort Relocation;" & _
            "ushort Overlay;" & _
            "char Reserved[8];" & _
            "ushort OEMIdentifier;" & _
            "ushort OEMInformation;" & _
            "char Reserved2[20];" & _
            "dword AddressOfNewExeHeader", _
            $pPointer)

    $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader") ; move to PE file header

    Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer) ; IMAGE_NT_SIGNATURE = 17744

    If Not (DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") = 17744) Then
        If $iLoaded Then
            Local $a_iCall = DllCall("kernel32.dll", "int", "FreeLibrary", "hwnd", $hModule) ; will not check this
        EndIf
        Return SetError(3, 0, "") ; Wrong NTSIGNATURE
    EndIf

    $pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure

    Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _
            "ushort NumberOfSections;" & _
            "dword TimeDateStamp;" & _
            "dword PointerToSymbolTable;" & _
            "dword NumberOfSymbols;" & _
            "ushort SizeOfOptionalHeader;" & _
            "ushort Characteristics", _
            $pPointer)

    Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections") ; this is related to you

    $pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure

    Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _
            "ubyte MajorLinkerVersion;" & _
            "ubyte MinorLinkerVersion;" & _
            "dword SizeOfCode;" & _
            "dword SizeOfInitializedData;" & _
            "dword SizeOfUninitializedData;" & _
            "dword AddressOfEntryPoint;" & _
            "dword BaseOfCode;" & _
            "dword BaseOfData;" & _
            "dword ImageBase;" & _
            "dword SectionAlignment;" & _
            "dword FileAlignment;" & _
            "ushort MajorOperatingSystemVersion;" & _
            "ushort MinorOperatingSystemVersion;" & _
            "ushort MajorImageVersion;" & _
            "ushort MinorImageVersion;" & _
            "ushort MajorSubsystemVersion;" & _
            "ushort MinorSubsystemVersion;" & _
            "dword Win32VersionValue;" & _
            "dword SizeOfImage;" & _
            "dword SizeOfHeaders;" & _
            "dword CheckSum;" & _
            "ushort Subsystem;" & _
            "ushort DllCharacteristics;" & _
            "dword SizeOfStackReserve;" & _
            "dword SizeOfStackCommit;" & _
            "dword SizeOfHeapReserve;" & _
            "dword SizeOfHeapCommit;" & _
            "dword LoaderFlags;" & _
            "dword NumberOfRvaAndSizes", _
            $pPointer)

    $pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER structure

    ; Export Directory
    Local $tIMAGE_DIRECTORY_ENTRY_EXPORT = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; Import Directory
    Local $tIMAGE_DIRECTORY_ENTRY_IMPORT = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; Resource Directory
    Local $tIMAGE_DIRECTORY_ENTRY_RESOURCE = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; Exception Directory
    Local $tIMAGE_DIRECTORY_ENTRY_EXCEPTION = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; Security Directory
    Local $tIMAGE_DIRECTORY_ENTRY_SECURITY = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; Base Relocation Directory
    Local $tIMAGE_DIRECTORY_ENTRY_BASERELOC = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; Debug Directory
    Local $tIMAGE_DIRECTORY_ENTRY_DEBUG = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; Description String
    Local $tIMAGE_DIRECTORY_ENTRY_COPYRIGHT = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; Machine Value (MIPS GP)
    Local $tIMAGE_DIRECTORY_ENTRY_GLOBALPTR = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; TLS Directory
    Local $tIMAGE_DIRECTORY_ENTRY_TLS = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; Load Configuration Directory
    Local $tIMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    $pPointer += 40 ; five more unused data directories

    ConsoleWrite(@CRLF)

    Local $tIMAGE_SECTION_HEADER

    For $i = 1 To $iNumberOfSections ; finally what you want

        $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _
                "dword UnionOfData;" & _
                "dword VirtualAddress;" & _
                "dword SizeOfRawData;" & _
                "dword PointerToRawData;" & _
                "dword PointerToRelocations;" & _
                "dword PointerToLinenumbers;" & _
                "ushort NumberOfRelocations;" & _
                "ushort NumberOfLinenumbers;" & _
                "dword Characteristics", _
                $pPointer)

        ConsoleWrite("Section Name: " & DllStructGetData($tIMAGE_SECTION_HEADER, "Name") & @CRLF)
        ConsoleWrite("Address: " & DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress") & @CRLF)
        ConsoleWrite("SizeOfRawData: " & DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData") & " bytes" & @CRLF)
        ConsoleWrite("NumberOfRelocations: " & DllStructGetData($tIMAGE_SECTION_HEADER, "NumberOfRelocations") & @CRLF)
        ConsoleWrite(@CRLF)

        $pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure

    Next


    If $iLoaded Then
        Local $a_iCall = DllCall("kernel32.dll", "int", "FreeLibrary", "hwnd", $hModule)
    EndIf

EndFunc   ;==>_WriteSectionsToConsole

Btw, you can make it a lot shorter if you skip creating some of the structures (don't forget to move the pointer).

Read this and this and...

@ALG, thanks.

Third parameter of ImageList_Create function in ResourcesViewerAndCompiler.au3 is ILC_COLOR24 ("dword", 24) and should be changed to ILC_COLOR32 (ARGB obviously) to add transparency for transparent images. I will make that change with the new update. I have a few more improvements.

Posted

Just to say that I've made an update. The new script is attached in post No1.

New things are tabs. Two of them: one is for the resources section of the file and the other is for some additional data. Digisoul provoked this change. I'm glad he is.

There are some fixes. ImageList_Create is creating transparent images now, no more black (or whatever) background.

Treeview and listview memory leak is fixed by deleting these controls and building new ones before populating them with items. I was going to do this by destroying the image list created by AutoIt when adding images to controls and decrementing the number of items (destroying handles too), but that turned out to be an unneeded complication. So I decided to simply delete those controls.

Btw, the list of exports and imports is the most complete one that I saw - ever... It will show e.g. functions exported by name or ordinal value. monoceres, for example, in his DEE was focused on functions exported by name only.

Items in this other treeview control are editable so you can copy to clipboard if you want to search the net for the specific function. Just select an item and click-and-hold it for a second or two.

Posted (edited)

Thank you very much for that function.

but it seems there is some problem or my mistake,

This is the result from your provided function:

Section Name: .text
Address: 0x01051000
SizeOfRawData: 51.96 Kb
NumberOfRelocations: 0

but the actual Offset of this section is 00001000

2nd problem is that _WinAPI_SetFilePointer uses a Decimal value to jump to the desired position,

how can I convert the return value into an accessible value?

Edited by Digisoul

73 108 111 118 101 65 117 116 111 105 116

Posted

Thank you very much for that function.

but it seems there is some problem or my mistake,

This is the result from your provided function:

Section Name: .text
Address: 0x01051000
SizeOfRawData: 51.96 Kb
NumberOfRelocations: 0

but the actual Offset of this section is 00001000

2nd problem is that _WinAPI_SetFilePointer uses a Decimal value to jump to the desired position,

how can I convert the return value into an accessible value?

That code shows you absolute address of that section for loaded module. If you look at the code you will see that is gained by adding "VirtualAddress" to base address. Just remove DllStructGetPtr($tIMAGE_DOS_HEADER) and you will have virtual one.

0x10 is 0x00000010 is 16 - AutoIt makes no difference. Try this:

ConsoleWrite(0x00000010 & @CRLF)

ResourcesViewerAndCompiler.au3 uses a more proper way of loading that module. Peek there.

Posted

That code shows you absolute address of that section for loaded module. If you look at the code you will see that is gained by adding "VirtualAddress" to base address. Just remove DllStructGetPtr($tIMAGE_DOS_HEADER) and you will have virtual one.

0x10 is 0x00000010 is 16 - AutoIt makes no difference. Try this:

ConsoleWrite(0x00000010 & @CRLF)

ResourcesViewerAndCompiler.au3 uses a more proper way of loading that module. Peek there.

Thank you very much, Trancexx, for your kind help; it gives me a lot for learning the structure of PE files, thanks again.

"ResourcesViewerAndCompiler.au3", I will try it. :P

73 108 111 118 101 65 117 116 111 105 116

Posted

what a nick - mean mdfk

LOL - Didn't want to appear mean, perhaps intimidating.

Also, I put a link in my thread to yours since your script is a more well-rounded example of the related features.

My Projects - WindowDarken (Darken except the active window) Yahsmosis Chat Client (Discontinued) StarShooter Game (Red alert! All hands to battlestations!) YMSG Protocol Support (Discontinued) Circular Keyboard and OSK example. (aka Iris KB) Target Screensaver Drive Toolbar Thingy Rollup Pro (Minimize-to-Titlebar & More!) 2D Launcher physics example Ascii Screenshot AutoIt3 Quine Example ("Is a Quine" is a Quine.) USB Lock (Another system keydrive - with a toast.)

Posted

Hi trancexx

I found a new problem: the offset which I get by virtual address does not actually jump to the data of the section.

After a deep search I found that the information which I get from your provided function, ResourcesViewerAndCompiler.au3 or PEScope never gives the offset for the data of the section.

e.g.

We get this information for .text section:

Section Name: .text
Offset: 4096
Address: 0x01741000
SizeOfRawData: 303.5 Kb | 310784 BYTES
NumberOfRelocations: 0

But the data of .text section actually exists at following position:

In decimal: 1020

In hex: 0x000003FC

Now I'm unable to figure out how I can create or get this actual offset.

73 108 111 118 101 65 117 116 111 105 116

Posted

Hi trancexx

I found a new problem: the offset which I get by virtual address does not actually jump to the data of the section.

After a deep search I found that the information which I get from your provided function, ResourcesViewerAndCompiler.au3 or PEScope never gives the offset for the data of the section.

e.g.

We get this information for .text section:

Section Name: .text
Offset: 4096
Address: 0x01741000
SizeOfRawData: 303.5 Kb | 310784 BYTES
NumberOfRelocations: 0

But the data of .text section actually exists at following position:

In decimal: 1020

In hex: 0x000003FC

Now I'm unable to figure out how I can create or get this actual offset.

"VirtualAddress" is one thing and the offset is another. You are obviously not loading the module so you have to virtually load it. I mentioned this in that other thread. In fact my last post there is all about this.

You need to correct that reading by (I'm sure you will find the proper location to put this code):

Local $iCorrector = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "BaseOfCode") -  DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")

Usually that number is 3072 (bytes), but it should be calculated for every specific file if you want to be exact.

Posted

You need to correct that reading by (I'm sure you will find the proper location to put this code):

Local $iCorrector = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "BaseOfCode") -  DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")

Usually that number is 3072 (bytes), but it should be calculated for every specific file if you want to be exact.

Thanks again, I will try. :P

73 108 111 118 101 65 117 116 111 105 116

Posted

You need to correct that reading by (I'm sure you will find the proper location to put this code):

Local $iCorrector = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "BaseOfCode") -  DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")

Well, I tried this:

Local $iCorrector = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "BaseOfCode") -  DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")
ConsoleWrite("Data Offset: " & DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress") - $iCorrector & @CRLF)

but I think it's the wrong place, because it only works for the .text section, not for other sections, & if a PE file doesn't have a ".text" section, like .UPX1, it will never return an accurate offset. :P

Usually that number is 3072 (bytes), but it should be calculated for every specific file if you want to be exact.

Now please tell me how I can manage the $iCorrector for every section & file, because I have only 2 days to complete that project :unsure:

Thanks in advance for your kind help.

73 108 111 118 101 65 117 116 111 105 116

Posted

Well, I tried this:

Local $iCorrector = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "BaseOfCode") -  DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")
ConsoleWrite("Data Offset: " & DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress") - $iCorrector & @CRLF)

but I think it's the wrong place, because it only works for the .text section, not for other sections, & if a PE file doesn't have a ".text" section, like .UPX1, it will never return an accurate offset. :P

Now please tell me how I can manage the $iCorrector for every section & file, because I have only 2 days to complete that project :unsure:

Thanks in advance for your kind help.

Well, I pretty much explained everything and illustrated that with AutoIt code in this and crashdemon's topic. I fail to see what exactly you don't comprehend.

All I can do more is write that code for you. You want me to write it for you?

Please try more, it's a matter of deductive reasoning.

Posted

Hi trancexx

First of all thank you for reply,

Well, I pretty much explained everything and illustrated that with AutoIt code in this and crashdemon's topic. I fail to see what exactly you don't comprehend.

Actually these are totally new things for me, that's why I am not getting the exact points. :P

Here is the image from CFF explorer, which will represent the actual need & the problem.

post-36752-1237324330_thumb.jpg

Please try more, it's a matter of deductive reasoning.

Believe me, I tried really hard, and also read the topics you sent in the post, but currently it takes time to understand the internal structure of PE files.

Thanks again for your kind reply.

73 108 111 118 101 65 117 116 111 105 116

Posted (edited)

Yes, I see what you mean.

You want raw raw data. Try this:

#NoTrayIcon

Global $sModule = @SystemDir & "\lz32.dll"

;$sModule = FileOpenDialog("", "", "(*)")
_WriteMiscDataToConsole($sModule)
If @error Then
    MsgBox(48, "Error", "Error number: " & @error)
EndIf



Func _WriteMiscDataToConsole($sModule)

    Local $tBinary = DllStructCreate("byte[" & FileGetSize($sModule) & "]")
    $hModule = FileOpen($sModule, 16)
    DllStructSetData($tBinary, 1, FileRead($hModule))
    FileClose($hModule)

    Local $pPointer = DllStructGetPtr($tBinary)

    Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _
            "ushort BytesOnLastPage;" & _
            "ushort Pages;" & _
            "ushort Relocations;" & _
            "ushort SizeofHeader;" & _
            "ushort MinimumExtra;" & _
            "ushort MaximumExtra;" & _
            "ushort SS;" & _
            "ushort SP;" & _
            "ushort Checksum;" & _
            "ushort IP;" & _
            "ushort CS;" & _
            "ushort Relocation;" & _
            "ushort Overlay;" & _
            "char Reserved[8];" & _
            "ushort OEMIdentifier;" & _
            "ushort OEMInformation;" & _
            "char Reserved2[20];" & _
            "dword AddressOfNewExeHeader", _
            $pPointer)

    If Not (DllStructGetData($tIMAGE_DOS_HEADER, "Magic") == "MZ") Then
        Return SetError(1, 0, "") ; not PE file
    EndIf

    $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader") ; move to PE file header

    Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer) ; IMAGE_NT_SIGNATURE = 17744

    If Not (DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") = 17744) Then
        Return SetError(2, 0, "") ; wrong NTSIGNATURE
    EndIf

    $pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure

    Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _
            "ushort NumberOfSections;" & _
            "dword TimeDateStamp;" & _
            "dword PointerToSymbolTable;" & _
            "dword NumberOfSymbols;" & _
            "ushort SizeOfOptionalHeader;" & _
            "ushort Characteristics", _
            $pPointer)

    Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")

    ConsoleWrite("NumberOfSections: " & $iNumberOfSections & @CRLF & @CRLF)

    $pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure

    Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _
            "ubyte MajorLinkerVersion;" & _
            "ubyte MinorLinkerVersion;" & _
            "dword SizeOfCode;" & _
            "dword SizeOfInitializedData;" & _
            "dword SizeOfUninitializedData;" & _
            "dword AddressOfEntryPoint;" & _
            "dword BaseOfCode;" & _
            "dword BaseOfData;" & _
            "dword ImageBase;" & _
            "dword SectionAlignment;" & _
            "dword FileAlignment;" & _
            "ushort MajorOperatingSystemVersion;" & _
            "ushort MinorOperatingSystemVersion;" & _
            "ushort MajorImageVersion;" & _
            "ushort MinorImageVersion;" & _
            "ushort MajorSubsystemVersion;" & _
            "ushort MinorSubsystemVersion;" & _
            "dword Win32VersionValue;" & _
            "dword SizeOfImage;" & _
            "dword SizeOfHeaders;" & _
            "dword CheckSum;" & _
            "ushort Subsystem;" & _
            "ushort DllCharacteristics;" & _
            "dword SizeOfStackReserve;" & _
            "dword SizeOfStackCommit;" & _
            "dword SizeOfHeapReserve;" & _
            "dword SizeOfHeapCommit;" & _
            "dword LoaderFlags;" & _
            "dword NumberOfRvaAndSizes", _
            $pPointer)

    $pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER

    Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic")

    Local $iCorrector = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "BaseOfCode") - DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")

    If Not ($iMagic = 267) Then
        Return SetError(0, 1, 1) ; not 32-bit application. Structures are for 32-bit
    EndIf

    ConsoleWrite(@CRLF)

    $pPointer += 128 ; size of the structures before IMAGE_SECTION_HEADER (16 of them)

    Local $tIMAGE_SECTION_HEADER
    Local $iSizeOfRawData, $pPointerToRawData, $tRawData, $bRawData

    For $i = 1 To $iNumberOfSections

        $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _
                "dword UnionOfData;" & _
                "dword VirtualAddress;" & _
                "dword SizeOfRawData;" & _
                "dword PointerToRawData;" & _
                "dword PointerToRelocations;" & _
                "dword PointerToLinenumbers;" & _
                "ushort NumberOfRelocations;" & _
                "ushort NumberOfLinenumbers;" & _
                "dword Characteristics", _
                $pPointer)

        ConsoleWrite("> Section Name: " & DllStructGetData($tIMAGE_SECTION_HEADER, "Name") & @CRLF)
        ConsoleWrite("Hex dump:" & @CRLF)

        $iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")

        $pPointerToRawData = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")

        $tRawData = DllStructCreate("byte[" & $iSizeOfRawData & "]", $pPointerToRawData)

        $bRawData = DllStructGetData($tRawData, 1)

        ConsoleWrite(_HexEncode($bRawData) & @CRLF)

        $pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure

    Next

EndFunc   ;==>_WriteMiscDataToConsole



Func _HexEncode($bInput)

    Local $tInput = DllStructCreate("byte[" & BinaryLen($bInput) & "]")

    DllStructSetData($tInput, 1, $bInput)

    Local $a_iCall = DllCall("crypt32.dll", "int", "CryptBinaryToString", _
            "ptr", DllStructGetPtr($tInput), _
            "dword", DllStructGetSize($tInput), _
            "dword", 11, _
            "ptr", 0, _
            "dword*", 0)

    If @error Or Not $a_iCall[0] Then
        Return SetError(1, 0, "")
    EndIf

    Local $iSize = $a_iCall[5]
    Local $tOut = DllStructCreate("char[" & $iSize & "]")

    $a_iCall = DllCall("crypt32.dll", "int", "CryptBinaryToString", _
            "ptr", DllStructGetPtr($tInput), _
            "dword", DllStructGetSize($tInput), _
            "dword", 11, _
            "ptr", DllStructGetPtr($tOut), _
            "dword*", $iSize)

    If @error Or Not $a_iCall[0] Then
        Return SetError(2, 0, "")
    EndIf

    Return SetError(0, 0, DllStructGetData($tOut, 1))

EndFunc   ;==>_HexEncode

That will write plenty of data to console depending on file so it could be a bit slow.

...I bet you are gonna ask what if there is no "SizeOfRawData"

Edited by trancexx
Posted

Yes, I see what you mean.

You want raw raw data. Try this:

#NoTrayIcon

Global $sModule = @SystemDir & "\lz32.dll"

;$sModule = FileOpenDialog("", "", "(*)")
_WriteMiscDataToConsole($sModule)
If @error Then
    MsgBox(48, "Error", "Error number: " & @error)
EndIf



Func _WriteMiscDataToConsole($sModule)

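    Local $tBinary = DllStructCreate("byte[" & FileGetSize($sModule) & "]")
    Local $hModule = FileOpen($sModule, 16) ; 16 = binary mode
    If $hModule = -1 Then
        Return SetError(3, 0, "") ; unable to open file
    EndIf
    DllStructSetData($tBinary, 1, FileRead($hModule))
    FileClose($hModule)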

    Local $pPointer = DllStructGetPtr($tBinary)

    Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _
            "ushort BytesOnLastPage;" & _
            "ushort Pages;" & _
            "ushort Relocations;" & _
            "ushort SizeofHeader;" & _
            "ushort MinimumExtra;" & _
            "ushort MaximumExtra;" & _
            "ushort SS;" & _
            "ushort SP;" & _
            "ushort Checksum;" & _
            "ushort IP;" & _
            "ushort CS;" & _
            "ushort Relocation;" & _
            "ushort Overlay;" & _
            "char Reserved[8];" & _
            "ushort OEMIdentifier;" & _
            "ushort OEMInformation;" & _
            "char Reserved2[20];" & _
            "dword AddressOfNewExeHeader", _
            $pPointer)

    If Not (DllStructGetData($tIMAGE_DOS_HEADER, "Magic") == "MZ") Then
        Return SetError(1, 0, "") ; not PE file
    EndIf

    $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader") ; move to PE file header

    Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer) ; IMAGE_NT_SIGNATURE = 17744

    If Not (DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") = 17744) Then
        Return SetError(2, 0, "") ; wrong NTSIGNATURE
    EndIf

    $pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure

    Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _
            "ushort NumberOfSections;" & _
            "dword TimeDateStamp;" & _
            "dword PointerToSymbolTable;" & _
            "dword NumberOfSymbols;" & _
            "ushort SizeOfOptionalHeader;" & _
            "ushort Characteristics", _
            $pPointer)

    Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")

    ConsoleWrite("NumberOfSections: " & $iNumberOfSections & @CRLF & @CRLF)

    $pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure

    Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _
            "ubyte MajorLinkerVersion;" & _
            "ubyte MinorLinkerVersion;" & _
            "dword SizeOfCode;" & _
            "dword SizeOfInitializedData;" & _
            "dword SizeOfUninitializedData;" & _
            "dword AddressOfEntryPoint;" & _
            "dword BaseOfCode;" & _
            "dword BaseOfData;" & _
            "dword ImageBase;" & _
            "dword SectionAlignment;" & _
            "dword FileAlignment;" & _
            "ushort MajorOperatingSystemVersion;" & _
            "ushort MinorOperatingSystemVersion;" & _
            "ushort MajorImageVersion;" & _
            "ushort MinorImageVersion;" & _
            "ushort MajorSubsystemVersion;" & _
            "ushort MinorSubsystemVersion;" & _
            "dword Win32VersionValue;" & _
            "dword SizeOfImage;" & _
            "dword SizeOfHeaders;" & _
            "dword CheckSum;" & _
            "ushort Subsystem;" & _
            "ushort DllCharacteristics;" & _
            "dword SizeOfStackReserve;" & _
            "dword SizeOfStackCommit;" & _
            "dword SizeOfHeapReserve;" & _
            "dword SizeOfHeapCommit;" & _
            "dword LoaderFlags;" & _
            "dword NumberOfRvaAndSizes", _
            $pPointer)

    $pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER

    Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic")

    Local $iCorrector = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "BaseOfCode") - DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")

    If Not ($iMagic = 267) Then
        Return SetError(0, 1, 1) ; not 32-bit application. Structures are for 32-bit
    EndIf

    ConsoleWrite(@CRLF)

    $pPointer += 128 ; size of the structures before IMAGE_SECTION_HEADER (16 of them)

    Local $tIMAGE_SECTION_HEADER
    Local $iSizeOfRawData, $pPointerToRawData, $tRawData, $bRawData

    For $i = 1 To $iNumberOfSections

        $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _
                "dword UnionOfData;" & _
                "dword VirtualAddress;" & _
                "dword SizeOfRawData;" & _
                "dword PointerToRawData;" & _
                "dword PointerToRelocations;" & _
                "dword PointerToLinenumbers;" & _
                "ushort NumberOfRelocations;" & _
                "ushort NumberOfLinenumbers;" & _
                "dword Characteristics", _
                $pPointer)

        ConsoleWrite("> Section Name: " & DllStructGetData($tIMAGE_SECTION_HEADER, "Name") & @CRLF)
        ConsoleWrite("Hex dump:" & @CRLF)

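        $iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")

        ; header fields come from the file itself; do not read past the end of $tBinary
        If DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData") + $iSizeOfRawData > DllStructGetSize($tBinary) Then
            Return SetError(4, 0, "") ; section raw data out of bounds
        EndIf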

        $pPointerToRawData = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")

        $tRawData = DllStructCreate("byte[" & $iSizeOfRawData & "]", $pPointerToRawData)

        $bRawData = DllStructGetData($tRawData, 1)

        ConsoleWrite(_HexEncode($bRawData) & @CRLF)

        $pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure

    Next

EndFunc   ;==>_WriteMiscDataToConsole



Func _HexEncode($bInput)

    Local $tInput = DllStructCreate("byte[" & BinaryLen($bInput) & "]")

    DllStructSetData($tInput, 1, $bInput)

    Local $a_iCall = DllCall("crypt32.dll", "int", "CryptBinaryToString", _
            "ptr", DllStructGetPtr($tInput), _
            "dword", DllStructGetSize($tInput), _
            "dword", 11, _
            "ptr", 0, _
            "dword*", 0)

    If @error Or Not $a_iCall[0] Then
        Return SetError(1, 0, "")
    EndIf

    Local $iSize = $a_iCall[5]
    Local $tOut = DllStructCreate("char[" & $iSize & "]")

    $a_iCall = DllCall("crypt32.dll", "int", "CryptBinaryToString", _
            "ptr", DllStructGetPtr($tInput), _
            "dword", DllStructGetSize($tInput), _
            "dword", 11, _
            "ptr", DllStructGetPtr($tOut), _
            "dword*", $iSize)

    If @error Or Not $a_iCall[0] Then
        Return SetError(2, 0, "")
    EndIf

    Return SetError(0, 0, DllStructGetData($tOut, 1))

EndFunc   ;==>_HexEncode

That will write plenty of data to console depending on file so it could be a bit slow.

...I bet you are gonna ask what if there is no "SizeOfRawData"

Thank you very much for that function & your kind help. :unsure:

I simply make a CRC of the return data as a signature, and now my application works really fast.

Thanks again, you're really great :P

73 108 111 118 101 65 117 116 111 105 116
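
The section walk from the script above, redone in Python as an added example (not code from the thread), with the checks a parser needs when the file is untrusted: every offset is bounds-checked, and the section table is located through SizeOfOptionalHeader instead of the fixed 96 + 128 bytes, which also covers PE32+ files. The names `pe_sections` and `build_sample_pe` are hypothetical, the sample image is constructed, and CRC-32 via `zlib` is an assumption about the kind of CRC the poster uses as a signature.

```python
import struct
import zlib

def pe_sections(data):
    """Return [(name, raw_offset, raw_size, crc32)] for each section of a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # AddressOfNewExeHeader
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")                # dword 17744 == 0x4550
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature.
    _machine, nsec, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    # The section table starts right after the optional header. Taking its
    # size from SizeOfOptionalHeader works for PE32 and PE32+ alike, and for
    # files that declare fewer than 16 data directories.
    table = e_lfanew + 24 + opt_size
    if table + 40 * nsec > len(data):
        raise ValueError("section table runs past end of file")
    out = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        if raw_ptr + raw_size > len(data):
            raise ValueError("section %d raw data out of bounds" % i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        out.append((name.rstrip(b"\0").decode("latin-1"), raw_ptr, raw_size,
                    zlib.crc32(raw) & 0xFFFFFFFF))
    return out

def build_sample_pe(payload=b"\xCC" * 16):
    """Constructed minimal PE32 image with one .text section (sample input only)."""
    e_lfanew, opt_size = 0x40, 224                  # 96 + 16 data directories * 8
    raw_ptr = e_lfanew + 24 + opt_size + 40         # headers, then one section header
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # Magic 267 = PE32
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                       len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + file_hdr + opt + sect + payload

if __name__ == "__main__":
    for name, off, size, crc in pe_sections(build_sample_pe()):
        print("%-8s offset=0x%X size=%d crc32=%08X" % (name, off, size, crc))
```

A per-section CRC is a fast change detector, not a tamper-proof signature: CRC-32 is not collision resistant, so use a cryptographic hash where the file may be modified deliberately.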

  • 3 weeks later...
Posted

New version. Script is in the first post.

What's new?

- RT_DIALOG part is rewritten and now supports all languages

- I started working on command line section. This code is my suggestion for parents:

Local $hResourcesExe = Run("Resources.exe -add -compile Res.dll -res animated.gif -type GIF -name 1 -lang 0", "", @SW_HIDE, 6) ; 6 = $STDERR_CHILD + $STDOUT_CHILD
Local $sLine, $sLineError

While 1
    $sLineError = StderrRead($hResourcesExe)
    If @error Then ExitLoop
    If $sLineError Then
        ConsoleWrite("! " & $sLineError)
    EndIf
    Sleep(100)
WEnd

While 1
    $sLine = StdoutRead($hResourcesExe)
    If @error Then ExitLoop
    If $sLine Then
        ConsoleWrite($sLine)
    EndIf
    Sleep(100)
WEnd

- lots of other modifications (I like to call them improvements - if you used older scripts you will see them, if not...)

- I consider this new version to be 0.0.0.0

Posted

It is really great. For viewing resources it's even better than ResHacker, since it doesn't show an out-of-mem error if there's a PNG-icon in an icongroup.

The only thing I wish to have is modifying resources in already existing Exes or DLLs.

*GERMAN* [note: you are not allowed to remove author / modified info from my UDFs]My UDFs:[_SetImageBinaryToCtrl] [_TaskDialog] [AutoItObject] [Animated GIF (GDI+)] [ClipPut for Image] [FreeImage] [GDI32 UDFs] [GDIPlus Progressbar] [Hotkey-Selector] [Multiline Inputbox] [MySQL without ODBC] [RichEdit UDFs] [SpeechAPI Example] [WinHTTP]UDFs included in AutoIt: FTP_Ex (as FTPEx), _WinAPI_SetLayeredWindowAttributes
