Digisoul Posted March 5, 2009

> Of course I don't mind. That guy from the third post did that what you want/need. Search the forums for PEScope crashdemons (what a nick - mean mdfk). You should locate $tagIMAGE_SECTION_HEADER in his script(s) and everything around it. If you would have troubles doing that I'm sure he (...or me, or someone else) will help you.

Isn't there any other method? The source of PEScope is uncommented & lots of variables make it more difficult to understand properly.

73 108 111 118 101 65 117 116 111 105 116
GHOSTSKIKDA Posted March 6, 2009

woooooooow ! very nice

I LOVE ALGERIA .... ;-)
trancexx (Author) Posted March 6, 2009

> Isn't there any other method ? the source of PEScope is uncommented & lots of variables make it more difficult to understand properly.

Try this:

```autoit
#NoTrayIcon

Global $sModule = @SystemDir & "\user32.dll"

_WriteSectionsToConsole($sModule)

Func _WriteSectionsToConsole($sModule)

    Local $iLoaded
    Local $a_hCall = DllCall("kernel32.dll", "hwnd", "GetModuleHandleW", "wstr", $sModule)

    If @error Then
        Return SetError(1, 0, "") ; GetModuleHandle failed
    EndIf

    Local $pPointer = $a_hCall[0]

    If Not $a_hCall[0] Then
        $a_hCall = DllCall("kernel32.dll", "hwnd", "LoadLibraryExW", "wstr", $sModule, "hwnd", 0, "int", 34) ; LOAD_LIBRARY_AS_IMAGE_RESOURCE|LOAD_LIBRARY_AS_DATAFILE
        If @error Or Not $a_hCall[0] Then
            Return SetError(2, 0, "") ; LoadLibraryEx failed
        EndIf
        $iLoaded = 1
        $pPointer = $a_hCall[0] - 1
    EndIf

    Local $hModule = $a_hCall[0]

    Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _
            "ushort BytesOnLastPage;" & _
            "ushort Pages;" & _
            "ushort Relocations;" & _
            "ushort SizeofHeader;" & _
            "ushort MinimumExtra;" & _
            "ushort MaximumExtra;" & _
            "ushort SS;" & _
            "ushort SP;" & _
            "ushort Checksum;" & _
            "ushort IP;" & _
            "ushort CS;" & _
            "ushort Relocation;" & _
            "ushort Overlay;" & _
            "char Reserved[8];" & _
            "ushort OEMIdentifier;" & _
            "ushort OEMInformation;" & _
            "char Reserved2[20];" & _
            "dword AddressOfNewExeHeader", _
            $pPointer)

    $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader") ; move to PE file header

    Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer) ; IMAGE_NT_SIGNATURE = 17744

    If Not (DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") = 17744) Then
        If $iLoaded Then
            Local $a_iCall = DllCall("kernel32.dll", "int", "FreeLibrary", "hwnd", $hModule)
            ; will not check this
        EndIf
        Return SetError(3, 0, "") ; Wrong NTSIGNATURE
    EndIf

    $pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure

    Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _
            "ushort NumberOfSections;" & _
            "dword TimeDateStamp;" & _
            "dword PointerToSymbolTable;" & _
            "dword NumberOfSymbols;" & _
            "ushort SizeOfOptionalHeader;" & _
            "ushort Characteristics", _
            $pPointer)

    Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections") ; this is related to you

    $pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure

    Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _
            "ubyte MajorLinkerVersion;" & _
            "ubyte MinorLinkerVersion;" & _
            "dword SizeOfCode;" & _
            "dword SizeOfInitializedData;" & _
            "dword SizeOfUninitializedData;" & _
            "dword AddressOfEntryPoint;" & _
            "dword BaseOfCode;" & _
            "dword BaseOfData;" & _
            "dword ImageBase;" & _
            "dword SectionAlignment;" & _
            "dword FileAlignment;" & _
            "ushort MajorOperatingSystemVersion;" & _
            "ushort MinorOperatingSystemVersion;" & _
            "ushort MajorImageVersion;" & _
            "ushort MinorImageVersion;" & _
            "ushort MajorSubsystemVersion;" & _
            "ushort MinorSubsystemVersion;" & _
            "dword Win32VersionValue;" & _
            "dword SizeOfImage;" & _
            "dword SizeOfHeaders;" & _
            "dword CheckSum;" & _
            "ushort Subsystem;" & _
            "ushort DllCharacteristics;" & _
            "dword SizeOfStackReserve;" & _
            "dword SizeOfStackCommit;" & _
            "dword SizeOfHeapReserve;" & _
            "dword SizeOfHeapCommit;" & _
            "dword LoaderFlags;" & _
            "dword NumberOfRvaAndSizes", _
            $pPointer)

    $pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER structure

    ; Export Directory
    Local $tIMAGE_DIRECTORY_ENTRY_EXPORT = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; Import Directory
    Local $tIMAGE_DIRECTORY_ENTRY_IMPORT = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; Resource Directory
    Local $tIMAGE_DIRECTORY_ENTRY_RESOURCE = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; Exception Directory
    Local $tIMAGE_DIRECTORY_ENTRY_EXCEPTION = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; Security Directory
    Local $tIMAGE_DIRECTORY_ENTRY_SECURITY = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; Base Relocation Directory
    Local $tIMAGE_DIRECTORY_ENTRY_BASERELOC = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; Debug Directory
    Local $tIMAGE_DIRECTORY_ENTRY_DEBUG = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; Description String
    Local $tIMAGE_DIRECTORY_ENTRY_COPYRIGHT = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; Machine Value (MIPS GP)
    Local $tIMAGE_DIRECTORY_ENTRY_GLOBALPTR = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; TLS Directory
    Local $tIMAGE_DIRECTORY_ENTRY_TLS = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    ; Load Configuration Directory
    Local $tIMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8

    $pPointer += 40 ; five more unused data directories

    ConsoleWrite(@CRLF)

    Local $tIMAGE_SECTION_HEADER

    For $i = 1 To $iNumberOfSections
        ; finally what you want
        $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _
                "dword UnionOfData;" & _
                "dword VirtualAddress;" & _
                "dword SizeOfRawData;" & _
                "dword PointerToRawData;" & _
                "dword PointerToRelocations;" & _
                "dword PointerToLinenumbers;" & _
                "ushort NumberOfRelocations;" & _
                "ushort NumberOfLinenumbers;" & _
                "dword Characteristics", _
                $pPointer)

        ConsoleWrite("Section Name: " & DllStructGetData($tIMAGE_SECTION_HEADER, "Name") & @CRLF)
        ConsoleWrite("Address: " & DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress") & @CRLF)
        ConsoleWrite("SizeOfRawData: " & DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData") & " bytes" & @CRLF)
        ConsoleWrite("NumberOfRelocations: " & DllStructGetData($tIMAGE_SECTION_HEADER, "NumberOfRelocations") & @CRLF)
        ConsoleWrite(@CRLF)

        $pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure
    Next

    If $iLoaded Then
        Local $a_iCall = DllCall("kernel32.dll", "int", "FreeLibrary", "hwnd", $hModule)
    EndIf

EndFunc   ;==>_WriteSectionsToConsole
```

Btw, you can make it a lot shorter if you skip creating some of the structures (don't forget to move pointer). Read this and this and...

@ALG, thanks. Third parameter of ImageList_Create function in ResourcesViewerAndCompiler.au3 is ILC_COLOR24 ("dword", 24) and should be changed to ILC_COLOR32 (ARGB obviously) to add transparency for transparent images. I will make that change with new update. I have few more improvements.

♡♡♡ . eMyvnE
trancexx (Author) Posted March 8, 2009

Just to say that I've made an update. New script is attached in post No1.

New things are tabs. Two of them, one is for resources section of the file and the other is for some additional data. Digisoul provoked this change. I'm glad he is.

There are some fixes. ImageList_Create is creating transparent images now, no more black (or whatever) background. Treeview and listview memory leak is fixed by deleting these controls and building new ones before populating them with items. I was going to do this by destroying image list created by autoit when adding images to controls and decrementing number of items (destroying handles too) but that turned to be unneeded complication. So I decided to simply delete that controls.

Btw, list of exports and imports is the most complete one that I saw - ever... It will show e.g. functions exported by name or ordinal value. monoceres, for example, in his DEE was focused on functions exported by name only.

Items in this other treeview control are editable so you can copy to clipboard if you want to search the net for the specific function. Just select an item and click-and-hold it for second or two.
Digisoul Posted March 12, 2009 (edited)

> Try this: [...]
>
> Btw, you can make it a lot shorter if you skip creating some of the structures (don't forget to move pointer). Read this and this and...

Thank you very much for that function, but it seems there is some problem or my mistake. This is the result from your provided function:

```
Section Name: .text
Address: 0x01051000
SizeOfRawData: 51.96 Kb
NumberOfRelocations: 0
```

but the actual Offset of this section is 00001000

2nd problem is that _WinAPI_SetFilePointer uses Decimal value for jump to the desired position, how can I convert the return value into accessible value?

Edited March 12, 2009 by Digisoul
trancexx (Author) Posted March 12, 2009

> Thank you very much for that function, but it seems there is some problem or my mistake. This is the result from your provided function:
>
> Section Name: .text
> Address: 0x01051000
> SizeOfRawData: 51.96 Kb
> NumberOfRelocations: 0
>
> but the actual Offset of this section is 00001000
>
> 2nd problem is that _WinAPI_SetFilePointer uses Decimal value for jump to the desired position, how can I convert the return value into accessible value?

That code shows you absolute address of that section for loaded module. If you look at the code you will see that is gained by adding "VirtualAddress" to base address. Just remove DllStructGetPtr($tIMAGE_DOS_HEADER) and you will have virtual one.

0x10 is 0x00000010 is 16 - AutoIt makes no difference. Try this:

```autoit
ConsoleWrite(0x00000010 & @CRLF)
```

ResourcesViewerAndCompiler.au3 uses more proper way of loading that module. Peek there.
Digisoul Posted March 12, 2009

> That code shows you absolute address of that section for loaded module. If you look at the code you will see that is gained by adding "VirtualAddress" to base address. Just remove DllStructGetPtr($tIMAGE_DOS_HEADER) and you will have virtual one.
>
> 0x10 is 0x00000010 is 16 - AutoIt makes no difference. Try this:
>
> ConsoleWrite(0x00000010 & @CRLF)
>
> ResourcesViewerAndCompiler.au3 uses more proper way of loading that module. Peek there.

Thank you very much Trancexx for your kind help, it gives me a lot for learning the structure of PE Files, thanks again.

"ResourcesViewerAndCompiler.au3", I will try it.
crashdemons Posted March 14, 2009

> what a nick - mean mdfk

LOL - Didn't want to appear mean, perhaps intimidating.

Also, I put a link in my thread to yours since your script is a more well-rounded example of the related features.

My Projects - WindowDarken (Darken except the active window), Yahsmosis Chat Client (Discontinued), StarShooter Game (Red alert! All hands to battlestations!), YMSG Protocol Support (Discontinued), Circular Keyboard and OSK example. (aka Iris KB), Target Screensaver, Drive Toolbar Thingy, Rollup Pro (Minimize-to-Titlebar & More!), 2D Launcher physics example, Ascii Screenshot, AutoIt3 Quine Example ("Is a Quine" is a Quine.), USB Lock (Another system keydrive - with a toast.)
trancexx (Author) Posted March 14, 2009

> LOL - Didn't want to appear mean, perhaps intimidating.
>
> Also, I put a link in my thread to yours since your script is a more well-rounded example of the related features.

See the number of my posts
Digisoul Posted March 15, 2009

Hi trancexx

I found a new problem, the offset which I get by virtual address actually does not jump to the data of the section.

After deep search I found that the information which I get by your provided function, ResourcesViewerAndCompiler.au3 or PEScope never gives the offset for the data of section.

e.g. We get this information for .text section:

```
Section Name: .text
Offset: 4096
Address: 0x01741000
SizeOfRawData: 303.5 Kb | 310784 BYTES
NumberOfRelocations: 0
```

But the data of .text section actually exists at following position:

In decimal: 1020
In hex: 0x000003FC

Now I'm unable to figure out how I can create or get this actual offset?
trancexx (Author) Posted March 15, 2009

> Hi trancexx
>
> I found a new problem, the offset which I get by virtual address actually does not jump to the data of the section.
>
> After deep search I found that the information which I get by your provided function, ResourcesViewerAndCompiler.au3 or PEScope never gives the offset for the data of section.
>
> e.g. We get this information for .text section:
>
> Section Name: .text
> Offset: 4096
> Address: 0x01741000
> SizeOfRawData: 303.5 Kb | 310784 BYTES
> NumberOfRelocations: 0
>
> But the data of .text section actually exists at following position:
>
> In decimal: 1020
> In hex: 0x000003FC
>
> Now I'm unable to figure out how I can create or get this actual offset?

"VirtualAddress" is one thing and the offset is another. You are obviously not loading the module so you have to virtually load it. I mentioned this in that other thread. In fact my last post there is all about this.

You need to correct that reading by (I'm sure you will find the proper location to put this code):

```autoit
Local $iCorrector = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "BaseOfCode") - DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")
```

Usually that number is 3072 (bytes), but it should be calculated for every specific file if you want to be exact.
Digisoul Posted March 16, 2009

> You need to correct that reading by (I'm sure you will find the proper location to put this code):
>
> Local $iCorrector = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "BaseOfCode") - DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")
>
> Usually that number is 3072 (bytes), but it should be calculated for every specific file if you want to be exact.

Thanks again, I will try.
Digisoul Posted March 16, 2009

> You need to correct that reading by (I'm sure you will find the proper location to put this code):
>
> Local $iCorrector = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "BaseOfCode") - DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")

Well I tried this

```autoit
Local $iCorrector = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "BaseOfCode") - DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")
ConsoleWrite("Data Offset: " & DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress") - $iCorrector & @CRLF)
```

but I think it's the wrong place, because it only works for .text section, not for other sections & if any PE File never has a section of ".text", like .UPX1, it will never return accurate offset.

> Usually that number is 3072 (bytes), but it should be calculated for every specific file if you want to be exact.

Now please tell me how I can manage the $iCorrector for every section & file, because I have only 2 days to complete that project.

Thanks in advance for your kind help.
trancexx (Author) Posted March 16, 2009

> Well I tried this
>
> Local $iCorrector = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "BaseOfCode") - DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")
> ConsoleWrite("Data Offset: " & DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress") - $iCorrector & @CRLF)
>
> but I think it's the wrong place, because it only works for .text section, not for other sections & if any PE File never has a section of ".text", like .UPX1, it will never return accurate offset.
>
> Now please tell me how I can manage the $iCorrector for every section & file, because I have only 2 days to complete that project.
>
> Thanks in advance for your kind help.

Well, I pretty much explained everything and illustrated that with AutoIt code in this and crashdemon's topic. I fail to see what exactly you don't comprehend. All I can do more is write that code for you. You want me to write it for you?

Please try more, it's a matter of deductive reasoning.
Digisoul Posted March 17, 2009

Hi trancexx

First of all thank you for reply,

> Well, I pretty much explained everything and illustrated that with AutoIt code in this and crashdemon's topic. I fail to see what exactly you don't comprehend.

Actually these are totally new things for me, that's why I am not getting the exact points. Here is the image from CFF explorer, which will represent the actual need & the problem.

> Please try more, it's a matter of deductive reasoning.

Believe me I tried really hard, and also read the topics you sent in the post, but currently it takes time to understand the internal structure of PE files.

Thanks again for your kind reply.
trancexx (Author) Posted March 18, 2009 (edited)

Yes, I see what you mean. You want raw raw data. Try this:

```autoit
#NoTrayIcon

Global $sModule = @SystemDir & "\lz32.dll"
;$sModule = FileOpenDialog("", "", "(*)")

_WriteMiscDataToConsole($sModule)
If @error Then
    MsgBox(48, "Error", "Error number: " & @error)
EndIf

Func _WriteMiscDataToConsole($sModule)

    Local $tBinary = DllStructCreate("byte[" & FileGetSize($sModule) & "]")
    $hModule = FileOpen($sModule, 16)
    DllStructSetData($tBinary, 1, FileRead($hModule))
    FileClose($hModule)

    Local $pPointer = DllStructGetPtr($tBinary)

    Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _
            "ushort BytesOnLastPage;" & _
            "ushort Pages;" & _
            "ushort Relocations;" & _
            "ushort SizeofHeader;" & _
            "ushort MinimumExtra;" & _
            "ushort MaximumExtra;" & _
            "ushort SS;" & _
            "ushort SP;" & _
            "ushort Checksum;" & _
            "ushort IP;" & _
            "ushort CS;" & _
            "ushort Relocation;" & _
            "ushort Overlay;" & _
            "char Reserved[8];" & _
            "ushort OEMIdentifier;" & _
            "ushort OEMInformation;" & _
            "char Reserved2[20];" & _
            "dword AddressOfNewExeHeader", _
            $pPointer)

    If Not (DllStructGetData($tIMAGE_DOS_HEADER, "Magic") == "MZ") Then
        Return SetError(1, 0, "") ; not PE file
    EndIf

    $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader") ; move to PE file header

    Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer) ; IMAGE_NT_SIGNATURE = 17744

    If Not (DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") = 17744) Then
        Return SetError(2, 0, "") ; wrong NTSIGNATURE
    EndIf

    $pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure

    Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _
            "ushort NumberOfSections;" & _
            "dword TimeDateStamp;" & _
            "dword PointerToSymbolTable;" & _
            "dword NumberOfSymbols;" & _
            "ushort SizeOfOptionalHeader;" & _
            "ushort Characteristics", _
            $pPointer)

    Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")
    ConsoleWrite("NumberOfSections: " & $iNumberOfSections & @CRLF & @CRLF)

    $pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure

    Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _
            "ubyte MajorLinkerVersion;" & _
            "ubyte MinorLinkerVersion;" & _
            "dword SizeOfCode;" & _
            "dword SizeOfInitializedData;" & _
            "dword SizeOfUninitializedData;" & _
            "dword AddressOfEntryPoint;" & _
            "dword BaseOfCode;" & _
            "dword BaseOfData;" & _
            "dword ImageBase;" & _
            "dword SectionAlignment;" & _
            "dword FileAlignment;" & _
            "ushort MajorOperatingSystemVersion;" & _
            "ushort MinorOperatingSystemVersion;" & _
            "ushort MajorImageVersion;" & _
            "ushort MinorImageVersion;" & _
            "ushort MajorSubsystemVersion;" & _
            "ushort MinorSubsystemVersion;" & _
            "dword Win32VersionValue;" & _
            "dword SizeOfImage;" & _
            "dword SizeOfHeaders;" & _
            "dword CheckSum;" & _
            "ushort Subsystem;" & _
            "ushort DllCharacteristics;" & _
            "dword SizeOfStackReserve;" & _
            "dword SizeOfStackCommit;" & _
            "dword SizeOfHeapReserve;" & _
            "dword SizeOfHeapCommit;" & _
            "dword LoaderFlags;" & _
            "dword NumberOfRvaAndSizes", _
            $pPointer)

    $pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER

    Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic")
    Local $iCorrector = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "BaseOfCode") - DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")

    If Not ($iMagic = 267) Then
        Return SetError(0, 1, 1) ; not 32-bit application. Structures are for 32-bit
    EndIf

    ConsoleWrite(@CRLF)

    $pPointer += 128 ; size of the structures before IMAGE_SECTION_HEADER (16 of them)

    Local $tIMAGE_SECTION_HEADER
    Local $iSizeOfRawData, $pPointerToRawData, $tRawData, $bRawData

    For $i = 1 To $iNumberOfSections

        $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _
                "dword UnionOfData;" & _
                "dword VirtualAddress;" & _
                "dword SizeOfRawData;" & _
                "dword PointerToRawData;" & _
                "dword PointerToRelocations;" & _
                "dword PointerToLinenumbers;" & _
                "ushort NumberOfRelocations;" & _
                "ushort NumberOfLinenumbers;" & _
                "dword Characteristics", _
                $pPointer)

        ConsoleWrite("> Section Name: " & DllStructGetData($tIMAGE_SECTION_HEADER, "Name") & @CRLF)
        ConsoleWrite("Hex dump:" & @CRLF)

        $iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")
        $pPointerToRawData = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")
        $tRawData = DllStructCreate("byte[" & $iSizeOfRawData & "]", $pPointerToRawData)
        $bRawData = DllStructGetData($tRawData, 1)

        ConsoleWrite(_HexEncode($bRawData) & @CRLF)

        $pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure

    Next

EndFunc   ;==>_WriteMiscDataToConsole

Func _HexEncode($bInput)

    Local $tInput = DllStructCreate("byte[" & BinaryLen($bInput) & "]")

    DllStructSetData($tInput, 1, $bInput)

    Local $a_iCall = DllCall("crypt32.dll", "int", "CryptBinaryToString", _
            "ptr", DllStructGetPtr($tInput), _
            "dword", DllStructGetSize($tInput), _
            "dword", 11, _
            "ptr", 0, _
            "dword*", 0)

    If @error Or Not $a_iCall[0] Then
        Return SetError(1, 0, "")
    EndIf

    Local $iSize = $a_iCall[5]
    Local $tOut = DllStructCreate("char[" & $iSize & "]")

    $a_iCall = DllCall("crypt32.dll", "int", "CryptBinaryToString", _
            "ptr", DllStructGetPtr($tInput), _
            "dword", DllStructGetSize($tInput), _
            "dword", 11, _
            "ptr", DllStructGetPtr($tOut), _
            "dword*", $iSize)

    If @error Or Not $a_iCall[0] Then
        Return SetError(2, 0, "")
    EndIf

    Return SetError(0, 0, DllStructGetData($tOut, 1))

EndFunc   ;==>_HexEncode
```

That will write plenty of data to console depending on file so it could be a bit slow.

...I bet you are gonna ask what if there is no "SizeOfRawData"

Edited March 18, 2009 by trancexx
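The difference between "VirtualAddress" and the position of a section's bytes in the file, discussed in the posts above, as an added example (not code from this thread or from ResourcesViewerAndCompiler.au3): it maps an RVA to a file offset per section using each header's VirtualAddress and PointerToRawData, and checks every header value against the file length before reading. It goes beyond the fixed 32-bit layout in the post by locating the section table through SizeOfOptionalHeader; the function names and the sample image built by `build_sample_pe` are constructed for illustration.

```python
import struct
from collections import namedtuple

# Fields of IMAGE_SECTION_HEADER used here (names are this example's own).
Section = namedtuple("Section", "name vsize vaddr rsize rptr")


class PEFormatError(ValueError):
    """A header value is missing or points outside the file."""


def parse_sections(data):
    """Return the section headers of a PE file given as bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEFormatError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # AddressOfNewExeHeader
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("no PE signature")            # 17744 == 0x00004550
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature.
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    # The section table starts right after the optional header, whatever its
    # size (PE32 or PE32+), so no fixed 96 + 128 byte skip is needed.
    table = e_lfanew + 24 + opt_size
    if table + count * 40 > len(data):
        raise PEFormatError("section table runs past end of file")
    sections = []
    for i in range(count):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, vaddr, rsize, rptr))
    return sections


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset, or None if no file bytes back it.

    The difference VirtualAddress - PointerToRawData is a property of each
    section, so it is looked up per section rather than computed once.
    RVAs inside the headers are not handled here.
    """
    for s in sections:
        if s.vaddr <= rva < s.vaddr + max(s.vsize, s.rsize):
            delta = rva - s.vaddr
            if delta >= s.rsize:      # zero-filled in memory, absent on disk
                return None
            return s.rptr + delta
    return None


def section_raw_data(data, section):
    """Return a section's bytes from the file, refusing out-of-range headers."""
    end = section.rptr + section.rsize
    if end > len(data):
        raise PEFormatError("raw data of %s lies outside the file" % section.name)
    return data[section.rptr:end]


def build_sample_pe():
    """Constructed 32-bit PE skeleton: headers plus two sections (not a real file)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")      # Magic 267, rest zeroed

    def sec(name, vsize, vaddr, rsize, rptr):
        return struct.pack("<8sIIII", name, vsize, vaddr, rsize, rptr).ljust(40, b"\0")

    table = (sec(b".text", 0x1F0, 0x1000, 0x200, 0x400) +
             sec(b".data", 0x300, 0x2000, 0x200, 0x600))
    headers = (dos + b"PE\0\0" + file_hdr + opt + table).ljust(0x400, b"\0")
    return headers + b"\xCC" * 0x200 + b"\xDD" * 0x200


if __name__ == "__main__":
    image = build_sample_pe()
    for s in parse_sections(image):
        print("%-8s VirtualAddress=0x%X PointerToRawData=0x%X difference=%d"
              % (s.name, s.vaddr, s.rptr, s.vaddr - s.rptr))
```

In the constructed sample the difference is 3072 for `.text` and 6656 for `.data`, so one correction value cannot serve both sections.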
Digisoul Posted March 18, 2009

Yes, I see what you mean. You want raw raw data. Try this:

```autoit
#NoTrayIcon

Global $sModule = @SystemDir & "\lz32.dll"
;$sModule = FileOpenDialog("", "", "(*)")

_WriteMiscDataToConsole($sModule)
If @error Then
    MsgBox(48, "Error", "Error number: " & @error)
EndIf

Func _WriteMiscDataToConsole($sModule)

    ; Read the whole file into a byte buffer (16 = binary mode)
    Local $tBinary = DllStructCreate("byte[" & FileGetSize($sModule) & "]")
    Local $hModule = FileOpen($sModule, 16)
    DllStructSetData($tBinary, 1, FileRead($hModule))
    FileClose($hModule)

    Local $pPointer = DllStructGetPtr($tBinary)

    Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _
            "ushort BytesOnLastPage;" & _
            "ushort Pages;" & _
            "ushort Relocations;" & _
            "ushort SizeofHeader;" & _
            "ushort MinimumExtra;" & _
            "ushort MaximumExtra;" & _
            "ushort SS;" & _
            "ushort SP;" & _
            "ushort Checksum;" & _
            "ushort IP;" & _
            "ushort CS;" & _
            "ushort Relocation;" & _
            "ushort Overlay;" & _
            "char Reserved[8];" & _
            "ushort OEMIdentifier;" & _
            "ushort OEMInformation;" & _
            "char Reserved2[20];" & _
            "dword AddressOfNewExeHeader", _
            $pPointer)

    If Not (DllStructGetData($tIMAGE_DOS_HEADER, "Magic") == "MZ") Then
        Return SetError(1, 0, "") ; not PE file
    EndIf

    $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader") ; move to PE file header

    Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer)

    ; IMAGE_NT_SIGNATURE = 17744
    If Not (DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") = 17744) Then
        Return SetError(2, 0, "") ; wrong NTSIGNATURE
    EndIf

    $pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure

    Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _
            "ushort NumberOfSections;" & _
            "dword TimeDateStamp;" & _
            "dword PointerToSymbolTable;" & _
            "dword NumberOfSymbols;" & _
            "ushort SizeOfOptionalHeader;" & _
            "ushort Characteristics", _
            $pPointer)

    Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")

    ConsoleWrite("NumberOfSections: " & $iNumberOfSections & @CRLF & @CRLF)

    $pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure

    Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _
            "ubyte MajorLinkerVersion;" & _
            "ubyte MinorLinkerVersion;" & _
            "dword SizeOfCode;" & _
            "dword SizeOfInitializedData;" & _
            "dword SizeOfUninitializedData;" & _
            "dword AddressOfEntryPoint;" & _
            "dword BaseOfCode;" & _
            "dword BaseOfData;" & _
            "dword ImageBase;" & _
            "dword SectionAlignment;" & _
            "dword FileAlignment;" & _
            "ushort MajorOperatingSystemVersion;" & _
            "ushort MinorOperatingSystemVersion;" & _
            "ushort MajorImageVersion;" & _
            "ushort MinorImageVersion;" & _
            "ushort MajorSubsystemVersion;" & _
            "ushort MinorSubsystemVersion;" & _
            "dword Win32VersionValue;" & _
            "dword SizeOfImage;" & _
            "dword SizeOfHeaders;" & _
            "dword CheckSum;" & _
            "ushort Subsystem;" & _
            "ushort DllCharacteristics;" & _
            "dword SizeOfStackReserve;" & _
            "dword SizeOfStackCommit;" & _
            "dword SizeOfHeapReserve;" & _
            "dword SizeOfHeapCommit;" & _
            "dword LoaderFlags;" & _
            "dword NumberOfRvaAndSizes", _
            $pPointer)

    $pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER

    Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic")
    Local $iCorrector = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "BaseOfCode") - DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders")

    ; 267 = 0x10B, the PE32 optional header magic
    If Not ($iMagic = 267) Then
        Return SetError(0, 1, 1) ; not 32-bit application. Structures are for 32-bit
    EndIf

    ConsoleWrite(@CRLF)

    $pPointer += 128 ; size of the structures before IMAGE_SECTION_HEADER (16 of them)

    Local $tIMAGE_SECTION_HEADER
    Local $iSizeOfRawData, $pPointerToRawData, $tRawData, $bRawData

    For $i = 1 To $iNumberOfSections

        $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _
                "dword UnionOfData;" & _
                "dword VirtualAddress;" & _
                "dword SizeOfRawData;" & _
                "dword PointerToRawData;" & _
                "dword PointerToRelocations;" & _
                "dword PointerToLinenumbers;" & _
                "ushort NumberOfRelocations;" & _
                "ushort NumberOfLinenumbers;" & _
                "dword Characteristics", _
                $pPointer)

        ConsoleWrite("> Section Name: " & DllStructGetData($tIMAGE_SECTION_HEADER, "Name") & @CRLF)
        ConsoleWrite("Hex dump:" & @CRLF)

        ; PointerToRawData is a file offset, so it is added to the start of the file buffer
        $iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")
        $pPointerToRawData = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")
        $tRawData = DllStructCreate("byte[" & $iSizeOfRawData & "]", $pPointerToRawData)
        $bRawData = DllStructGetData($tRawData, 1)

        ConsoleWrite(_HexEncode($bRawData) & @CRLF)

        $pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure

    Next

EndFunc   ;==>_WriteMiscDataToConsole

Func _HexEncode($bInput)

    Local $tInput = DllStructCreate("byte[" & BinaryLen($bInput) & "]")

    DllStructSetData($tInput, 1, $bInput)

    ; First call only asks for the required output size (11 = CRYPT_STRING_HEXASCIIADDR)
    Local $a_iCall = DllCall("crypt32.dll", "int", "CryptBinaryToString", _
            "ptr", DllStructGetPtr($tInput), _
            "dword", DllStructGetSize($tInput), _
            "dword", 11, _
            "ptr", 0, _
            "dword*", 0)

    If @error Or Not $a_iCall[0] Then
        Return SetError(1, 0, "")
    EndIf

    Local $iSize = $a_iCall[5]
    Local $tOut = DllStructCreate("char[" & $iSize & "]")

    ; Second call fills the output buffer
    $a_iCall = DllCall("crypt32.dll", "int", "CryptBinaryToString", _
            "ptr", DllStructGetPtr($tInput), _
            "dword", DllStructGetSize($tInput), _
            "dword", 11, _
            "ptr", DllStructGetPtr($tOut), _
            "dword*", $iSize)

    If @error Or Not $a_iCall[0] Then
        Return SetError(2, 0, "")
    EndIf

    Return SetError(0, 0, DllStructGetData($tOut, 1))

EndFunc   ;==>_HexEncode
```

That will write plenty of data to console depending on file so it could be a bit slow. ...I bet you are gonna ask what if there is no "SizeOfRawData"

Thank you very much for that function & your kind help. I simply make a CRC of the returned data as a signature, and now my application works really fast. Thanks again, you're really great.

73 108 111 118 101 65 117 116 111 105 116
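The same section walk as an added Python example (not code from this thread), taking a CRC32 of each section's raw bytes in the way Digisoul describes. It goes beyond the script above: the section table is located through SizeOfOptionalHeader (so PE32+ files parse too), sections with a SizeOfRawData of 0 are skipped, and every offset read from the headers is checked against the file size; `section_crcs`, `build_sample_pe` and the sample image are constructed for illustration.

```python
import struct
import zlib

def section_crcs(data: bytes):
    """Return [(name, raw_size, crc32 or None)] for every section header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    # NumberOfSections is at +6 and SizeOfOptionalHeader at +20 of the NT headers
    n_sections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    out = []
    for i in range(n_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name, _vsize, _rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        if raw_size == 0:  # e.g. .bss: no bytes on disk, nothing to hash
            out.append((name, 0, None))
            continue
        if raw_ptr + raw_size > len(data):
            raise ValueError(f"section {name!r} raw data lies outside the file")
        out.append((name, raw_size, zlib.crc32(data[raw_ptr:raw_ptr + raw_size])))
    return out

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image: .text has 16 raw bytes, .bss has none."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222  # PE32 magic, rest zeroed
    fmt = "<8sIIIIIIHHI"
    text = struct.pack(fmt, b".text", 16, 0x1000, 16, 0x200, 0, 0, 0, 0, 0x60000020)
    bss = struct.pack(fmt, b".bss", 64, 0x2000, 0, 0, 0, 0, 0, 0, 0xC0000080)
    headers = dos + b"PE\0\0" + file_hdr + opt + text + bss
    return headers.ljust(0x200, b"\0") + bytes(range(16))

if __name__ == "__main__":
    for name, size, crc in section_crcs(build_sample_pe()):
        print(name, size, "-" if crc is None else f"{crc:08x}")
```
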
trancexx Posted April 4, 2009 Author

New version. Script is in the first post.

What's new?

- RT_DIALOG part is rewritten and now supports all languages
- I started working on command line section. This code is my suggestion for parents:

```autoit
Local $hResourcesExe = Run("Resources.exe -add -compile Res.dll -res animated.gif -type GIF -name 1 -lang 0", "", @SW_HIDE, 6) ; $STDERR_CHILD + $STDOUT_CHILD

Local $sLine, $sLineError

While 1
    $sLineError = StderrRead($hResourcesExe)
    If @error Then ExitLoop
    If $sLineError Then
        ConsoleWrite("! " & $sLineError)
    EndIf
    Sleep(100)
WEnd

While 1
    $sLine = StdoutRead($hResourcesExe)
    If @error Then ExitLoop
    If $sLine Then
        ConsoleWrite($sLine)
    EndIf
    Sleep(100)
WEnd
```

- lots of other modifications (I like to call them improvements - if you used older scripts you will see them, if not...)
- I consider this new version to be 0.0.0.0

♡♡♡ . eMyvnE
ProgAndy Posted April 4, 2009

It is really great. For viewing resources it's even better than ResHacker, since it doesn't show an out-of-mem error if there's a PNG-icon in an icongroup. The only thing I wish to have is modifying resources in already existing Exes or DLLs.

*GERMAN* [note: you are not allowed to remove author / modified info from my UDFs] My UDFs: [_SetImageBinaryToCtrl] [_TaskDialog] [AutoItObject] [Animated GIF (GDI+)] [ClipPut for Image] [FreeImage] [GDI32 UDFs] [GDIPlus Progressbar] [Hotkey-Selector] [Multiline Inputbox] [MySQL without ODBC] [RichEdit UDFs] [SpeechAPI Example] [WinHTTP] UDFs included in AutoIt: FTP_Ex (as FTPEx), _WinAPI_SetLayeredWindowAttributes