FILESCAN

[felipe]

This is a very simple program that allow us to check if a file is a win32 based executable. Is very simple because let windows do the analysis of the file with an (old?  ::)) function  . I have tested the program succesfully: it detects a 32 bit executable, but for files like .sys, .dll it doesn't. I have tried to cheat the program with no executable files but with a .exe extension and the program still works ok. Also 64 bit executables aren't detected as win32 based apps. In this regard if you know of a function or maybe an updated version of this function that allows to detect 64 bit windows executables, please let me know  :idea:.

As i say the program is very simple so is a text based program (console program). You need to write the full path of the executable or other file you want to test. It will be nice to see this function with a dialogbox, but i'm learning the windows api slowly... :redface: but you can do it!  :P

Finally, i have implemented for the program the maximum size of the console's window permited for each user. In this regard if you have any doubts you can askme here or comment...this post is getting too large... :icon_cool:. But don't you worry all the functions are properly used, really  :icon14:. At least from the documentation point of view. If you don't have the user experience you dream with, you can always change the source code supplied!  :P

Later i will make the 64 bit version  (or maybe not  :redface:), so don't you worry if you want to do it  . Ok, bye  :t.

[jj2007]

It's even documented by Micros**t: GetBinaryTypeA :icon_mrgreen: 8) :t

[fearless]

Here is a link with some c# code that could be adapted to read the header and check it (dll/exe) for 64bit (IMAGE_FILE_MACHINE_AMD64 = 0x8664) or 32bit (IMAGE_FILE_MACHINE_I386 = 0x14c)

https://stackoverflow.com/a/1002672

[mineiro]

Hello sir Felipe;
I see an excellent project ahead, keep working.
Executable files (.exe), from MS-DOS to Windows 64 are structures, always see them like this. Open "executable" files (.exe, .sys, .scr, .dll, ...) using a hexadecimal editor and you will notice that all begin with the initials "MZ", this acronym is the name of the creator of this structure, Mark Zbikowski. This is the "signature" required to verify that a given file is executable. From there, the more deeply in the structure there will be fields, these fields will set the file if it is a DLL, SYS, ....
A quick preview tells us if the file contains "MZ", "LE", "NE", "PE", ..., I mean, if the file was made for ms-dos, or for windows 3.11, windows 98, ....
Compressed .rar files have a signature, "Rar!". I mean, the first few bytes of the .rar compress file have that signature.
Linux executable files, well, have 2 types, one of them start with "ELF" signature, other with extension .out have a structure.
There are few files that do not have a structure, one of them are .com, .bin, .rom, ..., and of course, .raw files. Here we need a heuristic search to determine what kind of file we are dealing with. Something like utf8 files without BOM.

Your program can be useful for recognizing deleted files on a hard disk for example; instead of verifying the file itself, the analysis is done on the disk and if find those "signatures" then it is possible to recover the file, I speak in a simple way only. Partitions FAT32, NTFS, EXT2,3, REISERFS, are structures, ie, structure the raw disk.
I'm not sure about the present, but in the past when we deleted a file in reality we just removed the index, the contents of the file were still on the disk. Just when we continued working on the disk and when writing a file to disk, the sector to which the file was placed was underwritten.
This is why I recommend using hex editors to recognize patterns.

Search for "header" and/or "signatures". An old, probably outdated site is wotsit, you might find it on waybackmachine.
https://en.wikipedia.org/wiki/List_of_file_signatures

Structured hugs.

[zedd151]

look in your masm32 folder, \masm32\tutorial\petute\petute.chm

You already have most of the information you need there.

Some of the info is dated, needs to be updated to include info on 64 bit etc...

But most of it is still valid information.

[felipe]

Wow! i'm truly surprised with so quick replies...thank you so much! you guys are the best!
 

[hutch--]

Hi felipe,

The win64.inc file has the PE structures you need.

IMAGE_DOS_HEADER to get the DWORD "e_lfanew" member for the offset of the PE header. I think the one you are looking for is,

  IMAGE_FILE_HEADER STRUCT
    Machine               WORD    ?    <<<<<<<<<<< This one.

[felipe]

Here it is a modified version of the program that can detect if the file scanned is a 32 bit or a 64 bit executable or neither of both.  :idea:
Some extra notes in this reply: The program is a 32 bit application. It will create a console screen buffer with a big size for the console window, but it will not change your default settings for your cmd.exe program. After the program terminates, your cmd.exe will show as was before (the default or your customized option).  :idea:
And, of course the .exe and the .asm files are in the .zip file.  :idea:

[jj2007]

That's great, and so simple: Instead of peeking inside the file for strange DWORDs called "e_lfanew" or similar, you just use GetBinaryType. So simple :t

[zedd151]

Instead of peeking inside the file for strange DWORDs called "e_lfanew" or similar

I never knew there was another way.   :t

, you just use GetBinaryType. So simple :t

I agree wholeheartedly. I like simple, no need to overcomplicate if there is another way...

[felipe]

  It will be interesting to scan files byte by byte but it may be a project for another day...

Here it is the same last program but in 64 bits version. .exe and .asm in the .zip.  ;)

[aw27]

The GetBinaryType works as well across Network Shares, for example \\MyRemoteSystem\MyShare\MyFolder\MyFile.exe .

A related exercise, would be to check whether the MyRemoteSystem is 32-bit or 64-bit OS. Anyone?

[felipe]

aw that sounds great. It will require to do a socket? I have never programmed  for networking...:idea:

[hutch--]

I have a sneaking suspicion that you would have to be able to run an executable on the remote system to get the OS version. Long ago I did some high level work using normal TCP/IP but I ran an app that I wrote to collect data and send it back. I don't know if there is another way to do it.

[aw27]

No need to use sockets programming and no need to launch an application on the remote system.
This is an Egg of Colombus 
I will provide the solution within one week if nobody finds it (writting the date on the agenda ).