Author Topic: Tiny Lousy (TL) programs  (Read 7652 times)

jj2007

  • Member
  • *****
  • Posts: 9733
  • Assembler is fun ;-)
    • MasmBasic
Re: Tiny Lousy (TL) programs
« Reply #30 on: March 01, 2019, 04:58:58 AM »
I like it :t

Vortex

  • Moderator
  • Member
  • *****
  • Posts: 2016
Re: Tiny Lousy (TL) programs
« Reply #31 on: March 01, 2019, 05:03:01 AM »
Hi Timo,

Once again, very good work :t

TimoVJL

  • Member
  • ***
  • Posts: 475
Re: Tiny Lousy (TL) programs
« Reply #32 on: March 03, 2019, 01:28:25 AM »
TLPEView is available in a UNICODE version, package TLPEViewUC.zip
This version is able to open files using, for example, a Cyrillic name / path.
What kind of things does it have to take care of?
Any suggestions?
May the source be with you

jj2007

  • Member
  • *****
  • Posts: 9733
  • Assembler is fun ;-)
    • MasmBasic
Re: Tiny Lousy (TL) programs
« Reply #33 on: March 03, 2019, 04:45:32 AM »
You could search for suspicious functions such as WriteProcessMemory, and show a red alert in the statusbar 8)

TimoVJL

  • Member
  • ***
  • Posts: 475
Re: Tiny Lousy (TL) programs
« Reply #34 on: March 03, 2019, 05:04:03 AM »
I have another program for that, result:
PEFindFunc.exe C:\Windows\system32\*.exe WriteProcessMemory
C:\Windows\system32\DWWIN.EXE    WriteProcessMemory

But a program can use functions dynamically, an invisible method.

May the source be with you

guga

  • Member
  • *****
  • Posts: 1062
  • Assembly is a state of art.
    • RosAsm
Re: Tiny Lousy (TL) programs
« Reply #35 on: March 03, 2019, 09:32:21 AM »
TLPEView is available in a UNICODE version, package TLPEViewUC.zip
This version is able to open files using, for example, a Cyrillic name / path.
What kind of things does it have to take care of?
Any suggestions?

Packer identifier (UPX, etc. etc.), function name unmangler, recognition of Delphi or VB structures in the resources.
Coding in Assembly requires a mix of:
80% of brain, passion, intuition, creativity
10% of programming skills
10% of alcoholic levels in your blood.

My Code Sites:
http://rosasm.freeforums.org
http://winasm.tripod.com

jj2007

  • Member
  • *****
  • Posts: 9733
  • Assembler is fun ;-)
    • MasmBasic
Re: Tiny Lousy (TL) programs
« Reply #36 on: March 03, 2019, 02:26:06 PM »
Packer identifier (UPX, etc etc)

Here is one - place the attached TLPEViewUpx.exe in the TLPEView folder and drag any exe over it. Note that upx.exe must also be in that folder! Source:

include \masm32\MasmBasic\MasmBasic.inc         ; download
  Init
  invoke CopyFileW, wCL$(), wChr$("PeViewTemp.exe"), 0  ; make a copy of the exe
  Let esi=FileRead$("PeViewTemp.exe")   ; check if it's UPXed
  mov edx, LastFileSize
  .if Instr_(FAST, esi, "UPX", 64) && edx<800   ; the match (in edx) is usually at pos 377 or so
        Launch "upx -d PeViewTemp.exe", SW_RESTORE, 5000
  .endif
  Launch "TLPEViewSrc64 PeViewTemp.exe", SW_RESTORE, 127
  .if WinByTitle("TLPEView64 - PeViewTemp.exe")
        xchg eax, ecx           ; the handle in eax will be trashed, so better use a safe reg32 ;-)
        wSetWin$ ecx="TLPEViewSrc64 - "+wCL$()  ; set the proper title
  .endif
  Kill "PeViewTemp.exe"         ; remove garbage
EndOfCode


The code might look unnecessarily complicated, but note that upx.exe -d somefile.exe modifies somefile.exe, which I wanted to avoid by using a temp file.

One weird thing is that Timo's exe does not load "exotic" files directly: I made a copy of \Masm32\MasmBasic\RichMasm.exe, called it БогатыеMasm.exe and dragged it over TLPEViewSrc64.exe - no success, empty screen :(

Dragging a "Russian" file over my exe works, though, only that the caption will be incorrectly set to TLPEView64 - ????Masm.exe (for unknown reasons, Timo's window does not accept Unicode).

guga

  • Member
  • *****
  • Posts: 1062
  • Assembly is a state of art.
    • RosAsm
Re: Tiny Lousy (TL) programs
« Reply #37 on: March 03, 2019, 05:11:20 PM »
Hi JJ

Good idea :t, although I wasn't thinking of loading (dumping/unpacking) a packed file. I thought of doing it more simply than loading or unpacking: only checking for their signatures, which avoids using the packer itself. All that is needed is its signature to recognize it, or calculating the entropy of the sections, etc. The same technique is used to recognize functions inside libraries by reading their digital signatures.
Coding in Assembly requires a mix of:
80% of brain, passion, intuition, creativity
10% of programming skills
10% of alcoholic levels in your blood.

My Code Sites:
http://rosasm.freeforums.org
http://winasm.tripod.com
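One way to do what guga describes (recognize a packer from its signature and from section entropy, without ever running the packer), as an added example that is not code from this thread, from TLPEView or from MasmBasic: a small Python script that walks the PE section table, flags the section names UPX leaves behind, computes each section's Shannon entropy, and also reproduces the plain "UPX within the first 800 bytes" test that the wrapper in reply #36 uses. The two sample images it inspects are built inline and are constructed test data, not real programs; the 7.0 entropy threshold and the short section-name list are assumptions for illustration.

```python
import math
import struct
import sys
from collections import Counter

# Section names commonly left behind by UPX and ASPack (assumption: a short list for
# illustration, not an exhaustive packer database).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata"}
ENTROPY_THRESHOLD = 7.0  # assumed cut-off: compressed/encrypted data sits near 8 bits per byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for an empty or single-valued section, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return [(name, raw_bytes)] from the PE section table, using only header fields."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def upx_marker_in_header(pe: bytes) -> bool:
    """The plain test from the wrapper in reply #36: the bytes 'UPX' within the first 800 bytes."""
    return b"UPX" in pe[:800]


def assess(pe: bytes):
    """Per-section report: name, raw size, entropy and the reasons it looks packed (if any)."""
    report = []
    for name, data in parse_sections(pe):
        ent = shannon_entropy(data)
        flags = []
        if name in PACKER_SECTION_NAMES:
            flags.append("packer section name")
        if ent >= ENTROPY_THRESHOLD:
            flags.append("high entropy")
        report.append({"name": name, "size": len(data), "entropy": round(ent, 2), "flags": flags})
    return report


def looks_packed(pe: bytes) -> bool:
    return any(entry["flags"] for entry in assess(pe))


def build_pe(sections):
    """Build a minimal PE32 image for testing (constructed data: headers only, no runnable code)."""
    opt_size = 0xE0                                        # PE32 optional header size
    header_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (header_len + 0x1FF) // 0x200 * 0x200       # file alignment 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    table, body = b"", b""
    for name, data in sections:
        raw_ptr = raw_base + len(body) if data else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), 0x1000,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image.ljust(raw_base, b"\0") + body


# Constructed sample images (not real programs): a "plain" one with a repetitive code-like
# section, and one whose section names and byte distribution mimic what UPX leaves behind.
PLAIN_PE = build_pe([(".text", b"\x55\x8b\xec\x90" * 128 + b"\xc3"), (".data", b"\x00" * 256)])
UNIFORM_BYTES = bytes(range(256)) * 4                      # every value equally frequent -> 8.0 bits
PACKED_PE = build_pe([("UPX0", b""), ("UPX1", UNIFORM_BYTES)])

if __name__ == "__main__":
    if len(sys.argv) > 1:                                  # inspect a file given on the command line
        targets = [(sys.argv[1], open(sys.argv[1], "rb").read())]
    else:
        targets = [("plain sample", PLAIN_PE), ("packed sample", PACKED_PE)]
    for label, image in targets:
        verdict = "looks packed" if looks_packed(image) else "no packer indicators"
        print(f"{label}: {verdict}; 'UPX' in header: {upx_marker_in_header(image)}")
        for entry in assess(image):
            print(f"  {entry['name']:<8} size={entry['size']:<6} entropy={entry['entropy']:<5} {entry['flags']}")
```

Run it without arguments to see both constructed samples classified, or pass a path to inspect a real file. The two indicators are deliberately independent: a renamed section table defeats the name check but not the entropy check, and a sparsely filled section lowers the entropy but leaves the names in place, which is why the report lists both per section rather than a single verdict.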

TimoVJL

  • Member
  • ***
  • Posts: 475
Re: Tiny Lousy (TL) programs
« Reply #38 on: March 03, 2019, 06:54:34 PM »
One weird thing is that Timo's exe does not load "exotic" files directly: I made a copy of \Masm32\MasmBasic\RichMasm.exe, called it БогатыеMasm.exe and dragged it over TLPEViewSrc64.exe - no success, empty screen :(

Dragging a "Russian" file over my exe works, though, only that the caption will be incorrectly set to TLPEView64 - ????Masm.exe (for unknown reasons, Timo's window does not accept Unicode).
http://masm32.com/board/index.php?topic=7435.msg84612#msg84612
Added support for Drag and Drop in a37
May the source be with you

jj2007

  • Member
  • *****
  • Posts: 9733
  • Assembler is fun ;-)
    • MasmBasic
Re: Tiny Lousy (TL) programs
« Reply #39 on: March 03, 2019, 09:09:51 PM »
Good idea :t, although i  wasn´t thinking in loading (dumping/unpacking) a packed file.

But the unpacked version is the only one that I would find worth looking at in a PE viewer... :icon_rolleyes:

(for unknown reasons, Timo's window does not accept Unicode).
http://masm32.com/board/index.php?topic=7435.msg84612#msg84612
Added support for Drag and Drop in a37

Sorry, I had not seen that version, it differs from the one I used by only three characters (see reply #36):

  Launch "TLPEViewSrc64 PeViewTemp.exe", SW_RESTORE, 127

Voilà, it works like a charm :t

guga

  • Member
  • *****
  • Posts: 1062
  • Assembly is a state of art.
    • RosAsm
Re: Tiny Lousy (TL) programs
« Reply #40 on: March 03, 2019, 11:53:09 PM »
But the unpacked version is the only one that I would find worth looking at in a PE viewer... :icon_rolleyes:

Indeed. UPX is an excellent packer/unpacker. It has been years since I last analysed any packer. I remember aspack too, etc. Personally, I think that packers (in general) are useless and offer little or no protection whatsoever. The only valid reason for a packer is to reduce the size of the exe, but at the cost of polluting the virtual memory when they are running. Years ago, I started a routine to identify different packers in RosAsm, but gave up after some time.
Coding in Assembly requires a mix of:
80% of brain, passion, intuition, creativity
10% of programming skills
10% of alcoholic levels in your blood.

My Code Sites:
http://rosasm.freeforums.org
http://winasm.tripod.com

Vortex

  • Moderator
  • Member
  • *****
  • Posts: 2016
Re: Tiny Lousy (TL) programs
« Reply #41 on: March 04, 2019, 05:43:52 AM »
Hi guga,

The only valid reason for a packer is to reduce the size of the exe, but at the cost of polluting the virtual memory when they are running.

Very good explanation. That's right. If I am not wrong, the executables built with RapidQ are compressed with UPX. RapidQ applications are based on P-Code.

TimoVJL

  • Member
  • ***
  • Posts: 475
Re: Tiny Lousy (TL) programs
« Reply #42 on: March 04, 2019, 05:56:32 AM »
If you want to talk about exe-packers, please start a new topic ;)
TLPEView doesn't support UPX and others ;)
« Last Edit: March 04, 2019, 05:08:24 PM by TimoVJL »
May the source be with you

TimoVJL

  • Member
  • ***
  • Posts: 475
Re: Tiny Lousy (TL) programs
« Reply #43 on: March 04, 2019, 07:06:22 AM »
Antivirus false alarms for TLPEView.exe:
Avast      Win32:Evo-gen [Susp]
AVG         Win32:Evo-gen [Susp]
Qihoo-360   HEUR/QVM20.1.9A39.Malware.Gen
May the source be with you

jj2007

  • Member
  • *****
  • Posts: 9733
  • Assembler is fun ;-)
    • MasmBasic
Re: Tiny Lousy (TL) programs
« Reply #44 on: March 04, 2019, 07:14:17 AM »
TLPEView doesn't support UPX and others ;)

Well, now it does, Timo :biggrin:

Seriously: Your program is excellent. My little wrapper just adds the option to also analyse a UPX'ed executable.