Tiny Lousy (TL) programs

[jj2007]

I like it :t

[Vortex]

Hi Timo,

Once again, very good work :t

[TimoVJL]

TLPEView is available in UNICODE version, package TLPEViewUC.zip
These version are able to open file using for example cyrillic name / path.
What kind of things have to take care of ?
Any suggestions ?

[jj2007]

You could search for suspicious functions such as WriteProcessMemory, and show a red alert in the statusbar 8)

[TimoVJL]

I have another program for that, result:
PEFindFunc.exe C:\Windows\system32\*.exe WriteProcessMemory

Code: [Select]

C:\Windows\system32\DWWIN.EXE    WriteProcessMemoryBut program can use functions dynamically and an invisible method.

[guga]

TLPEView is available in UNICODE version, package TLPEViewUC.zip
These version are able to open file using for example cyrillic name / path.
What kind of things have to take care of ?
Any suggestions ?

Packer identifier (UPX, etc etc), Function name unmangler, recoignition of Delphi or VB structures on the resources .

[jj2007]

Packer identifier (UPX, etc etc)

Here is one - place the attached TLPEViewUpx.exe in the TLPEView folder and drag any exe over it. Note that upx.exe must also be in that folder! Source:

include \masm32\MasmBasic\MasmBasic.inc         ; download
  Init
  invoke CopyFileW, wCL$(), wChr$("PeViewTemp.exe"), 0  ; make a copy of the exe
  Let esi=FileRead$("PeViewTemp.exe")   ; check if it's UPXed
  mov edx, LastFileSize
  .if Instr_(FAST, esi, "UPX", 64) && edx<800   ; the match (in edx) is usually at pos 377 or so
        Launch "upx -d PeViewTemp.exe", SW_RESTORE, 5000
  .endif
  Launch "TLPEViewSrc64 PeViewTemp.exe", SW_RESTORE, 127
  .if WinByTitle("TLPEView64 - PeViewTemp.exe")
        xchg eax, ecx           ; the handle in eax will be trashed, so better use a safe reg32 ;-)
        wSetWin$ ecx="TLPEViewSrc64 - "+wCL$()  ; set the proper title
  .endif
  Kill "PeViewTemp.exe"         ; remove garbage
EndOfCode

The code might look unnecessarily complicated, but note that upx.exe -d somefile.exe modifies somefile.exe, which I wanted to avoid by using a temp file.

One weird thing is that Timo's exe does not load "exotic" files directly: I made a copy of \Masm32\MasmBasic\RichMasm.exe, called it БогатыеMasm.exe and dragged it over TLPEViewSrc64.exe - no success, empty screen :(

Dragging a "Russian" file over my exe works, though, only that the caption will be incorrectly set to TLPEView64 - ????Masm.exe (for unknown reasons, Timo's window does not accept Unicode).

[guga]

Hi JJ

Good idea :t, although i  wasn´t thinking in loading (dumping/unpacking) a packed file. I thought in do it more simple than loading or unpacking, is only checking for their signatures which  avoids using the packer itself. All it is needed is it´s signature to recognize or calculating the entropy of the sections etc. The same technique used for recognize functions inside libraries reading their digital signatures.

[TimoVJL]

One weird thing is that Timo's exe does not load "exotic" files directly: I made a copy of \Masm32\MasmBasic\RichMasm.exe, called it БогатыеMasm.exe and dragged it over TLPEViewSrc64.exe - no success, empty screen :(

Dragging a "Russian" file over my exe works, though, only that the caption will be incorrectly set to TLPEView64 - ????Masm.exe (for unknown reasons, Timo's window does not accept Unicode).

http://masm32.com/board/index.php?topic=7435.msg84612#msg84612
Added support for Drag and Drop in a37

[jj2007]

Good idea :t, although i  wasn´t thinking in loading (dumping/unpacking) a packed file.

But the unpacked version is the only one that I would find worth looking at in a PE viewer... :icon_rolleyes:

(for unknown reasons, Timo's window does not accept Unicode).

http://masm32.com/board/index.php?topic=7435.msg84612#msg84612
Added support for Drag and Drop in a37

Sorry, I had not seen that version, it differs from the one I used by only three characters (see reply #36):

  Launch "TLPEViewSrc64 PeViewTemp.exe", SW_RESTORE, 127

Voilà, it works like a charm :t

[guga]

But the unpacked version is the only one that I would find worth looking at in a PE viewer... :icon_rolleyes:

Indeed. UPX is a excellent packer/unpacker. It has been years since i last analysed any packer. I remember of aspack too, etc. Personally, i think that packers (in general) are useless and offers few or no protection whatsoever. The only valid reason of a packer is reduce the size of the exe but at the cost of polluting the virtual memory when they are running. Years ago, i started a routine to identify different packers in RosAsm, but gave up after some time.

[Vortex]

Hi guga,

The only valid reason of a packer is reduce the size of the exe but at the cost of polluting the virtual memory when they are running.

Very good explanation. That's right. If I am not wrong, the executables built with RapidQ are compressed with UPX. RapidQ applications are based on P-Code.

[TimoVJL]

If you want to talk about exe-packers, please start a new topic ;)
TLPEView don't support UPX and others ;)

[TimoVJL]

Antivirus false alarms for TLPEView.exe:
Avast      Win32:Evo-gen [Susp]
AVG         Win32:Evo-gen [Susp]
Qihoo-360   HEUR/QVM20.1.9A39.Malware.Gen

[jj2007]

TLPEView don't support UPX and others ;)

Well, now it does, Timo

Seriously: Your program is excellent. My little wrapper just adds the option to analyse also a UPX'ed executable.