Author Topic: Tiny Lousy (TL) programs  (Read 4629 times)

Vortex

  • Moderator
  • Member
  • *****
  • Posts: 1954
Re: Tiny Lousy (TL) programs
« Reply #45 on: March 04, 2019, 08:08:39 AM »
Code: [Select]
Seriously: Your program is excellent.
I agree with Jochen. Timo is doing a very nice job.

guga

  • Member
  • *****
  • Posts: 1041
  • Assembly is a state of art.
    • RosAsm
Re: Tiny Lousy (TL) programs
« Reply #46 on: March 04, 2019, 08:19:30 AM »
Timo

You do realize that we are talking about signature identifiers, right? You asked for suggestions on more features for your app. So, a signature identifier is not only to identify a packer, but also libraries, images, specific data in the resources section, etc. Take a look at FLIRT technology and you will see what it is all about. It also helps to avoid your app crashing on some problematic files (not necessarily packed) that contain different ways to display the data inside the sections of a PE, like in some Watcom files for example, or it can help identify files whose sections were not properly aligned, etc.

Agree with Jochen and Vortex. The app is excellent, although some more features may be necessary. What about loading old file types, such as NE executables, or a name unmangler for the API functions, recognition of Delphi structures in the resources section, etc.?
Coding in Assembly requires a mix of:
80% of brain, passion, intuition, creativity
10% of programming skills
10% of alcoholic levels in your blood.

My Code Sites:
http://rosasm.freeforums.org
http://winasm.tripod.com

TimoVJL

  • Member
  • ***
  • Posts: 281
Re: Tiny Lousy (TL) programs
« Reply #47 on: March 04, 2019, 05:53:09 PM »
Maybe the plugin interface needs changes, like a filename parameter and a window handle?
Then the user can execute another instance.
Plugin example for a40:
Code: [Select]
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>

#define IDM_CMDLINE 6002
#define IDM_CLOSE   6004

#ifdef _WIN64
BOOL WINAPI DllMainCRTStartup(HANDLE hInstDLL, DWORD dwReason, LPVOID lpvReserved) {return 1;}
#else
BOOL WINAPI _DllMainCRTStartup(HANDLE hInstDLL, DWORD dwReason, LPVOID lpvReserved) {return 1;}
#endif

// pBase/nSize: the mapped file and its size; szFilename: host-owned buffer of MAX_PATH TCHARs
__declspec(dllexport)
int WINAPI Plugin(PBYTE pBase, PBYTE pPtr, DWORD nSize, DWORD nType, TCHAR *szFilename, HWND hWnd)
{
	TCHAR szTmp[1024];
	PROCESS_INFORMATION pi;
	STARTUPINFO si = { 0 };
	si.cb = sizeof(si); // CreateProcess needs cb filled in
	if (nSize < sizeof(IMAGE_DOS_HEADER) || ((PIMAGE_DOS_HEADER)pBase)->e_magic != IMAGE_DOS_SIGNATURE)
		return 1;
	OutputDebugString(TEXT("IMAGE_DOS_SIGNATURE"));
	// check e_lfanew against nSize before following it, so a truncated or malformed file cannot crash the host
	LONG lfanew = ((PIMAGE_DOS_HEADER)pBase)->e_lfanew;
	if (lfanew < 0 || (DWORD)lfanew > nSize || nSize - (DWORD)lfanew < sizeof(IMAGE_NT_HEADERS))
		return 2;
	PIMAGE_NT_HEADERS pNTHeaders = (PIMAGE_NT_HEADERS)(pBase + lfanew);
	if (pNTHeaders->Signature != IMAGE_NT_SIGNATURE)
		return 2;
	OutputDebugString(TEXT("IMAGE_NT_SIGNATURE"));
	// IMAGE_FIRST_SECTION honours SizeOfOptionalHeader; pNTHeaders + sizeof(IMAGE_NT_HEADERS) only works for the default size
	PIMAGE_SECTION_HEADER pSection = IMAGE_FIRST_SECTION(pNTHeaders);
	if (pNTHeaders->FileHeader.NumberOfSections == 0 ||
	    (DWORD)((PBYTE)pSection - pBase) > nSize - sizeof(IMAGE_SECTION_HEADER))
		return 2; // section table starts past the end of the file
	if (*(DWORD*)pSection->Name != 0x30585055) // first section is not named "UPX0": nothing to unpack
		return 3;
	OutputDebugString(TEXT("UPX0"));
	if (lstrlen(szFilename) + 4 >= MAX_PATH) // "%s.tmp" must still fit the host's MAX_PATH buffer
	{
		MessageBox(hWnd, TEXT("Filename too long for .tmp suffix"), 0, 0);
		return 5;
	}
	// quote both paths so file names with spaces survive command line parsing
	wsprintf(szTmp, TEXT("upx -d \"%s\" -o\"%s.tmp\""), szFilename, szFilename);
	OutputDebugString(szTmp);
	MessageBox(hWnd, szTmp, 0, 0);
	// no handle inheritance: upx does not need the host's handles
	if (CreateProcess(NULL, szTmp, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
	{
		SendMessage(hWnd, WM_COMMAND, IDM_CLOSE, 0); // close the original file
		DWORD dwWait = WaitForSingleObject(pi.hProcess, 30000); // wait for upx to finish
		CloseHandle(pi.hThread);
		CloseHandle(pi.hProcess);
		if (dwWait != WAIT_OBJECT_0)
		{
			MessageBox(hWnd, TEXT("upx.exe did not finish in time"), 0, 0);
			return 4;
		}
		wsprintf(szTmp, TEXT("%s.tmp"), szFilename); // create the same temporary filename again
		lstrcpyn(szFilename, szTmp, MAX_PATH); // copy the temporary filename to the host buffer (MAX_PATH TCHARs)
		SendMessage(hWnd, WM_COMMAND, IDM_CMDLINE, 0); // open the temporary file
		DeleteFile(szTmp); // delete the temporary file
	}
	else
		MessageBox(hWnd, TEXT("Error running upx.exe"), 0, 0);
	return 0;
}
EDIT 2019-03-06: TLPEViewUC-a41.zip, a tree a bit better ordered by file offsets, but not finished :( (like the IMPORT Directory Table), as packed files can be tricky. Also some fixes for lib.

EDIT 2019-03-07: a42 BOUND IMPORT was missing.
EDIT 2019-03-11: TLPEPlgZydis3, a42UC-1, fix for last object in library
« Last Edit: April 26, 2019, 07:16:48 PM by TimoVJL »
May the source be with you
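
The plugin above follows e_lfanew and the section table with raw pointer arithmetic, and guga's point about problematic files that make a viewer crash applies exactly there: a signature check on section names (the simplest form of the signature identification he describes) is only safe when every offset is validated against the file size first. The following is an added example, not code from this thread, from TLPEView or from its plugin API: a standalone, bounds-checked section-name lookup in C. It redeclares the three header structures it needs so it also builds without windows.h, and runs against a constructed in-memory image; the function names, the return codes and the sample builder are my own assumptions.

```c
/* Bounds-checked PE section walk: e_lfanew, SizeOfOptionalHeader and NumberOfSections
 * are each validated against the buffer length before they are used.
 * Header structs are redeclared so this builds without <windows.h>. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; int32_t e_lfanew; } DosHeader;  /* 64 bytes */
typedef struct {
    uint32_t Signature; uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} NtHeaderFixed;                                      /* 24 bytes: "PE\0\0" + IMAGE_FILE_HEADER */
typedef struct {
    uint8_t Name[8];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
             PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} SectionHeader;                                      /* 40 bytes */
#pragma pack(pop)

enum { PE_OK = 0, PE_NOT_MZ = 1, PE_NOT_PE = 2, PE_NO_MATCH = 3, PE_TRUNCATED = 4 };

/* Finds the first section named `name` (up to 8 bytes, zero padded like the file field).
 * On PE_OK the section index is stored in *idx. Never reads past buf + n. */
int pe_find_section(const uint8_t *buf, size_t n, const char *name, size_t *idx)
{
    DosHeader dos; NtHeaderFixed nt; uint8_t want[8] = {0};
    size_t len = strlen(name); if (len > 8) len = 8;
    memcpy(want, name, len);
    if (n < sizeof dos) return PE_TRUNCATED;
    memcpy(&dos, buf, sizeof dos);                    /* memcpy: no alignment assumptions on buf */
    if (dos.e_magic != 0x5A4D) return PE_NOT_MZ;      /* "MZ" */
    if (dos.e_lfanew < 0 || (size_t)dos.e_lfanew > n || n - (size_t)dos.e_lfanew < sizeof nt)
        return PE_TRUNCATED;                          /* e_lfanew points outside the file */
    memcpy(&nt, buf + dos.e_lfanew, sizeof nt);
    if (nt.Signature != 0x00004550) return PE_NOT_PE; /* "PE\0\0" */
    /* the section table follows the optional header: trust the recorded size, not sizeof() */
    size_t first = (size_t)dos.e_lfanew + sizeof nt + nt.SizeOfOptionalHeader;
    for (size_t i = 0; i < nt.NumberOfSections; i++) {
        size_t off = first + i * sizeof(SectionHeader);
        if (off > n || n - off < sizeof(SectionHeader))
            return PE_TRUNCATED;                      /* section table runs past end of file */
        if (memcmp(buf + off, want, 8) == 0) { *idx = i; return PE_OK; }
    }
    return PE_NO_MATCH;
}

/* Builds a constructed, minimal PE32 image (headers only, no code) with the given section names. */
size_t build_sample(uint8_t *out, size_t cap, const char **names, uint16_t count)
{
    const uint16_t opt = 0xE0;                        /* PE32 optional header size */
    size_t total = sizeof(DosHeader) + sizeof(NtHeaderFixed) + opt + (size_t)count * sizeof(SectionHeader);
    if (total > cap) return 0;
    memset(out, 0, total);
    DosHeader dos; memset(&dos, 0, sizeof dos); dos.e_magic = 0x5A4D; dos.e_lfanew = sizeof(DosHeader);
    NtHeaderFixed nt; memset(&nt, 0, sizeof nt); nt.Signature = 0x00004550;
    nt.NumberOfSections = count; nt.SizeOfOptionalHeader = opt;
    memcpy(out, &dos, sizeof dos);
    memcpy(out + dos.e_lfanew, &nt, sizeof nt);
    for (uint16_t i = 0; i < count; i++) {
        SectionHeader s; memset(&s, 0, sizeof s);
        size_t len = strlen(names[i]); if (len > 8) len = 8;
        memcpy(s.Name, names[i], len);
        memcpy(out + dos.e_lfanew + sizeof nt + opt + (size_t)i * sizeof s, &s, sizeof s);
    }
    return total;
}

/* Scenarios: a UPX-looking image, a plain image, and two malformed ones that must not crash. */
int demo_upx_detected(void)
{
    static uint8_t img[1024]; const char *names[] = { "UPX0", "UPX1", ".rsrc" }; size_t idx = 99;
    size_t n = build_sample(img, sizeof img, names, 3);
    return pe_find_section(img, n, "UPX0", &idx) == PE_OK && idx == 0;
}
int demo_plain_no_match(void)
{
    static uint8_t img[1024]; const char *names[] = { ".text", ".data" }; size_t idx = 0;
    size_t n = build_sample(img, sizeof img, names, 2);
    return pe_find_section(img, n, "UPX0", &idx) == PE_NO_MATCH;
}
int demo_truncated_is_safe(void)
{
    static uint8_t img[1024]; const char *names[] = { "UPX0", "UPX1" }; size_t idx = 0;
    size_t n = build_sample(img, sizeof img, names, 2);
    /* cut the file inside the second section header: reported, not read past the end */
    return pe_find_section(img, n - 30, "UPX1", &idx) == PE_TRUNCATED;
}
int demo_bad_lfanew_is_safe(void)
{
    static uint8_t img[1024]; const char *names[] = { "UPX0" }; size_t idx = 0;
    size_t n = build_sample(img, sizeof img, names, 1);
    int32_t bogus = 0x7FFFFFF0; memcpy(img + 60, &bogus, 4);    /* e_lfanew far beyond the buffer */
    return pe_find_section(img, n, "UPX0", &idx) == PE_TRUNCATED;
}

int main(void)
{
    printf("upx detected: %d\nplain no match: %d\ntruncated safe: %d\nbad e_lfanew safe: %d\n",
           demo_upx_detected(), demo_plain_no_match(), demo_truncated_is_safe(), demo_bad_lfanew_is_safe());
    return 0;
}
```

The same pattern (check that an offset is inside the buffer, then that the structure starting there still fits) extends to the data directories, the import table and the resource tree, which is where packed and hand-edited files usually break a viewer.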

guga

  • Member
  • *****
  • Posts: 1041
  • Assembly is a state of art.
    • RosAsm
Re: Tiny Lousy (TL) programs
« Reply #48 on: March 05, 2019, 11:24:31 PM »
Great work :) :t

TimoVJL

  • Member
  • ***
  • Posts: 281
Re: Tiny Lousy (TL) programs
« Reply #49 on: March 07, 2019, 03:54:20 AM »
How important is the file analysis?

A call to a plugin with a specific name like TLPEAnal.dll :P or TLPEFileChk.dll.
With that the user can make their own checks and then raise warnings and alarms.
A security problem?

PS: some fixes made for some long-term bugs in a41.

EDIT 2019-03-07: fix for TLPEPlgZydis364.dll, now works with .lib a bit better. (needs Zydis364.dll)

« Last Edit: April 09, 2019, 01:52:30 AM by TimoVJL »

jj2007

  • Member
  • *****
  • Posts: 9401
  • Assembler is fun ;-)
    • MasmBasic
Re: Tiny Lousy (TL) programs
« Reply #50 on: March 10, 2019, 09:55:44 PM »
Works like a charm, Timo! The find string function does not always work, it seems. When searching for CreateWindowEx in the attached Win64 exe, I sometimes get a match, sometimes not (and you might consider a little feedback like "no matches" or "3 matches found").

TimoVJL

  • Member
  • ***
  • Posts: 281
Re: Tiny Lousy (TL) programs
« Reply #51 on: March 16, 2019, 05:15:37 AM »
Zydis 3 is in active development, so just test it ;)

TimoVJL

  • Member
  • ***
  • Posts: 281
Re: Tiny Lousy (TL) programs
« Reply #52 on: April 25, 2019, 05:48:42 PM »
2019-04-25: TLOMFView, fix for LNAMES and PUBDEF
Hopefully it works better than the older one.
« Last Edit: May 26, 2019, 10:47:03 PM by TimoVJL »

Vortex

  • Moderator
  • Member
  • *****
  • Posts: 1954
Re: Tiny Lousy (TL) programs
« Reply #53 on: April 28, 2019, 08:05:12 PM »
Hi Timo,

Thanks for the new tool. Nice work :t

TimoVJL

  • Member
  • ***
  • Posts: 281
Re: Tiny Lousy (TL) programs
« Reply #54 on: May 26, 2019, 10:22:23 PM »
TLElfView1 for ELF object files, like the nVidia GPU .cubin file or AMD GPU files.
Only limited ELF header and section info.
Only binaries at this time.
« Last Edit: Today at 05:43:06 AM by TimoVJL »