Author Topic: Tiny Lousy (TL) programs  (Read 6819 times)

Vortex

  • Moderator
  • Member
  • *****
  • Posts: 1987
Re: Tiny Lousy (TL) programs
« Reply #45 on: March 04, 2019, 08:08:39 AM »
Code: [Select]
Seriously: Your program is excellent.
I agree with Jochen. Timo is doing a very nice job.

guga

  • Member
  • *****
  • Posts: 1041
  • Assembly is a state of art.
    • RosAsm
Re: Tiny Lousy (TL) programs
« Reply #46 on: March 04, 2019, 08:19:30 AM »
Timo

You do realize that we are talking about a signature identifier, right? You asked for suggestions on more features for your app. So, a signature identifier is not only for identifying a packer, but also libraries, images, specific data in the resources section, etc. Take a look at FLIRT technology and you will see what it is all about. It also helps keep your app from crashing on some problematic files (not necessarily packed) that contain different ways to display the data inside the sections of a PE, like in some Watcom files for example, or can help identify files whose sections were not properly aligned, etc.

Agree with Jochen and Vortex. The app is excellent, although some more features may be necessary. What about loading old file types, such as NE executables, or a name unmangler for the API functions, recognition of Delphi structures in the resources section, etc.?
Coding in Assembly requires a mix of:
80% of brain, passion, intuition, creativity
10% of programming skills
10% of alcoholic levels in your blood.

My Code Sites:
http://rosasm.freeforums.org
http://winasm.tripod.com

TimoVJL

  • Member
  • ***
  • Posts: 408
Re: Tiny Lousy (TL) programs
« Reply #47 on: March 04, 2019, 05:53:09 PM »
Maybe the Plugin interface needs changes, like parameters for filename and window handle?
Then the user can execute another instance.
Plugin example for a40:
Code: [Select]
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>

#define IDM_CMDLINE 6002
#define IDM_CLOSE   6004

#ifdef _WIN64
BOOL WINAPI DllMainCRTStartup(HANDLE hInstDLL, DWORD dwReason, LPVOID lpvReserved) {return 1;}
#else
BOOL WINAPI _DllMainCRTStartup(HANDLE hInstDLL, DWORD dwReason, LPVOID lpvReserved) {return 1;}
#endif

__declspec(dllexport)
int WINAPI Plugin(PBYTE pBase, PBYTE pPtr, DWORD nSize, DWORD nType, TCHAR *szFilename, HWND hWnd)
{
    TCHAR szTmp[1024];
    PROCESS_INFORMATION pi;
    STARTUPINFO si = { 0 };
    si.cb = sizeof(si); // CreateProcess expects cb to be set
    if (((PIMAGE_DOS_HEADER)pBase)->e_magic != IMAGE_DOS_SIGNATURE)
        return 1;
    OutputDebugString(TEXT("IMAGE_DOS_SIGNATURE"));
    PIMAGE_NT_HEADERS pNTHeaders = (PIMAGE_NT_HEADERS) (pBase + ((PIMAGE_DOS_HEADER)pBase)->e_lfanew);
    if (pNTHeaders->Signature != IMAGE_NT_SIGNATURE)
        return 2;
    OutputDebugString(TEXT("IMAGE_NT_SIGNATURE"));
    // IMAGE_FIRST_SECTION uses SizeOfOptionalHeader, so it is right for PE32 and PE32+ files
    PIMAGE_SECTION_HEADER pSection = IMAGE_FIRST_SECTION(pNTHeaders);
    if (*(DWORD*)pSection != 0x30585055) // not UPX0 ? nothing to unpack
        return 3;
    OutputDebugString(TEXT("UPX0"));
    if (lstrlen(szFilename) + 4 >= MAX_PATH) // "<name>.tmp" must fit back into szFilename
        return 4;
    // quote both paths: a filename with spaces would otherwise split into extra upx arguments
    wsprintf(szTmp, TEXT("upx -d \"%s\" \"-o%s.tmp\""), szFilename, szFilename);
    OutputDebugString(szTmp);
    MessageBox(hWnd, szTmp, 0, 0);
    // the child does not need our handles, so bInheritHandles is FALSE
    if (CreateProcess(NULL, szTmp, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
    {
        SendMessage(hWnd, WM_COMMAND, IDM_CLOSE, 0); // close the original file
        WaitForSingleObject(pi.hProcess, 30000); // wait processing
        CloseHandle(pi.hThread); // release the process and thread handles
        CloseHandle(pi.hProcess);
        wsprintf(szTmp, TEXT("%s.tmp"), szFilename); // create the same temporary filename again
        lstrcpy(szFilename, szTmp); // copy the temporary filename to the buffer size MAX 260
        SendMessage(hWnd, WM_COMMAND, IDM_CMDLINE, 0); // open the temporary file
        DeleteFile(szTmp); // delete the temporary file
    }
    else
        MessageBox(hWnd, TEXT("Error running upx.exe"), 0, 0);
    return 0;
}
EDIT 2019-03-06: TLPEViewUC-a41.zip, a bit better ordered tree by file offsets, but not finished :(, like IMPORT Directory Table, as packed files can be tricky. Also some fixes for lib.

EDIT 2019-03-07: a42 BOUND IMPORT was missing.
EDIT 2019-03-11: TLPEPlgZydis3, a42UC-1, fix for last object in library
« Last Edit: April 26, 2019, 07:16:48 PM by TimoVJL »
May the source be with you
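
The plugin in the post above reads `e_lfanew` and the first section header straight from the mapped file, which ties in with guga's point about problematic files. As an added example (not TimoVJL's code and not part of the thread), here is a portable C check, with offsets taken from the PE format and no `windows.h`, that bounds-checks each field before use and looks for `UPX0` in every section, not only the first. `pe_classify`, `make_sample` and the result codes are hypothetical names, and the 128-byte sample with a zero-size optional header is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PE_PLAIN = 0, PE_UPX = 1, PE_BAD_DOS = -1, PE_BAD_NT = -2, PE_TRUNCATED = -3 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* Classify a raw file image of `size` bytes without reading past its end. */
int pe_classify(const uint8_t *buf, size_t size)
{
    if (size < 0x40 || rd16(buf) != 0x5A4D) return PE_BAD_DOS;   /* "MZ" */
    uint32_t lfanew = rd32(buf + 0x3C);                          /* e_lfanew */
    /* PE signature (4) + IMAGE_FILE_HEADER (20) must lie inside the file. */
    if (lfanew > size || size - lfanew < 24) return PE_TRUNCATED;
    const uint8_t *nt = buf + lfanew;
    if (rd32(nt) != 0x00004550) return PE_BAD_NT;                /* "PE\0\0" */
    /* NumberOfSections and SizeOfOptionalHeader from the file header. */
    uint16_t nsec = rd16(nt + 6), optsz = rd16(nt + 20);
    /* The section table follows the optional header, whatever its size. */
    size_t sec = (size_t)lfanew + 24 + optsz;
    if (sec > size || (size - sec) / 40 < nsec) return PE_TRUNCATED;
    int result = PE_PLAIN;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *s = buf + sec + (size_t)i * 40;
        uint32_t raw_size = rd32(s + 16), raw_ptr = rd32(s + 20);
        if (raw_ptr > size || raw_size > size - raw_ptr) return PE_TRUNCATED;
        if (memcmp(s, "UPX0", 4) == 0) result = PE_UPX;          /* name is only a hint */
    }
    return result;
}

/* Constructed sample: 128-byte header-only image with one section `name`. */
size_t make_sample(uint8_t *buf, const char *name)
{
    memset(buf, 0, 128);
    memcpy(buf, "MZ", 2);
    buf[0x3C] = 0x40;                    /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x46] = 1;                       /* NumberOfSections = 1, no optional header */
    memcpy(buf + 0x58, name, strlen(name) < 8 ? strlen(name) : 8);
    return 128;
}

int main(void)
{
    uint8_t img[128];
    size_t n = make_sample(img, "UPX0");
    printf("full: %d, cut at 0x60: %d\n", pe_classify(img, n), pe_classify(img, 0x60));
}
```

A section name is easy to change, so a `PE_PLAIN` result says nothing about whether a file is packed; the bounds checks are the part that keeps a viewer from reading outside the mapping.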

guga

  • Member
  • *****
  • Posts: 1041
  • Assembly is a state of art.
    • RosAsm
Re: Tiny Lousy (TL) programs
« Reply #48 on: March 05, 2019, 11:24:31 PM »
Great work :) :t

TimoVJL

  • Member
  • ***
  • Posts: 408
Re: Tiny Lousy (TL) programs
« Reply #49 on: March 07, 2019, 03:54:20 AM »
How important is the file analysis?

A call to Plugin with a specific name like TLPEAnal.dll :P or TLPEFileChk.dll
With that, the user can make their own checks and then raise warnings and alarms.
A security problem ?
« Last Edit: August 06, 2019, 03:49:54 AM by TimoVJL »

jj2007

  • Member
  • *****
  • Posts: 9635
  • Assembler is fun ;-)
    • MasmBasic
Re: Tiny Lousy (TL) programs
« Reply #50 on: March 10, 2019, 09:55:44 PM »
Works like a charm, Timo! The find string function does not always work, it seems. When searching for CreateWindowEx in the attached Win64 exe, I sometimes get a match, sometimes not (and you might consider a little feedback like "no matches" or "3 matches found").

TimoVJL

  • Member
  • ***
  • Posts: 408
Re: Tiny Lousy (TL) programs
« Reply #51 on: March 16, 2019, 05:15:37 AM »
Zydis 3 is in active development, so just test it ;)

TimoVJL

  • Member
  • ***
  • Posts: 408
Re: Tiny Lousy (TL) programs
« Reply #52 on: April 25, 2019, 05:48:42 PM »
2019-04-25: TLOMFView, fix for LNAMES and PUBDEF
Hopefully it works better than the older one.
« Last Edit: May 26, 2019, 10:47:03 PM by TimoVJL »

Vortex

  • Moderator
  • Member
  • *****
  • Posts: 1987
Re: Tiny Lousy (TL) programs
« Reply #53 on: April 28, 2019, 08:05:12 PM »
Hi Timo,

Thanks for the new tool. Nice work :t

TimoVJL

  • Member
  • ***
  • Posts: 408
Re: Tiny Lousy (TL) programs
« Reply #54 on: May 26, 2019, 10:22:23 PM »
TLElfView1 for ELF object files, like nVidia GPU file .cubin or AMD GPU file.
Only limited ELF Header and Section info.
Only binaries at this time.
« Last Edit: May 27, 2019, 05:43:06 AM by TimoVJL »

TimoVJL

  • Member
  • ***
  • Posts: 408
Re: Tiny Lousy (TL) programs
« Reply #55 on: June 10, 2019, 03:56:53 AM »
A tiny program for .msp files, to list the files in its CAB file.
It just tries to guess that CAB file, so it is not a perfect way to do that.

7Zip is good, but I wanted to save the list to stdout or redirect it to a file.

PS. Has anyone found out how to uncompress packed msi/msp filenames like 7Zip does?
« Last Edit: June 19, 2019, 06:55:32 PM by TimoVJL »

TimoVJL

  • Member
  • ***
  • Posts: 408
Re: Tiny Lousy (TL) programs
« Reply #56 on: June 13, 2019, 02:58:27 AM »
Has anyone found any bugs in TLMsiViewEx or ListMSPEx?

The upcoming TLMsiViewEx 1.1.5 doesn't drop the internal cab anymore, as it was just a waste of space, since that old FDI API supports user mem / stream handling.
TLMsiViewEx doesn't support .msp, as I just don't understand the MSI API for it :sad:
ListMSPEx is just a different beast; it doesn't use the MSI API, just the compound file interface and FDI.
« Last Edit: June 19, 2019, 06:54:48 PM by TimoVJL »

TimoVJL

  • Member
  • ***
  • Posts: 408
Re: Tiny Lousy (TL) programs
« Reply #57 on: August 03, 2019, 09:11:33 PM »
SrcFileCC2 Add-In for Pelles C v9, a second opinion: it inserts a button into the toolbar for additional compilers, as an easy way to use another C compiler or assembler to show errors and warnings.

ini-file example
Code: [Select]
[compiler0]
title=UAsm
ccpath=uasm32.exe
path=C:\code\UAsm\
[options]
check_only=1

Usage:

Copy SrcFileCC2x64.dll to Addins64.
From the poide menu Tools -> Customize... -> Add-ins, select Compile source with C compiler.
Without SrcFileCC2x64.ini it should open a template file in poide.
After filling it in and saving, restart poide or reload the Add-In.

The toolbar should then have a button C2.
Pushing that button opens a menu of compilers from the ini-file.

To access the ini-file later, from the poide menu Tools -> Options... -> Add-ins, select Compile source with C compiler and press Options...
It opens the ini-file in poide for editing.
After editing, refresh the menu from button menu -> update menu.

example for ml assembler/driver
[compiler0] ... [compiler1] ... ... [compiler19] should be defined with continuous numbers
Code: [Select]
[compiler0]
title=ml
ccpath=ml.exe
path=C:\code\msvc2019\bin
[compiler1]
title=ml64
ccpath=ml64.exe
path=C:\code\msvc2019\bin
templates for creating exe with ml
Code: [Select]
; x86
.model flat
option dotname
.drectve segment info
db "-subsystem:console",0
.drectve ends
.code
mainCRTStartup proc
ret
mainCRTStartup endp
end
Code: [Select]
; x64
option dotname
.drectve segment info
db "-subsystem:console",0
.drectve ends
.code
mainCRTStartup proc
ret
mainCRTStartup endp
end
EDIT: a6 update menu updates ini location too.
« Last Edit: August 12, 2019, 07:22:08 PM by TimoVJL »

TimoVJL

  • Member
  • ***
  • Posts: 408
Re: Tiny Lousy (TL) programs
« Reply #58 on: August 20, 2019, 01:47:39 AM »
Pelles C poide users can create their own Add-In loaders; an example is provided.
Before starting poide, download the Add-Ins to avoid file locking errors.
Put AddInLoad into the Pelles C bin folder and start it from there, as admin if necessary.
The example offers to download some of the Add-Ins from my collection, not all.
UI is quite simple.
« Last Edit: August 26, 2019, 04:53:33 PM by TimoVJL »