This is a very simple program that allows us to check if a file is a Win32-based executable. It is very simple because it lets Windows do the analysis of the file with an (old? ::)) function :biggrin:. I have tested the program successfully: it detects a 32-bit executable, but for files like .sys, .dll it doesn't. I have tried to cheat the program with non-executable files that have a .exe extension, and the program still works ok. Also, 64-bit executables aren't detected as Win32-based apps. In this regard, if you know of a function or maybe an updated version of this function that allows detecting 64-bit Windows executables, please let me know :idea:.
As I said, the program is very simple, so it is a text-based program (console program). You need to write the full path of the executable or other file you want to test. It would be nice to see this function with a dialog box, but I'm learning the Windows API slowly... :redface: but you can do it! :P
Finally, I have implemented for the program the maximum size of the console's window permitted for each user. In this regard, if you have any doubts you can ask me here or comment... this post is getting too large... :icon_cool:. But don't you worry, all the functions are properly used, really :icon14:. At least from the documentation point of view. If you don't have the user experience you dream of, you can always change the source code supplied! :P
Later I will make the 64-bit version :biggrin: (or maybe not :redface:), so don't you worry if you want to do it :biggrin:. Ok, bye :t.
It's even documented by Micros**t: GetBinaryTypeA (https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-getbinarytypea) :greenclp: :bgrin: :icon_mrgreen: :biggrin: 8) :t
Here is a link with some C# code that could be adapted to read the header and check it (dll/exe) for 64-bit (IMAGE_FILE_MACHINE_AMD64 = 0x8664) or 32-bit (IMAGE_FILE_MACHINE_I386 = 0x14c):
https://stackoverflow.com/a/1002672
Hello sir Felipe;
I see an excellent project ahead, keep working.
Executable files (.exe), from MS-DOS to Windows 64, are structures; always see them like this. Open "executable" files (.exe, .sys, .scr, .dll, ...) using a hexadecimal editor and you will notice that all begin with the initials "MZ"; this acronym is the name of the creator of this structure, Mark Zbikowski. This is the "signature" required to verify that a given file is executable. From there, deeper in the structure there will be fields; these fields will tell if the file is a DLL, SYS, ....
A quick preview tells us if the file contains "MZ", "LE", "NE", "PE", ..., I mean, if the file was made for MS-DOS, or for Windows 3.11, Windows 98, ....
Compressed .rar files have a signature, "Rar!". I mean, the first few bytes of the .rar compressed file have that signature.
Linux executable files, well, have 2 types: one of them starts with the "ELF" signature, the other, with extension .out, has a structure.
There are a few files that do not have a structure; some of them are .com, .bin, .rom, ..., and of course .raw files. Here we need a heuristic search to determine what kind of file we are dealing with. Something like UTF-8 files without BOM.
Your program can be useful for recognizing deleted files on a hard disk, for example; instead of verifying the file itself, the analysis is done on the disk, and if it finds those "signatures" then it is possible to recover the file; I speak in a simple way only. Partitions FAT32, NTFS, EXT2/3, REISERFS are structures, i.e., they structure the raw disk.
I'm not sure about the present, but in the past when we deleted a file, in reality we just removed the index; the contents of the file were still on the disk. Just when we continued working on the disk and writing a file to disk, the sector in which the file was placed was overwritten.
This is why I recommend using hex editors to recognize patterns.
Search for "header" and/or "signatures". An old, probably outdated site is wotsit, you might find it on waybackmachine.
https://en.wikipedia.org/wiki/List_of_file_signatures
Structured hugs.
look in your masm32 folder, \masm32\tutorial\petute\petute.chm
You already have most of the information you need there.
Some of the info is dated, needs to be updated to include info on 64 bit etc...
But most of it is still valid information.
Wow! I'm truly surprised with such quick replies... thank you so much! You guys are the best!
:greenclp:
Hi felipe,
The win64.inc file has the PE structures you need.
IMAGE_DOS_HEADER to get the DWORD "e_lfanew" member for the offset of the PE header. I think the one you are looking for is:
IMAGE_FILE_HEADER STRUCT
Machine WORD ? <<<<<<<<<<< This one.
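As an added example (not code from this thread or from felipe's program), here is the header walk the two posts above describe, in Python instead of MASM: check the "MZ" signature, follow e_lfanew to "PE\0\0", read the Machine WORD of IMAGE_FILE_HEADER, and use the IMAGE_FILE_DLL bit of Characteristics to answer the exe/dll question. The sample images are constructed inline and are not loadable files.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000          # Characteristics bit set on DLL images

_BITS = {IMAGE_FILE_MACHINE_I386: 32, IMAGE_FILE_MACHINE_AMD64: 64}


def classify_pe(data: bytes) -> dict:
    """Classify a file image by its headers.

    Returns kind "not-executable" (no MZ), "dos" (MZ but no PE header
    behind e_lfanew) or "pe" with bits (32/64/None), machine and is_dll.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"kind": "not-executable"}
    # IMAGE_DOS_HEADER.e_lfanew is the DWORD at offset 0x3C.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4) + IMAGE_FILE_HEADER (20) must fit in the buffer;
    # a DOS-only program has an MZ header but nothing valid at e_lfanew.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"kind": "dos"}
    # IMAGE_FILE_HEADER: Machine is its first WORD, Characteristics is the
    # WORD at offset 18 (after NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader).
    machine, characteristics = struct.unpack_from("<H16xH", data, e_lfanew + 4)
    return {
        "kind": "pe",
        "machine": machine,
        "bits": _BITS.get(machine),          # None for other architectures
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
    }


def build_sample(machine: int, characteristics: int) -> bytes:
    """Constructed test image: 64-byte DOS header with e_lfanew = 0x40,
    then the PE signature and a 20-byte IMAGE_FILE_HEADER."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    file_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    print(classify_pe(build_sample(IMAGE_FILE_MACHINE_AMD64, 0x2022)))
```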
Here is a modified version of the program that can detect if the file scanned is a 32-bit or a 64-bit executable or neither of both. :idea:
Some extra notes in this reply: the program is a 32-bit application. It will create a console screen buffer with a big size for the console window, but it will not change your default settings for your cmd.exe program. After the program terminates, your cmd.exe will show as it was before (the default or your customized option). :idea:
And, of course the .exe and the .asm files are in the .zip file. :idea:
That's great, and so simple: Instead of peeking inside the file for strange DWORDs called "e_lfanew" or similar, you just use GetBinaryType. So simple :t
Quote from: jj2007 on August 09, 2018, 05:46:30 AMInstead of peeking inside the file for strange DWORDs called "e_lfanew" or similar
I never knew there was another way. :t
Quote, you just use GetBinaryType. So simple :t
I agree wholeheartedly. I like simple, no need to overcomplicate if there is another way...
:biggrin: It will be interesting to scan files byte by byte but it may be a project for another day... :bgrin:
Here is the same last program but in a 64-bit version. .exe and .asm in the .zip. ;)
GetBinaryType works as well across network shares, for example \\MyRemoteSystem\MyShare\MyFolder\MyFile.exe.
A related exercise would be to check whether MyRemoteSystem is a 32-bit or 64-bit OS. Anyone?
Aw, that sounds great. Will it require doing a socket? I have never programmed for networking... :idea:
I have a sneaking suspicion that you would have to be able to run an executable on the remote system to get the OS version. Long ago I did some high level work using normal TCP/IP but I ran an app that I wrote to collect data and send it back. I don't know if there is another way to do it.
No need to use sockets programming and no need to launch an application on the remote system.
This is an Egg of Columbus :biggrin:
I will provide the solution within one week if nobody finds it (writing the date on the agenda).
Now that I read again your first reply, I think you mean to just give the right path to the function (as an example, like if it was another drive letter) :idea:. But I still don't know how to get that info from the OS. I will keep thinking about it... (maybe... :icon_mrgreen:)
Felipe,
Sure, you can even use your application to find the solution because a good carpenter does not depend on the chisel or, as we say here, when we don't have a dog we can hunt with a cat (in English, make do with what we have). :t
Nice work felipe :t
Does it recognize .com files too?
Yes, GetBinaryType does recognise COM files, too:
remote Win32 0
COM 1
16-bit DOS 1
16-bit Windows 2
include \masm32\include\masm32rt.inc
.code
start:
print "remote Win32", 9
push eax
invoke GetBinaryType, chr$("\\Notebook9\Users\JJ\test.exe"), esp ; modify according to your setup
pop ecx
inkey str$(ecx)
exit
end start
This is what MSDN says on the function.
SCS_32BIT_BINARY (0): A 32-bit Windows-based application
SCS_64BIT_BINARY (6): A 64-bit Windows-based application
SCS_DOS_BINARY (1): An MS-DOS based application
SCS_OS216_BINARY (5): A 16-bit OS/2-based application
SCS_PIF_BINARY (3): A PIF file that executes an MS-DOS based application
SCS_POSIX_BINARY (4): A POSIX-based application
SCS_WOW_BINARY (2): A 16-bit Windows-based application
All right! I decided to give the solution right now because people are leaning towards mind-blowing alternatives when all that is required is a small batch file. Yes, you read well, a batch file. :biggrin:
Quote from: AW on August 11, 2018, 04:42:12 AM
....because people are leaning towards mind-blowing alternatives..... :biggrin:
You're funny. :biggrin:
I was looking into more complex alternatives too.
Doesn't work here; it just displays the name of the remote PC and waits forever (and I can see that PC in Explorer).
What works is this - but I cannot access the remote machine's Windows folder:
C:\Windows\system32>dir \\RemotePC\Users\Default\*.dat
Il volume nell'unità \\RemotePC\Users è Acer
Numero di serie del volume: xxxxxxxxxx
Directory di \\RemotePC\Users\Default
09/06/2018 18:08 262,144 NTUSER.DAT
But that looks like you still execute something on the remote machine, isn't it? :idea:
Anyway, I was thinking of an assembly program... :(
:P
Quote
Doesn't work here; it just displays the name of the remote PC and waits forever (and I can see that PC in Explorer).
I see the problem. Insert this into the batch file (the reference point is the :: If disconnected) and replace the mypassword (the administrator password on the remote computer).
:: If disconnected:
NET USE \\%RemotePC% /delete
NET USE \\%RemotePC%\IPC$ /USER:administrator mypassword
Quote
Anyway, I was thinking of an assembly program...
You can modify your program accordingly in order to simply check the bitness of explorer.exe. This will correspond to the bitness of the OS.
Quote from: AW on August 10, 2018, 12:37:29 AM
A related exercise, would be to check whether the MyRemoteSystem is 32-bit or 64-bit OS. Anyone?
Hello sir José, I hope you're fine.
I was thinking about searching for the string "(x86)" inside the root folder.
The environment variable path to "Arquivos de programas" changes from language to language, well, "Program Files". It can be done using .bat files; not sure if Windows 7 and up have the "find" (grep) program, so it can be done with a simple dir listing.
This is a no-brainer solution, well, a simple solution.
Quote from: mineiro on August 11, 2018, 11:23:21 AM
... It can be done using .bat files; not sure if Windows 7 and up have the "find" (grep) program, so it can be done with a simple dir listing.
Hey, you guys are cheating, this is an assembly forum, not a bat forum. :icon_mrgreen:
(https://www.dropbox.com/s/wccifynmfi2uhx1/index.jpg?dl=1)
® TM DC Comics to make this post legal. 8)
hehehe :), nice.
;-----edited
We can use the GetEnvironmentVariable function and some 'cmp' instructions. I think that "shell execute" can do this job.
Why make things simple if we can make them harder :icon_cool:
@mineiro,Esq.
Quote
We can use GetEnvironmentVariable function
But we are not executing on the Remote computer.
So, GetEnvironmentVariable would spell the variables of the Local computer not the Remote one.
Quote
I was thinking about searching for string "(x86)" inside root folder
There is no Administrative Share that provides you the Root folder.
There is also no rule that folders with (x86) in the name can only be that standard Windows folder you are thinking about.
@zedd,
Quote
this is an assembly forum, not a bat forum
It is true, but the idea was just to show how easy it is.
Conversion to ASM is trivial, unless you don't know the equivalent of the NET USE commands in the Windows API. Do you? :exclaim:
Quote from: AW on August 11, 2018, 05:02:33 PM
@zedd,
It is true, but the idea was just to show how easy it is.
Of course. :t You still sent everyone on a 'wild goose' chase with that one.
Quote
Conversion to ASM is trivial, unless you don't know the equivalent of the NET USE commands in the Windows API. Do you? :exclaim:
No.
@Zedd,
Knowing these things might be useful for people that have multiple OSes working at the same time.
Why don't you add a batch files subforum to your Hardware FIXMEs and TODOs forums ?
Quote from: AW on August 11, 2018, 06:31:26 PM
@Zedd,
Knowing these things might be useful for people that have multiple OSes working at the same time.
I never disagreed. I was simply making humor in reference to 'bat' files. I am sorry if you misunderstood. bat files, bat forum, Batman.... nevermind. :(
Quote from: zedd151 on August 11, 2018, 06:40:50 PM
I never disagreed. I was simply making humor in reference to 'bat' files. I am sorry if you misunderstood. bat files, bat forum, Batman.... nevermind. :(
I got that; life is short, don't waste it being sad. :bgrin:
:biggrin: And now I finally understand that Batman logo, hahahahaha!!! That's actually funny!! :lol:.