FILESCAN

Started by felipe, August 07, 2018, 09:59:48 AM


felipe

This is a very simple program that allows us to check if a file is a win32 based executable. It's very simple because it lets Windows do the analysis of the file with an (old?  ::)) function  :biggrin:. I have tested the program successfully: it detects a 32 bit executable, but for files like .sys, .dll it doesn't. I have tried to cheat the program with non-executable files with a .exe extension and the program still works ok. Also 64 bit executables aren't detected as win32 based apps. In this regard, if you know of a function or maybe an updated version of this function that allows detecting 64 bit Windows executables, please let me know  :idea:.

As I say, the program is very simple so it is a text based program (console program). You need to write the full path of the executable or other file you want to test. It would be nice to see this function with a dialog box, but I'm learning the Windows API slowly... :redface: but you can do it!  :P

Finally, I have implemented for the program the maximum size of the console's window permitted for each user. In this regard, if you have any doubts you can ask me here or comment... this post is getting too large... :icon_cool:. But don't you worry, all the functions are properly used, really  :icon14:. At least from the documentation point of view. If you don't have the user experience you dream of, you can always change the source code supplied!  :P

Later I will make the 64 bit version  :biggrin: (or maybe not  :redface:), so don't you worry if you want to do it  :biggrin:. Ok, bye  :t.

jj2007

It's even documented by Micros**t: GetBinaryTypeA :greenclp: :bgrin: :icon_mrgreen: :biggrin: 8) :t

fearless

Here is a link with some C# code that could be adapted to read the header and check it (dll/exe) for 64-bit (IMAGE_FILE_MACHINE_AMD64 = 0x8664) or 32-bit (IMAGE_FILE_MACHINE_I386 = 0x14c):

https://stackoverflow.com/a/1002672

mineiro

Hello sir Felipe;
I see an excellent project ahead, keep working.
Executable files (.exe), from MS-DOS to Windows 64, are structures; always see them like this. Open "executable" files (.exe, .sys, .scr, .dll, ...) using a hexadecimal editor and you will notice that all begin with the initials "MZ"; this acronym is the name of the creator of this structure, Mark Zbikowski. This is the "signature" required to verify that a given file is executable. From there, deeper in the structure there will be fields, and these fields determine whether the file is a DLL, SYS, ....
A quick preview tells us if the file contains "MZ", "LE", "NE", "PE", ...; I mean, whether the file was made for MS-DOS, or for Windows 3.11, Windows 98, ....
Compressed .rar files have a signature, "Rar!". I mean, the first few bytes of the .rar compressed file have that signature.
Linux executable files, well, have 2 types: one of them starts with the "ELF" signature, the other, with extension .out, has a structure.
There are a few files that do not have a structure; some of them are .com, .bin, .rom, ..., and of course .raw files. Here we need a heuristic search to determine what kind of file we are dealing with. Something like UTF-8 files without a BOM.

Your program can be useful for recognizing deleted files on a hard disk, for example; instead of verifying the file itself, the analysis is done on the disk, and if it finds those "signatures" then it is possible to recover the file; I speak in a simple way only. Partitions FAT32, NTFS, EXT2/3, ReiserFS are structures, i.e., they structure the raw disk.
I'm not sure about the present, but in the past when we deleted a file, in reality we just removed the index; the contents of the file were still on the disk. Only when we continued working on the disk and wrote a file to disk was the sector where the file was placed overwritten.
This is why I recommend using hex editors to recognize patterns.

Search for "header" and/or "signatures". An old, probably outdated site is wotsit; you might find it on the Wayback Machine.
https://en.wikipedia.org/wiki/List_of_file_signatures

Structured hugs.
I'd rather be this ambulant metamorphosis than to have that old opinion about everything

zedd151

Look in your masm32 folder: \masm32\tutorial\petute\petute.chm

You already have most of the information you need there.

Some of the info is dated, needs to be updated to include info on 64 bit etc...

But most of it is still valid information.

felipe

Wow! I'm truly surprised with such quick replies... thank you so much! You guys are the best!
  :greenclp:

hutch--

Hi felipe,

The win64.inc file has the PE structures you need.

Use IMAGE_DOS_HEADER to get the DWORD "e_lfanew" member for the offset of the PE header. I think the one you are looking for is:

  IMAGE_FILE_HEADER STRUCT
    Machine               WORD    ?    <<<<<<<<<<< This one.
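The header walk that fearless and hutch describe above (IMAGE_DOS_HEADER.e_lfanew, then the "PE\0\0" signature, then IMAGE_FILE_HEADER.Machine), written out in C as an added example that is not code from this thread. Offsets and Machine values are the standard PE ones; the sample image built by classify_sample is constructed here for illustration, and every offset taken from the file is bounds-checked before it is used, since e_lfanew in an unknown file cannot be trusted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Classification of an in-memory image. */
enum bin_kind { BIN_NOT_EXE, BIN_DOS_ONLY, BIN_PE32, BIN_PE64, BIN_PE_OTHER };

/* Machine values as quoted in the thread (winnt.h). */
#define IMAGE_FILE_MACHINE_I386  0x014c
#define IMAGE_FILE_MACHINE_AMD64 0x8664

/* Little-endian reads; the PE fields are LE regardless of host byte order. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Walk IMAGE_DOS_HEADER.e_lfanew -> "PE\0\0" -> IMAGE_FILE_HEADER.Machine.
   Every offset read from the file is checked against len: e_lfanew comes from
   a file we have not trusted yet, so it is never used as a raw pointer offset. */
enum bin_kind classify_image(const unsigned char *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return BIN_NOT_EXE;                          /* no MZ signature */
    uint32_t e_lfanew = rd32(buf + 0x3c);            /* IMAGE_DOS_HEADER.e_lfanew */
    if (e_lfanew > len || len - e_lfanew < 4 + 2)    /* room for "PE\0\0" + Machine? */
        return BIN_DOS_ONLY;
    if (memcmp(buf + e_lfanew, "PE\0\0", 4) != 0)
        return BIN_DOS_ONLY;                         /* MZ stub, no PE header (DOS/NE/LE) */
    switch (rd16(buf + e_lfanew + 4)) {              /* IMAGE_FILE_HEADER.Machine */
    case IMAGE_FILE_MACHINE_I386:  return BIN_PE32;
    case IMAGE_FILE_MACHINE_AMD64: return BIN_PE64;
    default:                       return BIN_PE_OTHER;  /* ARM64, IA64, ... */
    }
}

/* Builds a constructed sample (not a real file) and classifies it: MZ stub,
   chosen e_lfanew at 0x3c, "PE\0\0" at 0x80, Machine right after; len truncates it. */
enum bin_kind classify_sample(uint16_t machine, uint32_t e_lfanew, size_t len)
{
    unsigned char img[0x88] = { 'M', 'Z' };
    for (int i = 0; i < 4; i++) img[0x3c + i] = (unsigned char)(e_lfanew >> (8 * i));
    memcpy(img + 0x80, "PE\0\0", 4);
    img[0x84] = (unsigned char)(machine & 0xff);
    img[0x85] = (unsigned char)(machine >> 8);
    return classify_image(img, len < sizeof img ? len : sizeof img);
}
```

A real scanner would read the first few hundred bytes of the file into a buffer and hand them to classify_image; a result of BIN_DOS_ONLY is what the original GetBinaryType-based version cannot distinguish from a damaged or truncated PE.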

felipe

Here is a modified version of the program that can detect if the file scanned is a 32 bit or a 64 bit executable, or neither.  :idea:
Some extra notes in this reply: the program is a 32 bit application. It will create a console screen buffer with a big size for the console window, but it will not change your default settings for your cmd.exe program. After the program terminates, your cmd.exe will show as it was before (the default or your customized option).  :idea:
And, of course, the .exe and the .asm files are in the .zip file.  :idea:

jj2007

That's great, and so simple: instead of peeking inside the file for strange DWORDs called "e_lfanew" or similar, you just use GetBinaryType. So simple :t

zedd151

Quote from: jj2007 on August 09, 2018, 05:46:30 AM: Instead of peeking inside the file for strange DWORDs called "e_lfanew" or similar

I never knew there was another way.   :t

Quote: you just use GetBinaryType. So simple :t

I agree wholeheartedly. I like simple, no need to overcomplicate if there is another way...

felipe

 :biggrin: It would be interesting to scan files byte by byte, but it may be a project for another day... :bgrin:

Here is the same last program but in a 64 bit version. .exe and .asm in the .zip.  ;)

aw27

GetBinaryType works as well across network shares, for example \\MyRemoteSystem\MyShare\MyFolder\MyFile.exe .

A related exercise would be to check whether MyRemoteSystem is a 32-bit or 64-bit OS. Anyone?

felipe

aw, that sounds great. Will it require doing a socket? I have never programmed for networking... :idea:

hutch--

I have a sneaking suspicion that you would have to be able to run an executable on the remote system to get the OS version. Long ago I did some high level work using normal TCP/IP but I ran an app that I wrote to collect data and send it back. I don't know if there is another way to do it.

aw27

No need to use sockets programming and no need to launch an application on the remote system.
This is an Egg of Columbus  :biggrin:
I will provide the solution within one week if nobody finds it (writing the date on the agenda).