zalomalo

__AutoSelfDelete() - AutoDelete the running executable.

6 posts in this topic

#1 ·  Posted (edited)

Inspired by a script by guinness, here:


He gave me an idea and I did another one for autodelete, for some compiled scripts I don't want to execute outside of their intended directory (privileges stuff). Thanks   :zorro:

; #FUNCTION# ====================================================================================================================
; Name .......:    __AutoSelfDelete; Author: Zalomalo, inspired by guinness's _SelfRename.
; Description.:    Auto-deletes the running script when unauthorized conditions are met (bad filename, wrong path, etc.).
;        The purpose is to self-delete as fast as possible; the caller forces a session relog after this function returns, then exits.
;        It is assumed the script is running compiled (exe), and that all conditions have been checked beforehand.
;        No error checking is done, since it makes no sense for this purpose.
; Parameters:    $iDelay [optional]    An integer value for the delay to wait (in seconds) before beginning to try to delete the executable.
; Return values: Success - Returns the PID of the bat file.
;     Failure - Returns 0 & sets @error to non-zero
; -------------------------------------------------------------------------------------------------------------------------------
Func __AutoSelfDelete($iDelay = 1)
    ; Only act when running as a compiled executable; otherwise fail as documented above.
    If Not StringInStr(@ScriptName, '.exe', 2) Then Return SetError(1, 0, 0)
    Local $sTmpBat = @TempDir & '\TmpFile.bat'
    ; Pick an unused file name. The suffix is limited to A-Z: the original range 65-122
    ; also produced '\' and other punctuation, which breaks the path.
    While FileExists($sTmpBat)
        $sTmpBat = @TempDir & '\TmpFile' & Chr(Random(65, 90, 1)) & '.bat'
    WEnd
    ; Batch stub: wait, kill this process if it is still alive, delete the exe, then clean up.
    ; Note that the last line removes every .bat file in the temp directory, not only this one.
    Local Const $sTmpBatData = '@ECHO OFF' & @CRLF _
        & 'PING -n ' & Int($iDelay) & ' -w 1000 127.0.0.1>nul' & @CRLF _
        & 'TASKKILL /PID ' & @AutoItPID & ' /F' & @CRLF _ ; The script should have exited already; this is just in case
        & 'DEL /F /Q "' & @AutoItExe & '"' & @CRLF _
        & 'DEL /F /Q "' & @TempDir & '\*.bat"'
    Local Const $hfBat = FileOpen($sTmpBat, 2) ; 2 = write mode, erase previous contents
    FileWrite($hfBat, $sTmpBatData)
    FileClose($hfBat)
    ; Run() returns the PID of the started process, or 0 with @error set on failure.
    Return Run($sTmpBat, @TempDir, @SW_HIDE)
EndFunc    ;==>__AutoSelfDelete
Edited by zalomalo

My english shucks, i know it.
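
A defender's view of the function above, as an added example that is not part of the original post: a Python triage check that recognises the batch stub `__AutoSelfDelete` writes to the temp directory (loopback ping delay, `TASKKILL /PID`, then `DEL` of an `.exe`). The sample scripts, PID and paths are constructed for illustration, and `analyze_batch` and `StubReport` are names introduced here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the batch text __AutoSelfDelete(3) would write for a
# hypothetical PID 4242 and made-up paths.
SAMPLE_STUB = (
    "@ECHO OFF\r\n"
    "PING -n 3 -w 1000 127.0.0.1>nul\r\n"
    "TASKKILL /PID 4242 /F\r\n"
    'DEL /F /Q "C:\\Apps\\Game\\launcher.exe"\r\n'
    'DEL /F /Q "C:\\Users\\demo\\AppData\\Local\\Temp\\*.bat"\r\n'
)

# Constructed benign script: also uses ping as a delay, but only deletes logs.
SAMPLE_BENIGN = (
    "@echo off\r\n"
    "ping -n 5 127.0.0.1 >nul\r\n"
    'del /q "C:\\Logs\\*.log"\r\n'
)

# A wait implemented as a loopback ping or as TIMEOUT /T n.
DELAY_RE = re.compile(
    r"^\s*(?:ping\b.*\b(?:127\.0\.0\.1|localhost)\b|timeout\b\s+/t\s+\d+)", re.I)
# TASKKILL addressed at a numeric PID (the stub hard-codes the parent's PID).
TASKKILL_RE = re.compile(r"^\s*taskkill\b.*?/pid\s+(\d+)", re.I)
# DEL/ERASE with optional switches and an optionally quoted target.
DEL_RE = re.compile(
    r'^\s*(?:del|erase)\b(?:\s+/[a-z](?::\S+)?)*\s+"?([^"]+?)"?\s*$', re.I)


@dataclass
class StubReport:
    delay_seen: bool = False
    killed_pids: list = field(default_factory=list)
    deleted_executables: list = field(default_factory=list)
    wildcard_script_cleanup: bool = False

    @property
    def is_self_delete_stub(self) -> bool:
        # Core pattern: wait for the parent to exit, then delete an .exe.
        return self.delay_seen and bool(self.deleted_executables)


def analyze_batch(text: str) -> StubReport:
    """Scan batch-file text line by line for the self-delete pattern."""
    report = StubReport()
    for line in text.splitlines():
        if DELAY_RE.match(line):
            report.delay_seen = True
            continue
        m = TASKKILL_RE.match(line)
        if m:
            report.killed_pids.append(int(m.group(1)))
            continue
        m = DEL_RE.match(line)
        if not m:
            continue
        target = m.group(1).strip()
        lowered = target.lower()
        if lowered.endswith(".exe") and report.delay_seen:
            # Only deletions that come after the wait fit the pattern.
            report.deleted_executables.append(target)
        elif lowered.endswith(("*.bat", "*.cmd")):
            # The stub also wipes batch files to remove itself.
            report.wildcard_script_cleanup = True
    return report


if __name__ == "__main__":
    for name, text in (("stub", SAMPLE_STUB), ("benign", SAMPLE_BENIGN)):
        r = analyze_batch(text)
        print(name, r.is_self_delete_stub, r.killed_pids, r.deleted_executables)
```

The killed PID and the deleted path recovered from a surviving stub identify which executable removed itself, which is useful when the binary is already gone from disk.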




What does your script do that _selfDelete (also by guinness) doesn't?


√-1 2^3 ∑ π, and it was delicious!


#3 ·  Posted (edited)

Guinness's one is _SelfRename(). Well, the purpose is totally different. Mine is much simpler and faster because of the needs. I put the context where I am going to use it (autodeleting the script, relogging the Windows session without any track) so you can realise:

; #FUNCTION# ====================================================================================================================
; Name: _RelogSesion  ; Author: Zalomalo
; Logs off the user session because of a serious error or violation (reason), after writing the error to the log.
; $UserGame and _Error() are defined elsewhere in the author's script (not shown here).
; -------------------------------------------------------------------------------------------------------------------------------
Func _RelogSesion($CODCall)
   _Error(10,0,0,'Relog}'&@ScriptFullPath&' %'&$CODCall)    ; Uncomment in the final version
If $UserGame='adminsuper' Or $UserGame='adminprog' Then
   MsgBox(0x1010,'AVISO:'&$UserGame,'^^ JODER',$CODCall)    ; Leave this in to prevent failures
Else
   ;  MsgBox(0x1010,'AVISO:'&$UserGame,'^^ JODER',$CODCall) ; Comment this out in the final version
   If $CODCall=3 Then __AutoSelfDelete(3)                   ; Uncomment in the final version
   Shutdown(4)                                              ; Try to log off once
   Exit($CODCall)                                           ; Uncomment in the final version
EndIf
EndFunc ;==>_RelogSesion
Edited by zalomalo

My english shucks, i know it.


guinness has a _SelfDelete(), as well as the _SelfRename(), which is why I asked. I put the link in the thread so you can realise:



√-1 2^3 ∑ π, and it was delicious!


#5 ·  Posted (edited)

I also mentioned it in my _SelfRename() thread as well!

Edit: I don't mind, I'm just curious as JLogan3o13 to know how your version brings value?

Edited by guinness


#6 ·  Posted (edited)

Well, it's true. I didn't see it, my fault.

To compensate for the ridiculous, someone could need a simple function to change the Gateways of the NIC in Windows 8, by using PowerShell? :P

Edited by zalomalo

My english shucks, i know it.

