
# PE-Scope

## 23 posts in this topic

#1 ·  Posted (edited)

Please see Trancexx's ResHacker project for a much better project of this nature.

------------------------

Screenshot

What does this Script do?

- It allows you to view the header structure of Portable Executables.

- As a side-option you can change file attributes and times, but that's beside the point.

What Data Directories are currently supported for extended information?

- Just the Import and Export Tables at the moment.

- It is my hope that I will eventually support all the Data Directories and their tables, if possible.

Where did you get your information?

- After realizing I was using a bad method of getting information in "Application Headers.au3" I sought out how to correctly get the information. The answer was that the application headers were a lot of Data Structures. After some heavy testing and going through tutorials and documents I was able to put it all together.

- Tutorials:

  - Iczelion's PE Tutorial: http://win32assembly.online.fr/pe-tut1.html (change the 1 for 1-6 etc.)

- Constants and structure information was specified and verified by reading through the Microsoft Developer's Network, with its extensive documentation.

Are there any known issues?

- Yes, I will list them here

  - When a file is closed, the "info" controls are set to be 'hidden' and the listview is set to be 'shown' but the reverse happens, oddly. (see the "----CHECK 1" comment in PEScope.au3)

Where are the files?

- Right Here (last ran with Au3.2.12.1)

PEAppConstants.au3 (v1.1 - Constants used)

PEAppLib.au3 (v3.3 - processes used to get PE info)

PEScope.au3 (v1.2 - this is the example program)

8/25/2008 - Update to remove Au3Check warnings and errors.

9/7/2008 - Added option to menu for a quick RVA2Offset, Added Export Table entries (are the ordinals right?)

Edited by crashdemons

My Projects - WindowDarken (Darken except the active window) Yahsmosis Chat Client (Discontinued) StarShooter Game (Red alert! All hands to battlestations!) YMSG Protocol Support (Discontinued) Circular Keyboard and OSK example. (aka Iris KB) Target Screensaver Drive Toolbar Thingy Rollup Pro (Minimize-to-Titlebar & More!) 2D Launcher physics example Ascii Screenshot AutoIt3 Quine Example ("Is a Quine" is a Quine.) USB Lock (Another system keydrive - with a toast.)


As you read this post, tell me if you think of anything reasonable to add.


#3 ·  Posted (edited)

Very nice!

I'm getting quite a few warnings and errors, but nothing too serious; it runs just fine though.

As for something new to add, I can't think of anything at the moment, but I'd say writing documentation and cleaning the code up a bit before you continue would save you from *a lot* of trouble in the long run.

Edited by mrRevoked

Don't bother, It's inside your monitor!------GUISetOnEvent should behave more like HotKeySet()


Very nice!

I'm getting quite a few warnings and errors, but nothing too serious; it runs just fine though.

As for something new to add, I can't think of anything at the moment, but I'd say writing documentation and cleaning the code up a bit before you continue would save you from *a lot* of trouble in the long run.

Did I ever tell you I hate Au3Check?

A lot of the warnings come because Au3Check doesn't check the execution of the program's functions where Globals are defined.

- Thinking about it, it's probably right. Predefining would save possible flaws (whereas I may not foresee every condition in which a global is called before creation).

A lot of the errors come because I use Dim sometimes as a work-around to OnEvent functions not defining optional parameters.

- I may not need to do this and I'll look over what I have.

Personally, I don't see the problem with Dim'ing optionals if it keeps the No. of functions and work down while accomplishing what needs to be done unless there's a major issue.

I will post a modified version that removes all of the warnings and all of the errors if possible - I will also post a reply when I do.


UPDATE

PEScope.au3 (v1.1)

PEAppLib (v3.2)

Minor issues causing Au3Check errors and warnings seem to have been fixed. (at least for me)

```text
>"C:\Program Files\AutoIt3\SciTE\AutoIt3Wrapper\AutoIt3Wrapper.exe" /prod /AU3Check /in "C:\...\PEScope.au3"
+>03:00:19 Starting AutoIt3Wrapper v.1.9.2
>Running AU3Check (1.54.13.0) from:C:\Program Files\AutoIt3
+>03:00:22 AU3Check ended.rc:0
+>03:00:22 AutoIt3Wrapper Finished
>Exit code: 0 Time: 4.177
```


I just LOVE looking inside exe's to see what kind of interesting (unencrypted) strings I can find. This could mean some automation for me when I feel like poking a few exe's until something falls out that shouldn't. (mostly work related)

The truth is out there


#7 ·  Posted (edited)

UPDATE

PEAppConstants.au3 (v1.1)

PEAppLib.au3 (v3.3)

PEScope.au3 (v1.2)

Moved some processes for identifying the names of constants when reading values into PEAppLib.au3 so they can be reused in some form or another. - This update required modifying Scope and AppLib files.

(I'm not sure if all of the Ordinal Values are correct, but all of the names and the number of entries should be correct.) - This update required modifying all three files.

Added an option under a new "Search" menu to get the file offset (0-based) of an RVA

- Note: if the RVA is out-of-bounds or invalid you will get 0 as a result. Also, this was mainly added for my testing reasons.

- This update required modifying Scope.

Edited by crashdemons


Thanks for the update!


What does this Script do?

- It allows you to view the header structure of Portable Executables.

- As a side-option you can change file attributes and times, but that's beside the point.

What Data Directories are currently supported for extended information?

- Just the Import and Export Tables at the moment.

- It is my hope that I will eventually support all the Data Directories and their tables, if possible.

Where did you get your information?

- After realizing I was using a bad method of getting information in "Application Headers.au3" I sought out how to correctly get the information. The answer was that the application headers were a lot of Data Structures. After some heavy testing and going through tutorials and documents I was able to put it all together.

- Tutorials:

  - Iczelion's PE Tutorial: http://win32assembly.online.fr/pe-tut1.html (change the 1 for 1-6 etc.)

- Constants and structure information was specified and verified by reading through the Microsoft Developer's Network, with its extensive documentation.

Are there any known issues?

- Yes, I will list them here

  - When a file is closed, the "info" controls are set to be 'hidden' and the listview is set to be 'shown' but the reverse happens, oddly. (see the "----CHECK 1" comment in PEScope.au3)

Where are the files?

- Right Here (last ran with Au3.2.12.1)

PEAppConstants.au3 (v1.1 - Constants used)

PEAppLib.au3 (v3.3 - processes used to get PE info)

PEScope.au3 (v1.2 - this is the example program)

8/25/2008 - Update to remove Au3Check warnings and errors.

9/7/2008 - Added option to menu for a quick RVA2Offset, Added Export Table entries (are the ordinals right?)

but it's very difficult to modify.

I only need the Sections and their offsets. How can I get that piece of code from your program?

73 108 111 118 101 65 117 116 111 105 116


Sounds interesting to me. I haven't tested it yet, just downloaded it; I'll test it today. By the way, if you don't mind, can you make your app read other application windows in real time? I mean like a .exe application window in real time; I'm finding it difficult to do that....

but it's very difficult to modify.

I only need the Sections and their offsets. How can I get that piece of code from your program?

Sorry that I took so long to respond - What parts would you like to have, if you still need them?


#12 ·  Posted (edited)

Sounds interesting to me. I haven't tested it yet, just downloaded it; I'll test it today. By the way, if you don't mind, can you make your app read other application windows in real time? I mean like a .exe application window in real time; I'm finding it difficult to do that....

I would love to, but without fully supporting the DLLStruct functions (no matter what alignment I used, the results were not what I expected) the processing speed is just too slow.

Edited by crashdemons


#13 ·  Posted (edited)

Sorry that I took so long to respond - What parts would you like to have, if you still need them?

Thanks for your reply. Actually I want the "Offset and Names" of the existing sections in any PE file.

Hope you will make a short program for me; I'm still trying to figure it out with your project but have not been successful yet.

Edited by Digisoul


I would love to, but without fully supporting the DLLStruct functions (no matter what alignment I used, the results were not what I expected) the processing speed is just too slow.

What do you mean fully supporting the DLLStruct functions?

.

eMyvnE


#15 ·  Posted (edited)

What do you mean fully supporting the DLLStruct functions?

I'm not using DLLStruct functions currently because I cannot get *ANY* of the DLLStruct alignments to give me values with the right data for the specified data types.

I tried all combinations I could think of until I gave up and did the only other thing I could think of - process it manually.

Currently, I'm cheating by doing manual string processing to read struct entries.

Slow, but I left the project mostly open for my easy conversion back to DLLStruct if I ever figured out a workaround.

(I even used the complete original struct definitions! - the exception being the values which don't have specific lengths)

Sighs, try it before you prejudge that little tidbit though - I *REALLY* tried everything I could figure to try.

I don't see why the alignment should have been an issue anyway - it doesn't seem to matter when I manually read it [everything organized as it should be according to MSDN documentation].

Edited by crashdemons


Thanks for your reply. Actually I want the "Offset and Names" of the existing sections in any PE file.

Hope you will make a short program for me; I'm still trying to figure it out with your project but have not been successful yet.

I'll whip something up as soon as I can - don't expect it immediately though.

(I'm assuming you meant the positions and names of the respective "Section Headers")


#17 ·  Posted (edited)

Thanks for your reply. Actually I want the "Offset and Names" of the existing sections in any PE file.

Hope you will make a short program for me; I'm still trying to figure it out with your project but have not been successful yet.

This should work for valid files with a "PE" NT Header signature.

At least until the AppLib undergoes major updates sometime in the future.

```autoit
#include <PEAppConstants.au3>
#include <PEAppLib.au3>
#include <String.au3>
; this is as good as it gets until someone debugs the DLLStruct alignment mess, making PseudoStruct obsolete.
; with this stupid PseudoStruct I have set up "$PSOldPos" to be the "next position" after the processed struct
; NOTE: This example ASSUMES you chose a Win32 PE file that is NT-based and actually HAS section headers.
Local $data = FileReadFull("C:\path\to\someprogram.exe")
_Data_ClearCache($data)
Global $_Pseudo_HexArray = True

; IMAGE_DOS_HEADER: field 18 is e_lfanew, the file offset of the "PE\0\0" signature
$hdos = PseudoStruct(PseudoTagStruct($tagIMAGE_DOS_HEADER), $data)
$e_lfanew = Dec($hdos[18])
$PSOldPos = $e_lfanew + 4 ; skip the NT header - it's only a signature anyway!
; be SURE to check the signature of the NT header in your full app.
; IMAGE_FILE_HEADER: field 1 is NumberOfSections
$hfile = PseudoStruct(PseudoTagStruct($tagIMAGE_FILE_HEADER), $data, $PSOldPos)
$NumberOfSections = Dec($hfile[1])
$PSOldPos += 96 ; skip OPTIONAL headers
$PSOldPos += 8 * 16 ; skip all 16 DATA DIR's (two ulong's each - 8 bytes)
$_Pseudo_HexArray = False ; we want raw data from our PseudoStruct
Local $spos
For $i = 1 To $NumberOfSections
    ConsoleWrite('Physical position: ' & $PSOldPos & @CRLF)
    ; each IMAGE_SECTION_HEADER is 40 bytes; PseudoStruct advances $PSOldPos past it
    $Section = PseudoStruct(PseudoTagStruct($tagIMAGE_SECTION_HEADER), $data, $PSOldPos)
    $Section[0] = StringReplace($Section[0], Chr(0), '')
    ;^^ yes, this is still 8 characters long, Nulls and all - shave them off!
    ConsoleWrite(@TAB & 'Section: ' & $Section[0] & @CRLF)
    $VirtualAddress = _StringToHex($Section[2])
    ConsoleWrite(@TAB & @TAB & 'Virtual Address: ' & $VirtualAddress & @CRLF)
Next
```

Output I got with this for a random program:

```text
Physical position: 504
Section: UPX0
Physical position: 544
Section: UPX1
Physical position: 584
Section: .rsrc
Virtual Address: 00B00900
```

Edited by crashdemons


#18 ·  Posted (edited)

I'm getting this error when I try to run it:

```text
+>09:05:30 Starting AutoIt3Wrapper v.2.0.0.0 Environment(Language:0409 Keyboard:00000407 OS:WIN_VISTA/ CPU:X86)
>Running AU3Check (1.54.14.0) from:C:\Program Files\AutoIt3
C:\Coding\Scripts\AU3\Tools\PE-Scope\PEAppLib.au3(477,28) : ERROR: undefined macro.
Switch @ProcessorArch
~~~~~~~~~~~~~~~~~~~~~^
C:\Coding\Scripts\AU3\Tools\PE-Scope\PEScope.au3(143,17) : ERROR: $Error previously declared as a 'Const'
$Error = @error
~~~~~~~~~~~~~~~^
C:\Coding\Scripts\AU3\Tools\PE-Scope\PEScope.au3 - 2 error(s), 0 warning(s)
!>09:05:30 AU3Check ended.rc:2
```

I'm using AutoIt v3.3.0.0 and Vista x32.

UEZ

Edited by UEZ

The own fart smells best!
Her 'sikim hıyar' diyene bir avuç tuz alıp koşma!
¯\_(ツ)_/¯  ٩(●̮̮̃•̃)۶ ٩(-̮̮̃-̃)۶ૐ


I'm not using DLLStruct functions currently because I cannot get *ANY* of the DLLStruct alignments to give me values with the right data for the specified data types.

I tried all combinations I could think of until I gave up and did the only other thing I could think of - process it manually.

Currently, I'm cheating by doing manual string processing to read struct entries.

Slow, but I left the project mostly open for my easy conversion back to DLLStruct if I ever figured out a workaround.

(I even used the complete original struct definitions! - the exception being the values which don't have specific lengths)

Sighs, try it before you prejudge that little tidbit though - I *REALLY* tried everything I could figure to try.

I don't see why the alignment should have been an issue anyway - it doesn't seem to matter when I manually read it [everything organized as it should be according to MSDN documentation].

Well, it's not related to alignment.

The thing is that you should simulate the state of the loaded module to get things to work properly. The system does different things when loading that module. If you are going to use virtual addresses and just read the module, then you need to correct the read values.

Try this:

```autoit
#NoTrayIcon

Global $sModule = @SystemDir & "\user32.dll" ; or whatever

_WriteMiscDataToConsole($sModule)

Func _WriteMiscDataToConsole($sModule)
    ; read the whole file into a byte buffer and walk it with pointer-based structs
    Local $tBinary = DllStructCreate("byte[" & FileGetSize($sModule) & "]")
    $hModule = FileOpen($sModule, 16)
    DllStructSetData($tBinary, 1, FileRead($hModule))
    FileClose($hModule)

    Local $pPointer = DllStructGetPtr($tBinary)

    Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _
            "ushort BytesOnLastPage;" & _
            "ushort Pages;" & _
            "ushort Relocations;" & _
            "ushort SizeofHeader;" & _
            "ushort MinimumExtra;" & _
            "ushort MaximumExtra;" & _
            "ushort SS;" & _
            "ushort SP;" & _
            "ushort Checksum;" & _
            "ushort IP;" & _
            "ushort CS;" & _
            "ushort Relocation;" & _
            "ushort Overlay;" & _
            "char Reserved[8];" & _
            "ushort OEMIdentifier;" & _
            "ushort OEMInformation;" & _
            "char Reserved2[20];" & _
            "dword AddressOfNewExeHeader", _
            $pPointer)

    $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader") ; move to PE file header

    Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer) ; IMAGE_NT_SIGNATURE = 17744

    If Not (DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") = 17744) Then
        Return SetError(1, 0, "") ; Wrong NTSIGNATURE
    EndIf
    $pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure

    ; SizeOfOptionalHeader was missing from the original definition; without it the
    ; struct is 18 bytes and "Characteristics" reads the wrong field (the += 20 below is right)
    Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _
            "ushort NumberOfSections;" & _
            "dword TimeDateStamp;" & _
            "dword PointerToSymbolTable;" & _
            "dword NumberOfSymbols;" & _
            "ushort SizeOfOptionalHeader;" & _
            "ushort Characteristics", _
            $pPointer)
    Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")
    ConsoleWrite("NumberOfSections: " & $iNumberOfSections & @CRLF & @CRLF)

    $pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure

    Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _
            "ubyte MajorLinkerVersion;" & _
            "ubyte MinorLinkerVersion;" & _
            "dword SizeOfCode;" & _
            "dword SizeOfInitializedData;" & _
            "dword SizeOfUninitializedData;" & _
            "dword AddressOfEntryPoint;" & _
            "dword BaseOfCode;" & _
            "dword BaseOfData;" & _
            "dword ImageBase;" & _
            "dword SectionAlignment;" & _
            "dword FileAlignment;" & _
            "ushort MajorOperatingSystemVersion;" & _
            "ushort MinorOperatingSystemVersion;" & _
            "ushort MajorImageVersion;" & _
            "ushort MinorImageVersion;" & _
            "ushort MajorSubsystemVersion;" & _
            "ushort MinorSubsystemVersion;" & _
            "dword Win32VersionValue;" & _
            "dword SizeOfImage;" & _
            "dword SizeOfHeaders;" & _
            "dword CheckSum;" & _
            "ushort Subsystem;" & _
            "ushort DllCharacteristics;" & _
            "dword SizeOfStackReserve;" & _
            "dword SizeOfStackCommit;" & _
            "dword SizeOfHeapReserve;" & _
            "dword SizeOfHeapCommit;" & _
            "dword LoaderFlags;" & _
            "dword NumberOfRvaAndSizes", _
            $pPointer)

    $pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER (32-bit layout, without the data directories)

    Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic")

    ConsoleWrite("Magic " & $iMagic & @CRLF)
    ConsoleWrite("ImageBase " & Ptr(DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase")) & @CRLF)
    ConsoleWrite("NumberOfRvaAndSizes " & DllStructGetData($tIMAGE_OPTIONAL_HEADER, "NumberOfRvaAndSizes") & @CRLF)
    ConsoleWrite(@CRLF)

    If Not ($iMagic = 267) Then
        Return SetError(0, 1, 1) ; not 32-bit application. Structures are for 32-bit
    EndIf

    ; NOTE on the "- 3072" below: RVAs are image-relative, the buffer is the file as stored on
    ; disk, so each RVA has to be converted to a file offset. 3072 (0xC00) is the
    ; VirtualAddress - PointerToRawData difference of the section holding this data in user32.dll;
    ; for other modules compute that difference per section from the section headers instead.

    ; Export Directory
    Local $tIMAGE_DIRECTORY_ENTRY_EXPORT = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8 ; size of $tIMAGE_DIRECTORY_ENTRY_EXPORT

    ConsoleWrite("+VirtualAddress Exports " & Ptr(DllStructGetData($tIMAGE_DIRECTORY_ENTRY_EXPORT, "VirtualAddress")) & @CRLF)
    ConsoleWrite(@CRLF)

    If DllStructGetData($tIMAGE_DIRECTORY_ENTRY_EXPORT, "Size") Then
        Local $tIMAGE_EXPORT_DIRECTORY = DllStructCreate("dword Characteristics;" & _
                "dword TimeDateStamp;" & _
                "ushort MajorVersion;" & _
                "ushort MinorVersion;" & _
                "dword Name;" & _
                "dword Base;" & _
                "dword NumberOfFunctions;" & _
                "dword NumberOfNames;" & _
                "dword AddressOfFunctions;" & _
                "dword AddressOfNames;" & _
                "dword AddressOfNameOrdinals", _
                DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_DIRECTORY_ENTRY_EXPORT, "VirtualAddress") - 3072)
        Local $iBase = DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "Base")
        Local $iNumberOfExporedFunctions = DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "NumberOfFunctions")
        ;Local $tBufferAddress = DllStructCreate("dword[" & DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "NumberOfFunctions") & "]", DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "AddressOfFunctions") - 3072)
        Local $tBufferNames = DllStructCreate("dword[" & DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "NumberOfNames") & "]", DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "AddressOfNames") - 3072)
        Local $tBufferNamesOrdinals = DllStructCreate("ushort[" & DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "NumberOfFunctions") & "]", DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "AddressOfNameOrdinals") - 3072)
        Local $iNumNames = DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "NumberOfNames") ; number of functions exported by name
        Local $iFuncOrdinal
        Local $tFuncName, $sFuncName
        Local $iFuncAddress

        For $i = 1 To $iNumberOfExporedFunctions
            ; All ordinals
        Next

        ConsoleWrite("!!! Exported functions:" & @CRLF)
        For $i = 1 To $iNumNames
            $tFuncName = DllStructCreate("char[64]", DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tBufferNames, 1, $i) - 3072)
            $sFuncName = DllStructGetData($tFuncName, 1) ; name of the function
            $iFuncOrdinal = $iBase + DllStructGetData($tBufferNamesOrdinals, 1, $i)
            ConsoleWrite($iFuncOrdinal & "  " & $sFuncName & @CRLF)
        Next
    EndIf
    ConsoleWrite(@CRLF)

    ; Import Directory
    Local $tIMAGE_DIRECTORY_ENTRY_IMPORT = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)
    $pPointer += 8 ; size of $tIMAGE_DIRECTORY_ENTRY_IMPORT
    ConsoleWrite("+VirtualAddress Imports " & Ptr(DllStructGetData($tIMAGE_DIRECTORY_ENTRY_IMPORT, "VirtualAddress")) & @CRLF)
    ConsoleWrite(@CRLF)

    If DllStructGetData($tIMAGE_DIRECTORY_ENTRY_IMPORT, "Size") Then
        Local $tIMAGE_IMPORT_MODULE_DIRECTORY

        Local $iOffset, $iOffset2, $tModuleName, $iBufferOffset, $sModuleName, $iInitialOffset, $tBufferOffset, $tBuffer, $sFunctionName
        Local $i, $j, $k

        While 1
            $i += 1
            ; one IMAGE_IMPORT_DESCRIPTOR per imported module; an all-zero entry terminates the list
            $tIMAGE_IMPORT_MODULE_DIRECTORY = DllStructCreate("dword RVAOriginalFirstThunk;" & _ ; actually union
                    "dword TimeDateStamp;" & _
                    "dword ForwarderChain;" & _
                    "dword RVAModuleName;" & _
                    "dword RVAFirstThunk", _
                    DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_DIRECTORY_ENTRY_IMPORT, "VirtualAddress") + $iOffset - 3072)
            If Not DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAFirstThunk") Then ; the end
                ExitLoop
            EndIf

            If DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAOriginalFirstThunk") Then
                $iInitialOffset = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAOriginalFirstThunk") - 3072
            Else
                $iInitialOffset = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAFirstThunk") - 3072
            EndIf
            $tModuleName = DllStructCreate("char[64]", DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAModuleName") - 3072)
            $sModuleName = DllStructGetData($tModuleName, 1)
            ConsoleWrite("! " & $sModuleName & @CRLF)
            $iOffset2 = 0
            $j = 0
            While 1
                $j += 1
                $tBufferOffset = DllStructCreate("dword", $iInitialOffset + $iOffset2)
                $iBufferOffset = DllStructGetData($tBufferOffset, 1)
                If Not $iBufferOffset Then ; zero value is the end
                    ExitLoop
                EndIf

                If BitShift($iBufferOffset, 24) Then ; MSB is set for imports by ordinal, otherwise not
                    ConsoleWrite("Ordinal " & BitAND($iBufferOffset, 0xFFFFFF) & @CRLF)
                    $iOffset2 += 4 ; size of $tBufferOffset
                    ContinueLoop
                EndIf

                $tBuffer = DllStructCreate("ushort Ordinal; char Name[64]", DllStructGetPtr($tIMAGE_DOS_HEADER) + $iBufferOffset - 3072)
                $sFunctionName = DllStructGetData($tBuffer, "Name")
                ConsoleWrite($sFunctionName & @CRLF)

                $iOffset2 += 4 ; size of $tBufferOffset
            WEnd

            $k += $j - 1

            $iOffset += 20 ; size of $tIMAGE_IMPORT_MODULE_DIRECTORY
        WEnd
    EndIf

    ConsoleWrite(@CRLF)

    $pPointer += 112 ; size of the rest of the structures before IMAGE_SECTION_HEADER (14 of them)
    Local $tIMAGE_SECTION_HEADER

    For $i = 1 To $iNumberOfSections
        $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _
                "dword UnionOfData;" & _
                "dword VirtualAddress;" & _
                "dword SizeOfRawData;" & _
                "dword PointerToRawData;" & _
                "dword PointerToRelocations;" & _
                "dword PointerToLinenumbers;" & _
                "ushort NumberOfRelocations;" & _
                "ushort NumberOfLinenumbers;" & _
                "dword Characteristics", _
                $pPointer)

        ConsoleWrite(">Section Name: " & DllStructGetData($tIMAGE_SECTION_HEADER, "Name") & @CRLF)
        ConsoleWrite("VirtualAddress: " & DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress") & @CRLF)
        ConsoleWrite("SizeOfRawData: " & DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData") & " bytes" & @CRLF)
        ConsoleWrite("NumberOfRelocations: " & DllStructGetData($tIMAGE_SECTION_HEADER, "NumberOfRelocations") & @CRLF)
        ConsoleWrite(@CRLF)

        $pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure
    Next
EndFunc   ;==>_WriteMiscDataToConsole
```

That method uses much more RAM than it should because it fills that buffer $tBinary fully. I would recommend other methods of doing this (See ResourcesViewerAndCompiler.au3).

@UEZ, fixing that is a trivial task.

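As an added example (not code from this thread, from PE-Scope or from ResHacker), here is the same header walk in Python, covering both the section name/offset request above and trancexx's point about correcting virtual addresses: the file offset of an RVA comes from the section table (VirtualAddress and PointerToRawData of the section that contains it), not from a fixed delta like the -3072 in the script above. The image it parses is constructed inline, and parse_pe, rva_to_offset and build_sample_pe are names I chose.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D           # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550        # "PE\0\0", the 17744 checked in the script above
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B  # 267 in the script above (PE32)
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B  # PE32+
SECTION_HEADER_SIZE = 40


def parse_pe(data):
    """Walk DOS header -> PE signature -> file header -> optional-header magic -> section table.

    Returns a dict; raises ValueError instead of reading past a malformed header."""
    if len(data) < 64 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]          # IMAGE_DOS_HEADER.e_lfanew
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4                                         # IMAGE_FILE_HEADER (20 bytes)
    machine, nsec, _ts, _symptr, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                             # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (IMAGE_NT_OPTIONAL_HDR32_MAGIC, IMAGE_NT_OPTIONAL_HDR64_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]  # same offset in PE32 and PE32+
    # The section table starts right after the optional header. Use SizeOfOptionalHeader from
    # the file header instead of a fixed 96 + 16*8 so PE32+ images and unusual linkers work too.
    first = opt + opt_size
    sections = []
    for i in range(nsec):
        off = first + SECTION_HEADER_SIZE * i
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),  # 8 bytes, NUL padded
            "header_offset": off,            # the "Physical position" printed in the thread above
            "VirtualAddress": va, "VirtualSize": vsize,
            "SizeOfRawData": rawsize, "PointerToRawData": rawptr,
        })
    return {"Machine": machine, "NumberOfSections": nsec, "Characteristics": chars,
            "Magic": magic, "SizeOfHeaders": size_of_headers, "sections": sections}


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset via the section containing it; None when no raw bytes back it."""
    if rva < pe["SizeOfHeaders"]:
        return rva                     # headers are mapped 1:1 at the image base
    for s in pe["sections"]:
        span = max(s["VirtualSize"], s["SizeOfRawData"])
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + span:
            delta = rva - s["VirtualAddress"]
            if delta >= s["SizeOfRawData"]:
                return None            # inside the section's zero-filled tail, not on disk
            return s["PointerToRawData"] + delta
    return None                        # not covered by any section


def build_sample_pe():
    """Constructed two-section PE32 image for the demonstration; not a real program."""
    img = bytearray(0xA00)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 60, 64)                       # e_lfanew
    struct.pack_into("<I", img, 64, IMAGE_NT_SIGNATURE)
    # IMAGE_FILE_HEADER: i386, 2 sections, SizeOfOptionalHeader=224 (96 + 16 data directories)
    struct.pack_into("<HHIIIHH", img, 68, 0x14C, 2, 0, 0, 0, 224, 0x0102)
    struct.pack_into("<H", img, 88, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<II", img, 88 + 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into("<I", img, 88 + 60, 0x400)              # SizeOfHeaders
    struct.pack_into("<I", img, 88 + 92, 16)                 # NumberOfRvaAndSizes
    tbl = 88 + 224                                           # section table at file offset 312
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<8sIIII", img, tbl, b".text", 0x500, 0x1000, 0x400, 0x400)
    struct.pack_into("<8sIIII", img, tbl + 40, b".data", 0x200, 0x2000, 0x200, 0x800)
    return bytes(img)


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for s in pe["sections"]:
        print("Physical position: %d  Section: %-8s VA: %08X  raw: %08X"
              % (s["header_offset"], s["name"], s["VirtualAddress"], s["PointerToRawData"]))
    # .text: VA - raw = 0xC00 (3072, the constant in the script above); .data: 0x1800. A fixed
    # delta is only right for one section, while the table lookup is right for all of them.
    print(hex(rva_to_offset(pe, 0x1010)), hex(rva_to_offset(pe, 0x2000)), rva_to_offset(pe, 0x1480))
```

An RVA that falls in a section's virtual tail beyond SizeOfRawData, or outside every section, yields None rather than a bogus offset, which is the case the RVA2Offset menu option above reports as 0.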

#20 ·  Posted (edited)

@trancexx: I already fixed that but I just wanted to mention it

I forgot to mention: well done crashdemons!

UEZ

Edited by UEZ
