PE-Scope


crashdemons

Please see Trancexx's ResHacker project for a much better project of this nature.

------------------------

[Screenshot]

What does this Script do?

- - It allows you to view the header structure of Portable Executables.

- - Including the main header (DOS/MZ), the PE Header, File Header, Data Directories, Optional header and the section headers.

- - As a side-option you can change file attributes and times, but that's beside the point.

What Data Directories are currently supported for extended information?

- - Just the Import and Export Tables at the moment.

- - It is my hope that I will eventually support all the Data Directories and their tables, if possible.

Where did you get your information?

- - After realizing I was using a bad method of getting information in "Application Headers.au3", I sought out how to correctly get the information. The answer was that the application headers were a lot of data structures. After some heavy testing and going through tutorials and documents I was able to put it all together.

- - Tutorials:

- - - Iczelion's PE Tutorial: http://win32assembly.online.fr/pe-tut1.html (change the 1 for 1-6 etc.)

- - Constants and structure information was specified and verified by reading through the Microsoft Developer's Network, with its extensive documentation.

Are there any known issues?

- - Yes, I will list them here

- - - When a file is closed, the "info" controls are set to be 'hidden' and the listview is set to be 'shown' but the reverse happens, oddly. (see the "----CHECK 1" comment in PEScope.au3)

Where are the files?

- - Right Here (last run with Au3.2.12.1)

PEAppConstants.au3 (v1.1 - Constants used)

PEAppLib.au3 (v3.3 - processes used to get PE info)

PEScope.au3 (v1.2 - this is the example program)

Updates:

8/25/2008 - Update to remove Au3Check warnings and errors.

9/7/2008 - Added option to menu for a quick RVA2Offset, Added Export Table entries (are the ordinals right?)

Edited by crashdemons

My Projects - WindowDarken (Darken except the active window) Yahsmosis Chat Client (Discontinued) StarShooter Game (Red alert! All hands to battlestations!) YMSG Protocol Support (Discontinued) Circular Keyboard and OSK example. (aka Iris KB) Target Screensaver Drive Toolbar Thingy Rollup Pro (Minimize-to-Titlebar & More!) 2D Launcher physics example Ascii Screenshot AutoIt3 Quine Example ("Is a Quine" is a Quine.) USB Lock (Another system keydrive - with a toast.)


As you read this post, tell me if you think of anything reasonable to add.


Very nice!

I'm getting quite a few warnings and errors, but nothing too serious; it runs just fine though. ;)

[Edit] As for something new to add, I can't think of anything at the moment, but I'd say writing documentation and cleaning the code up a bit before you continue would save you from *a lot* of trouble in the long run :D

Edited by mrRevoked
Don't bother, It's inside your monitor!------GUISetOnEvent should behave more like HotKeySet()


Did I ever tell you I hate Au3Check? :D

A lot of the warnings come because Au3Check doesn't check the execution of the program's functions where Globals are defined.

- - Thinking about it, it's probably right. Predefining would save possible flaws (whereas I may not foresee every condition in which a global is called before creation).

A lot of the errors come because I use Dim sometimes as a work-around for OnEvent functions not defining optional parameters.

- - I may not need to do this and I'll look over what I have.

Personally, I don't see the problem with Dim'ing optionals if it keeps the number of functions and the work down while accomplishing what needs to be done, unless there's a major issue.

I will post a modified version that removes all of the warnings and all of the errors if possible. I will also post a reply when I do.


UPDATE

PEScope.au3 (v1.1)

PEAppLib (v3.2)

Minor issues causing Au3Check errors and warnings seem to have been fixed. (at least for me)

>"C:\Program Files\AutoIt3\SciTE\AutoIt3Wrapper\AutoIt3Wrapper.exe" /prod /AU3Check /in "C:\...\PEScope.au3"

+>03:00:19 Starting AutoIt3Wrapper v.1.9.2

>Running AU3Check (1.54.13.0) from:C:\Program Files\AutoIt3

+>03:00:22 AU3Check ended.rc:0

+>03:00:22 AutoIt3Wrapper Finished

>Exit code: 0 Time: 4.177


UPDATE

PEAppConstants.au3 (v1.1)

PEAppLib.au3 (v3.3)

PEScope.au3 (v1.2)

Moved some processes for identifying the names of constants when reading values into PEAppLib.au3 so they can be reused in some form or another. - This update required modifying Scope and AppLib files.

Added the ability to read a file's exported functions. (See Headers>PE/COFF>Data Dir>Exports)

(I'm not sure if all of the Ordinal Values are correct, but all of the names and the number of entries should be correct.) - This update required modifying all three files.

Added an option under a new "Search" menu to get the file offset (0-based) of an RVA.

- Note: if the RVA is out-of-bounds or invalid you will get 0 as a result. Also, this was mainly added for my testing reasons.

- This update required modifying Scope.

Edited by crashdemons



Your whole program is awesome,

but it's very difficult to modify.

I only need the sections and their offsets; how can I get that piece of code from your program?

73 108 111 118 101 65 117 116 111 105 116


Sounds interesting to me; I haven't tested it yet, just downloaded it, I'll test it today :P. By the way, if you don't mind, can you make your app read other application windows in real time? I mean like a .exe application window in real time; I'm finding it difficult to do that .... :unsure:



Sorry that I took so long to respond - What parts would you like to have, if you still need them?



I would love to, but without fully supporting the DLLStruct functions (no matter what alignment I used, the results were not what I expected) the processing speed is just too slow.

Edited by crashdemons



Thanks for your reply. Actually I want the "Offset and Names" of the existing sections in any PE file.

Hope you will make a short program for me; I'm still trying to figure out your project but haven't been successful yet.

Edited by Digisoul


What do you mean fully supporting the DLLStruct functions?

I'm not using DLLStruct functions currently because I cannot get *ANY* of the DLLStruct alignments to give me values with the right data for the specified data types.

I tried all combinations I could think of until I gave up and did the only other thing I could think of - process it manually.

Currently, I'm cheating by doing manual string processing to read struct entries.

Slow, but I left the project mostly open for my easy conversion back to DLLStruct if I ever figured out a workaround.

(I even used the complete original struct definitions! - the exception being the values which don't have specific lengths)

Sighs, try it before you prejudge that little tidbit though - I *REALLY* tried everything I could figure to try.

I don't see why the alignment should have been an issue anyway - it doesn't seem to matter when I manually read it [everything organized as it should be according to the MSDN documentation].

Edited by crashdemons



I'll whip something up as soon as I can - don't expect it immediately though.

(I'm assuming you meant the positions and names of the respective "Section Headers")



This should work for valid files with a "PE" NT header signature.

At least until the AppLib undergoes major updates sometime in the future.

#include <PEAppConstants.au3>
#include <PEAppLib.au3>
#include <String.au3>
; this is as good as it gets until someone debugs the DLLStruct alignment mess, making PseudoStruct obsolete.
; with this stupid PseudoStruct I have set up "$PSOldPos" to be the "next position" after the processed struct

;NOTE: This example ASSUMES you chose a Win32 PE file that is NT-based and actually HAS section headers.

Local $data=FileReadFull("C:\path\to\someprogram.exe")
_Data_ClearCache($data)
Global $_Pseudo_HexArray=True

$hdos=PseudoStruct(PseudoTagStruct($tagIMAGE_DOS_HEADER),$data)
$e_lfanew=Dec($hdos[18]); e_lfanew: file offset of the NT ("PE\0\0") signature
$PSOldPos=$e_lfanew+4; skip the NT header - it's only a signature anyway!
; be SURE to check the signature of the NT header in your full app.
$hfile=PseudoStruct(PseudoTagStruct($tagIMAGE_FILE_HEADER),$data,$PSOldPos)
$NumberOfSections=Dec($hfile[1])
$PSOldPos+=96; skip the OPTIONAL header (fixed 96-byte PE32 layout; the real size is the file header's SizeOfOptionalHeader)
$PSOldPos+=8*16; skip all 16 DATA DIR's (two ulong's each - 8 bytes)
$_Pseudo_HexArray=False; we want raw data from our PseudoStruct
Local $spos
For $i=1 To $NumberOfSections
    ConsoleWrite('Physical position: '&$PSOldPos&@CRLF)
    $Section=PseudoStruct(PseudoTagStruct($tagIMAGE_SECTION_HEADER),$data,$PSOldPos)
    $Section[0]=StringReplace($Section[0],Chr(0),'')
;^^ yes, this is still 8 characters long, Nulls and all - shave them off!
    ConsoleWrite(@TAB&'Section: '&$Section[0]&@CRLF)
    $VirtualAddress=_StringToHex($Section[2])
; the raw bytes are shown in file (little-endian) order, so "00100000" is VirtualAddress 0x00001000
    ConsoleWrite(@TAB&@TAB&'Virtual Address: '&$VirtualAddress&@CRLF)
Next

Output I got with this for a random program:

Physical position: 504
    Section: UPX0
        Virtual Address: 00100000
Physical position: 544
    Section: UPX1
        Virtual Address: 00400600
Physical position: 584
    Section: .rsrc
        Virtual Address: 00B00900

Edits: typos and more info.

Edited by crashdemons


I'm getting this error when I try to run it:

+>09:05:30 Starting AutoIt3Wrapper v.2.0.0.0 Environment(Language:0409 Keyboard:00000407 OS:WIN_VISTA/ CPU:X86)

>Running AU3Check (1.54.14.0) from:C:\Program Files\AutoIt3

C:\Coding\Scripts\AU3\Tools\PE-Scope\PEAppLib.au3(477,28) : ERROR: undefined macro.

Switch @ProcessorArch

~~~~~~~~~~~~~~~~~~~~~^

C:\Coding\Scripts\AU3\Tools\PE-Scope\PEScope.au3(143,17) : ERROR: $Error previously declared as a 'Const'

$Error = @error

~~~~~~~~~~~~~~~^

C:\Coding\Scripts\AU3\Tools\PE-Scope\PEScope.au3 - 2 error(s), 0 warning(s)

!>09:05:30 AU3Check ended.rc:2

I'm using AutoIt v3.3.0.0 and Vista x32.

UEZ

Edited by UEZ

Please don't send me any personal message and ask for support! I will not reply!

Selection of finest graphical examples at Codepen.io



Well, it's not related to alignment.

The thing is that you should simulate the state of the loaded module to get things to work properly. The system does different things when loading that module. If you are going to use virtual addresses and just read the module, then you need to correct the read values.

Try this:

#NoTrayIcon

Global $sModule = @SystemDir & "\user32.dll"; or whatever

_WriteMiscDataToConsole($sModule)


Func _WriteMiscDataToConsole($sModule)

    Local $tBinary = DllStructCreate("byte[" & FileGetSize($sModule) & "]")
    Local $hModule = FileOpen($sModule, 16); binary read mode
    DllStructSetData($tBinary, 1, FileRead($hModule))
    FileClose($hModule)

    Local $pPointer = DllStructGetPtr($tBinary)

    Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _
            "ushort BytesOnLastPage;" & _
            "ushort Pages;" & _
            "ushort Relocations;" & _
            "ushort SizeofHeader;" & _
            "ushort MinimumExtra;" & _
            "ushort MaximumExtra;" & _
            "ushort SS;" & _
            "ushort SP;" & _
            "ushort Checksum;" & _
            "ushort IP;" & _
            "ushort CS;" & _
            "ushort Relocation;" & _
            "ushort Overlay;" & _
            "char Reserved[8];" & _
            "ushort OEMIdentifier;" & _
            "ushort OEMInformation;" & _
            "char Reserved2[20];" & _
            "dword AddressOfNewExeHeader", _
            $pPointer)

    $pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader"); move to PE file header

    Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer); IMAGE_NT_SIGNATURE = 17744

    If Not (DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") = 17744) Then
        Return SetError(1, 0, ""); Wrong NTSIGNATURE
    EndIf

    $pPointer += 4; size of $tIMAGE_NT_SIGNATURE structure

    Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _
            "ushort NumberOfSections;" & _
            "dword TimeDateStamp;" & _
            "dword PointerToSymbolTable;" & _
            "dword NumberOfSymbols;" & _
            "ushort SizeOfOptionalHeader;" & _
            "ushort Characteristics", _
            $pPointer)

    Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")

    ConsoleWrite("NumberOfSections: " & $iNumberOfSections & @CRLF & @CRLF)

    $pPointer += 20; size of $tIMAGE_FILE_HEADER structure

    Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _
            "ubyte MajorLinkerVersion;" & _
            "ubyte MinorLinkerVersion;" & _
            "dword SizeOfCode;" & _
            "dword SizeOfInitializedData;" & _
            "dword SizeOfUninitializedData;" & _
            "dword AddressOfEntryPoint;" & _
            "dword BaseOfCode;" & _
            "dword BaseOfData;" & _
            "dword ImageBase;" & _
            "dword SectionAlignment;" & _
            "dword FileAlignment;" & _
            "ushort MajorOperatingSystemVersion;" & _
            "ushort MinorOperatingSystemVersion;" & _
            "ushort MajorImageVersion;" & _
            "ushort MinorImageVersion;" & _
            "ushort MajorSubsystemVersion;" & _
            "ushort MinorSubsystemVersion;" & _
            "dword Win32VersionValue;" & _
            "dword SizeOfImage;" & _
            "dword SizeOfHeaders;" & _
            "dword CheckSum;" & _
            "ushort Subsystem;" & _
            "ushort DllCharacteristics;" & _
            "dword SizeOfStackReserve;" & _
            "dword SizeOfStackCommit;" & _
            "dword SizeOfHeapReserve;" & _
            "dword SizeOfHeapCommit;" & _
            "dword LoaderFlags;" & _
            "dword NumberOfRvaAndSizes", _
            $pPointer)

    $pPointer += 96; size of $tIMAGE_OPTIONAL_HEADER

    Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic")

    ConsoleWrite("Magic " & $iMagic & @CRLF)
    ConsoleWrite("ImageBase " & Ptr(DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase")) & @CRLF)
    ConsoleWrite("NumberOfRvaAndSizes " & DllStructGetData($tIMAGE_OPTIONAL_HEADER, "NumberOfRvaAndSizes") & @CRLF)
    ConsoleWrite(@CRLF)

    If Not ($iMagic = 267) Then
        Return SetError(0, 1, 1); not 32-bit application. Structures are for 32-bit
    EndIf

; Export Directory
    Local $tIMAGE_DIRECTORY_ENTRY_EXPORT = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8; size of $tIMAGE_DIRECTORY_ENTRY_EXPORT

    ConsoleWrite("+VirtualAddress Exports " & Ptr(DllStructGetData($tIMAGE_DIRECTORY_ENTRY_EXPORT, "VirtualAddress")) & @CRLF)
    ConsoleWrite(@CRLF)

    If DllStructGetData($tIMAGE_DIRECTORY_ENTRY_EXPORT, "Size") Then

        Local $tIMAGE_EXPORT_DIRECTORY = DllStructCreate("dword Characteristics;" & _
                "dword TimeDateStamp;" & _
                "ushort MajorVersion;" & _
                "ushort MinorVersion;" & _
                "dword Name;" & _
                "dword Base;" & _
                "dword NumberOfFunctions;" & _
                "dword NumberOfNames;" & _
                "dword AddressOfFunctions;" & _
                "dword AddressOfNames;" & _
                "dword AddressOfNameOrdinals", _
                DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_DIRECTORY_ENTRY_EXPORT, "VirtualAddress") - 3072)

        Local $iBase = DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "Base")
        Local $iNumberOfExporedFunctions = DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "NumberOfFunctions")

    ;Local $tBufferAddress = DllStructCreate("dword[" & DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "NumberOfFunctions") & "]", DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "AddressOfFunctions") - 3072)
        Local $tBufferNames = DllStructCreate("dword[" & DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "NumberOfNames") & "]", DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "AddressOfNames") - 3072)
        Local $tBufferNamesOrdinals = DllStructCreate("ushort[" & DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "NumberOfFunctions") & "]", DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "AddressOfNameOrdinals") - 3072)

        Local $iNumNames = DllStructGetData($tIMAGE_EXPORT_DIRECTORY, "NumberOfNames"); number of functions exported by name
        Local $iFuncOrdinal
        Local $tFuncName, $sFuncName
        Local $iFuncAddress

        For $i = 1 To $iNumberOfExporedFunctions
        ; All ordinals
        Next

        ConsoleWrite("!!! Exported functions:" & @CRLF)
        For $i = 1 To $iNumNames
            $tFuncName = DllStructCreate("char[64]", DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tBufferNames, 1, $i) - 3072)
            $sFuncName = DllStructGetData($tFuncName, 1); name of the function
            $iFuncOrdinal = $iBase + DllStructGetData($tBufferNamesOrdinals, 1, $i)
            ConsoleWrite($iFuncOrdinal & "  " & $sFuncName & @CRLF)
        Next

    EndIf

    ConsoleWrite(@CRLF)

; Import Directory
    Local $tIMAGE_DIRECTORY_ENTRY_IMPORT = DllStructCreate("dword VirtualAddress;" & _
            "dword Size", _
            $pPointer)

    $pPointer += 8; size of $tIMAGE_DIRECTORY_ENTRY_IMPORT

    ConsoleWrite("+VirtualAddress Imports " & Ptr(DllStructGetData($tIMAGE_DIRECTORY_ENTRY_IMPORT, "VirtualAddress")) & @CRLF)
    ConsoleWrite(@CRLF)

    If DllStructGetData($tIMAGE_DIRECTORY_ENTRY_IMPORT, "Size") Then

        Local $tIMAGE_IMPORT_MODULE_DIRECTORY

        Local $iOffset, $iOffset2, $tModuleName, $iBufferOffset, $sModuleName, $iInitialOffset, $tBufferOffset, $tBuffer, $sFunctionName
        Local $i, $j, $k

        While 1

            $i += 1

            $tIMAGE_IMPORT_MODULE_DIRECTORY = DllStructCreate("dword RVAOriginalFirstThunk;" & _; actually union
                    "dword TimeDateStamp;" & _
                    "dword ForwarderChain;" & _
                    "dword RVAModuleName;" & _
                    "dword RVAFirstThunk", _
                    DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_DIRECTORY_ENTRY_IMPORT, "VirtualAddress") + $iOffset - 3072)

            If Not DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAFirstThunk") Then; the end
                ExitLoop
            EndIf

            If DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAOriginalFirstThunk") Then
                $iInitialOffset = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAOriginalFirstThunk") - 3072
            Else
                $iInitialOffset = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAFirstThunk") - 3072
            EndIf

            $tModuleName = DllStructCreate("char[64]", DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAModuleName") - 3072)
            $sModuleName = DllStructGetData($tModuleName, 1)
            ConsoleWrite("! " & $sModuleName & @CRLF)

            $iOffset2 = 0
            $j = 0

            While 1

                $j += 1
                $tBufferOffset = DllStructCreate("dword", $iInitialOffset + $iOffset2)

                $iBufferOffset = DllStructGetData($tBufferOffset, 1)
                If Not $iBufferOffset Then; zero value is the end
                    ExitLoop
                EndIf

                If BitShift($iBufferOffset, 24) Then; MSB is set for imports by ordinal, otherwise not

                    ConsoleWrite("Ordinal " & BitAND($iBufferOffset, 0xFFFFFF) & @CRLF)
                    $iOffset2 += 4; size of $tBufferOffset
                    ContinueLoop

                EndIf

                $tBuffer = DllStructCreate("ushort Ordinal; char Name[64]", DllStructGetPtr($tIMAGE_DOS_HEADER) + $iBufferOffset - 3072)

                $sFunctionName = DllStructGetData($tBuffer, "Name")

                ConsoleWrite($sFunctionName & @CRLF)

                $iOffset2 += 4; size of $tBufferOffset

            WEnd

            $k += $j - 1

            $iOffset += 20; size of $tIMAGE_IMPORT_MODULE_DIRECTORY

        WEnd

    EndIf

    ConsoleWrite(@CRLF)

    $pPointer += 112; size of the rest of the structures before IMAGE_SECTION_HEADER (14 of them)

    Local $tIMAGE_SECTION_HEADER

    For $i = 1 To $iNumberOfSections

        $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _
                "dword UnionOfData;" & _
                "dword VirtualAddress;" & _
                "dword SizeOfRawData;" & _
                "dword PointerToRawData;" & _
                "dword PointerToRelocations;" & _
                "dword PointerToLinenumbers;" & _
                "ushort NumberOfRelocations;" & _
                "ushort NumberOfLinenumbers;" & _
                "dword Characteristics", _
                $pPointer)

        ConsoleWrite(">Section Name: " & DllStructGetData($tIMAGE_SECTION_HEADER, "Name") & @CRLF)
        ConsoleWrite("VirtualAddress: " & DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress") & @CRLF)
        ConsoleWrite("SizeOfRawData: " & DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData") & " bytes" & @CRLF)
        ConsoleWrite("NumberOfRelocations: " & DllStructGetData($tIMAGE_SECTION_HEADER, "NumberOfRelocations") & @CRLF)
        ConsoleWrite(@CRLF)

        $pPointer += 40; size of $tIMAGE_SECTION_HEADER structure

    Next

EndFunc  ;==>_WriteMiscDataToConsole

That method uses much more RAM than it should because it fills the $tBinary buffer with the whole file. I would recommend other methods of doing this (See ResourcesViewerAndCompiler.au3).

@UEZ, fixing that is a trivial task.


eMyvnE

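Both the section-listing script earlier in the thread and the reader just above hard-code the relation between RVAs and file offsets (a fixed 96 + 16*8 skip to the section table; a fixed -3072 correction that only holds for that particular module). As an added example that is not part of the thread or the PE-Scope project, this Python script derives the mapping from the section table instead, range-checks every offset it reads from the file, and returns None (rather than 0 or a guessed address) when no file bytes back an RVA; the two-section PE32 image it builds is constructed for the demonstration and all function names are assumptions.

```python
import struct

# Signatures the thread refers to by decimal value: 17744 is "PE\0\0", 267 is the PE32 magic
IMAGE_DOS_SIGNATURE = 0x5A4D
IMAGE_NT_SIGNATURE = 0x00004550
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
SECTION_HEADER_SIZE = 40


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> NT signature -> file header -> optional header -> section table.
    Every offset taken from the file is range-checked before it is dereferenced."""
    if len(data) < 64 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew points outside the file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER is the 20 bytes right after the 4-byte signature
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 64 or opt_off + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (IMAGE_NT_OPTIONAL_HDR32_MAGIC, IMAGE_NT_OPTIONAL_HDR64_MAGIC):
        raise ValueError("unknown optional header magic 0x%X" % magic)
    size_of_headers = struct.unpack_from("<I", data, opt_off + 60)[0]  # same offset in PE32 and PE32+
    # The section table starts right after the optional header. Using SizeOfOptionalHeader rather
    # than a fixed 96 + 16*8 skip keeps this correct for PE32+ and for unusual directory counts.
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        off = sec_off + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table truncated")
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize})
    return {"magic": magic, "size_of_headers": size_of_headers, "sections": sections}


def rva_to_offset(pe: dict, rva: int):
    """Map an RVA to a file offset through the section table.
    Returns None (rather than 0 or a guessed address) when no file bytes back the RVA."""
    if rva < pe["size_of_headers"]:
        return rva  # the headers are mapped 1:1 at the image base
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            delta = rva - s["va"]
            if delta < s["rawsize"]:
                return s["rawptr"] + delta
            return None  # inside the section's virtual extent but past its raw data (zero-filled at load)
    return None  # not covered by any section


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (assumption: not a real program) with two sections."""
    e_lfanew = 0x80
    dos = (struct.pack("<H", IMAGE_DOS_SIGNATURE) + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, PE32 opt size
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 60, 0x200)  # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x1000, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt) + secs).ljust(0x200, b"\0")
    return headers + bytes(0x400)  # two 0x200-byte raw sections


def describe(pe: dict) -> list:
    """Per-section lines in the spirit of the thread's console output."""
    return ["Section: %-8s VirtualAddress: 0x%08X PointerToRawData: 0x%X SizeOfRawData: 0x%X"
            % (s["name"], s["va"], s["rawptr"], s["rawsize"]) for s in pe["sections"]]


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("\n".join(describe(pe)))
    for rva in (0x40, 0x1010, 0x2100, 0x2300, 0x9000):
        print("RVA 0x%X -> offset %s" % (rva, rva_to_offset(pe, rva)))
```

On the constructed image the RVA-to-offset delta for .text is 0xE00, which shows why a constant such as -3072 cannot be carried from one file to another.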

@trancexx: I already fixed that but I just wanted to mention it :unsure:

I forgot to mention: well done crashdemons! :P

UEZ

Edited by UEZ

