searching for compiled AutoIt Exe's

zFrank

Hi there! I have some exe files in a folder and their attribs are +SHR.

Can anyone tell me how I can detect the Exe's which are created using AutoIt Script?

How can I check them to know if they are AutoIt compiled exe's or not?

Maybe any expert or Developer will answer my questions.

Thanks,

WBR,


GSM Expert but not AutoIt :D
Proud to be Admin Of: http://www.gsmhosting.net/
visit my Forum... http://www.gsmhosting.net/vbb/index.php
$Life = "Happy"
If @Error Then
$Life = "Risk"

baghenamoth

Hi there! I have some exe files in a folder and their attribs are +SHR.

Can anyone tell me how I can detect the Exe's which are created using AutoIt Script?

How can I check them to know if they are AutoIt compiled exe's or not?

Maybe any expert or Developer will answer my questions.

Thanks,

WBR,

Well, maybe this can help, even if I think that there is a simpler solution, but here is mine:

With reshacker you can extract information about each exe.

So you can run this command line:

; Path to Resource Hacker as shipped with SciTE's AutoIt3Wrapper
$s_ReshackerPath = "C:\Program Files\AutoIt3\SciTE\AutoIt3Wrapper\ResHacker.exe"
$s_ExePath = "C:\toto\test.exe"
; Write the extracted resource next to the exe, as test.txt
$s_Destination = StringReplace($s_ExePath, ".exe", ".txt")
; Extract resource type 24 (the manifest), name 1, any language
RunWait('"' & $s_ReshackerPath & '" -extract "' & $s_ExePath & '","' & $s_Destination & '",24,1,')

You have to read the txt file that is created, and you can see this inside it:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
    type="win32"
    processorArchitecture="*"
    version="6.0.0.0"
    name="mash"
/>
<description>AutoIt 3</description>
<dependency>
    <dependentAssembly>
        <assemblyIdentity
            type="win32"
            name="Microsoft.Windows.Common-Controls"
            version="6.0.0.0"
            language="*"
            processorArchitecture="*"
        publicKeyToken="6595b64144ccf1df"
        />
   </dependentAssembly>
</dependency>
</assembly>

So you should extract <description>AutoIt 3</description> to guess Exe's created with AutoIt...

Maybe someone has a script to read exe information, so you won't have to use reshacker....

baghenamoth

But it extracts the info; how can the script tell me that it is an AutoIt or any other script?

Well, what I noticed in my test: for most of the exes the text file is not created because entry 24 doesn't exist. So you don't have to read it, you know that it's not an AutoIt exe...

For some others, when the entry exists (for example 7zG.exe, available in the 7-zip installation), it returns another description (empty).

So you should read the file (which is xml) and search for this string, <description>AutoIt 3</description>, for example with _FileReadToArray()

SmOke_N

It was easier to write it than explain it:

#include <array.au3>
Local $a = _FindAutoItExes()
_ArrayDisplay($a)

Func _FindAutoItExes()
    Local $a_wl = WinList("[REGEXPCLASS:AutoIt v3.*?]")
    Local $a_pl = ProcessList()
    Local $a_info[$a_pl[0][0] + 1][4], $i_add
    For $x = 1 To $a_wl[0][0]
        For $i = 1 To $a_pl[0][0]
            If WinGetProcess($a_wl[$x][1]) = $a_pl[$i][1] Then
                $i_add += 1
                $a_info[$i_add][0] = $a_pl[$i][0]
                $a_info[$i_add][1] = $a_pl[$i][1]
                $a_info[$i_add][2] = $a_wl[$x][0]
                $a_info[$i_add][3] = $a_wl[$x][1]
                ExitLoop
            EndIf
        Next
    Next
    If Not $i_add Then Return SetError(1, 0, 0)
    ReDim $a_info[$i_add + 1][4]
    $a_info[0][0] = $i_add
    Return $a_info
EndFunc


Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

weaponx

From the description it looks like you have some exe's in a folder (not running) and you want to know which ones were made with AutoIt. Correct?

SmOke_N

From the description it looks like you have some exe's in a folder (not running) and you want to know which ones were made with AutoIt. Correct?

Oops.

rover

Reads the last 8 bytes of the exe file.

There are many examples on the forum of this method; look for randallc's APITailRW.au3 UDF,

cppman http://www.autoitscript.com/forum/index.php?showtopic=73672 and others.

The latest beta now has _WinAPI_SetFilePointer().

This example is based on zorphnog's post

http://www.autoitscript.com/forum/index.php?showtopic=74775

and Smashly's _FileListToArrayR (Recursive).

Edit: forgot includes

#include <Array.au3>
#include <WinApi.au3>
Opt("MustDeclareVars", 1)
Global $hInFile, $aResult, $hBuffer, $nRead, $aAU3Files[1][4], $aArray
Global $sAU3Files, $aFileList, $sBuffer, $sVer1, $sVer2
Global $sFileDialogTitle = "Select a root folder to recursively search for AutoIt3 executables"

Global $sPath = FileSelectFolder($sFileDialogTitle, "", 6, @ScriptDir)
If @error Then Exit

Local $aFL2AR = _FileListToArrayR($sPath, "exe", 1, 1)
If @error Then Exit

ConsoleWrite('-Total EXE files to process = ' & $aFL2AR[0] & @CRLF & @crlf)

For $i = 1 To $aFL2AR[0]
    ;ConsoleWrite($aFL2AR[$i] & @CRLF)
    $hInFile = _WinAPI_CreateFile($aFL2AR[$i], 2, 2, 2)
    If $hInFile = 0 Then ContinueLoop
    $aResult = DllCall("Kernel32.dll", "dword", "SetFilePointer", "hwnd", $hInFile, "int", -8, "ptr", 0, "dword", 2)
    If @error Or IsArray($aResult) = 0 Then 
        _WinAPI_CloseHandle($hInFile)
        ContinueLoop
    EndIf
    ;ConsoleWrite(" File pointer position: " & $aResult[0] & @LF)
    $hBuffer = DllStructCreate("ubyte buffer[8]")
    If _WinAPI_ReadFile($hInFile, DllStructGetPtr($hBuffer), 8, $nRead) Then
        ;ConsoleWrite(" [" & $nRead & "] bytes read" & @LF)
        $sBuffer = StringTrimLeft(DllStructGetData($hBuffer, "buffer"), 2) 
        ;*char[n], byte[n] and ubyte[n] return all element data when index is omitted.
        _WinAPI_CloseHandle($hInFile)
        $hBuffer = ""
    Else
        _WinAPI_CloseHandle($hInFile)
        ContinueLoop
    EndIf

    If StringInStr($sBuffer, "41553321454130") Then 
        ;ConsoleWrite($aFL2AR[$i] & @CRLF)
        ;ConsoleWrite($sBuffer & @CRLF)
        ;ConsoleWrite(BinaryToString("0x"&$sBuffer) & @CRLF & @CRLF)
        $sVer1 = FileGetVersion($aFL2AR[$i])
        $sVer2 = FileGetVersion($aFL2AR[$i], "CompiledScript")
        $sAU3Files &= $aFL2AR[$i] & "|" & BinaryToString("0x"&$sBuffer) & "|" & $sVer1 & "|" & $sVer2 & ";"
    EndIf
Next

$aFileList = StringSplit(StringTrimRight($sAU3Files, 1), ";")
$sAU3Files = 0
$aFL2AR = 0
; Row 0 holds the match count, rows 1..n hold the matches (n + 1 rows in total)
ReDim $aAU3Files[$aFileList[0] + 1][4]
For $i = 0 To $aFileList[0]
    $aArray = StringSplit($aFileList[$i], "|")
    For $i2 = 1 To $aArray[0]
        $aAU3Files[$i][$i2-1] = $aArray[$i2]
    Next
Next
$aFileList = 0
_ArrayDisplay($aAU3Files, "AutoIt3 executables", Default, Default, "|")


Func _FileListToArrayR($sPath, $sExFilter = "", $iFlag = 0, $iRecurse = 0, $iDepth = 0)
    Local $hSearch, $sFile, $sRxpFilter, $asFileList
    If Not $iDepth Then
        Global $sHoldFiles = ''
        If Not FileExists($sPath) Then Return SetError(1, 1, "")
        If StringRegExp($sExFilter, "[\\/<>:*?]", 0) Then Return SetError(2, 2, "")
        If Not ($iFlag = 0 Or $iFlag = 1 Or $iFlag = 2) Then Return SetError(3, 3, "")
        If Not ($iRecurse = 0 Or $iRecurse = 1) Then Return SetError(4, 4, "")
    EndIf
    If StringRight($sPath, 1) <> "\" Then $sPath &= "\"
    If $sExFilter = "" Then
        $sRxpFilter = "."
    Else
        $sRxpFilter = "(?i)\.(" & $sExFilter & ")"
    EndIf
    $hSearch = FileFindFirstFile($sPath & "*")
    If $hSearch = -1 Then Return SetError(5, 5, "")
    While 1
        $sFile = FileFindNextFile($hSearch)
        If @error Then ExitLoop
        If StringInStr(FileGetAttrib($sPath & $sFile), "D") Then
            If Not $iRecurse And $iFlag = 1 Then ContinueLoop
            If $iRecurse Then
                _FileListToArrayR($sPath & $sFile, $sExFilter, $iFlag, $iRecurse, $iDepth + 1)
                If $iFlag <> 1 Then $sHoldFiles &= $sPath & $sFile & "|"
            Else
                $sHoldFiles &= $sPath & $sFile & "|"
            EndIf
        ElseIf StringRegExp($sFile, $sRxpFilter, 0) And $iFlag <> 2 Then
            $sHoldFiles &= $sPath & $sFile & "|"
        EndIf
    WEnd
    FileClose($hSearch)
    If Not $iDepth Then
        $asFileList = StringSplit(StringTrimRight($sHoldFiles, 1), "|")
        $sHoldFiles = ""
        Return $asFileList
    EndIf
EndFunc   ;==>_FileListToArrayR

I see fascists...
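
The two static checks from this thread (the manifest description from baghenamoth's post and the trailing `AU3!EA0` marker from rover's post), combined into one recursive folder scan. This is an added example in Python, not code from any poster; the function names and the sample byte strings are constructed for illustration.

```python
import re
from pathlib import Path

# Indicators taken from the thread; everything else here is illustrative.
TAIL_MARKER = b"AU3!EA0"  # hex 41553321454130, searched for in the last 8 bytes
MANIFEST_RE = re.compile(rb"<description>\s*AutoIt 3\s*</description>")


def autoit_indicators(data):
    """Return which of the thread's two AutoIt indicators appear in a file image."""
    hits = []
    if not data.startswith(b"MZ"):   # not a DOS/PE executable, skip both checks
        return hits
    if TAIL_MARKER in data[-8:]:     # a file shorter than 8 bytes is checked whole
        hits.append("tail-marker")
    if MANIFEST_RE.search(data):     # manifest text as shown in the ResHacker dump
        hits.append("manifest-description")
    return hits


def scan_folder(root):
    """Map each .exe under root (recursively) to its matched indicators."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".exe":
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue                  # locked or unreadable file
        hits = autoit_indicators(data)
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample images (not real executables) to exercise both checks.
SAMPLE_TAIL = b"MZ" + b"\x00" * 64 + b"AU3!EA05"
SAMPLE_MANIFEST = b"MZ<description>AutoIt 3</description>" + b"\x00" * 32
SAMPLE_OTHER = b"MZ" + b"\x00" * 100

if __name__ == "__main__":
    samples = [("tail", SAMPLE_TAIL), ("manifest", SAMPLE_MANIFEST), ("other", SAMPLE_OTHER)]
    for name, blob in samples:
        print(name, autoit_indicators(blob))
```

Both checks are string heuristics: a hit is a reason to look closer, and a miss does not prove a file was not built with AutoIt.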

zFrank

From the description it looks like you have some exe's in a folder (not running) and you want to know which ones were made with AutoIt. Correct?

Yes, it's correct. I want to exclude the list of AutoIt exe's.

zFrank

I got some error:

>"C:\Program Files\AutoIt3\SciTE\..\autoit3.exe" /ErrorStdOut "C:\Documents and Settings\zFrank\Desktop\AutoIt exe.au3"

-Total EXE files to process = 19

C:\Documents and Settings\zFrank\Desktop\AutoIt exe.au3 (16) : ==> Unknown function name.:

$hInFile = _WinAPI_CreateFile($aFL2AR[$i], 2, 2, 2)

$hInFile = ^ ERROR

>Exit code: 1 Time: 12.876


weaponx

I got some error:

>"C:\Program Files\AutoIt3\SciTE\..\autoit3.exe" /ErrorStdOut "C:\Documents and Settings\zFrank\Desktop\AutoIt exe.au3"

-Total EXE files to process = 19

C:\Documents and Settings\zFrank\Desktop\AutoIt exe.au3 (16) : ==> Unknown function name.:

$hInFile = _WinAPI_CreateFile($aFL2AR[$i], 2, 2, 2)

$hInFile = ^ ERROR

>Exit code: 1 Time: 12.876

You missed his note that he forgot the includes. Re-copy the script from above.

rover

You missed his note that he forgot the includes. Re-copy the script from above.

Oops.

