| View previous topic :: View next topic |
| Author |
Message |
oib111
I post too much
 Reputation: 0
Joined: 02 Apr 2007
Posts: 2947
Location: you wanna know why?
|
 Posted: Sun Jul 20, 2008 11:05 pm Post subject: Detecting Valid PE Files |
 |
|
| Quote: |
1. Verify if the given file has a valid DOS MZ header by comparing the first word of the file with the value IMAGE_DOS_SIGNATURE.
2. If the file has a valid DOS header, use the value in e_lfanew member to find the PE header
3. Comparing the first word of the PE header with the value IMAGE_NT_HEADER. If both values match, then we can assume that the file is a valid PE.
|
Ok, I understand what this is saying. But whats in the bolded part, how do I do that exactly. Like, get the first two bytes of the file?
After finding some tutorials on the PE Header file format I found one that actually has documentation on the structures. And the e_magic member of the IMAGE_DOS_HEADER structure seems to hold that value (0x54AD, or "MZ"). So would the first two bytes of the file would be the e_magic member right (its defined as USHORT which is 2 bytes, so it makes sense)?
_________________
| 8D wrote: |
cigs dont make people high, which weed does, which causes them to do bad stuff. like killing |
|
|
| Back to top |
|
 |
Symbol
I'm a spammer
![]() Reputation: 0
Joined: 18 Apr 2007
Posts: 5094
Location: Israel.
|
| Posted: Sun Jul 20, 2008 11:10 pm Post subject: |
|
|
Get the image base address. (by calling GetModuleHandle with the parameter being NULL it returns the base address)
Edit: its 0x5A4D, not 0x54AD... o.o
Here's an example:
| Code: | | printf("Valid: %s\n", *(WORD*)GetModuleHandleA(0) == 0x5A4D ? "True" : "False"); |
|
|
| Back to top |
|
|
oib111
I post too much
Reputation: 0
Joined: 02 Apr 2007
Posts: 2947
Location: you wanna know why?
|
| Posted: Sun Jul 20, 2008 11:17 pm Post subject: |
|
|
| Code: |
HMODULE hModule = GetModuleHandle(NULL);
LPVOID lpPEHeader;
if((USHORT)hModule.e_magic == IMAGE_DOS_SIGNATURE) {
lpPEHeader = (LPVOID)hModule+(USHORT)hModule.e_lfanew);
if((USHORT)lpHeader = IMAGE_NT_SIGNATURE) {
//yay valid pe file :roll:
}
else {
//boo not valid :(
}
}
|
?
EDIT:
| Quote: |
The first field, e_magic, is the so-called magic number. This field is used to identify an MS-DOS-compatible file type. All MS-DOS-compatible executable files set this value to 0x54AD, which represents the ASCII characters MZ.
|
_________________
| 8D wrote: |
cigs dont make people high, which weed does, which causes them to do bad stuff. like killing |
|
|
| Back to top |
|
|
Symbol
I'm a spammer
![]() Reputation: 0
Joined: 18 Apr 2007
Posts: 5094
Location: Israel.
|
| Posted: Sun Jul 20, 2008 11:23 pm Post subject: |
|
|
HMODULE doesn't contain "e_magic" member, "IMAGE_DOS_HEADER" does.
Edit: they probably mispelled it, check the ASCII values. (0xAD is not even an alphabetic character)
4D = M, 5A = Z.
Last edited by Symbol on Sun Jul 20, 2008 11:25 pm; edited 1 time in total |
|
| Back to top |
|
|
sponge
I'm a spammer
 Reputation: 1
Joined: 07 Nov 2006
Posts: 6009
|
| Posted: Sun Jul 20, 2008 11:23 pm Post subject: |
|
|
| oib111 wrote: | EDIT:
| Quote: |
The first field, e_magic, is the so-called magic number. This field is used to identify an MS-DOS-compatible file type. All MS-DOS-compatible executable files set this value to 0x54AD, which represents the ASCII characters MZ.
|
|
M = 4D Z = 5A
_________________
Last edited by sponge on Sun Jul 20, 2008 11:25 pm; edited 1 time in total |
|
| Back to top |
|
|
oib111
I post too much
Reputation: 0
Joined: 02 Apr 2007
Posts: 2947
Location: you wanna know why?
|
| Posted: Sun Jul 20, 2008 11:24 pm Post subject: |
|
|
Oh right x_x
| Code: |
HMODULE hModule = GetModuleHandle(NULL);
LPVOID lpPEHeader;
if((IMAGE_DOS_HEADER)hModule.e_magic == IMAGE_DOS_SIGNATURE) {
lpPEHeader = (LPVOID)hModule+(LPVOID)(IMAGE_DOS_HEADER)hModule.e_lfanew);
if((USHORT)lpHeader = IMAGE_NT_SIGNATURE) {
//yay valid pe file :roll:
}
else {
//boo not valid :(
}
}
|
_________________
| 8D wrote: |
cigs dont make people high, which weed does, which causes them to do bad stuff. like killing |
|
|
| Back to top |
|
|
Symbol
I'm a spammer
![]() Reputation: 0
Joined: 18 Apr 2007
Posts: 5094
Location: Israel.
|
| Posted: Sun Jul 20, 2008 11:27 pm Post subject: |
|
|
You can't type cast like that, it'll cast "hModule.e_magic" to IMAGE_DOS_HEADER, you should cast hModule first then it'll treat hModule as IMAGE_DOS_HEADER:
((IMAGE_DOS_HEADER)hModule).e_magic
Edit: you can't even type cast that. 
Edit:
| Quote: | | if((USHORT)lpHeader = IMAGE_NT_SIGNATURE) { |
Notice, only 1 equal sign.
Last edited by Symbol on Sun Jul 20, 2008 11:30 pm; edited 2 times in total |
|
| Back to top |
|
|
oib111
I post too much
Reputation: 0
Joined: 02 Apr 2007
Posts: 2947
Location: you wanna know why?
|
| Posted: Sun Jul 20, 2008 11:29 pm Post subject: |
|
|
Ok.
| Code: |
HMODULE hModule = GetModuleHandle(NULL);
LPVOID lpPEHeader;
if(((IMAGE_DOS_HEADER)hModule).e_magic == IMAGE_DOS_SIGNATURE) {
lpPEHeader = (LPVOID)hModule+(LPVOID)((IMAGE_DOS_HEADER)hModule).e_lfanew);
if((USHORT)lpHeader = IMAGE_NT_SIGNATURE) {
//yay valid pe file :roll:
}
else {
//boo not valid :(
}
}
|
_________________
| 8D wrote: |
cigs dont make people high, which weed does, which causes them to do bad stuff. like killing |
|
|
| Back to top |
|
|
Symbol
I'm a spammer
![]() Reputation: 0
Joined: 18 Apr 2007
Posts: 5094
Location: Israel.
|
| Posted: Sun Jul 20, 2008 11:30 pm Post subject: |
|
|
Look at my edits on my last post, can't type cast. you also used 1 equal sign.
| x0r wrote: | Uh, if the module has been loaded it has to be a valid PE.
/facepalm |
What about checking the first 2 characters in file? |
|
| Back to top |
|
|
sponge
I'm a spammer
Reputation: 1
Joined: 07 Nov 2006
Posts: 6009
|
| Posted: Sun Jul 20, 2008 11:33 pm Post subject: |
|
|
| Symbol wrote: | Look at my edits on my last post, can't type cast. you also used 1 equal sign.
| x0r wrote: | Uh, if the module has been loaded it has to be a valid PE.
/facepalm |
What about checking the first 2 characters in file? |
what does that have to do with anything? he loaded it.
_________________
|
|
| Back to top |
|
|
Symbol
I'm a spammer
![]() Reputation: 0
Joined: 18 Apr 2007
Posts: 5094
Location: Israel.
|
| Posted: Sun Jul 20, 2008 11:35 pm Post subject: |
|
|
| I mean, if he didn't load it. |
|
| Back to top |
|
|
oib111
I post too much
Reputation: 0
Joined: 02 Apr 2007
Posts: 2947
Location: you wanna know why?
|
| Posted: Sun Jul 20, 2008 11:35 pm Post subject: |
|
|
Yea, I use the one equal sign a lot without using it. My bad, I guess the question is how do I detect if other files have a valid PE? Like have an open dialog and the user selects a program, and it detects if it's valid or not?
Would I have to star the program (CreateProcess) then use GetModuleHandle and do the rest. But, if I tried this wouldn't I have to use RPM or inject a DLL since I don't actually have access to the programs memory, only my programs memory?
_________________
| 8D wrote: |
cigs dont make people high, which weed does, which causes them to do bad stuff. like killing |
|
|
| Back to top |
|
|
sponge
I'm a spammer
Reputation: 1
Joined: 07 Nov 2006
Posts: 6009
|
| Posted: Sun Jul 20, 2008 11:37 pm Post subject: |
|
|
| Symbol wrote: | | I mean, if he didn't load it. |
just because the 2 characters match doesn't mean its valid. map file into memory.
_________________
|
|
| Back to top |
|
|
Flyte
Peanuts!!!!
 Reputation: 6
Joined: 19 Apr 2006
Posts: 1887
Location: Canada
|
| Posted: Sun Jul 20, 2008 11:50 pm Post subject: |
|
|
For fuck sakes oib, I gave you a perfectly good tutorial outlining everything from start to finish (Iczelion) and you still just can't read the fucking thing. Stop asking for handouts, stop asking for help, and use google or read a fucking tutorial for a change! In fact half of this shit is common sense, and you wouldn't even be having these problems if you actually did everything yourself without asking someone for fucking permission first.
FUUUUUUUUUUCCCCKKKKKKKKKKKKKKKK
/rant |
|
| Back to top |
|
|
oib111
I post too much
Reputation: 0
Joined: 02 Apr 2007
Posts: 2947
Location: you wanna know why?
|
| Posted: Sun Jul 20, 2008 11:52 pm Post subject: |
|
|
I'm actually reading various things, and if you haven't noticed, Iczelion is for assembly, which I don't really know at all (I know like mov, cmp, jmp  ).
_________________
| 8D wrote: |
cigs dont make people high, which weed does, which causes them to do bad stuff. like killing |
|
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
