filever?

On 1/29/19 9:56 PM, T wrote:
Hi All,

Windows provides a utility called filever.exe which will
tell you the revision of an exe file.Â* (You can also see this
through the gui with properties).

I would like to write my own Perl module to return the .exe's
version.Â* Does anyone know where the version information is
stored in an .exe file?Â* (I bet Paul does not even have to
look this one up.)

Many thanks,
-T




Well, so far so good. It is a bit slow on larger exe's.
Will have to work on that.

$ FileVer.pl6
filever.exe's version is 5.1.2600.0
/home/temp/procexp64.exe's version is 16.22
java.exe's version is 7.0.800.15

T wrote:

What I really, really could use if the definition of this metadata
so I knew where to look.

Do you need to re-invent the wheel?

http://pefile.net/example

"T" wrote

Just some initial playing around (reading the first 40 bytes):

So if you look at the docs you've got:

4D 5A "magic"
90 major linker version
00
03 00 00 00 size of code
04 00 00 00 size of initial data
[I'm not sure those are used. They seem to
always be the same.]
FF FF 00 00 offset of entry point
B8 00 00 00 base of code
00 00 00 00 base of data
40 00 00 00 image base
00 00 00 00 section alignment
00 00 00 00 file alignment
00 00 major OS version
00 00 minor OS version

Then, of course, there's the task of actually intepreting
what is or isn't stored in those values. But it's impressive
that Perl was able to read 40 bytes.

"T" wrote
|
| I was looking at a corrupted exe. Good one all have
| what I am looking for

Ah. But they might not. Especially with DLLs.
You have to be prepared for some or all missing.
It might not even have a resource section.

"T" wrote

| A C programmer (damn those guys are brilliant) told me it is
| in the "PE Optional Header" not the "Optional Header"
|

It? Version info is in the resource section. The pointer to
it is in the optional header, which is part of the PE file
header. So what?

That's the problem with brilliant C savants. They're
often only partially socialized and would often rather
bicker than understand.

It's what Gurdjieff characterized as the perversion of
sexual energy being used to power the thinking center.
He made the interesting comment that misuse of sexual
energy is the only true perversion.
Gurdjieff listed examples of such perversion, like excessive
athleticism, hysterical religiosity, or dogmatic beliefs, and
said it's always marked by two things: A notable, out of
proportion vehemence with which the activity is carried
out, and the pointlessness of the activity.
(Marathon running, soapbox ministers, intellectual analysis
of love, etc)

When you start talking to Linux people this is common.
They spent years arguing about how to pronounce "Linus".
Many will argue viciously about anything, calling you names
like a 10 year old in a schoolyard, all the while convinced
that they're talking "scientifically". (I don't mean to say
they're all like that, but there are a significant number who
are simply not properly socialized. Their parents probably
thought it was "brilliant" that they spent all day in the cellar
dissecting video games as teenagers.)

They may also call the optional header the "PE optional
header" in Linux. Who cares? There's only one thing called
"optional", so it doesn't matter. (Though it's
worth noting the the optional header isn't optional. So I
guess the name's wrong no matter how you look at it.

"Andy Burns" wrote

| Do you need to re-invent the wheel?
|
| http://pefile.net/example

He's in the mood to reinvent the wheel. It sounds
like he wanted to take Perl out for a spin and "open
'er up" to see what it can do.

He's also on Linux reading Windows PE files. Your
link seems to be Windows only.

"T" wrote

Well, so far so good. It is a bit slow on larger exe's.
Will have to work on that.


Perl, slow? You could go a lot faster if you first get
the pointer in the file header. But if you want to stick
with the brute hack of searching for the string
"VS_VERSION_INFO", you'll do better if you start from
the end. It's typically near the back.

Mayayana wrote:

Andy Burns wrote:

Do you need to re-invent the wheel?
http://pefile.net/example

He's in the mood to reinvent the wheel. It sounds
like he wanted to take Perl out for a spin and "open
'er up" to see what it can do.

He's also on Linux reading Windows PE files. Your
link seems to be Windows only.

I bet it runs under Wine ...

"Andy Burns" wrote

| He's also on Linux reading Windows PE files. Your
| link seems to be Windows only.
|
| I bet it runs under Wine ...

Probably so, but you haven't followed the thread. He's
not working under WINE. (Don't ask me why he needs
Windows file versions *not* under WINE.)

That's how this thread started out. Under WINE he can
use 3rd party utilities, Win32 API using the Perl Win32
library, or the Windows Script Host. But he wants to do
it in Linux using Perl, without WINE. So his only option
is to parse the file directly. I'm guessing his next project
will be to shovel a stranger's driveway with a teaspoon.
Builds character, apparently.

T wrote:
On 2/1/19 3:57 PM, RBFrank wrote:
On Fri, 1 Feb 2019 15:31:29 -0800, T wrote:

On 1/31/19 4:03 PM, Mayayana wrote:
I assume you're in WINE

I am in raw Linux and using Perl 6 (not Perl 5). I have
WINE installed, but am not using it for this.

That's certainly doable.
As I said above, if you want to do it directly then download
my icon extractor script and look up the layout of the
VS_VERSION_INFO resource.

Is that a Windows program?

Doesn't Perl have the ability to
parse byte data?

beyond your wildest imagination.

If so then you just need to walk the PE
header to the resource section and get the data. Or if you
want to use a half-assed hack that wil probably be fine in
most cases, look for the string VS_VERSION_INFO

Is this is your program or hex edit?

, then look
ahead from there for the file version string, then get the
bytes after that. It should be hard to work out the layout
by looking at the FILEVERSIONINFO enum.

What do I look for in Hex Edit?

Judging by the types of questions you're asking, it seems that you might
not be qualified for this task.

Mumble. Apparently, no one else is either. I have been
googling my ass off looking for the definition of this
metadata and where to look for it. I get back a lot
of systems calls. Dot Net has a beautiful one. But
no one will tell me where to look.

In addition to what you've been given already, you could take a target
file and check its version info in Windows, then do a byte-level review
of the file to find the version string, then back up from there to see
what any headers might look like. See if you can find a marker that
tells you that you've definitely found the version string. After that,
it's off to the races.

I have been looking around various exe's with hexedit seeing
if I can find some commonality.

What I really, really could use if the definition of this metadata
so I knew where to look. Once I know where to look, digging out
the version is child's play with Perl (6).

You seem to have managed to create a basic home-grown solution, but
maybe this is still of use:

This thread says that ExifTool also handles EXE files and also runs on
Linux:

https://superuser.com/questions/1060460/how-to-get-from-a-exe-executable-file-the-version-author-publisher-etc-and

(Found by doing a 'where is version in exe file' search in Google.)

The ExifTool page says that it is platform-independent Perl library
'plus a command-line application', but only has Windows and
MacOS *executables*:

'ExifTool by Phil Harvey'
https://sno.phy.queensu.ca/~phil/exiftool

I don't know much about Perl, but AFAICT, the 'command-line
application' "exiftool" is written in Perl (#!/usr/bin/perl -w) and
contained in the 'Download Version 11.26' archive file
Image-ExifTool-11.26.tar.gz

So, as probably most Linux systems have Perl, you should be able to
run the exiftool Perl program on most Linux systems.

See https://sno.phy.queensu.ca/~phil/exiftool/#supported for the
Supported File Types and click on a file type - i.e. EXE - to get
details about that file type.

HTH.

On 2/2/19 5:13 AM, Mayayana wrote:
"T" wrote

Just some initial playing around (reading the first 40 bytes):

So if you look at the docs you've got:

4D 5A "magic"
90 major linker version
00
03 00 00 00 size of code
04 00 00 00 size of initial data
[I'm not sure those are used. They seem to
always be the same.]
FF FF 00 00 offset of entry point
B8 00 00 00 base of code
00 00 00 00 base of data
40 00 00 00 image base
00 00 00 00 section alignment
00 00 00 00 file alignment
00 00 major OS version
00 00 minor OS version

Then, of course, there's the task of actually intepreting
what is or isn't stored in those values. But it's impressive
that Perl was able to read 40 bytes.


The "FileVersion" is located under "VERSION_INFO". There
are several file version in an exe, so I look only for the one
under VERSION_INFO.

On 2/2/19 5:18 AM, Mayayana wrote:
"T" wrote
|
| I was looking at a corrupted exe. Good one all have
| what I am looking for

Ah. But they might not. Especially with DLLs.
You have to be prepared for some or all missing.
It might not even have a resource section.



I am only going after .exe's. At the moment, I don't
care at all about DLL's.

On 2/2/19 5:37 AM, Mayayana wrote:
That's the problem with brilliant C savants. They're
often only partially socialized and would often rather
bicker than understand.


*THAT* I have noticed. The C group is full of
an astonishing number of ass holes. I adjusted my kill
file and they can make fu of me to their hearts contents.
I only see the mensches on that group now.

On 2/2/19 1:57 AM, Andy Burns wrote:
T wrote:

What I really, really could use if the definition of this metadata
so I knew where to look.

Do you need to re-invent the wheel?

http://pefile.net/example

YES !!!!. I want to do it myself and have control over
the code myself. And I am not writing in Windows either.

On 2/2/19 6:24 AM, Mayayana wrote:
"Andy Burns" wrote

| He's also on Linux reading Windows PE files. Your
| link seems to be Windows only.
|
| I bet it runs under Wine ...

Probably so, but you haven't followed the thread. He's
not working under WINE. (Don't ask me why he needs
Windows file versions *not* under WINE.)

That's how this thread started out. Under WINE he can
use 3rd party utilities, Win32 API using the Perl Win32
library, or the Windows Script Host. But he wants to do
it in Linux using Perl, without WINE. So his only option
is to parse the file directly. I'm guessing his next project
will be to shovel a stranger's driveway with a teaspoon.
Builds character, apparently.




You can run Windows' filever.exe under WINE:

$ WINEDEBUG=-all wine filever.exe 'Z:\home\temp\procexp64.exe'
--a-- W32 APP ENU 16.22.0.0 shp 1,449,008 11-16-2018
procexp64.exe

Wine also has their own tool too, but I forgot what it is
called. I would look at it, but C blows my mind.

But, I want full control over the process myself.