#31
filever?
"T" wrote
| What I really, really could use is the definition of this metadata
| so I knew where to look. Once I know where to look, digging out
| the version is child's play with Perl (6).
|

I've explained it twice, which is why RBFrank made his comment. It's a resource. In the resource section of PE files. PE files have different sections. Resources is one of them. You find the offset by looking in the header. You can get some help with that by looking at the icon extractor script I already told you about twice. Or you can just look up PE headers. It's all documented.

Perl is not going to make anything child's play. It's a very complicated file structure. If Perl can search strings and walk byte arrays then it can do the job, but the hard part is all those details of hunting down pointers to pointers to pointers inside a PE file.

Then there's the question of why you need to find versions of Windows PE files on Linux, not under WINE. But I don't dare ask.
#32
filever?
On 2/1/19 5:35 PM, Paul wrote:
> https://en.wikibooks.org/wiki/X86_Di...ecutable_Files

I am able to find those headers with hexedit. Not finding the file version in the page. :'(

I don't care if I can figure out the file version of an exe dated back from 1935. The most recent will do. The exe's I will be analyzing will all be only months old at that.

If, from Windows, right clicking on the exe and left clicking on properties will give you the version, I am happy. I just want to do it from Linux with Perl 6.
#33
filever?
"Paul" wrote
| My problem is, I can't even make a list of all the file
| formats to be analyzed. I can't be certain that I would
| have a complete set. It's one thing to find a little info
| in isolation, but does this cover everything I'll find
| in the wild ? For example, MINGW compiled programs are
| debugged in gdb, while Visual Studio compiled programs
| are debugged in windbg. Because apparently at some level,
| they're not the same thing. How many variants are there ?

I don't know what MINGW is, but a Win32 PE file has a standardized format. I've never looked at a Win64 PE file. I suspect it's the same header but with different data sizes, defaulting to 8-byte rather than 4-byte data. The format is documented here:

https://docs.microsoft.com/en-us/win...ebug/pe-format

Though I don't think that's a great way to read it. It's easier if you can read it like a chart or struct.

.Net is different. I don't know the details, but .Net EXEs are not actually compiled. Like Java, there's some kind of EXE part that calls the runtime, mscoree, which then takes over. It's useless without mscoree. Similarly, I don't know what file extension they use on Metro apps these days, but last I heard they're basically scripted HTA files. Browser apps. So if they have some kind of EXE structure it would only be some kind of stub, like what's used to make an SFX, that then calls whatever load of crap makes sense of a Metro app.

To put it another way, PE is PE. It hasn't changed. That applies to EXE, DLL, OCX. But some newer gimmicks like .Net and Metro may be just using PE stubs or partial PE files for backward compatibility.
#34
filever?
On 2/1/19 5:40 PM, Mayayana wrote:
> "T" wrote
> | What I really, really could use is the definition of this metadata
> | so I knew where to look. Once I know where to look, digging out
> | the version is child's play with Perl (6).
> |
> I've explained it twice, which is why RBFrank made his comment. It's a resource. In the resource section of PE files. PE files have different sections. Resources is one of them. You find the offset by looking in the header. You can get some help with that by looking at the icon extractor script I already told you about twice. Or you can just look up PE headers. It's all documented.
>
> Perl is not going to make anything child's play. It's a very complicated file structure. If Perl can search strings and walk byte arrays then it can do the job, but the hard part is all those details of hunting down pointers to pointers to pointers inside a PE file.
>
> Then there's the question of why you need to find versions of Windows PE files on Linux, not under WINE. But I don't dare ask.

Not finding what you are speaking of in

https://en.wikibooks.org/wiki/X86_Di...ecutable_Files

"PE Header"? Do you mean "PE Signature"?

I would love a link to this documentation you refer to? Google has failed me here.

I find this in filever.exe:

00002C60 A4 03 34 00 00 00 56 00 53 00 5F 00 56 00 45 00  ..4...V.S._.V.E.
00002C70 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 00 4E 00  R.S.I.O.N._.I.N.
00002C80 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00  F.O.............
00002C90 01 00 05 00 00 00 28 0A 01 00 05 00 00 00 28 0A  ......(.......(.
00002CA0 3F 00 00 00 00 00 00 00 04 00 04 00 01 00 00 00  ?...............
00002CB0 00 00 00 00 00 00 00 00 00 00 00 00 02 03 00 00  ................
00002CC0 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00  ..S.t.r.i.n.g.F.
00002CD0 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00  i.l.e.I.n.f.o...
00002CE0 DE 02 00 00 01 00 30 00 34 00 30 00 39 00 30 00  ......0.4.0.9.0.
00002CF0 34 00 42 00 30 00 00 00 4C 00 16 00 01 00 43 00  4.B.0...L.....C.
00002D00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00  o.m.p.a.n.y.N.a.
00002D10 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00  m.e.....M.i.c.r.
00002D20 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00  o.s.o.f.t. .C.o.
00002D30 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00  r.p.o.r.a.t.i.o.
00002D40 6E 00 00 00 78 00 28 00 01 00 46 00 69 00 6C 00  n...x.(...F.i.l.
00002D50 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00  e.D.e.s.c.r.i.p.
00002D60 74 00 69 00 6F 00 6E 00 00 00 00 00 4D 00 69 00  t.i.o.n.....M.i.
00002D70 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00  c.r.o.s.o.f.t. .
00002D80 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 20 00  V.e.r.s.i.o.n. .

but nowhere else
#35
filever?
On 2/1/19 5:46 PM, T wrote:
> On 2/1/19 5:35 PM, Paul wrote:
> > https://en.wikibooks.org/wiki/X86_Di...ecutable_Files
>
> I am able to find those headers with hexedit. Not finding the file version in the page. :'(
>
> I don't care if I can figure out the file version of an exe dated back from 1935. The most recent will do. The exe's I will be analyzing will all be only months old at that.
>
> If, from Windows, right clicking on the exe and left clicking on properties will give you the version, I am happy. I just want to do it from Linux with Perl 6.

Wait just a minute. I double checked a few more exe's and they do not have a revision according to filever. So I checked a third and fourth and they do indeed have

00150000 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00  ..S.t.r.i.n.g.F.
00150010 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00  i.l.e.I.n.f.o...

Did you say this was also referenced by a pointer, so I did not have to read through the whole file?

Okay, I am off to the race! Thank you!
#36
filever?
"Mayayana" wrote
A partial example to provide an idea of how this works:

If you open a PE file in a hex editor and look at bytes 60/61 (61st and 62nd because it starts at 0) you get a 2 byte big endian integer. The one I'm looking at right now shows C8 00. C8 is hex for decimal 200. That means the PE marker, PE**, where * is a null, is at offset 200. Looking for the string ".rsrc" between the PE marker and the end of the file header, if I find it then there's a resource section and I can find it. At offset 16 into the .rsrc table is the size of the resource section in bytes, as a big endian, 4-byte integer. The next 4 bytes indicate the offset where the resource section starts. Though there can be a complication if the PE has been aspack compressed, which many are.

But that's a sample overview of how it works. Complex data structures arranged systematically with numeric pointers to find them. Once you find the resource section offset, there's a complex system of subsections and pointers. There's lots of stuff like going to an offset to read 4 bytes that, in turn, point to another offset, where you'll find 4 bytes that point to the offset you want. It all works, but it's complicated. So people don't typically parse it directly.

I did it to extract icons in VBS because VBS is unique in its abilities and limitations: I can use it to parse a binary file but I can't use it to call API functions to extract icons. So I wrote scripts to extract icons from PE files "by hand". But for most purposes, such as getting version info, there are much easier ways to do it.
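The header walk Mayayana outlines, as an added Python example (not code from any poster, and Python standing in for Perl 6): it reads e_lfanew at offset 0x3C, checks the PE signature, skips the COFF and optional headers, and scans the section table for .rsrc, returning its RVA, raw file offset and raw size. The sample image is constructed with struct.pack and is assumed, not a real executable; every multi-byte field is decoded little-endian, as the PE specification defines them.

```python
import struct

def find_rsrc_section(data: bytes):
    """Walk MZ -> PE -> COFF -> section table and return the .rsrc section's
    (VirtualAddress, PointerToRawData, SizeOfRawData), or None if absent."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    # e_lfanew at 0x3C: file offset of the "PE\0\0" signature (little-endian per the PE spec)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    coff = e_lfanew + 4                                      # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                             # section headers follow the optional header
    for i in range(num_sections):
        hdr = table + i * 40                                 # each IMAGE_SECTION_HEADER is 40 bytes
        if hdr + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name = data[hdr:hdr + 8].rstrip(b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData sit at +8..+24
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        if name == b".rsrc":
            return va, raw_ptr, raw_size
    return None

def build_minimal_pe(with_rsrc: bool = True) -> bytes:
    """Constructed sample image (assumed, not a real executable): MZ stub, PE
    signature, COFF header with an empty optional header, one or two sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> 0x40
    sections = [(b".text", 0x1000, 0x200, 0x200)]            # (name, VirtualAddress, SizeOfRawData, PointerToRawData)
    if with_rsrc:
        sections.append((b".rsrc", 0x2000, 0x200, 0x400))
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader=0, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x100, va, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        for name, va, raw_size, raw_ptr in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + table

if __name__ == "__main__":
    print(find_rsrc_section(build_minimal_pe()))            # (8192, 1024, 512)
```

PointerToRawData is the file offset to seek to; the directory entries inside .rsrc are RVAs, so convert them with RVA - VirtualAddress + PointerToRawData before reading the file.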
#37
filever?
On 2/1/19 5:53 PM, Mayayana wrote:
> The format is documented here:
> https://docs.microsoft.com/en-us/win...ebug/pe-format

Not finding the revision, but I have found that if the file has a revision, it is right after

46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E (FileVersion)

and terminates with a 0D. I am off to the races!
#38
filever?
On 02/02/2019 00.20, T wrote:
> On 1/31/19 6:07 PM, Carlos E.R. wrote:
> I am using Linux Perl 6. The Windows Perl 5 module for this does a system call.
> Is this what you are referring to? https://en.wikipedia.org/wiki/Portab...VG_fixed.svg
> yes. I am not seeing the version number in the table. I could be blind.

Because it is possible that the version number doesn't exist as such. It may go like "if this field is present, or this variant, and this field is true, and this other is less than 32 then look into this byte and if 'a' then version is such". Just educated guessing.

But the starting point to analyze an exe is to read and decode the header. You can see that some of the sections are optional, others are pointers which may exist or not... You need some exhaustive documentation of the header. Some fields are named "characteristics".

version.dll exists. Also scrrun.dll:

/usr/lib/wine/version.dll.so
/usr/lib/wine/fakedlls/version.dll
/usr/lib64/wine/version.dll.so
/usr/lib64/wine/fakedlls/version.dll
/usr/lib/wine/scrrun.dll.so
/usr/lib/wine/fakedlls/scrrun.dll
/usr/lib64/wine/scrrun.dll.so
/usr/lib64/wine/fakedlls/scrrun.dll

They are part of wine. Use them. But I do not know how. I would assume the results to be at least as accurate as trying to decode the header from scratch yourself ;-)

--
Cheers, Carlos.
#39
filever?
"T" wrote
| Not finding what you are speaking of in
|
| https://en.wikibooks.org/wiki/X86_Di...ecutable_Files
|
| "PE Header"? Do you mean "PE Signature"?
|
| I would love a link to this documentation you refer to? Google
| has failed me here.
|

I posted a link in my last post to Paul. Your link looks like it also covers it. But as you can see, it's extremely complex. And it's not easy to grasp it in text format. A PE file has a complex header that provides pointers to sections. Resources is one section. But understanding the layout is almost a 3-D kind of thing. Or like complex, nested outlines, as in

A
B
C
  1
  2
  3
    A
    B
  4
D

PE signature is just PE00, which I explained in my last post, a minute ago. But this can't all be detailed in a newsgroup.

| I find this in filever.exe
|
| 00002C60 A4 03 34 00 00 00 56 00 53 00 5F 00 56 00 45 00  ..4...V.S._.V.E.
| 00002C70 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 00 4E 00  R.S.I.O.N._.I.N.
| 00002C80 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00  F.O.............
| 00002C90 01 00 05 00 00 00 28 0A 01 00 05 00 00 00 28 0A  ......(.......(.
| 00002CA0 3F 00 00 00 00 00 00 00 04 00 04 00 01 00 00 00  ?...............
| 00002CB0 00 00 00 00 00 00 00 00 00 00 00 00 02 03 00 00  ................
| 00002CC0 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00  ..S.t.r.i.n.g.F.
| 00002CD0 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00  i.l.e.I.n.f.o...
| 00002CE0 DE 02 00 00 01 00 30 00 34 00 30 00 39 00 30 00  ......0.4.0.9.0.
| 00002CF0 34 00 42 00 30 00 00 00 4C 00 16 00 01 00 43 00  4.B.0...L.....C.
| 00002D00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00  o.m.p.a.n.y.N.a.
| 00002D10 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00  m.e.....M.i.c.r.
| 00002D20 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00  o.s.o.f.t. .C.o.
| 00002D30 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00  r.p.o.r.a.t.i.o.
| 00002D40 6E 00 00 00 78 00 28 00 01 00 46 00 69 00 6C 00  n...x.(...F.i.l.
| 00002D50 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00  e.D.e.s.c.r.i.p.
| 00002D60 74 00 69 00 6F 00 6E 00 00 00 00 00 4D 00 69 00  t.i.o.n.....M.i.
| 00002D70 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00  c.r.o.s.o.f.t. .
| 00002D80 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 20 00  V.e.r.s.i.o.n. .
|
| but nowhere else
|

Nowhere else? It would be easier to help you if you would be more clear in what you write.

First, be aware that a PE file does not have to have resources or version info. In the snippet above it looks like you found the version info in English. Looking for that is a hack, but in general it should work. It will be rare that someone will have stored "VS_VERSION_INFO" in unicode, in a string table. So if you find it then you probably have the right spot. Then you can go from there to find "FileVersion". After that are the version bytes. I'm not sure if it will always have exactly "FileVersion", but if you're going to use a hack method you can't be picky. Just assume it will work and be ready to quit if you can't find that string in, say, the next 1,000 bytes.
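The search Mayayana describes, as an added Python example (not any poster's code, Python standing in for Perl 6): it looks for the UTF-16LE key "VS_VERSION_INFO", but instead of going on to the "FileVersion" string it decodes the binary VS_FIXEDFILEINFO that follows the key (the BD 04 EF FE signature visible in the dump above) and reads the version out of dwFileVersionMS/LS. The sample bytes are transcribed from the posted filever.exe dump, with a decoy copy of the key in front of them so the false-hit path is exercised.

```python
import struct

VS_KEY = "VS_VERSION_INFO".encode("utf-16-le")   # szKey of the VS_VERSIONINFO block
FIXEDFILEINFO_SIG = 0xFEEF04BD                   # dwSignature of VS_FIXEDFILEINFO (bytes BD 04 EF FE)

def parse_fixed_file_info(data: bytes, key_pos: int):
    """Given the offset of one 'VS_VERSION_INFO' hit, decode the VS_FIXEDFILEINFO
    that follows it; return None if the surrounding bytes are not a real block."""
    start = key_pos - 6                          # wLength, wValueLength, wType precede szKey
    if start < 0:
        return None
    w_length, w_value_length, w_type = struct.unpack_from("<HHH", data, start)
    key_end = key_pos + len(VS_KEY) + 2          # szKey includes its UTF-16 NUL terminator
    fixed = key_end + (-(key_end - start)) % 4   # value is DWORD-aligned relative to the block start
    if w_type != 0 or w_value_length != 52 or fixed + 52 > len(data):
        return None                              # 52 == sizeof(VS_FIXEDFILEINFO); wType 0 == binary value
    f = struct.unpack_from("<13I", data, fixed)
    if f[0] != FIXEDFILEINFO_SIG:
        return None                              # key text found but no fixed-info signature: false hit
    def dotted(ms, ls):
        return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"
    return {
        "file_version": dotted(f[2], f[3]),      # dwFileVersionMS / dwFileVersionLS
        "product_version": dotted(f[4], f[5]),   # dwProductVersionMS / dwProductVersionLS
        "file_type": f[9],                       # dwFileType (1 == VFT_APP)
        "block_length": w_length,                # total size of the VS_VERSIONINFO block
    }

def find_file_version(data: bytes):
    """Scan for every UTF-16LE 'VS_VERSION_INFO' and return the first one with a valid block."""
    pos = data.find(VS_KEY)
    while pos != -1:
        info = parse_fixed_file_info(data, pos)
        if info is not None:
            return info
        pos = data.find(VS_KEY, pos + 1)
    return None                                  # no version resource, or a damaged one

# Constructed sample: a decoy copy of the key surrounded by filler, then the bytes at
# 0x2C60..0x2CDF transcribed from the filever.exe hex dump posted in this thread.
SAMPLE = b"\xCC" * 8 + VS_KEY + b"\xCC" * 6 + bytes.fromhex(
    "A4033400 00005600 53005F00 56004500"
    "52005300 49004F00 4E005F00 49004E00"
    "46004F00 00000000 BD04EFFE 00000100"
    "01000500 0000280A 01000500 0000280A"
    "3F000000 00000000 04000400 01000000"
    "00000000 00000000 00000000 02030000"
    "01005300 74007200 69006E00 67004600"
    "69006C00 65004900 6E006600 6F000000"
)

if __name__ == "__main__":
    print(find_file_version(SAMPLE))             # file_version '5.1.2600.0'
```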
#40
filever?
On 2/1/19 5:40 PM, Mayayana wrote:
> "T" wrote
> | What I really, really could use is the definition of this metadata
> | so I knew where to look. Once I know where to look, digging out
> | the version is child's play with Perl (6).
> |
> I've explained it twice, which is why RBFrank made his comment. It's a resource. In the resource section of PE files. PE files have different sections. Resources is one of them. You find the offset by looking in the header. You can get some help with that by looking at the icon extractor script I already told you about twice. Or you can just look up PE headers. It's all documented.
>
> Perl is not going to make anything child's play. It's a very complicated file structure. If Perl can search strings and walk byte arrays then it can do the job, but the hard part is all those details of hunting down pointers to pointers to pointers inside a PE file.
>
> Then there's the question of why you need to find versions of Windows PE files on Linux, not under WINE. But I don't dare ask.

A C programmer (damn those guys are brilliant) told me it is in the "PE Optional Header", not the "Optional Header".
#41
filever?
On 2/1/19 6:39 PM, Mayayana wrote:
> Nowhere else?

I was looking at a corrupted exe. Good ones all have what I am looking for.
#42
filever?
On 2/1/19 6:43 PM, T wrote:
> On 2/1/19 5:40 PM, Mayayana wrote:
> "T" wrote
> | What I really, really could use is the definition of this metadata
> | so I knew where to look. Once I know where to look, digging out
> | the version is child's play with Perl (6).
> |
> I've explained it twice, which is why RBFrank made his comment. It's a resource. In the resource section of PE files. PE files have different sections. Resources is one of them. You find the offset by looking in the header. You can get some help with that by looking at the icon extractor script I already told you about twice. Or you can just look up PE headers. It's all documented.
>
> Perl is not going to make anything child's play. It's a very complicated file structure. If Perl can search strings and walk byte arrays then it can do the job, but the hard part is all those details of hunting down pointers to pointers to pointers inside a PE file.
>
> Then there's the question of why you need to find versions of Windows PE files on Linux, not under WINE. But I don't dare ask.
>
> A C programmer (damn those guys are brilliant) told me it is in the "PE Optional Header", not the "Optional Header".

That should have been "PE Header".
#43
filever?
On 02/02/2019 03.15, T wrote:
> On 2/1/19 5:46 PM, T wrote:
> On 2/1/19 5:35 PM, Paul wrote:
> https://en.wikibooks.org/wiki/X86_Di...ecutable_Files
>
> I am able to find those headers with hexedit. Not finding the file version in the page. :'(
>
> I don't care if I can figure out the file version of an exe dated back from 1935. The most recent will do. The exe's I will be analyzing will all be only months old at that.
>
> If, from Windows, right clicking on the exe and left clicking on properties will give you the version, I am happy. I just want to do it from Linux with Perl 6.
>
> Wait just a minute. I double checked a few more exe's and they do not have a revision according to filever. So I checked a third and fourth and they do indeed have
>
> 00150000 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00  ..S.t.r.i.n.g.F.
> 00150010 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00  i.l.e.I.n.f.o...
>
> Did you say this was also referenced by a pointer, so I did not have to read through the whole file?
>
> Okay, I am off to the race! Thank you!

Wait. Are you seeking the version a program reports about itself? Like asking word.exe what version it is? Like in Linux doing "man --version"? Which is why you are looking at "resources" and strings?

Because in that case, I was not talking of that at all. It is impossible to give a generic method to find that "version"; it is up to that program's programmer. I'm only talking about the format of the exe file.

And in that case, the quick bet is using the wine api.

--
Cheers, Carlos.
#44
filever?
On 2/1/19 7:04 PM, Carlos E.R. wrote:
> On 02/02/2019 03.15, T wrote:
> On 2/1/19 5:46 PM, T wrote:
> On 2/1/19 5:35 PM, Paul wrote:
> https://en.wikibooks.org/wiki/X86_Di...ecutable_Files
>
> I am able to find those headers with hexedit. Not finding the file version in the page. :'(
>
> I don't care if I can figure out the file version of an exe dated back from 1935. The most recent will do. The exe's I will be analyzing will all be only months old at that.
>
> If, from Windows, right clicking on the exe and left clicking on properties will give you the version, I am happy. I just want to do it from Linux with Perl 6.
>
> Wait just a minute. I double checked a few more exe's and they do not have a revision according to filever. So I checked a third and fourth and they do indeed have
>
> 00150000 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00  ..S.t.r.i.n.g.F.
> 00150010 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00  i.l.e.I.n.f.o...
>
> Did you say this was also referenced by a pointer, so I did not have to read through the whole file?
>
> Okay, I am off to the race! Thank you!
>
> Wait. Are you seeking the version a program reports about itself? Like asking word.exe what version it is? Like in Linux doing "man --version"? Which is why you are looking at "resources" and strings?

Yup.
#45
filever?
On 2/1/19 6:33 PM, T wrote:
> On 2/1/19 5:53 PM, Mayayana wrote:
> The format is documented here:
> https://docs.microsoft.com/en-us/win...ebug/pe-format
>
> Not finding the revision, but I have found that if the file has a revision, it is right after
>
> 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E (FileVersion)
>
> and terminates with a 0D. I am off to the races!

Just some initial playing around (reading the first 40 bytes):

$ p6 'my $handle = open("filever.exe", :bin, :ro); my Buf $b; $b = $handle.read(40); say $b; if ( $b[2] == 0x90 ) { say "y" } else { say "n" }; $handle.close;'
Buf[uint8]:0x4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
y