A Windows XP help forum. PCbanter

filever?

#31  Mayayana  February 2nd 19, 01:40 AM  posted to alt.comp.os.windows-10

"T" wrote

| What I really, really could use is the definition of this metadata
| so I knew where to look. Once I know where to look, digging out
| the version is child's play with Perl (6).
|

I've explained it twice, which is why RBFrank made his comment.
It's a resource. In the resource section of PE files. PE files have
different sections. Resources is one of them. You find the offset
by looking in the header. You can get some help with that by
looking at the icon extractor script I already told you about twice.
Or you can just look up PE headers. It's all documented.

Perl is not going to make anything child's play. It's a very
complicated file structure. If Perl can search strings and walk
byte arrays then it can do the job, but the hard part is all those
details of hunting down pointers to pointers to pointers inside
a PE file.

Then there's the question of why you need to find versions
of Windows PE files on Linux, not under WINE. But I don't
dare ask.


#32  T  February 2nd 19, 01:46 AM  posted to alt.comp.os.windows-10

On 2/1/19 5:35 PM, Paul wrote:

https://en.wikibooks.org/wiki/X86_Di...ecutable_Files


I am able to find those headers with hexedit.

Not finding the file version in the page. :'(

I don't care if I can figure out the file version
of an exe dated back from 1935. The most recent
will do. The exe's I will be analyzing will all be
only months old at that.

If from Windows, right clicking on the exe and left
click on properties will give you the version, I am
happy. I just want to do it from Linux with Perl 6.
#33  Mayayana  February 2nd 19, 01:53 AM  posted to alt.comp.os.windows-10

"Paul" wrote

| My problem is, I can't even make a list of all the file
| formats to be analyzed. I can't be certain that I would
| have a complete set. It's one thing to find a little info
| in isolation, but does this cover everything I'll find
| in the wild ? For example, MINGW compiled programs are
| debugged in gdb, while Visual Studio compiled programs
| are debugged in windbg. Because apparently at some level,
| they're not the same thing. How many variants are there ?

I don't know what MINGW is, but a Win32 PE file has a
standardized format. I've never looked at a Win64 PE
file. I suspect it's the same header but with different data
sizes, defaulting to 8-byte rather than 4-byte data.

The format is documented here:

https://docs.microsoft.com/en-us/win...ebug/pe-format

Though I don't think that's a great way to read it. It's easier
if you can read it like a chart or struct.

.Net is different. I don't know the details, but .Net EXEs are
not actually compiled. Like Java, there's some kind of EXE
part that calls the runtime, mscoree, which then takes over.
It's useless without mscoree.
Similarly, I don't know what file extension they use on Metro
apps these days, but last I heard they're basically scripted HTA
files. Browser apps. So if they have some kind of EXE structure it
would only be some kind of stub, like what's used to make an
SFX, that then calls whatever load of crap makes sense of a
Metro app.

To put it another way, PE is PE. It hasn't changed. That
applies to EXE, DLL, OCX. But some newer gimmicks like .Net
and Metro may be just using PE stubs or partial PE files for
backward compatibility.


#34  T  February 2nd 19, 02:01 AM  posted to alt.comp.os.windows-10

On 2/1/19 5:40 PM, Mayayana wrote:
"T" wrote

| What I really, really could use is the definition of this metadata
| so I knew where to look. Once I know where to look, digging out
| the version is child's play with Perl (6).
|

I've explained it twice, which is why RBFrank made his comment.
It's a resource. In the resource section of PE files. PE files have
different sections. Resources is one of them. You find the offset
by looking in the header. You can get some help with that by
looking at the icon extractor script I already told you about twice.
Or you can just look up PE headers. It's all documented.

Perl is not going to make anything child's play. It's a very
complicated file structure. If Perl can search strings and walk
byte arrays then it can do the job, but the hard part is all those
details of hunting down pointers to pointers to pointers inside
a PE file.

Then there's the question of why you need to find versions
of Windows PE files on Linux, not under WINE. But I don't
dare ask.




Not finding what you are speaking of in

https://en.wikibooks.org/wiki/X86_Di...ecutable_Files

"PE Header"? Do you mean "PE Signature"?

I would love a link to this documentation you refer to? Google
has failed me here.


I find this is filever.exe

00002C60  A4 03 34 00 00 00 56 00 53 00 5F 00 56 00 45 00  ...4...V.S._.V.E.
00002C70  52 00 53 00 49 00 4F 00 4E 00 5F 00 49 00 4E 00  R.S.I.O.N._.I.N.
00002C80  46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00  F.O.............
00002C90  01 00 05 00 00 00 28 0A 01 00 05 00 00 00 28 0A  .......(.......(.
00002CA0  3F 00 00 00 00 00 00 00 04 00 04 00 01 00 00 00  ?...............
00002CB0  00 00 00 00 00 00 00 00 00 00 00 00 02 03 00 00  .................
00002CC0  01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00  ...S.t.r.i.n.g.F.
00002CD0  69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00  i.l.e.I.n.f.o...
00002CE0  DE 02 00 00 01 00 30 00 34 00 30 00 39 00 30 00  .......0.4.0.9.0.
00002CF0  34 00 42 00 30 00 00 00 4C 00 16 00 01 00 43 00  4.B.0...L.....C.
00002D00  6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00  o.m.p.a.n.y.N.a.
00002D10  6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00  m.e.....M.i.c.r.
00002D20  6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00  o.s.o.f.t. .C.o.
00002D30  72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00  r.p.o.r.a.t.i.o.
00002D40  6E 00 00 00 78 00 28 00 01 00 46 00 69 00 6C 00  n...x.(...F.i.l.
00002D50  65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00  e.D.e.s.c.r.i.p.
00002D60  74 00 69 00 6F 00 6E 00 00 00 00 00 4D 00 69 00  t.i.o.n.....M.i.
00002D70  63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00  c.r.o.s.o.f.t. .
00002D80  56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 20 00  V.e.r.s.i.o.n. .


but no where else

#35  T  February 2nd 19, 02:15 AM  posted to alt.comp.os.windows-10

On 2/1/19 5:46 PM, T wrote:
On 2/1/19 5:35 PM, Paul wrote:

https://en.wikibooks.org/wiki/X86_Di...ecutable_Files


I am able to find those headers with hexedit.

Not finding the file version in the page. :'(

I don't care if I can figure out the file version
of an exe dated back from 1935. The most recent
will do. The exe's I will be analyzing will all be
only months old at that.

If from Windows, right clicking on the exe and left
click on properties will give you the version, I am
happy. I just want to do it from Linux with Perl 6.



Wait just a minute. I double checked a few more exe's and it
does not have a revision according to filever. So I checked
a third and fourth and they do indeed have


00150000  01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00  ..S.t.r.i.n.g.F.
00150010  69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00  i.l.e.I.n.f.o...

Did you say this was also referenced by a pointer so I did not
have to read through the whole file?

Okay, I am off to the race! Thank you!

#36  Mayayana  February 2nd 19, 02:18 AM  posted to alt.comp.os.windows-10

"Mayayana" wrote


A partial example to provide an idea of how this works:

If you open a PE file in a hex editor and look at bytes 60/61
(61st and 62nd because it starts at 0) you get a 2 byte
big endian integer. The one I'm looking at right now shows
C8 00. C8 is hex for decimal 200. That means the PE marker,
PE**, where * is a null, is at offset 200. Looking for the
string ".rsrc" between the PE marker and the end of the file
header, if I find it then there's a resource section and I
can find it. At offset 16 into the .rsrc table is the size of
the resource section in bytes, as a big endian, 4-byte integer.
The next 4 bytes indicates the offset where the resource
section starts. Though there can be a complication if the
PE has been aspack compressed, which many are. But that's
a sample overview of how it works. Complex data structures
arranged systematically with numeric pointers to find them.

Once you find the resource section offset, there's a complex
system of subsections and pointers. There's lots of stuff like
going to an offset to read 4 bytes that, in turn, point to another
offset, where you'll find 4 bytes that point to the offset you
want. It all works, but it's complicated. So people don't
typically parse it directly. I did it to extract icons in VBS because
VBS is unique in its abilities and limitations: I can use it to parse
a binary file but I can't use it to call API functions to extract
icons. So I wrote scripts to extract icons from PE files "by hand".

But for most purposes, such as getting version info, there
are much easier ways to do it.
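The walk Mayayana sketches above (MZ header, e_lfanew, PE signature, section table, .rsrc, then the chain of pointers inside the resource section) as working code. This is an added example, in Python rather than the Perl 6 used in the thread, and is not code from the thread or from filever.exe. It reads every integer as little-endian, which is what the PE format specifies, and it accepts both PE32 (magic 0x10B) and PE32+ (magic 0x20B) images, since the only difference that matters for locating .rsrc is the optional header's size, which the COFF header records. The sample image it builds is constructed for the test and is not a runnable executable.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B   # optional-header magic: 32-bit PE32 vs 64-bit PE32+
RT_VERSION = 16                             # resource type ID for version information
VS_FFI_SIGNATURE = 0xFEEF04BD               # VS_FIXEDFILEINFO.dwSignature (BD 04 EF FE on disk)

def u16(b, o): return struct.unpack_from("<H", b, o)[0]   # every PE integer is little-endian
def u32(b, o): return struct.unpack_from("<I", b, o)[0]

def parse_sections(pe):
    """MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header -> section table."""
    if pe[:2] != b"MZ": raise ValueError("not an MZ/PE file")
    e_lfanew = u32(pe, 0x3C)                         # file offset of the PE signature
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0": raise ValueError("PE signature missing")
    coff = e_lfanew + 4                              # 20-byte IMAGE_FILE_HEADER
    nsections, opt_size = u16(pe, coff + 2), u16(pe, coff + 16)
    magic = u16(pe, coff + 20)                       # first WORD of the optional header
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(nsections):                       # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        h = coff + 20 + opt_size + 40 * i
        name = pe[h:h + 8].rstrip(b"\0")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, h + 8)
        sections.append((name, va, vsize, rawptr, rawsize))
    return magic, sections

def rva_to_offset(sections, rva):
    """Resource data pointers are RVAs; translate one to a file offset via the section table."""
    for _, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA %#x is not inside any section" % rva)

def find_resource(pe, want_type):
    """Walk the resource directory tree (type -> name -> language) and return the raw
    bytes of the first leaf under the requested type, or None if there is none."""
    _, sections = parse_sections(pe)
    rsrc = next((s for s in sections if s[0] == b".rsrc"), None)
    if rsrc is None:
        return None
    base = rsrc[3]                                   # PointerToRawData: tree offsets are relative to it

    def walk(dir_off, depth):
        # IMAGE_RESOURCE_DIRECTORY: 12 bytes, then NumberOfNamedEntries and NumberOfIdEntries
        count = u16(pe, dir_off + 12) + u16(pe, dir_off + 14)
        for i in range(count):
            entry = dir_off + 16 + 8 * i             # IMAGE_RESOURCE_DIRECTORY_ENTRY: Name/Id, OffsetToData
            ident, offset = u32(pe, entry), u32(pe, entry + 4)
            if depth == 0 and ident != want_type:
                continue                             # level-0 keys are resource types
            if offset & 0x80000000:                  # high bit set: offset of a subdirectory
                found = walk(base + (offset & 0x7FFFFFFF), depth + 1)
                if found is not None:
                    return found
            else:                                    # high bit clear: IMAGE_RESOURCE_DATA_ENTRY
                data_rva, size = u32(pe, base + offset), u32(pe, base + offset + 4)
                off = rva_to_offset(sections, data_rva)
                return pe[off:off + size]
        return None

    return walk(base, 0)

def fixed_file_version(blob):
    """(major, minor, build, revision) from the VS_FIXEDFILEINFO that follows the
    VS_VERSIONINFO header: wLength, wValueLength, wType, L"VS_VERSION_INFO", DWORD padding."""
    key = "VS_VERSION_INFO".encode("utf-16-le") + b"\0\0"
    if blob[6:6 + len(key)] != key: raise ValueError("not a VS_VERSIONINFO block")
    off = (6 + len(key) + 3) & ~3                    # 40: the value is DWORD-aligned
    if u32(blob, off) != VS_FFI_SIGNATURE: raise ValueError("VS_FIXEDFILEINFO signature mismatch")
    ms, ls = u32(blob, off + 8), u32(blob, off + 12) # dwFileVersionMS, dwFileVersionLS
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def file_version(pe):
    blob = find_resource(pe, RT_VERSION)
    return None if blob is None else fixed_file_version(blob)

def build_sample_pe(version=(1, 0, 2, 57)):
    """Constructed test input (not a real executable): a PE32+ image whose only section is
    .rsrc, holding one RT_VERSION resource under type 16 -> name 1 -> language 0x0409."""
    ms, ls = (version[0] << 16) | version[1], (version[2] << 16) | version[3]
    fixed = struct.pack("<13I", VS_FFI_SIGNATURE, 0x10000, ms, ls, ms, ls, 0x3F, 0, 0x40004, 1, 0, 0, 0)
    key = "VS_VERSION_INFO".encode("utf-16-le") + b"\0\0"
    blob = struct.pack("<HHH", 40 + len(fixed), len(fixed), 0) + key + b"\0\0" + fixed
    def directory(ident, target, subdir):           # one-entry IMAGE_RESOURCE_DIRECTORY, 24 bytes
        return struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", ident, target | (0x80000000 if subdir else 0))
    rsrc_rva, raw_off = 0x1000, 0x200
    tree = (directory(RT_VERSION, 24, True) + directory(1, 48, True) + directory(0x409, 72, False)
            + struct.pack("<IIII", rsrc_rva + 88, len(blob), 0, 0) + blob)   # data entry at 72, data at 88
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)           # x64, 1 section, 240-byte optional header
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 238
    sect = b".rsrc\0\0\0" + struct.pack("<IIIIIIHHI", len(tree), rsrc_rva, len(tree), raw_off, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers + b"\0" * (raw_off - len(headers)) + tree
```

On a real file call `file_version(open(path, "rb").read())`; the sample returns `(1, 0, 2, 57)`. Two caveats a practitioner will hit: a version resource is optional, so `None` is a normal answer, and a packed executable (ASPack is mentioned upthread) usually has its .rsrc compressed or rebuilt, in which case this walk either raises or returns nonsense and nothing short of unpacking recovers the real data. The binary fields read here are what to compare when ordering versions; the strings in StringFileInfo are free text set by whoever built the file.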


#37  T  February 2nd 19, 02:33 AM  posted to alt.comp.os.windows-10

On 2/1/19 5:53 PM, Mayayana wrote:

The format is documented here:

https://docs.microsoft.com/en-us/win...ebug/pe-format


Not finding the revision, but I have found that if the file has a
revision, it is right after

46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E
(FileVersion) and terminates with a 0D.

I am off to the races!

#38  Carlos E.R.  February 2nd 19, 02:38 AM  posted to alt.comp.os.windows-10

On 02/02/2019 00.20, T wrote:
On 1/31/19 6:07 PM, Carlos E.R. wrote:






I am using Linux Perl 6. The Windows Perl 5 module for this does
a system call.

Is this what you are referring to?

https://en.wikipedia.org/wiki/Portab...VG_fixed.svg


yes.



I am not seeing the version number in the table. I could be blind.


Because it is possible that the version number doesn't exist as such. It
may go like "if this field is present, or this variant, and this field
is true, and this other is less than 32 then look into this byte and if
'a' then version is such.

Just educated guessing.

But the starting point to analyze an exe is to read and decode the
header. You can see that some of the sections are optional, others are
pointers which may exist or not... You need some exhaustive
documentation of the header. Some fields are named "characteristics".


version.dll exists. Also scrrun.dll

/usr/lib/wine/version.dll.so
/usr/lib/wine/fakedlls/version.dll
/usr/lib64/wine/version.dll.so
/usr/lib64/wine/fakedlls/version.dll

/usr/lib/wine/scrrun.dll.so
/usr/lib/wine/fakedlls/scrrun.dll
/usr/lib64/wine/scrrun.dll.so
/usr/lib64/wine/fakedlls/scrrun.dll

They are part of wine. Use them. But I do not know how. I would assume
the results to be at least as accurate as trying to decode the header
from scratch yourself ;-)


--
Cheers, Carlos.
#39  Mayayana  February 2nd 19, 02:39 AM  posted to alt.comp.os.windows-10

"T" wrote

| Not finding what you are speaking of in
|
| https://en.wikibooks.org/wiki/X86_Di...ecutable_Files
|
| "PE Header"? Do you mean "PE Signature"?
|
| I would love a link to this documentation you refer to? Google
| has failed me here.
|
I posted a link in my last post to Paul. Your link looks like it
also covers it. But as you can see, it's extremely complex.
And it's not easy to grasp it in text format. A PE file has a
complex header that provides pointers to sections. Resources
is one section. But understanding the layout is almost a
3-D kind of thing. Or like complex, nested outlines, as in
    A
    B
    C
        1
        2
        3
            A
            B
        4
    D

PE signature is just PE00, which I explained in my last post,
a minute ago. But this can't all be detailed in a newsgroup.

|
| I find this is filever.exe
|
| 00002C60  A4 03 34 00 00 00 56 00 53 00 5F 00 56 00 45 00  ..4...V.S._.V.E.
| 00002C70  52 00 53 00 49 00 4F 00 4E 00 5F 00 49 00 4E 00  R.S.I.O.N._.I.N.
| 00002C80  46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00  F.O.............
| 00002C90  01 00 05 00 00 00 28 0A 01 00 05 00 00 00 28 0A  ......(.......(.
| 00002CA0  3F 00 00 00 00 00 00 00 04 00 04 00 01 00 00 00  ?...............
| 00002CB0  00 00 00 00 00 00 00 00 00 00 00 00 02 03 00 00  ................
| 00002CC0  01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00  ..S.t.r.i.n.g.F.
| 00002CD0  69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00  i.l.e.I.n.f.o...
| 00002CE0  DE 02 00 00 01 00 30 00 34 00 30 00 39 00 30 00  ......0.4.0.9.0.
| 00002CF0  34 00 42 00 30 00 00 00 4C 00 16 00 01 00 43 00  4.B.0...L.....C.
| 00002D00  6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00  o.m.p.a.n.y.N.a.
| 00002D10  6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00  m.e.....M.i.c.r.
| 00002D20  6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00  o.s.o.f.t. .C.o.
| 00002D30  72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00  r.p.o.r.a.t.i.o.
| 00002D40  6E 00 00 00 78 00 28 00 01 00 46 00 69 00 6C 00  n...x.(...F.i.l.
| 00002D50  65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00  e.D.e.s.c.r.i.p.
| 00002D60  74 00 69 00 6F 00 6E 00 00 00 00 00 4D 00 69 00  t.i.o.n.....M.i.
| 00002D70  63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00  c.r.o.s.o.f.t. .
| 00002D80  56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 20 00  V.e.r.s.i.o.n. .
|
|
| but no where else
|

Nowhere else? It would be easier to help you if you would
be more clear in what you write.

First, be aware that a PE file does not have to have resources
or version info. In the snippet above it looks like you found the
version info in English. Looking for that is a hack, but in
general it should work. It will be rare that someone will have
stored "VS_VERSION_INFO" in unicode, in a string table. So
if you find it then you probably have the right spot. Then you
can go from there to find "FileVersion". After that are the
version bytes. I'm not sure if it will always have exactly
"FileVersion", but if you're going to use a hack method you
can't be picky. Just assume it will work and be ready to quit
if you can't find that string in, say, the next 1,000 bytes.
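The string-search hack described in this post, and the FileVersion string T located a few posts earlier, as working code. This is an added example in Python, not code from the thread: it searches for L"VS_VERSION_INFO", then for the L"FileVersion" key within a bounded window, and reads the value that follows the key's DWORD padding. One check is added beyond what the post describes: a candidate key is accepted only if the six bytes before it look like a String header (wType 1 and a sane wValueLength), because a program that itself queries version info carries the same literals in its own data and a plain search can land on those. The input it builds is constructed for the test, with such a decoy at 0x100 and the real resource at 0x2C60.

```python
import struct

def utf16z(s):
    """UTF-16LE with a terminating NUL, the encoding of every szKey and string Value."""
    return s.encode("utf-16-le") + b"\0\0"

def vs_block(key, value=b"", children=b"", wtype=1):
    """One block of the VS_VERSIONINFO family (VS_VERSIONINFO, StringFileInfo, StringTable,
    String): wLength, wValueLength, wType, szKey, Padding1, Value, Padding2, Children."""
    head = struct.pack("<HHH", 0, len(value) // 2 if wtype == 1 else len(value), wtype) + utf16z(key)
    head += b"\0" * (-len(head) % 4)                   # Padding1: Value starts on a DWORD boundary
    body = head + value
    if children:
        body += b"\0" * (-len(body) % 4) + children    # Padding2: Children start on a DWORD boundary
    return struct.pack("<H", len(body)) + body[2:]     # patch wLength; trailing padding is not counted

def sequence(*blocks):
    """Sibling blocks sit back to back, each padded so the next one starts DWORD-aligned."""
    return b"".join(b + b"\0" * (-len(b) % 4) for b in blocks)

def build_sample_versioninfo(file_version="10.0.17763.1"):
    """Constructed test input: VS_VERSIONINFO -> StringFileInfo -> StringTable "040904B0"
    -> String entries. No VS_FIXEDFILEINFO, so the root's wValueLength is 0."""
    strings = [vs_block("CompanyName", utf16z("Example Corp")), vs_block("ProductVersion", utf16z("10.0"))]
    if file_version is not None:
        strings.insert(1, vs_block("FileVersion", utf16z(file_version)))
    table = vs_block("040904B0", children=sequence(*strings))   # lang 0x0409, code page 0x04B0 (Unicode)
    return vs_block("VS_VERSION_INFO", children=vs_block("StringFileInfo", children=table), wtype=0)

def build_sample_file():
    """Constructed test input shaped like a tool that queries version info itself: its own
    literals L"VS_VERSION_INFO" and L"\\StringFileInfo\\040904B0\\FileVersion" sit at 0x100
    (the decoy); the real version resource sits at 0x2C60, as in the dump posted upthread."""
    decoy = utf16z("VS_VERSION_INFO") + utf16z("\\StringFileInfo\\040904B0\\FileVersion")
    image = b"\0" * 0x100 + decoy
    return image + b"\0" * (0x2C60 - len(image)) + build_sample_versioninfo() + b"\0" * 64

def scan_file_version(data, key_name="FileVersion", window=4096):
    """Find L"VS_VERSION_INFO", then the String whose szKey is key_name within `window`
    bytes of it, and return its Value. Returns None when there is no version info or the
    key is not found near any marker."""
    marker, key = "VS_VERSION_INFO".encode("utf-16-le"), utf16z(key_name)
    start = data.find(marker)
    while start >= 0:
        root = start - 6                                  # the 6-byte header precedes szKey
        k = data.find(key, start, start + window)
        while k >= 0:
            _, n_words, w_type = struct.unpack_from("<HHH", data, k - 6)
            if w_type == 1 and 0 < n_words <= 256:        # looks like a String header, not a literal
                value = k + len(key)
                value += (root - value) % 4               # Padding1 is measured from the block start
                return data[value:value + 2 * n_words].decode("utf-16-le").rstrip("\0")
            k = data.find(key, k + 2, start + window)
        start = data.find(marker, start + len(marker))
    return None

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_file()
    print(scan_file_version(data), scan_file_version(data, "ProductVersion"))
```

Run it on any file with `python3 scan.py some.exe`; on the constructed input it prints `10.0.17763.1 10.0`, having skipped the decoy because the bytes before the literal are `B0\` rather than a String header. The value is free text chosen at build time, so two files can claim the same version with different code, and a CompanyName of "Microsoft Corporation" is not evidence of origin; the resource is unsigned data, and only the Authenticode signature, checked separately, says who produced the file.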


#40  T  February 2nd 19, 02:43 AM  posted to alt.comp.os.windows-10

On 2/1/19 5:40 PM, Mayayana wrote:
"T" wrote

| What I really, really could use is the definition of this metadata
| so I knew where to look. Once I know where to look, digging out
| the version is child's play with Perl (6).
|

I've explained it twice, which is why RBFrank made his comment.
It's a resource. In the resource section of PE files. PE files have
different sections. Resources is one of them. You find the offset
by looking in the header. You can get some help with that by
looking at the icon extractor script I already told you about twice.
Or you can just look up PE headers. It's all documented.

Perl is not going to make anything child's play. It's a very
complicated file structure. If Perl can search strings and walk
byte arrays then it can do the job, but the hard part is all those
details of hunting down pointers to pointers to pointers inside
a PE file.

Then there's the question of why you need to find versions
of Windows PE files on Linux, not under WINE. But I don't
dare ask.




A C programmer (damn those guys are brilliant) told me it is
in the "PE Optional Header" not the "Optional Header"


#41  T  February 2nd 19, 02:44 AM  posted to alt.comp.os.windows-10

On 2/1/19 6:39 PM, Mayayana wrote:
Nowhere else?


I was looking at a corrupted exe. Good ones all have
what I am looking for
#42  T  February 2nd 19, 02:45 AM  posted to alt.comp.os.windows-10

On 2/1/19 6:43 PM, T wrote:

A C programmer (damn those guys are brilliant) told me it is
in the "PE Optional Header" not the "Optional Header"



That should have been "PE Header"

#43  Carlos E.R.  February 2nd 19, 03:04 AM  posted to alt.comp.os.windows-10

On 02/02/2019 03.15, T wrote:
On 2/1/19 5:46 PM, T wrote:
On 2/1/19 5:35 PM, Paul wrote:

https://en.wikibooks.org/wiki/X86_Di...ecutable_Files


I am able to find those headers with hexedit.

Not finding the file version in the page. :'(

I don't care if I can figure out the file version
of an exe dated back from 1935. The most recent
will do. The exe's I will be analyzing will all be
only months old at that.

If from Windows, right clicking on the exe and left
click on properties will give you the version, I am
happy. I just want to do it from Linux with Perl 6.



Wait just a minute. I double checked a few more exe's and it
does not have a revision according to filever. So I checked
a third and fourth and they do indeed have


00150000  01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00  ..S.t.r.i.n.g.F.
00150010  69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00  i.l.e.I.n.f.o...

Did you say this was also referenced by a pointer so I did not
have to read through the whole file?

Okay, I am off to the race! Thank you!


Wait. Are you seeking for the version a program reports about itself?
Like asking word.exe what version it is? Like in Linux doing: "man
--version"? Which is why you are looking at "resources" and strings?

Because in that case, I was not talking of that at all. It is impossible
to give a generic method to find that "version", it is up to that
program programmer.

I'm only talking about the format of the exe file. And in that case, the
quick bet is using the wine api.

--
Cheers, Carlos.
#44  T  February 2nd 19, 03:20 AM  posted to alt.comp.os.windows-10

On 2/1/19 7:04 PM, Carlos E.R. wrote:

Wait. Are you seeking for the version a program reports about itself?
Like asking word.exe what version it is? Like in Linux doing: "man
--version"? Which is why you are looking at "resources" and strings?


Yup.



#45  T  February 2nd 19, 03:29 AM  posted to alt.comp.os.windows-10

On 2/1/19 6:33 PM, T wrote:
On 2/1/19 5:53 PM, Mayayana wrote:

The format is documented here:

https://docs.microsoft.com/en-us/win...ebug/pe-format


Not finding the revision, but I have found that if the file has a
revision, it is right after

46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E
(FileVersion) and terminates with a 0D.

I am off to the races!



Just some initial playing around (reading the first 40 bytes):

$ p6 '
    my $handle = open("filever.exe", :bin, :ro);
    my Buf $b = $handle.read(40);      # first 40 bytes: the start of the DOS (MZ) header
    say $b;
    # numeric compare with ==; eq would compare the two values as strings
    if $b[2] == 0x90 { say "y" } else { say "n" }
    $handle.close;
'

Buf[uint8]:0x4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00
00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
y


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.