Is it possible to show the info that is in the file header struct of a PE file,
like the example from Iczelion's tut 7, and show the info in a dialog box?
If so, how could it be done?
Mainly to learn more about PE files.
Thanks in advance.
Tweak,
f0dder recently posted a link to a later version of the PE specification from Microsoft, which was updated in about 2001. It is in PDF format, but it's a very useful document to have if you are interested in the PE specification.
Regards,
But this was more like what I was trying to obtain.
Just so I could peek and compare the differences between different PE files on my system,
to see what kind of different info each may contain. Most of it I copied from, because
I don't understand SEH well enough to write my own SEH, but the rest I wrote myself.
But MASM complains about
mov edi,[edi].FileHeader
error A2022: instruction operands must be the same size
Please help me to understand why I get this error.
I got two errors trying to build the file. I have not got the time to debug the code for you, but there are a couple of basic things wrong with it.
; 1st error
invoke ShowTheStuff, hDlg, edi ; 2 parameters passed
ShowTheStuff proc hDlg:DWORD ; proc only has one parameter
; 2nd error
; Add the "DWORD PTR" size cast to the line.
mov edi,DWORD PTR [edi].FileHeader
From a quick look at the code, you need to get the length of the structures with SIZEOF or similar and copy the correct number of bytes to a memory buffer.
Regards,
I think it should be
movzx edi, [edi].FileHeader
But I did not verify...
mov edi,[edi].FileHeader
- That's a sort of strange thing to do. FileHeader is a structure, not a variable. If you want to do anything at all with that, it would make more sense to make EDI point to this structure, like "lea edi,[edi].FileHeader". But considering you're testing EDI for 0 right afterwards, I suspect you're not quite sure what you're doing :)
I tested it for zero, thinking that it might contain no info if I got to the wrong place during execution.
I think I fixed the problems y'all pointed out. But I think there is something wrong with my include files or MASM itself:
error LNK2001: unresolved external symbol _wsprintfA
fatal error LNK1120: 1 unresolved externals
which gave me the idea that it has to be either MASM's or the linker's fault (MASM v8; linker v5.12.8078). Even if I included
wsprintfA PROTO C :DWORD,:DWORD,:VARARG
wsprintf equ <wsprintfA>
or
wsprintfA PROTO C :DWORD,:VARARG
wsprintf equ <wsprintfA>
at the beginning of the file after the SEH struct, it would then give me error A2111: conflicting parameter definition.
That's why I think it's a linker problem. I tried recompiling a simple app I did a while back that uses wsprintf; it compiled with no problem back then, but now it gives me the same error message, A2111: conflicting parameter definition, as above.
;Feb. 24, 2003
;project: asmtut2
;author: Tweak aka Patrick Pippen
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\masm32.inc
include \masm32\include\gdi32.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\gdi32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
; user32.inc already prototypes wsprintfA (and defines wsprintf equ <wsprintfA>);
; if that prototype has a different parameter list from the one below, this
; redeclaration is what produces A2111 "conflicting parameter definition".
wsprintfA PROTO C :DWORD,:VARARG
wsprintf equ <wsprintfA>
.data
bufferforstring db 10 dup(0)              ; "%u" of a 32-bit value needs at most 10 digits + NUL
titlestring db "Result of calculation:",0
szformat db "%u",0
.data?
.code
start:
mov eax,5 ;# to multiply with # in ecx
mov ecx,3 ; this is the multiplier
mul ecx ; edx:eax = 15
add eax,50 ; eax = 65
xor edx,edx ;set edx to 0 before the 32-bit divide
div ecx ; eax = 65 / 3 = 21, edx = remainder 2
invoke wsprintf,ADDR bufferforstring,ADDR szformat,eax ; cdecl call; invoke adds esp,12 afterwards
invoke MessageBox,0,ADDR bufferforstring,ADDR titlestring,MB_OK
invoke ExitProcess,0
end start
The above was the simple app I tried, which gave the same error message. Could someone explain why this strangeness is now coming from the linker?
I copy-pasted this wsprintf routine you posted and assembled it.
It assembles without any problem and displays a message box with 21 in it.
5*3+50 = 65, /3 = 21 2/3, so it's OK. What's the problem?
BTW, I tried assembling your earlier peinfo post also, by deleting one param at line 157 and making it lea edi,[edi].FileHeader; it assembles well without any problem in wsprintf.
========================
edit
===========================
What do you mean by this?
.if lParam==0 <----- this is supposed to be the handle of the control; is it going to work?
Did you mean "if handle is not 0"?????????
mov eax,wParam
And you are assuming there can be only one click, on the open button; if it's not clicked you assume it is the exit button and jump directly to WM_CLOSE. You are not checking for exit:
invoke ShowExportFunctions,hDlg
.else ; IDM_EXIT
invoke SendMessage,hDlg,WM_CLOSE,0,0
will assemble like this:
00401061 |. 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
00401064 |. 66:83F8 66 CMP AX,66
00401068 |. 75 0A JNZ SHORT 00401074 ; pe-info.00401074
It will exit even before it shows your dialog, as the system itself may send WM_COMMAND during setting of focus etc. (dunno, I've faced the problem).
What is this?
invoke SetDlgItemText,hDlg,IDC_EDIT,0
You are setting null text??? lpString is 0?????
After SetDlgItemText you are using wsprintf; what is the use of it?
It will vanish into thin air when you return from wsprintf.
And the result of your exe when you have corrected all the above queries:
0012FA80 ..======[ PE_Header ]======..Machine: 1..Number of Sections: 640
0012FAC0 32..Time Date Stamp: 1179648..Pointer to Symbol Table: 0..Number
0012FB00 of Symbols: 16843009..Sizeof Optional Header: 1243924..Character
0012FB40 istics: 2012971227..C:\masm32\BIN\glit\scrshfun.exe.
I see what you're talking about now. I thought that was the way to use SetDlgItemText.
Could someone please explain what type of parameters should be passed to it?
Hi Tweak,
invoke SetDlgItemText,hDlg,IDC_EDIT,0
In the case of SetDlgItemText, it expects a pointer to a null-terminated string to be passed in the 3rd parameter. So it is used like this:
.data
string db "this is a string",0
.code
invoke SetDlgItemText,[hDlg],IDC_EDIT,OFFSET string
If you wish to display a number, you use SetDlgItemInt and pass a DWORD in the 3rd parameter; you must also specify whether it should be displayed as signed or not in the 4th parameter (TRUE = signed). The API will convert it to text and display it properly in your control.
.data
dwNumber DD 123
.code
invoke SetDlgItemInt,[hDlg],IDC_EDIT,[dwNumber],TRUE
Well, in your case you can use SetDlgItemText after wsprintf and pass the address of temp to it for your lpString.
But your wsprintf will not give you correct details,
as the params you are passing to wsprintf are words as well as dwords,
so the stack will be corrupted and it will display all wrong details.
Study the dump I pasted: it shows the number of sections as 64032.
Or watch it in a debugger; as it is, there will be some anonymous PUSH 0
before and after one of your word params is pushed, like ifh.Machine etc.
Well, some code:
invoke GetMod
mov hinstance,eax
mov some reg,eax
add somereg,el?? <--- dos header+3c
add eax,<--- peheader or 45ad so eax will probably be 40000c0 or c8
xor ecx,ecx
mov cx,word ptr <--- machine
push ecx
mov cx,wptr <--no of sections
push ecx
mov ecx,<--- tdstamp
push ecx
***,
***,
movzx ecx word ptr <--size of optional header (see the movzx, or you need to zero out ecx before you push the word)
***
***
invoke wsprintfa,addr peheader,addr temp
invoke setdlg,***** temp
invoke msgbox,*,temp,*,*
invoke endprocess,0
I got this code somewhere; I'll attach it when I get to the computer which has it.
Till then ;)
I told you that I'd paste the code that did it.
Here it is.
I've also attached the whole package; try it out and have fun.
.486
.model flat, stdcall
option casemap :none ; case sensitive
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\gdi32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\gdi32.lib
useless PROTO
.data
PeTable db 0Dh,0Ah, "======[ PE_Header ]======"
db 0Dh,0Ah, "Machine: %lu"
db 0Dh,0Ah,"Number of Sections: %lu"
db 0Dh,0Ah,"Time Date Stamp: %lu"
db 0Dh,0Ah,"Pointer to Symbol Table: %lu"
db 0Dh,0Ah,"Numberof Symbols: %lu"
db 0Dh,0Ah,"Sizeof Optional Header: %lu"
db 0Dh,0Ah,"Characteristics: %lu",0Dh,0Ah,0
.code
start:
invoke GetModuleHandle,NULL ; eax = image base of this exe, i.e. the "MZ" IMAGE_DOS_HEADER
invoke useless ; useless expects the base in eax
invoke ExitProcess,0
useless proc
LOCAL temp[512]:byte
LOCAL ifh:IMAGE_FILE_HEADER
mov ebx,eax
add ebx,03ch ; ebx -> IMAGE_DOS_HEADER.e_lfanew
add eax,[ebx] ; eax -> "PE\0\0" signature; IMAGE_FILE_HEADER starts 4 bytes after it
; wsprintf is cdecl, so the fields are pushed in reverse order (last format argument first).
; Every WORD field is widened to a full DWORD before the push, otherwise the
; argument list gets out of step with the %lu format (see the 64032 in the dump above).
xor ecx,ecx
mov cx,word ptr ds:[eax+16h] ; Characteristics
mov ifh.Characteristics,cx
push ecx
mov cx,word ptr ds:[eax+14h] ; SizeOfOptionalHeader (upper half of ecx is still zero)
mov ifh.SizeOfOptionalHeader,cx
push ecx
mov ecx,dword ptr ds:[eax+10h] ; NumberOfSymbols
mov ifh.NumberOfSymbols,ecx
push ecx
mov ecx,dword ptr ds:[eax+0Ch] ; PointerToSymbolTable
mov ifh.PointerToSymbolTable,ecx
push ecx
mov ecx,dword ptr ds:[eax+08h] ; TimeDateStamp
mov ifh.TimeDateStamp,ecx
push ecx
movzx ecx,word ptr ds:[eax+06h] ; NumberOfSections
mov ifh.NumberOfSections,cx
push ecx
movzx ecx,word ptr ds:[eax+04h] ; Machine
mov ifh.Machine,cx
push ecx
; The seven pushes above form the VARARG part of this call. invoke pushes only
; temp and PeTable and removes those two on return; the seven manual pushes
; are discarded by the LEAVE that the proc epilogue emits before ret.
invoke wsprintf,ADDR temp,ADDR PeTable
invoke MessageBoxA,NULL,ADDR temp,NULL,NULL
ret
useless endp
end start
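As an added example, not code from the thread or from the package attached above, here is the same walk from the DOS header's e_lfanew to IMAGE_FILE_HEADER in portable C, but over a byte buffer rather than the already-mapped running image. That is what you need for Tweak's stated goal of comparing PE files on disk, and it adds the two checks the assembly skips because a mapped module is trusted: e_lfanew plus the 4-byte signature plus the 20-byte file header must lie inside the buffer, and the "PE\0\0" signature must be present before any field is read. Field offsets are from the PE/COFF specification, so no windows.h is needed and it builds on Linux or macOS too. The function names (pe_parse_file_header, pe_build_sample) and the sample bytes are my own constructions.

```c
/* pe_file_header.c - added example: parse IMAGE_FILE_HEADER from a PE image
 * held in memory, with the bounds and signature checks that must precede any
 * use of e_lfanew.  Build: cc -std=c99 -Wall pe_file_header.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOS_MAGIC        0x5A4Du      /* "MZ" */
#define E_LFANEW_OFF     0x3Cu        /* IMAGE_DOS_HEADER.e_lfanew */
#define PE_SIGNATURE     0x00004550u  /* "PE\0\0" read as a little-endian DWORD */
#define FILE_HEADER_SIZE 20u          /* sizeof(IMAGE_FILE_HEADER) */

typedef struct {
    uint16_t machine;
    uint16_t number_of_sections;
    uint32_t time_date_stamp;
    uint32_t pointer_to_symbol_table;
    uint32_t number_of_symbols;
    uint16_t size_of_optional_header;
    uint16_t characteristics;
} pe_file_header;

enum pe_status { PE_OK = 0, PE_TOO_SHORT, PE_BAD_DOS_MAGIC, PE_BAD_LFANEW, PE_BAD_SIGNATURE };

/* PE is little-endian on every host, so read bytes explicitly instead of casting. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Locate the file header and copy its fields out.  Every offset taken from the
 * file is range-checked before it is dereferenced: in an untrusted file
 * e_lfanew is attacker-controlled and may point anywhere. */
enum pe_status pe_parse_file_header(const uint8_t *buf, size_t len, pe_file_header *out)
{
    if (len < E_LFANEW_OFF + 4) return PE_TOO_SHORT;
    if (rd16(buf) != DOS_MAGIC) return PE_BAD_DOS_MAGIC;

    uint32_t lfanew = rd32(buf + E_LFANEW_OFF);
    /* signature (4) + file header (20) must fit; written so it cannot overflow */
    if (lfanew > len || len - lfanew < 4 + FILE_HEADER_SIZE) return PE_BAD_LFANEW;
    if (rd32(buf + lfanew) != PE_SIGNATURE) return PE_BAD_SIGNATURE;

    const uint8_t *fh = buf + lfanew + 4;      /* IMAGE_FILE_HEADER follows "PE\0\0" */
    out->machine                 = rd16(fh + 0);
    out->number_of_sections      = rd16(fh + 2);
    out->time_date_stamp         = rd32(fh + 4);
    out->pointer_to_symbol_table = rd32(fh + 8);
    out->number_of_symbols       = rd32(fh + 12);
    out->size_of_optional_header = rd16(fh + 16);
    out->characteristics         = rd16(fh + 18);
    return PE_OK;
}

/* Constructed sample (not a real executable): an "MZ" stub whose e_lfanew is
 * 0x40, followed by the PE signature and a file header for an i386 image with
 * three sections.  Returns the number of bytes written, 0 if cap is too small. */
size_t pe_build_sample(uint8_t *buf, size_t cap)
{
    const size_t total = 0x40 + 4 + FILE_HEADER_SIZE;   /* 88 bytes */
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[E_LFANEW_OFF] = 0x40;                           /* e_lfanew = 0x00000040 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *fh = buf + 0x44;
    fh[0] = 0x4C; fh[1] = 0x01;                         /* Machine = 0x014C (i386) */
    fh[2] = 3;                                          /* NumberOfSections = 3 */
    fh[4] = 0x34; fh[5] = 0x12; fh[6] = 0x5A; fh[7] = 0x3E; /* TimeDateStamp = 0x3E5A1234 */
    fh[16] = 0xE0;                                      /* SizeOfOptionalHeader = 0xE0 (PE32) */
    fh[18] = 0x02; fh[19] = 0x01;                       /* Characteristics = 0x0102 */
    return total;
}

int main(void)
{
    uint8_t buf[128];
    size_t len = pe_build_sample(buf, sizeof buf);
    pe_file_header h;
    if (pe_parse_file_header(buf, len, &h) != PE_OK) { puts("rejected"); return 1; }
    printf("Machine: 0x%04X\nNumber of Sections: %u\nTime Date Stamp: %lu\n"
           "Sizeof Optional Header: %u\nCharacteristics: 0x%04X\n",
           (unsigned)h.machine, (unsigned)h.number_of_sections,
           (unsigned long)h.time_date_stamp,
           (unsigned)h.size_of_optional_header, (unsigned)h.characteristics);
    return 0;
}
```

To run it over a real file, read the whole file into a buffer and pass that to pe_parse_file_header; the reject codes matter there because, unlike the image GetModuleHandle hands back, a file opened from disk may be truncated or deliberately crafted. Note also that every field is copied into a fixed-width struct member, so there is no room for the word-versus-dword argument mix-up that corrupted the wsprintf output in the thread.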