how can i get the filesize of my 'running' exe ?

i get commandline at startup = path/exename
now i try openfile 'path/exename' and get an error, i think because the file is running, since it works on a file that is not running :(

i want to get the filesize of my tool on startup, then check whether it matches the filesize stored in .data
if not exit...

any ideas ?
Posted on 2004-01-18 12:21:53 by xanthos
When using CreateFile on the file of a running process you can't request GENERIC_WRITE, and you have to pass FILE_SHARE_READ as the share mode.
Posted on 2004-01-18 12:45:42 by ENF
You may also use FindFirstFile to get this information:


.386
.model flat,stdcall
option casemap:none

include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib

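.data?
; Uninitialised scratch storage used by the start code.
w32fd       WIN32_FIND_DATA <>      ; directory entry filled in by FindFirstFile
szBuf       db 512 dup(?)           ; module path first, then each wsprintf line
_st         SYSTEMTIME <>           ; broken-down local time for formatting
_ft         FILETIME <>             ; file time converted to local time
szDateBuf   db 11 dup(?)            ; 10-character date picture + NUL
szTimeBuf   db 9 dup(?)             ; 8-character time picture + NUL
szMessage   db 1024 dup(?)          ; accumulated text shown in the message box

.code
; Constant format strings are kept in the code section; nothing writes to them.
szFileName   db "FileName: ",9,"%s",13,10,0
szAlternate  db "Alternate name: ",9,"%s",13,10,0
szAttr       db "Attributes: ",9,"%#08x",13,10,0
szDate_      db "dd-MM-yyyy",0
; "HH" selects the 24-hour clock. The original "hh" is the 12-hour form and the
; picture has no "tt" AM/PM marker, so 14:05 and 02:05 printed identically.
szTime_      db "HH:mm:ss",0
szCreateTime db "Created: ",9,9,"%s %s",13,10,0
szAccessTime db "Last accessed: ",9,"%s %s",13,10,0
szModifyTime db "Modified: ",9,9,"%s %s",13,10,0
; nFileSizeLow is an unsigned DWORD: "%u" keeps sizes of 2 GiB and above from
; printing as negative numbers. Only the low 32 bits of the size are shown.
szFileSize   db "Size: ",9,9,"%u",0

szTitle      db "Self file information",0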

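;-----------------------------------------------------------------------
; AppendFileTime - format one FILETIME as a local date and time and append
;                  the resulting line to szMessage.
; In:    pFileTime = address of the FILETIME to show (a w32fd time field)
;        pLineFmt  = address of a wsprintf format string taking two %s
; Uses:  _ft, _st, szDateBuf, szTimeBuf and szBuf as scratch storage
; Note:  return values of the conversion calls are not checked, as in the
;        original straight-line code this helper replaces.
;-----------------------------------------------------------------------
AppendFileTime proc pFileTime:DWORD, pLineFmt:DWORD
    invoke FileTimeToLocalFileTime,pFileTime,addr _ft
    invoke FileTimeToSystemTime,addr _ft,addr _st
    invoke GetDateFormat,LOCALE_USER_DEFAULT,0,addr _st,addr szDate_,addr szDateBuf,11
    invoke GetTimeFormat,LOCALE_USER_DEFAULT,0,addr _st,addr szTime_,addr szTimeBuf,9
    invoke wsprintf,addr szBuf,pLineFmt,addr szDateBuf,addr szTimeBuf
    invoke lstrcat,addr szMessage,addr szBuf
    ret
AppendFileTime endp

;-----------------------------------------------------------------------
; start - program entry point.
; Looks up the running executable's own directory entry and shows its name,
; attributes, timestamps and size in a message box, then exits with code 0.
;
; NOTE(review): the size comes from the directory entry (nFileSizeLow only).
; If it is used as a self-integrity check it detects appended data, but not
; a modification that keeps the length unchanged; hashing the file contents
; is the stronger check, and a real check should treat any failure to read
; its own file as "not verified" instead of exiting silently as this demo does.
;-----------------------------------------------------------------------
start:
    invoke GetModuleFileName,NULL,addr szBuf,MAX_PATH
    ; 0 means the call failed; a length equal to the size passed in means the
    ; path was truncated, so FindFirstFile could match some other file.
    .if eax!=0 && eax<MAX_PATH
        invoke FindFirstFile,addr szBuf,addr w32fd
        .if eax!=INVALID_HANDLE_VALUE
            ; w32fd is already filled in; the search handle is not needed.
            invoke FindClose,eax

            ; First line starts the message, the rest are appended to it.
            invoke wsprintf,addr szBuf,addr szFileName,addr w32fd.cFileName
            invoke lstrcpy,addr szMessage,addr szBuf

            invoke wsprintf,addr szBuf,addr szAlternate,addr w32fd.cAlternate
            invoke lstrcat,addr szMessage,addr szBuf

            invoke wsprintf,addr szBuf,addr szAttr,w32fd.dwFileAttributes
            invoke lstrcat,addr szMessage,addr szBuf

            invoke AppendFileTime,addr w32fd.ftCreationTime,addr szCreateTime
            invoke AppendFileTime,addr w32fd.ftLastAccessTime,addr szAccessTime
            invoke AppendFileTime,addr w32fd.ftLastWriteTime,addr szModifyTime

            invoke wsprintf,addr szBuf,addr szFileSize,w32fd.nFileSizeLow
            invoke lstrcat,addr szMessage,addr szBuf

            invoke MessageBox,0,addr szMessage,addr szTitle,MB_ICONINFORMATION
        .endif
    .endif
    invoke ExitProcess,0
end start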
Posted on 2004-01-19 02:37:36 by Morris
;FASM version


include '%fasminc%/win32ax.inc'
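MAX_PATH = 260                  ; size in bytes of WIN32_FIND_DATA.cFileName
; LOCALE_USER_DEFAULT is MAKELCID(LANG_USER_DEFAULT, SORT_DEFAULT) = 0x0400.
; The value 0 used before is LOCALE_NEUTRAL, a different locale identifier.
LOCALE_USER_DEFAULT = 0x0400

; Layout of the structure FindFirstFile fills in. Field order and sizes must
; match the Win32 definition exactly, because the API writes into it directly.
struc WIN32_FIND_DATA
 { .dwFileAttributes dd ?       ; FILE_ATTRIBUTE_* flags
   .ftCreationTime FILETIME
   .ftLastAccessTime FILETIME
   .ftLastWriteTime FILETIME
   .nFileSizeHigh dd ?          ; upper 32 bits of the file size
   .nFileSizeLow dd ?           ; lower 32 bits of the file size
   .dwReserved0 dd ?
   .dwReserved1 dd ?
   .cFileName rb MAX_PATH       ; NUL-terminated long file name
   .cAlternate rb 14 }          ; NUL-terminated alternate (8.3) name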

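.data
; Scratch storage used by the start code (reserved, not initialised).
w32fd        WIN32_FIND_DATA    ; directory entry filled in by FindFirstFile
szBuf        rb 512             ; module path first, then each wsprintf line
_st          SYSTEMTIME         ; broken-down local time for formatting
_ft          FILETIME           ; file time converted to local time
szDateBuf    rb 11              ; 10-character date picture + NUL
szTimeBuf    rb 9               ; 8-character time picture + NUL
szMessage    rb 1024            ; accumulated text shown in the message box

.code
; Constant format strings are kept in the code section; nothing writes to them.
szFileName   db "FileName: ",9,"%s",13,10,0
szAlternate  db "Alternate name: ",9,"%s",13,10,0
szAttr       db "Attributes: ",9,"%#08x",13,10,0
szDate_      db "dd-MM-yyyy",0
; "HH" selects the 24-hour clock. The original "hh" is the 12-hour form and the
; picture has no "tt" AM/PM marker, so 14:05 and 02:05 printed identically.
szTime_      db "HH:mm:ss",0
szCreateTime db "Created: ",9,9,"%s %s",13,10,0
szAccessTime db "Last accessed: ",9,"%s %s",13,10,0
szModifyTime db "Modified: ",9,9,"%s %s",13,10,0
; nFileSizeLow is an unsigned dword: "%u" keeps sizes of 2 GiB and above from
; printing as negative numbers. Only the low 32 bits of the size are shown.
szFileSize   db "Size: ",9,9,"%u",0

szTitle      db "Self file information",0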

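start:
; Program entry point: looks up the running executable's own directory entry
; and shows its name, attributes, timestamps and size in a message box, then
; exits with code 0.
;
; Differences from the straight MASM translation:
;  * wsprintf is a cdecl (caller-cleans) function, so it is called with
;    cinvoke; plain invoke left its arguments on the stack after every call.
;  * In FASM a bare symbol is its address. Values passed to "%x" / "%u" must
;    be read with [..]; without the brackets the message showed the address
;    of the field instead of the attributes and the size.
;
; NOTE(review): the size comes from the directory entry (nFileSizeLow only).
; If it is used as a self-integrity check it detects appended data, but not
; a modification that keeps the length unchanged; hashing the file contents
; is the stronger check, and a real check should treat any failure to read
; its own file as "not verified" instead of exiting silently as this demo does.
        invoke  GetModuleFileName,NULL,addr szBuf,MAX_PATH
        test    eax,eax                 ; 0 = call failed
        jz      finish
        cmp     eax,MAX_PATH            ; length == size passed in => truncated
        jae     finish
        invoke  FindFirstFile,szBuf,w32fd
        cmp     eax,INVALID_HANDLE_VALUE
        je      finish
        invoke  FindClose,eax           ; w32fd is filled in; handle not needed

        ; First line starts the message, the rest are appended to it.
        cinvoke wsprintf,addr szBuf,addr szFileName,addr w32fd.cFileName
        invoke  lstrcpy,addr szMessage,addr szBuf

        cinvoke wsprintf,addr szBuf,addr szAlternate,addr w32fd.cAlternate
        invoke  lstrcat,addr szMessage,addr szBuf

        cinvoke wsprintf,addr szBuf,addr szAttr,[w32fd.dwFileAttributes]
        invoke  lstrcat,addr szMessage,addr szBuf

        ; Creation time -> local time -> "date time" line
        invoke  FileTimeToLocalFileTime,addr w32fd.ftCreationTime,addr _ft
        invoke  FileTimeToSystemTime,addr _ft,addr _st
        invoke  GetDateFormat,LOCALE_USER_DEFAULT,0,addr _st,addr szDate_,addr szDateBuf,11
        invoke  GetTimeFormat,LOCALE_USER_DEFAULT,0,addr _st,addr szTime_,addr szTimeBuf,9
        cinvoke wsprintf,addr szBuf,addr szCreateTime,addr szDateBuf,addr szTimeBuf
        invoke  lstrcat,addr szMessage,addr szBuf

        ; Last access time
        invoke  FileTimeToLocalFileTime,addr w32fd.ftLastAccessTime,addr _ft
        invoke  FileTimeToSystemTime,addr _ft,addr _st
        invoke  GetDateFormat,LOCALE_USER_DEFAULT,0,addr _st,addr szDate_,addr szDateBuf,11
        invoke  GetTimeFormat,LOCALE_USER_DEFAULT,0,addr _st,addr szTime_,addr szTimeBuf,9
        cinvoke wsprintf,addr szBuf,addr szAccessTime,addr szDateBuf,addr szTimeBuf
        invoke  lstrcat,addr szMessage,addr szBuf

        ; Last write time
        invoke  FileTimeToLocalFileTime,addr w32fd.ftLastWriteTime,addr _ft
        invoke  FileTimeToSystemTime,addr _ft,addr _st
        invoke  GetDateFormat,LOCALE_USER_DEFAULT,0,addr _st,addr szDate_,addr szDateBuf,11
        invoke  GetTimeFormat,LOCALE_USER_DEFAULT,0,addr _st,addr szTime_,addr szTimeBuf,9
        cinvoke wsprintf,addr szBuf,addr szModifyTime,addr szDateBuf,addr szTimeBuf
        invoke  lstrcat,addr szMessage,addr szBuf

        cinvoke wsprintf,addr szBuf,addr szFileSize,[w32fd.nFileSizeLow]
        invoke  lstrcat,addr szMessage,addr szBuf

        invoke  MessageBox,0,addr szMessage,addr szTitle,MB_ICONINFORMATION
finish:
        invoke  ExitProcess,0
.end start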
Posted on 2004-01-19 08:26:06 by HarryTuttle
many thanks !
so much help, dont know what to say :)

T H A N K S !

hopefully i can now finish my tool to check for ie hijackers.
since someone added the trojan.spooner.c to my spooner removal tool, i'd better add some protection against file joiners to my file.

i hope an encrypted filesize inside the .data section and a filesize check will help against this.
this would only warn the user that my tool is infected.

i'm not familiar with the pe file header and the methods of joining files.
so i'm asking maybe a stupid question: is there a way to check for an infection on startup ?

i read something about adding a file at the end of another file and changing the pe header.
is there some way to check for this at startup, so the file won't start the added file ?

anyone know a free program to protect a file ?

greets Xanthos
Posted on 2004-01-19 14:16:28 by xanthos
Do you mean you want your file to do a self check?
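There are several ways to do this. If your file has been infected with a virus, its entry point may have been changed to point to the added code, so at startup you could look up the entry point in the PE header and check that the bytes there match what they should be. You could also compute a CRC32 or a cryptographic hash of the file and compare it with the expected value. Keep in mind that a check like this only runs once your own code gets control, so it can warn about a modification but cannot stop added code that runs first.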
Posted on 2004-01-19 18:34:17 by ENF
Yes thats what i mean :)
i try a lookup in google for pe header.

thanks :)
Posted on 2004-01-22 00:45:24 by xanthos