Win32 PE Subsystem identifier

Vortex · May 13, 2007, 09:11:11 AM

Here is a simple tool identifiying the subsystem of a Win32 portable executable, it uses the basic PE structures to examine an executable.

Code Select

.386
.model flat,stdcall
option casemap:none

include	FindSubSys.inc

.data
welcome	db 'Win32 PE Subsystem Identifier V1.0 by Vortex',13,10,13,10
		db 'Usage : FindSubsys filename.exe',0
.data?
buffer	db 100 dup(?)
buffer2	db 512 dup(?)
hFile		dd ?
hMem		dd ?
size1		dd ?
hHeap		dd ?

.code

start:

	mov		esi,OFFSET buffer2
	invoke	ParseCmdLine,esi
	cmp		eax,2
	je		@f
	invoke	ConsoleOut,ADDR welcome
	jmp		finish2
@@:
	invoke	CreateFile,DWORD PTR [esi+4],GENERIC_READ,\
			0,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0
	cmp		eax,INVALID_HANDLE_VALUE
	jnz		@f
	fn		ConsoleOut,"could not open the file"
	jmp		finish2
@@:
	mov		hFile,eax
	invoke	GetProcessHeap
	test		eax,eax
	jnz		@f
	fn		ConsoleOut,"could not allocate memory"
	jmp		finish2
@@:
	mov		hHeap,eax
	invoke	HeapAlloc,eax,HEAP_ZERO_MEMORY,MIN_PE_SIZE
	test		eax,eax
	jz		@b
	mov		hMem,eax
	mov		esi,eax
	invoke	ReadFile,hFile,eax,MIN_PE_SIZE,ADDR size1,0
	test		eax,eax
	jnz		@f
	fn		ConsoleOut,"could not read the file"
	jmp		finish1
@@:
	invoke	CloseHandle,hFile
	cmp		IMAGE_DOS_HEADER.e_magic[esi],IMAGE_DOS_SIGNATURE
	je		@f
	fn		ConsoleOut,"not a valid DOS header"
	jmp		finish1
@@:
	add		esi,IMAGE_DOS_HEADER.e_lfanew[esi]
	cmp		IMAGE_NT_HEADERS.Signature[esi],IMAGE_NT_SIGNATURE
	je		@f
	fn		ConsoleOut,"not a valid PE header"
	jmp		finish1
@@:
	mov		ax,IMAGE_NT_HEADERS.OptionalHeader.Subsystem[esi]
	cmp		ax,IMAGE_SUBSYSTEM_WINDOWS_GUI
	jne		@f
	fn		ConsoleOut,"File Subsystem = GUI"
	jmp		finish1
@@:
	cmp		ax,IMAGE_SUBSYSTEM_WINDOWS_CUI
	jne		@f
	fn		ConsoleOut,"File Subsystem = CONSOLE"
	jmp		finish1
@@:
	fn		ConsoleOut,"Not a GUI or CONSOLE subsystem"

finish1:

	invoke	HeapFree,hHeap,0,hMem

finish2:

	invoke	ExitProcess,0

END start

[attachment deleted by admin]

Timbo · May 16, 2007, 12:54:00 AM

Greetings,

Also see:

GetBinaryType on MSDN.

Regards,

Tim

Vortex · May 18, 2007, 07:26:10 PM

Timbo,

Thanks for the info but that function is not supported by Win9x systems.

Timbo · May 19, 2007, 11:23:45 PM

Vortex,

Of course you are right. I was offering an alternative means for doing this under NT.

However, SHGetFileInfo is supported under Win9x/NT.

Regards,

Tim

Vortex · May 20, 2007, 11:17:32 AM

Hi Timbo,

Thanks for the info. I will study SHGetFileInfo

News:

Win32 PE Subsystem identifier

Vortex

Timbo

Vortex

Timbo

Vortex