

Title: Win32 PE Subsystem identifier
Post by: Vortex on May 13, 2007, 09:11:11 AM
Here is a simple tool identifying the subsystem of a Win32 portable executable; it uses the basic PE structures to examine an executable.

.386
.model flat,stdcall                     ; Win32 stdcall, flat memory model
option casemap:none

include FindSubSys.inc                  ; supplies ParseCmdLine, ConsoleOut, fn and MIN_PE_SIZE (not shown here)

.data
; usage banner, printed when the argument count returned by ParseCmdLine is not 2
welcome db 'Win32 PE Subsystem Identifier V1.0 by Vortex',13,10,13,10
db 'Usage : FindSubsys filename.exe',0
.data?
buffer db 100 dup(?)                    ; not referenced by the code below; possibly used by FindSubSys.inc
buffer2 db 512 dup(?)                   ; handed to ParseCmdLine; [buffer2+4] is then used as the file name
hFile dd ?                              ; handle returned by CreateFile
hMem dd ?                               ; zeroed heap block receiving the first MIN_PE_SIZE bytes of the file
size1 dd ?                              ; byte count actually read by ReadFile
hHeap dd ?                              ; process heap handle used for HeapAlloc / HeapFree

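.code

;-----------------------------------------------------------------------
; start - program entry point (reached via END start, no C signature)
; ABI:   Win32 stdcall, flat model
; Reads the first MIN_PE_SIZE bytes of the file named on the command
; line into a zeroed heap block and prints the PE subsystem found there.
; Register roles: esi = heap block, later advanced to the NT headers
;                 eax = API return values / subsystem word
;                 ecx = bytes available for the NT headers (bounds check)
; Every header field comes from the file and is treated as untrusted:
; the DOS header must be fully present and e_lfanew is bounds checked
; against the bytes actually read before it is dereferenced.
;-----------------------------------------------------------------------
start:

    mov     esi,OFFSET buffer2
    invoke  ParseCmdLine,esi            ; eax = argument count, [esi+4] = argv[1]
    cmp     eax,2
    je      open_file
    invoke  ConsoleOut,ADDR welcome     ; wrong argument count: print usage
    jmp     finish2

open_file:
    invoke  CreateFile,DWORD PTR [esi+4],GENERIC_READ,\
            0,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0
    cmp     eax,INVALID_HANDLE_VALUE
    jne     get_heap
    fn      ConsoleOut,"could not open the file"
    jmp     finish2

get_heap:
    mov     hFile,eax
    invoke  GetProcessHeap
    test    eax,eax
    jz      no_memory
    mov     hHeap,eax
    invoke  HeapAlloc,eax,HEAP_ZERO_MEMORY,MIN_PE_SIZE
    test    eax,eax
    jnz     read_file
    ; Original code jumped back to the previous @@ here, which re-ran
    ; HeapAlloc with a zero heap handle forever; report and leave instead.
no_memory:
    fn      ConsoleOut,"could not allocate memory"
    invoke  CloseHandle,hFile
    jmp     finish2

read_file:
    mov     hMem,eax
    mov     esi,eax                     ; esi -> zeroed block of MIN_PE_SIZE bytes
    invoke  ReadFile,hFile,eax,MIN_PE_SIZE,ADDR size1,0
    push    eax                         ; keep ReadFile's result across CloseHandle
    invoke  CloseHandle,hFile           ; the handle is not needed on any path from here
    pop     eax
    test    eax,eax
    jnz     check_dos
    fn      ConsoleOut,"could not read the file"
    jmp     finish1

check_dos:
    ; Do not read e_magic unless a whole DOS header was actually read;
    ; the zero fill would otherwise hide a truncated file.
    cmp     size1,SIZEOF IMAGE_DOS_HEADER
    jb      bad_dos
    cmp     IMAGE_DOS_HEADER.e_magic[esi],IMAGE_DOS_SIGNATURE
    je      check_pe
bad_dos:
    fn      ConsoleOut,"not a valid DOS header"
    jmp     finish1

check_pe:
    ; e_lfanew is an attacker-controlled offset: the NT headers must lie
    ; entirely inside the bytes read (size1 <= MIN_PE_SIZE), otherwise the
    ; Signature / Subsystem loads would run past the heap block. The
    ; unsigned compare also rejects a negative e_lfanew.
    mov     ecx,size1
    sub     ecx,SIZEOF IMAGE_NT_HEADERS
    jb      bad_pe                      ; fewer bytes than one NT header
    mov     eax,IMAGE_DOS_HEADER.e_lfanew[esi]
    cmp     eax,ecx
    ja      bad_pe                      ; header would end beyond the data read
    add     esi,eax                     ; esi -> IMAGE_NT_HEADERS
    cmp     IMAGE_NT_HEADERS.Signature[esi],IMAGE_NT_SIGNATURE
    je      check_subsystem
bad_pe:
    fn      ConsoleOut,"not a valid PE header"
    jmp     finish1

check_subsystem:
    ; Subsystem is a WORD; zero-extend instead of writing ax so eax is clean
    movzx   eax,WORD PTR IMAGE_NT_HEADERS.OptionalHeader.Subsystem[esi]
    cmp     eax,IMAGE_SUBSYSTEM_WINDOWS_GUI
    jne     not_gui
    fn      ConsoleOut,"File Subsystem = GUI"
    jmp     finish1
not_gui:
    cmp     eax,IMAGE_SUBSYSTEM_WINDOWS_CUI
    jne     not_console
    fn      ConsoleOut,"File Subsystem = CONSOLE"
    jmp     finish1
not_console:
    fn      ConsoleOut,"Not a GUI or CONSOLE subsystem"

finish1:
    invoke  HeapFree,hHeap,0,hMem       ; hMem still holds the block base even though esi moved

finish2:
    invoke  ExitProcess,0

END start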

[attachment deleted by admin]
Title: Re: Win32 PE Subsystem identifier
Post by: Timbo on May 16, 2007, 12:54:00 AM
Greetings,

Also see:

GetBinaryType (http://msdn2.microsoft.com/en-us/library/aa364819.aspx) on MSDN.

Regards,

Tim
Title: Re: Win32 PE Subsystem identifier
Post by: Vortex on May 18, 2007, 07:26:10 PM
Timbo,

Thanks for the info but that function is not supported by Win9x systems.
Title: Re: Win32 PE Subsystem identifier
Post by: Timbo on May 19, 2007, 11:23:45 PM
Vortex,

Of course you are right.  I was offering an alternative means for doing this under NT.

However, SHGetFileInfo (http://msdn2.microsoft.com/en-us/library/ms647761.aspx) is supported under Win9x/NT.

Regards,

Tim
Title: Re: Win32 PE Subsystem identifier
Post by: Vortex on May 20, 2007, 11:17:32 AM
Hi Timbo,

Thanks for the info. I will study SHGetFileInfo