How to detect the types of executable files

type

  {

  IMAGE_DOS_HEADER:

    DOS .EXE header.

  }

  IMAGE_DOS_HEADER = packed record

    e_magic   : Word;               // Magic number ("MZ")

    e_cblp    : Word;               // Bytes on last page of file

    e_cp      : Word;               // Pages in file

    e_crlc    : Word;               // Relocations

    e_cparhdr : Word;               // Size of header in paragraphs

    e_minalloc: Word;               // Minimum extra paragraphs needed

    e_maxalloc: Word;               // Maximum extra paragraphs needed

    e_ss      : Word;               // Initial (relative) SS value

    e_sp      : Word;               // Initial SP value

    e_csum    : Word;               // Checksum

    e_ip      : Word;               // Initial IP value

    e_cs      : Word;               // Initial (relative) CS value

    e_lfarlc  : Word;               // Address of relocation table

    e_ovno    : Word;               // Overlay number

    e_res     : packed array [..] of Word;  // Reserved words

    e_oemid   : Word;               // OEM identifier (for e_oeminfo)

    e_oeminfo : Word;               // OEM info; e_oemid specific

    e_res2    : packed array [..] of Word;  // Reserved words

    e_lfanew  : Longint;            // File address of new exe header

  end;

  {

  TExeFileKind:

    The kinds of files recognised.

  }

  TExeFileKind = (

    fkUnknown,  // unknown file kind: not an executable

    fkError,    // error file kind: used for files that don't exist

    fkDOS,      // DOS executable

    fkExe32,    // 32 bit executable

    fkExe16,    // 16 bit executable

    fkDLL32,    // 32 bit DLL

    fkDLL16,    // 16 bit DLL

    fkVXD       // virtual device driver

  );

function ExeType(const FileName: string): TExeFileKind;

  {Examines given file and returns a code that indicates the type of

  executable file it is (or if it isn't an executable)}

const

  cDOSRelocOffset = $;  // offset of "pointer" to DOS relocation table

  cWinHeaderOffset = $3C; // offset of "pointer" to windows header in file

  cNEAppTypeOffset = $0D; // offset in NE windows header of app type field

  cDOSMagic = $5A4D;      // magic number for a DOS executable

  cNEMagic = $454E;       // magic number for a NE executable (Win 16)

  cPEMagic = $;       // magic nunber for a PE executable (Win 32)

  cLEMagic = $454C;       // magic number for a Virtual Device Driver

  cNEDLLFlag = $        // flag in NE app type field indicating a DLL

var

  FS: TFileStream;              // stream to executable file

  WinMagic: Word;               // word containing PE or NE magic numbers

  HdrOffset: LongInt;           // offset of windows header in exec file

  ImgHdrPE: IMAGE_FILE_HEADER;  // PE file header record

  DOSHeader: IMAGE_DOS_HEADER;  // DOS header

  AppFlagsNE: Byte;             // byte defining DLLs in NE format

  DOSFileSize: Integer;         // size of DOS file

begin

  try

    // Open stream onto file: raises exception if can't be read

    FS := TFileStream.Create(FileName, fmOpenRead + fmShareDenyNone);

    try

      // Assume unkown file

      Result := fkUnknown;

      // Any exec file is at least size of DOS header long

      if FS.Size < SizeOf(DOSHeader) then

        Exit;

      FS.ReadBuffer(DOSHeader, SizeOf(DOSHeader));

      // DOS files begin with "MZ"

      if DOSHeader.e_magic <> cDOSMagic then

        Exit;

      // DOS files have length >= size indicated at offset $02 and $04

      // (offset $02 indicates length of file mod 512 and offset $04

      // indicates no. of 512 pages in file)

      if (DOSHeader.e_cblp = ) then

        DOSFileSize := DOSHeader.e_cp *

      else

        DOSFileSize := (DOSHeader.e_cp - ) *  + DOSHeader.e_cblp;

      if FS.Size <  DOSFileSize then

        Exit;

      // DOS file relocation offset must be within DOS file size.

      if DOSHeader.e_lfarlc > DOSFileSize then

        Exit;

      // We assume we have an executable file: assume its a DOS program

      Result := fkDOS;

      // Try to find offset of Windows program header

      if FS.Size <= cWinHeaderOffset + SizeOf(LongInt) then

        // file too small for windows header "pointer": it's a DOS file

        Exit;

      // read it

      FS.Position := cWinHeaderOffset;

      FS.ReadBuffer(HdrOffset, SizeOf(LongInt));

      // Now try to read first word of Windows program header

      if FS.Size <= HdrOffset + SizeOf(Word) then

        // file too small to contain header: it's a DOS file

        Exit;

      FS.Position := HdrOffset;

      // This word should be NE, PE or LE per file type: check which

      FS.ReadBuffer(WinMagic, SizeOf(Word));

      case WinMagic of

        cPEMagic:

        begin

          // 32 bit Windows application: now check whether app or DLL

          if FS.Size < HdrOffset + SizeOf(LongWord) + SizeOf(ImgHdrPE) then

            // file not large enough for image header: assume DOS

            Exit;

          // read Windows image header

          FS.Position := HdrOffset + SizeOf(LongWord);

          FS.ReadBuffer(ImgHdrPE, SizeOf(ImgHdrPE));

          if (ImgHdrPE.Characteristics and IMAGE_FILE_DLL)

            = IMAGE_FILE_DLL then

            // characteristics indicate a 32 bit DLL

            Result := fkDLL32

          else

            // characteristics indicate a 32 bit application

            Result := fkExe32;

        end;

        cNEMagic:

        begin

          // We have 16 bit Windows executable: check whether app or DLL

          if FS.Size <= HdrOffset + cNEAppTypeOffset

            + SizeOf(AppFlagsNE) then

            // app flags field would be beyond EOF: assume DOS

            Exit;

          // read app flags byte

          FS.Position := HdrOffset + cNEAppTypeOffset;

          FS.ReadBuffer(AppFlagsNE, SizeOf(AppFlagsNE));

          if (AppFlagsNE and cNEDLLFlag) = cNEDLLFlag then

            // app flags indicate DLL

            Result := fkDLL16

          else

            // app flags indicate program

            Result := fkExe16;

        end;

        cLEMagic:

          // We have a Virtual Device Driver

          Result := fkVXD;

        else

          // DOS application

          {Do nothing - DOS result already set};

      end;

    finally

      FS.Free;

    end;

  except

    // Exception raised in function => error result

    Result := fkError;

  end;

end;

How to detect the types of executable files的更多相关文章

  1. Files and Directories

    Files and Directories Introduction     In the previous chapter we coveredthe basic functions that pe ...

  2. The Portable Executable File Format from Top to Bottom(每个结构体都非常清楚)

    The Portable Executable File Format from Top to Bottom Randy KathMicrosoft Developer Network Technol ...

  3. System startup files

    System startup files When you log in, the shell defines your user environment after reading the init ...

  4. How To Get Log, Trace Files In OA Framework Pages And Concurrent Request Programs

    Goal   Solution   References APPLIES TO: Oracle Supplier Lifecycle Management - Version 12.1.2 and l ...

  5. Guava Files 源码分析(一)

    Files中的工厂 Files类中对InputStream, OutputStream以及Reader,Writer的操作封装了抽象工厂模式,抽象工厂是InputSupplier与OutputSupp ...

  6. CentOS 6.7 中安装Emacs 24.5

    Emacs 版本:http://mirror.bjtu.edu.cn/gnu/emacs/emacs-24.5.tar.gz CentOS 内核版本:2.6.32-573.el6.x86_64 参考资 ...

  7. malware analysis、Sandbox Principles、Design && Implementation

    catalog . 引言 . sandbox introduction . Sandboxie . seccomp(short for secure computing mode): API级沙箱 . ...

  8. Code Complete阅读笔记(二)

    2015-03-06   328   Unusual Data Types    ——You can carry this technique to extremes,putting all the ...

  9. Hibernate Validator 6.0.9.Final - JSR 380 Reference Implementation: Reference Guide

    Preface Validating data is a common task that occurs throughout all application layers, from the pre ...

随机推荐

  1. 20155226 2016-2017-2 《Java程序设计》第6周学习总结

    20155226 2016-2017-2 <Java程序设计>第6周学习总结 教材学习内容总结 第十章 输入/输出 10.1 InputStream与OutputStream 1 . 串流 ...

  2. spring如何管理mybatis(二) ----- SqlSession的线程安全性

    在之前的文章中我们了解到最终的数据库最终操作是走的代理类的方法: @Override public Object invoke(Object proxy, Method method, Object[ ...

  3. Python内置模块与标准库

    Python内置模块就是标准库(模块)吗?或者说Python的自带string模块是内置模块吗? 答案是:string不是内置模块,它是标准库.也就是说Python内置模块和标准库并不是同一种东西. ...

  4. source insigh安装使用

    下载和安装: 最好去官网下载(http://www.sourceinsight.com/),最新版本是3.5. 第一次去六维下载了sourceinsight,免安装,但是打开后发现界面没有任何窗口,全 ...

  5. Linux TTY驱动--Uart_driver底层【转】

    转自:http://blog.csdn.net/sharecode/article/details/9196591 版权声明:本文为博主原创文章,未经博主允许不得转载. Linux 中将串口驱动进行了 ...

  6. 从零开始自己搭建复杂网络(以Tensorflow为例)

    从零开始自己搭建复杂网络(以MobileNetV2为例) tensorflow经过这几年的发展,已经成长为最大的神经网络框架.而mobileNetV2在经过Xception的实践与深度可分离卷积的应用 ...

  7. postman发送json请求,使用案例

    介绍:  postman是一个很好的http模拟器,,可以发送get.post.put等各种请求,是测试服务接口相当好的工具. postman发送json请求,使用案例 发送json的具体步骤: 1. ...

  8. JQ实现弹幕效果

    JQ实现弹幕效果,快来吐糟你的想法吧 效果图: 代码如下,复制即可使用: <!DOCTYPE html> <html> <head> <meta charse ...

  9. 【OpenCV for Android】Android Studio集成OpenCV

    准备工作 1.下载安装Android Studio(过程略). 2.下载Android OpenCV:https://opencv.org/releases.html,找到Android pack点击 ...

  10. [转] 在安卓设备上使用 Chrome 远程调试功能

    你的网页内容在移动设备上的体验可能和电脑上完全不同.Chrome DevTools 提供了远程调试功能,这让你可以在安卓设备上实时调试开发的内容. 安卓远程调试支持: 在浏览器选项卡中调试网站. 在原 ...