How to detect the types of executable files
The code below needs the following units: SysUtils (file-mode constants), Classes (TFileStream) and Windows (IMAGE_FILE_HEADER, IMAGE_FILE_DLL).

uses
  SysUtils, Classes, Windows;

type
  {
  IMAGE_DOS_HEADER:
    DOS .EXE header. Declared here so the code also builds on Delphi versions
    whose Windows unit lacks it; where Windows.pas already declares it, this
    local declaration simply hides the identical one.
  }
  IMAGE_DOS_HEADER = packed record
    e_magic   : Word;                        // Magic number ("MZ")
    e_cblp    : Word;                        // Bytes on last page of file
    e_cp      : Word;                        // Pages in file
    e_crlc    : Word;                        // Relocations
    e_cparhdr : Word;                        // Size of header in paragraphs
    e_minalloc: Word;                        // Minimum extra paragraphs needed
    e_maxalloc: Word;                        // Maximum extra paragraphs needed
    e_ss      : Word;                        // Initial (relative) SS value
    e_sp      : Word;                        // Initial SP value
    e_csum    : Word;                        // Checksum
    e_ip      : Word;                        // Initial IP value
    e_cs      : Word;                        // Initial (relative) CS value
    e_lfarlc  : Word;                        // Address of relocation table
    e_ovno    : Word;                        // Overlay number
    e_res     : packed array [0..3] of Word; // Reserved words
    e_oemid   : Word;                        // OEM identifier (for e_oeminfo)
    e_oeminfo : Word;                        // OEM info; e_oemid specific
    e_res2    : packed array [0..9] of Word; // Reserved words
    e_lfanew  : Longint;                     // File address of new exe header
  end;

  {
  TExeFileKind:
    The kinds of files recognised.
  }
  TExeFileKind = (
    fkUnknown,  // unknown file kind: not an executable
    fkError,    // error file kind: used for files that don't exist
    fkDOS,      // DOS executable
    fkExe32,    // 32 bit executable
    fkExe16,    // 16 bit executable
    fkDLL32,    // 32 bit DLL
    fkDLL16,    // 16 bit DLL
    fkVXD       // virtual device driver
  );

function ExeType(const FileName: string): TExeFileKind;
  {Examines given file and returns a code that indicates the type of
  executable file it is (or if it isn't an executable)}
const
  cNEAppTypeOffset = $0D;   // offset in NE windows header of app type field
  cDOSMagic  = $5A4D;       // magic number for a DOS executable ("MZ")
  cNEMagic   = $454E;       // magic number for a NE executable (Win 16)
  cPEMagic   = $4550;       // magic number for a PE executable (Win 32): "PE"
  cLEMagic   = $454C;       // magic number for a Virtual Device Driver
  cNEDLLFlag = $80;         // flag in NE app type field indicating a DLL
  cDOSPageSize = 512;       // size of the "pages" counted by e_cp / e_cblp
var
  FS: TFileStream;              // stream to executable file
  WinMagic: Word;               // word containing PE, NE or LE magic number
  HdrOffset: LongInt;           // offset of windows header in exec file
  ImgHdrPE: IMAGE_FILE_HEADER;  // PE file header record
  DOSHeader: IMAGE_DOS_HEADER;  // DOS header
  AppFlagsNE: Byte;             // byte defining DLLs in NE format
  DOSFileSize: Integer;         // size of DOS file
begin
  try
    // Open stream onto file: raises exception if can't be read
    FS := TFileStream.Create(FileName, fmOpenRead or fmShareDenyNone);
    try
      // Assume unknown file
      Result := fkUnknown;
      // Any exec file is at least size of DOS header long
      if FS.Size < SizeOf(DOSHeader) then
        Exit;
      FS.ReadBuffer(DOSHeader, SizeOf(DOSHeader));
      // DOS files begin with "MZ"
      if DOSHeader.e_magic <> cDOSMagic then
        Exit;
      // DOS files have length >= size indicated at offset $02 and $04
      // (offset $02, e_cblp, is the number of bytes used on the last
      // 512-byte page, 0 meaning a full page; offset $04, e_cp, is the
      // number of 512-byte pages in the file)
      if DOSHeader.e_cblp = 0 then
        DOSFileSize := DOSHeader.e_cp * cDOSPageSize
      else
        DOSFileSize := (DOSHeader.e_cp - 1) * cDOSPageSize + DOSHeader.e_cblp;
      if FS.Size < DOSFileSize then
        Exit;
      // DOS file relocation offset must be within DOS file size.
      if DOSHeader.e_lfarlc > DOSFileSize then
        Exit;
      // We assume we have an executable file: assume it's a DOS program
      Result := fkDOS;
      // Offset of the Windows program header is e_lfanew (file offset $3C),
      // already read as part of the DOS header. It is a signed field taken
      // from an untrusted file, so reject negative values as well as values
      // that leave no room for a magic word before EOF: either way there is
      // no Windows header and the file is a DOS program. Comparing against
      // FS.Size minus the needed size (rather than adding to HdrOffset)
      // avoids integer wrap-around for offsets close to MaxInt.
      HdrOffset := DOSHeader.e_lfanew;
      if (HdrOffset < 0) or (HdrOffset > FS.Size - SizeOf(Word)) then
        Exit;
      // Read first word of Windows program header: this should be NE, PE or
      // LE per file type: check which
      FS.Position := HdrOffset;
      FS.ReadBuffer(WinMagic, SizeOf(Word));
      case WinMagic of
        cPEMagic:
        begin
          // 32 bit Windows application: now check whether app or DLL. The
          // IMAGE_FILE_HEADER follows the 4 byte "PE\0\0" signature.
          if HdrOffset > FS.Size - SizeOf(LongWord) - SizeOf(ImgHdrPE) then
            // file not large enough for image header: assume DOS
            Exit;
          // read Windows image header
          FS.Position := HdrOffset + SizeOf(LongWord);
          FS.ReadBuffer(ImgHdrPE, SizeOf(ImgHdrPE));
          if (ImgHdrPE.Characteristics and IMAGE_FILE_DLL) = IMAGE_FILE_DLL then
            // characteristics indicate a 32 bit DLL
            Result := fkDLL32
          else
            // characteristics indicate a 32 bit application
            Result := fkExe32;
        end;
        cNEMagic:
        begin
          // We have 16 bit Windows executable: check whether app or DLL
          if HdrOffset > FS.Size - cNEAppTypeOffset - SizeOf(AppFlagsNE) then
            // app flags field would be beyond EOF: assume DOS
            Exit;
          // read app flags byte
          FS.Position := HdrOffset + cNEAppTypeOffset;
          FS.ReadBuffer(AppFlagsNE, SizeOf(AppFlagsNE));
          if (AppFlagsNE and cNEDLLFlag) = cNEDLLFlag then
            // app flags indicate DLL
            Result := fkDLL16
          else
            // app flags indicate program
            Result := fkExe16;
        end;
        cLEMagic:
          // We have a Virtual Device Driver
          Result := fkVXD;
        else
          // DOS application
          {Do nothing - DOS result already set};
      end;
    finally
      FS.Free;
    end;
  except
    // Exception raised in function => error result
    Result := fkError;
  end;
end;
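The same classification, written here as an added Python port for readers who want to run the header walk without a Delphi compiler. This is not code from the original page; the sample images it feeds itself are constructed in the block (a minimal MZ header followed by hand-built PE, NE and LE headers), not real binaries. It deliberately covers the inputs a malformed or hostile file can present that the walk above has to survive: a negative e_lfanew, an e_lfanew at or past EOF, a file shorter than the size its own DOS header claims, and a non-MZ file.

```python
import struct
from enum import Enum


class ExeKind(Enum):
    """Same classes as TExeFileKind in the Delphi code above."""
    UNKNOWN = "unknown"   # not an executable
    ERROR = "error"       # file could not be read
    DOS = "dos"           # plain DOS program
    EXE32 = "exe32"       # PE application
    EXE16 = "exe16"       # NE (Win16) application
    DLL32 = "dll32"       # PE DLL
    DLL16 = "dll16"       # NE (Win16) DLL
    VXD = "vxd"           # LE virtual device driver


DOS_HEADER_SIZE = 64                 # sizeof(IMAGE_DOS_HEADER)
DOS_PAGE_SIZE = 512                  # unit of e_cp / e_cblp
E_LFARLC_OFFSET = 0x18               # relocation table pointer in the DOS header
E_LFANEW_OFFSET = 0x3C               # signed offset of the NE/PE/LE header
PE_SIGNATURE = b"PE\0\0"
IMAGE_FILE_HEADER_FMT = "<HHIIIHH"   # Machine .. Characteristics, 20 bytes
IMAGE_FILE_DLL = 0x2000
NE_APP_FLAGS_OFFSET = 0x0D           # application flags byte inside the NE header
NE_DLL_FLAG = 0x80                   # "library module" bit


def exe_type_bytes(data: bytes) -> ExeKind:
    """Classify an in-memory image, treating every header field as untrusted."""
    n = len(data)
    if n < DOS_HEADER_SIZE or data[:2] != b"MZ":
        return ExeKind.UNKNOWN
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    (e_lfarlc,) = struct.unpack_from("<H", data, E_LFARLC_OFFSET)
    (e_lfanew,) = struct.unpack_from("<i", data, E_LFANEW_OFFSET)
    # e_cblp == 0 means the last 512-byte page is full
    dos_size = e_cp * DOS_PAGE_SIZE if e_cblp == 0 else (e_cp - 1) * DOS_PAGE_SIZE + e_cblp
    if n < dos_size or e_lfarlc > dos_size:
        return ExeKind.UNKNOWN
    # From here on it is at least a DOS program. e_lfanew is signed: a negative
    # value, or one leaving no room for a magic word, means "no Windows header".
    if e_lfanew < 0 or e_lfanew + 2 > n:
        return ExeKind.DOS
    sig = data[e_lfanew:e_lfanew + 2]
    if sig == b"PE":
        fh_off = e_lfanew + len(PE_SIGNATURE)
        if (data[e_lfanew:fh_off] != PE_SIGNATURE
                or fh_off + struct.calcsize(IMAGE_FILE_HEADER_FMT) > n):
            return ExeKind.DOS
        characteristics = struct.unpack_from(IMAGE_FILE_HEADER_FMT, data, fh_off)[-1]
        return ExeKind.DLL32 if characteristics & IMAGE_FILE_DLL else ExeKind.EXE32
    if sig == b"NE":
        flags_off = e_lfanew + NE_APP_FLAGS_OFFSET
        if flags_off >= n:
            return ExeKind.DOS
        return ExeKind.DLL16 if data[flags_off] & NE_DLL_FLAG else ExeKind.EXE16
    if sig == b"LE":
        return ExeKind.VXD
    return ExeKind.DOS


def exe_type(path: str) -> ExeKind:
    """File front end: an unreadable or missing file gives ERROR, like fkError."""
    try:
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return ExeKind.ERROR
    return exe_type_bytes(data)


def build_sample(new_header: bytes, e_lfanew: int = DOS_HEADER_SIZE) -> bytes:
    """Constructed test image (not a real binary): a minimal MZ header whose
    e_cblp/e_cp cover the whole file, zero padding up to e_lfanew, then the
    given NE/PE/LE header bytes."""
    body = b"\0" * max(0, e_lfanew - DOS_HEADER_SIZE) + new_header
    total = DOS_HEADER_SIZE + len(body)
    hdr = bytearray(DOS_HEADER_SIZE)
    hdr[:2] = b"MZ"
    struct.pack_into("<HH", hdr, 2, total % DOS_PAGE_SIZE,
                     (total + DOS_PAGE_SIZE - 1) // DOS_PAGE_SIZE)
    struct.pack_into("<H", hdr, E_LFARLC_OFFSET, DOS_HEADER_SIZE)  # relocs after header
    struct.pack_into("<i", hdr, E_LFANEW_OFFSET, e_lfanew)
    return bytes(hdr) + body


def pe_header(characteristics: int) -> bytes:
    """Constructed PE signature + IMAGE_FILE_HEADER (i386, one section)."""
    return PE_SIGNATURE + struct.pack(IMAGE_FILE_HEADER_FMT, 0x14C, 1, 0, 0, 0, 0xE0, characteristics)


SAMPLES = {
    "pe_exe": build_sample(pe_header(0x0102)),
    "pe_dll": build_sample(pe_header(0x2102)),
    "ne_exe": build_sample(b"NE" + bytes(11) + b"\x00"),
    "ne_dll": build_sample(b"NE" + bytes(11) + b"\x80"),
    "vxd": build_sample(b"LE" + bytes(14)),
    "dos": build_sample(b"\xb4\x4c\xcd\x21", e_lfanew=0),      # mov ah,4Ch; int 21h
    "negative_lfanew": build_sample(pe_header(0x0102), e_lfanew=-1),
    "lfanew_at_eof": build_sample(b"", e_lfanew=0x1000),
    "truncated": build_sample(pe_header(0x0102))[:70],          # shorter than e_cp/e_cblp claim
    "elf": b"\x7fELF" + bytes(60),
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        print(f"{name:16s} {exe_type_bytes(image).value}")
```

Two design points carry over to any reimplementation: the offsets are validated against the real file length before every read (so a crafted e_lfanew cannot move the reader outside the file), and a bad e_lfanew degrades to "DOS program" rather than to an exception, because an MZ file with garbage past offset $3C is still a valid DOS executable. Only a failure to open or read the file maps to ERROR.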