How to detect the types of executable files

type

  {

  IMAGE_DOS_HEADER:

    DOS .EXE header.

  }

  IMAGE_DOS_HEADER = packed record

    e_magic   : Word;               // Magic number ("MZ")

    e_cblp    : Word;               // Bytes on last page of file

    e_cp      : Word;               // Pages in file

    e_crlc    : Word;               // Relocations

    e_cparhdr : Word;               // Size of header in paragraphs

    e_minalloc: Word;               // Minimum extra paragraphs needed

    e_maxalloc: Word;               // Maximum extra paragraphs needed

    e_ss      : Word;               // Initial (relative) SS value

    e_sp      : Word;               // Initial SP value

    e_csum    : Word;               // Checksum

    e_ip      : Word;               // Initial IP value

    e_cs      : Word;               // Initial (relative) CS value

    e_lfarlc  : Word;               // Address of relocation table

    e_ovno    : Word;               // Overlay number

    e_res     : packed array [..] of Word;  // Reserved words

    e_oemid   : Word;               // OEM identifier (for e_oeminfo)

    e_oeminfo : Word;               // OEM info; e_oemid specific

    e_res2    : packed array [..] of Word;  // Reserved words

    e_lfanew  : Longint;            // File address of new exe header

  end;

  {

  TExeFileKind:

    The kinds of files recognised.

  }

  TExeFileKind = (

    fkUnknown,  // unknown file kind: not an executable

    fkError,    // error file kind: used for files that don't exist

    fkDOS,      // DOS executable

    fkExe32,    // 32 bit executable

    fkExe16,    // 16 bit executable

    fkDLL32,    // 32 bit DLL

    fkDLL16,    // 16 bit DLL

    fkVXD       // virtual device driver

  );

function ExeType(const FileName: string): TExeFileKind;

  {Examines given file and returns a code that indicates the type of

  executable file it is (or if it isn't an executable)}

const

  cDOSRelocOffset = $;  // offset of "pointer" to DOS relocation table

  cWinHeaderOffset = $3C; // offset of "pointer" to windows header in file

  cNEAppTypeOffset = $0D; // offset in NE windows header of app type field

  cDOSMagic = $5A4D;      // magic number for a DOS executable

  cNEMagic = $454E;       // magic number for a NE executable (Win 16)

  cPEMagic = $;       // magic nunber for a PE executable (Win 32)

  cLEMagic = $454C;       // magic number for a Virtual Device Driver

  cNEDLLFlag = $        // flag in NE app type field indicating a DLL

var

  FS: TFileStream;              // stream to executable file

  WinMagic: Word;               // word containing PE or NE magic numbers

  HdrOffset: LongInt;           // offset of windows header in exec file

  ImgHdrPE: IMAGE_FILE_HEADER;  // PE file header record

  DOSHeader: IMAGE_DOS_HEADER;  // DOS header

  AppFlagsNE: Byte;             // byte defining DLLs in NE format

  DOSFileSize: Integer;         // size of DOS file

begin

  try

    // Open stream onto file: raises exception if can't be read

    FS := TFileStream.Create(FileName, fmOpenRead + fmShareDenyNone);

    try

      // Assume unkown file

      Result := fkUnknown;

      // Any exec file is at least size of DOS header long

      if FS.Size < SizeOf(DOSHeader) then

        Exit;

      FS.ReadBuffer(DOSHeader, SizeOf(DOSHeader));

      // DOS files begin with "MZ"

      if DOSHeader.e_magic <> cDOSMagic then

        Exit;

      // DOS files have length >= size indicated at offset $02 and $04

      // (offset $02 indicates length of file mod 512 and offset $04

      // indicates no. of 512 pages in file)

      if (DOSHeader.e_cblp = ) then

        DOSFileSize := DOSHeader.e_cp *

      else

        DOSFileSize := (DOSHeader.e_cp - ) *  + DOSHeader.e_cblp;

      if FS.Size <  DOSFileSize then

        Exit;

      // DOS file relocation offset must be within DOS file size.

      if DOSHeader.e_lfarlc > DOSFileSize then

        Exit;

      // We assume we have an executable file: assume its a DOS program

      Result := fkDOS;

      // Try to find offset of Windows program header

      if FS.Size <= cWinHeaderOffset + SizeOf(LongInt) then

        // file too small for windows header "pointer": it's a DOS file

        Exit;

      // read it

      FS.Position := cWinHeaderOffset;

      FS.ReadBuffer(HdrOffset, SizeOf(LongInt));

      // Now try to read first word of Windows program header

      if FS.Size <= HdrOffset + SizeOf(Word) then

        // file too small to contain header: it's a DOS file

        Exit;

      FS.Position := HdrOffset;

      // This word should be NE, PE or LE per file type: check which

      FS.ReadBuffer(WinMagic, SizeOf(Word));

      case WinMagic of

        cPEMagic:

        begin

          // 32 bit Windows application: now check whether app or DLL

          if FS.Size < HdrOffset + SizeOf(LongWord) + SizeOf(ImgHdrPE) then

            // file not large enough for image header: assume DOS

            Exit;

          // read Windows image header

          FS.Position := HdrOffset + SizeOf(LongWord);

          FS.ReadBuffer(ImgHdrPE, SizeOf(ImgHdrPE));

          if (ImgHdrPE.Characteristics and IMAGE_FILE_DLL)

            = IMAGE_FILE_DLL then

            // characteristics indicate a 32 bit DLL

            Result := fkDLL32

          else

            // characteristics indicate a 32 bit application

            Result := fkExe32;

        end;

        cNEMagic:

        begin

          // We have 16 bit Windows executable: check whether app or DLL

          if FS.Size <= HdrOffset + cNEAppTypeOffset

            + SizeOf(AppFlagsNE) then

            // app flags field would be beyond EOF: assume DOS

            Exit;

          // read app flags byte

          FS.Position := HdrOffset + cNEAppTypeOffset;

          FS.ReadBuffer(AppFlagsNE, SizeOf(AppFlagsNE));

          if (AppFlagsNE and cNEDLLFlag) = cNEDLLFlag then

            // app flags indicate DLL

            Result := fkDLL16

          else

            // app flags indicate program

            Result := fkExe16;

        end;

        cLEMagic:

          // We have a Virtual Device Driver

          Result := fkVXD;

        else

          // DOS application

          {Do nothing - DOS result already set};

      end;

    finally

      FS.Free;

    end;

  except

    // Exception raised in function => error result

    Result := fkError;

  end;

end;

How to detect the types of executable files的更多相关文章

  1. Files and Directories

    Files and Directories Introduction     In the previous chapter we coveredthe basic functions that pe ...

  2. The Portable Executable File Format from Top to Bottom(每个结构体都非常清楚)

    The Portable Executable File Format from Top to Bottom Randy KathMicrosoft Developer Network Technol ...

  3. System startup files

    System startup files When you log in, the shell defines your user environment after reading the init ...

  4. How To Get Log, Trace Files In OA Framework Pages And Concurrent Request Programs

    Goal   Solution   References APPLIES TO: Oracle Supplier Lifecycle Management - Version 12.1.2 and l ...

  5. Guava Files 源码分析(一)

    Files中的工厂 Files类中对InputStream, OutputStream以及Reader,Writer的操作封装了抽象工厂模式,抽象工厂是InputSupplier与OutputSupp ...

  6. CentOS 6.7 中安装Emacs 24.5

    Emacs 版本:http://mirror.bjtu.edu.cn/gnu/emacs/emacs-24.5.tar.gz CentOS 内核版本:2.6.32-573.el6.x86_64 参考资 ...

  7. malware analysis、Sandbox Principles、Design && Implementation

    catalog . 引言 . sandbox introduction . Sandboxie . seccomp(short for secure computing mode): API级沙箱 . ...

  8. Code Complete阅读笔记(二)

    2015-03-06   328   Unusual Data Types    ——You can carry this technique to extremes,putting all the ...

  9. Hibernate Validator 6.0.9.Final - JSR 380 Reference Implementation: Reference Guide

    Preface Validating data is a common task that occurs throughout all application layers, from the pre ...

随机推荐

  1. <header><footer>引用

    示例:http://www.w3school.com.cn/html/html_layout.asp

  2. Paint Fence

    There is a fence with n posts, each post can be painted with one of the k colors.You have to paint a ...

  3. 利用gcc自带的功能-fstack-protector检测栈溢出及其实现【转】

    转自:https://www.cnblogs.com/leo0000/p/5719186.html 最近又遇到了一个崩溃,栈回溯非常怪异. /lib/i386-linux-gnu/libc.so.6( ...

  4. mysql5.7主从复制--在线变更复制类型【转】

    这里说一下关于如何在线变更复制类型(日志复制到全局事物复制),参考课程:mysql5.7复制实战 先决条件     (1)集群中所有的服务器版本均高于5.7.6(2)集群中所有的服务器gtid_mod ...

  5. H5开发APP考题和答案

    { "last_updated": { "$date": 1544276670569 }, "page_count": 1, "a ...

  6. Angularjs里面跨作用域的实战!

    好久没有来写博客了,最近一直在用Google的AngularJS,后面我自己简称AngularJS就叫AJ吧! 学习AngularJS一路也是深坑颇多啊--!就不多说了,不过还是建议大家有时间去学下下 ...

  7. Spring:@Cacheable 中condition条件的理解

    condition=false时,不读取缓存,直接执行方法体,并返回结果,同时返回结果也不放入缓存. ndition=true时,读取缓存,有缓存则直接返回.无则执行方法体,同时返回结果放入缓存(如果 ...

  8. springboot---->集成mybatis开发(一)

    这里面我们介绍一下springboot与mybatis的集成,主要完成了mybatis的真分页.一个成熟的人往往发觉可以责怪的人越来越少,人人都有他的难处. springboot简单集成mytbati ...

  9. SpringMvc定时器任务

    在最近的工作中,涉及到一个定时任务,由于以前对springMVC使用较少,所以,上网找了一点资料.这个demo感觉挺好,推荐给大家. 使用到的JAR文件: aopalliance-1.0.jarcom ...

  10. JavaScript如何获得input元素value值

    转载地址:http://aquarius-zf.iteye.com/blog/605144 在页面中我们最常见的页面元素就是input了,但是我们如何用JavaScript得到网页input中输入的v ...