Exetools (https://forum.exetools.com/index.php)

phroyt 04-29-2020 08:41

Reading File Version from Memory
I faced a strange problem:
GetFileVersionInfoSize and GetFileVersionInfo return nothing from an .EXE file with a valid RT_VERSION.

Using Resource Hacker, the record list appears in italic.
I don't know what that means, but the record is there.

By the way, my goal is to determine the version of the running executable that loaded my Proxy DLL.

The workaround was to read the RT_VERSION resource using the HInstance value, from the data already loaded into memory.


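function FileVersion(Module: HINST = 0): String;
var
  verblock: PVSFixedFileInfo;
  verlen, s: Cardinal;
  rs: TResourceStream; m: TMemoryStream; p: Pointer;
begin
    Result := '';
    if Module = 0 then
      Module := HInstance; // default: the module this code is compiled into
    rs := TResourceStream.CreateFromID(Module, 1, RT_VERSION); // resource of the loaded image
    m := TMemoryStream.Create;
    try
      m.CopyFrom(rs, rs.Size); // query a private copy, not the mapped resource
      if VerQueryValue(m.Memory,'\',pointer(verblock),verlen) then
        Result := IntToStr(verblock.dwFileVersionMS shr 16)+'.'+
          IntToStr(verblock.dwFileVersionMS and $FFFF)+'.'+
          IntToStr(verblock.dwFileVersionLS shr 16)+'.'+
          IntToStr(verblock.dwFileVersionLS and $FFFF);
      if VerQueryValue(m.Memory,PChar('\\StringFileInfo\\'+
        IntToHex(GetThreadLocale,4)+IntToHex(GetACP,4)+'\\FileDescription'),p,s) or
          VerQueryValue(m.Memory,'\\StringFileInfo\\040904E4\\FileDescription',p,s) then //en-us
            Result:=PChar(p)+' '+Result;
    finally
      rs.Free; m.Free;
    end;
end;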

The Module param can be omitted to use my DLL's HInstance value, or the value can be given using

to find Main Module (EXE) HInstance.

atom0s 04-29-2020 10:49

You can look up the proper translation ids that the file offers via: VerQueryValueA/VerQueryValueW
They can be requested via the following lookup property: \\VarFileInfo\\Translation

MSDN shows an example of doing that here:

This way you don't have to hardcode it to English only, or guess. Using GetACP won't guarantee a valid number either, as that is specific to the system and not the file.
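
The lookup atom0s describes, as an added example (not code from the thread or from MSDN): it enumerates the \VarFileInfo\Translation entries of a loaded module and builds the StringFileInfo key from the language/code page pairs the file itself declares. It assumes a Unicode Delphi (VerQueryValue resolving to VerQueryValueW) and version resource ID 1; the unit, type and function names are hypothetical.

```delphi
unit VerTranslation; // hypothetical unit name
interface
uses
  Winapi.Windows, System.SysUtils, System.Classes;

// Hypothetical helper: named StringFileInfo value (e.g. 'FileDescription') of a loaded module.
function ModuleVersionString(Module: HINST; const Name: string): string;

implementation
type
  // One entry of the \VarFileInfo\Translation array.
  TLangAndCodePage = packed record
    wLanguage, wCodePage: Word;
  end;
  PLangAndCodePage = ^TLangAndCodePage;

function ModuleVersionString(Module: HINST; const Name: string): string;
var
  rs: TResourceStream; m: TMemoryStream;
  trans: PLangAndCodePage;
  transLen, valLen, i: Cardinal;
  value: Pointer;
  key: string;
begin
  Result := '';
  rs := TResourceStream.CreateFromID(Module, 1, RT_VERSION); // raises if the module has no version resource
  m := TMemoryStream.Create;
  try
    m.CopyFrom(rs, rs.Size); // private copy; the mapped resource is read-only
    // Ask the file which language/code page pairs it actually carries.
    if not VerQueryValue(m.Memory, '\VarFileInfo\Translation', Pointer(trans), transLen) then
      Exit;
    for i := 1 to transLen div SizeOf(TLangAndCodePage) do
    begin
      key := '\StringFileInfo\' + IntToHex(trans^.wLanguage, 4) +
        IntToHex(trans^.wCodePage, 4) + '\' + Name;
      if VerQueryValue(m.Memory, PChar(key), value, valLen) and (valLen > 0) then
      begin
        Result := PChar(value);
        Exit; // first translation that has the value wins
      end;
      Inc(trans); // next language/code page pair
    end;
  finally
    rs.Free;
    m.Free;
  end;
end;
end.
```

An empty result means the module declares no translation that carries the requested value, so the caller can fall back to the numeric version from the fixed file info.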

phroyt 04-29-2020 11:06

What kind of protection is this below?


I can't read the resources in the standard way.
I can't even save after changes.

Tried to inject a DLL using LordPE but it's also blocked.

atom0s 04-29-2020 15:57

That picture isn't a protection, just a manifest file that tells Windows the kind of requirements and access level the application expects/needs to run properly. Generally, it's used to request elevated permissions.

phroyt 04-29-2020 23:21


I'm not arguing about manifest.
I know what it means.

I don't understand what makes an executable locked from resource changing.
As you can see, even the "Save As" button is disabled.

This image shows Resource Hacker with italic items:

This image shows Resource Hacker with normal items:

atom0s 04-30-2020 05:47

That would be specific to the tool itself, you'd have to ask the author of it for help as to why. Could be any number of things.

chants 04-30-2020 12:28

Is this just an NTFS file or other permission issue? Perhaps the executable is read execute or the like. Certainly most editors will gray out save options. You could try running it elevated or as whatever service or the SYSTEM account with runas.

Why the version query fails might also have to do with integrity levels and permissions checks. I would research exact details here as I assume this is straightforward to resolve without a potentially complicated workaround given the multilingual issues etc.

Kurapica 05-01-2020 04:18

I have version 4.5.30 of Resource Hacker

I was curious to know why it sets the font style to italic in the TreeView when opening a new file


00705308                                    | 8B45 F4                  | mov eax,dword ptr ss:[ebp-C]                            |
0070530B                                    | 8B80 E0060000            | mov eax,dword ptr ds:[eax+6E0]                          |
00705311                                    | 8B16                      | mov edx,dword ptr ds:[esi]                              |
00705313                                    | E8 00DFEFFF              | call <resourcehacker.sub_603218>                        |
00705318                                    | 8B45 F4                  | mov eax,dword ptr ss:[ebp-C]                            |
0070531B                                    | 8B80 E0060000            | mov eax,dword ptr ds:[eax+6E0]                          |
00705321                                    | 8078 16 00                | cmp byte ptr ds:[eax+16],0                              |
00705325                                    | 74 1A                    | je resourcehacker.705341                                |
00705327                                    | 8B45 F4                  | mov eax,dword ptr ss:[ebp-C]                            |
0070532A                                    | 8B80 C8030000            | mov eax,dword ptr ds:[eax+3C8]                          |
00705330                                    | 8B40 74                  | mov eax,dword ptr ds:[eax+74]                          |
00705333                                    | 0FB615 B8557000          | movzx edx,byte ptr ds:[7055B8]                          |
0070533A                                    | E8 AD51DCFF              | call <resourcehacker.SetFont>                          |
0070533F                                    | EB 18                    | jmp resourcehacker.705359                              |
00705341                                    | 8B45 F4                  | mov eax,dword ptr ss:[ebp-C]                            |

When it returns from "resourcehacker.sub_603218" , if "byte ptr ds:[eax+0x16] = 0" it won't set font style to italic.
Enter "resourcehacker.sub_603218" and you will see it checks the file for several conditions

Before entering "resourcehacker.sub_603218" you will notice this byte is set to 1
and later in that function it's set to 0

00603425 | C640 16 00 | mov byte ptr ds:[eax+16],0

0060329D                                    | 50                        | push eax                                                |
0060329E                                    | E8 49F8E0FF              | call <JMP.&CreateFileW>                                |
006032A3                                    | 8945 F0                  | mov dword ptr ss:[ebp-10],eax                          |
006032A6                                    | 837D F0 FF                | cmp dword ptr ss:[ebp-10],FFFFFFFF                      |
006032AA                                    | 0F84 AC000000            | je resourcehacker.60335C                                |
006032B0                                    | 33C0                      | xor eax,eax                                            |
006032B2                                    | 55                        | push ebp                                                |
006032B3                                    | 68 F3326000              | push resourcehacker.6032F3                              |
006032B8                                    | 64:FF30                  | push dword ptr fs:[eax]                                |
006032BB                                    | 64:8920                  | mov dword ptr fs:[eax],esp                              |
006032BE                                    | 8B45 FC                  | mov eax,dword ptr ss:[ebp-4]                            |
006032C1                                    | 83C0 4C                  | add eax,4C                                              |
006032C4                                    | 50                        | push eax                                                |
006032C5                                    | 8B45 FC                  | mov eax,dword ptr ss:[ebp-4]                            |
006032C8                                    | 83C0 44                  | add eax,44                                              |
006032CB                                    | 50                        | push eax                                                |
006032CC                                    | 8B45 FC                  | mov eax,dword ptr ss:[ebp-4]                            |
006032CF                                    | 83C0 3C                  | add eax,3C                                              |
006032D2                                    | 50                        | push eax                                                |
006032D3                                    | 8B45 F0                  | mov eax,dword ptr ss:[ebp-10]                          |
006032D6                                    | 50                        | push eax                                                |
006032D7                                    | E8 28F9E0FF              | call <JMP.&GetFileTime>                                |
006032DC                                    | 33C0                      | xor eax,eax                                            |
006032DE                                    | 5A                        | pop edx                                                |
006032DF                                    | 59                        | pop ecx                                                |
006032E0                                    | 59                        | pop ecx                                                |

So most probably it's a file permissions issue in your case.
