#1
Reading File Version from Memory
I faced a strange problem:
GetFileVersionInfoSize and GetFileVersionInfo return nothing from an .EXE file with a valid RT_VERSION. In Resource Hacker the record list appears in italic, which I don't know the meaning of, but the record is there. By the way, my goal is to determine the version of the running executable that loaded my proxy DLL. The workaround was to read the RT_VERSION resource using the HInstance value from the data already loaded into memory.
Code:
uses
  Windows, SysUtils, Classes;

// Reads the version of an already-loaded module straight from its RT_VERSION
// resource instead of calling GetFileVersionInfo on the file on disk.
function FileVersion(Module: HINST = 0): String;
var
  verblock: PVSFIXEDFILEINFO;
  versionMS, versionLS: Cardinal;
  verlen: Cardinal;
  rs: TResourceStream;
  m: TMemoryStream;
  p: Pointer;
  s: Cardinal;
begin
  Result := '';
  m := TMemoryStream.Create;
  try
    if Module = 0 then
      Module := HInstance;
    // Resource ID 1 of type RT_VERSION is the VS_VERSIONINFO block.
    rs := TResourceStream.CreateFromID(Module, 1, RT_VERSION);
    try
      // Copy into writable memory; the mapped resource itself is read-only.
      m.CopyFrom(rs, rs.Size);
    finally
      rs.Free;
    end;
    m.Position := 0;
    // The root block '\' yields the VS_FIXEDFILEINFO structure.
    if VerQueryValue(m.Memory, '\', Pointer(verblock), verlen) then
    begin
      versionMS := verblock.dwFileVersionMS;
      versionLS := verblock.dwFileVersionLS;
      Result := IntToStr(versionMS shr 16) + '.' + IntToStr(versionMS and $FFFF) + '.' +
                IntToStr(versionLS shr 16) + '.' + IntToStr(versionLS and $FFFF);
    end;
    // Delphi strings do not escape backslashes, so sub-block paths use single
    // backslashes. The string table is guessed from the thread locale and ANSI
    // code page, falling back to en-US / Windows-1252 (040904E4).
    if VerQueryValue(m.Memory, PChar('\StringFileInfo\' +
         IntToHex(GetThreadLocale, 4) + IntToHex(GetACP, 4) + '\FileDescription'), p, s) or
       VerQueryValue(m.Memory, '\StringFileInfo\040904E4\FileDescription', p, s) then
      Result := String(PChar(p)) + ' ' + Result;
  finally
    m.Free;
  end;
end;
Code:
// Called from the proxy DLL: HInstance is the DLL itself, GetModuleHandle(nil)
// is the executable that loaded it.
FileVersion(GetModuleHandle(nil));
#2
You can look up the proper translation IDs that the file offers via VerQueryValueA/VerQueryValueW.
They can be requested via the following lookup property: \\VarFileInfo\\Translation. MSDN shows an example of doing that here: https://docs.microsoft.com/en-us/windows/win32/api/winver/nf-winver-verqueryvaluea This way you don't have to hardcode it to English only, or guess. Using GetACP won't guarantee a valid number either, as that is specific to the system and not the file.
__________________
Personal Projects Site: https://atom0s.com
The following user says thank you to atom0s for this useful post: phroyt (04-29-2020)
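The Translation-table lookup atom0s recommends, and the in-memory RT_VERSION read from post #1, as an added example (Python, not code from this thread or from Resource Hacker): it parses a raw VS_VERSIONINFO blob, the same bytes TResourceStream.CreateFromID(Module, 1, RT_VERSION) hands back, and walks \VarFileInfo\Translation and the StringFileInfo tables by hand instead of calling VerQueryValue. The sample resource is constructed inline (German-only, 0407/04B0, with invented strings and version numbers) so that a hardcoded 040904E4 lookup misses while the translation the file declares hits. The node layout follows the documented VS_VERSIONINFO/StringFileInfo/VarFileInfo structures; the builder and lookup helper names are this example's own.

```python
"""Parse a raw VS_VERSIONINFO blob (the bytes of an RT_VERSION resource) without
VerQueryValue, and resolve strings through \\VarFileInfo\\Translation instead
of a hardcoded 040904E4 language/code page."""
import struct

SIGNATURE = 0xFEEF04BD  # VS_FIXEDFILEINFO.dwSignature


def _align4(n):
    return (n + 3) & ~3


def _read_block(buf, off):
    """Read one version-info node: header, UTF-16 key, padding, value, children.
    Returns ((key, wType, value_bytes, children), end_offset)."""
    w_len, w_vlen, w_type = struct.unpack_from("<HHH", buf, off)
    p = off + 6
    key = bytearray()
    while buf[p:p + 2] != b"\0\0":            # szKey is null-terminated UTF-16LE
        key += buf[p:p + 2]
        p += 2
    p = _align4(p + 2)
    # wValueLength counts WCHARs for text nodes (wType == 1), bytes otherwise
    vbytes = w_vlen * 2 if w_type == 1 else w_vlen
    value = buf[p:p + vbytes]
    p = _align4(p + vbytes)
    end = off + w_len
    children = []
    while p < end:                            # every child starts DWORD-aligned
        child, child_end = _read_block(buf, p)
        children.append(child)
        p = _align4(child_end)
    return (key.decode("utf-16-le"), w_type, value, children), end


def parse_version_info(blob):
    (key, _, fixed, children), _ = _read_block(blob, 0)
    if key != "VS_VERSION_INFO" or len(fixed) < 52:
        raise ValueError("not a VS_VERSIONINFO block")
    f = struct.unpack_from("<13I", fixed)
    if f[0] != SIGNATURE:
        raise ValueError("bad VS_FIXEDFILEINFO signature")
    info = {
        "file_version": "%d.%d.%d.%d" % (f[2] >> 16, f[2] & 0xFFFF, f[3] >> 16, f[3] & 0xFFFF),
        "product_version": "%d.%d.%d.%d" % (f[4] >> 16, f[4] & 0xFFFF, f[5] >> 16, f[5] & 0xFFFF),
        "translations": [],   # "LLLLCCCC" keys exactly as the file offers them
        "strings": {},        # translation key -> {name: value}
    }
    for ckey, _, _, cchildren in children:
        if ckey == "VarFileInfo":
            for vkey, _, vval, _ in cchildren:
                if vkey == "Translation":     # array of (language WORD, code page WORD)
                    for i in range(0, len(vval) - 3, 4):
                        lang, cp = struct.unpack_from("<HH", vval, i)
                        info["translations"].append("%04X%04X" % (lang, cp))
        elif ckey == "StringFileInfo":
            for tkey, _, _, strings in cchildren:
                table = info["strings"].setdefault(tkey.upper(), {})
                for skey, _, sval, _ in strings:
                    table[skey] = sval.decode("utf-16-le").split("\0", 1)[0]
    return info


def lookup_string(info, name):
    """Resolve a StringFileInfo value via the translations the file declares,
    as the MSDN VerQueryValue example does, rather than guessing a locale."""
    for tr in info["translations"]:
        val = info["strings"].get(tr, {}).get(name)
        if val is not None:
            return val
    return None


# ---- constructed sample resource (invented, not taken from a real binary) ---
def _pad4(b):
    return b + b"\0" * (-len(b) % 4)


def _block(key, value, wtype, children=b"", value_len=None):
    body = _pad4(struct.pack("<HHH", 0, 0, wtype) + (key + "\0").encode("utf-16-le")) + value
    if children:
        body = _pad4(body) + children
    vlen = len(value) if value_len is None else value_len
    return _pad4(struct.pack("<HHH", len(body), vlen, wtype) + body[6:])


def build_sample():
    """A German-only (0407/04B0) version resource: a hardcoded 040904E4 lookup
    finds nothing, the Translation table finds the right string table."""
    fixed = struct.pack("<13I", SIGNATURE, 0x10000,
                        (2 << 16) | 5, (1 << 16) | 42,    # file version 2.5.1.42
                        (2 << 16) | 5, (1 << 16) | 42,    # product version 2.5.1.42
                        0x3F, 0, 4, 1, 0, 0, 0)           # mask, flags, VOS__WINDOWS32, VFT_APP, ...

    def s(name, text):
        v = (text + "\0").encode("utf-16-le")
        return _block(name, v, 1, value_len=len(v) // 2)   # length in WCHARs

    table = _block("040704B0", b"", 1,
                   s("FileDescription", "Beispiel-Anwendung") + s("CompanyName", "Example GmbH"))
    var = _block("Translation", struct.pack("<HH", 0x0407, 0x04B0), 0)
    return _block("VS_VERSION_INFO", fixed, 0,
                  _block("StringFileInfo", b"", 1, table) + _block("VarFileInfo", b"", 1, var))


if __name__ == "__main__":
    info = parse_version_info(build_sample())
    print(info["file_version"], info["translations"])
    print("hardcoded 040904E4:", info["strings"].get("040904E4"))
    print("via Translation:", lookup_string(info, "FileDescription"))
```

To use it on a real module, feed the function the raw bytes of resource ID 1, type RT_VERSION (what post #1 copies into its TMemoryStream); the alignment after each child node matters because the compiler-emitted wLength of a node does not always include its trailing padding.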
#3
What kind of protection is this below?
https://i.stack.imgur.com/70pG4.png
Even saving after changes. I tried to inject a DLL using LordPE, but it's also blocked.
Last edited by phroyt; 04-29-2020 at 11:12.
#4
That picture isn't a protection, just a manifest file that tells Windows the kind of requirements and access level the application expects/needs to run properly. Generally, it's used to request elevated permissions.
__________________
Personal Projects Site: https://atom0s.com
#5
Sorry,
I'm not arguing about the manifest. I know what it means. I don't understand what makes an executable locked against resource changes. As you can see, even the "Save As" button is disabled.
This image shows Resource Hacker with italic items: https://imgur.com/eLUbofr
This image shows Resource Hacker with normal items: https://imgur.com/ioEm72Q
#6
That would be specific to the tool itself, you'd have to ask the author of it for help as to why. Could be any number of things.
__________________
Personal Projects Site: https://atom0s.com
#7
Is this just an NTFS file or other permission issue? Perhaps the executable is read/execute or the like. Certainly most editors will gray out save options. You could try running it elevated, or as whatever service or the SYSTEM account with runas.
Why the version query fails might also have to do with integrity levels and permission checks. I would research the exact details here, as I assume this is straightforward to resolve without a potentially complicated workaround, given the multilingual issues etc.
#8
I have version 4.5.30 of Resource Hacker.
I was curious to know why it sets the font style to italic in the TreeView when opening a new file.
Code:
00705308 | 8B45 F4       | mov eax,dword ptr ss:[ebp-C]
0070530B | 8B80 E0060000 | mov eax,dword ptr ds:[eax+6E0]
00705311 | 8B16          | mov edx,dword ptr ds:[esi]
00705313 | E8 00DFEFFF   | call
Enter "resourcehacker.sub_603218" and you will see it checks the file for several conditions. Before entering "resourcehacker.sub_603218" you will notice this byte is set to 1, and later in that function it's set to 0:
Code:
00603425 | C640 16 00    | mov byte ptr ds:[eax+16],0
Code:
0060329D | 50            | push eax
0060329E | E8 49F8E0FF   | call