Next Generation Emulation

1 - 3 of 3 Posts

Emu Author
Discussion Starter · #1
Hi, I am still a rather new person to programming, but I know some stuff already. Well, since I started programming I always made sort of small goals I would like to reach before I moved on to bigger things, and well, earlier this year I broke (at least to me) a very major goal: being able to make and use DLL files effectively.

Well, since that time there has always been a very tiny thing with DLL files I always wanted to have with mine but just never knew how to do. That little thing being able to have mine show the description and version number under the name of my DLL file.

So if anyone knows how to possibly do this with DLL files, could you maybe show me how? Thank you very much :). (Oh, if you want to also see a copy of some of my work, just contact me; I like to show off some of what I work on as well.)

Transcended
I don't know the exact answer. I can guide you to the solution, but the solution I propose will NOT be an easy one. I'm not an extensive C++ coder, so there might be an easier way to do this, but after some Google searches, I can find no way to do it.

I'm warning you now that this is not for the faint of heart.

First of all, let's deal with the EASY problem, or at least the problem I have somewhat of a solution for...

The data you want, such as version and description are stored in the Resource Section of a PE file (which is essentially what a Win32 DLL file is anyway). Specifically, in the section known as .rsrc. That section contains data on where the resources of the PE file are stored. The data you need is treated as a resource and stored in Unicode format. You can do some mathematics on your own to determine where the data is. I tried to search the internet for specifics on the data you need but I couldn't find any. So I'm guessing you need some trial and error on your part to find the exact location. You'll have to reconstruct the Resource tree on your own and figure out which part of the tree corresponds to the data you need.

You CAN cheat though. I for one never really bothered to study exactly how the resource section is constructed, since I never really needed to fiddle with it. You see, the data you need is preceded by "FileVersion" for the version and "FileDescription" for the description. The preceding labels ARE still Unicoded though. But in most circumstances they are near the end of the file. So you could do a byte-for-byte check near the end instead of reconstructing the whole resource tree data. Or, to make it safer, you can calculate the start of the Resource Section via the data in the .rsrc and start looking from there for Unicoded strings. The algo would be: read the MZ header to know where the PE header is. From the PE header the first section is a fixed length away. Each section is also a fixed length, so you can start iterating through each, looking for the string ".rsrc". Once you find it, look up where the Raw data is physically located (or was that Virtual...? Damn, I forgot.) Once you get the address... start comparing away. This is much easier to understand than a resource tree reconstruction, I think.

Well... now you know the data... The HARD problem now is how to make the darn data pop up underneath the filename when you hover above it. MP3s and other files get away with this easily since Windows has built-in support for this. No such thing for DLL files.

I have an idea, but it's ridiculously hard in comparison to the first problem. Make a C++ or Assembly program that intercepts all file accesses and checks the name of the accessed file. A classic example of something that does this is the Chernobyl virus. It's also known as CIH by other AV vendors. It basically hooks the API that Windows calls by making it go to its own code in memory first. Getting the filename is one thing... displaying it on the screen is another... er... I don't know what to do anymore. If you know a way to do this in VB, C++ or something, then be my guest. They MIGHT have a way to override the tooltips that Windows provides so that they display your custom data (tooltips are what you call those yellow boxes that pop up).

So I have a better alternative... Just make an app that collates all the DLL files on your drive (or in a specified location). That way, you can click on the name through some GUI, then fetch the data right then and there. *Infinitely* easier than a running app that intercepts your accesses.

Now, I'm sure you'd want some resources on the matter. I can't give you my resources since I'm under a non-disclosure agreement... but I can give you tips.

Here are links on the PE file format. There's no data on getting the data you want specifically, though, but you'll need it to start the rudimentary calculations.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndebug/html/msdn_peeringpe.asp
http://www.windowsitlibrary.com/Content/356/11/1.html

I have another link which is a tad simpler (I think) but I can't post it since I just discovered that it's hosted on a VX (Virus Community) site so I can't post it here. PM me if you want it.

Now, it'd be helpful if you have tools to help you with the job.

http://www.softpedia.com/progDownload/Hiew-Download-1699.html
Hiew - It's a damn powerful hex editor/viewer. It also loads files megabytes in size almost instantaneously. I even use it as my default file viewer nowadays since it sees stuff in raw form, without Windows-compatible modifications (you see it in ASCII form as it was meant). You'll be using it to find the sections and headers.

http://www.foundstone.com/index.htm...tm&subcontent=/resources/proddesc/bintext.htm
BinText - Allows you to view the strings in a file. It recognizes Unicode and converts it to a more readable form. Open a DLL and scroll down and you'll see the stuff such as FileDescription etc....

http://peid.has.it/
PEiD - Allows you to see pertinent PE file information. Not necessary, since Hiew can give you the info too, but this is much easier to use, at least for that info only.

LordPE, PEBrowse, PEDUMP, PE Explorer - Recommended tools I found linked from Wikipedia. I never used them but heck... they might help.

Now... after all that, if you still want to go through with it, assuming you haven't found an easier solution, PM me and I might be able to help you more.

Good luck! :)
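The walk described in the post above (MZ header, PE header, section table, .rsrc, then a byte-for-byte search for the UTF-16 keys), written out as an added example in Python. This is not code from either poster; the function names, the sample DLL bytes and the hypothetical "Sample plugin DLL" strings are constructed here so the script runs offline. Two details the post leaves open are settled in the code: the section table is not a fixed distance from the PE header (it follows the optional header, whose size is given by SizeOfOptionalHeader), and when you read the file from disk the address you want is PointerToRawData; VirtualAddress is the RVA that only applies once the image is mapped in memory. Note also that this data is a VERSIONINFO resource (resource type RT_VERSION) that the linker builds from an .rc script, and Windows reads it through GetFileVersionInfo/VerQueryValue, which is what the Explorer tooltip uses; parsing it by hand is only needed if you cannot call that API.

```python
"""Pull FileDescription / FileVersion out of a DLL by walking the PE headers
to the .rsrc section and scanning it for the UTF-16 version-info keys.
Added example; the sample DLL bytes are constructed, not a real binary."""
import struct

SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
VERSION_KEYS = ("FileDescription", "FileVersion", "ProductName", "ProductVersion")


def _utf16z(s: str) -> bytes:
    """NUL-terminated UTF-16LE, the encoding used for every key and value."""
    return (s + "\0").encode("utf-16-le")


def find_section(data: bytes, wanted: bytes):
    """Return (PointerToRawData, SizeOfRawData, VirtualAddress) of a named section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.  The section table is NOT
    # a fixed distance from the PE header: it starts after the (variable-size) optional header.
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    for i in range(nsections):
        name, _vsize, vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_HEADER, data, table + 40 * i)
        if name.rstrip(b"\0") == wanted:
            # raw_ptr is the on-disk file offset; vaddr is the RVA used once the image is mapped.
            return raw_ptr, raw_size, vaddr
    raise KeyError(f"section {wanted!r} not present")


def extract_version_strings(data: bytes) -> dict:
    """Scan .rsrc for String blocks whose szKey is one of VERSION_KEYS."""
    raw_ptr, raw_size, _ = find_section(data, b".rsrc")
    rsrc = data[raw_ptr:raw_ptr + raw_size]
    found = {}
    for key in VERSION_KEYS:
        needle = _utf16z(key)
        pos = rsrc.find(needle)
        if pos < 6:                      # not found (-1), or no room for the block header
            continue
        # A String block is {wLength, wValueLength, wType, szKey, padding, Value};
        # its 6-byte header sits directly before the key we just matched.
        _, w_value_length, w_type = struct.unpack_from("<HHH", rsrc, pos - 6)
        if w_type != 1 or w_value_length == 0:   # wType 1 == text value
            continue
        value_off = pos + len(needle)
        value_off += (-(raw_ptr + value_off)) % 4   # Value is padded to a DWORD boundary
        # wValueLength is documented in WCHARs, but some linkers write bytes: read the
        # larger of the two interpretations and cut at the first NUL to cope with both.
        raw = rsrc[value_off:value_off + 2 * w_value_length]
        found[key] = raw.decode("utf-16-le", errors="replace").split("\0")[0]
    return found


def _vi_block(key: str, value: bytes = b"", w_type: int = 1, children: bytes = b"") -> bytes:
    """Build one VS_VERSIONINFO-style block (only used for the constructed sample)."""
    key_bytes = _utf16z(key)
    head = 6 + len(key_bytes)
    pad1 = (-head) % 4
    pad2 = (-(head + pad1 + len(value))) % 4
    w_value_length = len(value) // 2 if w_type == 1 else len(value)
    length = head + pad1 + len(value) + pad2 + len(children)
    return (struct.pack("<HHH", length, w_value_length, w_type) + key_bytes
            + b"\0" * pad1 + value + b"\0" * pad2 + children)


def build_sample_dll() -> bytes:
    """Constructed minimal PE32 DLL: MZ stub, PE/COFF header, .text and .rsrc sections."""
    strings = (_vi_block("FileDescription", _utf16z("Sample plugin DLL"))
               + _vi_block("FileVersion", _utf16z("1.2.3.4")))
    version_info = _vi_block("VS_VERSION_INFO", b"", 0,
                             _vi_block("StringFileInfo", b"", 1,
                                       _vi_block("040904B0", b"", 1, strings)))
    # Real files put the resource directory tree first; 0x30 zero bytes stand in for it.
    rsrc = (b"\0" * 0x30 + version_info).ljust(0x200, b"\0")
    text_sec = b"\xC3".ljust(0x200, b"\0")                   # a lone RET instruction
    pe_off = 0x80
    dos = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", pe_off)).ljust(pe_off, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)   # i386, 2 sections, DLL
    optional = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")           # PE32 magic, rest zeroed
    sections = (struct.pack(SECTION_HEADER, b".text", len(text_sec), 0x1000, len(text_sec),
                            0x200, 0, 0, 0, 0, 0x60000020)
                + struct.pack(SECTION_HEADER, b".rsrc", len(rsrc), 0x2000, len(rsrc),
                              0x400, 0, 0, 0, 0, 0x40000040))
    headers = (dos + b"PE\0\0" + coff + optional + sections).ljust(0x200, b"\0")
    return headers + text_sec + rsrc


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dll()
    for k, v in extract_version_strings(blob).items():
        print(f"{k}: {v}")
```

Run it with a real DLL path to dump its strings, or with no argument to parse the constructed sample. The DWORD alignment is computed against the file offset, which assumes the VS_VERSIONINFO block itself starts on a 4-byte boundary; that holds for linker-produced binaries, where resource data entries are aligned, but a hand-packed or deliberately malformed file can break the assumption, so treat the result as a hint rather than a trusted field.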