flat assembler
Message board for the users of flat assembler.

Problem with FileDescription information

dancho



So I'm using this function to retrieve FileDescription information from running processes:

Code:
    proc GetFileDescription uses esi edi ebx,_fileName,_fileDescript
            locals
                    subBlock1       TCHAR   '\VarFileInfo\Translation',0
                    subBlock2       TCHAR   '\StringFileInfo\%04x%04x\FileDescription',0
                    _handle rd      1
                    _size   rd      1
                    _ptr    rd      1
                    _len    rd      1
                    subBlock        rw      MAX_PATH
            endl

            invoke RtlZeroMemory,addr subBlock,MAX_PATH*2
            ; size of the version resource; the second argument is a pointer to a dword
            invoke GetFileVersionInfoSizeW,[_fileName],addr _handle
            or eax,eax
            jz .out
            mov [_size],eax
            invoke GlobalAlloc,GMEM_FIXED or GMEM_ZEROINIT,eax
            or eax,eax
            jz .out                 ; allocation failed
            mov ebx,eax
            invoke GetFileVersionInfoW,[_fileName],[_handle],[_size],ebx
            or eax,eax
            jz @f                   ; version resource could not be read
            ; first (language, codepage) pair of the translation table
            invoke VerQueryValueW,ebx,addr subBlock1,addr _ptr,addr _len
            or eax,eax
            jz @f
            ;
            mov edx,[_ptr]
            virtual at edx
                    .language       dw      ?
                    .codePage       dw      ?
            end virtual

            movzx eax,[.language]
            movzx ecx,[.codePage]
            ; build '\StringFileInfo\<language><codepage>\FileDescription'
            cinvoke wsprintf,addr subBlock,addr subBlock2,eax,ecx
            invoke VerQueryValueW,ebx,addr subBlock,addr _ptr,addr _len
            ;
            or eax,eax
            jz @f
            ; lstrcpy does not bound the copy: the caller's buffer must be large enough
            invoke lstrcpy,[_fileDescript],[_ptr]
    @@:
            invoke GlobalFree,ebx
    .out:
            xor eax,eax
            ret
    endp

/*Arguments to the function are memory addresses*/

and it is working for every process I started and tested (and compared to Process Explorer) except one (for now);
that one is FASMW.EXE from the fasm package.
According to Process Explorer, the file description for fasmw.exe is flat assembler (right mouse click / properties confirms), but the second call to VerQueryValueW returns false and an empty string,
and I really don't know why (no GetLastError for this func),
so if someone could test this func and illuminate me I would really appreciate it...

thx
Post 08 Nov 2011, 17:12
typedef



TIP: OllyDbg v2 + int 3CH + NOP + F2 + F8
Post 08 Nov 2011, 17:28
dancho



Well, although fasmw.exe's language and codepage components aren't read properly by the first VerQueryValueW function (don't know why, some other processes I tested also have ANSI codepage 04E4 and read just fine),
I found that a hardcoded codepage also works (like that is a surprise) and the second call to VerQueryValueW returns TRUE and the proper FileDescription is written.
The only problem is when to use 04E4 and when 04B0 (Unicode) for the processes that have an analogous problem like fasmw.exe; well,
a simple solution is 2 calls to VerQueryValueW to find the right one...
If anyone has some other suggestion please post it...

thx
Post 10 Nov 2011, 19:43
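
An added example, not code from this thread or from the fasm package: instead of guessing between 04E4 and 04B0, the version resource can be walked directly to see which string tables it really contains. It goes beyond the thread by parsing the VS_VERSIONINFO node layout in Python; `parse_node`, `file_description`, `build` and the `SAMPLE` blob are names and data constructed for this illustration, and the sample's Translation pair (0409/0000) is deliberately made not to match its only string table (040904E4).

```python
import struct

def _align(n):
    return (n + 3) & ~3                      # keys, values and children are DWORD-aligned

def parse_node(buf, off=0):
    """Return (key, value_bytes, children, end_offset) for the node at off."""
    length, vlen, vtype = struct.unpack_from("<HHH", buf, off)
    end = off + length
    if length < 8 or end > len(buf):
        raise ValueError("bad node length at offset %d" % off)
    kend = off + 6
    while buf[kend:kend + 2] not in (b"\0\0", b""):    # NUL-terminated UTF-16 key
        kend += 2
    key = buf[off + 6:kend].decode("utf-16-le")
    p = _align(kend + 2)
    nbytes = vlen * 2 if vtype == 1 else vlen          # text lengths are in WCHARs
    value = buf[p:min(p + nbytes, end)]
    p, children = _align(p + nbytes), []
    while p + 6 <= end:
        children.append(parse_node(buf, p))
        p = _align(children[-1][3])
    return key, value, children, end

def file_description(blob):
    """Return (table_key, description) or None; Translation pairs are tried first."""
    kids = {k: c for k, _, c, _ in parse_node(blob)[2]}
    tables = {k.upper(): c for k, _, c, _ in kids.get("StringFileInfo", [])}
    wanted = ["%04X%04X" % struct.unpack_from("<HH", v, i)
              for k, v, _, _ in kids.get("VarFileInfo", []) if k == "Translation"
              for i in range(0, len(v) - 3, 4)]        # array of (language, codepage)
    for key in wanted + sorted(tables):                # then every table really present
        for name, val, _, _ in tables.get(key, []):
            if name == "FileDescription":
                return key, val.decode("utf-16-le").rstrip("\0")
    return None

def build(key, value=b"", vtype=1, children=()):       # serializer for the sample only
    body = b"\0" * 6 + key.encode("utf-16-le") + b"\0\0"
    for part in (value, *children):
        body = body.ljust(_align(len(body)), b"\0") + part
    vlen = len(value) // 2 if vtype == 1 else len(value)
    return struct.pack("<HHH", len(body), vlen, vtype) + body[6:]

# Constructed sample: Translation says 0409/0000, the only string table is 040904E4.
SAMPLE = build("VS_VERSION_INFO", struct.pack("<13I", 0xFEEF04BD, *[0] * 12), 0, [
    build("StringFileInfo", children=[build("040904E4", children=[
        build("FileDescription", "constructed sample\0".encode("utf-16-le"))])]),
    build("VarFileInfo", children=[
        build("Translation", struct.pack("<HH", 0x0409, 0x0000), 0)])])
```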
Copyright © 1999-2020, Tomasz Grysztar.
