Dustin's Busted


Dustin this C language we were talking about recently is interesting. I'm  
getting to like it. Some tech I bumped into says the following is the  
right way to do it.  

Sorry about the line wrap but I like to keep the code as clear and self  
documenting as possible. You know...... the way IT pros do it.  

You're busted!  

Jax  

====================================================

using System;
using System.IO;
using System.Runtime.InteropServices;

namespace ExeChecker              //Dustin's Busted!
{
    /// <summary>
    /// The MS-DOS ("MZ") header at offset 0 of a PE file, declared field-for-field
    /// as in winnt.h so that it marshals to the expected 64 bytes. ExeChecker reads
    /// only <c>e_magic</c> and <c>e_lfanew</c>; the other fields exist to keep the
    /// layout correct.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    struct IMAGE_DOS_HEADER
    {
        public ushort e_magic;    // Magic number; must equal IMAGE_DOS_SIGNATURE ("MZ")
        public ushort e_cblp;     // Bytes on last page of file
        public ushort e_cp;       // Pages in file
        public ushort e_crlc;     // Relocations
        public ushort e_cparhdr;  // Size of header in paragraphs
        public ushort e_minalloc; // Minimum extra paragraphs needed
        public ushort e_maxalloc; // Maximum extra paragraphs needed
        public ushort e_ss;       // Initial (relative) SS value
        public ushort e_sp;       // Initial SP value
        public ushort e_csum;     // Checksum
        public ushort e_ip;       // Initial IP value
        public ushort e_cs;       // Initial (relative) CS value
        public ushort e_lfarlc;   // File address of relocation table
        public ushort e_ovno;     // Overlay number
        public uint e_res1;       // Reserved (winnt.h e_res[4], 8 bytes packed as two uints)
        public uint e_res2;       // Reserved
        public ushort e_oemid;    // OEM identifier (for e_oeminfo)
        public ushort e_oeminfo;  // OEM information; e_oemid specific
        public uint e_res3;       // Reserved (winnt.h e_res2[10], 20 bytes packed as five uints)
        public uint e_res4;       // Reserved
        public uint e_res5;       // Reserved
        public uint e_res6;       // Reserved
        public uint e_res7;       // Reserved
        public int e_lfanew;      // File address of new exe header; signed, so a malformed
                                  // file can make it negative or point past the end of the
                                  // file - validate before seeking with it
    }

    /// <summary>
    /// The COFF file header that immediately follows the "PE\0\0" signature
    /// (20 bytes, same field order as winnt.h). ExeChecker uses
    /// <c>Machine</c> to pick the 32/64-bit optional header and
    /// <c>Characteristics</c> to exclude DLLs.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    struct IMAGE_FILE_HEADER
    {
        public ushort Machine;              // Target CPU; compared with the IMAGE_FILE_MACHINE_* constants
        public ushort NumberOfSections;     // Entries in the section table (not read here)
        public uint TimeDateStamp;          // Link time stamp (not read here)
        public uint PointerToSymbolTable;   // COFF symbol table offset (not read here)
        public uint NumberOfSymbols;        // COFF symbol count (not read here)
        public ushort SizeOfOptionalHeader; // Byte size of the optional header that follows (not read here)
        public ushort Characteristics;      // Flag bits; IMAGE_FILE_DLL is tested by ExeChecker.IsValidExe
    }

    /// <summary>
    /// The prefix shared by IMAGE_NT_HEADERS32 and IMAGE_NT_HEADERS64: the PE
    /// signature and the file header. ExeChecker reads this first, at
    /// <c>e_lfanew</c>, so the machine type can decide which full header
    /// struct to read next.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    struct IMAGE_NT_HEADERS_COMMON
    {
        public uint Signature;               // Must equal IMAGE_NT_SIGNATURE ("PE\0\0")
        public IMAGE_FILE_HEADER FileHeader; // Machine type and characteristics
    }

    /// <summary>
    /// Full NT headers for a PE32 (32-bit) image: signature, file header and the
    /// 32-bit optional header. Read by ExeChecker when the machine type is i386.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    struct IMAGE_NT_HEADERS32
    {
        public uint Signature;                       // "PE\0\0"
        public IMAGE_FILE_HEADER FileHeader;
        public IMAGE_OPTIONAL_HEADER32 OptionalHeader; // Magic is checked against IMAGE_NT_OPTIONAL_HDR32_MAGIC
    }

    /// <summary>
    /// Full NT headers for a PE32+ (64-bit) image: signature, file header and the
    /// 64-bit optional header. Read by ExeChecker when the machine type is AMD64
    /// or IA64.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    struct IMAGE_NT_HEADERS64
    {
        public uint Signature;                       // "PE\0\0"
        public IMAGE_FILE_HEADER FileHeader;
        public IMAGE_OPTIONAL_HEADER64 OptionalHeader; // Magic is checked against IMAGE_NT_OPTIONAL_HDR64_MAGIC
    }

    /// <summary>
    /// The fixed part of the PE32 optional header (standard + Windows-specific
    /// fields, in winnt.h order). The DataDirectory array that follows
    /// <c>NumberOfRvaAndSizes</c> in winnt.h is deliberately not declared, since
    /// ExeChecker only inspects <c>Magic</c>.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    struct IMAGE_OPTIONAL_HEADER32
    {
        public ushort Magic;                     // IMAGE_NT_OPTIONAL_HDR32_MAGIC (0x10B) for PE32
        public byte MajorLinkerVersion;
        public byte MinorLinkerVersion;
        public uint SizeOfCode;
        public uint SizeOfInitializedData;
        public uint SizeOfUninitializedData;
        public uint AddressOfEntryPoint;
        public uint BaseOfCode;
        public uint BaseOfData;                  // PE32 only; absent from IMAGE_OPTIONAL_HEADER64
        public uint ImageBase;                   // 32-bit here, 64-bit in the PE32+ header
        public uint SectionAlignment;
        public uint FileAlignment;
        public ushort MajorOperatingSystemVersion;
        public ushort MinorOperatingSystemVersion;
        public ushort MajorImageVersion;
        public ushort MinorImageVersion;
        public ushort MajorSubsystemVersion;
        public ushort MinorSubsystemVersion;
        public uint Win32VersionValue;
        public uint SizeOfImage;
        public uint SizeOfHeaders;
        public uint CheckSum;
        public ushort Subsystem;
        public ushort DllCharacteristics;
        public uint SizeOfStackReserve;          // 32-bit here, 64-bit in the PE32+ header
        public uint SizeOfStackCommit;
        public uint SizeOfHeapReserve;
        public uint SizeOfHeapCommit;
        public uint LoaderFlags;
        public uint NumberOfRvaAndSizes;         // Count of DataDirectory entries (not declared here)
    }

    /// <summary>
    /// The fixed part of the PE32+ optional header. Differs from the PE32 layout
    /// in having no <c>BaseOfData</c> and in widening <c>ImageBase</c> and the
    /// stack/heap sizes to 64 bits. The trailing DataDirectory array is not
    /// declared; ExeChecker only inspects <c>Magic</c>.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    struct IMAGE_OPTIONAL_HEADER64
    {
        public ushort Magic;                     // IMAGE_NT_OPTIONAL_HDR64_MAGIC (0x20B) for PE32+
        public byte MajorLinkerVersion;
        public byte MinorLinkerVersion;
        public uint SizeOfCode;
        public uint SizeOfInitializedData;
        public uint SizeOfUninitializedData;
        public uint AddressOfEntryPoint;
        public uint BaseOfCode;
        public ulong ImageBase;                  // 64-bit; starts at offset 24, so naturally 8-aligned
        public uint SectionAlignment;
        public uint FileAlignment;
        public ushort MajorOperatingSystemVersion;
        public ushort MinorOperatingSystemVersion;
        public ushort MajorImageVersion;
        public ushort MinorImageVersion;
        public ushort MajorSubsystemVersion;
        public ushort MinorSubsystemVersion;
        public uint Win32VersionValue;
        public uint SizeOfImage;
        public uint SizeOfHeaders;
        public uint CheckSum;
        public ushort Subsystem;
        public ushort DllCharacteristics;
        public ulong SizeOfStackReserve;         // 64-bit in PE32+
        public ulong SizeOfStackCommit;
        public ulong SizeOfHeapReserve;
        public ulong SizeOfHeapCommit;
        public uint LoaderFlags;
        public uint NumberOfRvaAndSizes;         // Count of DataDirectory entries (not declared here)
    }

    static class ExeChecker
    {
        public static bool IsValidExe(string fileName)
        {
            if (!File.Exists(fileName))
                return false;

            try
            {
                using (var stream = File.OpenRead(fileName))
                {
                    IMAGE_DOS_HEADER dosHeader = GetDosHeader(stream);
                    if (dosHeader.e_magic != IMAGE_DOS_SIGNATURE)
                        return false;

                    IMAGE_NT_HEADERS_COMMON ntHeader = GetCommonNtHeader
(stream, dosHeader);
                    if (ntHeader.Signature != IMAGE_NT_SIGNATURE)
                        return false;

                    if ((ntHeader.FileHeader.Characteristics &  
IMAGE_FILE_DLL) != 0)
                        return false;

                    switch (ntHeader.FileHeader.Machine)
                    {
                        case IMAGE_FILE_MACHINE_I386:
                            return IsValidExe32(GetNtHeader32(stream,  
dosHeader));

                        case IMAGE_FILE_MACHINE_IA64:
                        case IMAGE_FILE_MACHINE_AMD64:
                            return IsValidExe64(GetNtHeader64(stream,  
dosHeader));
                    }
                }
            }
            catch (InvalidOperationException)
            {
                return false;
            }

            return true;
        }

        static bool IsValidExe32(IMAGE_NT_HEADERS32 ntHeader)
        {
            return ntHeader.OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32
_MAGIC;
        }

        static bool IsValidExe64(IMAGE_NT_HEADERS64 ntHeader)
        {
            return ntHeader.OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64
_MAGIC;
        }

        static IMAGE_DOS_HEADER GetDosHeader(Stream stream)
        {
            stream.Seek(0, SeekOrigin.Begin);
            return ReadStructFromStream<IMAGE_DOS_HEADER>(stream);
        }

        static IMAGE_NT_HEADERS_COMMON GetCommonNtHeader(Stream stream,  
IMAGE_DOS_HEADER dosHeader)
        {
            stream.Seek(dosHeader.e_lfanew, SeekOrigin.Begin);
            return ReadStructFromStream<IMAGE_NT_HEADERS_COMMON>(stream);
        }

        static IMAGE_NT_HEADERS32 GetNtHeader32(Stream stream,  
IMAGE_DOS_HEADER dosHeader)
        {
            stream.Seek(dosHeader.e_lfanew, SeekOrigin.Begin);
            return ReadStructFromStream<IMAGE_NT_HEADERS32>(stream);
        }

        static IMAGE_NT_HEADERS64 GetNtHeader64(Stream stream,  
IMAGE_DOS_HEADER dosHeader)
        {
            stream.Seek(dosHeader.e_lfanew, SeekOrigin.Begin);
            return ReadStructFromStream<IMAGE_NT_HEADERS64>(stream);
        }

        static T ReadStructFromStream<T>(Stream stream)
        {
            int structSize = Marshal.SizeOf(typeof(T));
            IntPtr memory = IntPtr.Zero;

            try
            {
                memory = Marshal.AllocCoTaskMem(structSize);
                if (memory == IntPtr.Zero)
                    throw new InvalidOperationException();

                byte[] buffer = new byte[structSize];
                int bytesRead = stream.Read(buffer, 0, structSize);
                if (bytesRead != structSize)
                    throw new InvalidOperationException();

                Marshal.Copy(buffer, 0, memory, structSize);

                return (T)Marshal.PtrToStructure(memory, typeof(T));
            }
            finally
            {
                if (memory != IntPtr.Zero)
                    Marshal.FreeCoTaskMem(memory);
            }
        }

        const ushort IMAGE_DOS_SIGNATURE = 0x5A4D;  // MZ
        const uint IMAGE_NT_SIGNATURE = 0x00004550; // PE00

        const ushort IMAGE_FILE_MACHINE_I386 = 0x014C;  // Intel 386
        const ushort IMAGE_FILE_MACHINE_IA64 = 0x0200;  // Intel 64
        const ushort IMAGE_FILE_MACHINE_AMD64 = 0x8664; // AMD64

        const ushort IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B; // PE32
        const ushort IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B; // PE32+

        const ushort IMAGE_FILE_DLL = 0x2000;
    }

    class Program
    {
        static int Main(string[] args)
        {
            if (args.Length == 0)
            {
                Console.WriteLine("Please specify a file name to check.");
                return 1;
            }

            bool isValid = ExeChecker.IsValidExe(args[0]);
            Console.WriteLine(isValid);

            return 0;
        }
    }
}


--  


Re: Dustin's Busted

127.0.0.1:


Poohs no IT pro under those conditions. [g]
  



--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dustin's Busted



Dustin is that the best comment you can make on that code? It does a far  
better job than Exevalid. I'm surprised you haven't got more to say.

Why bother running a flawed application like your Exevalid?

--  
Jax    :)

Re: Dustin's Busted

wrote:


Nice work Jax. Send my love to all the girls at GCHQ. Boy does that take
me back. Chin Chin. Drop by for tiffin sometime. Ciao.

--  
Women know your place!
Ironing the bedlinen -  Super fun.
Flower arranging - One must do one's bit you know!
Rimming the Vicar - He just adores me  

Re: Dustin's Busted

"Jax" wrote:


That's arguable. It is the correct way to detect PE exes but that's
the only type it detects. Furthermore, it does not compute the size,
examines only one file and it deliberately excludes DLLs. It's
important to include DLLs because although they need help to get run,
a lot of malware is packaged that way.

By the way it's written in C# (C sharp) not C. C# resembles Java more
than it does C.



Re: Dustin's Busted

127.0.0.1:


No it doesn't. It's limited to a single file, ignores DLL files and can
only tell you about PE based files; it does not compute file size, either.
  

Computing the correct file size, including DLLs and MZ DOS stubs, and, with
a little additional code, providing the same details as the plagiarized source
you posted (which is not C source, by the way; your tech needs to go back to
school for confusing C# with C). Oh, and EXEVALID processes an entire folder
of files at a time; it's not limited to a single file.

Oh wait, you thought it was c too, and your tech didn't correct you, and  
obviously Pooh didn't know the difference either.

Thanks for playing Jax, but you really don't have the required knowledge to  
participate and don't have the time to stalk/repaste from various  
newsgroups and forums for the help you need to stay in the discussion.  
You're just fucked.
  



--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dustin's Busted


Dustin there's no need to be such a bad loser..... be a good loser instead
and retain what little respect you have left. Just saying.

--  
Jax    :)

Re: Dustin's Busted



Pooh Cat...... Dustin's gone quiet about your latest Dusty Buster. Maybe
he's finding it hard to beat. He hasn't criticized my code either. Just
saying!

--  
Jax    :)

Re: Dustin's Busted

127.0.0.1:


A tech you bumped into? :)
  

Not only don't you understand how what you posted works, you also stole it  
from a rather cool website:

http://stackoverflow.com/questions/2863683/how-to-find-if-a-file-is-an-exe

So you may now officially add plagiarist to your resume.

You're Busted!
  



--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dustin's Busted



Does it now? You respect Ant's opinion, right? Let's see here.. oh yes:


Here ya go:

"Jax" wrote:


That's arguable. It is the correct way to detect PE exes but that's
the only type it detects. Furthermore, It does not compute the size,
examines only one file and it deliberately excludes DLLs. It's
important to include DLLs because although they need help to get run,
a lot of malware is packaged that way.

By the way it's written in C# (C sharp) not C. C# resembles Java more
than it does C.

Ant spoiled my fun by pointing out the glaring obvious fact Jax didn't post  
C source code and YOU didn't catch that! That tells me you probably aren't  
actually a c/c++ programmer either. *laugh laugh*

  



--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dustin's Busted



Nice spin, but.. you need a new angle I think. Fact is, you couldn't tell  
the difference between c/c++ or the silly looking C# (C Sharp). I'm not a  
personal fan of c sharp, if it helps. I can read it well enough to know my  
way around, but I'd rather stick hot nails thru my eyeballs than write  
anything in it.
  

Oh? I'm pretty sure I listed c/C++/c-- (not a typo) along with several  
other HLL languages I have experience in with DOS/Windows. hehehe. I'm  
multilingual in the digital sense of the word. *laugh*.


--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dustin's Busted



skin in the game of exposing Jax's mistake? LOLz! Bro, what do you think  
Ant has been for you? Nice try.
  

Laugh as I laugh pooh. I especially enjoyed your non coder comments. :)
  



--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dustin's Busted



Pooh Cat I don't understand what you wrote. I am not playering. I'm here
to chat about general matters and have discussions with all my online
friends.  

I didn't ask Dustin to dump his flawed code for Exevalid in A.C.F. and I
wish he would stop trying to pretend it works correctly. Then we could
talk about something more interesting.

--  
Jax    :)

Re: Dustin's Busted

On 5/18/2014 10:59 AM, Jax wrote:
If you really mean that, then stop starting threads just so you can
continue talking about it, you stupid troll.


Re: Dustin's Busted


Translation:  you didn't spot the code was a script.

--  
Jax    :)

Re: Dustin's Busted



Nice try. :) Pathetic, but when you've got nothing else, go with what you  
have right?
  



--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Dustin's Busted



Dustin I loved reading your post about sticking hot nails thru your
eyeballs and your claims about how many languages you know..... but all
that is totally irrelevant.  

The bottom line is you didn't mention the code was a script. Your excuses
don't change that. Think about it!

--  
Jax    :)

Re: Dustin's Busted

"Jax" wrote:


That's because it isn't. Why do you think it is?



Re: Dustin's Busted


  

Where did I say c sharp is script? I might personally consider it like a script,
but... it's not technically a "script" language.
  



--  
Take it easy... Don't let the sound of your own wheels drive you crazy.
Lighten up while you still can. Don't even try to understand. Just find a
place to make your stand and take it easy!  


Re: Dustin's Busted

Seems to me like you, BD and Pooh are like grade school bullies who really  
don't know shit, so all you can do is make fun of others by insults and  
other put downs to cover your ignorance. Sad.
Hopefully you three really have other things to do in life.
--  
Buffalo  

