// Check PE Format 0.1 // Bugreports : horsicq@gmail.com // function load() { // call on script load script.addMessage("Loading Check PE Format script"); script.addMessage("Bugreports: horsicq@gmail.com"); script.addMessage("______________________________"); } function name() { // return script's name return "Check PE Format 0.1"; } function info() { // return script's information return "Check PE Format 0.1"; } function run() { // main script's function var pefile=PEFile; var szCurrentFile=script.getCurrentFileName(); var value; var szString; script.addMessage("Open file: "+szCurrentFile); script.addMessage(""); if(pefile.setFileName(szCurrentFile)) { if(pefile.isValid()) { value=pefile.getDosHeader_magic(); szString="IMAGE_DOS_HEADER.e_magic: 0x"+script.wordToHex(value); if(value==0x5A4D) { script.addSuccessMessage(szString); } else { script.addErrorMessage(szString+" Invalid value(must be 0x5A4D)"); } value=pefile.getDosHeader_cblp(); szString="IMAGE_DOS_HEADER.e_cblp: 0x"+script.wordToHex(value); if(value) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be initialized)"); } value=pefile.getDosHeader_cp(); szString="IMAGE_DOS_HEADER.e_cp: 0x"+script.wordToHex(value); if(value) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be initialized)"); } value=pefile.getDosHeader_crlc(); szString="IMAGE_DOS_HEADER.e_crlc: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_cparhdr(); szString="IMAGE_DOS_HEADER.e_cparhdr: 0x"+script.wordToHex(value); if(value) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be initialized)"); } value=pefile.getDosHeader_minalloc(); szString="IMAGE_DOS_HEADER.e_minalloc: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_maxalloc(); szString="IMAGE_DOS_HEADER.e_maxalloc: 0x"+script.wordToHex(value); if(value) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be initialized)"); } value=pefile.getDosHeader_ss(); szString="IMAGE_DOS_HEADER.e_ss: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_sp(); szString="IMAGE_DOS_HEADER.e_sp: 0x"+script.wordToHex(value); if(value) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be initialized)"); } value=pefile.getDosHeader_csum(); szString="IMAGE_DOS_HEADER.e_csum: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_ip(); szString="IMAGE_DOS_HEADER.e_ip: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_cs(); szString="IMAGE_DOS_HEADER.e_cs: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_lfarlc(); szString="IMAGE_DOS_HEADER.e_lfarlc: 0x"+script.wordToHex(value); if(value) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be initialized)"); } value=pefile.getDosHeader_ovno(); szString="IMAGE_DOS_HEADER.e_ovno: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_res(0); szString="IMAGE_DOS_HEADER.e_res[0]: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_res(1); szString="IMAGE_DOS_HEADER.e_res[1]: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_res(2); szString="IMAGE_DOS_HEADER.e_res[2]: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_res(3); szString="IMAGE_DOS_HEADER.e_res[3]: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_oemid(); szString="IMAGE_DOS_HEADER.e_oemid: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_oeminfo(); szString="IMAGE_DOS_HEADER.e_oeminfo: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_res2(0); szString="IMAGE_DOS_HEADER.e_res2[0]: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_res2(1); szString="IMAGE_DOS_HEADER.e_res2[1]: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_res2(2); szString="IMAGE_DOS_HEADER.e_res2[2]: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_res2(3); szString="IMAGE_DOS_HEADER.e_res2[3]: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_res2(4); szString="IMAGE_DOS_HEADER.e_res2[4]: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_res2(5); szString="IMAGE_DOS_HEADER.e_res2[5]: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_res2(6); szString="IMAGE_DOS_HEADER.e_res2[6]: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_res2(7); szString="IMAGE_DOS_HEADER.e_res2[7]: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_res2(8); szString="IMAGE_DOS_HEADER.e_res2[8]: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_res2(9); szString="IMAGE_DOS_HEADER.e_res2[9]: 0x"+script.wordToHex(value); if(value==0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0)"); } value=pefile.getDosHeader_lfanew(); szString="IMAGE_DOS_HEADER.e_lfanew: 0x"+script.dwordToHex(value); if(value%4) { script.addWarningMessage(szString+" Invalid value(must be multiplicity 4)"); } else if(value==0) { script.addWarningMessage(szString+" Invalid value(must be initialized)"); } else if(value<=64) { script.addWarningMessage(szString+" PE signature in MSDOS header"); } else if(value>0x200) { script.addWarningMessage(szString+" Invalid value(too large)"); } else { script.addSuccessMessage(szString); } if(pefile.isDosStubPresent()) { script.addSuccessMessage("MS DOS present"); } else { script.addWarningMessage("MS DOS is not present"); } if(pefile.isRichSignaturePresent()) { script.addSuccessMessage("Rich signature present"); } else { script.addWarningMessage("Rich signature is not present"); } value=pefile.getNTHeaders_Signature(); szString="IMAGE_NT_HEADERS.Signature: 0x"+script.dwordToHex(value); if(value==0x00004550) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0x00004550)"); } value=pefile.getFileHeader_Machine(); szString="IMAGE_NT_HEADERS.IMAGE_FILE_HEADER.Machine: 0x"+script.wordToHex(value); if(value==0x014C) { script.addSuccessMessage(szString); } else if(value==0x8664) { script.addSuccessMessage(szString); } else { script.addErrorMessage(szString+" Invalid value(must be 0x014C or 0x8664)"); } value=pefile.getFileHeader_NumberOfSections(); szString="IMAGE_NT_HEADERS.IMAGE_FILE_HEADER.NumberOfSections: 0x"+script.wordToHex(value); if(value==0) { script.addErrorMessage(szString+" Invalid value(must be initialized)"); } else if(value>0x60) { script.addErrorMessage(szString+" Invalid value(too large)"); } else { script.addSuccessMessage(szString); } value=pefile.getFileHeader_TimeDateStamp(); szString="IMAGE_NT_HEADERS.IMAGE_FILE_HEADER.TimeDateStamp: 0x"+script.dwordToHex(value); if(value==0) { script.addWarningMessage(szString+" Invalid value(must be initialized)"); } else { script.addSuccessMessage(szString); } value=pefile.getFileHeader_PointerToSymbolTable(); szString="IMAGE_NT_HEADERS.IMAGE_FILE_HEADER.PointerToSymbolTable: 0x"+script.dwordToHex(value); if(value) { script.addWarningMessage(szString+" Invalid value(must be 0)"); } else { script.addSuccessMessage(szString); } value=pefile.getFileHeader_NumberOfSymbols(); szString="IMAGE_NT_HEADERS.IMAGE_FILE_HEADER.NumberOfSymbols: 0x"+script.dwordToHex(value); if(value) { script.addWarningMessage(szString+" Invalid value(must be 0)"); } else { script.addSuccessMessage(szString); } value=pefile.getFileHeader_SizeOfOptionalHeader(); szString="IMAGE_NT_HEADERS.IMAGE_FILE_HEADER.SizeOfOptionalHeader: 0x"+script.wordToHex(value); if(value==0) { script.addErrorMessage(szString+" Invalid value(must be initialized)"); } else { if(pefile.isPEPlus()) { if(value==0xF0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0x00F0)"); } } else { if(value==0xE0) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0x00E0)"); } } } value=pefile.getFileHeader_Characteristics(); szString="IMAGE_NT_HEADERS.IMAGE_FILE_HEADER.Characteristics: 0x"+script.wordToHex(value); if(value==0) { script.addErrorMessage(szString+" Invalid value(must be initialized)"); } else if(value&0x0002) { script.addSuccessMessage(szString); } else { script.addErrorMessage(szString+" Invalid value(IMAGE_FILE_EXECUTABLE_IMAGE must be set)"); } value=pefile.getOptionalHeader_Magic(); szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.Magic: 0x"+script.wordToHex(value); if(value==0) { script.addErrorMessage(szString+" Invalid value(must be initialized)"); } else if(value==0x10B) { script.addSuccessMessage(szString); } else if(value==0x20B) { script.addSuccessMessage(szString); } else { script.addErrorMessage(szString+"Invalid value(must be 0x10B or 0x20B)"); } value=pefile.getOptionalHeader_MajorLinkerVersion(); szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.MajorLinkerVersion: 0x"+script.byteToHex(value); if(value==0) { script.addWarningMessage(szString+" Invalid value(must be initialized)"); } else { script.addSuccessMessage(szString); } value=pefile.getOptionalHeader_MinorLinkerVersion(); szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.MinorLinkerVersion: 0x"+script.byteToHex(value); script.addSuccessMessage(szString); value=pefile.getOptionalHeader_SizeOfCode(); szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfCode: 0x"+script.dwordToHex(value); if(value==pefile.calculateSizeOfCode()) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be "+script.dwordToHex(pefile.calculateSizeOfCode())+")"); } value=pefile.getOptionalHeader_SizeOfInitializedData(); szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfInitializedData: 0x"+script.dwordToHex(value); if(value==pefile.calculateSizeOfInitializedData()) { script.addSuccessMessage(szString); } else if(value==pefile.calculateSizeOfInitializedData2()) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be "+script.dwordToHex(pefile.calculateSizeOfInitializedData())+" or "+script.dwordToHex(pefile.calculateSizeOfInitializedData2())+")"); } value=pefile.getOptionalHeader_SizeOfUninitializedData(); szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfUninitializedData: 0x"+script.dwordToHex(value); if(value==pefile.calculateSizeOfUninitializedData()) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be "+script.dwordToHex(pefile.calculateSizeOfUninitializedData())+")"); } value=pefile.getOptionalHeader_AddressOfEntryPoint(); szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint: 0x"+script.dwordToHex(value); if(pefile.RVAToSection(value)==0) { script.addSuccessMessage(szString); } else if(valuepefile.getOptionalHeader_SizeOfStackReserve64()) { script.addErrorMessage(szString+" Invalid value(must be below than IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfStackReserve)"); } else { script.addWarningMessage(szString+" Invalid value(must be initialized)"); } } else { value=pefile.getOptionalHeader_SizeOfStackCommit(); szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfStackCommit: 0x"+script.dwordToHex(value); if(value) { script.addSuccessMessage(szString); } else if(value>pefile.getOptionalHeader_SizeOfStackReserve()) { script.addErrorMessage(szString+" Invalid value(must be below than IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfStackReserve)"); } else { script.addWarningMessage(szString+" Invalid value(must be initialized)"); } } if(pefile.isPEPlus()) { value=pefile.getOptionalHeader_SizeOfHeapReserve64(); szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfHeapReserve: 0x"+script.qwordToHex(value); script.addSuccessMessage(szString); } else { value=pefile.getOptionalHeader_SizeOfHeapReserve(); szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfHeapReserve: 0x"+script.dwordToHex(value); script.addSuccessMessage(szString); } if(pefile.isPEPlus()) { value=pefile.getOptionalHeader_SizeOfHeapCommit64(); szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfHeapCommit: 0x"+script.qwordToHex(value); script.addSuccessMessage(szString); } else { value=pefile.getOptionalHeader_SizeOfHeapCommit(); szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.SizeOfHeapCommit: 0x"+script.dwordToHex(value); script.addSuccessMessage(szString); } value=pefile.getOptionalHeader_LoaderFlags(); szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.LoaderFlags: 0x"+script.dwordToHex(value); script.addSuccessMessage(szString); value=pefile.getOptionalHeader_NumberOfRvaAndSizes(); szString="IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER.NumberOfRvaAndSizes: 0x"+script.dwordToHex(value); if(value==16) { script.addSuccessMessage(szString); } else { script.addWarningMessage(szString+" Invalid value(must be 0x00000010)"); } // Export if(pefile.isDll()) { if(pefile.isExportPresent()) { script.addSuccessMessage("Export is present"); } else { script.addWarningMessage("Export is not present"); } } else { if(pefile.isExportPresent()) { script.addWarningMessage("Export is present"); } else { script.addSuccessMessage("Export is present"); } } // Import if(pefile.isImportPresent()) { script.addSuccessMessage("Import is present"); } else { script.addErrorMessage("Import is not present(module will not work in Windows 2000 and Vista)"); } // Resource if(pefile.isResourcePresent()) { script.addSuccessMessage("Resource is present"); } else { script.addWarningMessage("Resource is not present"); } // Version info if(pefile.isVersionInfoPresent()) { script.addSuccessMessage("Version info is present"); } else { script.addWarningMessage("Version info is not present"); } var nNumberOfSections=pefile.getFileHeader_NumberOfSections(); // Check sections for(var i=0;i