How to detect the types of executable files
How to detect the types of executable files
type { IMAGE_DOS_HEADER: DOS .EXE header. } IMAGE_DOS_HEADER = packed record e_magic : Word; // Magic number ("MZ") e_cblp : Word; // Bytes on last page of file e_cp : Word; // Pages in file e_crlc : Word; // Relocations e_cparhdr : Word; // Size of header in paragraphs e_minalloc: Word; // Minimum extra paragraphs needed e_maxalloc: Word; // Maximum extra paragraphs needed e_ss : Word; // Initial (relative) SS value e_sp : Word; // Initial SP value e_csum : Word; // Checksum e_ip : Word; // Initial IP value e_cs : Word; // Initial (relative) CS value e_lfarlc : Word; // Address of relocation table e_ovno : Word; // Overlay number e_res : packed array [0..3] of Word; // Reserved words e_oemid : Word; // OEM identifier (for e_oeminfo) e_oeminfo : Word; // OEM info; e_oemid specific e_res2 : packed array [0..9] of Word; // Reserved words e_lfanew : Longint; // File address of new exe header end; { TExeFileKind: The kinds of files recognised. } TExeFileKind = ( fkUnknown, // unknown file kind: not an executable fkError, // error file kind: used for files that don't exist fkDOS, // DOS executable fkExe32, // 32 bit executable fkExe16, // 16 bit executable fkDLL32, // 32 bit DLL fkDLL16, // 16 bit DLL fkVXD // virtual device driver ); function ExeType(const FileName: string): TExeFileKind; {Examines given file and returns a code that indicates the type of executable file it is (or if it isn't an executable)} const cDOSRelocOffset = $18; // offset of "pointer" to DOS relocation table cWinHeaderOffset = $3C; // offset of "pointer" to windows header in file cNEAppTypeOffset = $0D; // offset in NE windows header of app type field cDOSMagic = $5A4D; // magic number for a DOS executable cNEMagic = $454E; // magic number for a NE executable (Win 16) cPEMagic = $4550; // magic nunber for a PE executable (Win 32) cLEMagic = $454C; // magic number for a Virtual Device Driver cNEDLLFlag = $80 // flag in NE app type field indicating a DLL var FS: TFileStream; // stream to executable file WinMagic: Word; // word containing PE or NE magic numbers HdrOffset: LongInt; // offset of windows header in exec file ImgHdrPE: IMAGE_FILE_HEADER; // PE file header record DOSHeader: IMAGE_DOS_HEADER; // DOS header AppFlagsNE: Byte; // byte defining DLLs in NE format DOSFileSize: Integer; // size of DOS file begin try // Open stream onto file: raises exception if can't be read FS := TFileStream.Create(FileName, fmOpenRead + fmShareDenyNone); try // Assume unkown file Result := fkUnknown; // Any exec file is at least size of DOS header long if FS.Size < SizeOf(DOSHeader) then Exit; FS.ReadBuffer(DOSHeader, SizeOf(DOSHeader)); // DOS files begin with "MZ" if DOSHeader.e_magic <> cDOSMagic then Exit; // DOS files have length >= size indicated at offset $02 and $04 // (offset $02 indicates length of file mod 512 and offset $04 // indicates no. of 512 pages in file) if (DOSHeader.e_cblp = 0) then DOSFileSize := DOSHeader.e_cp * 512 else DOSFileSize := (DOSHeader.e_cp - 1) * 512 + DOSHeader.e_cblp; if FS.Size < DOSFileSize then Exit; // DOS file relocation offset must be within DOS file size. if DOSHeader.e_lfarlc > DOSFileSize then Exit; // We assume we have an executable file: assume its a DOS program Result := fkDOS; // Try to find offset of Windows program header if FS.Size <= cWinHeaderOffset + SizeOf(LongInt) then // file too small for windows header "pointer": it's a DOS file Exit; // read it FS.Position := cWinHeaderOffset; FS.ReadBuffer(HdrOffset, SizeOf(LongInt)); // Now try to read first word of Windows program header if FS.Size <= HdrOffset + SizeOf(Word) then // file too small to contain header: it's a DOS file Exit; FS.Position := HdrOffset; // This word should be NE, PE or LE per file type: check which FS.ReadBuffer(WinMagic, SizeOf(Word)); case WinMagic of cPEMagic: begin // 32 bit Windows application: now check whether app or DLL if FS.Size < HdrOffset + SizeOf(LongWord) + SizeOf(ImgHdrPE) then // file not large enough for image header: assume DOS Exit; // read Windows image header FS.Position := HdrOffset + SizeOf(LongWord); FS.ReadBuffer(ImgHdrPE, SizeOf(ImgHdrPE)); if (ImgHdrPE.Characteristics and IMAGE_FILE_DLL) = IMAGE_FILE_DLL then // characteristics indicate a 32 bit DLL Result := fkDLL32 else // characteristics indicate a 32 bit application Result := fkExe32; end; cNEMagic: begin // We have 16 bit Windows executable: check whether app or DLL if FS.Size <= HdrOffset + cNEAppTypeOffset + SizeOf(AppFlagsNE) then // app flags field would be beyond EOF: assume DOS Exit; // read app flags byte FS.Position := HdrOffset + cNEAppTypeOffset; FS.ReadBuffer(AppFlagsNE, SizeOf(AppFlagsNE)); if (AppFlagsNE and cNEDLLFlag) = cNEDLLFlag then // app flags indicate DLL Result := fkDLL16 else // app flags indicate program Result := fkExe16; end; cLEMagic: // We have a Virtual Device Driver Result := fkVXD; else // DOS application {Do nothing - DOS result already set}; end; finally FS.Free; end; except // Exception raised in function => error result Result := fkError; end; end;
