detect EXE/DLL bitness (x86 or x64)

highend
Posts: 14595
Joined: 06 Feb 2011 00:33
Location: Win Server 2022 @100%

Re: detect EXE/DLL bitness (x86 or x64)

Post by highend »

@Sammy

There have been tools like FiletypeID / TrIDNet for years. Please don't get me wrong. I also like inbuilt XY solutions instead of using external tools but "I see this script becoming Ultimate File Detector... :biggrin:" ... This would be more like: Reinventing the wheel :D

PeterH
Posts: 2826
Joined: 21 Nov 2005 20:39
Location: DE W11Pro 24H2, 1920*1200*100% 3840*2160*150%

Re: detect EXE/DLL bitness (x86 or x64)

Post by PeterH »

SammaySarkar wrote: Nice to see so much interest...
( if this goes on, I see this script becoming Ultimate File Detector... :biggrin: )

BTW, there's absolutely no reason now to have me as the only author. This intro note is better suited:

Code:

...
[About]
Authors      = PeterH, SammaySarkar, Snail, TheQwerty
...
I think *my* biggest contribution was to reactivate this topic :biggrin: :lol:

bdeshi
Posts: 4256
Joined: 12 Mar 2014 17:27
Location: Asteroid B-612
Contact:

Re: detect EXE/DLL bitness (x86 or x64)

Post by bdeshi »

Highend, relax, that was a joke! :biggrin:
PeterH, is that bad? :biggrin:

Enternal
Posts: 1174
Joined: 10 Jan 2012 18:26

Re: detect EXE/DLL bitness (x86 or x64)

Post by Enternal »

Ultimate File Detector... like what my script does by using TrID? (shameless advertising)
http://xyplorer.com/xyfc/viewtopic.php?f=7&t=12134

Well, not sure how often it's used anyway...

Either way, this tool is still useful when you need to verify an executable without having to run it and then check the task manager.

bdeshi
Posts: 4256
Joined: 12 Mar 2014 17:27
Location: Asteroid B-612
Contact:

Re: detect EXE/DLL bitness (x86 or x64)

Post by bdeshi »

Yes, like that, only XYnative. But this script is far far away from that target. :)

BTW, your XY color scheme in the pics looks good enough to steal. :ugeek:

PeterH
Posts: 2826
Joined: 21 Nov 2005 20:39
Location: DE W11Pro 24H2, 1920*1200*100% 3840*2160*150%

Re: detect EXE/DLL bitness (x86 or x64)

Post by PeterH »

SammaySarkar wrote: PeterH, is that bad? :biggrin:
What should I say? No :lol:

I normally mention people having worked on a piece of code.
But after what has happened here I don't know if, in the end, I still did enough to be mentioned here.
Or, in other words: if the list becomes too long you should kick me out 8)

(As I'm not a native English speaker, just to say: absolutely nothing negative intended. :beer: )

Enternal
Posts: 1174
Joined: 10 Jan 2012 18:26

Re: detect EXE/DLL bitness (x86 or x64)

Post by Enternal »

SammaySarkar wrote: Yes, like that, only XYnative. But this script is far far away from that target. :)

BTW, your XY color scheme in the pics looks good enough to steal. :ugeek:
Hahaha. Well getting it to that level definitely will take a long long time. If you think about it, TrID took a very very long time until it gets all the definitions to the point where it is now. So if you could somehow incorporate its databases, that could potentially save you a lot of work on file identification...

Haha. I'm really fond of my color theme too. Uhh... let's see. Use my script here to import the color scheme XYplorerColors-Dark.ini.
http://xyplorer.com/xyfc/viewtopic.php? ... 60#p109460
Make sure you save your color scheme first, just in case (this can also be done by my script). After you import it, restart XYplorer because the script modifies XYplorer.ini directly so it needs to be reloaded. Also, in case you are interested in my coloring for file types, in raw form (directly from XYplorer.ini):

Code:

[ColorFilter]
Count=17
1=+len:>256>FFFFFF,C23D03
2=+attr:system>FF0000,FFFF80
3=+attr:junction>D500D5,
4=+attr:encrypted>008080,
5=+attr:compressed>0080FF,
6=+size:0>FFFFFF,545E8D
7=+ageC: < 3 n>FFFFFF,CC3514
8=+ageC: d>FFFFFF,677F40
9=+ageM: d>FFFFFF,E89A0C
10=attr:d>5E738C,
11=+*.exe;*.bat>D95B6F,
12=+*.dll;*.ocx;*.sys>B366FF,
13=+*.7z;*.gz;*.lzh;*.rar;*.tar;*.tar.gz;*.zip>808000,
14=+*.aac;*.ape;*.flac;*.mp3;*.mpc;*.ogg;*.wav;*.wma>FF8000,
15=+*.bmp;*.gif;*.jpeg;*.jpg;*.png;*.psd;*.tif;*.tiff>38A050,
16=+*.txt;*.inf;*.ini>BA4B86,
17=+*.css;*.htm;*.html;*.js;*.mht;*.mhtml;*.maff;*.php>4287D2,
Attachments
XYplorerColors-Dark.zip
(694 Bytes) Downloaded 207 times

bdeshi
Posts: 4256
Joined: 12 Mar 2014 17:27
Location: Asteroid B-612
Contact:

Re: detect EXE/DLL bitness (x86 or x64)

Post by bdeshi »

Much appreciated. The colorscheme by itself doesn't look much exciting without matching colorfilters. Thanks for that too.

bdeshi
Posts: 4256
Joined: 12 Mar 2014 17:27
Location: Asteroid B-612
Contact:

Re: detect EXE/DLL bitness (x86 or x64)

Post by bdeshi »

A minor update to bitness detector.

Consolidated Snail's 2nd mod (v5) into TQ's very.
+The extra detection results added by Snail have been shortened for CC-friendly results.
+minor bugfixes, edits.

Code:

/*#############################################################################\
BitnessDetector.xys

This script attempts to determine for which architecture binaries and executables
are compiled.

It can be used as-is or within a Custom Column Script, but note that due to
limitations in XY the Custom Column Script must set a Global variable
'$G_INTERACTIVE' to 'false' before calling the script. Example:
Global $G_INTERACTIVE = false;
Load 'BitnessDetector';


See also:
  http://www.xyplorer.com/xyfc/viewtopic.php?f=7&t=11574


[ABOUT]
Authors      = PeterH, SammaySarkar, Snail, TheQwerty
Version      = 6.0
Date         = 2014-09-11 1:57:15 PMZ
Requires     = XYplorer v14.40.0300


[]
\#############################################################################*/

"BitnessDetector"
  // Changed separator to semi-colon so it matches CC filter.
  $SUPPORTED_EXTENSIONS = 'exe;dll;ocx;cpl;sys;com';  // allowed extensions

  // Unfortunately the <cc_*> vars persist outside the scope of the CC script,
  // so there is no way to determine when running within a CC script.
  // Until Don makes this possible we'll use a global variable.
  // http://www.xyplorer.com/xyfc/viewtopic.php?f=3&t=11181&p=111509#p111509
  // Thus it is the responsibility of the CC script to set:
  // Global $G_INTERACTIVE = false;
  Global $G_INTERACTIVE;
  if ($G_INTERACTIVE == '') {
    $G_INTERACTIVE = true;
  }


  // If not interactive...
  if (! $G_INTERACTIVE) {
    // Assume we are in a Custom Column.
    $list = "<cc_item>";

  } else {
    // Determine items to work on.
    // <cc_item> is removed because of the above-mentioned issue with their scope.
    // If fixed it will probably be #3.
    $list = GetToken(FormatList("<taggeditem>|<pfaitem>|<get drop <crlf>>|<get SelectedItemsPathNames <crlf>>|<focitem>", 'ted'), 1, '|');
  }

  // These are the magic bits and descriptions.
  // Try to keep bitness first so it sorts better in a custom column.
  $magicBits = <<<#KNOWNBITS
    64 86|64-bit [AMD64 WinPE+ Lite]
    02 00|64-bit [IA64 WinPE+]
    0B 00|64-bit [Magic # x64]
    0B 01|32-bit [Magic # 32]
    0B 02|64-bit [Magic # 64]
    07 01|ROM non-bit
    00 4C|32-bit [WinPE x86]
    01 4C|32-bit [i386 WinPE]
    07 06|16-bit [DOS Compiled]
    0C A5|16-bit [DOS Executable]
    4[CE] 45|16-bit [WinNE]
  #KNOWNBITS;

  // First 2 bytes as chars; a kind of shortcut to platform detection,
  // used when the MZ header is missing (so MZ itself is not listed).
  // The ' is added to NOT sort mixed 8/16-bit with other pure 8-bits.
  $headChars = <<<#HEADCRABS
    NE|'8-bit/16-bit [DOS4/Win3x]
    LX|8-bit [OS/2]
    PI|8-bit [PalmDOS]
    XI|16-bit [PalmDOS Ext.]
    DL|8-bit [DOS Mgr]
    MP|8-bit [DOS Ext.]
    P2|16-bit [DOS Ext.]
    P3|32-bit [DOS Ext.]
  #HEADCRABS;

  // Collection of all results.
  $allResults = '';

  foreach ($item, $list, "<crlf>") {
    if ($item == '') { continue; }

    $result = 'Unknown';

    // Not a file.
    if (exists($item) != 1) {
      $result = 'Not a file.';

    // Unsupported extension.
    } elseif (! GetTokenIndex(GetPathComponent($item, 'ext'), $SUPPORTED_EXTENSIONS, ';', 'i')) {
      $result = 'Extension not supported';

    // Missing MZ header.
    } elseif (ReadFile($item, 'b', 2, /*codepage*/, 1) != 'MZ') {
        $result = 'Maybe PACKED - Not MZ';

        $header = ReadFile($item, 'b', 2, /*codepage*/, 1);
        //this foreach should be consolidated into the later one
        // $notMZ = 1; //for foreach consolidation
        foreach ($line, $headChars, "<crlf>") {
          // Trim line & skip empties.
          $line = Trim($line, " <tab><crlf>");
          if ($line == '') { continue; }

          // Split line
          $pattern = GetToken($line, 1, '|', 't');
          $text = GetToken($line, 2, '|', 't', 2);

          // Check for match
          if ($header LikeI "*$pattern*") {
            $result = $text;
            break;
          }
        } // foreach - non-MZ headers

    // Contains MZ header.
    } else {
      $pntr = HexDump(ReadFile($item, 'b', 4, /*codepage*/, 61), 0, 'r');
      $pntr = HexToDec(GetToken($pntr, 2) . GetToken($pntr, 1));

      // Pointer out of range.
      if ($pntr-8 > FileSize($item)) {
        $result = 'Maybe PACKED';
      } else {
        $bitnum = HexDump(ReadFile($item, 'b', 6, /*codepage*/, $pntr+1), 0, 'r');

        foreach ($line, $magicBits, "<crlf>") {
          // Trim line & skip empties.
          $line = Trim($line, " <tab><crlf>");
          if ($line == '') { continue; }

          // Split line
          $pattern = GetToken($line, 1, '|', 't');
          $text = GetToken($line, 2, '|', 't', 2);

          // Check for match
          if ($bitnum LikeI "*$pattern*") {
            $result = $text;
            break;
          }
        } // foreach - knownBits
      } // valid pointer
    } // MZ header

    $allResults = $allResults . $item . "<crlf><tab>" . $result . "<crlf>";
  } // foreach - list

  // Display results when not in a Custom Column.
  if ($G_INTERACTIVE) {
    Text $allResults;
  } else {
    return $result;
  }
Attachments
BitnessDetector.xys
version 6.0 NOT v7
(5.15 KiB) Downloaded 246 times
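
As an added example (not part of the thread and not code from BitnessDetector.xys), here is the same header walk the script above performs, written in Python with strict field parsing: it reads e_lfanew as the full 4-byte value at offset 0x3C, requires the PE signature, and decodes the COFF Machine field and the optional-header magic instead of pattern-matching a hex dump. The function names, the subset of machine values and the constructed sample bytes are assumptions of this example.

```python
import struct

# Subset of Machine and optional-header Magic values from the PE/COFF spec.
MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)",
            0x0200: "IA-64 (64-bit)", 0xAA64: "ARM64 (64-bit)"}
OPT_MAGIC = {0x010B: "PE32", 0x020B: "PE32+", 0x0107: "ROM"}

def pe_bitness(data: bytes) -> str:
    """Classify a file image from its headers only; nothing is loaded or run."""
    if data[:2] != b"MZ":
        return "not MZ"
    if len(data) < 0x40:
        return "truncated DOS header"
    # e_lfanew: 4-byte little-endian offset of the new header, stored at 0x3C.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):  # need signature + 20-byte COFF header
        return "header pointer out of range"
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] == b"NE":
        return "16-bit NE"
    if sig != b"PE\0\0":
        return "MZ without PE signature"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    label = MACHINES.get(machine, "unknown machine 0x%04X" % machine)
    # The optional header, if present, starts right after the COFF header.
    if opt_size >= 2 and e_lfanew + 26 <= len(data):
        (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
        label += " " + OPT_MAGIC.get(magic, "magic 0x%04X" % magic)
    return label

def build_sample(machine: int, magic: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed header-only image for the demo; not a loadable binary."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic) + bytes(0xEE)

if __name__ == "__main__":
    for m, g in ((0x014C, 0x010B), (0x8664, 0x020B)):
        print(pe_bitness(build_sample(m, g)))
    bad = bytearray(build_sample(0x8664, 0x020B))
    struct.pack_into("<I", bad, 0x3C, 0x7FFFFFFF)  # pointer past end of file
    print(pe_bitness(bytes(bad)))
```

A .NET assembly built as AnyCPU carries the x86 machine value with PE32 headers, so this header check alone does not tell you the bitness of the process it ends up running in.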

Snail
Posts: 22
Joined: 08 Sep 2014 17:05

Re: detect EXE/DLL bitness (x86 or x64)

Post by Snail »

Thanks for the updates and corrections.
On dialup and severe weather here.
Nice work to everyone.

Snail
Posts: 22
Joined: 08 Sep 2014 17:05

Re: detect EXE/DLL bitness (x86 or x64)

Post by Snail »

There have been tools like FiletypeID / TrIDNet for years. Please don't get me wrong. I also like inbuilt XY solutions instead of using external tools but "I see this script becoming Ultimate File Detector... :biggrin:" ... This would be more like: Reinventing the wheel :D
I believe there is some truth in this statement, but that doesn't have to be the case.
While I've used XY for a long time it has only been the past few days I've even bothered with the scripting code.
(I just have too many programs, OS's and languages I work with to throw in another.)
As I've said, I use HEX viewers, resource editors and tools like PE ID (tools being many). I mention PE ID specifically because it was designed to be called by other tools. To that end, is it possible to write a script to call upon an external tool and pipe that data back to XY?
I know this again goes back to relying upon external tools, but a freeware tool like PE ID 220Kb, could easily be added to XY.
It's just a thought. I know this was just meant to be a quick internal way to determine 32/64 bit exe's, but I see a lot of expansion potential.
The scripting language reminds me a bit of LUA and look what was done with that! Entire servers and MMORPG's built with it.
It was taken way past anything the original designers ever conceived and without documentation.
Well, just some thoughts.

highend
Posts: 14595
Joined: 06 Feb 2011 00:33
Location: Win Server 2022 @100%

Re: detect EXE/DLL bitness (x86 or x64)

Post by highend »

To that end, is it possible to write a script to call upon an external tool and pipe that data back to XY?
Depends on what output that external tool produces...

E.g. runret() for command line versions.
The scripting language reminds me a bit of LUA
It's more PHP than LUA :)

PeterH
Posts: 2826
Joined: 21 Nov 2005 20:39
Location: DE W11Pro 24H2, 1920*1200*100% 3840*2160*150%

Re: detect EXE/DLL bitness (x86 or x64)

Post by PeterH »

FiletypeID / TrIDNet both seem to be GUI programs - so output isn't easy to get.

But there is a linemode version of the latter called TrID - this should work with runret()
(See http://mark0.net/soft-trid-e.html )

bdeshi
Posts: 4256
Joined: 12 Mar 2014 17:27
Location: Asteroid B-612
Contact:

Re: detect EXE/DLL bitness (x86 or x64)

Post by bdeshi »

Enternal already has a nice script for trID.

Snail
Posts: 22
Joined: 08 Sep 2014 17:05

Re: detect EXE/DLL bitness (x86 or x64)

Post by Snail »

I have obtained and tested FileTypeID v2.4.
I must say, I am not very impressed by it.

FileTypeID claims to be able to identify over 4,600 file types.

Most DLL's it reports as 32bit EXE's, then Delphi generic, then DOS.
On 32bit EXE's it reports them as Win32 DLL's, Generic Win/DOS, Autodesk FLIC.
On 64bit EXE's it reports Win32 Generic DLL, Win32 Generic EXE, DOS, and finally Win64.
On a Win3.1 16bit NE EXE it reports Generic DOS!

Of the 28 files I tested, it failed 100%.
This is on files I KNOW. I can only imagine the confusion it would cause on a truly unknown file.

Good concept, poor delivery.

As the XY script clearly indicates, a few simple 2byte tests can produce more accurate results.
The only place I see for FileTypeID is when all other options have failed. And then, I would not trust in its results. I'd put more faith in a HEX edit and view of the header.

FileTypeID appears to be nothing more than a Python coded GUI to TrIDLib.
It sucks that it doesn't accept piped data, so options like SendTo won't work. Poor design.

The database triddefs.trd, what I was really interested in for the XY scripts, is a compressed RIFF.
It turns out, TrIDLib doesn't really do any testing. It uses a FUZZY logic scan based upon a string read and then tries to compare it to a database. As such, none of the data is useful for XY.

A massive 10Mb download on dialup, and a big disappointment.
