PE Viewer 3.0
Hello, everyone!
I rebuilt the project based on the sources of "PE Viewer 2.0".
For suggestions and errors, post in the current topic.
Plugin posted on sites:
https://wincmd.ru/plugring/PEViewer3.html
http://totalcmd.net/plugring/PEViewer3.html
Last edited by iteg on 2023-06-07, 17:56 UTC, edited 2 times in total.
Re: PE Viewer 3.0
Something seems to be missing..
Re: PE Viewer 3.0
2iteg
i can only guess, but very probably w/o any link for downloading of your new rebuilt sources we can't add any significant suggestions.
#146217 personal license
Re: PE Viewer 3.0
I guess the plugin is on totalcmd.net...
Re: PE Viewer 3.0
Hey, thanks for taking the time to create this plugin.
I suggest not only to supply a russian.lng2 but also an english.lng2 so that translators have an easier job translating
@white and the rest: must be really hard to look at totalcmd.net:
http://totalcmd.net/plugring/PEViewer3.html
Last edited by Sir_SiLvA on 2023-06-05, 17:36 UTC, edited 1 time in total.
Hoecker sie sind raus!
Re: PE Viewer 3.0
2Gral
Good point.
http://totalcmd.net/plugring/PEViewer3.html?
So, the initial question imho should be: HOW (and how often) we can get updated for PEid database? Am I correct in assuming that it is stored in UserDB.txt?
And in general - does this base, in principle, have the concept of updating? Maybe someone fills it from time to time. Purely for yourself?
Despite the changed size, the relevance of the database is in doubt. I opened totalcmd64.exe with a plugin and was surprised to find that the compiler definition didn't work! The string Unknown is displayed. Are these 64 bit applications impossible to detect?
Signs.txt - this database looks like was not updated? So we still have only outdated list of such things? And what is stored in it?
What should I do with file 'PEViewer_config.ini.sample'? What options are expected to be supported here? There should also be a complete list of all options that can be found in this file with a description of all options for entering values for these options.
Batch saving of selected resources is very necessary. And accordingly, for this you need to provide this selection. I.e, for example, out of 30 string constants, I need to save 5 of them. I would like to open the "Batch Copy" action from the context menu of the "String" tree-item, which would list all the current resources, and I could check the boxes next to the ones I need. And well, a couple of commonly used checkboxes "select all" / "deselect all". And a Save to... button.
Last edited by AntonyD on 2023-06-06, 08:10 UTC, edited 1 time in total.
#146217 personal license
Re: PE Viewer 3.0
AntonyD wrote: 2023-06-05, 16:07 UTC
"Signs.txt - this database looks like was not updated? So we still have only outdated list of such things?"
You can always update it yourself, plus UserDB.txt was updated from 1832 Signatures to 5588 signatures.
AntonyD wrote: 2023-06-05, 16:07 UTC
"What should I do with file 'PEViewer_config.ini.sample'? What options are expected to be supported here?"
after first run the PEViewer.ini is filled with:
[PEViewer]
DefaultTab=ctResources
SaveDefaultTab=True
Localization=
AutoDetermineCompiler=True
ImportExportFrame.Splitter1Pos=157
ImportExportFrame.Splitter2Pos=375
ImportExportFrame.UndecorateCPPNames=True
HeadersFrame.Splitter1Pos=172
ResourcesFrame.Splitter1Pos=119
Hoecker sie sind raus!
Re: PE Viewer 3.0
1) Plugin posted on sites:
https://wincmd.ru/plugring/PEViewer3.html
http://totalcmd.net/plugring/PEViewer3.html
2) UserDB.txt was taken from the project:
https://github.com/packing-box/peid/tree/main/src/peid
3) Signs.txt not updated.
4) Selective and full resource saving added to the "To Do" list.
5) Adding English.lng2 added to the "To Do" list.
6) Documentation writing added to the "To Do" list.
Re: PE Viewer 3.0
Possible that not recognize file compiled with Visual Studio 2022 C++?
HeadersFrame.Splitter1Pos=472
ResourcesFrame.Splitter1Pos=419
don't seem to work.
Re: PE Viewer 3.0
2iteg
"3) Signs.txt not updated."
Is it possible? And Expected? And how does its content intersect with UserDB.txt?
What in which file is more important and useful for the purposes of the plugin?
#146217 personal license
Re: PE Viewer 3.0
"Possible that not recognize file compiled with Visual Studio 2022 C++?"
It is necessary to look for signatures, if any.
"HeadersFrame.Splitter1Pos=472
ResourcesFrame.Splitter1Pos=419"
The splitter position for HeadersFrame.Splitter1Pos is set automatically to display all sections, but is ignored from the configuration file.
For the ResourcesFrame.Splitter1Pos splitter, I fixed the usage from the configuration file.
"Batch saving of selected resources is very necessary."
Implemented in version 3.0.2.
"Is it possible? And Expected? And how does its content intersect with UserDB.txt?
What in which file is more important and useful for the purposes of the plugin?"
To analyze the compiler, the signature databases of the projects "PETools / PE Sniffer" (Signs.txt) and "PEiD" (UserDB.txt) are used. The two analysis methods use only the search starting from the OEP. The plugin displays search results for these two databases.
Bases can be created manually. A signature search starting with OEP is ineffective (or even the entire file) because some distinctive data may be stored in other sections and very slowly. Well implemented in the project https://github.com/horsicq/Detect-It-Easy when using scripts.
I couldn't find a newer Signs.txt base.
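Added example, not part of the thread or the plugin's code: a minimal matcher for PEiD-style UserDB.txt entries, showing why an entry-point-only search misses a signature when the supplied entry offset is wrong or the distinctive bytes sit elsewhere. The entry names, patterns and sample bytes are constructed, and the `[name]` / `signature` / `ep_only` layout is assumed to be the usual PEiD text format.

```python
import re

# Constructed UserDB.txt excerpt in the PEiD text layout (names and patterns are illustrative).
USERDB = """\
[Sample Packer 1.x]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57
ep_only = true

[Sample Marker Anywhere]
signature = DE AD ?? EF
ep_only = false
"""
# Constructed image bytes: entry-point code at file offset 16, a marker further on.
SAMPLE = bytes(16) + bytes.fromhex("60BE001040008DBE00F0FFFF57") + bytes(8) + bytes.fromhex("DEAD01EF")
EP_OFFSET = 16

def parse_userdb(text):
    """Return (name, pattern, ep_only) tuples; pattern items are an int or None for a wildcard."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        name, sig, ep_only = None, None, False
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("[") and line.endswith("]"):
                name = line[1:-1]
            elif "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                if key.lower() == "signature":
                    # Simplification: any token containing '?' is a full-byte wildcard.
                    sig = [None if "?" in tok else int(tok, 16) for tok in value.split()]
                elif key.lower() == "ep_only":
                    ep_only = value.lower() == "true"
        if name and sig:
            entries.append((name, sig, ep_only))
    return entries

def matches_at(data, offset, pattern):
    window = data[offset:offset + len(pattern)]
    return len(window) == len(pattern) and all(p is None or p == b for p, b in zip(pattern, window))

def identify(data, ep_offset, entries):
    """ep_only entries are tested only at the entry point; the rest are scanned over the buffer."""
    hits = []
    for name, pattern, ep_only in entries:
        offsets = [ep_offset] if ep_only else range(len(data) - len(pattern) + 1)
        if any(matches_at(data, off, pattern) for off in offsets):
            hits.append(name)
    return hits
```

Calling `identify(SAMPLE, EP_OFFSET, parse_userdb(USERDB))` reports both entries, while passing a wrong entry offset drops the `ep_only` match and leaves only the slower whole-buffer hit.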
Re: PE Viewer 3.0
Thanks for the update, 2 bugs:
1st when you have an upx'ed exe and click on Export/Import it turns on the display of "File Corrupted" which is just wrong
2nd this is a bug that was present in PEViewer 2 and FileInfo plugin too:
https://ibb.co/3ssbsMz as you can see, it clearly correctly identifies the exe as 64bit but claims the Target OS to be 32bit (which I hope u mayhaps can fix?)
Hoecker sie sind raus!
Re: PE Viewer 3.0
Sir_SiLvA wrote: 2023-06-19, 09:18 UTC
"2nd this is a bug that was present in PEViewer 2 and FileInfo plugin too:
https://ibb.co/3ssbsMz as you can see, it clearly correctly identifies the exe as 64bit but claims the Target OS to be 32bit (which I hope u mayhaps can fix?)"
This is correct information. Take a look at the Resources tab, select Version from the tree at the left and then look at the VS_FIXEDFILEINFO information. There you'll see the File OS flags. For totalcmd64.exe it's listed as Windows NT, 32-bit Windows even though it's also clearly a PE AMD64 executable.
As this is a very old data structure it doesn't know anything about 64-bit or even other architectures like ARM: https://learn.microsoft.com/en-us/windows/win32/api/verrsrc/ns-verrsrc-vs_fixedfileinfo (dwFileOS)
Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64
Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
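Added example, not part of the thread or the plugin's code: reading the architecture from IMAGE_FILE_HEADER.Machine and the OS flags from VS_FIXEDFILEINFO.dwFileOS side by side, to show that the two fields are independent. The sample image is constructed, and locating the version block by scanning for its signature is a shortcut assumed here instead of walking the resource directory.

```python
import struct

VS_FFI_SIGNATURE = 0xFEEF04BD  # VS_FIXEDFILEINFO.dwSignature
MACHINES = {0x014C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
VOS_HIGH = {0x00010000: "VOS_DOS", 0x00040000: "VOS_NT"}
VOS_LOW = {0x0001: "VOS__WINDOWS16", 0x0004: "VOS__WINDOWS32"}

def build_sample():
    """Constructed minimal buffer: DOS header, PE signature + Machine, then a version block."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)        # e_lfanew at offset 0x3C
    nt = b"PE\0\0" + struct.pack("<H", 0x8664) + bytes(18)     # Machine = AMD64
    ffi = struct.pack("<13I", VS_FFI_SIGNATURE, 0x00010000, 0, 0, 0, 0,
                      0x3F, 0, 0x00040004, 1, 0, 0, 0)         # dwFileOS = VOS_NT_WINDOWS32
    return dos + nt + bytes(32) + ffi

def pe_machine(data):
    """Architecture as recorded in the PE file header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINES.get(machine, hex(machine))

def file_os(data):
    """Decode dwFileOS, the ninth DWORD (offset 32) of VS_FIXEDFILEINFO."""
    pos = data.find(struct.pack("<I", VS_FFI_SIGNATURE))
    if pos < 0 or pos + 36 > len(data):
        return None
    (dw,) = struct.unpack_from("<I", data, pos + 32)
    high, low = dw & 0xFFFF0000, dw & 0x0000FFFF
    return f"{VOS_HIGH.get(high, hex(high))} | {VOS_LOW.get(low, hex(low))}"

def describe(data):
    return pe_machine(data), file_os(data)
```

For the constructed image, `describe(build_sample())` pairs an AMD64 machine type with the VOS_NT / VOS__WINDOWS32 flags, the same combination the post describes for totalcmd64.exe.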
Re: PE Viewer 3.0
Not handle c# detail in info exe.
These are visible in the compiled file on right-clicking it and looking at the properties of the file.
Re: PE Viewer 3.0
In version "PE Viewer" 3.0.3:
1)
"when you have an upx'ed exe and click on Export/Import it turns on the display of 'File Corrupted' which is just wrong"
Replaced with a detailed description of the error.
2)
"this is a bug that was present in PEViewer 2 and FileInfo plugin too"
Yes, there are no flags for the 64-bit OS in the VS_FIXEDFILEINFO structure.
3)
"Not handle c# detail in info exe."
Fixed.