ExeinfoASL / ASL

Free Windows Detector Software
https://github.com/ExeinfoASL/ASL

OS : Windows XP/2003/7/8/10 #9

Open LordGarfio opened 6 months ago

LordGarfio commented 6 months ago

You have broken the functionality on Windows XP x86-32 by using the Wow64DisableWow64FsRedirection API.

Exeinfo Pe v0 0 8 3

Thank you in advance.

ExeinfoASL commented 6 months ago

I don't have Windows XP, can't test. Try disabling the function in Config.

LordGarfio commented 6 months ago

The API "Wow64DisableWow64FsRedirection" does not exist in Windows XP x86-32 bit (it makes no sense if there is no 32-bit Windows running on 64-bit Windows); you do have it in XP x86-64 bit.

https://stackoverflow.com/questions/25413612/wow64disablewow64fsredirection-on-32-bit-windows-xp
https://www.codeproject.com/Tips/55290/Disabling-Windows-file-system-redirection-on-a-CFi
https://nsis-dev.github.io/NSIS-Forums/html/t-237297.html

Cheers.

ExeinfoASL commented 6 months ago

I can add it, if the Windows XP option is not enabled in Config :-)

LordGarfio commented 6 months ago

Wow64disablewow64fsredir == 0x1 has no effect; in summary, ExeInfo PE does not load --_ (o0) --

ExeinfoASL commented 6 months ago

Yes, static function declaration.

You can run Exeinfo after the patch. Instructions: 👍

1. Unpack Exeinfo with upx.exe
2. Download the .eis script patch: https://app.box.com/s/w09xf1ypkv3aouex4l32yb7ghdvyd276
3. Run the .eis script file with Exeinfo (File menu - script)
4. Pack Exeinfo with UPX

Not tested on Windows XP, but it can be OK.

LordGarfio commented 6 months ago

I have followed the instructions, the script complies, but UPX fails.

exeinfope_Fixed, not repacked: running fails.
exeinfope_Fixed, UPX repacking fails.
exeinfope_Fixed, comparison view.

Regards.


ExeinfoASL commented 6 months ago

Yea, UPX has a bug; you must pack with UPX version 4.1.0 at most, the new version can't pack :-)

LordGarfio commented 6 months ago

Wow, now everything works perfectly.

exeinfope_Fixed, repacking with UPX 4.10 works.
exeinfope_Fixed, repacked, works flawlessly on Windows XP.

Thank you very much.


ExeinfoASL commented 5 months ago

:-)

wesinator commented 1 week ago

Nulling or changing the Wow64DisableWow64FsRedirection import in the binary is sort of a hacky way to fix this issue.

You can change the code to load the API call if it exists. Something like this in C code:

   #include <windows.h>

   // Function-pointer type for the optional API; it is resolved at run time below
   // instead of being imported statically, so the loader does not need the export.
   typedef BOOL (WINAPI *Wow64DisableWow64FsRedirection_)(PVOID *OldValue);

   PVOID oldValue = NULL;
   // NT 6.0+ only API; using address lookup call
   HINSTANCE hDll = GetModuleHandleA("kernel32.dll");
   Wow64DisableWow64FsRedirection_ wow64dwow64fsredir = NULL;
   if (hDll != NULL) {
       wow64dwow64fsredir = (Wow64DisableWow64FsRedirection_)GetProcAddress(hDll, "Wow64DisableWow64FsRedirection");
   }
   // ...
   if (wow64dwow64fsredir != NULL) {
       // call the function here if present; on 32-bit XP the lookup returns NULL and this is skipped
       wow64dwow64fsredir(&oldValue);
   }

You can also do this for other NT6+ only API calls, but it might need more work depending on what the calls are.

The source code hasn't been published so I can't know exactly how to implement this in your tool.
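To show the run-time lookup described in the comment above as one complete, testable unit, here is an added C example (not code from ExeinfoASL or from the comment). It pairs resolution, disable and revert in a single guard so that revert is only ever called after a successful disable, and on 32-bit XP, where kernel32 lacks the export, everything degrades to a no-op; `lookup_xp32` and `lookup_nt6` are constructed fakes standing in for `GetProcAddress`, and the `BOOL`/`PVOID` stand-ins exist only so the logic compiles off-Windows (a Windows build would pass a resolver wrapping `GetModuleHandleA` and `GetProcAddress` instead).

```c
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#define OPTAPI WINAPI
#else
typedef int BOOL;      /* stand-ins so the logic also compiles off-Windows (assumed) */
typedef void *PVOID;
#define OPTAPI
#endif

typedef BOOL (OPTAPI *Wow64DisableFn)(PVOID *);
typedef BOOL (OPTAPI *Wow64RevertFn)(PVOID);
typedef void *(*ExportLookup)(const char *name);   /* GetProcAddress in production */

typedef struct {
    Wow64DisableFn disable;
    Wow64RevertFn  revert;
    PVOID old_value;
    int   disabled;   /* set only after a successful disable call */
} FsRedirGuard;

/* Resolve both APIs at run time instead of importing them statically, so the
   loader cannot fail on 32-bit XP. Returns 1 if redirection can be toggled. */
int fsredir_init(FsRedirGuard *g, ExportLookup lookup) {
    memset(g, 0, sizeof *g);
    g->disable = (Wow64DisableFn)lookup("Wow64DisableWow64FsRedirection");
    g->revert  = (Wow64RevertFn)lookup("Wow64RevertWow64FsRedirection");
    return g->disable != NULL && g->revert != NULL;
}
/* No-op (returns 0) where the API is absent; otherwise disables and records state. */
int fsredir_disable(FsRedirGuard *g) {
    if (g->disable == NULL || g->revert == NULL) return 0;
    g->disabled = (g->disable(&g->old_value) != 0);
    return g->disabled;
}
/* Revert only what was actually disabled. */
int fsredir_revert(FsRedirGuard *g) {
    if (!g->disabled) return 0;
    g->disabled = 0;
    return g->revert(g->old_value) != 0;
}

/* Constructed fake export tables: 32-bit XP kernel32 (no WOW64 exports) and NT6. */
int g_fake_calls = 0;
BOOL OPTAPI fake_disable(PVOID *old) { *old = (PVOID)&g_fake_calls; g_fake_calls += 1; return 1; }
BOOL OPTAPI fake_revert(PVOID old) { g_fake_calls += (old == (PVOID)&g_fake_calls) ? 10 : 0; return 1; }
void *lookup_xp32(const char *name) { (void)name; return NULL; }
void *lookup_nt6(const char *name) {
    if (strcmp(name, "Wow64DisableWow64FsRedirection") == 0) return (void *)fake_disable;
    if (strcmp(name, "Wow64RevertWow64FsRedirection") == 0) return (void *)fake_revert;
    return NULL;
}
```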