Re: Dusty's EXEVALID utility fundemental flaw EXPOSED! *** WARNING: DO NOT USE THIS UTILITY! ***

Subject: Re: Dusty's EXEVALID utility fundemental flaw EXPOSED! *** WARNING: DO NOT USE THIS UTILITY! ***
Posted by:  Ant (n…@home.today)
Date: Fri, 25 Apr 2014

"p-0''0-h the cat (ES)" wrote:

> I quizzed him about the code and his strange use of ABS which he never
> adequately explained preferring instead to go on a rampage to try and
> discredit me despite the fact that I had never programmed in ASIC.

I didn't see that discussion but then I'm reading only in ACAV.
However, I know a bit about executables so now I've read Dustin's and
your code I can say you're both barking up the wrong tree.

> and contrary to what Dusty now says after FTR pointed out the purpose of
> ABS you can see the file size returns a negative value and an incorrect
> file size and therefore doesn't accurately return the file size as per
> the MZ EXE header specification when the number of blocks > 7FFF.

This is completely irrelevant for Windows executables.

The MZ header fields are used only when running under MSDOS. Every
Windows executable from NT3 onwards uses the PE (portable executable)
format which by convention has a small MSDOS stub program prepended to
it (normally prints a message and exits when run under MSDOS). This is
why all Windows executables are expected to have 'M' and 'Z' as the
first 2 bytes but need not (and sometimes do not) actually have the
stub program. The 2nd and 3rd dwords are applicable only to the stub
program size, not the complete Windows executable.

The check being used in exevalid will pass in most cases for PE files
because the stub is always smaller than the whole file. However, there
are many malware and some legitimate packed executables which use the
MZ header fields for other purposes. In these cases the exe is not
corrupt as far as Windows is concerned but obviously is from an MSDOS
point of view.

The correct way to compare file to executable size is to check for the
presence of the PE header and use values from that when dealing with
Windows executables.

[followups set to ACAV]
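A check along the lines Ant describes, as an added example that is not code from the thread or from EXEVALID: read the MZ fields as unsigned 16-bit values, then locate the PE header via e_lfanew and take the expected size from the section table. The sample image and the helper names are constructed for illustration.

```python
import struct

# Constructed sample (not a real program): 64-byte MZ header, no DOS stub,
# PE signature at 0x40, one section of 0x200 raw bytes starting at 0x80.
def build_sample() -> bytes:
    e_cp = 0x8001  # deliberately > 0x7FFF: a signed 16-bit read turns this negative
    mz = b"MZ" + struct.pack("<HH", 0, e_cp) + bytes(0x3C - 6) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x80,
                                        0, 0, 0, 0, 0x60000020)
    return mz + coff + sect + b"\xC3" * 0x200

def mz_image_size(data: bytes) -> int:
    """Size of the MS-DOS image the MZ header describes (only the stub for a PE file).
    e_cblp and e_cp are unsigned 16-bit fields; reading them as signed is the
    defect, not a property of the header."""
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    return e_cp * 512 if e_cblp == 0 else (e_cp - 1) * 512 + e_cblp

def pe_image_size(data: bytes):
    """File size implied by the PE section table, or None when there is no PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    sect = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER
    end = sect + nsections * 40              # headers alone need at least this much
    if end > len(data):
        return None                          # section table itself is cut off
    for i in range(nsections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)   # furthest byte any section's raw data reaches
    return end

def validate(data: bytes) -> dict:
    """Compare the file length with the size each header implies."""
    pe = pe_image_size(data)
    return {"file_size": len(data), "mz_size": mz_image_size(data), "pe_size": pe,
            "pe_truncated": pe is not None and pe > len(data)}
```

For the sample, the MZ fields describe a 16 MB DOS image while the PE section table gives the true 640-byte extent; cutting the file short is detected by the PE comparison, not the MZ one.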


In response to

Dusty's EXEVALID utility fundemental flaw EXPOSED! *** WARNING: DO NOT USE THIS UTILITY! *** posted by p-0''0-h the cat (ES) on Fri, 25 Apr 2014