Dec 10, 2017
 
Rips apart Windows .EXE files and SHOws contents. C source included.
File EXESHO.ZIP from The Programmer’s Corner in Category Windows 3.X Files
File Name      File Size   Zip Size   Zip Type
EXESHOW.C           7924       2702   deflated
EXESHOW.DOC        12502       3830   deflated
EXESHOW.EXE        10754       6505   deflated


Contents of the EXESHOW.DOC file


EXESHOW.EXE
Version 1.00; March 29, 1988.
Pat Beirne
Corel Systems

This little utility rips apart a Windows 2.0+ EXE file, and shows you
the contents.

EXESHOW is invoked using the format:
EXESHOW filename [-Rn] [-Nn]
The filename is any fully specified filename (no wildcards). The R
option allows you to specify how much of the resource to dump
(default: 128), and the N option allows you to specify how many
names to display (default: 16).

The output dump is directed to stdout, so you can easily redirect it
to a file using the DOS > or >> capability.

Note that EXESHOW runs as a normal DOS program, NOT as a Windows
application. If anyone converts it to Windows, please send me a copy.

The first part of the dump is a list of some of the interesting
elements of the file header, including the filename, the link
version, the flags, the heap and stack sizes, and the execution
address.

Following this is a dump of the resources. Each resource type, and
each resource within it are listed. Where I knew the resource type, I
substituted the name (ICON, BITMAP, CURSOR, DIALOG, ACCELERATOR,
MENU, STRING, FONTDIR and FONT). The length and the flags on each
resource are listed. If the resource id is a number, it is shown as
an integer; if it is a name, the name is shown.

After this line of resource info, I dump the contents of the
resource, in binary and ASCII. The default is 128 bytes, although you
can control the length of the dump by using the R parameter on the
command line. For instance, you can inhibit the dump by using -R0.

After all the resources, the dump contains the contents of the
resident name list, and the non resident name list. Usually, the
first 16 entries are shown, although you can control the number by
using the -N parameter on the command line. Quite often the resident
name list is empty, so don't be concerned if no data is shown.
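
An added example, not taken from EXESHOW.C: in the NE file format each name list entry is a length byte, the name, and a 16-bit little-endian entry index, and a zero length byte ends the list. The C code below walks that layout with bounds checks; ne_parse_names and struct ne_name are hypothetical names, and the sample bytes are constructed from the names and indices in the HEAPWALK listing further down, which add up to the 67 (hex) bytes that listing reports.

```c
#include <stdio.h>
#include <string.h>

/* One decoded entry: NUL-terminated copy of the name and its entry index. */
struct ne_name { char name[256]; unsigned index; };

/* Constructed sample: non-resident name table rebuilt from the HEAPWALK dump.
   Octal escapes are the length bytes and the little-endian index words. */
static const unsigned char sample[] =
    "\040Windows Local/Global Heap Walker\000\000"
    "\014LOCALWNDPROC\003\000"
    "\011HWWNDPROC\001\000"
    "\012HWHOOKPROC\004\000"
    "\011HWSETSWAP\005\000"
    "\014BYTESWNDPROC\002\000"; /* the literal's own NUL is the terminator */

/* Walk a name table of `size` bytes, storing the first `max` entries in out
   (compare the -N option). Returns the number of entries in the table, or -1
   if an entry runs past the buffer or the terminator is missing. *used gets
   the bytes consumed, terminator included. */
int ne_parse_names(const unsigned char *tab, size_t size,
                   struct ne_name *out, int max, size_t *used)
{
    size_t pos = 0;
    int count = 0;
    for (;;) {
        if (pos >= size) return -1;            /* no terminator */
        size_t len = tab[pos++];
        if (len == 0) break;                   /* end of table */
        if (size - pos < len + 2) return -1;   /* truncated entry */
        if (count < max) {
            memcpy(out[count].name, tab + pos, len);
            out[count].name[len] = '\0';
            out[count].index = tab[pos + len] | (tab[pos + len + 1] << 8);
        }
        pos += len + 2;
        count++;
    }
    *used = pos;
    return count;
}

int main(void)
{
    struct ne_name n[16];
    size_t used = 0;
    int i, c = ne_parse_names(sample, sizeof sample, n, 16, &used);
    printf("name table: %lX bytes\n", (unsigned long)used);
    for (i = 0; i < c && i < 16; i++)
        printf("%s %u\n", n[i].name, n[i].index);
    return c < 0;
}
```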

The total dump can be used to check the resulting .EXE file against
what you put in your .RC and .DEF files. Also, you can see the format
of DIALOG, MENU, BITMAP, CURSOR and ICON resources.

This data can be quite interesting. After using it, you will probably
observe that Microsoft's RC puts at least 2 bytes of the string
"mtswslnk" at the end of each resource. MAKE SURE THAT IT DOESN'T
OVERWRITE YOUR DATA.
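
An added example, not part of EXESHOW: a C check for this filler on a STRING resource. It assumes a STRING resource is a block of 16 length-prefixed strings, which the sample dump is consistent with; the function names are hypothetical, and the bytes are copied from the STRING resource in the first sample listing below.

```c
#include <stdio.h>
/* Constructed sample: the 0x30-byte STRING resource from the first listing. */
static const unsigned char str_res[48] = {
    0x00,0x00,0x08,0x48,0x65,0x61,0x70,0x57,0x61,0x6C,0x6B,0x0F,0x4C,0x75,0x6B,0x65,
    0x20,0x48,0x65,0x61,0x70,0x57,0x61,0x6C,0x6B,0x65,0x72,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x6D,0x74,0x73,0x77,0x73,0x6C,0x6E,0x6B,0x6D
};

/* Length of the trailing run that matches "mtswslnk" repeated end to end. */
size_t filler_tail(const unsigned char *res, size_t len)
{
    static const char pat[] = "mtswslnk";
    size_t best = 0, k, phase;
    /* 's' occurs twice in the pattern, so try each phase for the last byte. */
    for (phase = 0; phase < 8; phase++) {
        for (k = 0; k < len; k++)
            if (res[len - 1 - k] != (unsigned char)pat[(phase + 8 - k % 8) % 8])
                break;
        if (k > best) best = k;
    }
    return best;
}

/* Bytes used by a STRING block: 16 strings, each a length byte plus text.
   Returns 0 if a string runs past the end of the resource. */
size_t string_block_len(const unsigned char *res, size_t len)
{
    size_t pos = 0;
    int i;
    for (i = 0; i < 16; i++) {
        if (pos >= len || len - pos - 1 < res[pos]) return 0;
        pos += 1 + (size_t)res[pos];
    }
    return pos;
}

/* 1 if the filler reaches into the string data, 0 if not, -1 if malformed. */
int filler_overlaps(const unsigned char *res, size_t len)
{
    size_t data = string_block_len(res, len);
    return data == 0 ? -1 : (len - filler_tail(res, len) < data);
}

int main(void)
{
    printf("data %lu, filler %lu, overlap %d\n", (unsigned long)string_block_len(str_res, 48),
           (unsigned long)filler_tail(str_res, 48), filler_overlaps(str_res, 48));
    return 0;
}
```

Data that legitimately ends in bytes such as "mt" cannot be told apart from filler, so a reported overlap means the resource needs a closer look, not that it is damaged.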


Suggestions and comments are welcome.
Pat Beirne
Corel Systems Corp.
1600 Carling Ave.
Ottawa, Ontario.
K1Z 7M4

The source code given here is for public use. No liability of any
sort is assumed.



Here is a sample output of EXESHOW:

EXESHOW: dump of file \bin\heapwalk.exe
old EXE header MZ
offset to new EXE header 40
DOS 2.0 stub:
E8 2B 00 54 68 69 73 20-70 72 6F 67 72 61 6D 20 .+.This program
72 65 71 75 69 72 65 73-20 4D 69 63 72 6F 73 6F requires Microso
66 74 20 57 69 6E 64 6F-77 73 2E 0D 0A 24 5A 0E ft Windows...$Z.
sig word: NE
link version: 5.1
flags: NotDisc/Fixed/LoadOnCall
heap size requested: 1388
stack size requested: BB8
Entry table: 2E bytes
07 FF 01 CD 3F 01 A9 01-01 CD 3F 01 92 20 01 CD ....?.....?.. ..
3F 01 D8 27 01 CD 3F 01-39 03 01 CD 3F 01 89 18 ?..'..?.9...?...
00 CD 3F 01 10 00 00 CD-3F 02 00 00 00 00 5A 0E ..?.....?.....Z.
Segment table: 2 entries Auto data seg: 2
Execution starts at 3C44 in segment #0
Stack starts at 0000 in segment #0
Module ref table: 3 entries

<-----------------Resources----------------->
Resource Type ICON
Resource #1: len: 410; flags: Disc/Movable/LoadOnCall; id: HEAPWALK
01 01 00 00 00 00 40 00-40 00 08 00 00 00 F8 00 ......@.@.......
00 01 FF FF FF FF F8 00-00 01 FF FF FF FF F8 00 ................
00 01 FF FF FF FF FC 00-00 00 FF FF FF FF FC 00 ................
00 00 7F FF FF FF FE 00-00 00 7F FF FF FF FE 00 ................
00 00 3F FF FF FF FE 00-00 00 3F FF FF FF FF 00 ..?.......?.....
00 00 3F FF FF FF FF 00-00 00 1F FF FF FF FF 80 ..?.............
00 00 0F FF FF FF FF 80-00 00 0F FF FF FF FF C0 ................
00 00 0F FF FF FF FF C0-00 00 07 FF FF FF FF E0 ................
Resource Type MENU
Resource #1: len: 2b0; flags: Disc/Movable/LoadOnCall; id: HEAPWALK
10 26 46 69 6C 65 00 00-84 00 26 53 61 76 65 00 .&File....&Save.
00 00 00 00 00 85 00 45-26 78 69 74 00 80 86 00 .......E&xit....
41 26 62 6F 75 74 20 48-65 61 70 57 61 6C 6B 65 A&bout HeapWalke
72 2E 2E 2E 00 10 26 57-61 6C 6B 00 00 65 00 26 r.....&Walk..e.&
57 61 6C 6B 20 48 65 61-70 00 00 6D 00 57 61 6C Walk Heap..m.Wal
6B 20 26 4C 52 55 20 4C-69 73 74 00 00 6E 00 57 k &LRU List..n.W
61 6C 6B 20 46 72 26 65-65 20 4C 69 73 74 00 00 alk Fr&ee List..
68 00 26 47 43 28 30 29-20 61 6E 64 20 57 61 6C h.&GC(0) and Wal
Resource #2: len: 10; flags: Disc/Movable/LoadOnCall; id: LOCALWALK
90 26 46 69 6C 65 00 80-C9 00 26 53 61 76 65 00 .&File....&Save.
Resource Type DIALOG
Resource #1: len: e0; flags: Disc/Movable/LoadOnCall; id: 1
00 00 40 80 06 16 00 11-00 AA 00 4B 00 00 00 00 ..@........K....
34 00 05 00 44 00 08 00-FF FF 01 00 02 50 82 4D 4...D........P.M
69 63 72 6F 73 6F 66 74-20 57 69 6E 64 6F 77 73 icrosoft Windows
00 00 09 00 17 00 00 00-00 00 FF FF 03 00 00 50 ...............P
82 48 65 61 70 57 61 6C-6B 00 00 00 00 0E 00 AA .HeapWalk.......
00 08 00 FF FF 01 00 02-50 82 48 65 61 70 57 61 ........P.HeapWa
6C 6B 20 41 70 70 6C 69-63 61 74 69 6F 6E 00 00 lk Application..
35 00 22 00 40 00 08 00-FF FF 01 00 02 50 82 56 5.".@........P.V
Resource #2: len: d0; flags: Disc/Movable/LoadOnCall; id: 2
00 00 40 80 08 29 00 31-00 7D 00 43 00 00 00 00 ..@..).1.}.C....
0A 00 14 00 37 00 08 00-00 00 00 00 00 50 82 43 ....7........P.C
75 72 72 65 6E 74 20 53-69 7A 65 3A 00 00 0A 00 urrent Size:....
20 00 34 00 09 00 01 00-00 00 00 50 82 4D 61 78 .4........P.Max
69 6D 75 6D 20 53 69 7A-65 3A 00 00 1A 00 08 00 imum Size:......
26 00 08 00 02 00 00 00-00 50 82 4E 65 77 20 53 &........P.New S
69 7A 65 3A 00 00 48 00-06 00 20 00 0C 00 66 00 ize:..H... ...f.
00 00 81 50 81 00 00 48-00 20 00 16 00 08 00 65 ...P...H. .....e
Resource Type STRING
Resource #1: len: 30; flags: Disc/Movable/LoadOnCall; id: 101
00 00 08 48 65 61 70 57-61 6C 6B 0F 4C 75 6B 65 ...HeapWalk.Luke
20 48 65 61 70 57 61 6C-6B 65 72 00 00 00 00 00 HeapWalker.....
00 00 00 00 00 00 00 6D-74 73 77 73 6C 6E 6B 6D .......mtswslnkm

Resident name table
Resident names & entry index:

NonResident name table: 67 bytes
NonResident names & entry index:
Windows Local/Global Heap Walker0
LOCALWNDPROC3
HWWNDPROC1
HWHOOKPROC4
HWSETSWAP5
BYTESWNDPROC2

end of listing




Here is another sample:


EXESHOW: dump of file \bin\spy.exe
old EXE header MZ
offset to new EXE header 40
DOS 2.0 stub:
E8 2B 00 54 68 69 73 20-70 72 6F 67 72 61 6D 20 .+.This program
72 65 71 75 69 72 65 73-20 4D 69 63 72 6F 73 6F requires Microso
66 74 20 57 69 6E 64 6F-77 73 2E 0D 0A 24 5A 0E ft Windows...$Z.
sig word: NE
link version: 5.1
flags: NotDisc/Fixed/LoadOnCall
heap size requested: 1000
stack size requested: 1000
Entry table: 56 bytes
05 FF 01 CD 3F 01 BA 0C-01 CD 3F 01 1C 01 01 CD ....?.....?.....
3F 01 5A 01 01 CD 3F 01-63 04 01 CD 3F 01 84 06 ?.Z...?.c...?...
5D 00 08 FF 01 CD 3F 01-E6 25 00 CD 3F 01 A9 19 ].....?..%..?...
00 CD 3F 01 D1 19 00 CD-3F 01 99 2A 00 CD 3F 01 ..?.....?..*..?.
1B 25 00 CD 3F 01 6F 23-00 CD 3F 01 1E 19 00 CD .%..?.o#..?.....
3F 02 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ?...............
Segment table: 2 entries Auto data seg: 2
Execution starts at 11E4 in segment #0
Stack starts at 0000 in segment #0
Module ref table: 4 entries

<-----------------Resources----------------->
Resource Type ICON
Resource #1: len: 410; flags: Disc/Movable/LoadOnCall; id: SPYICON
01 01 00 00 00 00 40 00-40 00 08 00 00 00 FF FF ......@.@.......
FF C0 FF FF FF FF FF FF-FF 01 FF FF FF FF FF F0 ................
7E 03 FF FF FF FF FF C0-1C 03 FF FF FF FF FF 80 ~...............
18 07 FF FF FF FF FE 00-00 0F FF FF FF FF FC 00 ................
00 1F FF FF FF FF FC 00-00 1F FF FF FF FF F8 00 ................
00 3F FF FF FF FF F0 00-00 3F FF FF FF FF E0 00 .?.......?......
00 3F FF FF FF FF E0 00-01 1F FF FF FF FF E0 00 .?..............
00 1F FF FF FF FF E0 00-00 1F FF FF FF FF E0 00 ................
Resource Type MENU
Resource #1: len: 70; flags: Disc/Movable/LoadOnCall; id: SPYMENU
10 26 53 70 79 00 00 00-10 26 53 70 79 20 4F 6E .&Spy....&Spy On
00 00 00 00 00 00 05 10-45 26 78 69 74 00 80 06 ........E&xit...
10 26 41 62 6F 75 74 20-53 70 79 2E 2E 2E 00 10 .&About Spy.....
26 57 69 6E 64 6F 77 00-00 03 10 53 65 74 20 26 &Window....Set &
57 69 6E 64 6F 77 2E 2E-2E 00 80 07 10 26 43 6C Window.......&Cl
65 61 72 20 57 69 6E 64-6F 77 00 80 04 10 26 4F ear Window....&O
70 74 69 6F 6E 73 00 6D-74 73 77 73 6C 6E 6B 6D ptions.mtswslnkm
Resource Type DIALOG
Resource #1: len: d0; flags: Disc/Movable/LoadOnCall; id: 1
00 00 40 90 06 0A 00 0A-00 C3 00 4D 00 00 00 00 ..@........M....
00 00 05 00 C3 00 08 00-FF FF 01 00 02 50 82 4D .............P.M
69 63 72 6F 73 6F 66 74-20 57 69 6E 64 6F 77 73 icrosoft Windows
00 00 00 00 0F 00 C3 00-08 00 FF FF 01 00 02 50 ...............P
82 53 70 79 20 55 74 69-6C 69 74 79 00 00 00 00 .Spy Utility....
21 00 C3 00 09 00 FF FF-01 00 02 50 82 56 65 72 !..........P.Ver
73 69 6F 6E 20 32 2E 30-33 00 00 00 00 2F 00 C3 sion 2.03..../..
00 09 00 FF FF 01 00 02-50 82 43 6F 70 79 72 69 ........P.Copyri
Resource #2: len: c0; flags: Disc/Movable/LoadOnCall; id: 2
00 00 40 80 06 16 00 0F-00 94 00 4C 00 00 00 00 ..@........L....
00 00 05 00 90 00 08 00-FF FF 01 00 02 50 82 4D .............P.M
69 63 72 6F 73 6F 66 74-20 57 69 6E 64 6F 77 73 icrosoft Windows
00 00 00 00 0E 00 90 00-08 00 FF FF 01 00 02 50 ...............P
82 53 50 59 20 41 70 70-6C 69 63 61 74 69 6F 6E .SPY Application
20 56 32 2E 30 00 00 3A-00 36 00 20 00 0E 00 01 V2.0..:.6. ....
00 01 00 03 50 80 4F 4B-00 00 00 00 17 00 90 00 ....P.OK........
08 00 01 00 01 00 00 50-82 42 79 3A 20 54 6F 64 .......P.By: Tod
Resource #3: len: 1a0; flags: Disc/Movable/LoadOnCall; id: 3
00 00 C0 80 11 24 00 1D-00 CB 00 59 00 00 00 53 .....$.....Y...S
70 79 20 57 69 6E 64 6F-77 00 A2 00 12 00 1E 00 py Window.......
0E 00 01 00 01 00 01 50-80 4F 4B 00 00 A2 00 27 .......P.OK....'
00 1E 00 0E 00 02 00 00-00 01 50 80 43 61 6E 63 ..........P.Canc
65 6C 00 00 00 00 02 00-B7 00 0C 00 00 00 01 00 el..............
00 50 82 43 6C 69 63 6B-20 6F 76 65 72 20 57 69 .P.Click over Wi
6E 64 6F 77 20 74 6F 20-53 70 79 20 75 70 6F 6E ndow to Spy upon
2E 00 00 02 00 10 00 9D-00 42 00 00 00 07 00 00 .........B......
Resource #4: len: 210; flags: Disc/Movable/LoadOnCall; id: 4
00 00 40 80 15 13 00 0F-00 B8 00 7A 00 00 00 00 ..@........z....
92 00 04 00 1E 00 0E 00-01 00 01 00 01 50 80 4F .............P.O
4B 00 00 92 00 17 00 1E-00 0E 00 02 00 00 00 01 K...............
50 80 43 61 6E 63 65 6C-00 00 02 00 00 00 87 00 P.Cancel........
3A 00 00 00 07 00 00 50-80 4D 65 73 73 61 67 65 :......P.Message
73 00 00 0B 00 0C 00 24-00 0C 00 08 80 02 00 01 s......$........
50 80 26 4D 6F 75 73 65-00 00 0B 00 1A 00 24 00 P.&Mouse......$.
0C 00 01 80 02 00 01 50-80 26 57 69 6E 64 6F 77 .......P.&Window

Resident name table
Resident names & entry index:

NonResident name table: 6B bytes
NonResident names & entry index:
Windows Spy Application0
DLGMASKSET5
PRINTFWNDPROC99
DLGABOUT2
SPYWNDPROC1
DLGSPYSET4
DLGABOUTTODD3

end of listing


