This DLL is for programmers. It has PEiD v0.94 embedded and uses the power of PEiD (invisibly) to scan a file passed to one of the functions and return the ID, Entropy and other useful information ..
Also embedded is my UserDB.TXT..
DLL size in total is 215k packed - 397k unpacked (234k for UserDB, 163k PEiD + my code) ..
Included with this DLL is an example Console-PEiD type program, written in MASM and also three examples in Delphi. The first Delphi version checks the registry for the scan-mode settings of installed PEiD, the second demonstrates the newer exports of PEiDLL and using PEiDLL_Unit.pas to easily use PEiDLL .. Also included in the Delphi Examples dir is Multi.DPR - An example of a simple multi-scanner..
Type -? as the param for the examples to get usage instructions..
New in v1.06: Included Test3.exe in Delphi examples, a very simple program to test using Scan_External with your UserDB ..
Note for the confused: Scan_External scans only with your UserDB, not with the PEiD internal database as well.. If you want to scan with both the internal database and your UserDB, use SetScanOptions ..
If you want my UserDB.TXT (that is embedded in the DLL) it is here: http://reverse-engineering-scripts.googlecode.com/files/UserDB.TXT
..And no, there is no way to stop the console window title flashing when running from console. This is normal behaviour, and does the same when ANY non-console program is run from console (PEiD is not a console program, even without visible GUI) ..
I'm not going to do any more updates to this until PEiD v0.95 is released ..
v1.00 - 07-Oct-2oo6 - Initial Release
+ ScanWithPEiD func - Uses PEiD option for scan-mode to scan file. Returns PEiD output as PChar..
+ Scan_Normal func - Scans a file with the Normal scan-mode. Returns PEiD output as PChar..
+ Scan_Deep func - Scans a file with the Deep scan-mode. Returns PEiD output as PChar..
+ Scan_Hard func - Scans a file with the Hardcore scan-mode. Returns PEiD output as PChar..
+ GetPEiDVersion func - Returns embedded PEiD version as PChar..
+ GetPEiDLLVersion func - Returns PEiDLL version as PChar..
v1.01 - 19-Oct-2oo6
o Fixed memory leak in scan routine..
o Changed some code around, now faster..
+ GetPEiDScanMode func - Reads registry so you don't have to.
+ SetScanOptions proc - Use other UserDB.TXT or no external sigs.
+ SetPluginOptions proc - Load and run plugin from PEiD.
+ MultiScanDir func - Scan multiple files in a dir..
+ PEiDLL_Unit.pas included for easy Delphi use.. If someone wants to make similar for Asm / C++ / etc, please send to me!
v1.02 - 24-Oct-2oo6
o Improved scan functions - now faster, esp. for MultiScanDir..
o Works better with PEiD running at same time..
+ ScanMode option to MultiScanDir.. (Did use PEiD options)
+ FileEntropy func - By request, gets the entropy of a file ..
+ Example usage of FileEntropy func in Test2.Dpr and Multi.DPR (when file not recognized by PEiD then shows entropy)
v1.03 - 31-Oct-2oo6
o Changed code to try hide PEiD dialog on all systems - Was hidden for most, just not all... Let me know if still visible..
v1.04 - 16-Nov-2oo6
o Logic of SetScanOptions was dodgy.. (Thx Jupiter)
o Changed all functions to StdCall - was Pascal EG left-to-right (Thx Jupiter)
o Replaced some weird Delphi code with better code.. :)
o Better handling so won't get confused when > 1 PEiDLL is active..
o Now even faster code!
+ Added C++ examples and function definitions.. (Thx ReeZe)
+ Added GetInternalDatabase - Returns list of internal detections ..
+ Example usage of GetInternalDatabase func in Test2.Dpr
- Removed duplicate code..
- Removed internal archive + code ..
v1.05 - 29-Jul-2oo7
+ Added some more error checking .. (Checks can write to registry and temp dir)
+ Added LoadDll and DoMyJob exports in case someone thinks this is a PEiD plugin .. :)
+ Added Scan_External export - Scans a file only with the UserDB. Returns PEiD output as PChar.. (Suggested by Dong)
v1.06 - 02-Aug-2oo7
o Fixed Scan_External export - Was not functioning correctly..
o Scan_External now returns "UserDB does not exist!" if you pass bad filename..
+ Added very simple Test3 program to test Scan_External ..
Legend :
o = Item is Changed / Fixed
+ = Item is Added
- = Item is Removed
The DLL has 13 functions:
Function ScanWithPEiD (Filename : PChar) : PChar; StdCall;
Function Scan_Norm (Filename : PChar) : PChar; StdCall;
Function Scan_Deep (Filename : PChar) : PChar; StdCall;
Function Scan_Hard (Filename : PChar) : PChar; StdCall;
Function PEiDVersion : PChar; StdCall;
Function PEiDLLVersion : PChar; StdCall;
[New in v1.01]
Function GetPEiDScanMode : Integer; StdCall;
Procedure SetScanOptions (UseUserDB : Boolean; UserDB : PChar); StdCall;
Procedure SetPluginOptions (UsePlugin : Boolean; Plugin : PChar; AutoRun : Boolean); StdCall;
Function MultiScanDir (DirName : PChar; OnlyPE, Recursive : Boolean; CallBack : Pointer; ScanMode : DWord) : PChar; StdCall;
[New in v1.02]
Function FileEntropy(Filename : PChar) : PChar; StdCall;
[New in v1.04]
Function GetInternalDatabase : PChar; StdCall;
[New in v1.05]
Function Scan_External (Filename, UserDB : PChar) : PChar; StdCall;
Description of functions:
Too obvious for description:
The scan functions return the ID string from PEiD, the version functions return the versions..
New in v1.01:
The GetPEiDScanMode func reads PEiD's options from the registry and returns: -1 (no option in reg), 0 (Normal), 1 (Deep) or 2 (Hardcore)
The SetScanOptions proc is to Use/not use a UserDB.TXT external sigs file.
If a file is passed as UserDB param, it is used .. If UseUserDB is true and UserDB is null then internal UserDB.TXT is used.. If UseUserDB is false, no UserDB.TXT is used - only PEiD internal signatures.
The SetPluginOptions proc is to use a plugin, the plugin can be executed from PEiD if UsePlugin and AutoRun are both true, and the file passed to proc as Plugin exists..
The MultiScanDir func will scan a directory and call the callback proc with the Path+Filename and the ID of the file. Then, you can output it somewhere.. If the callback func returns False then the scan is aborted.. The function returns a string like: "Scanned 4 files.."
If Recursive is True, then it will also scan inside any dirs found..
If OnlyPE is True then only PE files will be passed back to the callback func..
The CallBack proc takes this form:
Function CallBackProc (Filename : PChar; ID : PChar) : Boolean;
See Multi.DPR in the Delphi Examples directory for an example of this..
New in v1.02:
The MultiScanDir func has been expanded to have ScanMode option, values to use are: 0 - Normal, 1 - Deep, 2 - Hard .. Same as the return values of the GetPEiDScanMode func ..
The FileEntropy func takes a PChar Filename and returns a PChar of the Entropy string, as returned from the Extra Information window of PEiD v0.94 ...
New in v1.04:
The GetInternalDatabase func returns a pointer to the list of internal signatures of PEiD (601 in PEiD v0.94)
Each line is terminated with CR + LF (#13#10)
Try Test2.EXE -DB to see this list..
New in v1.05:
New function Scan_External will scan the file using the UserDB.TXT supplied as the second param..
This is the same as running PEiD with -external command-line.
If no UserDB.TXT supplied, then the internal UserDB is used.
C:\> Test2 -?
Usage:
Test [-Info \ -Norm \ -Deep \ -Hard \ -Plugin \ -UserDB \ -DB] FileToScan.Exe
-Info = Show information about DLL
-Norm = Use Normal Scan-mode
-Deep = Use Deep Scan-mode
-Hard = Use Hard Scan-mode
-Plugin:<filename> - To load plugin, also -AutoRun to run it..
-UserDB:<filename> - To use an external UserDB.TXT file..
-NoUserDB - To not use Internal or External UserDB.TXT ..
-DB - To list the internal signatures of PEiD ..
EG: Test.EXE -Plugin:"D:\PEiD v0.94\Plugins\AddSig.DLL" -AutoRun Target.EXE
- Will scan Target.EXE with default scan-mode, and run AddSig Plugin..
If no scan-mode selected, then PEiD setting is used ..
If PEiD setting not in registry then Normal is used ..
C:\> Test2 -Info
PEiD Version : PEiD v0.94
PEiDLL Version : PEiDLL v1.06
C:\> Test2 Test.exe
Scanmode [Hard] : Borland Delphi 6.0 - 7.0
C:\> Test2 Test_Asm.exe
ScanMode[Hard] : Nothing found * - Entropy: 4.66 (Not Packed)
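The following Python/ctypes binding is an added example, not part of the PEiDLL package. It calls the PChar-only exports declared above and reproduces the "not recognized, so show entropy" output of the sample run. Assumptions: the file name PEiDLL.dll, PChar being an ANSI char*, the "Nothing found" prefix and the shape of the entropy string (both taken from the sample output above); all helper names are made up for this example.

```python
import ctypes

DLL_NAME = "PEiDLL.dll"  # assumed file name; the page does not state it
SCAN_MODES = {0: "Normal", 1: "Deep", 2: "Hardcore"}
# Exports and their PChar argument counts, from the declarations on this page.
# PChar is assumed to be an ANSI char* (pre-Unicode Delphi).
PCHAR_EXPORTS = {"Scan_Hard": 1, "FileEntropy": 1,
                 "Scan_External": 2, "GetInternalDatabase": 0}

def load_peidll(path=DLL_NAME):
    """Bind the exports. Windows only; Python bitness must match the DLL."""
    dll = ctypes.WinDLL(path)  # WinDLL = StdCall, as the exports are since v1.04
    for name, nargs in PCHAR_EXPORTS.items():
        fn = getattr(dll, name)
        fn.argtypes = [ctypes.c_char_p] * nargs
        fn.restype = ctypes.c_char_p  # ctypes copies the string into bytes
    dll.GetPEiDScanMode.argtypes = []
    dll.GetPEiDScanMode.restype = ctypes.c_int
    return dll

def text(raw):
    """Decode a returned PChar; a null pointer arrives as None."""
    return (raw or b"").decode("latin-1")

def effective_scan_mode(reg_value):
    """Name the mode GetPEiDScanMode reports; -1 (not in reg) means Normal."""
    return SCAN_MODES.get(reg_value, "Normal")

def split_database(raw):
    """GetInternalDatabase returns one signature per CR + LF terminated line."""
    return [line for line in text(raw).split("\r\n") if line]

def scan_external(dll, filename, userdb):
    """Scan with the given UserDB only; paths are bytes in the ANSI code page."""
    result = text(dll.Scan_External(filename, userdb))
    if result == "UserDB does not exist!":  # error string added in v1.06
        raise FileNotFoundError(userdb.decode("latin-1"))
    return result

def triage(dll, filename):
    """Hardcore scan; when nothing is identified, append the entropy string."""
    ident = text(dll.Scan_Hard(filename))
    if ident.startswith("Nothing found"):
        ident += " - Entropy: " + text(dll.FileEntropy(filename))
    return ident
```

Scan_External reports a missing UserDB through its return string rather than an error code, so a caller that does not compare against that string would record the message as if it were a detection name.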
Comments? Email : BobSoft@GMail.com - Site : BoB's Place
Thanks again to whoever invented coffee, without which I would never get anything done.. ;)
~ A program with no bugs has either too few users or too few uses ~