Forum posts for ekrn.exe
Read strings from .exe files (like Strings.exe) in Delphi
I want to write a program to read/extract all of the valid strings in an .exe file (for example: 'This program must be run under Win' or 'MZ'), exactly like Strings.exe from Sysinternals.
Actually, I want to scan an .exe file and, if it contains a special string value such as 'ekrn.exe' or 'Firefox.exe', detect that file as a suspicious file (killing ekrn.exe or injecting malcode into firefox.exe).
I wrote the following code in Delphi :
const
  TargetName = 'E:AntiDebugg.exe';
var
  hFile: THandle;
  tmp: AnsiString;
  dwFileSize, lChar, lSearch: Integer;
  dwNumRead: Cardinal;
  dwBuffer: array of AnsiChar;
begin
  mmo1.Clear;
  // Open the target file for reading
  hFile := CreateFileA(TargetName, GENERIC_READ, FILE_SHARE_READ, nil,
    OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
  dwFileSize := GetFileSize(hFile, nil);
  SetLength(dwBuffer, dwFileSize);
  lChar := 0;
  lSearch := 0;
  while lChar <= dwFileSize do
  begin
    // Read from the file into the buffer starting at index lChar
    ReadFile(hFile, dwBuffer[lChar], SizeOf(dwBuffer), dwNumRead, nil);
    // Append bytes to tmp until a NUL byte is reached
    while dwBuffer[lChar] <> #0 do
    begin
      tmp := tmp + dwBuffer[lChar];
      Inc(lChar, 1);
    end;
    lSearch := 0;
    Inc(lChar, 1);
  end;
  // Show everything that was collected in the memo
  mmo1.Text := (tmp);
  CloseHandle(hFile);
end;
The result of running my code is (a small piece):
MZP??¸@?´ ?!¸L?!??This program must be run under Win32
$7PEL
%0?Q?´?
¤'0B??.textd .itext| .data`@.bss?N.idata
@.didata?@.tls.rdata@.reloc¤'@.rsrc@@@Boolean@alseTrueSystem4@AnsiCharP@ Char?h@Integer?€@Byte?@Word?°@Pointer?@Cardinal????@ NativeInt???ü@
NativeUInt?@ShortString?,@ PAnsiChar0@D@stringT@TClass?@h@HRESULT?€@TGUID
But this isn't my desired result; my desired result is:
MZP
This program must be run under Win32
.text
`.itext
`.data
.bss
.idata
.didata
.tls
.rdata
@.reloc
B.rsrc
Boolean
False
True
System
AnsiChar
Char
Integer
Byte
Word
Pointer
Cardinal
NativeInt
NativeUInt
ShortString
PAnsiChar0
string
TClass
HRESULT
TGUID
In this example, AntiDebugg.exe was compiled by Delphi.
The result of Strings.exe for strings of 'AntiDebugg.exe'
Any idea?
What should I do?
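An added example, not part of the original post and not Sysinternals code: one way to get the one-string-per-line output described above is to treat every non-printable byte as a separator and keep only runs of printable ASCII, then check each run against the two process names the post mentions. It assumes Delphi XE2 or later, a minimum run length of 3 (assumed to match the Strings.exe default), and ASCII only (Strings.exe also reports UTF-16 strings); the sample bytes are constructed.

```pascal
program StringsScan;
{$APPTYPE CONSOLE}
uses
  System.SysUtils, System.Classes, System.StrUtils, System.IOUtils;

const
  MinLen = 3; // shortest run reported; assumed to match Strings.exe's default

// Returns every run of at least MinLen printable ASCII bytes ($20..$7E).
// Any other byte (NUL, control codes, high bytes) ends the current run.
function ExtractAsciiStrings(const Data: TBytes): TStringList;
var
  i, RunStart: Integer;
  S: AnsiString;
begin
  Result := TStringList.Create;
  RunStart := -1;
  for i := 0 to Length(Data) do // the extra pass at the end flushes a trailing run
    if (i < Length(Data)) and (Data[i] >= $20) and (Data[i] <= $7E) then
    begin
      if RunStart < 0 then RunStart := i;
    end
    else if RunStart >= 0 then
    begin
      if i - RunStart >= MinLen then
      begin
        SetString(S, PAnsiChar(@Data[RunStart]), i - RunStart);
        Result.Add(string(S));
      end;
      RunStart := -1;
    end;
end;

var
  Data: TBytes;
  Found: TStringList;
  Line: string;
begin
  // Constructed sample bytes; pass a file path as the first argument to scan a real file.
  Data := BytesOf(AnsiString('MZP'#0#2#0'This program must be run under Win32'#13#10 +
    '$7'#0'.text'#0#1'ekrn.exe'#0));
  if ParamCount > 0 then
    Data := TFile.ReadAllBytes(ParamStr(1));
  Found := ExtractAsciiStrings(Data);
  try
    for Line in Found do
      if ContainsText(Line, 'ekrn.exe') or ContainsText(Line, 'firefox.exe') then
        Writeln('[watchlist] ', Line)
      else
        Writeln(Line);
  finally
    Found.Free;
  end;
end.
```

A watchlist hit on a plain string is only a triage signal: packed or obfuscated binaries will not expose these names, and legitimate tools may contain them.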