Home » Tipps & Tricks » Dateien/Verzeichnisse » Dateieigenschaften » Prüfen, ob eine Datei eine Win32-EXE (PE-Format) ist

Prüfen, ob eine Datei eine Win32-EXE (PE-Format) ist

const
  IMAGE_DOS_SIGNATURE = $5A4D;
  IMAGE_NT_SIGNATURE = $00004550;

type
  PIMAGE_DOS_HEADER = ^IMAGE_DOS_HEADER;
  IMAGE_DOS_HEADER = packed record
  e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc,
  e_maxalloc, e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc,
  e_ovno: WORD;
  e_res: packed array[0..3] of word;
  e_oemid, e_oeminfo: word;
  e_res2: packed array[0..9] of word;
  e_lfanew: Longint;
end;

function isexe(s: string): boolean;
var hfile, hmap, test: DWORD;
  pEXE: PChar;
begin
  result := false;
  hfile := createfile(pchar(s), GENERIC_READ, FILE_SHARE_READ, nil, OPEN_EXISTING,
  FILE_ATTRIBUTE_NORMAL, 0);
  if hfile  INVALID_HANDLE_VALUE then
    try
      hmap := CreateFileMapping(hFile, nil, PAGE_READONLY, 0, 0, nil);
      if hmap  0 then
        try
          pEXE := MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
          result := PWORD(pEXE)^ = IMAGE_DOS_SIGNATURE;
          if result then begin
            MessageBox(0, pchar(format('DOS-Header found' + #13#10 + 'PE offset: 0x%8.8x',
            [PIMAGE_DOS_HEADER(pEXE)^.e_lfanew])), '', MB_OK);
            result := false;
            pEXE := pEXE + PIMAGE_DOS_HEADER(pEXE)^.e_lfanew;
            result := PDWORD(pEXE)^ = IMAGE_NT_SIGNATURE;
            if result then begin
              MessageBox(0, 'Yepp, it''s a PE', '', MB_OK);
              test := PIMAGE_FILE_HEADER(pEXE)^.TimeDateStamp;
              MessageBox(0, pchar(format('%8.8x (%d) - %d', [test, test, test])), '', MB_OK);
            end;
            UnmapViewOfFile(pEXE);
          end;
        finally
          closehandle(hmap);
        end;
    finally
      closehandle(hfile);
    end;
end;