Check for PE file

Experts, I want to know if there is a way to check if a file created is a PE (portable executable) in a minifilter driver. I know that _FLT_FILE_NAME_INFORMATION -> Extension gives me the extension of a file created (in PostCreate), but it doesn’t ensure that it is a valid PE file. Please help…!

I want the results similar to the user-mode API SHGetFileInfoW() with SHGFI_EXETYPE.

Sandeep

You can check if the file has a valid PE header: msdn.microsoft.com/en-us/library/ms809762.aspx

Note that .exe, .dll, .sys and .ocx are all examples of PE files. I’m not sure this list is exhaustive.

As to being a “valid” PE file, having a PE header does not guarantee the rest of the file is valid, and there are some interesting concepts about what constitutes “valid”. Such as, is it signed by a valid signature authority, does it represent the result of a successful link (note that the linker has an option for producing an executable file even when there are undefined symbols), does it have a valid checksum, does the header give the illusion of having a correct format, are the necessary DLLs in the search path, etc. And do you care about the header bits that say what kind of executable it is?

So it depends on what you mean by “valid”, and I note that ShGetFileInfo does not actually say what it checks when it returns the values it returns. And the documentation is a little vague on what is being returned. For example, I have no idea what “LOWORD is NE or PE” means. Does it mean the LOWORD == 0x4E45 or LOWORD == 0x454E? Inquiring minds want to know! If it says ‘NE’ this is different than if it says “NE”, but there is an absence of quote marks, which is simply poor documentation.
joe

NTFSD is sponsored by OSR

Thanks Dragan and Joseph for your replies. I can check if the file has a valid PE header, but how can I ensure that it is a .exe file and not a .sys or .dll etc.?

Sandeep

The answer is in C#, just to see which fields to check: stackoverflow.com/questions/2863683/how-to-find-if-a-file-is-an-exe
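As an added example (not code from the thread or from any of the posters), the check below walks the DOS and NT headers the linked article describes, bounds-checking every read, and then uses the fields the Stack Overflow answer points at, IMAGE_FILE_HEADER.Characteristics and IMAGE_OPTIONAL_HEADER.Subsystem, to separate an .exe from a .dll or a native/.sys image. The make_sample helper builds constructed header bytes for testing; in a real PostCreate callback the bytes would come from the opened file (for instance via FltReadFile), and the header alone still says nothing about signature, checksum or link validity, as Joe notes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* PE/COFF constants and offsets spelled out here (not pulled from ntimage.h)
   so the block builds on any platform. Names match the SDK structures. */
#define IMAGE_DOS_SIGNATURE    0x5A4D      /* "MZ" read as a little-endian WORD */
#define IMAGE_NT_SIGNATURE     0x00004550  /* "PE\0\0" */
#define IMAGE_FILE_DLL         0x2000      /* IMAGE_FILE_HEADER.Characteristics */
#define IMAGE_SUBSYSTEM_NATIVE 1           /* IMAGE_OPTIONAL_HEADER.Subsystem */

enum pe_kind { PE_NOT_PE = 0, PE_EXE, PE_DLL, PE_NATIVE };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Classify the first bytes of a file. Every offset is checked against len
   before it is read, because a filter is parsing attacker-chosen bytes. */
enum pe_kind classify_pe(const uint8_t *buf, size_t len)
{
    if (len < 64 || rd16(buf) != IMAGE_DOS_SIGNATURE) return PE_NOT_PE;
    uint32_t e_lfanew = rd32(buf + 60);               /* IMAGE_DOS_HEADER.e_lfanew */
    /* Need Signature(4) + IMAGE_FILE_HEADER(20) + optional header through Subsystem */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 70) return PE_NOT_PE;
    const uint8_t *nt = buf + e_lfanew;
    if (rd32(nt) != IMAGE_NT_SIGNATURE) return PE_NOT_PE;
    uint16_t characteristics = rd16(nt + 4 + 18);     /* IMAGE_FILE_HEADER.Characteristics */
    uint16_t magic = rd16(nt + 24);                   /* optional header Magic */
    if (magic != 0x10b && magic != 0x20b) return PE_NOT_PE; /* PE32 / PE32+ only */
    uint16_t subsystem = rd16(nt + 24 + 68);          /* same offset in PE32 and PE32+ */
    if (characteristics & IMAGE_FILE_DLL) return PE_DLL;       /* .dll, .ocx, ... */
    /* Native subsystem without the DLL bit: a driver (.sys) or a native-mode
       program such as smss.exe; the header alone cannot tell those apart. */
    if (subsystem == IMAGE_SUBSYSTEM_NATIVE) return PE_NATIVE;
    return PE_EXE;                                    /* console/GUI application */
}

/* Constructed sample: a minimal PE32 header (no sections) for exercising the
   parser. Writes into out (256 bytes) and returns the number of bytes used. */
size_t make_sample(uint8_t *out, uint16_t characteristics, uint16_t subsystem)
{
    const uint32_t e_lfanew = 0x80;
    memset(out, 0, 256);
    out[0] = 'M'; out[1] = 'Z';
    out[60] = (uint8_t)e_lfanew;                      /* e_lfanew, little-endian */
    uint8_t *nt = out + e_lfanew;
    nt[0] = 'P'; nt[1] = 'E';
    nt[22] = (uint8_t)characteristics; nt[23] = (uint8_t)(characteristics >> 8);
    nt[24] = 0x0b; nt[25] = 0x01;                     /* Magic = PE32 */
    nt[92] = (uint8_t)subsystem; nt[93] = (uint8_t)(subsystem >> 8);
    return e_lfanew + 94;
}
```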