Initial Commit

Author: extremecoders-re

README.html

@@ -0,0 +1,166 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+	<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+	<title>Virtual File System Editor</title>
+	
+	<style type="text/css" media="screen">
+		html, body 		{ margin: 0; padding: 0;}
+		body 			{ color: #333; font: 12px Helvetica, Arial, sans-serif; line-height: 18px; }
+		h2				{ color: #333; }
+		a				{ color: #337810; }
+		p				{ margin: 0 0 18px; }
+		#container		{ width: 760px; margin: 0 auto; }
+		
+		/* Header */
+		#header			{ background: #eee; border-bottom: 2px solid #ddd; }
+		#header h1  	{ color: #004b6f; margin: 0 0 3px; padding: 24px 18px 0; }
+		#header p		{ color: #666; font-size: 11px; font-weight: bold; padding: 0 18px; }
+		
+		/* Content Style */
+		#navigation		{ margin-left: 18px; }
+		#navigation ul	{ padding: 0 18px 9px; }
+		#extra			{ margin: 0 18px; }
+		#extra small	{ font-size: 11px; line-height: 18px; }
+		#content		{ border-bottom: 1px solid #ccc; margin: 0 18px; }
+		#content p, #extra p { padding-right: 18px; }
+		
+		/* Content Positioning and Size */
+		#navigation		{ float: left; width: 350px; }
+		#content		{ }
+		#extra			{ float: right; width: 350px; }		/* Footer */
+		#footer			{ background: #333; border-bottom: 2px solid #999; clear: both; }
+		#footer a		{ color: #eee; }
+		#footer	p		{ color: #ccc; margin: 0; padding: 0 18px 10px; }
+		#footer ul		{ border-bottom: 1px solid #555; list-style: none; margin: 0 18px 6px; padding: 10px 0 6px; }
+		#footer li		{ display: inline; font-size: 11px; font-weight: bold; padding-right: 5px; }
+	</style>
+	<!--[if IE]>
+	<style type="text/css">
+	    #navigation, #content, #extra { margin-top: 20px; }
+	</style>
+	<![endif]-->
+</head><body>
+	<div id="container">
+		<div id="header">
+			<h1>Virtual File System Editor</h1>
+			<p class="description">A tool to extract embedded files from application virtualizers</p>
+		</div>
+		<div id="wrapper">
+			<div id="content">
+				<h2>General Information</h2>
+				<p align="justify">
+				Virtual File System Editor is a tool to extract/modify embedded files from packed executables created by application virtualizers.
+				The main tool is provided in the form of a DLL which needs to be injected into the process you want to extract files from.
+				Since DLL injection is a separate topic with it's own nuances, I have not provided a DLL injector in this package. You may use any DLL 
+				injector. I recommend the one developed by Ralph Hare available at <a href="http://www.ysgyfarnog.co.uk/utilities/Injector/" target="_blank">ysgyfarnog.co.uk</a> or
+				RemoteDLL available at <a href="http://securityxploded.com/remotedll.php" target="_blank">SecurityXploded</a>. The latter is particularly
+				recommended for ASLR aware systems.				
+				</p>
+			</div>
+			
+			<div id="content">
+				<h2>Program Usage</h2>
+				
+				<p align="justify"><b>Access Test</b> : Use this to check if the selected file is readable by the virtual application. Normally both access tests
+				would pass. If the tests fail, it indicates that packer did not correctly hook the APIs. In such cases you need to find the real VA of the
+				hooked APIs and enter it in the options dialog.
+
+				<p align="justify"><b>Run</b> : Use this to run another application in the context of this process. For example, this can be used to run <i>regedit.exe</i> 
+				to work with embedded registry keys. This feature has been modelled on the basis of Windows Run dialog, and will accept URLS, file paths etc. 
+				Note that if the application does not virtualize child processes it will be run of outside the virtualization container.
+
+				<p align="justify"><b>Extract</b> : Use this to extract any files from the virtual file system. You need to ensure that the output
+				folder is outside the virtual file system or otherwise the files will be created within it (if the filesystem is writable of course). This mode uses
+				<i>SHFILEOPERATION</i> function to copy selected files/directories.
+
+				<p align="justify"><b>Extract by name</b> : Use this to extract files by specifying their path. This option is particularly useful for extracting
+				hidden files, which are not visible in the listing. For example, <a href="http://www.molebox.com/" target="_blank">molebox virtualization solution</a>
+				provides an option to hide files from directory listing which uses <i>FindFirst</i> API function. In such cases, if you know
+				the full file path (which you may obtain by debugging the application), you can extract it using this option. Also note that 
+				this method extracts the file using vfsserver process, so you need to run it. Additionally, you can only extract files by this.
+
+				<p align="justify"><b>Extract by server</b> : Use this to leverage the extraction of files by using a separate process(vfsserver.exe) which is run outside
+				the virtualization container. You can use this 
+				extraction mode, if file creation is not possible within the virtualized application. You can only extract files by this method.
+
+				<p align="justify"><b>Add</b> : You can add/copy files to the virtual file system using this method. Note that the virtual file system should be 
+				writable for this to succeed. You can only add files by this method.
+				
+				<p align="justify"><b>Delete</b> : Delete files from the virtual file system. As usual the file system should not be read-only.
+				Also make sure that selected files are a part of the virtual file system, or otherwise real files on disk which are outside the virtualization container 
+				will be deleted. You can delete both files as well as directories by this method.
+				
+				<p align="justify"><b>Options</b> : Here you can specifiy the virtual addresses for the APIs used for extraction. You need to provide the VA of
+				four API's namely <i>CreateFileA</i>, <i>GetFileSize</i>, <i>ReadFile</i>, &amp; <i>CloseHandle</i>. Normally, you do not need to use this, 
+				but for very old packers such as old versions of molebox this is needed. This is because the software incorrectly hooks the IAT, as a result the newly injected dll
+				does not use the hooked APIs. In such cases, you need to debug the application to find the VA of the said hooked APIs and then provide the values here.
+				Also note that the provided values are only used in extract by name &amp; server modes.
+			</div>
+			<div id="content">
+			<h2>Tests</h2>
+			<p>
+			Virtual File System Editor was tested with the following packers on Windows XP SP3.
+			<ul type="square">
+              <li><a href="http://www.boxedapp.com/" target="_blank">BoxedApp Packer 3.2.3.8</a> </li>
+			  <li><a href="http://www.cameyo.com/" target="_blank">Cameyo 2.0.8.32</a></li>
+			  <li><a href="http://www.enigmaprotector.com/en/about.html" target="_blank">Enigma Protector 4.20.20140508</a></li>
+              <li><a href="http://www.enigmaprotector.com/en/aboutvb.html" target="_blank">Enigma Virtual Box 7.10.20131218</a></li>
+			  <li><a href="http://www.evalaze.de/" target="_blank">Evalaze Commercial Edition 2.2.1.1</a></li>
+			  <li><a href="http://www.molebox.com/" target="_blank">Molebox Virtualization Solution 5.4.6.2</a></li>
+			  <li><a href="http://www.smartpacker.nl/" target="_blank">Smart Packer Pro 1.93</a></li>
+              <li><a href="https://spoon.net/studio" target="_blank">Spoon Virtual Application Studio 11.4.176</a></li>
+              <li><a href="http://www.vmware.com/products/thinapp" target="_blank">VMware ThinApp Enterprise 5.0.0.1391583</a></li>              
+        	</ul>
+			</div>
+			<div id="content">
+			<h2>Tips, Tricks &amp; Limitations</h2>
+			
+			<p align="justify">
+			Molebox allows to hide specific or all files from directory structure listing. 
+			This can be controlled by the "Hide all files" option or passing specific flags in the MXB file. In such a case
+			<i>FindFirstFile</i> / <i>FindNextFile</i> used for directory listing will not list the hidden files &amp; so they will not be shown in the extractor window.
+			As a workaround, you can use the extract by name method, but you need to know the full path of the embedded file beforehand. Also the main executable cannot be 
+			unpacked by this tool. For very old versions of Molebox which incorrectly hooks the IAT you also need to specify the VA of the hooked APIs in Options.
+			
+			
+			<p align="justify">
+			For enigma virtual box &amp; enigma protector, the main executable will not be unpacked. The best solution in this case is to use 
+			<a href="https://forum.tuts4you.com/topic/35554-static-enigma-virtual-box-unpacker/" target="_blank">Static Enigma Virtual Box Unpacker</a> 
+			by <a href="http://lifeinhex.com/">kao</a> which 
+			not only unpacks the main executable but also embedded registry keys(if any) along with other embedded files. 
+			
+			<p align="justify">
+			For boxed app packer the main executable may not be unpacked. In such cases open the packed file in a PE editor,
+			dump <i>.bxpack</i> section and find the main PE within it by searching for MZ signature.
+
+			</div>
+			<div id="content">
+			<h2>Changelog</h2>
+			<b>v0.3</b> December 15, 2015
+			<br>&#x2022; Support for large files via name &amp; server modes
+			<br>&#x2022; Fixed some bugs
+			<p><p><b>v0.2</b> August 22, 2015
+			<br>&#x2022; Added run external program feature
+			<p><p><b>v0.1</b> August 26, 2014
+			<br>&#x2022; First Public Release
+			<p>
+			</div>
+			
+			</div>
+			<div id="content">
+			<h2>Credits</h2>		
+			Coded in Borland Delphi 7
+			<p>
+			Virtual File System Editor uses the following :			
+			<br>&#x2022; <a href="http://www.delphicomponents.net/" target="_blank">Ortus Shell Components</a>
+			<br>&#x2022; <a href="http://dryicons.com/" target="_blank">Aesthetica Icon Set version 2.0</a>			
+			</div>
+			<p>
+		
+		<div id="footer">
+		<p><p><b>Developed by <a href="mailto:[email protected]">Extreme Coders</a> &#xA9; 2014 - 15. All Rights Reserved.</b></p>
+		</div>
+	</div>
+</body>
+</html>

README.md

@@ -1,2 +1,76 @@
-# Virtual-File-System-Editor
+Virtual File System Editor
+==========================
+
 A tool to extract embedded files from application virtualizers
+
+General Information
+-------------------
+
+Virtual File System Editor is a tool to extract/modify embedded files from packed executables created by application virtualizers. The main tool is provided in the form of a DLL which needs to be injected into the process you want to extract files from. Since DLL injection is a separate topic with it's own nuances, I have not provided a DLL injector in this package. You may use any DLL injector. I recommend the one developed by Ralph Hare available at [ysgyfarnog.co.uk](http://www.ysgyfarnog.co.uk/utilities/Injector/) or RemoteDLL available at [SecurityXploded](http://securityxploded.com/remotedll.php). The latter is particularly recommended for ASLR aware systems.
+
+Program Usage
+-------------
+
+**Access Test** : Use this to check if the selected file is readable by the virtual application. Normally both access tests would pass. If the tests fail, it indicates that packer did not correctly hook the APIs. In such cases you need to find the real VA of the hooked APIs and enter it in the options dialog.
+
+**Run** : Use this to run another application in the context of this process. For example, this can be used to run _regedit.exe_ to work with embedded registry keys. This feature has been modelled on the basis of Windows Run dialog, and will accept URLS, file paths etc. Note that if the application does not virtualize child processes it will be run of outside the virtualization container.
+
+**Extract** : Use this to extract any files from the virtual file system. You need to ensure that the output folder is outside the virtual file system or otherwise the files will be created within it (if the filesystem is writable of course). This mode uses _SHFILEOPERATION_ function to copy selected files/directories.
+
+**Extract by name** : Use this to extract files by specifying their path. This option is particularly useful for extracting hidden files, which are not visible in the listing. For example, [molebox virtualization solution](http://www.molebox.com/) provides an option to hide files from directory listing which uses _FindFirst_ API function. In such cases, if you know the full file path (which you may obtain by debugging the application), you can extract it using this option. Also note that this method extracts the file using vfsserver process, so you need to run it. Additionally, you can only extract files by this.
+
+**Extract by server** : Use this to leverage the extraction of files by using a separate process(vfsserver.exe) which is run outside the virtualization container. You can use this extraction mode, if file creation is not possible within the virtualized application. You can only extract files by this method.
+
+**Add** : You can add/copy files to the virtual file system using this method. Note that the virtual file system should be writable for this to succeed. You can only add files by this method.
+
+**Delete** : Delete files from the virtual file system. As usual the file system should not be read-only. Also make sure that selected files are a part of the virtual file system, or otherwise real files on disk which are outside the virtualization container will be deleted. You can delete both files as well as directories by this method.
+
+**Options** : Here you can specifiy the virtual addresses for the APIs used for extraction. You need to provide the VA of four API's namely _CreateFileA_, _GetFileSize_, _ReadFile_, & _CloseHandle_. Normally, you do not need to use this, but for very old packers such as old versions of molebox this is needed. This is because the software incorrectly hooks the IAT, as a result the newly injected dll does not use the hooked APIs. In such cases, you need to debug the application to find the VA of the said hooked APIs and then provide the values here. Also note that the provided values are only used in extract by name & server modes.
+
+Tests
+-----
+
+Virtual File System Editor was tested with the following packers on Windows XP SP3.
+
+*   [BoxedApp Packer 3.2.3.8](http://www.boxedapp.com/)
+*   [Cameyo 2.0.8.32](http://www.cameyo.com/)
+*   [Enigma Protector 4.20.20140508](http://www.enigmaprotector.com/en/about.html)
+*   [Enigma Virtual Box 7.10.20131218](http://www.enigmaprotector.com/en/aboutvb.html)
+*   [Evalaze Commercial Edition 2.2.1.1](http://www.evalaze.de/)
+*   [Molebox Virtualization Solution 5.4.6.2](http://www.molebox.com/)
+*   [Smart Packer Pro 1.93](http://www.smartpacker.nl/)
+*   [Spoon Virtual Application Studio 11.4.176](https://spoon.net/studio)
+*   [VMware ThinApp Enterprise 5.0.0.1391583](http://www.vmware.com/products/thinapp)
+
+Tips, Tricks & Limitations
+--------------------------
+
+Molebox allows to hide specific or all files from directory structure listing. This can be controlled by the "Hide all files" option or passing specific flags in the MXB file. In such a case _FindFirstFile_ / _FindNextFile_ used for directory listing will not list the hidden files & so they will not be shown in the extractor window. As a workaround, you can use the extract by name method, but you need to know the full path of the embedded file beforehand. Also the main executable cannot be unpacked by this tool. For very old versions of Molebox which incorrectly hooks the IAT you also need to specify the VA of the hooked APIs in Options.
+
+For enigma virtual box & enigma protector, the main executable will not be unpacked. The best solution in this case is to use [Static Enigma Virtual Box Unpacker](https://forum.tuts4you.com/topic/35554-static-enigma-virtual-box-unpacker/) by [kao](http://lifeinhex.com/) which not only unpacks the main executable but also embedded registry keys(if any) along with other embedded files.
+
+For boxed app packer the main executable may not be unpacked. In such cases open the packed file in a PE editor, dump _.bxpack_ section and find the main PE within it by searching for MZ signature.
+
+Changelog
+---------
+
+**v0.3** December 15, 2015  
+• Support for large files via name & server modes  
+• Fixed some bugs
+
+**v0.2** August 22, 2015  
+• Added run external program feature
+
+**v0.1** August 26, 2014  
+• First Public Release
+
+Credits
+-------
+
+Coded in Borland Delphi 7
+
+Virtual File System Editor uses the following :  
+• [Ortus Shell Components](http://www.delphicomponents.net/)  
+• [Aesthetica Icon Set version 2.0](http://dryicons.com/)
+
+**Developed by [Extreme Coders](mailto:[email protected]) © 2014 - 15. All Rights Reserved.**

vfseditor/aboutdialogbox.dcu

@@ -0,0 +1,85 @@
+object Form2: TForm2
+  Left = 518
+  Top = 264
+  BorderIcons = [biSystemMenu]
+  BorderStyle = bsToolWindow
+  Caption = 'About'
+  ClientHeight = 209
+  ClientWidth = 385
+  Color = clBtnFace
+  Font.Charset = DEFAULT_CHARSET
+  Font.Color = clWindowText
+  Font.Height = -11
+  Font.Name = 'Tahoma'
+  Font.Style = []
+  FormStyle = fsStayOnTop
+  OldCreateOrder = False
+  Position = poOwnerFormCenter
+  PixelsPerInch = 96
+  TextHeight = 13
+  object txt1: TStaticText
+    Left = 50
+    Top = 11
+    Width = 285
+    Height = 29
+    Caption = 'Virtual File System Editor v0.3'
+    Font.Charset = DEFAULT_CHARSET
+    Font.Color = clWindowText
+    Font.Height = -21
+    Font.Name = 'Tahoma'
+    Font.Style = []
+    ParentFont = False
+    TabOrder = 0
+  end
+  object txt2: TStaticText
+    Left = 71
+    Top = 42
+    Width = 243
+    Height = 18
+    Caption = 'Developed by Extreme Coders '#169' 2014 - 15'
+    Font.Charset = DEFAULT_CHARSET
+    Font.Color = clWindowText
+    Font.Height = -12
+    Font.Name = 'Tahoma'
+    Font.Style = []
+    ParentFont = False
+    TabOrder = 1
+  end
+  object mmo1: TMemo
+    Left = 9
+    Top = 88
+    Width = 368
+    Height = 112
+    BiDiMode = bdLeftToRight
+    Font.Charset = DEFAULT_CHARSET
+    Font.Color = clWindowText
+    Font.Height = -11
+    Font.Name = 'Tahoma'
+    Font.Style = [fsBold]
+    Lines.Strings = (
+      'Coded in Borland Delphi 7'
+      ''
+      'Virtual File System Editor uses the following :'
+      '> Ortus Shell Components :: http://www.delphicomponents.net/'
+      '> Aesthetica Icon Set, version 2.0 :: http://dryicons.com/')
+    ParentBiDiMode = False
+    ParentFont = False
+    ReadOnly = True
+    TabOrder = 2
+    WordWrap = False
+  end
+  object txt3: TStaticText
+    Left = 94
+    Top = 62
+    Width = 198
+    Height = 18
+    Caption = 'email: [email protected]'
+    Font.Charset = DEFAULT_CHARSET
+    Font.Color = clWindowText
+    Font.Height = -12
+    Font.Name = 'Tahoma'
+    Font.Style = []
+    ParentFont = False
+    TabOrder = 3
+  end
+end

vfseditor/aboutdialogbox.ddp

@@ -0,0 +1,28 @@
+unit aboutdialogbox;
+
+interface
+
+uses
+  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
+  Dialogs, StdCtrls;
+
+type
+  TForm2 = class(TForm)
+    txt1: TStaticText;
+    txt2: TStaticText;
+    mmo1: TMemo;
+    txt3: TStaticText;
+  private
+    { Private declarations }
+  public
+    { Public declarations }
+  end;
+
+var
+  Form2: TForm2;
+
+implementation
+
+{$R *.dfm}
+
+end.