How To Get the Company Name from DLLs or EXE Files






Viruses often use unknown company names or the developers forget to add one
Introduction
I often like to scan my computer for unwanted software, but with Windows being so large these days, it's no easy task. If you scan all the .exe files and extract the company name from each one, you soon start to see the questionable files that may warrant further investigation.
Bits You Need To Know
Microsoft had to do a bit of a fudge when it came to the Windows/System32 folder so that old 32-bit applications that hardcoded DLL names into the code would still continue to work on 64-bit machines. Developers need to keep in mind that files are not always where you think they are, and the Windows/System32 folder is a good example of this. You can make sure you are looking at the right folder by using "Sysnative" in your code, as I have shown in the code below.
Using the Code
//
string Company = FileHelper.GetCompany(@"c:\Windows\system32\cmd.exe");
//
Shown below is the full source code needed to do the job in a static class.
//
using System;
using System.IO;
using System.Diagnostics;
using System.Text;

public static class FileHelper
{
    // This function scans a file to retrieve the company name,
    // which is useful for looking for viruses or spyware
    public static string GetCompany(string ExecutablePath)
    {
        ExecutablePath = ExecutablePath.Replace("\"", "");
        if (ExecutablePath.ToLower() == "windows" || ExecutablePath.Length == 0) return "";
        if (!File.Exists(ExecutablePath))
        {
            if (ExecutablePath.ToLower().IndexOf("\\windows\\system32\\") > -1)
            {
                // 64 becomes 32 and 32 becomes 64 with Windows folder names, but Sysnative will fix it
                ExecutablePath = ExecutablePath.ToLower().Replace("\\windows\\system32\\", "\\Windows\\Sysnative\\");
                if (!File.Exists(ExecutablePath)) return "File Not Found";
            } // Microsoft often forget to sign their files with a company name, trust me, I am a doctor!
            else return "File Not Found";
        }
        try
        {
            FileVersionInfo versionInfo = FileVersionInfo.GetVersionInfo(ExecutablePath);
            if (versionInfo == null) return "Error";
            if (versionInfo.CompanyName == null) return "WARNING no company name";
            string Company = versionInfo.CompanyName.Replace(",", "-");
            // Version fields that are missing from the file can be null, so treat them as empty
            string CopyRight = versionInfo.LegalCopyright ?? "";
            string OriginalName = versionInfo.OriginalFilename ?? "";
            string ProductVersion = versionInfo.ProductVersion ?? "";
            if (Company.ToLower() == "microsoft corporation") Company = "Microsoft";
            if (Company.ToLower() == "intel corporation") Company = "Intel";
            if (Company == "Microsoft" && !OriginalName.ToLower().EndsWith(".mui"))
            {
                // Will do a few checks to see if we can find a fake Microsoft file
                string Notice = CopyRight.ToLower();
                if (Notice != "copyright microsoft corporation" &&
                    Notice.Replace("  ", " ").Replace("corp.", "corporation.").Trim()
                          .IndexOf("microsoft corporation. all rights reserved.") == -1 &&
                    Notice.Replace("  ", " ").Trim().IndexOf("copyright © microsoft") == -1)
                    Company = "WARNING (" + Company + ") Unusual copyright notice";
                else if (!ProductVersion.EndsWith(versionInfo.ProductPrivatePart.ToString()) ||
                         ProductVersion.Length == 0)
                    Company = "WARNING (" + Company + ") Unusual product version";
                return Company.Trim().Replace("\t", "").Replace(",", "-");
            }
            if (Company.Trim() == "")
            {
                if (CopyRight.Length == 0)
                    Company = "WARNING no company name or Copyright notice"; // Cowboy code
                else
                    Company = "WARNING no company name";
            }
            else if (CopyRight.Trim().Length == 0)
                Company = "WARNING (" + Company.Replace("\t", "") + ") No Copyright notice";
            return Company.Replace("\t", "").Replace(",", "-");
        }
        catch (Exception) { return "Error"; }
    }
}
//
Points of Interest
This code will work best if the application using the code has administrator rights, but bear in mind that even with admin rights turned on, Windows will still lock your code out from large parts of the file system, so remember to use a try/catch in your code or check the folder's permissions first.
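The scan described in the Introduction, with the try/catch advice above applied folder by folder, as an added example that is not part of the original article. The class name CompanyScan and the default root folder are assumptions; it reads FileVersionInfo directly so it compiles without FileHelper.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;

// Added example: walks a folder tree, tallies the CompanyName of every
// .exe/.dll and lists the files that carry no company name at all.
public static class CompanyScan
{
    public static void Main(string[] args)
    {
        // Default root is an assumption; pass another folder as the first argument.
        string root = args.Length > 0 ? args[0] : @"C:\Program Files";
        var counts = new SortedDictionary<string, int>(StringComparer.OrdinalIgnoreCase);
        var unnamed = new List<string>();
        var pending = new Stack<string>();
        pending.Push(root);
        while (pending.Count > 0)
        {
            string dir = pending.Pop();
            try
            {
                foreach (string sub in Directory.GetDirectories(dir))
                {
                    // Skip junctions and symlinks so the walk cannot loop back on itself
                    if ((File.GetAttributes(sub) & FileAttributes.ReparsePoint) == 0) pending.Push(sub);
                }
                foreach (string file in Directory.GetFiles(dir))
                {
                    string ext = Path.GetExtension(file).ToLowerInvariant();
                    if (ext != ".exe" && ext != ".dll") continue;
                    string company = (FileVersionInfo.GetVersionInfo(file).CompanyName ?? "").Trim();
                    if (company.Length == 0) { unnamed.Add(file); continue; }
                    int n;
                    counts.TryGetValue(company, out n); // n stays 0 for a new company
                    counts[company] = n + 1;
                }
            }
            // Locked-down folders are reported and skipped instead of ending the scan
            catch (UnauthorizedAccessException) { Console.Error.WriteLine("Access denied: " + dir); }
            catch (IOException ex) { Console.Error.WriteLine("Skipped " + dir + ": " + ex.Message); }
        }
        foreach (var pair in counts) Console.WriteLine("{0,6}  {1}", pair.Value, pair.Key);
        Console.WriteLine("Files with no company name: " + unnamed.Count);
        foreach (string file in unnamed) Console.WriteLine("  " + file);
    }
}
```

The company name is a string in the file's version resource, written by whoever built the file, so the tally is a triage list for further investigation rather than proof of origin.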