Show information about different sections of PE and the dump of sections.
76{
80 LPVOID BaseAddr;
81 PIMAGE_DOS_HEADER DosHeader;
82 PIMAGE_NT_HEADERS32 NtHeader32 =
NULL;
83 PIMAGE_NT_HEADERS64 NtHeader64 =
NULL;
84 IMAGE_FILE_HEADER Header;
85 IMAGE_OPTIONAL_HEADER32 OpHeader32;
86 IMAGE_OPTIONAL_HEADER64 OpHeader64;
87 PIMAGE_SECTION_HEADER SecHeader;
88
89
90
91
92 FileHandle = CreateFileW(AddressOfFile, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
94 {
95 ShowMessages(
"err, could not open the file specified\n");
97 };
98
99
100
101
102 MapObjectHandle =
103 CreateFileMapping(
FileHandle, NULL, PAGE_READONLY, 0, 0, NULL);
104
105 if (MapObjectHandle == NULL)
106 {
109 }
110
111 BaseAddr = MapViewOfFile(MapObjectHandle, FILE_MAP_READ, 0, 0, 0);
112
113 if (BaseAddr == NULL)
114 {
117 }
118
119
120
121
122 DosHeader = (PIMAGE_DOS_HEADER)BaseAddr;
123
124
125
126
128 {
129
130
131
132 ShowMessages(
"\nValid Dos Exe File\n------------------\n");
133 ShowMessages(
"\nDumping DOS Header Info....\n---------------------------");
135 "Magic number : ",
136 DosHeader->e_magic == 0x5a4d ? "MZ" : "-");
137 ShowMessages(
"\n%-36s%#x",
"Bytes on last page of file :", DosHeader->e_cblp);
138 ShowMessages(
"\n%-36s%#x",
"Pages in file : ", DosHeader->e_cp);
139 ShowMessages(
"\n%-36s%#x",
"Relocation : ", DosHeader->e_crlc);
141 "Size of header in paragraphs : ",
142 DosHeader->e_cparhdr);
144 "Minimum extra paragraphs needed : ",
145 DosHeader->e_minalloc);
147 "Maximum extra paragraphs needed : ",
148 DosHeader->e_maxalloc);
149 ShowMessages(
"\n%-36s%#x",
"Initial (relative) SS value : ", DosHeader->e_ss);
150 ShowMessages(
"\n%-36s%#x",
"Initial SP value : ", DosHeader->e_sp);
151 ShowMessages(
"\n%-36s%#x",
"Checksum : ", DosHeader->e_csum);
152 ShowMessages(
"\n%-36s%#x",
"Initial IP value : ", DosHeader->e_ip);
153 ShowMessages(
"\n%-36s%#x",
"Initial (relative) CS value : ", DosHeader->e_cs);
155 "File address of relocation table : ",
156 DosHeader->e_lfarlc);
157 ShowMessages(
"\n%-36s%#x",
"Overlay number : ", DosHeader->e_ovno);
158 ShowMessages(
"\n%-36s%#x",
"OEM identifier : ", DosHeader->e_oemid);
160 "OEM information(e_oemid specific) :",
161 DosHeader->e_oeminfo);
162 ShowMessages(
"\n%-36s%#x",
"RVA address of PE header : ", DosHeader->e_lfanew);
163 ShowMessages(
"\n==============================================================="
164 "================\n");
165 }
166 else
167 {
170 goto Finished;
171 }
172
173
174
175
176
177
178
179 if (Is32Bit)
180 {
181 NtHeader32 = (PIMAGE_NT_HEADERS32)((
UINT64)(DosHeader) + (DosHeader->e_lfanew));
182 }
183 else
184 {
185 NtHeader64 = (PIMAGE_NT_HEADERS64)((
UINT64)(DosHeader) + (DosHeader->e_lfanew));
186 }
187
188
189
190
192 {
194 }
196 {
198 }
199 else
200 {
201 ShowMessages(
"err, the specified file is not a valid PE file");
203 goto Finished;
204 }
205
206
207
208
210 "Info....\n--------------------------------");
212
213
214
215
216 if (Is32Bit)
217 {
218 Header = NtHeader32->FileHeader;
219 }
220 else
221 {
222 Header = NtHeader64->FileHeader;
223 }
224
225
226
227
229
230
231
232
233
234 switch (Header.Machine)
235 {
236 case 0x0:
238 break;
239 case 0x14d:
241 break;
242 case 0x14c:
244 break;
245 case 0x200:
247 break;
248 case 0x8664:
250 break;
251 case 0x162:
253 break;
254 case 0x166:
256 break;
257 case 0x183:
259 break;
260 default:
262 break;
263 }
264
265
266
267
269 if ((Header.Characteristics & 0x0002) == 0x0002)
271 if ((Header.Characteristics & 0x0020) == 0x0020)
273 if ((Header.Characteristics & 0x1000) == 0x1000)
274 ShowMessages(
"System file (Kernel Mode Driver(I think)), ");
275 if ((Header.Characteristics & 0x2000) == 0x2000)
277 if ((Header.Characteristics & 0x4000) == 0x4000)
278 ShowMessages(
"Application runs only in Uniprocessor, ");
279
280
281
282
284 "Time Stamp :",
285 ctime((const time_t *)&(Header.TimeDateStamp)));
286
287
288
289
290 ShowMessages(
"%-36s%d",
"No.sections(size) :", Header.NumberOfSections);
291 ShowMessages(
"\n%-36s%d",
"No.entries in symbol table :", Header.NumberOfSymbols);
293 "Size of optional header :",
294 Header.SizeOfOptionalHeader);
295
297 "Info....\n-----------------------------------");
298
299 if (Is32Bit)
300 {
301
302
303
304 OpHeader32 = NtHeader32->OptionalHeader;
305 ShowMessages(
"\n\nInfo of optional Header\n-----------------------");
307 "Address of Entry Point : ",
308 OpHeader32.AddressOfEntryPoint);
309 ShowMessages(
"\n%-36s%#llx",
"Base Address of the Image : ", OpHeader32.ImageBase);
310 ShowMessages(
"\n%-36s%s",
"SubSystem type : ", OpHeader32.Subsystem == 1 ?
"Device Driver(Native windows Process)" : OpHeader32.Subsystem == 2 ?
"Windows GUI"
311 : OpHeader32.Subsystem == 3 ? "Windows CLI"
312 : OpHeader32.Subsystem == 3 ? "Windows CLI"
313 : OpHeader32.Subsystem == 9 ? "Windows CE GUI"
314 : "Unknown");
315 ShowMessages(
"\n%-36s%s",
"Given file is a : ", OpHeader32.Magic == 0x20b ?
"PE32+(64)" :
"PE32");
316 ShowMessages(
"\n%-36s%d",
"Size of code segment(.text) : ", OpHeader32.SizeOfCode);
318 "Base address of code segment(RVA) :",
319 OpHeader32.BaseOfCode);
321 "Size of Initialized data : ",
322 OpHeader32.SizeOfInitializedData);
323
325 "Base address of data segment(RVA) :",
326 OpHeader32.BaseOfData);
327
328 ShowMessages(
"\n%-36s%#x",
"Section Alignment :", OpHeader32.SectionAlignment);
329 ShowMessages(
"\n%-36s%d",
"Major Linker Version : ", OpHeader32.MajorLinkerVersion);
330 ShowMessages(
"\n%-36s%d",
"Minor Linker Version : ", OpHeader32.MinorLinkerVersion);
331 }
332 else
333 {
334
335
336
337 OpHeader64 = NtHeader64->OptionalHeader;
338 ShowMessages(
"\n\nInfo of optional Header\n-----------------------");
340 "Address of Entry Point : ",
341 OpHeader64.AddressOfEntryPoint);
342 ShowMessages(
"\n%-36s%#llx",
"Base Address of the Image : ", OpHeader64.ImageBase);
343 ShowMessages(
"\n%-36s%s",
"SubSystem type : ", OpHeader64.Subsystem == 1 ?
"Device Driver(Native windows Process)" : OpHeader64.Subsystem == 2 ?
"Windows GUI"
344 : OpHeader64.Subsystem == 3 ? "Windows CLI"
345 : OpHeader64.Subsystem == 3 ? "Windows CLI"
346 : OpHeader64.Subsystem == 9 ? "Windows CE GUI"
347 : "Unknown");
348 ShowMessages(
"\n%-36s%s",
"Given file is a : ", OpHeader64.Magic == 0x20b ?
"PE32+(64)" :
"PE32");
349 ShowMessages(
"\n%-36s%d",
"Size of code segment(.text) : ", OpHeader64.SizeOfCode);
351 "Base address of code segment(RVA) :",
352 OpHeader64.BaseOfCode);
354 "Size of Initialized data : ",
355 OpHeader64.SizeOfInitializedData);
356
357 ShowMessages(
"\n%-36s%#x",
"Section Alignment :", OpHeader64.SectionAlignment);
358 ShowMessages(
"\n%-36s%d",
"Major Linker Version : ", OpHeader64.MajorLinkerVersion);
359 ShowMessages(
"\n%-36s%d",
"Minor Linker Version : ", OpHeader64.MinorLinkerVersion);
360 }
361
363 "Info....\n--------------------------------");
364
365
366
367
368 if (Is32Bit)
369 {
370 SecHeader = IMAGE_FIRST_SECTION(NtHeader32);
371 NumberOfSections = NtHeader32->FileHeader.NumberOfSections;
372 }
373 else
374 {
375 SecHeader = IMAGE_FIRST_SECTION(NtHeader64);
376 NumberOfSections = NtHeader64->FileHeader.NumberOfSections;
377 }
378
379 for (
UINT32 i = 0; i < NumberOfSections; i++, SecHeader++)
380 {
381 if (Is32Bit)
382 {
383 ShowMessages(
"\n\nSection Info (%d of %d)", i + 1, NtHeader32->FileHeader.NumberOfSections);
384 }
385 else
386 {
387 ShowMessages(
"\n\nSection Info (%d of %d)", i + 1, NtHeader64->FileHeader.NumberOfSections);
388 }
389
391 ShowMessages(
"\n%-36s%s",
"Section Header name : ", SecHeader->Name);
393 "ActualSize of code or data : ",
394 SecHeader->Misc.VirtualSize);
395 ShowMessages(
"\n%-36s%#x",
"Virtual Address(RVA) :", SecHeader->VirtualAddress);
397 "Size of raw data (rounded to FA) : ",
398 SecHeader->SizeOfRawData);
400 "Pointer to Raw Data : ",
401 SecHeader->PointerToRawData);
403 "Pointer to Relocations : ",
404 SecHeader->PointerToRelocations);
406 "Pointer to Line numbers : ",
407 SecHeader->PointerToLinenumbers);
409 "Number of relocations : ",
410 SecHeader->NumberOfRelocations);
412 "Number of line numbers : ",
413 SecHeader->NumberOfLinenumbers);
414 ShowMessages(
"\n%-36s%s",
"Characteristics : ",
"Contains ");
415 if ((SecHeader->Characteristics & 0x20) == 0x20)
417 if ((SecHeader->Characteristics & 0x40) == 0x40)
419 if ((SecHeader->Characteristics & 0x80) == 0x80)
421 if ((SecHeader->Characteristics & 0x200) == 0x200)
423 if ((SecHeader->Characteristics & 0x10000000) == 0x10000000)
425 if ((SecHeader->Characteristics & 0x40000000) == 0x40000000)
427 if ((SecHeader->Characteristics & 0x80000000) == 0x80000000)
429
430
431
432
433 if (SectionToShow != NULL)
434 {
435 if (!_strcmpi(SectionToShow, (const char *)SecHeader->Name))
436 {
437 if (SecHeader->SizeOfRawData != 0)
438 {
439 if (Is32Bit)
440 {
442 SecHeader->SizeOfRawData,
443 OpHeader32.ImageBase + SecHeader->VirtualAddress);
444 }
445 else
446 {
448 SecHeader->SizeOfRawData,
449 (int)(OpHeader64.ImageBase + SecHeader->VirtualAddress));
450 }
451 }
452 }
453 }
454 }
455
456 ShowMessages(
"\n==============================================================="
457 "================\n");
458
459
460
461
463
464Finished:
465
466
467
468 UnmapViewOfFile(BaseAddr);
469 CloseHandle(MapObjectHandle);
470
471 return Result;
472}
unsigned int UINT32
Definition BasicTypes.h:48
VOID PeHexDump(CHAR *Ptr, int Size, int SecAddress)
Show hex dump of sections of PE.
Definition pe-parser.cpp:23
1.11.0