HyperDbg Debugger
Loading...
Searching...
No Matches
pe.cpp File Reference

.pe command More...

#include "pch.h"

Functions

VOID CommandPeHelp ()
 help of the .pe command
VOID CommandPe (vector< CommandToken > CommandTokens, string Command)
 .pe command handler

Detailed Description

.pe command

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2021-12-27

Function Documentation

◆ CommandPe()

VOID CommandPe ( vector< CommandToken > CommandTokens,
string Command )

.pe command handler

Parameters
CommandTokens
Command
Returns
VOID
43{
44 BOOLEAN Is32Bit = FALSE;
45 wstring Filepath;
46 string TempFilePath;
47 BOOLEAN ShowDumpOfSection = FALSE;
48
49 if (CommandTokens.size() <= 2)
50 {
51 ShowMessages("err, incorrect use of the '%s' command\n\n",
52 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
54 return;
55 }
56
57 //
58 // Check for first option
59 //
60 if (CompareLowerCaseStrings(CommandTokens.at(1), "section"))
61 {
62 if (CommandTokens.size() == 3)
63 {
64 ShowMessages("err, incorrect use of the '%s' command\n\n",
65 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
67 return;
68 }
69
70 if (CommandTokens.size() != 4)
71 {
72 ShowMessages("err, incorrect use of the '%s' command\n\n",
73 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
75 return;
76 }
77 ShowDumpOfSection = TRUE;
78 TempFilePath = GetCaseSensitiveStringFromCommandToken(CommandTokens.at(3));
79 }
80 else if (CompareLowerCaseStrings(CommandTokens.at(1), "header"))
81 {
82 if (CommandTokens.size() != 3)
83 {
84 ShowMessages("err, incorrect use of the '%s' command\n\n",
85 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
87 return;
88 }
89
90 ShowDumpOfSection = FALSE;
91 TempFilePath = GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2));
92 }
93 else
94 {
95 //
96 // Couldn't resolve or unknown parameter
97 //
98 ShowMessages("err, couldn't resolve error at '%s'\n\n",
99 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(1)).c_str());
101 return;
102 }
103
104 //
105 // Convert path to wstring
106 //
107 StringToWString(Filepath, TempFilePath);
108
109 //
110 // TEMPORARY LINUX SHIM:
111 // std::wstring stores native wchar_t, which is 4 bytes on Linux, but the
112 // HyperDbg WCHAR type is 2 bytes (UINT16) and the PE-parser path APIs take
113 // a const WCHAR *. The cast below exists ONLY so the project compiles on
114 // Linux. On Linux it produces a bogus 2-byte reinterpretation of the 4-byte
115 // buffer; that is acceptable for now only because Linux file I/O is still
116 // stubbed (the path is never actually opened). On Windows WCHAR == wchar_t,
117 // so it is a plain, correct pointer with no reinterpretation.
118 //
119 // TODO (Linux): remove this cast once real Linux file I/O lands. The proper
120 // fix is to convert the 4-byte wchar_t path into a 2-byte WCHAR/UTF-16
121 // buffer (e.g. a std::wstring -> WCHAR helper) and pass that, so the PE
122 // parser receives a valid path. The same conversion is needed by
123 // PlatformMapFileReadOnly / PlatformOpenFileForWriting.
124 //
125#ifdef __linux__
126 const WCHAR * FilepathW = (const WCHAR *)Filepath.c_str();
127#else
128 const WCHAR * FilepathW = Filepath.c_str();
129#endif
130
131 //
132 // Detect whether PE is 32-bit or 64-bit
133 //
134 if (!PeIsPE32BitOr64Bit(FilepathW, &Is32Bit))
135 {
136 //
137 // File was invalid, the error message is shown in the above function
138 //
139 return;
140 }
141
142 //
143 // Parse PE file
144 //
145 if (!ShowDumpOfSection)
146 {
147 PeShowSectionInformationAndDump(FilepathW, NULL, Is32Bit);
148 }
149 else
150 {
151 PeShowSectionInformationAndDump(FilepathW, GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2)).c_str(), Is32Bit);
152 }
153}
UCHAR BOOLEAN
Definition BasicTypes.h:35
#define TRUE
Definition BasicTypes.h:114
#define FALSE
Definition BasicTypes.h:113
std::string GetCaseSensitiveStringFromCommandToken(CommandToken TargetToken)
Get case sensitive string from command token.
Definition common.cpp:467
VOID StringToWString(std::wstring &ws, const std::string &s)
convert std::string to std::wstring
Definition common.cpp:850
BOOLEAN CompareLowerCaseStrings(CommandToken TargetToken, const CHAR *StringToCompare)
Compare lower case strings.
Definition common.cpp:503
BOOLEAN PeIsPE32BitOr64Bit(const WCHAR *AddressOfFile, PBOOLEAN Is32Bit)
Detect whether PE is a 32-bit PE or 64-bit PE.
Definition pe-parser.cpp:4483
BOOLEAN PeShowSectionInformationAndDump(const WCHAR *AddressOfFile, const CHAR *SectionToShow, BOOLEAN Is32Bit)
Show information about different sections of PE and the dump of sections.
Definition pe-parser.cpp:3727
VOID CommandPeHelp()
help of the .pe command
Definition pe.cpp:20

◆ CommandPeHelp()

VOID CommandPeHelp ( )

help of the .pe command

Returns
VOID
21{
22 ShowMessages(".pe : parses portable executable (PE) files, displays header metadata, and dumps sections.\n\n");
23
24 ShowMessages("syntax : \t.pe [header] [FilePath (string)]\n");
25 ShowMessages("syntax : \t.pe [section] [SectionName (string)] [FilePath (string)]\n");
26 ShowMessages("\n.pe section dumps are capped at 1 MiB per matching section and 4 MiB total.\n");
27
28 ShowMessages("\n");
29 ShowMessages("\t\te.g : .pe header c:\\reverse\\myfile.exe\n");
30 ShowMessages("\t\te.g : .pe section .text \"c:\\reverse files\\myfile.exe\"\n");
31 ShowMessages("\t\te.g : .pe section .rdata \"c:\\reverse files\\myfile.exe\"\n");
32}