Parsing the Portable Executable File Format



The WINPE project is basically a conversion of Matt Pietrek's PEDUMP program from a DOS-based application to a Windows MFC-based app. It demonstrates parsing PE files and displaying each section in a separate view.

A WIN32 PE file, better known as a .EXE or .DLL file, is broken up into sections. WINPE handles each of these sections in its own separate view. The views are dynamically switched depending on the View option selected. WINPE also provides Printing and Print Preview, and since the font selection has a lot to do with how the print will look, the app also provides for font selection on both the display and the printout. Print Preview was required in order to allow the user to find and select the page range for printing, so that the entire EXE or DLL does not have to be printed.

WINPE is implemented as an SDI app. The Document class, however, does not use the Serialize function, since the file is not read into memory; it is loaded as a memory-mapped file by the document class, and a pointer to the memory-mapped file can be returned to the view on request. Each View contains the code to process the PE section data that it displays. WINPE by default provides a HEXDUMP of the file upon opening. The HEXDUMP will work on any file type; however, if the file is not an EXE or DLL, all other view options are disabled via the CmdUI interface.

CMainFrame

Handles most of the menu messages. The OnViewChange function determines which view was requested and dynamically switches the Document's current View. The OnFrameView function is a message handler that allows the document class to ensure that the CDumpXView is always the default View.

CWinpeDoc

Memory-maps the PE file (or any other file). The OnOpenDocument function determines what kind of file is being processed and then either enables or disables the View options.

CDebugDirView

Displays the data associated with the PE file's Debug Directory.

CDumpXView

The HEXDUMP View.

CExportView

Displays the data associated with the PE file's Export section. The Export section contains the names of the functions that this DLL or EXE exports; for example, it can be used to see the names of the functions exported by ICMP.DLL.

CImportView

Displays the data associated with the PE file's Import section. The Import section contains the names of the DLLs, and their corresponding functions, that are used by (imported into) this DLL or EXE.

CHeaderView

Displays the PE file Header.

CResourceView

Displays the resource names, resource IDs and their types; for example, the names and IDs of all the bitmaps that were compiled into this EXE or DLL.

CSectionTblView

Displays the PE Section Table.
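To make the work of the CHeaderView, CSectionTblView and CWinpeDoc::OnOpenDocument pieces concrete, here is an added, portable C example (not code from the WINPE project or from PEDUMP) that validates the DOS and NT headers of a PE image held in memory, decides EXE versus DLL from the Characteristics field, walks the section table, and translates an RVA to a file offset, which is the step every directory view (imports, exports, debug, resources) needs before it can read its data. The sample image it parses is constructed in the code itself and is not a real binary; the structure offsets follow the documented IMAGE_DOS_HEADER, IMAGE_NT_HEADERS and IMAGE_SECTION_HEADER layouts, and every file-supplied value (e_lfanew, NumberOfSections, SizeOfOptionalHeader, section pointers) is bounds-checked before use, because a viewer that opens arbitrary files must not trust them.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Field offsets follow the Win32 SDK layouts; values are read through byte
   helpers so no pointer is ever formed from an unchecked file field. */
#define DOS_MAGIC    0x5A4Du      /* "MZ" */
#define PE_SIGNATURE 0x00004550u  /* "PE\0\0" */
#define FILE_DLL     0x2000u      /* IMAGE_FILE_DLL bit of Characteristics */
#define SECTION_SIZE 40u          /* sizeof(IMAGE_SECTION_HEADER) */
#define MAX_SECTIONS 96u          /* the NT loader's own cap on NumberOfSections */

typedef struct {
    int      is_dll;         /* 1 if IMAGE_FILE_DLL is set */
    uint16_t machine;        /* IMAGE_FILE_MACHINE_* */
    uint16_t num_sections;
    uint32_t entry_rva;      /* AddressOfEntryPoint */
    size_t   section_table;  /* file offset of the first section header */
} pe_info_t;

typedef struct {
    char     name[9];        /* 8-byte name, NUL-terminated here */
    uint32_t virtual_size, virtual_address, raw_size, raw_offset, characteristics;
} pe_section_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 if buf holds a well-formed PE header; 0 means "not a PE file",
   the case in which a viewer should fall back to a plain hex dump. */
int pe_parse(const uint8_t *buf, size_t len, pe_info_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < 0x40 || rd16(buf) != DOS_MAGIC) return 0;
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 24) return 0;  /* NT headers off the end */
    const uint8_t *nt = buf + e_lfanew;
    if (rd32(nt) != PE_SIGNATURE) return 0;
    out->machine      = rd16(nt + 4);                      /* IMAGE_FILE_HEADER.Machine */
    out->num_sections = rd16(nt + 6);                      /* .NumberOfSections */
    uint16_t opt_size = rd16(nt + 20);                     /* .SizeOfOptionalHeader */
    out->is_dll       = (rd16(nt + 22) & FILE_DLL) != 0;   /* .Characteristics */
    if (out->num_sections == 0 || out->num_sections > MAX_SECTIONS) return 0;
    if (opt_size < 20) return 0;  /* AddressOfEntryPoint is at +16 for PE32 and PE32+ */
    size_t need = 24u + opt_size + (size_t)out->num_sections * SECTION_SIZE;
    if (need > len - e_lfanew) return 0;  /* section table would run past EOF */
    out->entry_rva     = rd32(nt + 24 + 16);
    out->section_table = e_lfanew + 24u + opt_size;
    return 1;
}

/* Copies section header i (range already validated by pe_parse) into *sec. */
int pe_section(const uint8_t *buf, const pe_info_t *info, unsigned i, pe_section_t *sec)
{
    if (i >= info->num_sections) return 0;
    const uint8_t *s = buf + info->section_table + i * SECTION_SIZE;
    memcpy(sec->name, s, 8);
    sec->name[8] = '\0';
    sec->virtual_size    = rd32(s + 8);
    sec->virtual_address = rd32(s + 12);
    sec->raw_size        = rd32(s + 16);
    sec->raw_offset      = rd32(s + 20);
    sec->characteristics = rd32(s + 36);
    return 1;
}

/* Maps an RVA to a file offset via the section table; 0 means "not backed by
   raw data inside this file" (offset 0 is the DOS header, never valid data). */
uint32_t pe_rva_to_offset(const uint8_t *buf, size_t len, const pe_info_t *info, uint32_t rva)
{
    pe_section_t sec;
    for (unsigned i = 0; pe_section(buf, info, i, &sec); i++) {
        if (rva < sec.virtual_address || rva - sec.virtual_address >= sec.raw_size) continue;
        uint64_t off = (uint64_t)sec.raw_offset + (rva - sec.virtual_address);
        return off < len ? (uint32_t)off : 0;  /* reject PointerToRawData past EOF */
    }
    return 0;
}

static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Constructed sample: a 2 KiB PE32 DLL skeleton with two sections, not a real binary. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    if (cap < 0x800) return 0;
    memset(buf, 0, 0x800);
    wr16(buf, DOS_MAGIC);
    wr32(buf + 0x3C, 0x40);          /* e_lfanew */
    uint8_t *nt = buf + 0x40;
    wr32(nt, PE_SIGNATURE);
    wr16(nt + 4, 0x014C);            /* IMAGE_FILE_MACHINE_I386 */
    wr16(nt + 6, 2);                 /* NumberOfSections */
    wr16(nt + 20, 0xE0);             /* SizeOfOptionalHeader for PE32 */
    wr16(nt + 22, 0x2102);           /* EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL */
    wr16(nt + 24, 0x10B);            /* Optional header Magic: PE32 */
    wr32(nt + 24 + 16, 0x1000);      /* AddressOfEntryPoint */
    uint8_t *sec = nt + 24 + 0xE0;
    memcpy(sec, ".text\0\0\0", 8);
    wr32(sec + 8, 0x100); wr32(sec + 12, 0x1000); wr32(sec + 16, 0x200); wr32(sec + 20, 0x400);
    wr32(sec + 36, 0x60000020);      /* CODE | EXECUTE | READ */
    sec += SECTION_SIZE;
    memcpy(sec, ".rdata\0\0", 8);
    wr32(sec + 8, 0x80); wr32(sec + 12, 0x2000); wr32(sec + 16, 0x200); wr32(sec + 20, 0x600);
    wr32(sec + 36, 0x40000040);      /* INITIALIZED_DATA | READ */
    return 0x800;
}

int main(void)
{
    static uint8_t image[0x800];
    size_t len = build_sample_image(image, sizeof image);
    pe_info_t info;
    if (!pe_parse(image, len, &info)) { puts("not a PE file: hex dump only"); return 1; }
    printf("%s, machine 0x%04X, %u sections, entry RVA 0x%X\n",
           info.is_dll ? "DLL" : "EXE", info.machine, info.num_sections, info.entry_rva);
    pe_section_t s;
    for (unsigned i = 0; pe_section(image, &info, i, &s); i++)
        printf("  %-8s VA 0x%08X raw 0x%X @ 0x%X\n", s.name, s.virtual_address, s.raw_size, s.raw_offset);
    printf("entry point at file offset 0x%X\n", pe_rva_to_offset(image, len, &info, info.entry_rva));
    return 0;
}
```

The same functions work unchanged on a real file read into memory (or on the base pointer of a memory mapping such as the one CWinpeDoc hands to its views), provided the mapped length is passed as `len`; the truncation check in `pe_parse` is what stops a short or corrupt file from driving reads past the end of the buffer.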

The WINPE program was written to make life a little easier. When writing the Nettools program I found myself having to constantly go back into DOS and run DUMPBIN or PEDUMP to see what functions were available in the ICMP and INETMIB1 DLLs and to see what DLLs were being used by PING, TRACERT and NETSTAT. In order to print the data I had to redirect the output to a file, then use WordPad to print the pages I was interested in studying. This is how I gathered some of the info required to write Nettools.

Of course WINPE does not support all of the PEDUMP and DUMPBIN options, but it does support the ones I use most.

Known Problems

  • The CScrollView does not work on Win95.
  • Due to CScrollView limits on WIN95, only 32k of data will display in the hexdump. (All other views will work correctly; I was too lazy to write the scrolling code in a CView.)

Tested on NT4.0 with MS/VC++ 4.2.

Reference Materials Used.

See Microsoft Systems Journal at http://www.microsoft.com/msj for more info on the following. I believe the source code to HEXDUMP and PEDUMP can also be obtained there.

Programming Windows 95 with MFC by Prosise.
	The HEXDUMP example was used to create the DumpXView.

WIN95 Systems Programming Secrets by Matt Pietrek.
	The best book ever written on WIN95 and WIN32 internals.
	Contains the source to PEDUMP.

Developing Pro apps for NT and 95 using MFC
http://www.iftech.com/mfc
	The Print and Preview sections were very helpful.

Microsoft also provides some samples and documentation.

The Portable Executable File Format from Top to Bottom
http://www.microsoft.com/win32dev/base/pefile.htm

Managing Memory-Mapped Files in Win32 http://www.microsoft.com/win32dev/base/mmfile.htm

Last updated: 14 April 1998



Comments

  • Compiled successfully in VC++.NET under XP

    Posted by Legacy on 10/07/2002 12:00am

    Originally posted by: Abhijit B

    Thanks, nice work.

    -Abhijit

  • winpe vc 6 compile problem

    Posted by Legacy on 09/09/2002 12:00am

    Originally posted by: ranjith v k


    compiling winpe with makefile included i get error -->

    whileImportView.cpp(313) : error C2440: '=' : cannot convert
    'struct _IMAGE_IMPORT_BY_NAME *'
    Conversion from integral type to pointer type r
    C-style cast or function-style cast
    NMAKE : fatal error U1077: 'cl.exe' : return code '0x2'

    why so??

  • Good job

    Posted by Legacy on 08/14/2002 12:00am

    Originally posted by: Ilya

    Very useful code.
    Very clean and easy to understand.

    Thanks a lot.

    PS: the program just has one small limitation - it doesn't want to load information from ActiveX controls (.ocx)

  • wonderful work

    Posted by Legacy on 01/21/2002 12:00am

    Originally posted by: Larry zhang

    wonderful work

  • works on Win2K (vc++6)

    Posted by Legacy on 10/09/2001 12:00am

    Originally posted by: Larry


    Just did a quick test on Win2K with VC++6.0 compiler, the program worked very well.

    there is a little thing: the scroll bar seems not work when I opened a big EXE (>6mb).

    very good job,
    larry

  • Great Work! -nt

    Posted by Legacy on 04/22/1999 12:00am

    Originally posted by: Chris

    Great Work!
