Parsing the Portable Executable File Format



The WINPE project is basically a conversion of Matt Pietrek's PEDUMP program from a DOS-based application to a Windows MFC-based app. It demonstrates parsing PE files and displaying each section in a separate view.

A WIN32 PE file, better known as a .EXE or .DLL file, is broken up into sections. WINPE handles each of these sections in its own separate view. The views are dynamically switched depending on the View option selected. WINPE also provides Printing and Print Preview, and since the font selection has a lot to do with how the print will look, the app also provides for font selection on both the display and the printout. Print Preview was required in order to allow the user to find and select the page range for printing, so that the entire EXE or DLL does not have to be printed.

WINPE is implemented as an SDI app. The Document class, however, does not use the Serialize function, since the actual file is not read: it is loaded as a memory-mapped file by the document class, and a pointer to the memory-mapped file can be returned to the view on request. Each view contains the code to process the PE section data that is to be displayed. WINPE by default provides a HEXDUMP of the file upon opening. The HEXDUMP will work on any file type; however, if the file is not an EXE or DLL, all other view options are disabled via the CmdUI interface.

CMainFrame

Handles most of the menu messages. The OnViewChange function determines which view was requested and dynamically switches the document's current view. The OnFrameView function is a message handler that allows the document class to ensure that the CDumpXView is always the default view.

CWinpeDoc

Memory maps the PE file (or any other file). The OnOpenDocument function determines what kind of file is being processed and then either enables or disables the View options.

CDebugDirView

Displays the data associated with the PE file's Debug Directory.

CDumpXView

The HEXDUMP View.

CExportView

Displays the data associated with the PE file's Export section. The Export section contains the names of the functions that this DLL or EXE exports; for example, it can be used to see the names of the functions exported by ICMP.DLL.

CImportView

Displays the data associated with the PE file's Import section. The Import section contains the names of the DLLs, and their corresponding functions, that are used by (imported into) this DLL or EXE.

CHeaderView

Displays the PE file Header.

CResourceView

Displays the resource names, resource IDs and their types; for example, the names and IDs of all the bitmaps that were compiled into this EXE or DLL.

CSectionTblView

Displays the PE Section Table.

The WINPE program was written to make life a little easier. When writing the Nettools program I found myself constantly having to go back into DOS and run DUMPBIN or PEDUMP to see what functions were available in the ICMP and INETMIB1 DLLs and to see which DLLs were being used by PING, TRACERT and NETSTAT. In order to print the data I had to redirect the output to a file and then use WordPad to print the pages I was interested in studying. This is how I gathered some of the information required to write Nettools.

Of course WINPE does not support ALL of the PEDUMP and DUMPBIN options, but it does support the ones I use most.

Known Problems

  • The CScrollView does not work on Win95.
  • Due to CScrollView limits on Win95, only 32k of data will display in the hexdump (all other views will work correctly; I was too lazy to write the scrolling code in a CView).

Tested on NT4.0 with MS/VC++ 4.2.

Reference Materials Used

See Microsoft Systems Journal at http://www.microsoft.com/msj for more information on the following. I believe the source code to HEXDUMP and PEDUMP can also be obtained there.

Programming Windows 95 with MFC by Prosise.
    The HEXDUMP example was used to create the DumpXView.

WIN95 Systems Programming Secrets by Matt Pietrek.
    The best book ever written on WIN95 and WIN32 internals.
    Contains the source to PEDUMP.

Developing Pro apps for NT and 95 using MFC
http://www.iftech.com/mfc
    The Print and Preview sections were very helpful.

Microsoft also provides some samples and documentation.

The Portable Executable File Format from Top to Bottom
http://www.microsoft.com/win32dev/base/pefile.htm

Managing Memory-Mapped Files in Win32 http://www.microsoft.com/win32dev/base/mmfile.htm

Last updated: 14 April 1998