White Scorpion
Hi all,

Just written a new tool which can be helpful with understanding / reading PE headers.

It runs under the command line and takes the name / path of an executable as an argument.

Output will be similar to this (only then in a nice column):
QUOTE
  PEviewer v1.0 - White Scorpion Security © 2005
      ***** http://www.white-scorpion.nl *****   


Target file: cmd.exe
-----------------------------------------------------
Field Name:  Offset:  Value:
-----------------------------------------------------
PE signature:  0xD8  PE
Machine:  0xDC  0x14C
Number of sections: 0xDE  0x3
Timestamp:  0xE0  0x41107EBE
System table pointer: 0xE4  0x0
Number of symbols: 0xE8  0x0
Optional header size: 0xEC  0xE0
Chararteristics: 0xEE  0x10F
Magic:  0xF0  0x10B
Linker version:  0xF2  0xA07
Size of code:  0xF4  0x1F600
Initialized data size: 0xF8  0x3F600
Uninitial. data size: 0xFC  0x0
RVA of entry point: 0x100  0x5056
RVA base of code: 0x104  0x1000
RVA base of data: 0x108  0x1F000
Image base:  0x10C  0x4AD00000
Section alignment: 0x110  0x1000
File alignment:  0x114  0x200
OS version:  0x118  0x10005
Image version:  0x11C  0x10005
Subsystem version: 0x120  0x4
Image size:  0x128  0x61000 (397312 bytes)
Header size:  0x12C  0x400
Checksum:  0x130  0x62494
Sub system:  0x134  0x3
Dll characteristics: 0x136  0x8000
Size of stack reserve: 0x138  0x100000
Size of stack commit: 0x13C  0x100000
Size of heap reserve: 0x140  0x100000
Size of heap commit: 0x144  0x1000
Loader flag:  0x148  0x0
Nr of data directories: 0x14C  0x10
Expected entry point: 0x004AD05056 0x004AD05056



You can download it from my site here.


Kind regards.


White Scorpion
Mr_X
It doesn't work for me. Perhaps it's because I'm under Windows 2003. Don't know. I always get

CODE
  PEviewer v1.0 - White Scorpion Security (C) 2005
     ***** http://www.white-scorpion.nl *****


Target file:    c:\WINDOWS\system32\cmd.exe
-----------------------------------------------------
Unable to read file.

or not a valid PE file (of course with a different target). :/

NB: I see a typo at the 8th field name: "Chararteristics" should be "Characteristics"
belgther
Well, I use LordPE or ProcDump to get/change much more info from a PE file; however, this tool is quite good and could be used as a PE engine...
JonJon
Nice work...
but you didn't have to trouble so much...
Windows has its own structures that "strap on" to specific places in memory (NT header, DOS header, section table) and let you read them easily:

For example for NT HEADERS:

http://msdn.microsoft.com/library/default....headers_str.asp
White Scorpion
And so I've heard (from the structure), but I wanted to have each offset as well, and as far as I could tell I couldn't get that using that structure.

I could have also written a function for it, but this made the PE headers easier to understand for others.

I've been advised to add ELF support and a nice little GUI. Currently I'm already reading up on ELF headers.

If you have any other suggestions, please let me know.

QUOTE
It doesn't work for me. Perhaps it's because I'm under Windows 2003. Don't know. I always get

CODE
  PEviewer v1.0 - White Scorpion Security © 2005
    ***** http://www.white-scorpion.nl *****


Target file:    c:\WINDOWS\system32\cmd.exe
-----------------------------------------------------
Unable to read file.

or not a valid PE file (of course with a different target). :/

NB: I see a typo at the 8th field name: "Chararteristics" should be "Characteristics"

I'll correct the typo. Did you try running the program while in the same directory?

Here on my Windows 2003 Server SP1 it works fine, so I think there's something else wrong.
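
As an added example (not White Scorpion's PEviewer and not code posted by anyone in this thread), the following Python script does what the listing in the first post shows: it follows the DOS header's e_lfanew to the PE signature and reports every IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER32 field together with its file offset, which is the per-field offset information the reply above says the plain structure does not hand you directly. It also handles the failure case Mr_X ran into, returning an "Unable to read file or not a valid PE file" line instead of crashing when the MZ or PE signature is missing or the header is truncated. The sample image is constructed inline from the cmd.exe values in the first post (header only, no data directories or section table, so it is not an executable); the field names, the `parse_pe`, `render` and `build_sample_image` helpers, and the formatting are my own.

```python
import struct
import sys

# IMAGE_FILE_HEADER fields, in structure order (name, little-endian struct format).
COFF_FIELDS = [
    ("Machine", "<H"), ("Number of sections", "<H"), ("Timestamp", "<I"),
    ("Symbol table pointer", "<I"), ("Number of symbols", "<I"),
    ("Optional header size", "<H"), ("Characteristics", "<H"),
]

# IMAGE_OPTIONAL_HEADER32 up to NumberOfRvaAndSizes (0x60 bytes). "Win32 version
# value" (+0x34) is part of the structure; the listing in the thread skipped it.
# Linker version is read as one 16-bit word (minor<<8 | major), e.g. 0xA07.
PE32_OPTIONAL_FIELDS = [
    ("Magic", "<H"), ("Linker version", "<H"), ("Size of code", "<I"),
    ("Initialized data size", "<I"), ("Uninitialized data size", "<I"),
    ("RVA of entry point", "<I"), ("RVA base of code", "<I"), ("RVA base of data", "<I"),
    ("Image base", "<I"), ("Section alignment", "<I"), ("File alignment", "<I"),
    ("OS version", "<I"), ("Image version", "<I"), ("Subsystem version", "<I"),
    ("Win32 version value", "<I"), ("Image size", "<I"), ("Header size", "<I"),
    ("Checksum", "<I"), ("Subsystem", "<H"), ("Dll characteristics", "<H"),
    ("Size of stack reserve", "<I"), ("Size of stack commit", "<I"),
    ("Size of heap reserve", "<I"), ("Size of heap commit", "<I"),
    ("Loader flags", "<I"), ("Nr of data directories", "<I"),
]


def _read_fields(data, off, fields, out):
    """Unpack each (name, fmt) at successive offsets; store out[name] = (offset, value)."""
    for name, fmt in fields:
        size = struct.calcsize(fmt)
        if off + size > len(data):
            raise ValueError("truncated header while reading %s" % name)
        out[name] = (off, struct.unpack_from(fmt, data, off)[0])
        off += size
    return off


def parse_pe(data):
    """Return {field: (file offset, value)} for a PE32 image; ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    fields = {"PE signature": (e_lfanew, "PE")}
    off = _read_fields(data, e_lfanew + 4, COFF_FIELDS, fields)
    if fields["Optional header size"][1] < 0x60:
        raise ValueError("optional header too small for PE32")
    magic = struct.unpack_from("<H", data, off)[0]
    if magic != 0x10B:  # 0x20B (PE32+) has a different layout after BaseOfCode
        raise ValueError("not a PE32 image (magic 0x%X)" % magic)
    _read_fields(data, off, PE32_OPTIONAL_FIELDS, fields)
    # Virtual address of the entry point: image base plus the entry RVA (no file offset).
    va = fields["Image base"][1] + fields["RVA of entry point"][1]
    fields["Expected entry point"] = (None, va)
    return fields


def render(data, target="<memory>"):
    """Produce the three-column listing, or the tool's error line on bad input."""
    lines = ["Target file: %s" % target, "-" * 53,
             "%-24s %-8s %s" % ("Field Name:", "Offset:", "Value:"), "-" * 53]
    try:
        fields = parse_pe(data)
    except ValueError as exc:
        return "\n".join(lines + ["Unable to read file or not a valid PE file (%s)" % exc])
    for name, (off, val) in fields.items():
        off_s = "-" if off is None else "0x%X" % off
        val_s = val if isinstance(val, str) else "0x%X" % val
        lines.append("%-24s %-8s %s" % (name + ":", off_s, val_s))
    return "\n".join(lines)


def build_sample_image():
    """Constructed PE32 header with the cmd.exe values from the thread, e_lfanew = 0xD8."""
    e_lfanew = 0xD8
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)   # 0x40-byte DOS header
    dos += b"\0" * (e_lfanew - len(dos))                        # DOS stub padding
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x41107EBE, 0, 0, 0xE0, 0x10F)
    opt = struct.pack("<HH" + "I" * 16 + "HH" + "I" * 6,
                      0x10B, 0xA07, 0x1F600, 0x3F600, 0, 0x5056, 0x1000, 0x1F000,
                      0x4AD00000, 0x1000, 0x200, 0x10005, 0x10005, 0x4, 0,
                      0x61000, 0x400, 0x62494, 3, 0x8000,
                      0x100000, 0x100000, 0x100000, 0x1000, 0, 0x10)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(render(fh.read(), sys.argv[1]))
    else:
        print(render(build_sample_image(), "constructed sample"))
```

Run it with a path to list a real executable, or with no arguments to parse the constructed header. The offsets it prints for the constructed sample match the first post (Machine at 0xDC, Characteristics at 0xEE, Nr of data directories at 0x14C); the one difference is that the Win32 version value at 0x124 is shown, which is why the original listing jumps from 0x120 to 0x128.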

ninar12
Good work scorpion

I'm already using gt2.exe
which can also detect other files

Gonna test if I can get more info with yours
belgther
The extension check seems to be unnecessary...
because you are already doing the PE validity check...
Removing it will increase speed and decrease size.

cheers

belgther
Mr_X
I can't make it work, even v1.1 on Win 2003.
I also tested it by putting peviewer.exe in the dir where cmd.exe is located.
About my Windows, I'm running it without SP1.
But it works fine on Windows 2000 on another machine.
Seems that my 2003 is rotted
White Scorpion
QUOTE
The extension check seems to be unnecessary...
because you are already doing the PE validity check...
Removing it will increase speed and decrease size.
Yeah I know, it is just a test version... I'm already rewriting it in assembly with a GUI and the use of the IMAGE_NT_HEADERS structure, but GUIs are new to me, so it may take a while

belgther
QUOTE(Mr_X @ Mar 14 2005, 10:24 PM)
I can't make it work, even v1.1 on Win 2003.
I also tested it by putting peviewer.exe in the dir where cmd.exe is located.
About my Windows, I'm running it without SP1.
But it works fine on Windows 2000 on another machine.
Seems that my 2003 is rotted



Maybe it has to do with the Win2003 API structure... because you are not the only one who has the problem... You can find out which API is making trouble by editing the text messages in the program to anything you like & recompiling it...
Bedosman
Thanks very much for your new tool, but just one question: is it possible (if you add some lines of code) to edit some things in exe files, for example the timestamp?

White Scorpion
Well, I'm already working on it; I want everything to be editable, so that also includes the timestamp

belgther
QUOTE(Bedosman @ Mar 18 2005, 03:17 AM)
Thanks very much for your new tool, but just one question: is it possible (if you add some lines of code) to edit some things in exe files, for example the timestamp?



Bedosman,
If you are looking to edit PE headers, I can suggest ProcDump or LordPE, which are discontinued projects (Google for them).
White Scorpion
PEexplorer is also a very nice tool. Unfortunately it isn't freeware...