PE File typing

Albert Member - All Emails Posts: 406
I am looking for ways to identify different kinds of PE files like
services, versus DLLs versus drivers versus regular PE exe files.

Is there a way to classify all this from the PE headers, or is the only way
to assertively do this to look at the export tables?

thanks
Al

Comments

  • Doron_Holan Member - All Emails Posts: 10,379
    The PE header can tell you kernel vs. user mode. A service exe is the same as a normal exe, so no, the PE header won't tell you. You have to look at the imports to infer what the binary's runtime functionality is.

    Bent from my phone
  • raj_r Member - All Emails Posts: 954
    You can use pefile in Python.


    :\>cat pyel.py

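    import pefile
    # Raw string so the backslashes in the Windows path are taken literally
    pe = pefile.PE(r"c:\windows\system32\calc.exe")
    # print() calls so the script runs under Python 3 as well as Python 2
    print(pe.is_dll())
    print(pe.is_driver())
    print(pe.is_exe())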
    :\>python pyel.py
    False
    False
    True

    As Doron replied, you can't differentiate between a normal exe and an exe
    for a service.

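Added example, not part of either reply and not pefile's own implementation: the header fields behind the answers above, read directly with `struct`, plus a byte scan for the `StartServiceCtrlDispatcher` import name as a crude stand-in for walking the import table. The function names, the return labels and the `sample_pe` test bytes are constructed for this illustration.

```python
import struct

IMAGE_FILE_DLL = 0x2000         # COFF Characteristics bit
IMAGE_SUBSYSTEM_NATIVE = 1      # no Win32 subsystem: drivers and native apps
SERVICE_HINT = b"StartServiceCtrlDispatcher"  # prefix of the A and W imports

def classify_pe(data: bytes) -> str:
    """Return 'native', 'dll', 'service-candidate' or 'exe' for raw PE bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4) + COFF header (20) + Subsystem at optional header +68
    if e_lfanew + 24 + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    opt_size, characteristics = struct.unpack_from("<HH", data, e_lfanew + 20)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    if opt_size < 70 or magic not in (0x10B, 0x20B):    # PE32 / PE32+
        raise ValueError("unsupported optional header")
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    if subsystem == IMAGE_SUBSYSTEM_NATIVE:
        return "native"
    if characteristics & IMAGE_FILE_DLL:
        return "dll"
    # Heuristic only: the header is identical for a service and a plain exe,
    # so look for the service dispatcher import name anywhere in the file.
    if SERVICE_HINT in data:
        return "service-candidate"
    return "exe"

def sample_pe(characteristics: int, subsystem: int, tail: bytes = b"") -> bytes:
    """Constructed header-only PE32+ bytes for the demo (not a loadable image)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)    # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, characteristics)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + b"PE\0\0" + coff + bytes(opt) + tail

if __name__ == "__main__":
    print(classify_pe(sample_pe(0x0022, 1)))            # native subsystem
    print(classify_pe(sample_pe(0x2022, 2)))            # DLL bit set
    print(classify_pe(sample_pe(0x0022, 3, SERVICE_HINT + b"W\0")))
    print(classify_pe(sample_pe(0x0022, 2)))            # plain GUI exe
```

A "service-candidate" result is only a hint: a binary that resolves the API at run time or is packed will not match, and an unrelated string in the file can match by accident.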